Commit 3cf5db3a authored by Alex Deucher's avatar Alex Deucher Committed by dinglongwei
Browse files

video/aperture: optionally match the device in sysfb_disable() 

stable inclusion
from stable-v6.10.8
commit 17e78f43de0c6da34204cc858b4cc05671ea9acf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4KI
CVE: CVE-2024-46698

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=17e78f43de0c6da34204cc858b4cc05671ea9acf



--------------------------------

commit b49420d6a1aeb399e5b107fc6eb8584d0860fbd7 upstream.

In aperture_remove_conflicting_pci_devices(), we currently only
call sysfb_disable() on vga class devices.  This leads to the
following problem when the pimary device is not VGA compatible:

1. A PCI device with a non-VGA class is the boot display
2. That device is probed first and it is not a VGA device so
   sysfb_disable() is not called, but the device resources
   are freed by aperture_detach_platform_device()
3. Non-primary GPU has a VGA class and it ends up calling sysfb_disable()
4. NULL pointer dereference via sysfb_disable() since the resources
   have already been freed by aperture_detach_platform_device() when
   it was called by the other device.

Fix this by passing a device pointer to sysfb_disable() and checking
the device to determine if we should execute it or not.

v2: Fix build when CONFIG_SCREEN_INFO is not set
v3: Move device check into the mutex
    Drop primary variable in aperture_remove_conflicting_pci_devices()
    Drop __init on pci sysfb_pci_dev_is_enabled()

Fixes: 5ae3716c ("video/aperture: Only remove sysfb on the default vga pci device")
Cc: Javier Martinez Canillas <javierm@redhat.com>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: Helge Deller <deller@gmx.de>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Reviewed-by: default avatarJavier Martinez Canillas <javierm@redhat.com>
Reviewed-by: default avatarThomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240821191135.829765-1-alexander.deucher@amd.com


Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatardinglongwei <dinglongwei1@huawei.com>
parent 30e4280b

drivers/firmware/sysfb.c

+13 −6
Original line number Diff line number Diff line
@@ -39,6 +39,8 @@ static struct platform_device *pd; 
static DEFINE_MUTEX(disable_lock);

static bool disabled;



static struct device *sysfb_parent_dev(const struct screen_info *si);



static bool sysfb_unregister(void)

{

	if (IS_ERR_OR_NULL(pd))
@@ -52,6 +54,7 @@ static bool sysfb_unregister(void) 


/**

 * sysfb_disable() - disable the Generic System Framebuffers support

 * @dev:	the device to check if non-NULL

 *

 * This disables the registration of system framebuffer devices that match the

 * generic drivers that make use of the system framebuffer set up by firmware.
@@ -61,17 +64,21 @@ static bool sysfb_unregister(void) 
 * Context: The function can sleep. A @disable_lock mutex is acquired to serialize

 *          against sysfb_init(), that registers a system framebuffer device.

 */

void sysfb_disable(void)

void sysfb_disable(struct device *dev)

{

	struct screen_info *si = &screen_info;



	mutex_lock(&disable_lock);

	if (!dev || dev == sysfb_parent_dev(si)) {

		sysfb_unregister();

		disabled = true;

	}

	mutex_unlock(&disable_lock);

}

EXPORT_SYMBOL_GPL(sysfb_disable);



#if defined(CONFIG_PCI)

static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)

static bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)

{

	/*

	 * TODO: Try to integrate this code into the PCI subsystem
@@ -87,13 +94,13 @@ static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev) 
	return true;

}

#else

static __init bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)

static bool sysfb_pci_dev_is_enabled(struct pci_dev *pdev)

{

	return false;

}

#endif



static __init struct device *sysfb_parent_dev(const struct screen_info *si)

static struct device *sysfb_parent_dev(const struct screen_info *si)

{

	struct pci_dev *pdev;

drivers/of/platform.c

+1 −1
Original line number Diff line number Diff line
@@ -633,7 +633,7 @@ static int __init of_platform_default_populate_init(void) 
			 * This can happen for example on DT systems that do EFI

			 * booting and may provide a GOP handle to the EFI stub.

			 */

			sysfb_disable();

			sysfb_disable(NULL);

			of_platform_device_create(node, NULL, NULL);

			of_node_put(node);

		}

drivers/video/aperture.c

+3 −8
Original line number Diff line number Diff line
@@ -293,7 +293,7 @@ int aperture_remove_conflicting_devices(resource_size_t base, resource_size_t si 
	 * ask for this, so let's assume that a real driver for the display

	 * was already probed and prevent sysfb to register devices later.

	 */

	sysfb_disable();

	sysfb_disable(NULL);



	aperture_detach_devices(base, size);
@@ -346,15 +346,10 @@ EXPORT_SYMBOL(__aperture_remove_legacy_vga_devices); 
 */

int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *name)

{

	bool primary = false;

	resource_size_t base, size;

	int bar, ret = 0;



	if (pdev == vga_default_device())

		primary = true;



	if (primary)

		sysfb_disable();

	sysfb_disable(&pdev->dev);



	for (bar = 0; bar < PCI_STD_NUM_BARS; ++bar) {

		if (!(pci_resource_flags(pdev, bar) & IORESOURCE_MEM))
@@ -370,7 +365,7 @@ int aperture_remove_conflicting_pci_devices(struct pci_dev *pdev, const char *na 
	 * that consumes the VGA framebuffer I/O range. Remove this

	 * device as well.

	 */

	if (primary)

	if (pdev == vga_default_device())

		ret = __aperture_remove_legacy_vga_devices(pdev);



	return ret;

include/linux/sysfb.h

+2 −2
Original line number Diff line number Diff line
@@ -58,11 +58,11 @@ struct efifb_dmi_info { 


#ifdef CONFIG_SYSFB



void sysfb_disable(void);

void sysfb_disable(struct device *dev);



#else /* CONFIG_SYSFB */



static inline void sysfb_disable(void)

static inline void sysfb_disable(struct device *dev)

{

}