Commit fc38c324 authored Nov 18, 2024 by Javier Martinez Canillas Committed by dinglongwei Nov 18, 2024

of/platform: Disable sysfb if a simple-framebuffer node is found

mainline inclusion
from mainline-v6.8-rc1
commit 3310288f61357b9b54139c93fc7665d60c0288bf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4KI
CVE: CVE-2024-46698

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3310288f61357b9b54139c93fc7665d60c0288bf



--------------------------------

Some DT platforms use EFI to boot and in this case the EFI Boot Services
may register a EFI_GRAPHICS_OUTPUT_PROTOCOL handle, that will later be
queried by the Linux EFI stub to fill the global struct screen_info data.

The data is used by the Generic System Framebuffers (sysfb) framework to
add a platform device with platform data about the system framebuffer.

But if there is a "simple-framebuffer" node in the DT, the OF core will
also do the same and add another device for the system framebuffer.

This could lead for example, to two platform devices ("simple-framebuffer"
and "efi-framebuffer") to be added and matched with their corresponding
drivers. So both efifb and simpledrm will be probed, leading to following:

[    0.055752] efifb: framebuffer at 0xbd58dc000, using 16000k, total 16000k
[    0.055755] efifb: mode is 2560x1600x32, linelength=10240, pages=1
[    0.055758] efifb: scrolling: redraw
[    0.055759] efifb: Truecolor: size=2:10:10:10, shift=30:20:10:0
...
[    3.295896] simple-framebuffer bd58dc000.framebuffer: [drm] *ERROR*
could not acquire memory range [??? 0xffff79f30a29ee40-0x2a5000001a7
flags 0x0]: -16
[    3.298018] simple-framebuffer: probe of bd58dc000.framebuffer
failed with error -16

To prevent the issue, make the OF core to disable sysfb if there is a node
with a "simple-framebuffer" compatible. That way only this device will be
registered and sysfb would not attempt to register another one using the
screen_info data even if this has been filled.

This seems the correct thing to do in this case because:

a) On a DT platform, the DTB is the single source of truth since is what
   describes the hardware topology. Even if EFI Boot Services are used to
   boot the machine.

b) The of_platform_default_populate_init() function is called in the
   arch_initcall_sync() initcall level while the sysfb_init() function
   is called later in the subsys_initcall() initcall level.

Reported-by: Andrew Worsley <amworsley@gmail.com>
Closes: https://lore.kernel.org/all/20231111042926.52990-2-amworsley@gmail.com


Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://lore.kernel.org/r/20231113085305.1823455-1-javierm@redhat.com


Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: dinglongwei <dinglongwei1@huawei.com>

parent 7a7909bb

drivers/of/platform.c

+16 −2

Original line number	Diff line number	Diff line
		@@ -20,6 +20,7 @@
		#include <linux/of_irq.h>
		#include <linux/of_platform.h>
		#include <linux/platform_device.h>
		#include <linux/sysfb.h>

		#include "of_private.h"

		@@ -621,8 +622,21 @@ static int __init of_platform_default_populate_init(void)
		}

		node = of_get_compatible_child(of_chosen, "simple-framebuffer");
		if (node) {
		/*
		* Since a "simple-framebuffer" device is already added
		* here, disable the Generic System Framebuffers (sysfb)
		* to prevent it from registering another device for the
		* system framebuffer later (e.g: using the screen_info
		* data that may had been filled as well).
		*
		* This can happen for example on DT systems that do EFI
		* booting and may provide a GOP handle to the EFI stub.
		*/
		sysfb_disable();
		of_platform_device_create(node, NULL, NULL);
		of_node_put(node);
		}

		/* Populate everything else. */
		of_platform_default_populate(NULL, NULL, NULL);