tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

fbdev: defio: Keep module reference from VMAs

Acquire a module reference on each mmap and VMA open; hold it until
the kernel closes the VMA. Protects against unloading the module
while user space still has a mapping of the graphics memory. The
VMA page-fault handling would then call into undefined code.

This situation can happen if the underlying device has been unplugged
and the driver has been unloaded. It would then be possible to trigger
the bug by unloading the fbdev core module.

Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Signed-off-by: Helge Deller <deller@gmx.de>

authored by

Thomas Zimmermann and committed by
Helge Deller d460a54f 9ded47ad

+6
+6
drivers/video/fbdev/core/fb_defio.c
··· 14 14 #include <linux/export.h> 15 15 #include <linux/string.h> 16 16 #include <linux/mm.h> 17 + #include <linux/module.h> 17 18 #include <linux/vmalloc.h> 18 19 #include <linux/delay.h> 19 20 #include <linux/interrupt.h> ··· 84 83 { 85 84 struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data; 86 85 86 + WARN_ON_ONCE(!try_module_get(THIS_MODULE)); 87 87 fb_deferred_io_state_get(fbdefio_state); 88 88 } 89 89 ··· 93 91 struct fb_deferred_io_state *fbdefio_state = vma->vm_private_data; 94 92 95 93 fb_deferred_io_state_put(fbdefio_state); 94 + module_put(THIS_MODULE); 96 95 } 97 96 98 97 static struct page *fb_deferred_io_get_page(struct fb_info *info, unsigned long offs) ··· 337 334 int fb_deferred_io_mmap(struct fb_info *info, struct vm_area_struct *vma) 338 335 { 339 336 vma->vm_page_prot = pgprot_decrypted(vma->vm_page_prot); 337 + 338 + if (!try_module_get(THIS_MODULE)) 339 + return -EINVAL; 340 340 341 341 vma->vm_ops = &fb_deferred_io_vm_ops; 342 342 vm_flags_set(vma, VM_DONTEXPAND | VM_DONTDUMP);