mirror of
https://github.com/torvalds/linux.git
synced 2026-05-12 08:08:03 +02:00
dlfb_ops_mmap() uses remap_pfn_range() to map vmalloc framebuffer pages to userspace but sets no vm_ops on the VMA. This means the kernel cannot track active mmaps. When dlfb_realloc_framebuffer() replaces the backing buffer via FBIOPUT_VSCREENINFO, existing mmap PTEs are not invalidated. On USB disconnect, dlfb_ops_destroy() calls vfree() on the old pages while userspace PTEs still reference them, resulting in a use-after-free: the process retains read/write access to freed kernel pages.

Add vm_operations_struct with open/close callbacks that maintain an atomic mmap_count on struct dlfb_data. In dlfb_realloc_framebuffer(), check mmap_count and return -EBUSY if the buffer is currently mapped, preventing buffer replacement while userspace holds stale PTEs.

Tested with PoC using dummy_hcd + raw_gadget USB device emulation.

Signed-off-by: Rajat Gupta <rajgupt@qti.qualcomm.com>
Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
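The commit message above describes the gate in prose only. The block below is an added, user-space model of that mechanism, not udlfb's code and not part of the kernel tree this page mirrors: a device struct with an atomic mmap_count, open/close callbacks in the role of vm_operations_struct, a realloc that returns -EBUSY while the count is non-zero, and a destroy step that reports whether any mapping still points at the replaced buffer being freed. All names (fb_dev, fb_vma, fb_mmap, fb_realloc, fb_destroy, demo) are hypothetical stand-ins; buffers are calloc()ed rather than vmalloc()ed, and "PTEs" are plain integers compared by value, so nothing freed is ever dereferenced.

```c
/* Added example, not udlfb's code: a user-space model of the mmap_count
 * gate the commit describes.  Every name is a hypothetical stand-in
 * (fb_dev ~ struct dlfb_data, fb_vma ~ struct vm_area_struct) and the
 * framebuffer is calloc()ed, not vmalloc()ed. */
#include <errno.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

struct fb_dev {
    unsigned char *fb, *old_fb;   /* current buffer; replaced one kept until destroy */
    size_t fb_len;
    atomic_int mmap_count;        /* live VMAs mapping fb: what the fix adds */
};

struct fb_vma {
    struct fb_dev *dev;
    uintptr_t pte;                /* where the "PTEs" point; 0 when unmapped */
};

/* vm_ops->open/close.  The core calls open() only when it copies a VMA
 * (fork, split), so the initial mmap has to bump the count itself. */
static void fb_vm_open(struct fb_vma *v) { atomic_fetch_add(&v->dev->mmap_count, 1); }
static void fb_vm_close(struct fb_vma *v) { atomic_fetch_sub(&v->dev->mmap_count, 1); }

static int fb_mmap(struct fb_dev *dev, struct fb_vma *v)
{
    if (!dev->fb)
        return -ENODEV;
    v->dev = dev;
    v->pte = (uintptr_t)dev->fb;  /* remap_pfn_range() equivalent */
    fb_vm_open(v);
    return 0;
}

/* dup_mmap() on fork copies the VMA and calls vm_ops->open on the copy */
static void fb_vma_fork(const struct fb_vma *src, struct fb_vma *dst) { *dst = *src; fb_vm_open(dst); }
static void fb_munmap(struct fb_vma *v) { fb_vm_close(v); v->pte = 0; }

/* dlfb_realloc_framebuffer() equivalent: gated=false is the pre-fix path,
 * gated=true adds the mmap_count check from the patch. */
static int fb_realloc(struct fb_dev *dev, size_t new_len, bool gated)
{
    if (gated && atomic_load(&dev->mmap_count) > 0)
        return -EBUSY;
    unsigned char *nfb = calloc(new_len, 1);
    if (!nfb)
        return -ENOMEM;
    free(dev->old_fb);
    dev->old_fb = dev->fb;        /* old pages live on; existing PTEs still reference them */
    dev->fb = nfb;
    dev->fb_len = new_len;
    return 0;
}

/* dlfb_ops_destroy() equivalent.  Returns true if a VMA still resolves to
 * the replaced buffer freed here: the use-after-free from the commit. */
static bool fb_destroy(struct fb_dev *dev, const struct fb_vma *vmas, int n)
{
    bool uaf = false;
    for (int i = 0; i < n; i++)
        if (vmas[i].pte && vmas[i].pte == (uintptr_t)dev->old_fb)
            uaf = true;
    free(dev->old_fb);
    free(dev->fb);
    dev->old_fb = dev->fb = NULL;
    return uaf;
}

struct demo_result { int count_after_fork; int realloc_rc; bool uaf_on_destroy; int realloc_rc_unmapped; };

/* Scenario from the commit: mmap, fork, FBIOPUT_VSCREENINFO, USB disconnect.
 * Then the benign case on a second device: unmap, and resize succeeds. */
static struct demo_result demo(bool gated)
{
    struct demo_result r = {0};
    struct fb_dev dev = { .fb = calloc(4096, 1), .fb_len = 4096 };
    struct fb_vma vmas[2];

    fb_mmap(&dev, &vmas[0]);
    fb_vma_fork(&vmas[0], &vmas[1]);
    r.count_after_fork = atomic_load(&dev.mmap_count);        /* 2 */
    r.realloc_rc = fb_realloc(&dev, 8192, gated);             /* 0 unfixed, -EBUSY fixed */
    r.uaf_on_destroy = fb_destroy(&dev, vmas, 2);

    struct fb_dev dev2 = { .fb = calloc(4096, 1), .fb_len = 4096 };
    struct fb_vma v2;
    fb_mmap(&dev2, &v2);
    fb_munmap(&v2);                                           /* count back to 0 */
    r.realloc_rc_unmapped = fb_realloc(&dev2, 8192, gated);   /* 0: resize allowed */
    fb_destroy(&dev2, &v2, 1);
    return r;
}

int main(void)
{
    struct demo_result u = demo(false), g = demo(true);
    printf("unfixed: realloc=%d uaf=%d\nfixed:   realloc=%d uaf=%d\n",
           u.realloc_rc, u.uaf_on_destroy, g.realloc_rc, g.uaf_on_destroy);
    return 0;
}
```

Two points the model makes visible that the commit text leaves implicit: the count has to be incremented by the mmap handler itself, because the core only invokes vm_ops->open for VMA copies, and a forked child holds its own reference, so a single munmap in the parent does not bring the count to zero and the resize stays refused until every mapping is gone.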
| Name |
|---|
| atmel_lcdc.h |
| aty128.h |
| broadsheetfb.h |
| cirrus.h |
| cmdline.h |
| cvisionppc.h |
| display_timing.h |
| edid.h |
| gbe.h |
| hecubafb.h |
| ili9320.h |
| imx-ipu-image-convert.h |
| imx-ipu-v3.h |
| kyro.h |
| mach64.h |
| maxinefb.h |
| metronomefb.h |
| mipi_display.h |
| mmp_disp.h |
| neomagic.h |
| newport.h |
| nomodeset.h |
| of_display_timing.h |
| of_videomode.h |
| omapfb_dss.h |
| omapvrfb.h |
| permedia2.h |
| pixel_format.h |
| platform_lcd.h |
| pm3fb.h |
| pmag-ba-fb.h |
| pmagb-b-fb.h |
| pxa168fb.h |
| radeon.h |
| s1d13xxxfb.h |
| sa1100fb.h |
| samsung_fimd.h |
| sh_mobile_lcdc.h |
| sisfb.h |
| sstfb.h |
| sticore.h |
| tdfx.h |
| tgafb.h |
| trident.h |
| udlfb.h |
| uvesafb.h |
| vga.h |
| videomode.h |