From: Thomas Zimmermann <tzimmermann@suse.de> mainline inclusion from mainline-v6.10-rc7 commit 3285d8f0a2ede604c368155c9c0921e16d41f70a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAR4KI CVE: CVE-2024-46698 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Retrieving the system framebuffer's parent device in sysfb_init() increments the parent device's reference count. Hence release the reference before leaving the init function. Adding the sysfb platform device acquires and additional reference for the parent. This keeps the parent device around while the system framebuffer is in use. Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de> Fixes: 9eac534db001 ("firmware/sysfb: Set firmware-framebuffer parent device") Cc: Thomas Zimmermann <tzimmermann@suse.de> Cc: Javier Martinez Canillas <javierm@redhat.com> Cc: Helge Deller <deller@gmx.de> Cc: Jani Nikula <jani.nikula@intel.com> Cc: Dan Carpenter <dan.carpenter@linaro.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Sui Jingfeng <suijingfeng@loongson.cn> Cc: <stable@vger.kernel.org> # v6.9+ Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> Link: https://patchwork.freedesktop.org/patch/msgid/20240625081818.15696-1-tzimmer... Signed-off-by: dinglongwei <dinglongwei1@huawei.com> --- drivers/firmware/sysfb.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/sysfb.c b/drivers/firmware/sysfb.c index ac4680dc463f..02a07d3d0d40 100644 --- a/drivers/firmware/sysfb.c +++ b/drivers/firmware/sysfb.c @@ -108,8 +108,10 @@ static struct device *sysfb_parent_dev(const struct screen_info *si) if (IS_ERR(pdev)) { return ERR_CAST(pdev); } else if (pdev) { - if (!sysfb_pci_dev_is_enabled(pdev)) + if (!sysfb_pci_dev_is_enabled(pdev)) { + pci_dev_put(pdev); return ERR_PTR(-ENODEV); + } return &pdev->dev; } @@ -144,7 +146,7 @@ static __init int sysfb_init(void) if (compatible) { pd = sysfb_create_simplefb(si, &mode, parent); if (!IS_ERR(pd)) - goto unlock_mutex; + goto put_device; } /* if the FB is incompatible, create a legacy framebuffer device */ @@ -162,7 +164,7 @@ static __init int sysfb_init(void) pd = platform_device_alloc(name, 0); if (!pd) { ret = -ENOMEM; - goto unlock_mutex; + goto put_device; } pd->dev.parent = parent; @@ -177,9 +179,11 @@ static __init int sysfb_init(void) if (ret) goto err; - goto unlock_mutex; + goto put_device; err: platform_device_put(pd); +put_device: + put_device(parent); unlock_mutex: mutex_unlock(&disable_lock); return ret; -- 2.17.1