From: Jakub Kicinski <kubakici@wp.pl>
To: Daniel Wagner <daniel.wagner@bmw-carit.de>,
Bjorn Andersson <bjorn.andersson@linaro.org>
Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>, linux-kernel@vger.kernel.org
Subject: Re: 4.10-rc3, firmware loading via user space helper crashes if firmware not present
Date: Fri, 13 Jan 2017 19:40:50 -0800
Message-ID: <20170113194050.48fa5e0b@laptop>
In-Reply-To: <20170113133258.1cc6bf39@laptop>
On Fri, 13 Jan 2017 13:32:58 -0800, Jakub Kicinski wrote:
> If one requests a FW which does not exist in the FS and the user space
> helper is used then fw_load_abort() will be called twice which leads to
> NULL-deref.
>
> It will be called once in firmware_loading_store() (handling the -1
> case) and then again in _request_firmware_load() because return value
> from fw_state_wait_timeout() was negative.
>
> I think this is introduced by f52cc379423d ("firmware: refactor
> loading status").
>
> The simple fix would be to not "unlink" the buf by fw_load_abort() in
> firmware_loading_store() and always rely on firmware_loading_store().
>
> ------->8------------------------------------
>
> diff --git a/drivers/base/firmware_class.c
> b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644
> --- a/drivers/base/firmware_class.c
> +++ b/drivers/base/firmware_class.c
> @@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device
> *dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading);
> /* fallthrough */
> case -1:
> - fw_load_abort(fw_priv);
> + fw_state_aborted(&fw_buf->fw_st);
> break;
> }
> out:
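Review bot: in the `case -1:` arm the replacement line uses `fw_buf` where the removed line used `fw_priv`, and the hunk header offsets (-766 / +770) differ by four lines, so this diff was cut from a tree carrying other changes and it cannot be checked from what is posted that `fw_buf` is in scope here; please regenerate it against a clean base. The `diff --git` line and the `@@` line are also wrapped, so the patch will not apply as quoted. Because the default arm falls through into this one, a short comment stating that the store handler now only marks the state as aborted and leaves the unlinking to the waiter would help the next reader.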
>
> -------8<------------------------------------
>
> Or should we fix up the ret code handling in __fw_state_wait_common()?
I got this backwards, I blamed the wrong commit, it's the 5d47ec02c37e
("firmware: Correct handling of fw_state_wait() return value") in fact.
It made the assumption that all errors returned from
fw_state_wait_timeout() require calling the abort, while in fact abort
should only be called if user mode helper didn't do anything (either
it timed out or someone hit ^C).
I'm leaning towards this:
------->8------------------------------------
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 4497d263209f..ce142e6b2c72 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -1020,7 +1020,7 @@ static int _request_firmware_load(struct firmware_priv *fw_priv,
}
retval = fw_state_wait_timeout(&buf->fw_st, timeout);
- if (retval < 0) {
+ if (retval == -ETIMEDOUT || retval == -ERESTARTSYS) {
mutex_lock(&fw_lock);
fw_load_abort(fw_priv);
mutex_unlock(&fw_lock);
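Review bot: the new test `retval == -ETIMEDOUT || retval == -ERESTARTSYS` is an allow-list, so every other negative value from fw_state_wait_timeout() now skips fw_load_abort() with nothing in the code saying why. Add a comment above the `if` explaining that the remaining errors mean the abort already happened on the sysfs store path, and consider testing for that one case instead, so that a new error code from the wait helper does not silently leave the buffer without an abort.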
-------8<------------------------------------
Unless advised otherwise I will submit this officially on Monday :)
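The double abort described in this message, as an added user-space C model that is not code from the thread or from the kernel: all `model_*` names are hypothetical, and the error code returned once the helper has already aborted (`MODEL_EABORTED`) is an assumption. `model_request()` counts how often the abort would run on an already-unlinked buffer under the `retval < 0` check versus the timeout-or-interrupt check.

```c
#include <errno.h>
#include <stddef.h>

/* User-space model only; every name below is hypothetical, not kernel code. */
#define MODEL_ERESTARTSYS 512      /* kernel-internal errno, not in userspace errno.h */
#define MODEL_EABORTED    ENOENT   /* assumed code for "state already aborted" */
enum model_state { ST_LOADING, ST_ABORTED };
enum outcome { HELPER_WROTE_MINUS_ONE, HELPER_TIMED_OUT, HELPER_INTERRUPTED };
struct model_buf  { enum model_state state; };
struct model_priv { struct model_buf *buf; };

/* Abort marks the state and unlinks the buffer. Returns -1 where a second
 * call would dereference the already-cleared pointer. */
static int model_abort(struct model_priv *p)
{
    if (p->buf == NULL)
        return -1;
    p->buf->state = ST_ABORTED;
    p->buf = NULL;
    return 0;
}

/* What the waiter gets back for each helper outcome. Writing -1 to the
 * loading attribute aborts from the store handler before the waiter wakes. */
static int model_wait(struct model_priv *p, enum outcome o, int *faults)
{
    switch (o) {
    case HELPER_WROTE_MINUS_ONE:
        *faults += model_abort(p) < 0;
        return -MODEL_EABORTED;
    case HELPER_INTERRUPTED:
        return -MODEL_ERESTARTSYS;
    default:
        return -ETIMEDOUT;
    }
}

/* strict == 0: abort on any negative result; strict == 1: abort only on
 * timeout or interrupt. Returns the number of would-be NULL dereferences. */
int model_request(enum outcome o, int strict, int *aborted)
{
    struct model_buf b = { ST_LOADING };
    struct model_priv p = { &b };
    int faults = 0;
    int ret = model_wait(&p, o, &faults);
    if (strict ? (ret == -ETIMEDOUT || ret == -MODEL_ERESTARTSYS) : ret < 0)
        faults += model_abort(&p) < 0;
    *aborted = (b.state == ST_ABORTED);
    return faults;
}
```

In every case the buffer ends up aborted exactly once under the strict check; only the "helper wrote -1" path differs between the two checks.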