From: Anirudh Rayabharam <mail@anirudhrb.com>
To: Luis Chamberlain <mcgrof@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	"Rafael J. Wysocki" <rafael@kernel.org>,
	Junyong Sun <sunjy516@gmail.com>,
	syzbot+de271708674e2093097b@syzkaller.appspotmail.com,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] firmware_loader: fix use-after-free in firmware_fallback_sysfs
Date: Wed, 14 Apr 2021 14:41:37 +0530	[thread overview]
Message-ID: <YHaxySNDxXIRp+eH@anirudhrb.com> (raw)
In-Reply-To: <20210413165138.GI4332@42.do-not-panic.com>

On Tue, Apr 13, 2021 at 04:51:38PM +0000, Luis Chamberlain wrote:
> On Tue, Apr 13, 2021 at 04:12:42PM +0530, Anirudh Rayabharam wrote:
> > The use-after-free happens when a fw_priv object has been freed but
> > hasn't been removed from the pending list (pending_fw_head). The next
> > time fw_load_sysfs_fallback tries to insert into the list, it ends up
> > accessing the pending_list member of the previously freed fw_priv.
> > 
> > In commit bcfbd3523f3c ("firmware: fix a double abort case with
> > fw_load_sysfs_fallback"), fw_load_abort() is skipped if
> > fw_sysfs_wait_timeout() returns -ENOENT. This causes the fw_priv to
> > not be removed from the pending list.
> > 
> > To fix this, delete the fw_priv from the pending list when retval
> > is -ENOENT instead of skipping the entire block.
> > 
> > Fixes: bcfbd3523f3c ("firmware: fix a double abort case with fw_load_sysfs_fallback")
> > Reported-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
> > Tested-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
> > Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
> 
> Thanks for your patch Anirudh, but please also see this reply to the
> issue:
> 
> http://lkml.kernel.org/r/20210403013143.GV4332@42.do-not-panic.com

I have now sent a v3 that is more along the lines of the patch suggested
in the above thread.

Thanks!

	- Anirudh.
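The lifecycle the commit message describes (an entry queued on a pending list, a wait that can return -ENOENT, and an object that must not be freed while still linked), as an added userspace C model that is not the patch or kernel code. `list_head`, `fw_priv`, `pending_fw_head`, `fw_load_abort` and `load_fallback` are simplified stand-ins for the kernel's definitions, and the dequeue that the kernel performs on a completed sysfs load is collapsed into the same unlink call.

```c
#include <errno.h>
#include <stdlib.h>

/* Minimal intrusive doubly-linked list, a simplified stand-in for the
 * kernel's list_head (not the kernel implementation). */
struct list_head { struct list_head *next, *prev; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
	n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
static void list_del_init(struct list_head *n) {
	n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}

struct fw_priv { struct list_head pending_list; int id; }; /* stand-in */

static struct list_head pending_fw_head = { &pending_fw_head, &pending_fw_head };

/* Entries still queued. 0 after every load means the next list_add cannot
 * reach a freed object, which is the invariant the fix restores. */
int pending_count(void) {
	int n = 0;
	for (struct list_head *p = pending_fw_head.next; p != &pending_fw_head; p = p->next)
		n++;
	return n;
}

static void fw_load_abort(struct fw_priv *fw) { list_del_init(&fw->pending_list); }

/* Fixed fallback path. wait_result simulates fw_sysfs_wait_timeout(): 0 for a
 * completed load, -ENOENT for the already-aborted case, any other negative
 * errno for a timeout (constructed inputs). -ENOENT still skips
 * fw_load_abort(), but the entry is unlinked before the object is freed. */
int load_fallback(int id, int wait_result) {
	struct fw_priv *fw = malloc(sizeof *fw);
	if (!fw)
		return -ENOMEM;
	fw->id = id;
	list_init(&fw->pending_list);
	list_add(&fw->pending_list, &pending_fw_head);
	int retval = wait_result;
	if (retval < 0 && retval != -ENOENT)
		fw_load_abort(fw);                /* original abort path */
	else
		list_del_init(&fw->pending_list); /* -ENOENT: the unlink the bug omitted */
	free(fw);                                 /* safe: no list still points here */
	return retval;
}
```

After each call the pending list is empty, so a subsequent insert never dereferences memory that was freed on an earlier -ENOENT exit.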

