[PATCH] firmware_loader: Add null pointer checks in request_firmware_nowait()

[PATCH] firmware_loader: Add null pointer checks in request_firmware_nowait()

[Abhishek Kumar]

Add defensive null pointer checks before calling get_device() and
put_device() functions to prevent potential null pointer dereferences
in the firmware loading subsystem.

Specifically:
- In request_firmware_work_func(): Check fw_work->device before
  put_device() to safely handle cleanup when device reference may
  not be initialized.

- In _request_firmware_nowait(): Check device parameter before
  get_device() to validate input and prevent reference counting
  on invalid pointers.

These changes improve code robustness by adding defensive checks
against edge cases that could lead to kernel crashes.

Signed-off-by: Abhishek Kumar <abhishek_sts8@yahoo.com>
---
 drivers/base/firmware_loader/main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
index a11b30dda23b..3395ba3d9066 100644
--- a/drivers/base/firmware_loader/main.c
+++ b/drivers/base/firmware_loader/main.c
@@ -1150,7 +1150,8 @@ static void request_firmware_work_func(struct work_struct *work)
 	_request_firmware(&fw, fw_work->name, fw_work->device, NULL, 0, 0,
 			  fw_work->opt_flags);
 	fw_work->cont(fw, fw_work->context);
-	put_device(fw_work->device); /* taken in request_firmware_nowait() */
+	if (fw_work->device)
+		put_device(fw_work->device); /* taken in request_firmware_nowait() */
 
 	module_put(fw_work->module);
 	kfree_const(fw_work->name);
@@ -1194,7 +1195,8 @@ static int _request_firmware_nowait(
 		return -EFAULT;
 	}
 
-	get_device(fw_work->device);
+	if (device)
+		get_device(device);
 	INIT_WORK(&fw_work->work, request_firmware_work_func);
 	schedule_work(&fw_work->work);
 	return 0;
-- 
2.43.0

Re: [PATCH] firmware_loader: Add null pointer checks in request_firmware_nowait()

[Danilo Krummrich]

On Sat Feb 28, 2026 at 7:11 AM CET, Abhishek Kumar wrote:
> diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c
> index a11b30dda23b..3395ba3d9066 100644
> --- a/drivers/base/firmware_loader/main.c
> +++ b/drivers/base/firmware_loader/main.c
> @@ -1150,7 +1150,8 @@ static void request_firmware_work_func(struct work_struct *work)
>  	_request_firmware(&fw, fw_work->name, fw_work->device, NULL, 0, 0,
>  			  fw_work->opt_flags);
>  	fw_work->cont(fw, fw_work->context);
> -	put_device(fw_work->device); /* taken in request_firmware_nowait() */
> +	if (fw_work->device)
> +		put_device(fw_work->device); /* taken in request_firmware_nowait() */
>  
>  	module_put(fw_work->module);
>  	kfree_const(fw_work->name);
> @@ -1194,7 +1195,8 @@ static int _request_firmware_nowait(
>  		return -EFAULT;
>  	}
>  
> -	get_device(fw_work->device);
> +	if (device)
> +		get_device(device);
>  	INIT_WORK(&fw_work->work, request_firmware_work_func);
>  	schedule_work(&fw_work->work);
>  	return 0;

Those can only ever be NULL if either request_firmware_nowait() or
firmware_request_nowait_nowarn() are called with NULL and it is up to the user
of those functions to call them with valid arguments.

Besides that, it would just move the bug elsewhere, as _request_firmware()
heavily uses the device pointer.

(Also note that a NULL check by itself doesn't do a lot in terms of robustness,
since a non-null pointer can still be invalid.)