From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751496AbdAMVkD (ORCPT <rfc822;w@1wt.eu>);
        Fri, 13 Jan 2017 16:40:03 -0500
Received: from mx4.wp.pl ([212.77.101.12]:51425 "EHLO mx4.wp.pl"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1751132AbdAMVkB (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 13 Jan 2017 16:40:01 -0500
X-Greylist: delayed 399 seconds by postgrey-1.27 at vger.kernel.org; Fri, 13 Jan 2017 16:40:01 EST
Date: Fri, 13 Jan 2017 13:32:58 -0800
From: Jakub Kicinski <kubakici@wp.pl>
To: Daniel Wagner <daniel.wagner@bmw-carit.de>
Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>,
        Bjorn Andersson <bjorn.andersson@linaro.org>,
        linux-kernel@vger.kernel.org
Subject: 4.10-rc3, firmware loading via user space helper crashes if
 firmware not present
Message-ID: <20170113133258.1cc6bf39@laptop>
X-Mailer: Claws Mail 3.14.0-49-g1cc35f (GTK+ 2.24.31; x86_64-unknown-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-WP-MailID: cc318b77a7848c948c780c28addabbc2
X-WP-AV: skaner antywirusowy Poczty Wirtualnej Polski
X-WP-SPAM: NO 000000A [kVOE]                               
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi!

If one requests a FW which does not exist in the FS and the user space
helper is used then fw_load_abort() will be called twice which leads to
NULL-deref.

It will be called once in firmware_loading_store() (handling the -1
case) and then again in _request_firmware_load() because return value
from fw_state_wait_timeout() was negative.

I think this is introduced in by f52cc379423d ("firmware: refactor
loading status").

The simple fix would be to not "unlink" the buf by fw_load_abort() in
firmware_loading_store() and always rely on firmware_loading_store().

------->8------------------------------------

diff --git a/drivers/base/firmware_class.c
b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device
*dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading);
 		/* fallthrough */
 	case -1:
-		fw_load_abort(fw_priv);
+		fw_state_aborted(&fw_buf->fw_st);
 		break;
 	}
 out:

-------8<------------------------------------

Or should we fix up the ret code handling in __fw_state_wait_common()?

Kuba