From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk, Neil Horman <nhorman@tuxdriver.com>
Subject: [03/49] firmware: Fix an oops on reading fw_priv->fw in sysfs loading file
Date: Tue, 10 Jan 2012 13:55:06 -0800	[thread overview]
Message-ID: <20120110215601.777947770@clark.kroah.org> (raw)
In-Reply-To: <20120110215609.GA22505@kroah.com>

3.2-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Neil Horman <nhorman@tuxdriver.com>

commit eea915bb0d1358755f151eaefb8208a2d5f3e10c upstream.

This oops was reported recently:
firmware_loading_store+0xf9/0x17b
dev_attr_store+0x20/0x22
sysfs_write_file+0x101/0x134
vfs_write+0xac/0xf3
sys_write+0x4a/0x6e
system_call_fastpath+0x16/0x1b

The complete backtrace was unfortunately not captured, but details can be found
here:
https://bugzilla.redhat.com/show_bug.cgi?id=769920

The cause is fairly clear.

It's caused by the fact that firmware_loading_store has a case 0 in its
switch statement that reads and writes the fw_priv->fw pointer without the
protection of the fw_lock mutex.  Since there is a window between the time that
_request_firmware sets fw_priv->fw to NULL and the time the corresponding sysfs
file is unregistered, it's possible for a user space application to race in, and
write a zero to the loading file, causing a NULL dereference in
firmware_loading_store.  Fix it by extending the protection of the fw_lock mutex
to cover all of the firmware_loading_store function.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 drivers/base/firmware_class.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -226,13 +226,13 @@ static ssize_t firmware_loading_store(st
 	int loading = simple_strtol(buf, NULL, 10);
 	int i;
 
+	mutex_lock(&fw_lock);
+
+	if (!fw_priv->fw)
+		goto out;
+
 	switch (loading) {
 	case 1:
-		mutex_lock(&fw_lock);
-		if (!fw_priv->fw) {
-			mutex_unlock(&fw_lock);
-			break;
-		}
 		firmware_free_data(fw_priv->fw);
 		memset(fw_priv->fw, 0, sizeof(struct firmware));
 		/* If the pages are not owned by 'struct firmware' */
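Review bot: the new early exit `if (!fw_priv->fw) goto out;` lands on `return count`, so a write that arrives after the pointer has been cleared is accepted silently; that matches what the old `case 1` did on the same condition, but it is now the behaviour for every value of `loading`, including the final case that ends in `fw_load_abort(fw_priv)`. It would help to say in the changelog that skipping the abort when fw is already NULL is intended, or to return an error such as -ENODEV from that path if user space should learn the write was ignored.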
@@ -243,7 +243,6 @@ static ssize_t firmware_loading_store(st
 		fw_priv->page_array_size = 0;
 		fw_priv->nr_pages = 0;
 		set_bit(FW_STATUS_LOADING, &fw_priv->status);
-		mutex_unlock(&fw_lock);
 		break;
 	case 0:
 		if (test_bit(FW_STATUS_LOADING, &fw_priv->status)) {
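Review bot: with the `mutex_unlock(&fw_lock)` before `break` removed, `case 0` (from `test_bit(FW_STATUS_LOADING, &fw_priv->status)` onwards) and the cases after it now run with fw_lock held. The body of `case 0` is not in the diff, so please confirm nothing in it re-takes fw_lock or blocks waiting for a path that needs it, since either would now deadlock instead of racing. Note also that `break` is now the only exit from `case 1`, so lock balance there depends entirely on the unlock at the new `out:` label.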
@@ -274,7 +273,8 @@ static ssize_t firmware_loading_store(st
 		fw_load_abort(fw_priv);
 		break;
 	}
-
+out:
+	mutex_unlock(&fw_lock);
 	return count;
 }
 
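Review bot: placing `out:` directly before the single `mutex_unlock(&fw_lock)` means every `break` in the switch and the early `goto out` reach the same unlock, which keeps the lock balanced on all paths as long as no `return` exists inside the switch body that the diff does not show. A one-line comment above `out:` stating that fw_lock is held from the NULL check to this point would spare the next reader from reconstructing the lock scope.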


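As an added illustration that is not part of the patch or of the kernel source, the following user-space model reproduces the race the commit message describes: the teardown clears fw_priv->fw under the lock while the sysfs loading file is still writable, and a write of "0" in that window hits an unguarded pointer in the old code but is rejected under the lock in the new one. The struct layout, the counter-based fw_lock and the hypothetical write_zero_in_window() driver are constructed here and are not the kernel's.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
/* Constructed user-space model of firmware_loading_store(); not kernel code.
 * fw_lock is a depth counter here so lock balance can be checked afterwards. */
struct firmware { void *data; size_t size; };
struct fw_priv { struct firmware *fw; int loading; };
static int fw_lock_depth;
static void fw_lock(void)   { fw_lock_depth++; }
static void fw_unlock(void) { fw_lock_depth--; }
/* Teardown as the commit message describes: _request_firmware NULLs fw under
 * the lock, but the sysfs "loading" file stays writable for a moment after. */
static void request_firmware_teardown(struct fw_priv *p) { fw_lock(); p->fw = NULL; fw_unlock(); }
/* Before the patch: only case 1 checks fw under the lock; case 0 reads and
 * writes fw_priv->fw unguarded. Returns -1 where the real code oopses. */
static ssize_t loading_store_before(struct fw_priv *p, const char *buf, size_t count)
{
    switch ((int)strtol(buf, NULL, 10)) {
    case 1:
        fw_lock();
        if (!p->fw) { fw_unlock(); break; }
        memset(p->fw, 0, sizeof *p->fw); p->loading = 1; fw_unlock(); break;
    case 0:
        if (!p->fw) return -1;                /* the NULL dereference */
        p->fw->size = 0; p->loading = 0; break;
    }
    return (ssize_t)count;
}
/* After the patch: lock and NULL check cover every case; one unlock at out:. */
static ssize_t loading_store_after(struct fw_priv *p, const char *buf, size_t count)
{
    fw_lock();
    if (!p->fw) goto out;
    switch ((int)strtol(buf, NULL, 10)) {
    case 1: memset(p->fw, 0, sizeof *p->fw); p->loading = 1; break;
    case 0: p->fw->size = 0; p->loading = 0; break;
    }
out:
    fw_unlock();
    return (ssize_t)count;
}
/* Drive the race: user space writes "0" to the file inside the teardown window. */
typedef ssize_t (*store_fn)(struct fw_priv *, const char *, size_t);
static ssize_t write_zero_in_window(store_fn store)
{
    struct firmware fw = { NULL, 0 }; struct fw_priv p = { &fw, 1 };
    request_firmware_teardown(&p);            /* fw is now NULL, file still open */
    return store(&p, "0", 2);
}
```

Checking fw_lock_depth after each call shows the property the patch relies on: both the early-exit path and every switch case leave the mutex released.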
