Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 87597936 authored by Ming Lei's avatar Ming Lei Committed by Greg Kroah-Hartman
Browse files

firmware loader: fix use-after-free by double abort 

fw_priv->buf is accessed in both request_firmware_load() and
writing to sysfs file of 'loading' context, but not protected
by 'fw_lock' entirely. The patch makes sure that access on
'fw_priv->buf' is protected by the lock.

So fixes the double abort problem reported by nirinA raseliarison:

	http://lkml.org/lkml/2013/6/14/188



Reported-and-tested-by: default avatarnirinA raseliarison <nirina.raseliarison@gmail.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable <stable@vger.kernel.org> # 3.9
Signed-off-by: default avatarMing Lei <ming.lei@canonical.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7d132055

drivers/base/firmware_class.c

+18 −9
Original line number Diff line number Diff line
@@ -450,8 +450,18 @@ static void fw_load_abort(struct firmware_priv *fw_priv) 
{

	struct firmware_buf *buf = fw_priv->buf;



	/*

	 * There is a small window in which user can write to 'loading'

	 * between loading done and disappearance of 'loading'

	 */

	if (test_bit(FW_STATUS_DONE, &buf->status))

		return;



	set_bit(FW_STATUS_ABORT, &buf->status);

	complete_all(&buf->completion);



	/* avoid user action after loading abort */

	fw_priv->buf = NULL;

}



#define is_fw_load_aborted(buf)	\
@@ -528,7 +538,12 @@ static ssize_t firmware_loading_show(struct device *dev, 
				     struct device_attribute *attr, char *buf)

{

	struct firmware_priv *fw_priv = to_firmware_priv(dev);

	int loading = test_bit(FW_STATUS_LOADING, &fw_priv->buf->status);

	int loading = 0;



	mutex_lock(&fw_lock);

	if (fw_priv->buf)

		loading = test_bit(FW_STATUS_LOADING, &fw_priv->buf->status);

	mutex_unlock(&fw_lock);



	return sprintf(buf, "%d\n", loading);

}
@@ -570,12 +585,12 @@ static ssize_t firmware_loading_store(struct device *dev, 
				      const char *buf, size_t count)

{

	struct firmware_priv *fw_priv = to_firmware_priv(dev);

	struct firmware_buf *fw_buf = fw_priv->buf;

	struct firmware_buf *fw_buf;

	int loading = simple_strtol(buf, NULL, 10);

	int i;



	mutex_lock(&fw_lock);



	fw_buf = fw_priv->buf;

	if (!fw_buf)

		goto out;
@@ -777,10 +792,6 @@ static void firmware_class_timeout_work(struct work_struct *work) 
			struct firmware_priv, timeout_work.work);



	mutex_lock(&fw_lock);

	if (test_bit(FW_STATUS_DONE, &(fw_priv->buf->status))) {

		mutex_unlock(&fw_lock);

		return;

	}

	fw_load_abort(fw_priv);

	mutex_unlock(&fw_lock);

}
@@ -861,8 +872,6 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent, 


	cancel_delayed_work_sync(&fw_priv->timeout_work);



	fw_priv->buf = NULL;



	device_remove_file(f_dev, &dev_attr_loading);

err_del_bin_attr:

	device_remove_bin_file(f_dev, &firmware_attr_data);