Commit e8780dac authored by Linus Torvalds's avatar Linus Torvalds Committed by Sasha Levin

Fix firmware loader uevent buffer NULL pointer dereference

[ Upstream commit 6f957724 ]

The firmware class uevent function accessed the "fw_priv->buf" buffer
without the proper locking and testing for NULL.  This is an old bug
(looks like it goes back to 2012 and commit 1244691c: "firmware
loader: introduce firmware_buf"), but for some reason it's triggering
only now in 4.2-rc1.

Shuah Khan is trying to bisect what it is that causes this to trigger
more easily, but in the meantime let's just fix the bug since others are
hitting it too (at least Ingo reports having seen it as well).
Reported-and-tested-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
Acked-by: default avatarMing Lei <ming.lei@canonical.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
parent 3e35337a
......@@ -545,10 +545,8 @@ static void fw_dev_release(struct device *dev)
kfree(fw_priv);
}
static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
static int do_firmware_uevent(struct firmware_priv *fw_priv, struct kobj_uevent_env *env)
{
struct firmware_priv *fw_priv = to_firmware_priv(dev);
if (add_uevent_var(env, "FIRMWARE=%s", fw_priv->buf->fw_id))
return -ENOMEM;
if (add_uevent_var(env, "TIMEOUT=%i", loading_timeout))
......@@ -559,6 +557,18 @@ static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
return 0;
}
static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
{
struct firmware_priv *fw_priv = to_firmware_priv(dev);
int err = 0;
mutex_lock(&fw_lock);
if (fw_priv->buf)
err = do_firmware_uevent(fw_priv, env);
mutex_unlock(&fw_lock);
return err;
}
static struct class firmware_class = {
.name = "firmware",
.class_attrs = firmware_class_attrs,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment