evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

firmware loader: fix use-after-free by double abort

Browse source 
fw_priv->buf is accessed in both request_firmware_load() and
writing to sysfs file of 'loading' context, but not protected
by 'fw_lock' entirely. The patch makes sure that access on
'fw_priv->buf' is protected by the lock.

So fixes the double abort problem reported by nirinA raseliarison:

	http://lkml.org/lkml/2013/6/14/188

Reported-and-tested-by: nirinA raseliarison <nirina.raseliarison@gmail.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable <stable@vger.kernel.org> # 3.9
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Ming Lei 2013-06-15 16:36:38 +08:00 committed by Greg Kroah-Hartman
parent 7d13205581
commit 875979368e
1 changed files with 18 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

27
drivers/base/firmware_class.c
View file

@ -450,8 +450,18 @@ static void fw_load_abort(struct firmware_priv *fw_priv)
{ {
struct firmware_buf *buf = fw_priv->buf; struct firmware_buf *buf = fw_priv->buf;
/*
* There is a small window in which user can write to 'loading'
* between loading done and disappearance of 'loading'
*/
if (test_bit(FW_STATUS_DONE, &buf->status))
return;
set_bit(FW_STATUS_ABORT, &buf->status); set_bit(FW_STATUS_ABORT, &buf->status);
complete_all(&buf->completion); complete_all(&buf->completion);
/* avoid user action after loading abort */
fw_priv->buf = NULL;
} }
#define is_fw_load_aborted(buf) \ #define is_fw_load_aborted(buf) \
@ -528,7 +538,12 @@ static ssize_t firmware_loading_show(struct device *dev,
struct device_attribute *attr, char *buf) struct device_attribute *attr, char *buf)
{ {
struct firmware_priv *fw_priv = to_firmware_priv(dev); struct firmware_priv *fw_priv = to_firmware_priv(dev);
int loading = test_bit(FW_STATUS_LOADING, &fw_priv->buf->status); int loading = 0;
mutex_lock(&fw_lock);
if (fw_priv->buf)
loading = test_bit(FW_STATUS_LOADING, &fw_priv->buf->status);
mutex_unlock(&fw_lock);
return sprintf(buf, "%d\n", loading); return sprintf(buf, "%d\n", loading);
} }
@ -570,12 +585,12 @@ static ssize_t firmware_loading_store(struct device *dev,
const char *buf, size_t count) const char *buf, size_t count)
{ {
struct firmware_priv *fw_priv = to_firmware_priv(dev); struct firmware_priv *fw_priv = to_firmware_priv(dev);
struct firmware_buf *fw_buf = fw_priv->buf; struct firmware_buf *fw_buf;
int loading = simple_strtol(buf, NULL, 10); int loading = simple_strtol(buf, NULL, 10);
int i; int i;
mutex_lock(&fw_lock); mutex_lock(&fw_lock);
fw_buf = fw_priv->buf;
if (!fw_buf) if (!fw_buf)
goto out; goto out;
@ -777,10 +792,6 @@ static void firmware_class_timeout_work(struct work_struct *work)
struct firmware_priv, timeout_work.work); struct firmware_priv, timeout_work.work);
mutex_lock(&fw_lock); mutex_lock(&fw_lock);
if (test_bit(FW_STATUS_DONE, &(fw_priv->buf->status))) {
mutex_unlock(&fw_lock);
return;
}
fw_load_abort(fw_priv); fw_load_abort(fw_priv);
mutex_unlock(&fw_lock); mutex_unlock(&fw_lock);
} }
@ -861,8 +872,6 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, bool uevent,
cancel_delayed_work_sync(&fw_priv->timeout_work); cancel_delayed_work_sync(&fw_priv->timeout_work);
fw_priv->buf = NULL;
device_remove_file(f_dev, &dev_attr_loading); device_remove_file(f_dev, &dev_attr_loading);
err_del_bin_attr: err_del_bin_attr:
device_remove_bin_file(f_dev, &firmware_attr_data); device_remove_bin_file(f_dev, &firmware_attr_data);