subject:"4.10\-rc3, firmware loading via user space helper crashes if firmware not present"

Re: 4.10-rc3, firmware loading via user space helper crashes if firmware not present

2017-01-13 Thread Jakub Kicinski

On Fri, 13 Jan 2017 13:32:58 -0800, Jakub Kicinski wrote:
> If one requests a FW which does not exist in the FS and the user space
> helper is used then fw_load_abort() will be called twice which leads to
> NULL-deref.
> 
> It will be called once in firmware_loading_store() (handling the -1
> case) and then again in _request_firmware_load() because return value
> from fw_state_wait_timeout() was negative.
> 
> I think this is introduced in by f52cc379423d ("firmware: refactor
> loading status").
> 
> The simple fix would be to not "unlink" the buf by fw_load_abort() in
> firmware_loading_store() and always rely on firmware_loading_store().
> 
> --->8  
> 
> diff --git a/drivers/base/firmware_class.c
> b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644
> --- a/drivers/base/firmware_class.c
> +++ b/drivers/base/firmware_class.c
> @@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device
> *dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading);
>   /* fallthrough */
>   case -1:
> - fw_load_abort(fw_priv);
> + fw_state_aborted(_buf->fw_st);
>   break;
>   }
>  out:
> 
> ---8<
> 
> Or should we fix up the ret code handling in __fw_state_wait_common()?

I got this backwards, I blamed the wrong commit, it's the 5d47ec02c37e
("firmware: Correct handling of fw_state_wait() return value") in fact.
It made the assumption that all errors returned from
fw_state_wait_timeout() require calling the abort, while in fact abort
should only be called if user mode helper didn't do anything (either
it timed out or someone hit ^C).

I'm leaning towards this:

--->8

diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 4497d263209f..ce142e6b2c72 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -1020,7 +1020,7 @@ static int _request_firmware_load(struct firmware_priv 
*fw_priv,
}
 
retval = fw_state_wait_timeout(>fw_st, timeout);
-   if (retval < 0) {
+   if (retval == -ETIMEDOUT || retval == -ERESTARTSYS) {
mutex_lock(_lock);
fw_load_abort(fw_priv);
mutex_unlock(_lock);

---8<

Unless advised otherwise I will submit this officially on Monday :)

Re: 4.10-rc3, firmware loading via user space helper crashes if firmware not present

2017-01-13 Thread Jakub Kicinski

On Fri, 13 Jan 2017 13:32:58 -0800, Jakub Kicinski wrote:
> If one requests a FW which does not exist in the FS and the user space
> helper is used then fw_load_abort() will be called twice which leads to
> NULL-deref.
> 
> It will be called once in firmware_loading_store() (handling the -1
> case) and then again in _request_firmware_load() because return value
> from fw_state_wait_timeout() was negative.
> 
> I think this is introduced in by f52cc379423d ("firmware: refactor
> loading status").
> 
> The simple fix would be to not "unlink" the buf by fw_load_abort() in
> firmware_loading_store() and always rely on firmware_loading_store().
> 
> --->8  
> 
> diff --git a/drivers/base/firmware_class.c
> b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644
> --- a/drivers/base/firmware_class.c
> +++ b/drivers/base/firmware_class.c
> @@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device
> *dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading);
>   /* fallthrough */
>   case -1:
> - fw_load_abort(fw_priv);
> + fw_state_aborted(_buf->fw_st);
>   break;
>   }
>  out:
> 
> ---8<
> 
> Or should we fix up the ret code handling in __fw_state_wait_common()?

I got this backwards, I blamed the wrong commit, it's the 5d47ec02c37e
("firmware: Correct handling of fw_state_wait() return value") in fact.
It made the assumption that all errors returned from
fw_state_wait_timeout() require calling the abort, while in fact abort
should only be called if user mode helper didn't do anything (either
it timed out or someone hit ^C).

I'm leaning towards this:

--->8

diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 4497d263209f..ce142e6b2c72 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -1020,7 +1020,7 @@ static int _request_firmware_load(struct firmware_priv 
*fw_priv,
}
 
retval = fw_state_wait_timeout(>fw_st, timeout);
-   if (retval < 0) {
+   if (retval == -ETIMEDOUT || retval == -ERESTARTSYS) {
mutex_lock(_lock);
fw_load_abort(fw_priv);
mutex_unlock(_lock);

---8<

Unless advised otherwise I will submit this officially on Monday :)

4.10-rc3, firmware loading via user space helper crashes if firmware not present

2017-01-13 Thread Jakub Kicinski

Hi!

If one requests a FW which does not exist in the FS and the user space
helper is used then fw_load_abort() will be called twice which leads to
NULL-deref.

It will be called once in firmware_loading_store() (handling the -1
case) and then again in _request_firmware_load() because return value
from fw_state_wait_timeout() was negative.

I think this is introduced in by f52cc379423d ("firmware: refactor
loading status").

The simple fix would be to not "unlink" the buf by fw_load_abort() in
firmware_loading_store() and always rely on firmware_loading_store().

--->8

diff --git a/drivers/base/firmware_class.c
b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device
*dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading);
/* fallthrough */
case -1:
-   fw_load_abort(fw_priv);
+   fw_state_aborted(_buf->fw_st);
break;
}
 out:

---8<

Or should we fix up the ret code handling in __fw_state_wait_common()?

Kuba

4.10-rc3, firmware loading via user space helper crashes if firmware not present

2017-01-13 Thread Jakub Kicinski

Hi!

If one requests a FW which does not exist in the FS and the user space
helper is used then fw_load_abort() will be called twice which leads to
NULL-deref.

It will be called once in firmware_loading_store() (handling the -1
case) and then again in _request_firmware_load() because return value
from fw_state_wait_timeout() was negative.

I think this is introduced in by f52cc379423d ("firmware: refactor
loading status").

The simple fix would be to not "unlink" the buf by fw_load_abort() in
firmware_loading_store() and always rely on firmware_loading_store().

--->8

diff --git a/drivers/base/firmware_class.c
b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device
*dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading);
/* fallthrough */
case -1:
-   fw_load_abort(fw_priv);
+   fw_state_aborted(_buf->fw_st);
break;
}
 out:

---8<

Or should we fix up the ret code handling in __fw_state_wait_common()?

Kuba

Re: 4.10-rc3, firmware loading via user space helper crashes if firmware not present

Re: 4.10-rc3, firmware loading via user space helper crashes if firmware not present

4.10-rc3, firmware loading via user space helper crashes if firmware not present

4.10-rc3, firmware loading via user space helper crashes if firmware not present

4 matches

Site Navigation

Mail list logo

Footer information