Re: 4.10-rc3, firmware loading via user space helper crashes if firmware not present
On Fri, 13 Jan 2017 13:32:58 -0800, Jakub Kicinski wrote: > If one requests a FW which does not exist in the FS and the user space > helper is used then fw_load_abort() will be called twice which leads to > NULL-deref. > > It will be called once in firmware_loading_store() (handling the -1 > case) and then again in _request_firmware_load() because return value > from fw_state_wait_timeout() was negative. > > I think this is introduced in by f52cc379423d ("firmware: refactor > loading status"). > > The simple fix would be to not "unlink" the buf by fw_load_abort() in > firmware_loading_store() and always rely on firmware_loading_store(). > > --->8 > > diff --git a/drivers/base/firmware_class.c > b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644 > --- a/drivers/base/firmware_class.c > +++ b/drivers/base/firmware_class.c > @@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device > *dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading); > /* fallthrough */ > case -1: > - fw_load_abort(fw_priv); > + fw_state_aborted(_buf->fw_st); > break; > } > out: > > ---8< > > Or should we fix up the ret code handling in __fw_state_wait_common()? I got this backwards, I blamed the wrong commit, it's the 5d47ec02c37e ("firmware: Correct handling of fw_state_wait() return value") in fact. It made the assumption that all errors returned from fw_state_wait_timeout() require calling the abort, while in fact abort should only be called if user mode helper didn't do anything (either it timed out or someone hit ^C). I'm leaning towards this: --->8 diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index 4497d263209f..ce142e6b2c72 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -1020,7 +1020,7 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, } retval = fw_state_wait_timeout(>fw_st, timeout); - if (retval < 0) { + if (retval == -ETIMEDOUT || retval == -ERESTARTSYS) { mutex_lock(_lock); fw_load_abort(fw_priv); mutex_unlock(_lock); ---8< Unless advised otherwise I will submit this officially on Monday :)
Re: 4.10-rc3, firmware loading via user space helper crashes if firmware not present
On Fri, 13 Jan 2017 13:32:58 -0800, Jakub Kicinski wrote: > If one requests a FW which does not exist in the FS and the user space > helper is used then fw_load_abort() will be called twice which leads to > NULL-deref. > > It will be called once in firmware_loading_store() (handling the -1 > case) and then again in _request_firmware_load() because return value > from fw_state_wait_timeout() was negative. > > I think this is introduced in by f52cc379423d ("firmware: refactor > loading status"). > > The simple fix would be to not "unlink" the buf by fw_load_abort() in > firmware_loading_store() and always rely on firmware_loading_store(). > > --->8 > > diff --git a/drivers/base/firmware_class.c > b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644 > --- a/drivers/base/firmware_class.c > +++ b/drivers/base/firmware_class.c > @@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device > *dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading); > /* fallthrough */ > case -1: > - fw_load_abort(fw_priv); > + fw_state_aborted(_buf->fw_st); > break; > } > out: > > ---8< > > Or should we fix up the ret code handling in __fw_state_wait_common()? I got this backwards, I blamed the wrong commit, it's the 5d47ec02c37e ("firmware: Correct handling of fw_state_wait() return value") in fact. It made the assumption that all errors returned from fw_state_wait_timeout() require calling the abort, while in fact abort should only be called if user mode helper didn't do anything (either it timed out or someone hit ^C). I'm leaning towards this: --->8 diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index 4497d263209f..ce142e6b2c72 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -1020,7 +1020,7 @@ static int _request_firmware_load(struct firmware_priv *fw_priv, } retval = fw_state_wait_timeout(>fw_st, timeout); - if (retval < 0) { + if (retval == -ETIMEDOUT || retval == -ERESTARTSYS) { mutex_lock(_lock); fw_load_abort(fw_priv); mutex_unlock(_lock); ---8< Unless advised otherwise I will submit this officially on Monday :)
4.10-rc3, firmware loading via user space helper crashes if firmware not present
Hi! If one requests a FW which does not exist in the FS and the user space helper is used then fw_load_abort() will be called twice which leads to NULL-deref. It will be called once in firmware_loading_store() (handling the -1 case) and then again in _request_firmware_load() because return value from fw_state_wait_timeout() was negative. I think this is introduced in by f52cc379423d ("firmware: refactor loading status"). The simple fix would be to not "unlink" the buf by fw_load_abort() in firmware_loading_store() and always rely on firmware_loading_store(). --->8 diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device *dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading); /* fallthrough */ case -1: - fw_load_abort(fw_priv); + fw_state_aborted(_buf->fw_st); break; } out: ---8< Or should we fix up the ret code handling in __fw_state_wait_common()? Kuba
4.10-rc3, firmware loading via user space helper crashes if firmware not present
Hi! If one requests a FW which does not exist in the FS and the user space helper is used then fw_load_abort() will be called twice which leads to NULL-deref. It will be called once in firmware_loading_store() (handling the -1 case) and then again in _request_firmware_load() because return value from fw_state_wait_timeout() was negative. I think this is introduced in by f52cc379423d ("firmware: refactor loading status"). The simple fix would be to not "unlink" the buf by fw_load_abort() in firmware_loading_store() and always rely on firmware_loading_store(). --->8 diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device *dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading); /* fallthrough */ case -1: - fw_load_abort(fw_priv); + fw_state_aborted(_buf->fw_st); break; } out: ---8< Or should we fix up the ret code handling in __fw_state_wait_common()? Kuba