linux-kernel.vger.kernel.org archive mirror
From: "Michał Lach" <michal.lach@samsung.com>
To: <linux-kernel@vger.kernel.org>
Cc: <mcgrof@kernel.org>, <russell.h.weight@intel.com>,
	<gregkh@linuxfoundation.org>, <rafael@kernel.org>,
	<ming.lei@canonical.com>, <tiwai@suse.de>
Subject: RE: [PATCH] drivers/firmware_loader: remove list entry before deallocation
Date: Thu, 8 Dec 2022 11:45:28 +0100	[thread overview]
Message-ID: <000901d90af2$309b7c80$91d27580$@samsung.com> (raw)
In-Reply-To: <20221123111455.94972-1-michal.lach@samsung.com>

Pinging

With regards,
Michał

> -----Original Message-----
> From: Michal Lach <michal.lach@samsung.com>
> Sent: Wednesday, 23 November 2022 12:15
> To: linux-kernel@vger.kernel.org
> Cc: mcgrof@kernel.org; russell.h.weight@intel.com;
> gregkh@linuxfoundation.org; rafael@kernel.org; ming.lei@canonical.com;
> tiwai@suse.de; michal.lach@samsung.com
> Subject: [PATCH] drivers/firmware_loader: remove list entry before deallocation
> 
> If CONFIG_FW_LOADER_USER_HELPER is enabled, it is possible to interrupt the
> loading process after adding pending_list to pending_fw_list.
> Subsequently, if the user calls release_firmware(), which deallocates the fw_priv
> structure that pending_list is a member of, the entry in the list is not deleted.
> This causes a use-after-free on further attempts to add an entry to the list or on
> list traversal.
> 
> While not problematic in most drivers, since this function is mainly used in probe
> or init routines, some drivers expose firmware loading functionality via
> user-accessible functions like write() etc.
> In this case, during the sysfs loading process, we can send SIGKILL to the thread
> which is then in the kernel, leave the entry in the list and then free the structure.
> 
> Example kernel panics with CONFIG_DEBUG_LIST turned on:
> 
> kernel BUG at lib/list_debug.c:25!
> /* ... */
> Call trace:
>  __list_add_valid+0x7c/0x98
>  fw_load_sysfs_fallback+0xd4/0x334
>  fw_load_from_user_helper+0x148/0x1f8
>  firmware_fallback_sysfs+0xe0/0x17c
>  _request_firmware+0x1a0/0x470
>  request_firmware+0x50/0x78
> /* ... */
> 
> or
> 
> kernel BUG at lib/list_debug.c:56!
> /* ... */
> Call trace:
>  __list_del_entry_valid+0xa0/0xa4
>  fw_load_abort+0x38/0x64
>  fw_load_sysfs_fallback+0x354/0x468
>  fw_load_from_user_helper+0x17c/0x1c0
>  firmware_fallback_sysfs+0xc0/0x11c
>  _request_firmware+0xe0/0x4a4
>  request_firmware+0x20/0x2c
> /* ... */
> 
> Fixes: fe304143b0c3 ("firmware: Avoid deadlock of usermodehelper lock at shutdown")
> Signed-off-by: Michal Lach <michal.lach@samsung.com>
> ---
>  drivers/base/firmware_loader/main.c | 4 ++++
>  1 file changed, 4 insertions(+)
> 
> diff --git a/drivers/base/firmware_loader/main.c
> b/drivers/base/firmware_loader/main.c
> index 7c3590fd97c2..381997c84e4f 100644
> --- a/drivers/base/firmware_loader/main.c
> +++ b/drivers/base/firmware_loader/main.c
> @@ -209,6 +209,10 @@ static void __free_fw_priv(struct kref *ref)
>  		 __func__, fw_priv->fw_name, fw_priv, fw_priv->data,
>  		 (unsigned int)fw_priv->size);
> 
> +#ifdef CONFIG_FW_LOADER_USER_HELPER
> +	list_del(&fw_priv->pending_list);
> +#endif
> +
>  	list_del(&fw_priv->list);
>  	spin_unlock(&fwc->lock);
> 
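Review bot: this list_del() now runs for every fw_priv that reaches __free_fw_priv, including ones that never went through the sysfs fallback, so it depends on fw_priv->pending_list being initialised with INIT_LIST_HEAD on every allocation path; if any path leaves the field zeroed, the unlink dereferences a NULL or stale prev/next. Two related points for the same hunk: the unlink happens under fwc->lock (the spin_unlock(&fwc->lock) two lines below), while the commit message has the entry added in fw_load_sysfs_fallback and removed in fw_load_abort, and nothing here states that fwc->lock is what serialises that list, so the changelog should say which lock protects pending_fw_list or the hunk should take that lock as well; and because fw_load_abort already unlinks the entry on the normal path (the second trace shows it inside __list_del_entry_valid), using list_del_init() on both sides, or a list_empty() check before the unlink here, keeps a second removal from hitting the LIST_POISON pointers that CONFIG_DEBUG_LIST reports.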
> --
> 2.25.1
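The failure mode in the quoted commit message, as an added example that is not part of the original post or of the kernel tree: a user-space model of an intrusive list node that outlives its containing object, with CONFIG_DEBUG_LIST-style validation reproduced from memory rather than copied from lib/list_debug.c. The names scenario_release_firmware, scenario_double_unlink and model_kfree are the example's own, and kfree() is modelled as filling the freed object with 0x6b (assumed here as the SLUB_DEBUG poison pattern) instead of calling free(), so the stale pointers are detected deterministically rather than through undefined behaviour.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * the bug in the commit message. An intrusive list node embedded in an object
 * stays linked after the object is freed, so the next list_add() fails the
 * CONFIG_DEBUG_LIST-style checks. kfree() is modelled as filling the object with
 * 0x6b (assumed, SLUB_DEBUG's poison) instead of free(), so the stale pointers
 * are caught deterministically rather than through undefined behaviour. */
#include <stdbool.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)
#define SLAB_POISON  0x6b

static void init_list_head(struct list_head *h) { h->next = h; h->prev = h; }

/* The conditions lib/list_debug.c checks before linking a node. */
static bool list_add_valid(const struct list_head *node,
			   const struct list_head *prev, const struct list_head *next)
{
	return next->prev == prev && prev->next == next &&
	       node != prev && node != next;
}

/* The conditions lib/list_debug.c checks before unlinking a node. */
static bool list_del_entry_valid(const struct list_head *e)
{
	if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
		return false;	/* already unlinked by list_del() */
	return e->prev->next == e && e->next->prev == e;
}

/* The primitives return false instead of BUG()-ing when a check fails. */
static bool list_add(struct list_head *node, struct list_head *head)
{
	if (!list_add_valid(node, head, head->next))
		return false;
	node->next = head->next;
	node->prev = head;
	head->next->prev = node;
	head->next = node;
	return true;
}

static bool list_del(struct list_head *e)
{
	if (!list_del_entry_valid(e))
		return false;
	e->prev->next = e->next;
	e->next->prev = e->prev;
	e->next = LIST_POISON1;
	e->prev = LIST_POISON2;
	return true;
}

static bool list_del_init(struct list_head *e)
{
	if (!list_del_entry_valid(e))
		return false;
	e->prev->next = e->next;
	e->next->prev = e->prev;
	init_list_head(e);	/* a later unlink of this node is harmless */
	return true;
}

struct fw_priv { struct list_head pending_list; };	/* stand-in for the kernel struct */

static void model_kfree(struct fw_priv *p) { memset(p, SLAB_POISON, sizeof(*p)); }

/* Commit-message sequence: entry added to the pending list, load interrupted,
 * release_firmware() frees fw_priv. unlink_first selects the buggy path (entry
 * left linked) or the patched one. Returns whether the next list_add() validated. */
bool scenario_release_firmware(bool unlink_first)
{
	struct list_head pending_fw_head;
	struct fw_priv first, second;
	init_list_head(&pending_fw_head);
	init_list_head(&first.pending_list);
	init_list_head(&second.pending_list);
	list_add(&first.pending_list, &pending_fw_head);	/* fw_load_sysfs_fallback */
	if (unlink_first)
		list_del(&first.pending_list);
	model_kfree(&first);					/* __free_fw_priv */
	/* If still linked, head->next is poisoned memory whose prev != head. */
	return list_add(&second.pending_list, &pending_fw_head);
}

/* Two paths unlinking one node: a second list_del() hits the poison pointers
 * (trace 2's __list_del_entry_valid); a second list_del_init() is accepted. */
bool scenario_double_unlink(bool use_del_init)
{
	struct list_head head, node;
	init_list_head(&head);
	init_list_head(&node);
	list_add(&node, &head);
	if (use_del_init)
		return list_del_init(&node) && list_del_init(&node);
	return list_del(&node) && list_del(&node);
}
```

scenario_release_firmware(false) reproduces the first trace: the stale entry is still reachable from the list head, so the validation that precedes the next list_add() rejects it; with unlink_first set the same sequence succeeds. scenario_double_unlink shows why a node that can be unlinked on two paths is better handled with list_del_init() than with a plain list_del().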

Thread overview: 12+ messages
2022-11-23 11:14 ` [PATCH] drivers/firmware_loader: remove list entry before deallocation Michal Lach
2022-11-29 19:06   ` Russ Weight
2022-12-08 10:45   ` Michał Lach [this message]
2022-12-08 13:18     ` Greg KH
2022-12-08 15:23       ` Michał Lach
2022-12-08 15:42         ` Greg KH
2022-12-08 16:18           ` Michał Lach
2022-12-08 18:18             ` Greg KH
2022-12-09 14:09               ` Michał Lach
2022-12-12  6:04   ` Luis Chamberlain
2022-12-12 17:52     ` Michał Lach
2022-12-13 23:05       ` Luis Chamberlain
