From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1750996AbdANDlO (ORCPT <rfc822;w@1wt.eu>);
        Fri, 13 Jan 2017 22:41:14 -0500
Received: from mx4.wp.pl ([212.77.101.12]:52837 "EHLO mx4.wp.pl"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1750750AbdANDlN (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 13 Jan 2017 22:41:13 -0500
Date: Fri, 13 Jan 2017 19:40:50 -0800
From: Jakub Kicinski <kubakici@wp.pl>
To: Daniel Wagner <daniel.wagner@bmw-carit.de>,
        Bjorn Andersson <bjorn.andersson@linaro.org>
Cc: "Luis R. Rodriguez" <mcgrof@kernel.org>, linux-kernel@vger.kernel.org
Subject: Re: 4.10-rc3, firmware loading via user space helper crashes if
 firmware not present
Message-ID: <20170113194050.48fa5e0b@laptop>
In-Reply-To: <20170113133258.1cc6bf39@laptop>
References: <20170113133258.1cc6bf39@laptop>
X-Mailer: Claws Mail 3.14.0-49-g1cc35f (GTK+ 2.24.31; x86_64-unknown-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-WP-MailID: 0df986e5b7ca4df92d7cc96fd1b8642f
X-WP-AV: skaner antywirusowy Poczty Wirtualnej Polski
X-WP-SPAM: NO 000000A [AdMk]                               
Sender: linux-kernel-owner@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, 13 Jan 2017 13:32:58 -0800, Jakub Kicinski wrote:
> If one requests a FW which does not exist in the FS and the user space
> helper is used then fw_load_abort() will be called twice which leads to
> NULL-deref.
> 
> It will be called once in firmware_loading_store() (handling the -1
> case) and then again in _request_firmware_load() because return value
> from fw_state_wait_timeout() was negative.
> 
> I think this is introduced in by f52cc379423d ("firmware: refactor
> loading status").
> 
> The simple fix would be to not "unlink" the buf by fw_load_abort() in
> firmware_loading_store() and always rely on firmware_loading_store().
> 
> ------->8------------------------------------  
> 
> diff --git a/drivers/base/firmware_class.c
> b/drivers/base/firmware_class.c index 4497d263209f..89eb9de81145 100644
> --- a/drivers/base/firmware_class.c
> +++ b/drivers/base/firmware_class.c
> @@ -766,7 +770,7 @@ static ssize_t firmware_loading_store(struct device
> *dev, dev_err(dev, "%s: unexpected value (%d)\n", __func__, loading);
>  		/* fallthrough */
>  	case -1:
> -		fw_load_abort(fw_priv);
> +		fw_state_aborted(&fw_buf->fw_st);
>  		break;
>  	}
>  out:
> 
> -------8<------------------------------------
> 
> Or should we fix up the ret code handling in __fw_state_wait_common()?

I got this backwards, I blamed the wrong commit, it's the 5d47ec02c37e
("firmware: Correct handling of fw_state_wait() return value") in fact.
It made the assumption that all errors returned from
fw_state_wait_timeout() require calling the abort, while in fact abort
should only be called if user mode helper didn't do anything (either
it timed out or someone hit ^C).

I'm leaning towards this:

------->8------------------------------------

diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 4497d263209f..ce142e6b2c72 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -1020,7 +1020,7 @@ static int _request_firmware_load(struct firmware_priv *fw_priv,
 	}
 
 	retval = fw_state_wait_timeout(&buf->fw_st, timeout);
-	if (retval < 0) {
+	if (retval == -ETIMEDOUT || retval == -ERESTARTSYS) {
 		mutex_lock(&fw_lock);
 		fw_load_abort(fw_priv);
 		mutex_unlock(&fw_lock);

-------8<------------------------------------

Unless advised otherwise I will submit this officially on Monday :)