From: Greg KH <gregkh@linuxfoundation.org>
To: "Luis R. Rodriguez" <mcgrof@kernel.org>
Cc: ming.lei@canonical.com, keescook@chromium.org,
linux-kernel-dev@beckhoff.com, jakub.kicinski@netronome.com,
chris@chris-wilson.co.uk, oss-drivers@netronome.com,
johannes@sipsolutions.net, j@w1.fi, teg@jklm.no, kay@vrfy.org,
jwboyer@fedoraproject.org, dmitry.torokhov@gmail.com,
seth.forshee@canonical.com, bjorn.andersson@linaro.org,
linux-kernel@vger.kernel.org, wagi@monom.org,
stephen.boyd@linaro.org, zohar@linux.vnet.ibm.com, tiwai@suse.de,
dwmw2@infradead.org, fengguang.wu@intel.com, dhowells@redhat.com,
arend.vanspriel@broadcom.com, kvalo@codeaurora.org,
kimran@codeaurora.org, "[3.10+]" <stable@vger.kernel.org>
Subject: Re: [PATCH v2] firmware: fix NULL pointer dereference in __fw_load_abort()
Date: Wed, 25 Jan 2017 16:47:25 +0100 [thread overview]
Message-ID: <20170125154725.GB21106@kroah.com> (raw)
In-Reply-To: <20170125152118.27171-1-mcgrof@kernel.org>
On Wed, Jan 25, 2017 at 07:21:18AM -0800, Luis R. Rodriguez wrote:
> Since commit 5d47ec02c37ea632398cb251c884e3a488dff794
> ("firmware: Correct handling of fw_state_wait() return value")
> fw_load_abort(fw_priv) could be called twice and lead us to a
> kernel crash. This happens only when the firmware fallback mechanism
> (regular or custom) is used. The fallback mechanism exposes a sysfs
> interface for userspace to upload a file and notify the kernel when
> the file is loaded and ready, or to cancel an upload by echo'ing -1
> into on the loading file:
>
> echo -n "-1" > /sys/$DEVPATH/loading
>
> This will call fw_load_abort(). Some distributions actually have
> a udev rule in place to *always* immediately cancel all firmware
> fallback mechanism requests (Debian), they have:
>
> $ cat /lib/udev/rules.d/50-firmware.rules
> # stub for immediately telling the kernel that userspace firmware loading
> # failed; necessary to avoid long timeouts with CONFIG_FW_LOADER_USER_HELPER=y
> SUBSYSTEM=="firmware", ACTION=="add", ATTR{loading}="-1
>
> This was done since udev removed the firmware fallback mechanism a while ago
> and a long standing misunderstood issues with the timeout (but now corrected).
> Distributions with this udev rule would run into this crash only if the
> fallback mechanism is used. Since most distributions disable by default
> using the fallback mechanism (CONFIG_FW_LOADER_USER_HELPER_FALLBACK), this
> would typicaly mean only 2 drivers which *require* the fallback mechanism
> could typically incur a crash: drivers/firmware/dell_rbu.c and the
> drivers/leds/leds-lp55xx-common.c driver.
>
> The crash happens because after commit 5b029624948d ("firmware: do not
> use fw_lock for fw_state protection") and subsequent fix commit
> 5d47ec02c37ea6 ("firmware: Correct handling of fw_state_wait() return
> value") a race can happen between this cancelation and the firmware
> fw_state_wait_timeout() being woken up after a state change with which
> fw_load_abort() as that calls swake_up(). Upon error fw_state_wait_timeout()
> will also again call fw_load_abort() and trigger a null reference.
>
> At first glance we could just fix this with a !buf check on
> fw_load_abort() before accessing buf->fw_st, however there is
> a logical issue in having a state machine used for the fallback
> mechanism and preventing access from it once we abort as its inside
> the buf (buf->fw_st).
>
> The firmware_class.c code is setting the buf to NULL to annotate an
> abort has occurred. Replace this mechanism by simply using the state check
> instead. All the other code in place already uses similar checks
> for aborting as well so no further changes are needed.
>
> An oops can be reproduced with the new fw_fallback.sh fallback
> mechanism cancellation test. Either cancelling the fallback mechanism
> or the custom fallback mechanism triggers a crash.
You are still writing books here.
With crazy margins, pick one line width (72 columns), and stick with it
please.
Can you reformat this and resend please?
thanks,
greg k-h-
next prev parent reply other threads:[~2017-01-25 15:47 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-17 15:35 [PATCHv2] firmware: Correct handling of fw_state_wait_timeout() return value Jakub Kicinski
2017-01-17 16:15 ` Luis R. Rodriguez
2017-01-17 16:21 ` Luis R. Rodriguez
2017-01-17 16:30 ` Jakub Kicinski
2017-01-17 17:30 ` Luis R. Rodriguez
2017-01-17 18:04 ` Jakub Kicinski
2017-01-17 20:53 ` Luis R. Rodriguez
2017-01-17 21:17 ` Jakub Kicinski
2017-01-18 6:33 ` linux-kernel-dev
2017-01-18 20:01 ` Luis R. Rodriguez
2017-01-23 16:11 ` [PATCH 0/7] firmware: expand test units for fallback mechanism Luis R. Rodriguez
2017-01-23 16:11 ` [PATCH 1/7] test_firmware: move misc_device down Luis R. Rodriguez
2017-01-23 16:11 ` [PATCH 2/7] test_firmware: use device attribute groups Luis R. Rodriguez
2017-01-23 16:11 ` [PATCH 3/7] tools: firmware: check for distro fallback udev cancel rule Luis R. Rodriguez
2017-01-23 16:11 ` [PATCH 4/7] tools: firmware: rename fallback mechanism script Luis R. Rodriguez
2017-01-23 16:11 ` [PATCH 5/7] tools: firmware: add fallback cancelation testing Luis R. Rodriguez
2017-01-23 16:11 ` [PATCH 6/7] test_firmware: add test custom fallback trigger Luis R. Rodriguez
2017-01-23 16:11 ` [PATCH 7/7] firmware: firmware: fix NULL pointer dereference in __fw_load_abort() Luis R. Rodriguez
2017-01-25 10:52 ` Greg KH
2017-01-25 13:36 ` Luis R. Rodriguez
2017-01-25 13:42 ` Luis R. Rodriguez
2017-01-25 14:41 ` Greg KH
2017-01-25 15:21 ` [PATCH v2] " Luis R. Rodriguez
2017-01-25 15:47 ` Greg KH [this message]
2017-01-25 18:31 ` Luis R. Rodriguez
2017-01-25 18:31 ` [PATCH v3] " Luis R. Rodriguez
-- strict thread matches above, loose matches on Subject: below --
2017-01-17 10:08 [PATCH v2] " linux-kernel-dev
2017-01-17 16:20 ` Luis R. Rodriguez
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170125154725.GB21106@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=arend.vanspriel@broadcom.com \
--cc=bjorn.andersson@linaro.org \
--cc=chris@chris-wilson.co.uk \
--cc=dhowells@redhat.com \
--cc=dmitry.torokhov@gmail.com \
--cc=dwmw2@infradead.org \
--cc=fengguang.wu@intel.com \
--cc=j@w1.fi \
--cc=jakub.kicinski@netronome.com \
--cc=johannes@sipsolutions.net \
--cc=jwboyer@fedoraproject.org \
--cc=kay@vrfy.org \
--cc=keescook@chromium.org \
--cc=kimran@codeaurora.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel-dev@beckhoff.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mcgrof@kernel.org \
--cc=ming.lei@canonical.com \
--cc=oss-drivers@netronome.com \
--cc=seth.forshee@canonical.com \
--cc=stable@vger.kernel.org \
--cc=stephen.boyd@linaro.org \
--cc=teg@jklm.no \
--cc=tiwai@suse.de \
--cc=wagi@monom.org \
--cc=zohar@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).