linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Luis Chamberlain <mcgrof@kernel.org>
To: Shuah Khan <skhan@linuxfoundation.org>
Cc: Anirudh Rayabharam <mail@anirudhrb.com>,
	Hillf Danton <hdanton@sina.com>,
	gregkh@linuxfoundation.org, rafael@kernel.org,
	linux-kernel@vger.kernel.org,
	syzbot+77cea49e091776a57689@syzkaller.appspotmail.com
Subject: Re: [PATCH] firmware_loader: Fix use-after-free Read in firmware_loading_store
Date: Thu, 15 Jul 2021 16:21:05 -0700	[thread overview]
Message-ID: <20210715232105.am4wsxfclj2ufjdw@garbanzo> (raw)
In-Reply-To: <d17eeb0f-a46e-2515-43a6-36c16002928a@linuxfoundation.org>

On Thu, Jul 15, 2021 at 04:46:24PM -0600, Shuah Khan wrote:
> On 7/15/21 4:28 PM, Luis Chamberlain wrote:
> > On Fri, Jul 09, 2021 at 10:38:12AM -0600, Shuah Khan wrote:
> > > However I am seeing the following over and over again in the
> > > log - hence I think it is safer to check the aborted status
> > > in __fw_load_abort().
> > > 
> > > ? __list_del_entry_valid+0xe0/0xf0
> > > [  348.604808][T12994]  __list_del_entry_valid+0xe0/0xf0
> > > [  348.610020][T12994]  firmware_loading_store+0x141/0x650
> > > [  348.615761][T12994]  ? firmware_data_write+0x4e0/0x4e0
> > > [  348.621064][T12994]  ? sysfs_file_ops+0x1c0/0x1c0
> > > [  348.625921][T12994]  dev_attr_store+0x50/0x80
> > > 
> > > Also the fallback logic takes actions based on errors as in
> > > fw_load_sysfs_fallback() that returns -EAGAIN which would
> > > trigger request_firmware() again.
> > > 
> > > Based on all of this I think this fix is needed, if only I can
> > > test for sure.
> > 
> > Shuah, curious if you had read this patch from Anirudh Rayabharam
> > and my response to that v4 patch iteration?
> > 
> > https://lkml.kernel.org/r/20210518155921.4181-1-mail@anirudhrb.com
> > 
> 
> Yes. I realized I am trying to fix the same problem we have been
> discussing. :) Sorry for the noise.

No worries, and thanks again for you help!

> Ignore my patch. I will follow the thread.

OK ! I think all we need is just Anirudh to split his patch to
remove the -EAGAIN return value in a separate patch as a first step,
documenting in the commmit log that:

The only motivation on her part with using -EAGAIN on commit
0542ad88fbdd81bb ("firmware loader: Fix _request_firmware_load()
return val for fw load abort") was to distinguish the error from
-ENOMEM, and so there is no real reason in keeping it. Keeping
-ETIMEDOUT is much telling of what the reason for a failure is,
so just use that.

Then his second patch would be simplified without the -EAGAIN
condition.

All I asked was to confirm that the -ETIMEDOUT was indeed propagated.

Anirudh, sorry for the trouble, but can I ask you for a v5 with two
patches as described above?

  Luis

  reply	other threads:[~2021-07-15 23:21 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-08  3:13 [PATCH] firmware_loader: Fix use-after-free Read in firmware_loading_store Shuah Khan
     [not found] ` <20210709091721.1869-1-hdanton@sina.com>
2021-07-09 16:15   ` Shuah Khan
2021-07-09 16:38     ` Shuah Khan
2021-07-15 22:28       ` Luis Chamberlain
2021-07-15 22:46         ` Shuah Khan
2021-07-15 23:21           ` Luis Chamberlain [this message]
2021-07-18  9:01             ` Anirudh Rayabharam

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210715232105.am4wsxfclj2ufjdw@garbanzo \
    --to=mcgrof@kernel.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=hdanton@sina.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mail@anirudhrb.com \
    --cc=rafael@kernel.org \
    --cc=skhan@linuxfoundation.org \
    --cc=syzbot+77cea49e091776a57689@syzkaller.appspotmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).