From: Luis Chamberlain <mcgrof@kernel.org>
To: Shuah Khan <skhan@linuxfoundation.org>
Cc: Anirudh Rayabharam <mail@anirudhrb.com>,
Hillf Danton <hdanton@sina.com>,
gregkh@linuxfoundation.org, rafael@kernel.org,
linux-kernel@vger.kernel.org,
syzbot+77cea49e091776a57689@syzkaller.appspotmail.com
Subject: Re: [PATCH] firmware_loader: Fix use-after-free Read in firmware_loading_store
Date: Thu, 15 Jul 2021 16:21:05 -0700 [thread overview]
Message-ID: <20210715232105.am4wsxfclj2ufjdw@garbanzo> (raw)
In-Reply-To: <d17eeb0f-a46e-2515-43a6-36c16002928a@linuxfoundation.org>
On Thu, Jul 15, 2021 at 04:46:24PM -0600, Shuah Khan wrote:
> On 7/15/21 4:28 PM, Luis Chamberlain wrote:
> > On Fri, Jul 09, 2021 at 10:38:12AM -0600, Shuah Khan wrote:
> > > However I am seeing the following over and over again in the
> > > log - hence I think it is safer to check the aborted status
> > > in __fw_load_abort().
> > >
> > > ? __list_del_entry_valid+0xe0/0xf0
> > > [ 348.604808][T12994] __list_del_entry_valid+0xe0/0xf0
> > > [ 348.610020][T12994] firmware_loading_store+0x141/0x650
> > > [ 348.615761][T12994] ? firmware_data_write+0x4e0/0x4e0
> > > [ 348.621064][T12994] ? sysfs_file_ops+0x1c0/0x1c0
> > > [ 348.625921][T12994] dev_attr_store+0x50/0x80
> > >
> > > Also the fallback logic takes actions based on errors as in
> > > fw_load_sysfs_fallback() that returns -EAGAIN which would
> > > trigger request_firmware() again.
> > >
> > > Based on all of this I think this fix is needed, if only I can
> > > test for sure.
> >
> > Shuah, curious if you had read this patch from Anirudh Rayabharam
> > and my response to that v4 patch iteration?
> >
> > https://lkml.kernel.org/r/20210518155921.4181-1-mail@anirudhrb.com
> >
>
> Yes. I realized I am trying to fix the same problem we have been
> discussing. :) Sorry for the noise.
No worries, and thanks again for you help!
> Ignore my patch. I will follow the thread.
OK ! I think all we need is just Anirudh to split his patch to
remove the -EAGAIN return value in a separate patch as a first step,
documenting in the commmit log that:
The only motivation on her part with using -EAGAIN on commit
0542ad88fbdd81bb ("firmware loader: Fix _request_firmware_load()
return val for fw load abort") was to distinguish the error from
-ENOMEM, and so there is no real reason in keeping it. Keeping
-ETIMEDOUT is much telling of what the reason for a failure is,
so just use that.
Then his second patch would be simplified without the -EAGAIN
condition.
All I asked was to confirm that the -ETIMEDOUT was indeed propagated.
Anirudh, sorry for the trouble, but can I ask you for a v5 with two
patches as described above?
Luis
next prev parent reply other threads:[~2021-07-15 23:21 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-08 3:13 [PATCH] firmware_loader: Fix use-after-free Read in firmware_loading_store Shuah Khan
[not found] ` <20210709091721.1869-1-hdanton@sina.com>
2021-07-09 16:15 ` Shuah Khan
2021-07-09 16:38 ` Shuah Khan
2021-07-15 22:28 ` Luis Chamberlain
2021-07-15 22:46 ` Shuah Khan
2021-07-15 23:21 ` Luis Chamberlain [this message]
2021-07-18 9:01 ` Anirudh Rayabharam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210715232105.am4wsxfclj2ufjdw@garbanzo \
--to=mcgrof@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mail@anirudhrb.com \
--cc=rafael@kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+77cea49e091776a57689@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).