Fix firmware loader uevent buffer NULL pointer dereference

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The firmware class uevent function accessed the "fw_priv->buf" buffer
without the proper locking and testing for NULL. This is an old bug
(looks like it goes back to 2012 and commit 1244691c73b2: "firmware
loader: introduce firmware_buf"), but for some reason it's triggering
only now in 4.2-rc1.

Shuah Khan is trying to bisect what it is that causes this to trigger
more easily, but in the meantime let's just fix the bug since others are
hitting it too (at least Ingo reports having seen it as well).

Reported-and-tested-by: Shuah Khan <shuahkh@osg.samsung.com>
Acked-by: Ming Lei <ming.lei@canonical.com>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Linus Torvalds 10 years ago 6f957724 6b7339f4

+13 -3

1 changed file

expand all

drivers

base

firmware_class.c

+13 -3

drivers/base/firmware_class.c

··· 563 563 kfree(fw_priv); 564 564 } 565 565 566 - static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env) 566 + static int do_firmware_uevent(struct firmware_priv *fw_priv, struct kobj_uevent_env *env) 567 567 { 568 - struct firmware_priv *fw_priv = to_firmware_priv(dev); 569 - 570 568 if (add_uevent_var(env, "FIRMWARE=%s", fw_priv->buf->fw_id)) 571 569 return -ENOMEM; 572 570 if (add_uevent_var(env, "TIMEOUT=%i", loading_timeout)) ··· 573 575 return -ENOMEM; 574 576 575 577 return 0; 578 + } 579 + 580 + static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env) 581 + { 582 + struct firmware_priv *fw_priv = to_firmware_priv(dev); 583 + int err = 0; 584 + 585 + mutex_lock(&fw_lock); 586 + if (fw_priv->buf) 587 + err = do_firmware_uevent(fw_priv, env); 588 + mutex_unlock(&fw_lock); 589 + return err; 576 590 } 577 591 578 592 static struct class firmware_class = {