linux-toradex.git/drivers/base/firmware_class.c, branch v3.12.51 Linux kernel for Apalis and Colibri modules Fix firmware loader uevent buffer NULL pointer dereference 2015-08-04T14:52:36+00:00 Linus Torvalds torvalds@linux-foundation.org 2015-07-09T18:20:01+00:00 c81091b32079bbc46119530dd5ccbdac671ab934 commit 6f957724b94cb19f5c1c97efd01dd4df8ced323c upstream. The firmware class uevent function accessed the "fw_priv->buf" buffer without the proper locking and testing for NULL. This is an old bug (looks like it goes back to 2012 and commit 1244691c73b2: "firmware loader: introduce firmware_buf"), but for some reason it's triggering only now in 4.2-rc1. Shuah Khan is trying to bisect what it is that causes this to trigger more easily, but in the meantime let's just fix the bug since others are hitting it too (at least Ingo reports having seen it as well). Reported-and-tested-by: Shuah Khan <shuahkh@osg.samsung.com> Acked-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 
commit 6f957724b94cb19f5c1c97efd01dd4df8ced323c upstream.

The firmware class uevent function accessed the "fw_priv->buf" buffer
without the proper locking and testing for NULL.  This is an old bug
(looks like it goes back to 2012 and commit 1244691c73b2: "firmware
loader: introduce firmware_buf"), but for some reason it's triggering
only now in 4.2-rc1.

Shuah Khan is trying to bisect what it is that causes this to trigger
more easily, but in the meantime let's just fix the bug since others are
hitting it too (at least Ingo reports having seen it as well).

Reported-and-tested-by: Shuah Khan <shuahkh@osg.samsung.com>
Acked-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
firmware_class: make sure fw requests contain a name 2014-10-31T14:11:13+00:00 Kees Cook keescook@chromium.org 2014-09-18T18:25:37+00:00 7c77b7f1a637718d4acdc6dd09e56b3016a5f42b commit 471b095dfe0d693a8d624cbc716d1ee4d74eb437 upstream. An empty firmware request name will trigger warnings when building device names. Make sure this is caught earlier and rejected. The warning was visible via the test_firmware.ko module interface: echo -ne "\x00" > /sys/devices/virtual/misc/test_firmware/trigger_request Reported-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Kees Cook <keescook@chromium.org> Tested-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 
commit 471b095dfe0d693a8d624cbc716d1ee4d74eb437 upstream.

An empty firmware request name will trigger warnings when building
device names. Make sure this is caught earlier and rejected.

The warning was visible via the test_firmware.ko module interface:

echo -ne "\x00" > /sys/devices/virtual/misc/test_firmware/trigger_request

Reported-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Tested-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
PM / hibernate: Fix restore hang in freeze_processes() 2014-03-05T16:13:55+00:00 Sebastian Capella sebastian.capella@linaro.org 2014-02-19T01:52:08+00:00 3787169fa3185aa8587972b5fdccbf700f60a4f1 commit f8d5b9e9e5372f0deb7bc1ab1088a9b60b0a793d upstream. During restore, pm_notifier chain are called with PM_RESTORE_PREPARE. The firmware_class driver handler fw_pm_notify does not have a handler for this. As a result, it keeps a reader on the kmod.c umhelper_sem. During freeze_processes, the call to __usermodehelper_disable tries to take a write lock on this semaphore and hangs waiting. Signed-off-by: Sebastian Capella <sebastian.capella@linaro.org> Acked-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Signed-off-by: Jiri Slaby <jslaby@suse.cz> 
commit f8d5b9e9e5372f0deb7bc1ab1088a9b60b0a793d upstream.

During restore, pm_notifier chain are called with
PM_RESTORE_PREPARE.  The firmware_class driver handler
fw_pm_notify does not have a handler for this.  As a result,
it keeps a reader on the kmod.c umhelper_sem.  During
freeze_processes, the call to __usermodehelper_disable tries to
take a write lock on this semaphore and hangs waiting.

Signed-off-by: Sebastian Capella <sebastian.capella@linaro.org>
Acked-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
firmware loader: fix pending_fw_head list corruption 2013-08-30T19:04:27+00:00 Maxime Bizon mbizon@freebox.fr 2013-08-29T18:28:13+00:00 1eeeef153c02f5856ec109fa532eb5f31c39f85c Got the following oops just before reboot: Unable to handle kernel NULL pointer dereference at virtual address 00000000 [<8028d300>] (__list_del_entry+0x44/0xac) [<802e3320>] (__fw_load_abort.part.13+0x1c/0x50) [<802e337c>] (fw_shutdown_notify+0x28/0x50) [<80034f80>] (notifier_call_chain.isra.1+0x5c/0x9c) [<800350ec>] (__blocking_notifier_call_chain+0x44/0x58) [<80035114>] (blocking_notifier_call_chain+0x14/0x18) [<80035d64>] (kernel_restart_prepare+0x14/0x38) [<80035d94>] (kernel_restart+0xc/0x50) The following race condition triggers here: _request_firmware_load() device_create_file(...) kobject_uevent(...) (schedule) (resume) firmware_loading_store(1) firmware_loading_store(0) list_del_init(&buf->pending_list) (schedule) (resume) list_add(&buf->pending_list, &pending_fw_head); wait_for_completion(&buf->completion); causing an oops later when walking pending_list after the firmware has been released. The proposed fix is to move the list_add() before sysfs attribute creation. Signed-off-by: Maxime Bizon <mbizon@freebox.fr> Acked-by: Ming Lei <ming.lei@canonical.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Got the following oops just before reboot:

Unable to handle kernel NULL pointer dereference at virtual address 00000000
[<8028d300>] (__list_del_entry+0x44/0xac)
[<802e3320>] (__fw_load_abort.part.13+0x1c/0x50)
[<802e337c>] (fw_shutdown_notify+0x28/0x50)
[<80034f80>] (notifier_call_chain.isra.1+0x5c/0x9c)
[<800350ec>] (__blocking_notifier_call_chain+0x44/0x58)
[<80035114>] (blocking_notifier_call_chain+0x14/0x18)
[<80035d64>] (kernel_restart_prepare+0x14/0x38)
[<80035d94>] (kernel_restart+0xc/0x50)

The following race condition triggers here:

  _request_firmware_load()
  device_create_file(...)
  kobject_uevent(...)
  (schedule)
                                       (resume)
                                       firmware_loading_store(1)
                                       firmware_loading_store(0)
                                       list_del_init(&buf->pending_list)
                                       (schedule)
  (resume)
  list_add(&buf->pending_list, &pending_fw_head);
  wait_for_completion(&buf->completion);

causing an oops later when walking pending_list after the firmware has
been released.

The proposed fix is to move the list_add() before sysfs attribute
creation.

Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
Acked-by: Ming Lei <ming.lei@canonical.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
driver core: firmware: use __ATTR_RW() 2013-08-24T00:08:48+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-08-24T00:08:48+00:00 14adbe5307a4110af7d1e95fb604a1abcdaa6cce Use __ATTR_RW() instead of __ATTR() to make it more obvious what the type of attribute is being created. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
Use __ATTR_RW() instead of __ATTR() to make it more obvious what the
type of attribute is being created.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware loader: fix another compile warning with PM_SLEEP unset 2013-06-26T04:04:22+00:00 Ming Lei ming.lei@canonical.com 2013-06-26T01:28:17+00:00 6a2c123427ffece4174db0792c3009e7df770d9a This patch fixes another compiling warning with PM_SLEEP unset: drivers/base/firmware_class.c:221:29: warning: 'fw_lookup_buf' defined but not used [-Wunused-function] This time I do build kernel with both PM_SLEEP set and unset, and no warning found any more with the patch. Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This patch fixes another compiling warning with PM_SLEEP unset:

drivers/base/firmware_class.c:221:29: warning: 'fw_lookup_buf' defined
but not used [-Wunused-function]

This time I do build kernel with both PM_SLEEP set and unset, and no
warning found any more with the patch.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware loader: fix compile warning with PM_SLEEP set 2013-06-21T21:09:47+00:00 Ming Lei ming.lei@canonical.com 2013-06-20T04:30:16+00:00 90f8908127b55aa22f5a995880d5ac8cd23fbe1e This patch fixes the below compile warning: drivers/base/firmware_class.c:1254:12: warning: 'cache_firmware' defined but not used [-Wunused-function] static int cache_firmware(const char *fw_name) ^ drivers/base/firmware_class.c:1281:12: warning: 'uncache_firmware' defined but not used [-Wunused-function] static int uncache_firmware(const char *fw_name) ^ Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This patch fixes the below compile warning:

drivers/base/firmware_class.c:1254:12: warning: 'cache_firmware' defined
but not used [-Wunused-function]
 static int cache_firmware(const char *fw_name)
            ^
drivers/base/firmware_class.c:1281:12: warning: 'uncache_firmware'
defined but not used [-Wunused-function]
 static int uncache_firmware(const char *fw_name)
            ^

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge branch 'driver-core-linus' into driver-core-next 2013-06-20T03:26:43+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2013-06-20T03:26:43+00:00 7068cb07563d8f001e83a2836ccf1cef6518aea4 This resolves the merge issues with drivers/base/firmware_class.c Thanks to Ming Lei for the patch and hints on how to resolve it. Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
This resolves the merge issues with drivers/base/firmware_class.c

Thanks to Ming Lei for the patch and hints on how to resolve it.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware loader: fix use-after-free by double abort 2013-06-18T17:41:55+00:00 Ming Lei ming.lei@canonical.com 2013-06-15T08:36:38+00:00 875979368eb4cfecff9f0e97625b90cc6009269d fw_priv->buf is accessed in both request_firmware_load() and writing to sysfs file of 'loading' context, but not protected by 'fw_lock' entirely. The patch makes sure that access on 'fw_priv->buf' is protected by the lock. So fixes the double abort problem reported by nirinA raseliarison: http://lkml.org/lkml/2013/6/14/188 Reported-and-tested-by: nirinA raseliarison <nirina.raseliarison@gmail.com> Cc: Guenter Roeck <linux@roeck-us.net> Cc: Bjorn Helgaas <bhelgaas@google.com> Cc: stable <stable@vger.kernel.org> # 3.9 Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
fw_priv->buf is accessed in both request_firmware_load() and
writing to sysfs file of 'loading' context, but not protected
by 'fw_lock' entirely. The patch makes sure that access on
'fw_priv->buf' is protected by the lock.

So fixes the double abort problem reported by nirinA raseliarison:

	http://lkml.org/lkml/2013/6/14/188

Reported-and-tested-by: nirinA raseliarison <nirina.raseliarison@gmail.com>
Cc: Guenter Roeck <linux@roeck-us.net>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable <stable@vger.kernel.org> # 3.9
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
firmware loader: simplify holding module for request_firmware 2013-06-06T19:41:57+00:00 Ming Lei ming.lei@canonical.com 2013-06-06T12:01:48+00:00 d6c8aa3906d5d0e4012b9811d6e0928dc7b4cbaf module reference doesn't cover direct loading path, so this patch simply holds the module in the whole life time of request_firmware() to fix the problem. Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
module reference doesn't cover direct loading path, so this patch
simply holds the module in the whole life time of request_firmware()
to fix the problem.

Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>