diff options
author | Sven Van Asbroeck <thesven73@gmail.com> | 2019-06-24 10:07:31 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-08-04 09:34:37 +0200 |
commit | 5239be20a1bddfbcc1ad5cdec1496de510fb72db (patch) | |
tree | c1fbd4d9194a89a6c4ef0da69eda0d5f5df1da5a /drivers/scsi/sd.c | |
parent | 00d376f0c4b1f1c4de08fe0f5509b0ea76a4bf1c (diff) |
dmaengine: imx-sdma: fix use-after-free on probe error path
[ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ]
If probe() fails anywhere beyond the point where
sdma_get_firmware() is called, then a kernel oops may occur.
Problematic sequence of events:
1. probe() calls sdma_get_firmware(), which schedules the
firmware callback to run when firmware becomes available,
using the sdma instance structure as the context
2. probe() encounters an error, which deallocates the
sdma instance structure
3. firmware becomes available, firmware callback is
called with deallocated sdma instance structure
4. use after free - kernel oops !
Solution: only attempt to load firmware when we're certain
that probe() will succeed. This guarantees that the firmware
callback's context will remain valid.
Note that the remove() path is unaffected by this issue: the
firmware loader will increment the driver module's use count,
ensuring that the module cannot be unloaded while the
firmware callback is pending or running.
Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com>
Reviewed-by: Robin Gong <yibin.gong@nxp.com>
[vkoul: fixed braces for if condition]
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/scsi/sd.c')
0 files changed, 0 insertions, 0 deletions