summaryrefslogtreecommitdiff
path: root/drivers/scsi/sd.c
diff options
context:
space:
mode:
authorSven Van Asbroeck <thesven73@gmail.com>2019-06-24 10:07:31 -0400
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-08-04 09:34:37 +0200
commit5239be20a1bddfbcc1ad5cdec1496de510fb72db (patch)
treec1fbd4d9194a89a6c4ef0da69eda0d5f5df1da5a /drivers/scsi/sd.c
parent00d376f0c4b1f1c4de08fe0f5509b0ea76a4bf1c (diff)
dmaengine: imx-sdma: fix use-after-free on probe error path
[ Upstream commit 2b8066c3deb9140fdf258417a51479b2aeaa7622 ] If probe() fails anywhere beyond the point where sdma_get_firmware() is called, then a kernel oops may occur. Problematic sequence of events: 1. probe() calls sdma_get_firmware(), which schedules the firmware callback to run when firmware becomes available, using the sdma instance structure as the context 2. probe() encounters an error, which deallocates the sdma instance structure 3. firmware becomes available, firmware callback is called with deallocated sdma instance structure 4. use after free - kernel oops ! Solution: only attempt to load firmware when we're certain that probe() will succeed. This guarantees that the firmware callback's context will remain valid. Note that the remove() path is unaffected by this issue: the firmware loader will increment the driver module's use count, ensuring that the module cannot be unloaded while the firmware callback is pending or running. Signed-off-by: Sven Van Asbroeck <TheSven73@gmail.com> Reviewed-by: Robin Gong <yibin.gong@nxp.com> [vkoul: fixed braces for if condition] Signed-off-by: Vinod Koul <vkoul@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/scsi/sd.c')
0 files changed, 0 insertions, 0 deletions