aboutsummaryrefslogtreecommitdiffstats
path: root/drivers/base/firmware_class.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2015-07-09 14:20:01 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2015-07-09 14:20:01 -0400
commit6f957724b94cb19f5c1c97efd01dd4df8ced323c (patch)
treea5f0dc7258865efa5c39e80cf729f7db5d0c970f /drivers/base/firmware_class.c
parent6b7339f4c31ad69c8e9c0b2859276e22cf72176d (diff)
Fix firmware loader uevent buffer NULL pointer dereference
The firmware class uevent function accessed the "fw_priv->buf" buffer without the proper locking and testing for NULL. This is an old bug (looks like it goes back to 2012 and commit 1244691c73b2: "firmware loader: introduce firmware_buf"), but for some reason it's triggering only now in 4.2-rc1. Shuah Khan is trying to bisect what it is that causes this to trigger more easily, but in the meantime let's just fix the bug since others are hitting it too (at least Ingo reports having seen it as well). Reported-and-tested-by: Shuah Khan <shuahkh@osg.samsung.com> Acked-by: Ming Lei <ming.lei@canonical.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'drivers/base/firmware_class.c')
-rw-r--r--drivers/base/firmware_class.c16
1 files changed, 13 insertions, 3 deletions
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 9c4288362a8e..894bda114224 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -563,10 +563,8 @@ static void fw_dev_release(struct device *dev)
563 kfree(fw_priv); 563 kfree(fw_priv);
564} 564}
565 565
566static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env) 566static int do_firmware_uevent(struct firmware_priv *fw_priv, struct kobj_uevent_env *env)
567{ 567{
568 struct firmware_priv *fw_priv = to_firmware_priv(dev);
569
570 if (add_uevent_var(env, "FIRMWARE=%s", fw_priv->buf->fw_id)) 568 if (add_uevent_var(env, "FIRMWARE=%s", fw_priv->buf->fw_id))
571 return -ENOMEM; 569 return -ENOMEM;
572 if (add_uevent_var(env, "TIMEOUT=%i", loading_timeout)) 570 if (add_uevent_var(env, "TIMEOUT=%i", loading_timeout))
@@ -577,6 +575,18 @@ static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
577 return 0; 575 return 0;
578} 576}
579 577
578static int firmware_uevent(struct device *dev, struct kobj_uevent_env *env)
579{
580 struct firmware_priv *fw_priv = to_firmware_priv(dev);
581 int err = 0;
582
583 mutex_lock(&fw_lock);
584 if (fw_priv->buf)
585 err = do_firmware_uevent(fw_priv, env);
586 mutex_unlock(&fw_lock);
587 return err;
588}
589
580static struct class firmware_class = { 590static struct class firmware_class = {
581 .name = "firmware", 591 .name = "firmware",
582 .class_attrs = firmware_class_attrs, 592 .class_attrs = firmware_class_attrs,
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-11 04:13:59 -0400