linux/drivers/base
Anirudh Rayabharam 75d95e2e39 firmware_loader: fix use-after-free in firmware_fallback_sysfs
This use-after-free happens when a fw_priv object has been freed but
hasn't been removed from the pending list (pending_fw_head). The next
time fw_load_sysfs_fallback tries to insert into the list, it ends up
accessing the pending_list member of the previously freed fw_priv.

The root cause here is that all code paths that abort the fw load
don't delete it from the pending list. For example:

        _request_firmware()
          -> fw_abort_batch_reqs()
              -> fw_state_aborted()

To fix this, delete the fw_priv from the list in __fw_set_state() if
the new state is DONE or ABORTED. This way, all aborts will remove
the fw_priv from the list. Accordingly, remove calls to list_del_init
that were being made before calling fw_state_(aborted|done).

Also, in fw_load_sysfs_fallback, don't add the fw_priv to the pending
list if it is already aborted. Instead, just jump out and return early.

Fixes: bcfbd3523f ("firmware: fix a double abort case with fw_load_sysfs_fallback")
Cc: stable <stable@vger.kernel.org>
Reported-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
Tested-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Link: https://lore.kernel.org/r/20210728085107.4141-3-mail@anirudhrb.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-07-29 17:22:15 +02:00
..
firmware_loader firmware_loader: fix use-after-free in firmware_fallback_sysfs 2021-07-29 17:22:15 +02:00
power Merge branches 'pm-cpuidle', 'pm-sleep' and 'pm-domains' 2021-07-07 20:17:43 +02:00
regmap regmap: mdio: Reject invalid addresses 2021-06-14 15:00:29 +01:00
test device property: Remove some casts in property-entry-test 2021-06-23 16:37:21 -06:00
arch_numa.c arch_numa: fix common code printing of phys_addr_t 2021-02-18 23:18:04 -08:00
arch_topology.c arch_topology: Avoid use-after-free for scale_freq_data 2021-07-01 07:32:14 +05:30
attribute_container.c driver core: attribute_container: fix W=1 warnings 2021-05-14 13:37:10 +02:00
auxiliary.c driver core: auxiliary bus: Fix memory leak when driver_register() fail 2021-07-21 16:36:06 +02:00
base.h driver core: Export device_driver_attach() 2021-06-21 15:29:24 -06:00
bus.c driver core: Flow the return code from ->probe() through to sysfs bind 2021-06-21 15:29:24 -06:00
cacheinfo.c drivers core: Use sysfs_emit for shared_cpu_map_show and shared_cpu_list_show 2020-10-02 13:24:40 +02:00
class.c drivers: base: fix some kernel-doc markups 2020-11-09 18:56:49 +01:00
component.c component: Rename 'dev' to 'parent' 2021-05-27 15:49:59 +02:00
container.c driver core: Remove redundant license text 2017-12-07 18:36:44 +01:00
core.c driver core: Prevent warning when removing a device link from unregistered consumer 2021-07-21 17:28:42 +02:00
cpu.c drivers/base: Constify static attribute_group structs 2021-06-04 15:06:28 +02:00
dd.c drivers core: Fix oops when driver probe fails 2021-07-27 14:44:43 +02:00
devcoredump.c devcoredump: remove contact information 2021-06-04 15:05:44 +02:00
devres.c devres: Enable trace events 2021-06-15 17:14:36 +02:00
devtmpfs.c devtmpfs: actually reclaim some init memory 2021-03-23 14:57:35 +01:00
driver.c drivers: base: Convert to printk alias functions 2020-07-10 14:16:44 +02:00
firmware.c driver core: Remove redundant license text 2017-12-07 18:36:44 +01:00
hypervisor.c driver core: Remove redundant license text 2017-12-07 18:36:44 +01:00
init.c driver core: auxiliary bus: Fix calling stage for auxiliary bus init 2021-02-11 08:43:03 +01:00
isa.c isa: Make the remove callback for isa drivers return void 2021-01-26 07:42:27 +01:00
Kconfig RISC-V Patches for the 5.12 Merge Window 2021-02-26 10:28:35 -08:00
Makefile devres: Enable trace events 2021-06-15 17:14:36 +02:00
map.c driver core: Remove redundant license text 2017-12-07 18:36:44 +01:00
memory.c Linux 5.13-rc6 2021-06-14 09:07:45 +02:00
module.c driver core: Remove redundant license text 2017-12-07 18:36:44 +01:00
node.c Driver core changes for 5.14-rc1 2021-07-05 13:51:41 -07:00
pinctrl.c driver core: Remove redundant license text 2017-12-07 18:36:44 +01:00
platform-msi.c platform-msi: fix kernel-doc warnings 2021-04-02 16:40:08 +02:00
platform.c drivers/base: Constify static attribute_group structs 2021-06-04 15:06:28 +02:00
property.c Driver core changes for 5.14-rc1 2021-07-05 13:51:41 -07:00
soc.c soc: fix comment for freeing soc_dev_attr 2020-12-09 19:46:31 +01:00
swnode.c software node: Handle software node injection to an existing device properly 2021-06-23 19:34:58 +02:00
syscore.c syscore: Use pm_pr_dbg() for syscore_{suspend,resume}() 2020-09-08 13:32:06 +02:00
topology.c drivers core: Miscellaneous changes for sysfs_emit 2020-10-02 13:12:07 +02:00
trace.c devres: Enable trace events 2021-06-15 17:14:36 +02:00
trace.h devres: Enable trace events 2021-06-15 17:14:36 +02:00
transport_class.c scsi: drivers: base: Propagate errors through the transport component 2020-01-15 22:55:37 -05:00