[ commit be37bed754ed90b2655382f93f9724b3c1aae847 upstream ]
Dan Carpenter spotted that test_fw_config->reqs will be leaked if trigger_batched_requests_store() is called two or more times. The same appears with trigger_batched_requests_async_store().
This bug wasn't triggered by the tests, but observed by Dan's visual inspection of the code.
The recommended workaround was to return -EBUSY if test_fw_config->reqs is already allocated.
Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests") Cc: Luis Chamberlain mcgrof@kernel.org Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Russ Weight russell.h.weight@intel.com Cc: Tianfei Zhang tianfei.zhang@intel.com Cc: Shuah Khan shuah@kernel.org Cc: Colin Ian King colin.i.king@gmail.com Cc: Randy Dunlap rdunlap@infradead.org Cc: linux-kselftest@vger.kernel.org Cc: stable@vger.kernel.org # v4.19 Suggested-by: Dan Carpenter error27@gmail.com Suggested-by: Takashi Iwai tiwai@suse.de Link: https://lore.kernel.org/r/20230509084746.48259-2-mirsad.todorovac@alu.unizg.... Signed-off-by: Mirsad Todorovac mirsad.todorovac@alu.unizg.hr
[ This is a backport to v4.19 stable branch without a change in code from the 5.4+ patch ]
--- v2: no changes to commit. minor clarifications with versioning for the patchwork.
v1: patch sumbmitted verbatim from the 5.4+ branch to 4.19
lib/test_firmware.c | 10 ++++++++++ 1 file changed, 10 insertions(+)
diff --git a/lib/test_firmware.c b/lib/test_firmware.c index f4cc874021da..e4688821eab8 100644 --- a/lib/test_firmware.c +++ b/lib/test_firmware.c @@ -618,6 +618,11 @@ static ssize_t trigger_batched_requests_store(struct device *dev,
mutex_lock(&test_fw_mutex);
+ if (test_fw_config->reqs) { + rc = -EBUSY; + goto out_bail; + } + test_fw_config->reqs = vzalloc(array3_size(sizeof(struct test_batched_req), test_fw_config->num_requests, 2)); @@ -721,6 +726,11 @@ ssize_t trigger_batched_requests_async_store(struct device *dev,
mutex_lock(&test_fw_mutex);
+ if (test_fw_config->reqs) { + rc = -EBUSY; + goto out_bail; + } + test_fw_config->reqs = vzalloc(array3_size(sizeof(struct test_batched_req), test_fw_config->num_requests, 2));
[ Upstream commit 7dae593cd226a0bca61201cf85ceb9335cf63682 ]
In a couple of situations like
name = kstrndup(buf, count, GFP_KERNEL); if (!name) return -ENOSPC;
the error is not actually "No space left on device", but "Out of memory".
It is semantically correct to return -ENOMEM in all failed kstrndup() and kzalloc() cases in this driver, as it is not a problem with disk space, but with kernel memory allocator failing allocation.
The semantically correct should be:
name = kstrndup(buf, count, GFP_KERNEL); if (!name) return -ENOMEM;
Cc: Dan Carpenter error27@gmail.com Cc: Takashi Iwai tiwai@suse.de Cc: Kees Cook keescook@chromium.org Cc: Luis R. Rodriguez mcgrof@kernel.org Cc: Brian Norris computersforpeace@gmail.com Cc: stable@vger.kernel.org # 4.19, 4.14 Fixes: c92316bf8e948 ("test_firmware: add batched firmware tests") Fixes: 0a8adf584759c ("test: add firmware_class loader test") Fixes: eb910947c82f9 ("test: firmware_class: add asynchronous request trigger") Fixes: 061132d2b9c95 ("test_firmware: add test custom fallback trigger") Link: https://lore.kernel.org/all/20230606070808.9300-1-mirsad.todorovac@alu.unizg... Signed-off-by: Mirsad Todorovac mirsad.todorovac@alu.unizg.hr
[ This is the backport of the patch to 4.19 and 4.14 branches. There are no ] [ semantic differences in the commit. The same fix applies to 4.19 and 4.14 ] [ tree. The backport is provided for completenes sake so the bug would be fixed ] [ for all of the supported LTS kernels ]
--- v2 -> v3: minor clarifications with the versioning for the patchwork. no change to commit.
v1 -> v2: removed the Reviewed-by: and Acked-by tags, as this is a slightly different patch and those need to be reacquired
lib/test_firmware.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/test_firmware.c b/lib/test_firmware.c index e4688821eab8..b5e779bcfb34 100644 --- a/lib/test_firmware.c +++ b/lib/test_firmware.c @@ -160,7 +160,7 @@ static int __kstrncpy(char **dst, const char *name, size_t count, gfp_t gfp) { *dst = kstrndup(name, count, gfp); if (!*dst) - return -ENOSPC; + return -ENOMEM; return count; }
@@ -456,7 +456,7 @@ static ssize_t trigger_request_store(struct device *dev,
name = kstrndup(buf, count, GFP_KERNEL); if (!name) - return -ENOSPC; + return -ENOMEM;
pr_info("loading '%s'\n", name);
@@ -497,7 +497,7 @@ static ssize_t trigger_async_request_store(struct device *dev,
name = kstrndup(buf, count, GFP_KERNEL); if (!name) - return -ENOSPC; + return -ENOMEM;
pr_info("loading '%s'\n", name);
@@ -540,7 +540,7 @@ static ssize_t trigger_custom_fallback_store(struct device *dev,
name = kstrndup(buf, count, GFP_KERNEL); if (!name) - return -ENOSPC; + return -ENOMEM;
pr_info("loading '%s' using custom fallback mechanism\n", name);
linux-stable-mirror@lists.linaro.org
-
Mirsad Todorovac