When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
Make sure to initialize the list object regardless of this flag.
Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
Cc: stable@vger.kernel.org
Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
---
 drivers/base/firmware_loader/main.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c index b3c0498ee433..8e9213b36e31 100644 --- a/drivers/base/firmware_loader/main.c +++ b/drivers/base/firmware_loader/main.c @@ -226,8 +226,11 @@ static int alloc_lookup_fw_priv(const char *fw_name, }
tmp = __allocate_fw_priv(fw_name, fwc, dbuf, size); - if (tmp && !(opt_flags & FW_OPT_NOCACHE)) - list_add(&tmp->list, &fwc->head); + if (tmp) { + INIT_LIST_HEAD(&tmp->list); + if (!(opt_flags & FW_OPT_NOCACHE)) + list_add(&tmp->list, &fwc->head); + } spin_unlock(&fwc->lock);
*fw_priv = tmp;
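Review bot: INIT_LIST_HEAD(&tmp->list) is placed in alloc_lookup_fw_priv(), after __allocate_fw_priv() has already handed back the object, so the invariant "a fw_priv can always be unlinked" depends on this one caller. Initialising the list node inside __allocate_fw_priv() would make every object it returns safe to take off the list by construction, and the caller could keep its original single condition around list_add().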
On Wed, Sep 19, 2018 at 06:09:38PM -0700, Bjorn Andersson wrote:
> When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
> Make sure to initialize the list object regardless of this flag.
> Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
> Cc: stable@vger.kernel.org
> Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
> Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> drivers/base/firmware_loader/main.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
Is this being triggered by some hardware somewhere today? Or is this just a fix found by code inspection?
thanks,
greg k-h
On Wed 19 Sep 22:22 PDT 2018, Greg Kroah-Hartman wrote:
> On Wed, Sep 19, 2018 at 06:09:38PM -0700, Bjorn Andersson wrote:
> > When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
> > Make sure to initialize the list object regardless of this flag.
> > Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
> > Cc: stable@vger.kernel.org
> > Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
> > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> > drivers/base/firmware_loader/main.c | 7 +++++--
> > 1 file changed, 5 insertions(+), 2 deletions(-)
> Is this being triggered by some hardware somewhere today? Or is this just a fix found by code inspection?
Hi Greg,
Yes, I found this issue while attempting to load the firmware and boot one of the DSPs on one of my Qualcomm dev boards after v4.19-rc4 and it can be reproduced on the upstream Dragonboard 820c.
Regards, Bjorn
On Thu, Sep 20, 2018 at 12:34:15AM -0700, Bjorn Andersson wrote:
> On Wed 19 Sep 22:22 PDT 2018, Greg Kroah-Hartman wrote:
> > On Wed, Sep 19, 2018 at 06:09:38PM -0700, Bjorn Andersson wrote:
> > > When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
> > > Make sure to initialize the list object regardless of this flag.
> > > Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
> > > Cc: stable@vger.kernel.org
> > > Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
> > > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> > > drivers/base/firmware_loader/main.c | 7 +++++--
> > > 1 file changed, 5 insertions(+), 2 deletions(-)
> > Is this being triggered by some hardware somewhere today? Or is this just a fix found by code inspection?
> Hi Greg,
> Yes, I found this issue while attempting to load the firmware and boot one of the DSPs on one of my Qualcomm dev boards after v4.19-rc4 and it can be reproduced on the upstream Dragonboard 820c.
I still see this issue on v4.19-rc6.
It would be nice if this fix gets merged before v4.19 gets released.
Kind regards, Niklas
On Mon, Oct 01, 2018 at 03:27:03PM +0200, Niklas Cassel wrote:
> On Thu, Sep 20, 2018 at 12:34:15AM -0700, Bjorn Andersson wrote:
> > On Wed 19 Sep 22:22 PDT 2018, Greg Kroah-Hartman wrote:
> > > On Wed, Sep 19, 2018 at 06:09:38PM -0700, Bjorn Andersson wrote:
> > > > When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
> > > > Make sure to initialize the list object regardless of this flag.
> > > > Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
> > > > Cc: stable@vger.kernel.org
> > > > Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
> > > > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> > > > drivers/base/firmware_loader/main.c | 7 +++++--
> > > > 1 file changed, 5 insertions(+), 2 deletions(-)
> > > Is this being triggered by some hardware somewhere today? Or is this just a fix found by code inspection?
> > Hi Greg,
> > Yes, I found this issue while attempting to load the firmware and boot one of the DSPs on one of my Qualcomm dev boards after v4.19-rc4 and it can be reproduced on the upstream Dragonboard 820c.
> I still see this issue on v4.19-rc6.
> It would be nice if this fix gets merged before v4.19 gets released.
This is the first I hear of this and this patch, so you should re-send it and I can review it. Also please Cc Rishabh.
Rishabh, had you heard of this and can you confirm as well as 422b3db2a503 was your commit?
Luis
On Mon 01 Oct 11:18 PDT 2018, Luis Chamberlain wrote:
> On Mon, Oct 01, 2018 at 03:27:03PM +0200, Niklas Cassel wrote:
> > On Thu, Sep 20, 2018 at 12:34:15AM -0700, Bjorn Andersson wrote:
> > > On Wed 19 Sep 22:22 PDT 2018, Greg Kroah-Hartman wrote:
> > > > On Wed, Sep 19, 2018 at 06:09:38PM -0700, Bjorn Andersson wrote:
> > > > > When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
> > > > > Make sure to initialize the list object regardless of this flag.
> > > > > Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
> > > > > Cc: stable@vger.kernel.org
> > > > > Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
> > > > > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> > > > > drivers/base/firmware_loader/main.c | 7 +++++--
> > > > > 1 file changed, 5 insertions(+), 2 deletions(-)
> > > > Is this being triggered by some hardware somewhere today? Or is this just a fix found by code inspection?
> > > Hi Greg,
> > > Yes, I found this issue while attempting to load the firmware and boot one of the DSPs on one of my Qualcomm dev boards after v4.19-rc4 and it can be reproduced on the upstream Dragonboard 820c.
> > I still see this issue on v4.19-rc6.
> > It would be nice if this fix gets merged before v4.19 gets released.
> This is the first I hear of this and this patch, so you should re-send it and I can review it. Also please Cc Rishabh.
> Rishabh, had you heard of this and can you confirm as well as 422b3db2a503 was your commit?
Thanks Luis,
It seems like Greg did pick the patch yesterday [1], so hopefully he sends himself a pull request this week for inclusion in v4.19-rc7.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/log/?h=...
Regards, Bjorn
On Mon, Oct 01, 2018 at 11:32:16AM -0700, Bjorn Andersson wrote:
> On Mon 01 Oct 11:18 PDT 2018, Luis Chamberlain wrote:
> > On Mon, Oct 01, 2018 at 03:27:03PM +0200, Niklas Cassel wrote:
> > > On Thu, Sep 20, 2018 at 12:34:15AM -0700, Bjorn Andersson wrote:
> > > > On Wed 19 Sep 22:22 PDT 2018, Greg Kroah-Hartman wrote:
> > > > > On Wed, Sep 19, 2018 at 06:09:38PM -0700, Bjorn Andersson wrote:
> > > > > > When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
> > > > > > Make sure to initialize the list object regardless of this flag.
> > > > > > Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
> > > > > > Cc: stable@vger.kernel.org
> > > > > > Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
> > > > > > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> > > > > > drivers/base/firmware_loader/main.c | 7 +++++--
> > > > > > 1 file changed, 5 insertions(+), 2 deletions(-)
> > > > > Is this being triggered by some hardware somewhere today? Or is this just a fix found by code inspection?
> > > > Hi Greg,
> > > > Yes, I found this issue while attempting to load the firmware and boot one of the DSPs on one of my Qualcomm dev boards after v4.19-rc4 and it can be reproduced on the upstream Dragonboard 820c.
> > > I still see this issue on v4.19-rc6.
> > > It would be nice if this fix gets merged before v4.19 gets released.
> > This is the first I hear of this and this patch, so you should re-send it and I can review it. Also please Cc Rishabh.
> > Rishabh, had you heard of this and can you confirm as well as 422b3db2a503 was your commit?
> Thanks Luis,
> It seems like Greg did pick the patch yesterday [1], so hopefully he sends himself a pull request this week for inclusion in v4.19-rc7.
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc.git/log/?h=...
The patch looks good. Next time please send patches to the maintainer as well.
Luis
On Mon, Oct 01, 2018 at 11:32:16AM -0700, Bjorn Andersson wrote:
> On Mon 01 Oct 11:18 PDT 2018, Luis Chamberlain wrote:
> > On Mon, Oct 01, 2018 at 03:27:03PM +0200, Niklas Cassel wrote:
> > > On Thu, Sep 20, 2018 at 12:34:15AM -0700, Bjorn Andersson wrote:
> > > > On Wed 19 Sep 22:22 PDT 2018, Greg Kroah-Hartman wrote:
> > > > > On Wed, Sep 19, 2018 at 06:09:38PM -0700, Bjorn Andersson wrote:
> > > > > > When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
> > > > > > Make sure to initialize the list object regardless of this flag.
> > > > > > Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
> > > > > > Cc: stable@vger.kernel.org
> > > > > > Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
> > > > > > Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> > > > > > drivers/base/firmware_loader/main.c | 7 +++++--
> > > > > > 1 file changed, 5 insertions(+), 2 deletions(-)
> > > > > Is this being triggered by some hardware somewhere today? Or is this just a fix found by code inspection?
> > > > Hi Greg,
> > > > Yes, I found this issue while attempting to load the firmware and boot one of the DSPs on one of my Qualcomm dev boards after v4.19-rc4 and it can be reproduced on the upstream Dragonboard 820c.
> > > I still see this issue on v4.19-rc6.
> > > It would be nice if this fix gets merged before v4.19 gets released.
> > This is the first I hear of this and this patch, so you should re-send it and I can review it. Also please Cc Rishabh.
> > Rishabh, had you heard of this and can you confirm as well as 422b3db2a503 was your commit?
> Thanks Luis,
> It seems like Greg did pick the patch yesterday [1], so hopefully he sends himself a pull request this week for inclusion in v4.19-rc7.
That was going to be my plan :)
thanks,
greg k-h
On Thu, Sep 20, 2018 at 3:07 AM Bjorn Andersson <bjorn.andersson@linaro.org> wrote:
> When freeing the fw_priv the item is taken off the list. This causes an oops in the FW_OPT_NOCACHE case as the list object is not initialized.
> Make sure to initialize the list object regardless of this flag.
> Fixes: 422b3db2a503 ("firmware: Fix security issue with request_firmware_into_buf()")
> Cc: stable@vger.kernel.org
> Cc: Rishabh Bhatnagar <rishabhb@codeaurora.org>
> Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
> drivers/base/firmware_loader/main.c | 7 +++++--
> 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c index b3c0498ee433..8e9213b36e31 100644 --- a/drivers/base/firmware_loader/main.c +++ b/drivers/base/firmware_loader/main.c @@ -226,8 +226,11 @@ static int alloc_lookup_fw_priv(const char *fw_name, }
tmp = __allocate_fw_priv(fw_name, fwc, dbuf, size);
if (tmp && !(opt_flags & FW_OPT_NOCACHE))
list_add(&tmp->list, &fwc->head);
if (tmp) {
INIT_LIST_HEAD(&tmp->list);
if (!(opt_flags & FW_OPT_NOCACHE))
list_add(&tmp->list, &fwc->head);
} spin_unlock(&fwc->lock); *fw_priv = tmp;
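Review bot: Missing comment at INIT_LIST_HEAD(&tmp->list): nothing in the code says why the node is initialised when FW_OPT_NOCACHE means it never reaches list_add(). A short comment stating that the free path takes the item off the list unconditionally, as the changelog says, would stop a later cleanup from folding the two conditions back into `if (tmp && !(opt_flags & FW_OPT_NOCACHE))`.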
--
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
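The failure mode described in the commit message at the top of this thread, as an added userspace C sketch (not kernel code and not part of the thread): a free path that always unlinks is only safe if the node was self-linked at allocation. The list helpers are simplified stand-ins for the kernel's, and `struct fw_obj`, `alloc_obj`, `free_obj`, `safe_to_unlink`, `demo` and `OPT_NOCACHE` are hypothetical names.

```c
#include <stddef.h>
#include <stdlib.h>
/* Simplified userspace stand-ins for the kernel list primitives. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add(struct list_head *n, struct list_head *head)
{
	n->next = head->next; n->prev = head;
	head->next->prev = n; head->next = n;
}
/* Unlinking writes through both neighbours, so next/prev must be valid. */
static void list_del(struct list_head *e)
{
	e->next->prev = e->prev;
	e->prev->next = e->next;
}
/* Nonzero when list_del() on this node would not dereference NULL. */
static int safe_to_unlink(const struct list_head *e) { return e->next && e->prev; }

struct fw_obj { struct list_head list; };  /* hypothetical miniature of fw_priv */
#define OPT_NOCACHE 1u                     /* stand-in for FW_OPT_NOCACHE */
/* Allocation as in the patch: always self-link, cache only when allowed. */
static struct fw_obj *alloc_obj(struct list_head *cache, unsigned int flags)
{
	struct fw_obj *o = calloc(1, sizeof(*o));
	if (o) {
		INIT_LIST_HEAD(&o->list);
		if (!(flags & OPT_NOCACHE))
			list_add(&o->list, cache);
	}
	return o;
}
/* Free path that unlinks unconditionally, as the commit message describes. */
static void free_obj(struct fw_obj *o) { list_del(&o->list); free(o); }

/* Cache length after freeing an uncached object next to a cached one. */
static size_t demo(void)
{
	struct list_head cache, *p;
	size_t n = 0;
	INIT_LIST_HEAD(&cache);
	struct fw_obj *cached = alloc_obj(&cache, 0);
	struct fw_obj *uncached = alloc_obj(&cache, OPT_NOCACHE);
	if (!cached || !uncached) { free(cached); free(uncached); return (size_t)-1; }
	free_obj(uncached);  /* self-linked node: list_del touches only itself */
	for (p = cache.next; p != &cache; p = p->next) n++;
	free_obj(cached);
	return n;
}
/* Constructed all-zero node: the state a never-initialised list member would be in. */
int main(void) { struct list_head z = {0}; return demo() == 1 && !safe_to_unlink(&z) ? 0 : 1; }
```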
linux-stable-mirror@lists.linaro.org