diff options
author | Zhen Lei <thunder.leizhen@huawei.com> | 2021-07-19 08:45:31 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-07-21 16:11:42 +0200 |
commit | 3ecc8cb7c092b2f50e21d2aaaae35b8221ee7214 (patch) | |
tree | cef77ebda3ce29e037761941970ce75007ae1012 /drivers/base/dd.c | |
parent | sysfs: Use local reference in compat_only_sysfs_link_entry_to_kobj() (diff) | |
download | linux-3ecc8cb7c092b2f50e21d2aaaae35b8221ee7214.tar.xz linux-3ecc8cb7c092b2f50e21d2aaaae35b8221ee7214.zip |
firmware: fix theoretical UAF race with firmware cache and resume
This race was discovered when I carefully analyzed the code to locate
another firmware-related UAF issue. It can be triggered only when the
firmware load operation is executed during suspend. This possibility is
almost impossible because there are few firmware load and suspend actions
in the actual environment.
CPU0 CPU1
__device_uncache_fw_images(): assign_fw():
fw_cache_piggyback_on_request()
<----- P0
spin_lock(&fwc->name_lock);
...
list_del(&fce->list);
spin_unlock(&fwc->name_lock);
uncache_firmware(fce->name);
<----- P1
kref_get(&fw_priv->ref);
If CPU1 is interrupted at position P0, the new 'fce' has been added to the
list fwc->fw_names by the fw_cache_piggyback_on_request(). In this case,
CPU0 executes __device_uncache_fw_images() and will be able to see it when
it traverses list fwc->fw_names. Before CPU1 executes kref_get() at P1, if
CPU0 further executes uncache_firmware(), the count of fw_priv->ref may
decrease to 0, causing fw_priv to be released in advance.
Move kref_get() to the lock protection range of fwc->name_lock to fix it.
Fixes: ac39b3ea73aa ("firmware loader: let caching firmware piggyback on loading firmware")
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20210719064531.3733-2-thunder.leizhen@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/base/dd.c')
0 files changed, 0 insertions, 0 deletions