Date: Fri, 16 Jul 2021 12:56:28 -0700
From: Luis Chamberlain
To: Zhen Lei
Cc: Greg Kroah-Hartman, "Rafael J . Wysocki", Ming Lei, linux-kernel
Subject: Re: [PATCH 1/1] firmware: fix use-after-free in _request_firmware()
Message-ID: <20210716195628.a2pz73hdudrsf7vu@garbanzo>
References: <20210713024942.2881-1-thunder.leizhen@huawei.com>
In-Reply-To: <20210713024942.2881-1-thunder.leizhen@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 13, 2021 at 10:49:42AM +0800, Zhen Lei wrote:
> CPU0                                CPU1
> __device_uncache_fw_images():       assign_fw():
>                                       fw_cache_piggyback_on_request()
>                                       <----- P0
> spin_lock(&fwc->name_lock);
> ...
> list_del(&fce->list);
> spin_unlock(&fwc->name_lock);
>
> uncache_firmware(fce->name);
>                                       <----- P1
>                                       kref_get(&fw_priv->ref);
>
> If CPU1 is interrupted at position P0, the new 'fce' has been added to the
> list fwc->fw_names by the fw_cache_piggyback_on_request(). In this case,
> CPU0 executes __device_uncache_fw_images() and will be able to see it when
> it traverses list fwc->fw_names. Before CPU1 executes kref_get() at P1, if
> CPU0 further executes uncache_firmware(), the count of fw_priv->ref may
> decrease to 0, causing fw_priv to be released in advance.
>
> Move kref_get() to the lock protection range of fwc->name_lock to fix it.
>
> Fixes: ac39b3ea73aa ("firmware loader: let caching firmware piggyback on loading firmware")
> Signed-off-by: Zhen Lei

Acked-by: Luis Chamberlain

Good catch!

Can you resend a v2 patch describing how this race is rather difficult to
run into given it likely involves looping modprobe / rmmod on a driver
while doing the suspend / resume cycle? I can't see how else to trigger
this.
Additionally, if you can describe in the patch how you found this (code
inspection, a robot code system which looks for UAF?), it would be good
for the commit log. Having a possible impact described in the commit log
is useful for folks who may want to put effort into backporting this for
older kernels in case it does not apply as-is.

  Luis
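The interleaving in the commit message above, replayed deterministically as an added userspace model. This is example code written for this page, not kernel code and not part of Zhen Lei's patch or Luis's reply: the "lock" is a flag checked with assertions, the two CPUs are stepped by hand in the exact order P0, uncache, P1, and kref is a plain counter with a freed flag so the use-after-free is observable instead of undefined behaviour. The struct and function names (fw_priv_get, piggyback_link, device_uncache_fw_images, race_hits_uaf) are assumed for the model and only loosely mirror the loader's real helpers.

```c
/* Model of the fw_cache_piggyback_on_request() race (example, not kernel code).
 * Single-threaded: each "CPU" is advanced explicitly, so the interleaving
 * that the commit message describes is reproduced every time.
 */
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

struct fw_priv {
    int ref;        /* stands in for kref_read(&fw_priv->ref) */
    bool freed;     /* set when the last reference is dropped */
};

struct fw_cache_entry {
    struct fw_priv *fw_priv;
    bool on_list;   /* membership in fwc->fw_names */
};

struct fw_cache {
    bool name_lock_held;        /* fwc->name_lock, single-threaded stand-in */
    struct fw_cache_entry fce;  /* one entry is enough to show the race */
};

static void name_lock(struct fw_cache *fwc)   { assert(!fwc->name_lock_held); fwc->name_lock_held = true; }
static void name_unlock(struct fw_cache *fwc) { assert(fwc->name_lock_held);  fwc->name_lock_held = false; }

/* kref_get() stand-in: returns false if the object is already freed (the UAF). */
static bool fw_priv_get(struct fw_priv *p)
{
    if (p->freed)
        return false;       /* touching freed memory: the bug being modelled */
    p->ref++;
    return true;
}

/* kref_put() stand-in: the release callback just marks the object freed. */
static void fw_priv_put(struct fw_priv *p)
{
    assert(!p->freed);
    if (--p->ref == 0)
        p->freed = true;
}

/* CPU1 up to P0: fw_cache_piggyback_on_request() links fce into fwc->fw_names.
 * With get_under_lock the cache's kref_get() happens inside name_lock, which is
 * the fix the patch proposes; without it the get is deferred to P1. */
static void piggyback_link(struct fw_cache *fwc, struct fw_priv *p, bool get_under_lock)
{
    name_lock(fwc);
    fwc->fce.fw_priv = p;
    fwc->fce.on_list = true;
    if (get_under_lock)
        (void)fw_priv_get(p);
    name_unlock(fwc);
}

/* CPU0: __device_uncache_fw_images() followed by uncache_firmware(). */
static void device_uncache_fw_images(struct fw_cache *fwc)
{
    struct fw_priv *p = NULL;

    name_lock(fwc);
    if (fwc->fce.on_list) {         /* the entry CPU1 just linked is visible */
        fwc->fce.on_list = false;   /* list_del(&fce->list) */
        p = fwc->fce.fw_priv;
    }
    name_unlock(fwc);
    if (p)
        fw_priv_put(p);             /* uncache_firmware(): drop the cache's reference */
}

/* Replay P0 -> uncache -> P1.  Returns true if P1 operates on a freed fw_priv. */
static bool race_hits_uaf(bool fixed)
{
    struct fw_priv fw = { .ref = 1, .freed = false };   /* the requester's own reference */
    struct fw_cache fwc = { 0 };

    piggyback_link(&fwc, &fw, fixed);   /* CPU1 reaches P0 */
    device_uncache_fw_images(&fwc);     /* CPU0 runs in the window */
    if (!fixed)
        return !fw_priv_get(&fw);       /* CPU1 resumes at P1: kref_get() after the unlock */
    return fw.freed;                    /* fixed: the cache's ref kept it alive */
}

int main(void)
{
    printf("original ordering hits UAF: %s\n", race_hits_uaf(false) ? "yes" : "no");
    printf("kref_get under name_lock hits UAF: %s\n", race_hits_uaf(true) ? "yes" : "no");
    return 0;
}
```

The model starts the requester with a single reference, which is the case the commit message calls out (the count "may decrease to 0"); with extra references held elsewhere the put on CPU0 still steals a reference that does not belong to the cache, it just surfaces later.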