Date: Mon, 26 Jul 2021 11:27:21 -0700
From: Luis Chamberlain
To: Anirudh Rayabharam
Cc: gregkh@linuxfoundation.org, rafael@kernel.org, skhan@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+de271708674e2093097b@syzkaller.appspotmail.com
Subject: Re: [PATCH v7 2/2] firmware_loader: fix use-after-free in firmware_fallback_sysfs
Message-ID: <20210726182721.3no7ql73ggttdiyx@garbanzo>
References: <20210724121134.6364-1-mail@anirudhrb.com> <20210724121134.6364-3-mail@anirudhrb.com>
In-Reply-To: <20210724121134.6364-3-mail@anirudhrb.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Jul 24, 2021 at 05:41:34PM +0530, Anirudh Rayabharam wrote:
> This use-after-free happens when a fw_priv object has been freed but
> hasn't been removed from the pending list (pending_fw_head). The next
> time fw_load_sysfs_fallback tries to insert into the list, it ends up
> accessing the pending_list member of the previously freed fw_priv.
>
> The root cause here is that all code paths that abort the fw load
> don't delete it from the pending list. For example:
>
> _request_firmware()
>   -> fw_abort_batch_reqs()
>     -> fw_state_aborted()
>
> To fix this, delete the fw_priv from the list in __fw_set_state() if
> the new state is DONE or ABORTED. This way, all aborts will remove
> the fw_priv from the list. Accordingly, remove calls to list_del_init
> that were being made before calling fw_state_(aborted|done).
>
> Also, in fw_load_sysfs_fallback, don't add the fw_priv to the pending
> list if it is already aborted. Instead, just jump out and return early.
>
> Fixes: bcfbd3523f3c ("firmware: fix a double abort case with fw_load_sysfs_fallback")
> Reported-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com
> Tested-by: syzbot+de271708674e2093097b@syzkaller.appspotmail.com

Curious, how do you get syzbot to test this, I mean your custom tree?

> Signed-off-by: Anirudh Rayabharam

With the changes Shua requested being made:

Acked-by: Luis Chamberlain

  Luis
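The invariant the quoted commit message establishes (an object must leave the pending list at the moment it reaches a terminal state, so that no abort path can free it while it is still linked) can be modelled outside the kernel. The following is an added, user-space example and not the firmware_loader code or the patch itself: it reimplements a minimal `list_head`, keeps `pending_fw_head`, `fw_priv`, `__fw_set_state`, `fw_state_aborted`, `fw_state_done` and `fw_load_sysfs_fallback` as names only, and adds hypothetical helpers (`alloc_fw_priv`, `pending_count`, the two `scenario_*` functions, a simplified `fw_status` enum and an arbitrary `-EAGAIN` return) that the kernel does not have. It exercises both halves of the fix: unlinking inside the state setter, and the early return when the fallback sees an already-aborted request.

```c
/* Added example (not kernel code): user-space model of the pending-list
 * invariant from the commit message. Kernel names are reused for
 * readability; the list implementation, states and helpers are this
 * example's own simplifications. */
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }

static void list_add(struct list_head *n, struct list_head *head)
{
    n->next = head->next; n->prev = head;
    head->next->prev = n; head->next = n;
}

/* Unlink and re-point the node at itself so a second unlink is harmless. */
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}

static bool list_empty(const struct list_head *h) { return h->next == h; }

enum fw_status { FW_STATUS_UNKNOWN, FW_STATUS_LOADING, FW_STATUS_DONE, FW_STATUS_ABORTED };

struct fw_priv {
    struct list_head pending_list;   /* link into pending_fw_head */
    enum fw_status status;
    char name[32];
};

static struct list_head pending_fw_head = { &pending_fw_head, &pending_fw_head };

/* The fix: every transition to DONE or ABORTED also unlinks the object,
 * so abort paths that never touched the list (e.g. fw_abort_batch_reqs)
 * cannot leave a freed node reachable from pending_fw_head. */
static void __fw_set_state(struct fw_priv *fw_priv, enum fw_status status)
{
    if (status == FW_STATUS_DONE || status == FW_STATUS_ABORTED)
        list_del_init(&fw_priv->pending_list);
    fw_priv->status = status;
}

static void fw_state_aborted(struct fw_priv *p) { __fw_set_state(p, FW_STATUS_ABORTED); }
static void fw_state_done(struct fw_priv *p)    { __fw_set_state(p, FW_STATUS_DONE); }
static bool fw_state_is_aborted(const struct fw_priv *p) { return p->status == FW_STATUS_ABORTED; }

/* Hypothetical helper: allocate a request with an empty (self-linked) node. */
struct fw_priv *alloc_fw_priv(const char *name)
{
    struct fw_priv *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    INIT_LIST_HEAD(&p->pending_list);
    p->status = FW_STATUS_UNKNOWN;
    strncpy(p->name, name, sizeof p->name - 1);
    return p;
}

/* Model of the fallback's enqueue step: an already-aborted request is
 * never linked; otherwise it joins the pending list and starts loading.
 * The -EAGAIN value is this model's choice, not the kernel's. */
int fw_load_sysfs_fallback(struct fw_priv *fw_priv)
{
    if (fw_state_is_aborted(fw_priv))
        return -EAGAIN;
    list_add(&fw_priv->pending_list, &pending_fw_head);
    __fw_set_state(fw_priv, FW_STATUS_LOADING);
    return 0;
}

/* Hypothetical helper: number of requests currently on the pending list. */
int pending_count(void)
{
    int n = 0;
    for (struct list_head *p = pending_fw_head.next; p != &pending_fw_head; p = p->next)
        n++;
    return n;
}

/* Reported scenario: queue a request, abort it through a path that does
 * not call list_del_init itself, free it, then queue another request.
 * With the fix the abort unlinked the node, so the free is safe and the
 * second enqueue only touches live memory. Returns the pending count
 * after the second enqueue (1), or -1 if the abort left the node linked. */
int scenario_abort_then_requeue(void)
{
    struct fw_priv *a = alloc_fw_priv("a.bin");
    struct fw_priv *b = alloc_fw_priv("b.bin");
    fw_load_sysfs_fallback(a);
    fw_state_aborted(a);                       /* e.g. via fw_abort_batch_reqs() */
    bool unlinked = list_empty(&a->pending_list);
    free(a);                                   /* no longer reachable from the list */
    fw_load_sysfs_fallback(b);
    int n = pending_count();
    fw_state_done(b);                          /* unlinks b as well */
    free(b);
    return unlinked ? n : -1;
}

/* Early-return case: a request aborted before the fallback runs must be
 * rejected and must not appear on the list. Returns 0 on success. */
int scenario_already_aborted(void)
{
    struct fw_priv *c = alloc_fw_priv("c.bin");
    fw_state_aborted(c);
    int rc = fw_load_sysfs_fallback(c);
    int n = pending_count();
    free(c);
    return (rc < 0 && n == 0) ? 0 : -1;
}
```

The design point worth noticing is that `list_del_init` (rather than a plain unlink) makes the unlink idempotent: an object that is aborted, then marked done, or that was never linked at all, can pass through `__fw_set_state` any number of times without corrupting the list, which is exactly what lets the patch remove the scattered `list_del_init` calls from the individual call sites.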