From: Anirudh Rayabharam
To: mcgrof@kernel.org, gregkh@linuxfoundation.org, rafael@kernel.org, skhan@linuxfoundation.org
Cc: Anirudh Rayabharam, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org
Subject: [PATCH v8 0/2] firmware_loader: fix uaf in firmware_fallback_sysfs
Date: Wed, 28 Jul 2021 14:21:05 +0530
Message-Id: <20210728085107.4141-1-mail@anirudhrb.com>

This series fixes the use after free in firmware_fallback_sysfs reported
by syzbot at:
https://syzkaller.appspot.com/bug?extid=de271708674e2093097b

The first patch gets rid of the -EAGAIN return since it doesn't make
sense (see patch description for more info). The second patch goes on to
actually fix the use after free issue.

Changes in v8:
1. Added/fixed some comments as suggested by Shuah

Changes in v7:
1. Don't move the error handling code from fw_load_sysfs_fallback to
   fw_sysfs_wait_timeout to simplify the patch. Also, the move is
   unnecessary.
2. Fix the commit log for patch 1 as per Luis' suggestions.

Changes in v6:
1. v5 didn't actually remove -EAGAIN. So, fixed that.

Changes in v5:
1. Split the patch into two patches as discussed here:
   https://lore.kernel.org/lkml/20210715232105.am4wsxfclj2ufjdw@garbanzo/

Changes in v4:
Documented the reasons behind the error codes returned from
fw_sysfs_wait_timeout() as suggested by Luis Chamberlain.

Changes in v3:
Modified the patch to incorporate suggestions by Luis Chamberlain in
order to fix the root cause instead of applying a "band-aid" kind of fix.
https://lore.kernel.org/lkml/20210403013143.GV4332@42.do-not-panic.com/

Changes in v2:
1. Fixed 1 error and 1 warning (in the commit message) reported by
   checkpatch.pl. The error was regarding the format for referring to
   another commit "commit ("oneline")". The warning was for a line longer
   than 75 chars.

Anirudh Rayabharam (2):
  firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback
  firmware_loader: fix use-after-free in firmware_fallback_sysfs

 drivers/base/firmware_loader/fallback.c | 14 ++++++++------
 drivers/base/firmware_loader/firmware.h | 10 +++++++++-
 drivers/base/firmware_loader/main.c     |  2 ++
 3 files changed, 19 insertions(+), 7 deletions(-)

-- 
2.26.2