From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Luis Chamberlain, Zhen Lei, Sasha Levin
Subject: [PATCH 5.13 104/300] firmware: fix theoretical UAF race with firmware cache and resume
Date: Mon, 13 Sep 2021 15:12:45 +0200
Message-Id: <20210913131112.887440329@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210913131109.253835823@linuxfoundation.org>
References: <20210913131109.253835823@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zhen Lei

[ Upstream commit 3ecc8cb7c092b2f50e21d2aaaae35b8221ee7214 ]

This race was discovered when I carefully analyzed the code to locate
another firmware-related UAF issue. It can be triggered only when the
firmware load operation is executed during suspend. This possibility is
almost impossible because there are few firmware load and suspend actions
in the actual environment.

CPU0                                    CPU1
__device_uncache_fw_images():           assign_fw():
                                        fw_cache_piggyback_on_request()  <----- P0
    spin_lock(&fwc->name_lock);
    ...
    list_del(&fce->list);
    spin_unlock(&fwc->name_lock);

    uncache_firmware(fce->name);
                                        <----- P1
                                        kref_get(&fw_priv->ref);

If CPU1 is interrupted at position P0, the new 'fce' has been added to the
list fwc->fw_names by the fw_cache_piggyback_on_request(). In this case,
CPU0 executes __device_uncache_fw_images() and will be able to see it when
it traverses list fwc->fw_names. Before CPU1 executes kref_get() at P1, if
CPU0 further executes uncache_firmware(), the count of fw_priv->ref may
decrease to 0, causing fw_priv to be released in advance.

Move kref_get() to the lock protection range of fwc->name_lock to fix it.

Fixes: ac39b3ea73aa ("firmware loader: let caching firmware piggyback on loading firmware")
Acked-by: Luis Chamberlain
Signed-off-by: Zhen Lei Link: https://lore.kernel.org/r/20210719064531.3733-2-thunder.leizhen@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin --- drivers/base/firmware_loader/main.c | 20 ++++++++------------ 1 file changed, 8 insertions(+), 12 deletions(-) diff --git a/drivers/base/firmware_loader/main.c b/drivers/base/firmware_loader/main.c index 68c549d71230..bdbedc6660a8 100644 --- a/drivers/base/firmware_loader/main.c +++ b/drivers/base/firmware_loader/main.c @@ -165,7 +165,7 @@ static inline int fw_state_wait(struct fw_priv *fw_priv) return __fw_state_wait_common(fw_priv, MAX_SCHEDULE_TIMEOUT); } -static int fw_cache_piggyback_on_request(const char *name); +static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv); static struct fw_priv *__allocate_fw_priv(const char *fw_name, struct firmware_cache *fwc, @@ -707,10 +707,8 @@ int assign_fw(struct firmware *fw, struct device *device) * on request firmware. */ if (!(fw_priv->opt_flags & FW_OPT_NOCACHE) && - fw_priv->fwc->state == FW_LOADER_START_CACHE) { - if (fw_cache_piggyback_on_request(fw_priv->fw_name)) - kref_get(&fw_priv->ref); - } + fw_priv->fwc->state == FW_LOADER_START_CACHE) + fw_cache_piggyback_on_request(fw_priv); /* pass the pages buffer to driver at the last minute */ fw_set_page_data(fw_priv, fw); @@ -1259,11 +1257,11 @@ static int __fw_entry_found(const char *name) return 0; } -static int fw_cache_piggyback_on_request(const char *name) +static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv) { - struct firmware_cache *fwc = &fw_cache; + const char *name = fw_priv->fw_name; + struct firmware_cache *fwc = fw_priv->fwc; struct fw_cache_entry *fce; - int ret = 0; spin_lock(&fwc->name_lock); if (__fw_entry_found(name)) 
@@ -1271,13 +1269,12 @@ static int fw_cache_piggyback_on_request(const char *name) fce = alloc_fw_cache_entry(name); if (fce) { - ret = 1; list_add(&fce->list, &fwc->fw_names); + kref_get(&fw_priv->ref); pr_debug("%s: fw: %s\n", __func__, name); } found: spin_unlock(&fwc->name_lock); - return ret; } static void free_fw_cache_entry(struct fw_cache_entry *fce) @@ -1508,9 +1505,8 @@ static inline void unregister_fw_pm_ops(void) unregister_pm_notifier(&fw_cache.pm_notify); } #else -static int fw_cache_piggyback_on_request(const char *name) +static void fw_cache_piggyback_on_request(struct fw_priv *fw_priv) { - return 0; } static inline int register_fw_pm_ops(void) { -- 2.30.2
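Review bot: in the `@@ -707,10 +707,8 @@` hunk in assign_fw(), the comment block ending in `* on request firmware.` just above the changed lines still describes the old contract, where the caller did `kref_get(&fw_priv->ref)` only when fw_cache_piggyback_on_request() returned 1; now that the callee takes the reference itself under fwc->name_lock, that comment should say the cache entry and its reference are published together. Dropping the braces around the now single-statement `if` body is consistent with kernel style.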
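Review bot: in the `@@ -1259,11 +1257,11 @@` hunk, `fwc` is now taken from `fw_priv->fwc` instead of the global `&fw_cache`, which is the consistent choice given that assign_fw() already tests `fw_priv->fwc->state` before calling in. The `__fw_entry_found(name)` call that follows, however, takes only the name and no cache pointer, so confirm that it looks in the same cache object as `fw_priv->fwc`; if it consulted a different one, the found-check and the subsequent list_add() on `fwc->fw_names` could disagree.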
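Review bot: the `@@ -1271,13 +1269,12 @@` hunk is the actual fix: `list_add(&fce->list, &fwc->fw_names);` and `kref_get(&fw_priv->ref);` now sit in the same name_lock critical section, so the uncache path, which takes name_lock before list_del(), can no longer observe an entry whose reference has not yet been taken. The two paths that skip the kref_get() (alloc_fw_cache_entry() returning NULL, and the `found:` case where an entry already exists) correspond to the old `ret = 0` behaviour, so no reference is gained or lost there. A one-line comment above the kref_get() stating that each entry on fwc->fw_names owns exactly one reference, dropped again by uncache_firmware(), would document the invariant this fix relies on.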
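Review bot: in the `@@ -1508,9 +1505,8 @@` hunk, the !CONFIG_PM_SLEEP stub becomes an empty function with an unused parameter; the neighbouring stubs in the same block (`static inline void unregister_fw_pm_ops(void)` and `static inline int register_fw_pm_ops(void)`) are `static inline`, so marking this one `static inline` as well keeps the style of the block uniform.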
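The interleaving in the commit message, written out as an added C model that is not part of the patch or of the kernel. It stands in for the list, the kref and the spinlock with a one-slot cache, an int counter and a toy lock, and runs the CPU0/CPU1 steps one after another in the order the message gives: once against the pre-fix contract (the caller takes the reference after the unlock, the P0..P1 window) and once against the fixed one (the reference is taken inside the name_lock section). The `released` flag stands in for what KASAN would report as a use-after-free. The names `piggyback_before_fix`, `piggyback_after_fix`, `uncache`, `old_code_hits_uaf` and `fixed_code_keeps_fw_alive` are this example's own, not kernel symbols.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel objects (not the real definitions). */
struct fw_priv {
	int ref;        /* models fw_priv->ref (an int instead of struct kref) */
	const char *name;
	bool released;  /* set when ref drops to 0; a later access is a UAF */
};

struct firmware_cache {
	int name_lock;       /* toy spinlock for fwc->name_lock: 0 free, 1 held */
	bool entry_on_list;  /* stands in for an fce being on fwc->fw_names */
};

static void spin_lock(int *l)   { assert(*l == 0); *l = 1; }
static void spin_unlock(int *l) { assert(*l == 1); *l = 0; }

/* Returns true when the object was already released, i.e. this access is a
 * use-after-free (what KASAN would flag in the real kernel). */
static bool kref_get(struct fw_priv *p)
{
	if (p->released)
		return true;
	p->ref++;
	return false;
}

static void kref_put(struct fw_priv *p)
{
	if (--p->ref == 0)
		p->released = true;  /* release callback: fw_priv is freed */
}

/* CPU1 before the fix: publish the entry under name_lock, return 1, and
 * leave kref_get() to the caller after the unlock (the P0..P1 window). */
static int piggyback_before_fix(struct firmware_cache *fwc, struct fw_priv *fw_priv)
{
	int ret = 0;

	spin_lock(&fwc->name_lock);
	if (!fwc->entry_on_list) {
		fwc->entry_on_list = true;
		ret = 1;
	}
	spin_unlock(&fwc->name_lock);
	(void)fw_priv;
	return ret;
}

/* CPU1 after the fix: entry and the reference it owns are published in the
 * same critical section, so no other CPU can see one without the other. */
static void piggyback_after_fix(struct firmware_cache *fwc, struct fw_priv *fw_priv)
{
	spin_lock(&fwc->name_lock);
	if (!fwc->entry_on_list) {
		fwc->entry_on_list = true;
		kref_get(fw_priv);
	}
	spin_unlock(&fwc->name_lock);
}

/* CPU0: __device_uncache_fw_images() then uncache_firmware(), reduced to
 * "unlink the entry under name_lock, then drop the reference it owned". */
static void uncache(struct firmware_cache *fwc, struct fw_priv *fw_priv)
{
	bool had_entry;

	spin_lock(&fwc->name_lock);
	had_entry = fwc->entry_on_list;
	fwc->entry_on_list = false;
	spin_unlock(&fwc->name_lock);
	if (had_entry)
		kref_put(fw_priv);
}

/* The commit message's interleaving against the old code: true when CPU1's
 * kref_get() at P1 touches an fw_priv that CPU0 has already released. */
static bool old_code_hits_uaf(void)
{
	struct firmware_cache fwc = {0};
	struct fw_priv fw = { .ref = 1, .name = "example.bin", .released = false };
	int added = piggyback_before_fix(&fwc, &fw);  /* P0: entry visible, ref still 1 */

	uncache(&fwc, &fw);                           /* CPU0: unlink, put -> ref 0, freed */
	return added && kref_get(&fw);                /* P1: use-after-free */
}

/* Same interleaving against the fixed code: true when fw_priv survives. */
static bool fixed_code_keeps_fw_alive(void)
{
	struct firmware_cache fwc = {0};
	struct fw_priv fw = { .ref = 1, .name = "example.bin", .released = false };

	piggyback_after_fix(&fwc, &fw);  /* entry + its reference published together: ref 2 */
	uncache(&fwc, &fw);              /* CPU0: unlink, put -> ref 1, still alive */
	return !fw.released && fw.ref == 1;
}

int main(void)
{
	printf("old code, CPU1 hits freed fw_priv at P1: %s\n", old_code_hits_uaf() ? "yes" : "no");
	printf("fixed code, fw_priv alive after uncache: %s\n", fixed_code_keeps_fw_alive() ? "yes" : "no");
	return 0;
}
```

Build with `cc -std=c11 -Wall race.c && ./a.out`; the model is single-threaded on purpose, so the interleaving is deterministic and the two runs differ only in whether the reference is taken inside or outside the lock, which is exactly the change the `@@ -1271,13 +1269,12 @@` hunk makes.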