OpenCloudOS-Kernel/drivers
Zhen Lei 3ecc8cb7c0 firmware: fix theoretical UAF race with firmware cache and resume
This race was discovered when I carefully analyzed the code to locate
another firmware-related UAF issue. It can be triggered only when the
firmware load operation is executed during suspend. This possibility is
almost impossible because there are few firmware load and suspend actions
in the actual environment.

		CPU0			CPU1
__device_uncache_fw_images():		assign_fw():
					fw_cache_piggyback_on_request()
					<----- P0
	spin_lock(&fwc->name_lock);
	...
	list_del(&fce->list);
	spin_unlock(&fwc->name_lock);

	uncache_firmware(fce->name);
					<----- P1
					kref_get(&fw_priv->ref);

If CPU1 is interrupted at position P0, the new 'fce' has been added to the
list fwc->fw_names by the fw_cache_piggyback_on_request(). In this case,
CPU0 executes __device_uncache_fw_images() and will be able to see it when
it traverses list fwc->fw_names. Before CPU1 executes kref_get() at P1, if
CPU0 further executes uncache_firmware(), the count of fw_priv->ref may
decrease to 0, causing fw_priv to be released in advance.

Move kref_get() to the lock protection range of fwc->name_lock to fix it.

Fixes: ac39b3ea73 ("firmware loader: let caching firmware piggyback on loading firmware")
Acked-by: Luis Chamberlain <mcgrof@kernel.org>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20210719064531.3733-2-thunder.leizhen@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-07-21 16:11:42 +02:00
accessibility TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
acpi bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
amba bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
android
ata ARM: SoC changes for 5.14 2021-07-10 09:22:44 -07:00
atm Networking changes for 5.14. 2021-06-30 15:51:09 -07:00
auxdisplay
base firmware: fix theoretical UAF race with firmware cache and resume 2021-07-21 16:11:42 +02:00
bcma bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
block block-5.14-2021-07-16 2021-07-16 12:31:44 -07:00
bluetooth TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
bus bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
cdrom block: remove REQ_OP_SCSI_{IN,OUT} 2021-06-30 15:34:19 -06:00
char powerpc/powernv: Fix fall-through warning for Clang 2021-07-13 19:21:41 -05:00
clk dt-bindings: clock: r9a07g044-cpg: Update clock/reset definitions 2021-07-12 10:52:03 +02:00
clocksource This round has a diffstat dominated by Qualcomm clk drivers. Honestly though 2021-07-01 13:26:16 -07:00
comedi Staging / IIO driver patches for 5.14-rc1 2021-07-05 14:01:53 -07:00
connector
counter
cpufreq cpufreq: Fix fall-through warning for Clang 2021-07-13 11:53:07 -05:00
cpuidle - Add support for the Qcom MSM8226 (Bartosz Dudziak) 2021-06-30 14:56:51 +02:00
crypto ARM: SoC changes for 5.14 2021-07-10 09:22:44 -07:00
cxl bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
dax bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
dca
devfreq PM / devfreq: passive: Fix get_target_freq when not using required-opp 2021-06-24 10:37:35 +09:00
dio
dma bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
dma-buf Short summary of fixes pull: 2021-07-13 15:15:17 +02:00
edac EDAC/igen6: fix core dependency AGAIN 2021-07-15 11:59:59 -07:00
eisa
extcon Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
firewire bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
firmware bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
fpga bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
fsi
gnss
gpio - Core Frameworks 2021-07-05 12:10:34 -07:00
gpu drm fixes for 5.14-rc2 2021-07-16 11:14:54 -07:00
greybus
hid bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
hsi
hv bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
hwmon Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
hwspinlock
hwtracing bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
i2c bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
i3c bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
idle
iio Staging / IIO driver patches for 5.14-rc1 2021-07-05 14:01:53 -07:00
infiniband Tracing updates for 5.14: 2021-07-03 11:13:22 -07:00
input bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
interconnect interconnect changes for 5.14 2021-06-22 22:03:25 +02:00
iommu fallthrough fixes for Clang for 5.14-rc2 2021-07-15 13:57:31 -07:00
ipack bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
irqchip irqchip fixes for 5.14, take #1 2021-07-09 15:35:13 +02:00
isdn TTY / Serial patches for 5.14-rc1 2021-07-05 14:08:24 -07:00
leds This contains quite a lot of fixes, with more fixes in my inbox that 2021-07-03 11:57:42 -07:00
lightnvm
macintosh bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
mailbox mbox: add polarfire soc system controller mailbox 2021-06-26 12:06:48 -05:00
mcb bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
md - Various DM persistent-data library improvements and fixes that 2021-06-30 18:19:39 -07:00
media bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
memory
memstick bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
message scsi: message: mptfc: Switch from pci_ to dma_ API 2021-06-22 23:00:01 -04:00
mfd bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
misc bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
mmc bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
most
mtd mtd: cfi_util: Fix unreachable code issue 2021-07-12 11:15:28 -05:00
mux
net bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
nfc
ntb bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
nubus bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
nvdimm bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
nvme block-5.14-2021-07-16 2021-07-16 12:31:44 -07:00
nvmem Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
of Devicetree updates for v5.14: 2021-07-03 10:54:08 -07:00
opp
parisc kernel.h: split out panic and oops helpers 2021-07-01 11:06:04 -07:00
parport
pci bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
pcmcia bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
perf
phy USB / Thunderbolt patches for 5.14-rc1 2021-07-05 14:16:22 -07:00
pinctrl This is the bulk of pin control changes for the v5.14 kernel: 2021-07-01 16:57:14 -07:00
platform bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
pnp bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
power power: supply: Fix fall-through warnings for Clang 2021-07-13 14:50:47 -05:00
powercap
pps
ps3
ptp ptp: Relocate lookup cookie to correct block. 2021-07-08 12:33:10 -07:00
pwm pwm: ep93xx: Ensure configuring period and duty_cycle isn't wrongly skipped 2021-07-08 16:09:30 +02:00
rapidio bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
ras
regulator - Core Frameworks 2021-07-05 12:10:34 -07:00
remoteproc remoteproc updates for v5.14 2021-07-07 10:50:03 -07:00
reset ARM: Drivers for 5.14 2021-07-10 09:46:20 -07:00
rpmsg bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
rtc RTC for 5.14 2021-07-10 16:19:10 -07:00
s390 bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
sbus
scsi bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
sh bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
siox bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
slimbus bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
soc bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
soundwire Char / Misc driver updates for 5.14-rc1 2021-07-05 13:42:16 -07:00
spi bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
spmi bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
ssb bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
staging bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
target bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
tc
tee fallthrough fixes for Clang for 5.14-rc1 2021-06-28 20:03:38 -07:00
thermal - Add rk3568 sensor support (Finley Xiao) 2021-07-10 11:43:25 -07:00
thunderbolt bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
tty bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
uio
usb bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
vdpa bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
vfio bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
vhost vdpa: support packed virtqueue for set/get_vq_state() 2021-07-08 07:49:01 -04:00
video drm fixes for 5.14-rc2 2021-07-16 11:14:54 -07:00
virt nitro_enclaves: Set Bus Master for the NE PCI device 2021-06-24 15:48:27 +02:00
virtio bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
visorbus
vlynq bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
vme bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
w1
watchdog linux-watchdog 5.14-rc1 tag 2021-07-07 12:57:46 -07:00
xen bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
zorro bus: Make remove callback return void 2021-07-21 11:53:42 +02:00
Kconfig
Makefile hyperv-next for 5.14 2021-06-29 11:21:35 -07:00