mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-01-20 13:47:56 +07:00
bd9eb7fbe6
There is one race that both request_firmware() with the same
firmware name.
The race scenerio is as below:
CPU1 CPU2
request_firmware() -->
_request_firmware_load() return err another request_firmware() is coming -->
_request_firmware_cleanup is called --> _request_firmware_prepare -->
release_firmware ---> fw_lookup_and_allocate_buf -->
spin_lock(&fwc->lock)
... __fw_lookup_buf() return true
fw_free_buf() will be called --> ...
kref_put -->
decrease the refcount to 0
kref_get(&tmp->ref) ==> it will trigger warning
due to refcount == 0
__fw_free_buf() -->
... spin_unlock(&fwc->lock)
spin_lock(&fwc->lock)
list_del(&buf->list)
spin_unlock(&fwc->lock)
kfree(buf)
After that, the freed buf will be used.
The key race is decreasing refcount to 0 and list_del is not protected together by
fwc->lock, and it is possible another thread try to get it between refcount==0
and list_del.
Fix it here to protect it together.
Acked-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: liu chuansheng <chuansheng.liu@intel.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|---|---|---|
| .. | ||
| power | ||
| regmap | ||
| attribute_container.c | ||
| base.h | ||
| bus.c | ||
| class.c | ||
| core.c | ||
| cpu.c | ||
| dd.c | ||
| devres.c | ||
| devtmpfs.c | ||
| dma-buf.c | ||
| dma-coherent.c | ||
| dma-contiguous.c | ||
| dma-mapping.c | ||
| driver.c | ||
| firmware_class.c | ||
| firmware.c | ||
| hypervisor.c | ||
| init.c | ||
| isa.c | ||
| Kconfig | ||
| Makefile | ||
| map.c | ||
| memory.c | ||
| module.c | ||
| node.c | ||
| platform.c | ||
| soc.c | ||
| syscore.c | ||
| topology.c | ||
| transport_class.c | ||