mirror of
https://github.com/AuxXxilium/linux_dsm_epyc7002.git
synced 2025-03-31 17:08:39 +07:00
eea915bb0d
This oops was reported recently: firmware_loading_store+0xf9/0x17b dev_attr_store+0x20/0x22 sysfs_write_file+0x101/0x134 vfs_write+0xac/0xf3 sys_write+0x4a/0x6e system_call_fastpath+0x16/0x1b The complete backtrace was unfortunately not captured, but details can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=769920 The cause is fairly clear. Its caused by the fact that firmware_loading_store has a case 0 in its switch statement that reads and writes the fw_priv->fw poniter without the protection of the fw_lock mutex. since there is a window between the time that _request_firmware sets fw_priv->fw to NULL and the time the corresponding sysfs file is unregistered, its possible for a user space application to race in, and write a zero to the loading file, causing a NULL dereference in firmware_loading_store. Fix it by extending the protection of the fw_lock mutex to cover all of the firware_loading_store function. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
||
|---|---|---|
| .. | ||
| power | ||
| regmap | ||
| attribute_container.c | ||
| base.h | ||
| bus.c | ||
| class.c | ||
| core.c | ||
| cpu.c | ||
| dd.c | ||
| devres.c | ||
| devtmpfs.c | ||
| dma-coherent.c | ||
| dma-mapping.c | ||
| driver.c | ||
| firmware_class.c | ||
| firmware.c | ||
| hypervisor.c | ||
| init.c | ||
| isa.c | ||
| Kconfig | ||
| Makefile | ||
| map.c | ||
| memory.c | ||
| module.c | ||
| node.c | ||
| platform.c | ||
| sys.c | ||
| syscore.c | ||
| topology.c | ||
| transport_class.c | ||