Tree - kernel/kernel-source - Pagure for openSUSE

kernel / kernel-source

Source
Stats

Blame patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch

Blob History Raw

Takashi Iwai	2a9a10	`From a57ac7acdcc1665662e369993898194def56e888 Mon Sep 17 00:00:00 2001`
Takashi Iwai	2a9a10	`From: Johan Hovold <johan@kernel.org>`
Takashi Iwai	2a9a10	`Date: Wed, 1 Dec 2021 14:25:25 +0100`
Takashi Iwai	2a9a10	`Subject: [PATCH] firmware: qemu_fw_cfg: fix NULL-pointer deref on duplicate entries`
Takashi Iwai	2a9a10	`Git-commit: a57ac7acdcc1665662e369993898194def56e888`
Takashi Iwai	8f947a	`Alt-commit: d3e305592d69e21e36b76d24ca3c01971a2d09be`
Takashi Iwai	2a9a10	`Patch-mainline: v5.17-rc1`
Takashi Iwai	2a9a10	`References: git-fixes`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`Commit fe3c60684377 ("firmware: Fix a reference count leak.") "fixed"`
Takashi Iwai	2a9a10	`a kobject leak in the file registration helper by properly calling`
Takashi Iwai	2a9a10	`kobject_put() for the entry in case registration of the object fails`
Takashi Iwai	2a9a10	`(e.g. due to a name collision).`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`This would however result in a NULL pointer dereference when the`
Takashi Iwai	2a9a10	`release function tries to remove the never added entry from the`
Takashi Iwai	2a9a10	`fw_cfg_entry_cache list.`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`Fix this by moving the list-removal out of the release function.`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`Note that the offending commit was one of the benign looking umn.edu`
Takashi Iwai	2a9a10	`fixes which was reviewed but not reverted. [1][2]`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`[1] https://lore.kernel.org/r/202105051005.49BFABCE@keescook`
Takashi Iwai	2a9a10	`[2] https://lore.kernel.org/all/YIg7ZOZvS3a8LjSv@kroah.com`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`Fixes: fe3c60684377 ("firmware: Fix a reference count leak.")`
Takashi Iwai	2a9a10	`Cc: stable@vger.kernel.org # 5.8`
Takashi Iwai	2a9a10	`Cc: Qiushi Wu <wu000273@umn.edu>`
Takashi Iwai	2a9a10	`Cc: Kees Cook <keescook@chromium.org>`
Takashi Iwai	2a9a10	`Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>`
Takashi Iwai	2a9a10	`Signed-off-by: Johan Hovold <johan@kernel.org>`
Takashi Iwai	2a9a10	`Link: https://lore.kernel.org/r/20211201132528.30025-2-johan@kernel.org`
Takashi Iwai	2a9a10	`Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>`
Takashi Iwai	2a9a10	`Acked-by: Takashi Iwai <tiwai@suse.de>`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`---`
Takashi Iwai	2a9a10	`drivers/firmware/qemu_fw_cfg.c \| 5 +----`
Takashi Iwai	2a9a10	`1 file changed, 1 insertion(+), 4 deletions(-)`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`diff --git a/drivers/firmware/qemu_fw_cfg.c b/drivers/firmware/qemu_fw_cfg.c`
Takashi Iwai	2a9a10	`index 172c751a4f6c..a9c64ebfc49a 100644`
Takashi Iwai	2a9a10	`--- a/drivers/firmware/qemu_fw_cfg.c`
Takashi Iwai	2a9a10	`+++ b/drivers/firmware/qemu_fw_cfg.c`
Takashi Iwai	2a9a10	`@@ -388,9 +388,7 @@ static void fw_cfg_sysfs_cache_cleanup(void)`
Takashi Iwai	2a9a10	`struct fw_cfg_sysfs_entry entry, next;`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`list_for_each_entry_safe(entry, next, &fw_cfg_entry_cache, list) {`
Takashi Iwai	2a9a10	`- /* will end up invoking fw_cfg_sysfs_cache_delist()`
Takashi Iwai	2a9a10	`- * via each object's release() method (i.e. destructor)`
Takashi Iwai	2a9a10	`- */`
Takashi Iwai	2a9a10	`+ fw_cfg_sysfs_cache_delist(entry);`
Takashi Iwai	2a9a10	`kobject_put(&entry->kobj);`
Takashi Iwai	2a9a10	`}`
Takashi Iwai	2a9a10	`}`
Takashi Iwai	2a9a10	`@@ -448,7 +446,6 @@ static void fw_cfg_sysfs_release_entry(struct kobject *kobj)`
Takashi Iwai	2a9a10	`{`
Takashi Iwai	2a9a10	`struct fw_cfg_sysfs_entry *entry = to_entry(kobj);`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`- fw_cfg_sysfs_cache_delist(entry);`
Takashi Iwai	2a9a10	`kfree(entry);`
Takashi Iwai	2a9a10	`}`
Takashi Iwai	2a9a10
Takashi Iwai	2a9a10	`--`
Takashi Iwai	2a9a10	`2.31.1`
Takashi Iwai	2a9a10

kernel / kernel-source

Source Code

Blame patches.suse/firmware-qemu_fw_cfg-fix-NULL-pointer-deref-on-dupli.patch