[PATCH] firmware: Fix race condition in firmware_loading_store

From: Guenter Roeck
Date: Fri Jun 14 2013 - 11:39:06 EST

Next message: Li Wang: "[PATCH 2/2] Punch hole support against 3.10-rc5"
Previous message: Li Wang: "[PATCH 1/2] Punch hole support against 3.8-rc3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Fix:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000040
IP: [<ffffffff81491844>] fw_load_abort.isra.5+0x4/0x20
...
Call Trace:
[<ffffffff81491917>] firmware_loading_store+0x77/0x150
[<ffffffff81483063>] dev_attr_store+0x13/0x20
[<ffffffff8119bc9e>] sysfs_write_file+0xce/0x140
[<ffffffff81133e8a>] vfs_write+0x9a/0x160
[<ffffffff81134164>] sys_write+0x44/0x90
[<ffffffff817d70ed>] system_call_fastpath+0x1a/0x1f

Signed-off-by: Guenter Roeck <linux@xxxxxxxxxxxx>
---
drivers/base/firmware_class.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 4b1f926..f34b489 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -570,12 +570,13 @@ static ssize_t firmware_loading_store(struct device *dev,
const char *buf, size_t count)
{
struct firmware_priv *fw_priv = to_firmware_priv(dev);
- struct firmware_buf *fw_buf = fw_priv->buf;
int loading = simple_strtol(buf, NULL, 10);
+ struct firmware_buf *fw_buf;
int i;

mutex_lock(&fw_lock);

+ fw_buf = fw_priv->buf;
if (!fw_buf)
goto out;

--
1.7.9.7

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Li Wang: "[PATCH 2/2] Punch hole support against 3.10-rc5"
Previous message: Li Wang: "[PATCH 1/2] Punch hole support against 3.8-rc3"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]