From patchwork Wed Jan 25 12:45:42 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Khan, Imran" X-Patchwork-Id: 9536999 X-Patchwork-Delegate: agross@codeaurora.org Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 831206046A for ; Wed, 25 Jan 2017 12:46:26 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 73A7427DF9 for ; Wed, 25 Jan 2017 12:46:26 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 6517927F81; Wed, 25 Jan 2017 12:46:26 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0188A27DF9 for ; Wed, 25 Jan 2017 12:46:25 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751386AbdAYMqX (ORCPT ); Wed, 25 Jan 2017 07:46:23 -0500 Received: from smtp.codeaurora.org ([198.145.29.96]:55344 "EHLO smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751426AbdAYMqX (ORCPT ); Wed, 25 Jan 2017 07:46:23 -0500 Received: by smtp.codeaurora.org (Postfix, from userid 1000) id 6E569607F2; Wed, 25 Jan 2017 12:46:22 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1485348382; bh=70H9Cm3AYdG1ZgMzRx0fcJrwUe8VRxasHx2a6AkTAwg=; h=From:To:Cc:Subject:Date:From; b=Uc6VXm9iermWOVzAf6M/IQkyCkZWvbjPOVmeRDt3MtZ4R1qAghSglVe/jJVj0INqo wkZdJk+8h4cWgw5c05BPhqQ1BVUUHQaZXshtXvfspgG6QclRA/YxeQsuaX6G09R4kK Oeh45eWxA4MbTqN6st3BF8SwNJTHYQtbE91XO/9w= Received: from kimran-linux.qualcomm.com (unknown [202.46.23.54]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: kimran@smtp.codeaurora.org) by smtp.codeaurora.org (Postfix) with ESMTPSA id 81667607F2; Wed, 25 Jan 2017 12:46:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org; s=default; t=1485348381; bh=70H9Cm3AYdG1ZgMzRx0fcJrwUe8VRxasHx2a6AkTAwg=; h=From:To:Cc:Subject:Date:From; b=Lh2Efdv2C+Np2GCLgAqqdDqsd7UuRxs+o9mD7n4BuYUjLwBSqrxU8ySfHq/oCAVY3 P/NKpbeaoMDyaU7gSeGjsSAiCz2EOUWkV5RVQL5FPzy668aXNdifsGq8ALbin9Mkwq /qPLLyFZVS+U8vvZCns+t3rHlBcwuS+3AZ8s8cvk= DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 81667607F2 Authentication-Results: pdx-caf-mail.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org Authentication-Results: pdx-caf-mail.web.codeaurora.org; spf=none smtp.mailfrom=kimran@codeaurora.org From: Imran Khan To: ming.lei@canonical.com Cc: mcgrof@kernel.org, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-arm-msm@vger.kernel.org, Imran Khan Subject: [PATCH] firmware_class: Avoid pending list corruption Date: Wed, 25 Jan 2017 18:15:42 +0530 Message-Id: <1485348342-11536-1-git-send-email-kimran@codeaurora.org> X-Mailer: git-send-email 1.9.1 Sender: linux-arm-msm-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-arm-msm@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP Remove firmware buffer from pending list when it is freed. Once the buffer is free kmalloc can allocate the same slab object for some other user but as the buffer is still there in the pending list, we end up with multiple users of the same slab object using it in different contexts. Signed-off-by: Imran Khan --- drivers/base/firmware_class.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c index 4497d26..d09c1aa 100644 --- a/drivers/base/firmware_class.c +++ b/drivers/base/firmware_class.c @@ -339,6 +339,9 @@ static void __fw_free_buf(struct kref *ref) (unsigned int)buf->size); list_del(&buf->list); +#ifdef CONFIG_FW_LOADER_USER_HELPER + list_del(&buf->pending_list); +#endif spin_unlock(&fwc->lock); #ifdef CONFIG_FW_LOADER_USER_HELPER