[PATCH] request_firmware(): avoid race conditions

Avoid a race that occurs when a process still has an open file descriptor
for the class device attributes after the memory allocated for the firmware
has already been freed.  Don't allow a negative loading timeout.

Signed-off-by: Stanislaw W. Gruszka <stf_xl@wp.pl>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
diff --git a/drivers/base/firmware_class.c b/drivers/base/firmware_class.c
index 97fe13f..6522814 100644
--- a/drivers/base/firmware_class.c
+++ b/drivers/base/firmware_class.c
@@ -74,6 +74,8 @@
 firmware_timeout_store(struct class *class, const char *buf, size_t count)
 {
 	loading_timeout = simple_strtol(buf, NULL, 10);
+	if (loading_timeout < 0)
+		loading_timeout = 0;
 	return count;
 }
 
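Review bot: The clamp at `if (loading_timeout < 0)` covers only the lower bound; a very large written value is still stored and later multiplied in `jiffies + loading_timeout * HZ` (last hunk), where the product can overflow and yield an expiry that has effectively already passed. The declaration of loading_timeout is outside this patch, so if it is an int, the assignment from simple_strtol()'s long result can also truncate before the check runs. Parsing into a local first and bounding both ends would avoid this, e.g. `long t = simple_strtol(buf, NULL, 10);` followed by `loading_timeout = t < 0 ? 0 : (t > INT_MAX / HZ ? INT_MAX / HZ : t);`. The function's signature starts above the hunk.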
@@ -138,6 +140,10 @@
 	switch (loading) {
 	case 1:
 		down(&fw_lock);
+		if (!fw_priv->fw) {
+			up(&fw_lock);
+			break;
+		}
 		vfree(fw_priv->fw->data);
 		fw_priv->fw->data = NULL;
 		fw_priv->fw->size = 0;
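Review bot: The new `if (!fw_priv->fw)` test is only as strong as the locking on the side that clears the pointer, and that side is not in the visible hunks. The same applies to the two later hunks that add `!fw ||` to their status checks. If the code that releases the firmware does not set `fw_priv->fw = NULL` while holding fw_lock, an attribute file kept open across the release can still reach `vfree(fw_priv->fw->data)` on freed memory. A short comment above the check, such as `/* fw is cleared under fw_lock when the request finishes; see <release site> */`, would record that invariant. The switch statement starts and ends outside the hunk.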
@@ -178,7 +184,7 @@
 
 	down(&fw_lock);
 	fw = fw_priv->fw;
-	if (test_bit(FW_STATUS_DONE, &fw_priv->status)) {
+	if (!fw || test_bit(FW_STATUS_DONE, &fw_priv->status)) {
 		ret_count = -ENODEV;
 		goto out;
 	}
@@ -238,9 +244,10 @@
 
 	if (!capable(CAP_SYS_RAWIO))
 		return -EPERM;
+
 	down(&fw_lock);
 	fw = fw_priv->fw;
-	if (test_bit(FW_STATUS_DONE, &fw_priv->status)) {
+	if (!fw || test_bit(FW_STATUS_DONE, &fw_priv->status)) {
 		retval = -ENODEV;
 		goto out;
 	}
@@ -418,7 +425,7 @@
 
 	fw_priv = class_get_devdata(class_dev);
 
-	if (loading_timeout) {
+	if (loading_timeout > 0) {
 		fw_priv->timeout.expires = jiffies + loading_timeout * HZ;
 		add_timer(&fw_priv->timeout);
 	}
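Review bot: With the `> 0` test, zero is the only remaining "no timer" value, and the store handler now maps every negative write onto it, so the meaning of zero deserves a comment here. What the caller does when no timer is armed is outside the hunk; presumably the request then waits until user space finishes or aborts the load. Something like `/* loading_timeout == 0: no timer, the request is not bounded in time */` above the `if` would make that explicit.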