On Tue, May 05, 2015 at 05:44:22PM -0700, Luis R. Rodriguez wrote: > From: "Luis R. Rodriguez" <mcgrof at suse.com> > > Asynchronous firmware loading copies the pointer to the > name passed as an argument only to be scheduled later and > used. This behaviour works well for synchronous calling > but in asynchronous mode there's a chance the caller could > immediately free the passed string after making the > asynchronous call. This could trigger a use after free > having the kernel look on disk for arbitrary file names. <-- snip --> > Unfortunatley in the worst and most common case however you > can typically crash your system with a page fault by trying to > free something which you cannot, and/or a NULL pointer > dereference [1]. I've found a few more bugs in this code that should be stable fixes. Since the fixes are all related there is an alternative approach to the problem here which would require us to just deal with PATH_MAX a few times in code for firmware requests. Although that does increase the allocation required by a few KB I think the simplicity is worth it. So if this patch has not yet been applied I will send out a new series of fixes addressing name issues through an alternative approach and implementation preferences so please yield applying this yet, if it has already been applied / submitted upstream let me know. Luis