d-two/operating-system
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Linux: Update kernel 5.10.103

Browse Source
This commit is contained in:
Stefan Agner
2022-03-08 17:24:12 +01:00
parent 3e689001c4
commit f189a8bce7
9 changed files with 14 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
buildroot-external/board/pc/patches/linux/0002-iwlwifi-fix-use-after-free.patch
View File

@@ -1,49 +0,0 @@
From ca69c942280b3fccd641ba2ca24c7c5925014241 Mon Sep 17 00:00:00 2001
Message-Id: <ca69c942280b3fccd641ba2ca24c7c5925014241.1644327234.git.stefan@agner.ch>
In-Reply-To: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch>
References: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch>
From: Johannes Berg <johannes.berg@intel.com>
Date: Tue, 8 Feb 2022 11:47:30 +0100
Subject: [PATCH 2/2] iwlwifi: fix use-after-free
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
If no firmware was present at all (or, presumably, all of the
firmware files failed to parse), we end up unbinding by calling
device_release_driver(), which calls remove(), which then in
iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
the new code I added will still erroneously access it after it
was freed.
Set 'failure=false' in this case to avoid the access, all data
was already freed anyway.
Cc: stable@vger.kernel.org
Reported-by: Stefan Agner <stefan@agner.ch>
Reported-by: Wolfgang Walter <linux@stwm.de>
Reported-by: Jason Self <jason@bluehome.net>
Reported-by: Dominik Behr <dominik@dominikbehr.com>
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
---
drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
index d64cec9d593d..90a680799b03 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
@@ -1646,6 +1646,8 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
out_unbind:
complete(&drv->request_firmware_complete);
device_release_driver(drv->trans->dev);
+ /* drv has just been freed by the release */
+ failure = false;
free:
if (failure)
iwl_dealloc_ucode(drv);
--
2.35.1