50 lines
2.0 KiB
Diff
50 lines
2.0 KiB
Diff
From ca69c942280b3fccd641ba2ca24c7c5925014241 Mon Sep 17 00:00:00 2001
|
|
Message-Id: <ca69c942280b3fccd641ba2ca24c7c5925014241.1644327234.git.stefan@agner.ch>
|
|
In-Reply-To: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch>
|
|
References: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch>
|
|
From: Johannes Berg <johannes.berg@intel.com>
|
|
Date: Tue, 8 Feb 2022 11:47:30 +0100
|
|
Subject: [PATCH 2/2] iwlwifi: fix use-after-free
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
If no firmware was present at all (or, presumably, all of the
|
|
firmware files failed to parse), we end up unbinding by calling
|
|
device_release_driver(), which calls remove(), which then in
|
|
iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
|
|
the new code I added will still erroneously access it after it
|
|
was freed.
|
|
|
|
Set 'failure=false' in this case to avoid the access, all data
|
|
was already freed anyway.
|
|
|
|
Cc: stable@vger.kernel.org
|
|
Reported-by: Stefan Agner <stefan@agner.ch>
|
|
Reported-by: Wolfgang Walter <linux@stwm.de>
|
|
Reported-by: Jason Self <jason@bluehome.net>
|
|
Reported-by: Dominik Behr <dominik@dominikbehr.com>
|
|
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
|
|
Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
|
|
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
---
|
|
drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
|
|
index d64cec9d593d..90a680799b03 100644
|
|
--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
|
|
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
|
|
@@ -1646,6 +1646,8 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
|
|
out_unbind:
|
|
complete(&drv->request_firmware_complete);
|
|
device_release_driver(drv->trans->dev);
|
|
+ /* drv has just been freed by the release */
|
|
+ failure = false;
|
|
free:
|
|
if (failure)
|
|
iwl_dealloc_ucode(drv);
|
|
--
|
|
2.35.1
|
|
|