| 1 |
commit: a8586fe04190d60e515a4a0a05e58a3a3ef5d46b |
| 2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Tue Feb 8 13:33:42 2022 +0000 |
| 4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Tue Feb 8 13:33:42 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=a8586fe0 |
| 7 |
|
| 8 |
iwlwifi: fix use-after-free |
| 9 |
|
| 10 |
Bug: https://bugs.gentoo.org/832795 |
| 11 |
|
| 12 |
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> |
| 13 |
|
| 14 |
0000_README | 4 ++++ |
| 15 |
2410_iwlwifi-fix-use-after-free.patch | 37 +++++++++++++++++++++++++++++++++++ |
| 16 |
2 files changed, 41 insertions(+) |
| 17 |
|
| 18 |
diff --git a/0000_README b/0000_README |
| 19 |
index 2af50adb..735f80d8 100644 |
| 20 |
--- a/0000_README |
| 21 |
+++ b/0000_README |
| 22 |
@@ -87,6 +87,10 @@ Patch: 2400_mt76-mt7921e-fix-possible-probe-failure-after-reboot.patch |
| 23 |
From: https://patchwork.kernel.org/project/linux-wireless/patch/70e27cbc652cbdb78277b9c691a3a5ba02653afb.1641540175.git.objelf@×××××.com/ |
| 24 |
Desc: mt76: mt7921e: fix possible probe failure after reboot |
| 25 |
|
| 26 |
+Patch: 2410_iwlwifi-fix-use-after-free.patch |
| 27 |
+From: https://marc.info/?l=linux-wireless&m=164431994900440&w=2 |
| 28 |
+Desc: iwlwifi: fix use-after-free |
| 29 |
+ |
| 30 |
Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch |
| 31 |
From: https://bugs.gentoo.org/710790 |
| 32 |
Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino |
| 33 |
|
| 34 |
diff --git a/2410_iwlwifi-fix-use-after-free.patch b/2410_iwlwifi-fix-use-after-free.patch |
| 35 |
new file mode 100644 |
| 36 |
index 00000000..4c94467b |
| 37 |
--- /dev/null |
| 38 |
+++ b/2410_iwlwifi-fix-use-after-free.patch |
| 39 |
@@ -0,0 +1,37 @@ |
| 40 |
+If no firmware was present at all (or, presumably, all of the |
| 41 |
+firmware files failed to parse), we end up unbinding by calling |
| 42 |
+device_release_driver(), which calls remove(), which then in |
| 43 |
+iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However |
| 44 |
+the new code I added will still erroneously access it after it |
| 45 |
+was freed. |
| 46 |
+ |
| 47 |
+Set 'failure=false' in this case to avoid the access, all data |
| 48 |
+was already freed anyway. |
| 49 |
+ |
| 50 |
+Cc: stable@×××××××××××.org |
| 51 |
+Reported-by: Stefan Agner <stefan@×××××.ch> |
| 52 |
+Reported-by: Wolfgang Walter <linux@××××.de> |
| 53 |
+Reported-by: Jason Self <jason@××××××××.net> |
| 54 |
+Reported-by: Dominik Behr <dominik@×××××××××××.com> |
| 55 |
+Reported-by: Marek Marczykowski-Górecki <marmarek@××××××××××××××××××.com> |
| 56 |
+Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load") |
| 57 |
+Signed-off-by: Johannes Berg <johannes.berg@×××××.com> |
| 58 |
+--- |
| 59 |
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 ++ |
| 60 |
+ 1 file changed, 2 insertions(+) |
| 61 |
+ |
| 62 |
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c |
| 63 |
+index 83e3b731ad29..6651e78b39ec 100644 |
| 64 |
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c |
| 65 |
++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c |
| 66 |
+@@ -1707,6 +1707,8 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context) |
| 67 |
+ out_unbind: |
| 68 |
+ complete(&drv->request_firmware_complete); |
| 69 |
+ device_release_driver(drv->trans->dev); |
| 70 |
++ /* drv has just been freed by the release */ |
| 71 |
++ failure = false; |
| 72 |
+ free: |
| 73 |
+ if (failure) |
| 74 |
+ iwl_dealloc_ucode(drv); |
| 75 |
+-- |
| 76 |
+2.34.1 |
Archives