commit: eff3601ea056d61ad7d11aca447061570a56ec74
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Tue Feb 8 15:12:41 2022 +0000
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Tue Feb 8 15:12:41 2022 +0000
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=eff3601e
iwlwifi: fix use-after-free Bug: https://bugs.gentoo.org/832795 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 4 ++++ 2410_iwlwifi-fix-use-after-free.patch | 37 +++++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) diff --git a/0000_README b/0000_README index 60575044..3e49e689 100644 --- a/0000_README +++ b/0000_README @@ -139,6 +139,10 @@ Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch From: https://lore.kernel.org/linux-bluetooth/[email protected]/raw Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 +Patch: 2410_iwlwifi-fix-use-after-free.patch +From: https://marc.info/?l=linux-wireless&m=164431994900440&w=2 +Desc: iwlwifi: fix use-after-free + Patch: 2900_tmp513-Fix-build-issue-by-selecting-CONFIG_REG.patch From: https://bugs.gentoo.org/710790 Desc: tmp513 requies REGMAP_I2C to build. Select it by default in Kconfig. See bug #710790. Thanks to Phil Stracchino diff --git a/2410_iwlwifi-fix-use-after-free.patch b/2410_iwlwifi-fix-use-after-free.patch new file mode 100644 index 00000000..4c94467b --- /dev/null +++ b/2410_iwlwifi-fix-use-after-free.patch 
@@ -0,0 +1,37 @@ +If no firmware was present at all (or, presumably, all of the +firmware files failed to parse), we end up unbinding by calling +device_release_driver(), which calls remove(), which then in +iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However +the new code I added will still erroneously access it after it +was freed. + +Set 'failure=false' in this case to avoid the access, all data +was already freed anyway. + +Cc: [email protected] +Reported-by: Stefan Agner <[email protected]> +Reported-by: Wolfgang Walter <[email protected]> +Reported-by: Jason Self <[email protected]> +Reported-by: Dominik Behr <[email protected]> +Reported-by: Marek Marczykowski-Górecki <[email protected]> +Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load") +Signed-off-by: Johannes Berg <[email protected]> +--- + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +index 83e3b731ad29..6651e78b39ec 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +@@ -1707,6 +1707,8 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context) + out_unbind: + complete(&drv->request_firmware_complete); + device_release_driver(drv->trans->dev); ++ /* drv has just been freed by the release */ ++ failure = false; + free: + if (failure) + iwl_dealloc_ucode(drv); +-- +2.34.1
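Review bot: In the 0000_README hunk, the new `Desc:` line omits the bug cross-reference that the neighbouring entries carry (`See bug #686758`, `See bug #710790`); suggest `Desc: iwlwifi: fix use-after-free. See bug #832795.` so the README points at the Gentoo bug already named in the commit message. The `From:` URL also points at a marc.info archive, while the entry directly above uses a lore.kernel.org link; a lore permalink is the more durable reference when someone later needs to re-verify the backport against upstream.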
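Review bot: In the 2410_iwlwifi-fix-use-after-free.patch hunk, the new `failure = false;` is correctly placed after `device_release_driver(drv->trans->dev);` at `out_unbind:`, so the `if (failure) iwl_dealloc_ucode(drv);` under `free:` is skipped on the path where `drv` has already been freed by remove(), which is exactly the use-after-free described. Since `drv` stays a dangling pointer from that point on, please confirm that nothing after the `free:` label dereferences it, or additionally set `drv = NULL;` next to the new comment so any future access on this path faults deterministically instead of silently reading freed memory. The embedded patch also carries `Fixes:` and `Signed-off-by:` but no upstream commit id for the fix itself; recording that id at the top of the patch file would make future rebases of 2410_ and stable-tree comparisons easier.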
