mirror_ubuntu-kernels/drivers/net/wireless
Zheyu Ma 257051a235 mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
When the driver fails to request the firmware, it calls its error
handler. In the error handler, the driver detaches device from driver
first before releasing the firmware, which can cause a use-after-free bug.

Fix this by releasing firmware first.

The following log reveals it:

[    9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0
[    9.010143 ] Workqueue: events request_firmware_work_func
[    9.010830 ] Call Trace:
[    9.010830 ]  dump_stack_lvl+0xa8/0xd1
[    9.010830 ]  print_address_description+0x87/0x3b0
[    9.010830 ]  kasan_report+0x172/0x1c0
[    9.010830 ]  ? mutex_unlock+0xd/0x10
[    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  __asan_report_load8_noabort+0x14/0x20
[    9.010830 ]  mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  ? mwl8k_load_firmware+0x5f0/0x5f0
[    9.010830 ]  request_firmware_work_func+0x172/0x250
[    9.010830 ]  ? read_lock_is_recursive+0x20/0x20
[    9.010830 ]  ? process_one_work+0x7a1/0x1100
[    9.010830 ]  ? request_firmware_nowait+0x460/0x460
[    9.010830 ]  ? __this_cpu_preempt_check+0x13/0x20
[    9.010830 ]  process_one_work+0x9bb/0x1100

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com
2021-10-20 11:41:21 +03:00
admtek module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
ath wireless: Remove redundant 'flush_workqueue()' calls 2021-10-13 09:22:19 +03:00
atmel module: remove never implemented MODULE_SUPPORTED_DEVICE 2021-03-17 13:16:18 -07:00
broadcom b43: fix a lower bounds test 2021-10-11 09:09:30 +03:00
cisco airo: use ndo_siocdevprivate 2021-07-27 20:11:44 +01:00
intel wireless: Remove redundant 'flush_workqueue()' calls 2021-10-13 09:22:19 +03:00
intersil Kbuild updates for v5.15 2021-09-03 15:33:47 -07:00
marvell mwl8k: Fix use-after-free in mwl8k_fw_state_machine() 2021-10-20 11:41:21 +03:00
mediatek mt7601u: Remove redundant initialization of variable ret 2021-10-13 09:21:09 +03:00
microchip wireless: Remove redundant 'flush_workqueue()' calls 2021-10-13 09:22:19 +03:00
quantenna wireless: Remove redundant 'flush_workqueue()' calls 2021-10-13 09:22:19 +03:00
ralink rt2x00: remove duplicate USB device ID 2021-09-21 18:09:38 +03:00
realtek rtw89: Remove redundant check of ret after call to rtw89_mac_enable_bb_rf 2021-10-18 15:31:24 +03:00
rsi rsi: stop thread firstly in rsi_91x_init() error handling 2021-10-20 11:39:43 +03:00
st wireless: Remove redundant 'flush_workqueue()' calls 2021-10-13 09:22:19 +03:00
ti Driver core changes for 5.14-rc1 2021-07-05 13:51:41 -07:00
zydas zd1211rw: remove duplicate USB device ID 2021-09-21 18:09:37 +03:00
Kconfig
mac80211_hwsim.c mac80211-hwsim: fix late beacon hrtimer handling 2021-09-23 13:25:12 +02:00
mac80211_hwsim.h
Makefile
ray_cs.c ray_cs: Split memcpy() to avoid bounds check warning 2021-08-21 20:15:36 +03:00
ray_cs.h
rayctl.h
rndis_wlan.c wireless: Remove redundant 'flush_workqueue()' calls 2021-10-13 09:22:19 +03:00
virt_wifi.c virt_wifi: fix error on connect 2021-07-23 10:34:31 +02:00
wl3501_cs.c wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join 2021-04-22 17:38:41 +03:00
wl3501.h wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join 2021-04-22 17:38:41 +03:00