Google Git
Sign in
kernel / pub / scm / linux / kernel / git / stable / stable-queue / d4a7a066b6caec2b695cf0414a27491372676926 / . / releases / 5.4.160 / mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch
blob: ce50b89149b9fd054a8e9217ae80c76e3e85148c [file] [log] [blame]
From ddf90f03a6327f764dde5483294c069c67c56f72 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Sat, 16 Oct 2021 04:02:59 +0000
Subject: mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
From: Zheyu Ma <zheyuma97@gmail.com>
[ Upstream commit 257051a235c17e33782b6e24a4b17f2d7915aaec ]
When the driver fails to request the firmware, it calls its error
handler. In the error handler, the driver detaches device from driver
first before releasing the firmware, which can cause a use-after-free bug.
Fix this by releasing firmware first.
The following log reveals it:
[ 9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0
[ 9.010143 ] Workqueue: events request_firmware_work_func
[ 9.010830 ] Call Trace:
[ 9.010830 ] dump_stack_lvl+0xa8/0xd1
[ 9.010830 ] print_address_description+0x87/0x3b0
[ 9.010830 ] kasan_report+0x172/0x1c0
[ 9.010830 ] ? mutex_unlock+0xd/0x10
[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0
[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0
[ 9.010830 ] __asan_report_load8_noabort+0x14/0x20
[ 9.010830 ] mwl8k_fw_state_machine+0x320/0xba0
[ 9.010830 ] ? mwl8k_load_firmware+0x5f0/0x5f0
[ 9.010830 ] request_firmware_work_func+0x172/0x250
[ 9.010830 ] ? read_lock_is_recursive+0x20/0x20
[ 9.010830 ] ? process_one_work+0x7a1/0x1100
[ 9.010830 ] ? request_firmware_nowait+0x460/0x460
[ 9.010830 ] ? __this_cpu_preempt_check+0x13/0x20
[ 9.010830 ] process_one_work+0x9bb/0x1100
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwl8k.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
index 1b76b24191866..14ac2384218df 100644
--- a/drivers/net/wireless/marvell/mwl8k.c
+++ b/drivers/net/wireless/marvell/mwl8k.c
@@ -5796,8 +5796,8 @@ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context)
fail:
priv->fw_state = FW_STATE_ERROR;
complete(&priv->firmware_loading_complete);
- device_release_driver(&priv->pdev->dev);
mwl8k_release_firmware(priv);
+ device_release_driver(&priv->pdev->dev);
}
#define MAX_RESTART_ATTEMPTS 1
--
2.33.0