| From cc4255eff523f25187bb95561642941de0e57497 Mon Sep 17 00:00:00 2001 |
| From: Avraham Stern <avraham.stern@intel.com> |
| Date: Fri, 31 Jan 2020 15:45:27 +0200 |
| Subject: iwlwifi: mvm: avoid use after free for pmsr request |
| |
| From: Avraham Stern <avraham.stern@intel.com> |
| |
| commit cc4255eff523f25187bb95561642941de0e57497 upstream. |
| |
| When a FTM request is aborted, the driver sends the abort command to |
| the fw and waits for a response. When the response arrives, the driver |
| calls cfg80211_pmsr_complete() for that request. |
| However, cfg80211 frees the requested data immediately after sending |
| the abort command, so this may lead to use after free. |
| |
| Fix it by clearing the request data in the driver when the abort |
| command arrives and ignoring the fw notification that will come |
| afterwards. |
| |
| Signed-off-by: Avraham Stern <avraham.stern@intel.com> |
| Fixes: fc36ffda3267 ("iwlwifi: mvm: support FTM initiator") |
| Signed-off-by: Luca Coelho <luciano.coelho@intel.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 5 ++++- |
| 1 file changed, 4 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c |
| +++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c |
| @@ -8,6 +8,7 @@ |
| * Copyright(c) 2015 - 2017 Intel Deutschland GmbH |
| * Copyright (C) 2018 Intel Corporation |
| * Copyright (C) 2019 Intel Corporation |
| + * Copyright (C) 2020 Intel Corporation |
| * |
| * This program is free software; you can redistribute it and/or modify |
| * it under the terms of version 2 of the GNU General Public License as |
| @@ -30,6 +31,7 @@ |
| * Copyright(c) 2015 - 2017 Intel Deutschland GmbH |
| * Copyright (C) 2018 Intel Corporation |
| * Copyright (C) 2019 Intel Corporation |
| + * Copyright (C) 2020 Intel Corporation |
| * All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| @@ -389,6 +391,8 @@ void iwl_mvm_ftm_abort(struct iwl_mvm *m |
| if (req != mvm->ftm_initiator.req) |
| return; |
| |
| + iwl_mvm_ftm_reset(mvm); |
| + |
| if (iwl_mvm_send_cmd_pdu(mvm, iwl_cmd_id(TOF_RANGE_ABORT_CMD, |
| LOCATION_GROUP, 0), |
| 0, sizeof(cmd), &cmd)) |
| @@ -502,7 +506,6 @@ void iwl_mvm_ftm_range_resp(struct iwl_m |
| lockdep_assert_held(&mvm->mutex); |
| |
| if (!mvm->ftm_initiator.req) { |
| - IWL_ERR(mvm, "Got FTM response but have no request?\n"); |
| return; |
| } |
| |