linux/drivers/net
Zheyu Ma 451cef276f mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
[ Upstream commit 257051a235 ]

When the driver fails to request the firmware, it calls its error
handler. In the error handler, the driver detaches device from driver
first before releasing the firmware, which can cause a use-after-free bug.

Fix this by releasing firmware first.

The following log reveals it:

[    9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0
[    9.010143 ] Workqueue: events request_firmware_work_func
[    9.010830 ] Call Trace:
[    9.010830 ]  dump_stack_lvl+0xa8/0xd1
[    9.010830 ]  print_address_description+0x87/0x3b0
[    9.010830 ]  kasan_report+0x172/0x1c0
[    9.010830 ]  ? mutex_unlock+0xd/0x10
[    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  __asan_report_load8_noabort+0x14/0x20
[    9.010830 ]  mwl8k_fw_state_machine+0x320/0xba0
[    9.010830 ]  ? mwl8k_load_firmware+0x5f0/0x5f0
[    9.010830 ]  request_firmware_work_func+0x172/0x250
[    9.010830 ]  ? read_lock_is_recursive+0x20/0x20
[    9.010830 ]  ? process_one_work+0x7a1/0x1100
[    9.010830 ]  ? request_firmware_nowait+0x460/0x460
[    9.010830 ]  ? __this_cpu_preempt_check+0x13/0x20
[    9.010830 ]  process_one_work+0x9bb/0x1100

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-18 14:03:58 +01:00
appletalk
arcnet
bonding bonding: 3ad: fix the concurrency between __bond_release_one() and bond_3ad_state_machine_handler() 2021-09-18 13:40:24 +02:00
caif net: caif: fix memory leak in ldisc_open 2021-06-30 08:47:21 -04:00
can can: peak_pci: peak_pci_remove(): fix UAF 2021-10-27 09:56:50 +02:00
dsa net: dsa: mt7530: correct ds->num_ports 2021-10-27 09:56:52 +02:00
ethernet nfp: bpf: relax prog rejection for mtu check through max_pkt_offset 2021-11-18 14:03:43 +01:00
fddi net: fddi: fix UAF in fza_probe 2021-07-25 14:36:20 +02:00
fjes fjes: check return value after calling platform_get_resource() 2021-07-19 09:44:49 +02:00
hamradio net: 6pack: Fix tx timeout and slot time 2021-09-30 10:11:07 +02:00
hippi
hyperv
ieee802154 ieee802154: hwsim: fix GPF in hwsim_new_edge_nl 2021-08-18 08:59:07 +02:00
ipa net: ipa: initialize all filter table slots 2021-09-22 12:27:57 +02:00
ipvlan
mdio net: mdio-mux: Handle -EPROBE_DEFER correctly 2021-08-26 08:35:49 -04:00
netdevsim net: netdevsim: use xso.real_dev instead of xso.dev in callback functions of struct xfrmdev_ops 2021-07-25 14:36:19 +02:00
pcs
phy net: phy: micrel: make *-skew-ps check more lenient 2021-11-18 14:03:57 +01:00
plip
ppp ppp: Fix generating ifname when empty IFLA_IFNAME is specified 2021-08-18 08:59:10 +02:00
slip
team
usb net: lan78xx: fix division by zero in send path 2021-11-02 19:48:20 +01:00
vmxnet3 vmxnet3: do not stop tx queues after netif_device_detach() 2021-11-18 14:03:43 +01:00
wan
wimax
wireguard
wireless mwl8k: Fix use-after-free in mwl8k_fw_state_machine() 2021-11-18 14:03:58 +01:00
xen-netback xen-netback: correct success/error reporting for the SKB-with-fraglist case 2021-10-09 14:40:56 +02:00
bareudp.c bareudp: Fix invalid read beyond skb's linear data 2021-08-18 08:59:11 +02:00
dummy.c
eql.c
geneve.c
gtp.c
ifb.c ifb: fix building without CONFIG_NET_CLS_ACT 2021-11-18 14:03:49 +01:00
Kconfig ifb: Depend on netfilter alternatively to tc 2021-11-18 14:03:46 +01:00
LICENSE.SRC
loopback.c
macsec.c net: macsec: fix the length used to copy the key for offloading 2021-07-14 16:56:28 +02:00
macvlan.c
macvtap.c
Makefile
mdio.c
mii.c
net_failover.c
netconsole.c
nlmon.c
ntb_netdev.c
rionet.c
sb1000.c
Space.c
sungem_phy.c
tap.c
thunderbolt.c
tun.c
veth.c
virtio_net.c virtio-net: use NETIF_F_GRO_HW instead of NETIF_F_LRO 2021-08-26 08:35:48 -04:00
vrf.c vrf: Revert "Reset skb conntrack connection..." 2021-11-06 14:10:09 +01:00
vsockmon.c
vxlan.c vxlan: add missing rcu_read_lock() in neigh_reduce() 2021-07-14 16:56:25 +02:00
xen-netfront.c xen/netfront: stop tx queues during live migration 2021-11-18 14:03:42 +01:00