github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-12 16:18:45 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
fcee7d82f2
linux/drivers/net/wireless/rsi
History
Jeongjun Park db57a1aa54 wifi: rsi: fix kthread lifetime race between self-exit and external-stop 
RSI driver use both self-exit(kthread_complete_and_exit) and external-stop
(kthread_stop) when killing a kthread. Generally, kthread_stop() is called
first, and in this case, no particular issues occur.

However, in rare instances where kthread_complete_and_exit() is called
first and then kthread_stop() is called, a UAF occurs because the kthread
object, which has already exited and been freed, is accessed again.

Therefore, to prevent this with minimal modification, you must remove
kthread_stop() and change the code to wait until the self-exit operation
is completed.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+5de83f57cd8531f55596@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/69e5d03b.a00a0220.1bd0ca.0064.GAE@google.com/
Fixes: 4c62764d0f ("rsi: improve kernel thread handling to fix kernel panic")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20260422173846.37640-1-aha310510@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2026-04-28 10:40:52 +02:00
..
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
rsi_91x_coex.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rsi_91x_core.c wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port 2022-11-08 09:41:02 +02:00
rsi_91x_debugfs.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rsi_91x_hal.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rsi_91x_mac80211.c wifi: rsi_91x_usb: do not pause rfkill polling when stopping mac80211 2026-03-19 09:07:16 +01:00
rsi_91x_main.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rsi_91x_mgmt.c wifi: rsi: Slightly simplify rsi_set_channel() 2023-03-31 17:45:50 +03:00
rsi_91x_ps.c rsi: remove unused including <linux/version.h> 2021-04-13 14:51:41 -07:00
rsi_91x_sdio_ops.c wifi: rsi: rsi_91x_sdio_ops: Remove unnecessary (void*) conversions 2023-08-23 14:07:15 +03:00
rsi_91x_sdio.c Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
rsi_91x_usb_ops.c wifi: rsi: rsi_91x_usb_ops: Remove unnecessary (void*) conversions 2023-08-23 14:07:16 +03:00
rsi_91x_usb.c wifi: rsi_91x_usb: do not pause rfkill polling when stopping mac80211 2026-03-19 09:07:16 +01:00
rsi_boot_params.h rsi: fix comment syntax in file headers 2021-04-18 09:27:35 +03:00
rsi_coex.h rsi: fix comment syntax in file headers 2021-04-18 09:27:35 +03:00
rsi_common.h wifi: rsi: fix kthread lifetime race between self-exit and external-stop 2026-04-28 10:40:52 +02:00
rsi_debugfs.h wifi: rsi: Remove an unused field in struct rsi_debugfs 2024-09-09 15:30:49 +03:00
rsi_hal.h wifi: rsi: Avoid defines prefixed with CONFIG 2023-02-13 19:24:10 +02:00
rsi_main.h rsi: fix rate mask set leading to P2P failure 2021-09-21 08:42:37 +03:00
rsi_mgmt.h rsi: fix comment syntax in file headers 2021-04-18 09:27:35 +03:00
rsi_ps.h rsi: fix comment syntax in file headers 2021-04-18 09:27:35 +03:00
rsi_sdio.h rsi: fix comment syntax in file headers 2021-04-18 09:27:35 +03:00
rsi_usb.h rsi: Fix out-of-bounds read in rsi_read_pkt() 2021-11-29 12:43:54 +02:00