Message ID | 20240726114657.25396-1-dmantipov@yandex.ru (mailing list archive) |
---|---|
State | Accepted |
Delegated to: | Ping-Ke Shih |
Headers | show |
Series | wifi: rtw88: always wait for both firmware loading attempts | expand |
Dmitry Antipov <dmantipov@yandex.ru> wrote: > In 'rtw_wait_firmware_completion()', always wait for both (regular and > wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' > has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue > 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually > the wowlan one) is still in progress, causing UAF detected by KASAN. > > Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported") > Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com > Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3 > Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> 1 patch(es) applied to rtw-next branch of rtw.git, thanks. 0e735a4c6137 wifi: rtw88: always wait for both firmware loading attempts --- https://github.com/pkshih/rtw.git
diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c index 7ab7a988b123..33a7577557a5 100644 --- a/drivers/net/wireless/realtek/rtw88/main.c +++ b/drivers/net/wireless/realtek/rtw88/main.c @@ -1313,20 +1313,21 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev) { const struct rtw_chip_info *chip = rtwdev->chip; struct rtw_fw_state *fw; + int ret = 0; fw = &rtwdev->fw; wait_for_completion(&fw->completion); if (!fw->firmware) - return -EINVAL; + ret = -EINVAL; if (chip->wow_fw_name) { fw = &rtwdev->wow_fw; wait_for_completion(&fw->completion); if (!fw->firmware) - return -EINVAL; + ret = -EINVAL; } - return 0; + return ret; } static enum rtw_lps_deep_mode rtw_update_lps_deep_mode(struct rtw_dev *rtwdev,
In 'rtw_wait_firmware_completion()', always wait for both (regular and wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()' has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually the wowlan one) is still in progress, causing UAF detected by KASAN. Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported") Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3 Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> --- drivers/net/wireless/realtek/rtw88/main.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)