diff mbox series

wifi: rtw88: always wait for both firmware loading attempts

Message ID 20240726114657.25396-1-dmantipov@yandex.ru (mailing list archive)
State Accepted
Delegated to: Ping-Ke Shih
Headers show
Series wifi: rtw88: always wait for both firmware loading attempts | expand

Commit Message

Dmitry Antipov July 26, 2024, 11:46 a.m. UTC
In 'rtw_wait_firmware_completion()', always wait for both (regular and
wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
the wowlan one) is still in progress, causing UAF detected by KASAN.

Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported")
Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
 drivers/net/wireless/realtek/rtw88/main.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Comments

Ping-Ke Shih Aug. 2, 2024, 1:31 a.m. UTC | #1
Dmitry Antipov <dmantipov@yandex.ru> wrote:

> In 'rtw_wait_firmware_completion()', always wait for both (regular and
> wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
> has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
> 'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
> the wowlan one) is still in progress, causing UAF detected by KASAN.
> 
> Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported")
> Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>

1 patch(es) applied to rtw-next branch of rtw.git, thanks.

0e735a4c6137 wifi: rtw88: always wait for both firmware loading attempts

---
https://github.com/pkshih/rtw.git
diff mbox series

Patch

diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 7ab7a988b123..33a7577557a5 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1313,20 +1313,21 @@  static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev)
 {
 	const struct rtw_chip_info *chip = rtwdev->chip;
 	struct rtw_fw_state *fw;
+	int ret = 0;
 
 	fw = &rtwdev->fw;
 	wait_for_completion(&fw->completion);
 	if (!fw->firmware)
-		return -EINVAL;
+		ret = -EINVAL;
 
 	if (chip->wow_fw_name) {
 		fw = &rtwdev->wow_fw;
 		wait_for_completion(&fw->completion);
 		if (!fw->firmware)
-			return -EINVAL;
+			ret = -EINVAL;
 	}
 
-	return 0;
+	return ret;
 }
 
 static enum rtw_lps_deep_mode rtw_update_lps_deep_mode(struct rtw_dev *rtwdev,