linux/drivers/staging/rtl8712
Pavel Skripkin c052cc1a06 staging: rtl8712: fix use-after-free in rtl8712_dl_fw
Syzbot reported a use-after-free in rtl8712_dl_fw(). The problem was a
race condition between r871xu_dev_remove() and the ->ndo_open() callback.

It's easy to see from the crash log that the driver accesses released
firmware in the ->ndo_open() callback. This may happen, since the driver
was releasing the firmware _before_ unregistering the netdev. Fix it by
moving unregister_netdev() before cleaning up resources.

Call Trace:
...
 rtl871x_open_fw drivers/staging/rtl8712/hal_init.c:83 [inline]
 rtl8712_dl_fw+0xd95/0xe10 drivers/staging/rtl8712/hal_init.c:170
 rtl8712_hal_init drivers/staging/rtl8712/hal_init.c:330 [inline]
 rtl871x_hal_init+0xae/0x180 drivers/staging/rtl8712/hal_init.c:394
 netdev_open+0xe6/0x6c0 drivers/staging/rtl8712/os_intfs.c:380
 __dev_open+0x2bc/0x4d0 net/core/dev.c:1484

Freed by task 1306:
...
 release_firmware+0x1b/0x30 drivers/base/firmware_loader/main.c:1053
 r871xu_dev_remove+0xcc/0x2c0 drivers/staging/rtl8712/usb_intf.c:599
 usb_unbind_interface+0x1d8/0x8d0 drivers/usb/core/driver.c:458

Fixes: 8c213fa591 ("staging: r8712u: Use asynchronous firmware loading")
Cc: stable <stable@vger.kernel.org>
Reported-and-tested-by: syzbot+c55162be492189fb4f51@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/20211019211718.26354-1-paskripkin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-10-20 19:35:38 +02:00
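The commit message above describes an ordering bug, not a parsing or arithmetic one: r871xu_dev_remove() called release_firmware() while the netdev was still registered, so a concurrent open() could reach rtl8712_dl_fw() and read the freed blob. The following user-space model is an added example, not the rtl8712 driver's code or the patch itself. All names in it (adapter, fw_blob, the *_model helpers, remove_before_fix, remove_after_fix) are hypothetical stand-ins; it encodes only the fact stated in the message, that ->ndo_open stays reachable until unregister_netdev() returns, and makes the "released firmware" dereference observable as -EFAULT instead of an actual use-after-free.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed user-space model of the teardown ordering described in the
 * commit message. Hypothetical names; not the rtl8712 driver's own symbols. */

struct fw_blob {
    unsigned char *data;
    size_t size;
};

struct adapter {
    struct fw_blob *fw;      /* stands in for the firmware kept after request_firmware() */
    bool netdev_registered;  /* true while ->ndo_open is still reachable from user space */
};

/* Model of release_firmware(): free the blob and clear the owner's pointer so a
 * later dereference is caught as a bug instead of silently reading freed memory. */
static void release_firmware_model(struct adapter *a)
{
    if (a->fw) {
        free(a->fw->data);
        free(a->fw);
        a->fw = NULL;
    }
}

/* Model of unregister_netdev(): after this, ->ndo_open can no longer be invoked. */
static void unregister_netdev_model(struct adapter *a)
{
    a->netdev_registered = false;
}

/* Model of the ->ndo_open path (netdev_open -> rtl871x_hal_init -> rtl8712_dl_fw):
 * returns the firmware size it would download, or a negative errno. In the real
 * kernel the "fw == NULL" branch is the use-after-free; here it is made visible. */
static int netdev_open_model(struct adapter *a)
{
    if (!a->netdev_registered)
        return -ENODEV;      /* open() cannot reach a device that is already unregistered */
    if (!a->fw)
        return -EFAULT;      /* would have dereferenced released firmware */
    return (int)a->fw->size;
}

/* The race window: an open() landing between the two teardown steps. */
typedef int (*racer_fn)(struct adapter *a);

/* Ordering before the fix: firmware released first, netdev unregistered last. */
static int remove_before_fix(struct adapter *a, racer_fn racer)
{
    release_firmware_model(a);
    int rc = racer ? racer(a) : 0;   /* ->ndo_open still reachable here */
    unregister_netdev_model(a);
    return rc;
}

/* Ordering after the fix: unregister_netdev() before cleaning up resources. */
static int remove_after_fix(struct adapter *a, racer_fn racer)
{
    unregister_netdev_model(a);
    int rc = racer ? racer(a) : 0;   /* open() now fails cleanly with -ENODEV */
    release_firmware_model(a);
    return rc;
}

/* Build an adapter holding a constructed firmware blob of `size` bytes. */
static struct adapter *adapter_probe_model(size_t size)
{
    struct adapter *a = calloc(1, sizeof(*a));
    struct fw_blob *fw = calloc(1, sizeof(*fw));
    if (!a || !fw) { free(a); free(fw); return NULL; }
    fw->data = calloc(size, 1);
    if (!fw->data) { free(a); free(fw); return NULL; }
    fw->size = size;
    a->fw = fw;
    a->netdev_registered = true;
    return a;
}

/* Run one remove ordering with open() racing in the window; returns the racer's
 * result and frees the adapter afterwards. */
static int run_teardown(int (*remove_fn)(struct adapter *, racer_fn), size_t fw_size)
{
    struct adapter *a = adapter_probe_model(fw_size);
    if (!a)
        return -ENOMEM;
    int rc = remove_fn(a, netdev_open_model);
    free(a);
    return rc;
}

int main(void)
{
    int bug = run_teardown(remove_before_fix, 4096);
    int fixed = run_teardown(remove_after_fix, 4096);
    return (bug == -EFAULT && fixed == -ENODEV) ? 0 : 1;
}
```

The general rule the model illustrates is the one the patch applies: tear down the entry points user space can still reach (unregister_netdev(), and the same goes for cdev, sysfs or ioctl handlers) before freeing anything those entry points dereference. Reversing the two steps leaves a window in which a perfectly ordinary open() is enough to trigger the use-after-free, which is how syzbot found it.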
basic_types.h staging: rtl8712: base_types: Remove unused macros 2020-07-03 10:32:13 +02:00
drv_types.h drivers: staging: rtl8712: _adapter is declared twice 2021-03-26 14:59:33 +01:00
ethernet.h
hal_init.c Merge 5.14-rc5 into staging-next 2021-08-09 08:59:23 +02:00
ieee80211.c staging: rtl8712: Use constants from <linux/ieee80211.h> 2021-04-07 10:19:12 +02:00
ieee80211.h
Kconfig
Makefile
mlme_linux.c
mlme_osdep.h drivers: staging: rtl8712: align arguments with open parenthesis 2021-04-06 14:15:56 +02:00
mp_custom_oid.h
os_intfs.c staging: rtl8712: prepare for const netdev->dev_addr 2021-10-20 19:33:58 +02:00
osdep_intf.h staging: rtl8712: Simplify expressions with boolean logic 2020-07-10 13:53:59 +02:00
osdep_service.h staging: rtl8712: Fix alignment 2021-07-21 11:01:58 +02:00
recv_linux.c
recv_osdep.h
rtl871x_cmd.c staging: rtl8712: prepare for const netdev->dev_addr 2021-10-20 19:33:58 +02:00
rtl871x_cmd.h staging: rtl8712: prepare for const netdev->dev_addr 2021-10-20 19:33:58 +02:00
rtl871x_debug.h staging: rtl8712: Remove unnecessary alias of printk() 2021-06-09 12:11:21 +02:00
rtl871x_eeprom.c
rtl871x_eeprom.h
rtl871x_event.h staging: rtl8712: add blank lines after declarations 2021-04-05 12:12:26 +02:00
rtl871x_ht.h staging: rtl8712: remove struct rtl_ieee80211_ht_cap and ieee80211_ht_addt_info 2021-04-09 16:14:33 +02:00
rtl871x_io.c staging: rtl8712: clean up comparisons to NULL 2020-09-22 09:49:59 +02:00
rtl871x_io.h staging: rtl8712: Remove extra blank lines 2021-04-06 14:16:20 +02:00
rtl871x_ioctl_linux.c staging: rtl8712: remove struct rtl_ieee80211_ht_cap and ieee80211_ht_addt_info 2021-04-09 16:14:33 +02:00
rtl871x_ioctl_rtl.c
rtl871x_ioctl_rtl.h
rtl871x_ioctl_set.c
rtl871x_ioctl_set.h
rtl871x_ioctl.h
rtl871x_led.h staging: rtl8712: get rid of flush_scheduled_work 2021-07-27 15:15:24 +02:00
rtl871x_mlme.c staging: rtl8712: Use list iterators and helpers 2021-05-10 11:19:33 +02:00
rtl871x_mlme.h staging: rtl8712: Remove extra blank lines 2021-04-06 14:16:20 +02:00
rtl871x_mp_ioctl.c staging: rtl8712: fix the bssid in mp_start_test() 2021-05-19 16:02:51 +02:00
rtl871x_mp_ioctl.h staging: rtl8712: rtl871x_mp_ioctl: Remove a bunch of unused tables 2021-05-10 11:19:23 +02:00
rtl871x_mp_phy_regdef.h
rtl871x_mp.c staging: rtl8712: add blank lines after declarations 2021-04-05 12:12:26 +02:00
rtl871x_mp.h staging: rtl8712: add blank lines after declarations 2021-04-05 12:12:26 +02:00
rtl871x_pwrctrl.c staging: rtl8712: get rid of flush_scheduled_work 2021-07-27 15:15:24 +02:00
rtl871x_pwrctrl.h staging: rtl8712: get rid of flush_scheduled_work 2021-07-27 15:15:24 +02:00
rtl871x_recv.c staging: rtl8712: Fix some tests against some 'data' subtype frames 2021-05-10 11:19:34 +02:00
rtl871x_recv.h staging: rtl8712: Remove extra blank lines 2021-04-06 14:16:20 +02:00
rtl871x_rf.h
rtl871x_security.c staging: rtl8712: Fix some tests against some 'data' subtype frames 2021-05-10 11:19:34 +02:00
rtl871x_security.h staging: rtl8712: add spaces around operators 2021-04-06 14:15:39 +02:00
rtl871x_sta_mgt.c staging: rtl8712: Removed unnecessary blank lines 2021-05-25 18:23:26 +02:00
rtl871x_wlan_sme.h
rtl871x_xmit.c staging: rtl8712: Removed unnecessary blank lines 2021-05-25 18:23:26 +02:00
rtl871x_xmit.h staging: rtl8712: Statements should start on a tabstop 2021-10-05 12:32:42 +02:00
rtl8712_bitdef.h
rtl8712_cmd.c staging: rtl8712: Replace printk() with netdev_dbg() 2021-06-12 15:37:57 +02:00
rtl8712_cmd.h
rtl8712_cmdctrl_bitdef.h
rtl8712_cmdctrl_regdef.h
rtl8712_debugctrl_bitdef.h
rtl8712_debugctrl_regdef.h
rtl8712_edcasetting_bitdef.h
rtl8712_edcasetting_regdef.h
rtl8712_efuse.c
rtl8712_efuse.h
rtl8712_event.h
rtl8712_fifoctrl_bitdef.h
rtl8712_fifoctrl_regdef.h
rtl8712_gp_bitdef.h
rtl8712_gp_regdef.h
rtl8712_hal.h
rtl8712_interrupt_bitdef.h
rtl8712_io.c
rtl8712_led.c staging: rtl8712: get rid of flush_scheduled_work 2021-07-27 15:15:24 +02:00
rtl8712_macsetting_bitdef.h
rtl8712_macsetting_regdef.h
rtl8712_powersave_bitdef.h
rtl8712_powersave_regdef.h
rtl8712_ratectrl_bitdef.h
rtl8712_ratectrl_regdef.h
rtl8712_recv.c staging: rtl8712: remove multiple assignments 2021-05-10 11:19:34 +02:00
rtl8712_recv.h staging: rtl8712: remove extra blank lines 2021-04-05 12:12:26 +02:00
rtl8712_regdef.h
rtl8712_security_bitdef.h
rtl8712_spec.h
rtl8712_syscfg_bitdef.h
rtl8712_syscfg_regdef.h
rtl8712_timectrl_bitdef.h
rtl8712_timectrl_regdef.h
rtl8712_wmac_bitdef.h
rtl8712_wmac_regdef.h staging: rtl8712: removed extra blank line 2021-04-08 09:27:59 +02:00
rtl8712_xmit.c Staging: rtl8712: Cleanup coding style warning 2021-06-03 15:57:37 +02:00
rtl8712_xmit.h staging: rtl8712: fixed whitespace coding style issue 2021-03-12 17:31:01 +01:00
sta_info.h staging: rtl8712: Remove extra blank lines 2021-04-06 14:16:20 +02:00
TODO
usb_halinit.c
usb_intf.c staging: rtl8712: fix use-after-free in rtl8712_dl_fw 2021-10-20 19:35:38 +02:00
usb_ops_linux.c staging: rtl8712: convert tasklets to use new tasklet_setup() API 2020-09-16 13:13:00 +02:00
usb_ops.c
usb_ops.h staging: rtl8712: matched alignment with open parenthesis 2021-04-08 09:27:58 +02:00
usb_osintf.h
wifi.h staging: rtl8712: Remove some unused #define and enum 2021-07-21 11:01:54 +02:00
wlan_bssdef.h staging: rtl8712: add spaces around '+' 2021-04-09 16:11:23 +02:00
xmit_linux.c staging: rtl8712: Removed unnecessary blank lines 2021-05-25 18:23:26 +02:00
xmit_osdep.h staging: rtl8712: match parentheses alignment 2021-04-06 14:15:40 +02:00