diff options
author | Johannes Berg <johannes.berg@intel.com> | 2022-02-08 11:47:30 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-02-23 11:58:38 +0100 |
commit | 7d6475179b85a83186ccce59cdc359d4f07d0bcb (patch) | |
tree | 1762d268c9a6cee32a068029c6bbc1b36650adc3 /security | |
parent | a0c66ac8b72f816d5631fde0ca0b39af602dce48 (diff) | |
download | linux-stable-7d6475179b85a83186ccce59cdc359d4f07d0bcb.tar.gz linux-stable-7d6475179b85a83186ccce59cdc359d4f07d0bcb.tar.bz2 linux-stable-7d6475179b85a83186ccce59cdc359d4f07d0bcb.zip |
iwlwifi: fix use-after-free
commit bea2662e7818e15d7607d17d57912ac984275d94 upstream.
If no firmware was present at all (or, presumably, all of the
firmware files failed to parse), we end up unbinding by calling
device_release_driver(), which calls remove(), which then in
iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
the new code I added will still erroneously access it after it
was freed.
Set 'failure=false' in this case to avoid the access, all data
was already freed anyway.
Cc: stable@vger.kernel.org
Reported-by: Stefan Agner <stefan@agner.ch>
Reported-by: Wolfgang Walter <linux@stwm.de>
Reported-by: Jason Self <jason@bluehome.net>
Reported-by: Dominik Behr <dominik@dominikbehr.com>
Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220208114728.e6b514cf4c85.Iffb575ca2a623d7859b542c33b2a507d01554251@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions