Patch "mwl8k: Fix use-after-free in mwl8k_fw_state_machine()" has been added to the 5.4-stable tree

This is a note to let you know that I've just added the patch titled

    mwl8k: Fix use-after-free in mwl8k_fw_state_machine()

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit ddf90f03a6327f764dde5483294c069c67c56f72
Author: Zheyu Ma <zheyuma97@xxxxxxxxx>
Date:   Sat Oct 16 04:02:59 2021 +0000

    mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
    
    [ Upstream commit 257051a235c17e33782b6e24a4b17f2d7915aaec ]
    
    When the driver fails to request the firmware, it calls its error
    handler. In the error handler, the driver detaches device from driver
    first before releasing the firmware, which can cause a use-after-free bug.
    
    Fix this by releasing firmware first.
    
    The following log reveals it:
    
    [    9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0
    [    9.010143 ] Workqueue: events request_firmware_work_func
    [    9.010830 ] Call Trace:
    [    9.010830 ]  dump_stack_lvl+0xa8/0xd1
    [    9.010830 ]  print_address_description+0x87/0x3b0
    [    9.010830 ]  kasan_report+0x172/0x1c0
    [    9.010830 ]  ? mutex_unlock+0xd/0x10
    [    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
    [    9.010830 ]  ? mwl8k_fw_state_machine+0x320/0xba0
    [    9.010830 ]  __asan_report_load8_noabort+0x14/0x20
    [    9.010830 ]  mwl8k_fw_state_machine+0x320/0xba0
    [    9.010830 ]  ? mwl8k_load_firmware+0x5f0/0x5f0
    [    9.010830 ]  request_firmware_work_func+0x172/0x250
    [    9.010830 ]  ? read_lock_is_recursive+0x20/0x20
    [    9.010830 ]  ? process_one_work+0x7a1/0x1100
    [    9.010830 ]  ? request_firmware_nowait+0x460/0x460
    [    9.010830 ]  ? __this_cpu_preempt_check+0x13/0x20
    [    9.010830 ]  process_one_work+0x9bb/0x1100
    
    Signed-off-by: Zheyu Ma <zheyuma97@xxxxxxxxx>
    Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
    Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
index 1b76b24191866..14ac2384218df 100644
--- a/drivers/net/wireless/marvell/mwl8k.c
+++ b/drivers/net/wireless/marvell/mwl8k.c
@@ -5796,8 +5796,8 @@ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context)
 fail:
 	priv->fw_state = FW_STATE_ERROR;
 	complete(&priv->firmware_loading_complete);
-	device_release_driver(&priv->pdev->dev);
 	mwl8k_release_firmware(priv);
+	device_release_driver(&priv->pdev->dev);
 }
 
 #define MAX_RESTART_ATTEMPTS 1
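
Review bot: In the fail: path, the new order only holds as long as device_release_driver(&priv->pdev->dev) stays the last statement that touches priv, and nothing in the code records that. Add a short comment above mwl8k_release_firmware(priv) saying the firmware must be released before the driver is detached because, per the commit message, detaching first leads to the use-after-free, so that cleanup added after the detach later on does not reintroduce it. It is also worth confirming that nothing woken by complete(&priv->firmware_loading_complete) can tear down priv before mwl8k_release_firmware(priv) runs, since that call is still made after the completion is signalled.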


