Patch "wifi: mt76: mt7921: Fix use-after-free in fw features query." has been added to the 6.2-stable tree

This is a note to let you know that I've just added the patch titled

    wifi: mt76: mt7921: Fix use-after-free in fw features query.

to the 6.2-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-mt76-mt7921-fix-use-after-free-in-fw-features-q.patch
and it can be found in the queue-6.2 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit be5ae23823f4688efbf3e3375e841bd9bc00e912
Author: Ben Greear <greearb@xxxxxxxxxxxxxxx>
Date:   Wed Mar 22 17:37:17 2023 +0100

    wifi: mt76: mt7921: Fix use-after-free in fw features query.
    
    [ Upstream commit 2ceb76f734e37833824b7fab6af17c999eb48d2b ]
    
    Stop referencing 'features' memory after release_firmware is called.
    
    Fixes this crash:
    
    RIP: 0010:mt7921_check_offload_capability+0x17d
    mt7921_pci_probe+0xca/0x4b0
    ...
    
    Signed-off-by: Ben Greear <greearb@xxxxxxxxxxxxxxx>
    Signed-off-by: Lorenzo Bianconi <lorenzo@xxxxxxxxxx>
    Acked-by: Felix Fietkau <nbd@xxxxxxxx>
    Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/51fd8f76494348aa9ecbf0abc471ebe47a983dfd.1679502607.git.lorenzo@xxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/init.c b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
index d4b681d7e1d22..f2c6ec4d8e2ee 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7921/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/init.c
@@ -162,12 +162,12 @@ mt7921_mac_init_band(struct mt7921_dev *dev, u8 band)
 
 u8 mt7921_check_offload_capability(struct device *dev, const char *fw_wm)
 {
-	struct mt7921_fw_features *features = NULL;
 	const struct mt76_connac2_fw_trailer *hdr;
 	struct mt7921_realease_info *rel_info;
 	const struct firmware *fw;
 	int ret, i, offset = 0;
 	const u8 *data, *end;
+	u8 offload_caps = 0;
 
 	ret = request_firmware(&fw, fw_wm, dev);
 	if (ret)
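Review bot: Initializing `u8 offload_caps = 0;` at declaration is what preserves the old default of returning 0 when no feature tag is found, so that initializer must stay even though the value is only assigned inside the loop; the same applies if a later refactor moves the declaration. Unrelated to this fix but visible in the context: the type name `struct mt7921_realease_info` is misspelled (`realease`), which could be cleaned up separately.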
@@ -199,7 +199,10 @@ u8 mt7921_check_offload_capability(struct device *dev, const char *fw_wm)
 		data += sizeof(*rel_info);
 
 		if (rel_info->tag == MT7921_FW_TAG_FEATURE) {
+			struct mt7921_fw_features *features;
+
 			features = (struct mt7921_fw_features *)data;
+			offload_caps = features->data;
 			break;
 		}
 
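Review bot: Copying `features->data` into `offload_caps` inside the `if` block, and narrowing `features` to that block, is the right shape: the only read from the firmware buffer now happens before `break` while `fw` is still alive, and the compiler will reject any later use of `features` outside the block. One thing to confirm against the surrounding loop (not in the hunk): `data` was just advanced by `sizeof(*rel_info)` on the line above, and the cast to `struct mt7921_fw_features` and read of `features->data` are not guarded against `end` in the visible lines, so the tag-length check earlier in the loop should be what guarantees the feature struct fits in the remaining buffer.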
@@ -209,7 +212,7 @@ u8 mt7921_check_offload_capability(struct device *dev, const char *fw_wm)
 out:
 	release_firmware(fw);
 
-	return features ? features->data : 0;
+	return offload_caps;
 }
 EXPORT_SYMBOL_GPL(mt7921_check_offload_capability);
 
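Review bot: This hunk is the actual fix: `return features ? features->data : 0;` dereferenced memory owned by `fw` after `release_firmware(fw)` had already freed it, which matches the `mt7921_check_offload_capability+0x17d` frame in the reported crash, and `return offload_caps;` reads only the local byte saved before the release. Behaviour is unchanged for the no-feature-tag case because `offload_caps` starts at 0, which the commit message could state explicitly so backporters know the default return was not altered.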