Patch "wifi: iwlwifi: pcie: fix possible NULL pointer dereference" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 19 May 2023 22:01:34 -0400

This is a note to let you know that I've just added the patch titled

    wifi: iwlwifi: pcie: fix possible NULL pointer dereference

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-iwlwifi-pcie-fix-possible-null-pointer-derefere.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 64515bcd2435e20fe9b35a08654effdafac81251
Author: Daniel Gabay <daniel.gabay@xxxxxxxxx>
Date:   Thu Apr 13 21:40:32 2023 +0300

    wifi: iwlwifi: pcie: fix possible NULL pointer dereference
    
    [ Upstream commit b655b9a9f8467684cfa8906713d33b71ea8c8f54 ]
    
    It is possible that iwl_pci_probe() will fail and free the trans,
    then afterwards iwl_pci_remove() will be called and crash by trying
    to access trans which is already freed, fix it.
    
    iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2
                          wfpm id 0xa5a5a5a2
    iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2
    ...
    BUG: kernel NULL pointer dereference, address: 0000000000000028
    ...
    RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi]
    pci_device_remove+0x3e/0xb0
    device_release_driver_internal+0x103/0x1f0
    driver_detach+0x4c/0x90
    bus_remove_driver+0x5c/0xd0
    driver_unregister+0x31/0x50
    pci_unregister_driver+0x40/0x90
    iwl_pci_unregister_driver+0x15/0x20 [iwlwifi]
    __exit_compat+0x9/0x98 [iwlwifi]
    __x64_sys_delete_module+0x147/0x260
    
    Signed-off-by: Daniel Gabay <daniel.gabay@xxxxxxxxx>
    Signed-off-by: Gregory Greenman <gregory.greenman@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20230413213309.082f6e21341b.I0db21d7fa9a828d571ca886713bd0b5d0b6e1e5c@changeid
    Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
index 4e43efd5d1ea1..dc0a507213ca6 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
@@ -1214,6 +1214,9 @@ static void iwl_pci_remove(struct pci_dev *pdev)
 {
 	struct iwl_trans *trans = pci_get_drvdata(pdev);
 
+	if (!trans)
+		return;
+
 	iwl_drv_stop(trans->drv);
 
 	iwl_trans_pcie_free(trans);






