Patch "wifi: rtw88: always wait for both firmware loading attempts" has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    wifi: rtw88: always wait for both firmware loading attempts

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-rtw88-always-wait-for-both-firmware-loading-att.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2d771049c0df03e9efcac3dbecfbea83b8ff7ee6
Author: Dmitry Antipov <dmantipov@xxxxxxxxx>
Date:   Fri Jul 26 14:46:57 2024 +0300

    wifi: rtw88: always wait for both firmware loading attempts
    
    [ Upstream commit 0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d ]
    
    In 'rtw_wait_firmware_completion()', always wait for both (regular and
    wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
    has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
    'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
    the wowlan one) is still in progress, causing UAF detected by KASAN.
    
    Fixes: c8e5695eae99 ("rtw88: load wowlan firmware if wowlan is supported")
    Reported-by: syzbot+6c6c08700f9480c41fe3@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3
    Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>
    Signed-off-by: Ping-Ke Shih <pkshih@xxxxxxxxxxx>
    Link: https://patch.msgid.link/20240726114657.25396-1-dmantipov@xxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 63673005c2fb1..b90ea6c88b15d 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1314,20 +1314,21 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev)
 {
 	const struct rtw_chip_info *chip = rtwdev->chip;
 	struct rtw_fw_state *fw;
+	int ret = 0;
 
 	fw = &rtwdev->fw;
 	wait_for_completion(&fw->completion);
 	if (!fw->firmware)
-		return -EINVAL;
+		ret = -EINVAL;
 
 	if (chip->wow_fw_name) {
 		fw = &rtwdev->wow_fw;
 		wait_for_completion(&fw->completion);
 		if (!fw->firmware)
-			return -EINVAL;
+			ret = -EINVAL;
 	}
 
-	return 0;
+	return ret;
 }
 
 static enum rtw_lps_deep_mode rtw_update_lps_deep_mode(struct rtw_dev *rtwdev,




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux