Patch "brcmfmac: change driver unbind order of the sdio function devices" has been added to the 4.14-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 11 Dec 2017 22:52:15 +0100

This is a note to let you know that I've just added the patch titled

    brcmfmac: change driver unbind order of the sdio function devices

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 Mon Sep 17 00:00:00 2001
From: Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx>
Date: Sat, 25 Nov 2017 21:39:25 +0100
Subject: brcmfmac: change driver unbind order of the sdio function devices

From: Arend Van Spriel <arend.vanspriel@xxxxxxxxxxxx>

commit 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 upstream.

In the function brcmf_sdio_firmware_callback() the driver is
unbound from the sdio function devices in the error path.
However, the order in which it is done resulted in a use-after-free
issue (see brcmf_ops_sdio_remove() in bcmsdh.c). Hence change
the order and first unbind sdio function #2 device and then
unbind sdio function #1 device.

Fixes: 7a51461fc2da ("brcmfmac: unbind all devices upon failure in firmware callback")
Reported-by: Stefan Wahren <stefan.wahren@xxxxxxxx>
Reviewed-by: Hante Meuleman <hante.meuleman@xxxxxxxxxxxx>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@xxxxxxxxxxxx>
Reviewed-by: Franky Lin <franky.lin@xxxxxxxxxxxx>
Signed-off-by: Arend van Spriel <arend.vanspriel@xxxxxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
@@ -4096,8 +4096,8 @@ release:
 	sdio_release_host(sdiodev->func[1]);
 fail:
 	brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err);
-	device_release_driver(dev);
 	device_release_driver(&sdiodev->func[2]->dev);
+	device_release_driver(dev);
 }
 
 struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev)


Patches currently in stable-queue which might be from arend.vanspriel@xxxxxxxxxxxx are

queue-4.14/brcmfmac-change-driver-unbind-order-of-the-sdio-function-devices.patch






