Johannes Berg <johannes@xxxxxxxxxxxxxxxx> wrote:

> From: Johannes Berg <johannes.berg@xxxxxxxxx>
>
> If no firmware was present at all (or, presumably, all of the
> firmware files failed to parse), we end up unbinding by calling
> device_release_driver(), which calls remove(), which then in
> iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
> the new code I added will still erroneously access it after it
> was freed.
>
> Set 'failure=false' in this case to avoid the access, all data
> was already freed anyway.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Reported-by: Stefan Agner <stefan@xxxxxxxx>
> Reported-by: Wolfgang Walter <linux@xxxxxxx>
> Reported-by: Jason Self <jason@xxxxxxxxxxxx>
> Reported-by: Dominik Behr <dominik@xxxxxxxxxxxxxxx>
> Reported-by: Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx>
> Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx>

Patch applied to wireless.git, thanks.

bea2662e7818 iwlwifi: fix use-after-free

--
https://patchwork.kernel.org/project/linux-wireless/patch/20220208114728.e6b514cf4c85.Iffb575ca2a623d7859b542c33b2a507d01554251@changeid/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
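
The failure described in the quoted commit message, as an added example that is not part of the original mail or of the iwlwifi source: a user-space C model that counts the accesses the failure path makes after the driver has been released, with and without setting failure to false. Every name in it (model_drv, model_release_driver, model_failure_cleanup, model_fw_callback) is hypothetical, and a 'freed' flag stands in for the kernel freeing 'drv'.

```c
#include <stdbool.h>

/* Hypothetical user-space model; none of these names are iwlwifi's. The
 * 'freed' flag stands in for the kernel freeing drv, so stale accesses can
 * be counted without touching freed memory. */
struct model_drv {
    bool freed;
    bool ucode_loaded;
};

static int stale_accesses;

/* Models unbind -> remove() -> stop(): tears down everything, drv included. */
static void model_release_driver(struct model_drv *drv)
{
    drv->ucode_loaded = false;
    drv->freed = true;
}

/* Models the cleanup that the failure path runs against drv. */
static void model_failure_cleanup(struct model_drv *drv)
{
    if (drv->freed)
        stale_accesses++;           /* in the kernel: use-after-free */
    else
        drv->ucode_loaded = false;  /* drv still live: cleanup is valid */
}

/* Runs one firmware-load callback; returns the stale accesses it made. */
int model_fw_callback(bool fw_present, bool with_fix)
{
    struct model_drv drv = { .freed = false, .ucode_loaded = fw_present };
    bool failure = true;

    stale_accesses = 0;
    if (fw_present) {
        failure = false;                /* load succeeded */
    } else {
        model_release_driver(&drv);     /* no firmware at all: unbind */
        if (with_fix)
            failure = false;            /* all data was already freed */
    }
    if (failure)
        model_failure_cleanup(&drv);
    return stale_accesses;
}

int main(void)
{
    /* Exit status 0 when the unfixed path is stale once and the fixed path never. */
    return !(model_fw_callback(false, false) == 1 && model_fw_callback(false, true) == 0);
}
```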