From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com, Prameela Rani Garnepudi, Amitkumar Karwar, Johan Hovold, Kalle Valo
Subject: [PATCH 5.4 101/110] rsi: fix use-after-free on probe errors
Date: Thu, 30 Jan 2020 19:39:17 +0100
Message-Id: <20200130183625.643309472@linuxfoundation.org>
In-Reply-To: <20200130183613.810054545@linuxfoundation.org>
References: <20200130183613.810054545@linuxfoundation.org>

From: Johan Hovold

commit 92aafe77123ab478e5f5095878856ab0424910da upstream.

The driver would fail to stop the command timer in most error paths, something which specifically could lead to the timer being freed while still active on I/O errors during probe.

Fix this by making sure that each function starting the timer also stops it in all relevant error paths.

Reported-by: syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com
Fixes: b78e91bcfb33 ("rsi: Add new firmware loading method")
Cc: stable # 4.12
Cc: Prameela Rani Garnepudi
Cc: Amitkumar Karwar
Signed-off-by: Johan Hovold
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/wireless/rsi/rsi_91x_hal.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/drivers/net/wireless/rsi/rsi_91x_hal.c +++ b/drivers/net/wireless/rsi/rsi_91x_hal.c @@ -622,6 +622,7 @@ static int bl_cmd(struct rsi_hw *adapter bl_start_cmd_timer(adapter, timeout); status = bl_write_cmd(adapter, cmd, exp_resp, ®out_val); if (status < 0) { + bl_stop_cmd_timer(adapter); rsi_dbg(ERR_ZONE, "%s: Command %s (%0x) writing failed..\n", __func__, str, cmd); 
@@ -737,10 +738,9 @@ static int ping_pong_write(struct rsi_hw } status = bl_cmd(adapter, cmd_req, cmd_resp, str); - if (status) { - bl_stop_cmd_timer(adapter); + if (status) return status; - } + return 0; } @@ -828,10 +828,9 @@ static int auto_fw_upgrade(struct rsi_hw status = bl_cmd(adapter, EOF_REACHED, FW_LOADING_SUCCESSFUL, "EOF_REACHED"); - if (status) { - bl_stop_cmd_timer(adapter); + if (status) return status; - } + rsi_dbg(INFO_ZONE, "FW loading is done and FW is running..\n"); return 0; } @@ -849,6 +848,7 @@ static int rsi_hal_prepare_fwload(struct ®out_val, RSI_COMMON_REG_SIZE); if (status < 0) { + bl_stop_cmd_timer(adapter); rsi_dbg(ERR_ZONE, "%s: REGOUT read failed\n", __func__); return status;
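
Review bot: In the bl_cmd() hunk, the added bl_stop_cmd_timer(adapter) covers only the bl_write_cmd() failure branch that is visible here, while the later hunks remove the callers' own stop on a non-zero bl_cmd() return. Every other failing exit of bl_cmd() after bl_start_cmd_timer(adapter, timeout) therefore has to stop the timer too, and that cannot be confirmed from this context. Routing all failure exits of bl_cmd() through one label that calls bl_stop_cmd_timer(adapter) would make it harder for a future early return to bring back the "timer freed while still active" case from the commit message.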
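
Review bot: In the ping_pong_write() hunk, the tail is now "if (status) return status;" followed directly by "return 0;", which returns the same value as status in both cases. With the cleanup gone from this caller, "return bl_cmd(adapter, cmd_req, cmd_resp, str);" would say the same thing without the dead branch; this is a style point and does not affect the fix.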
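
Review bot: In the auto_fw_upgrade() hunk, dropping the caller-side bl_stop_cmd_timer(adapter) makes this path rely on bl_cmd() having already stopped the timer before any non-zero return, and nothing in the visible lines documents that. A short comment on bl_cmd() stating that it stops the command timer on every error return would keep later callers from re-adding the stop here or from assuming the timer is still running after a failure.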