Commit d9965f13 authored Nov 29, 2024 by Dmitry Antipov Committed by Wang Liang Nov 29, 2024

wifi: rtw88: always wait for both firmware loading attempts

stable inclusion
from stable-v5.10.227
commit a0c1e2da652cf70825739bc12d49ea15805690bf
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYPKI
CVE: CVE-2024-47718

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=a0c1e2da652cf70825739bc12d49ea15805690bf



--------------------------------

[ Upstream commit 0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d ]

In 'rtw_wait_firmware_completion()', always wait for both (regular and
wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
the wowlan one) is still in progress, causing UAF detected by KASAN.

Fixes: c8e5695e ("rtw88: load wowlan firmware if wowlan is supported")
Reported-by:  <syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3


Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240726114657.25396-1-dmantipov@yandex.ru


Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Wang Liang <wangliang74@huawei.com>

parent 1a47bbfa

drivers/net/wireless/realtek/rtw88/main.c

+4 −3

Original line number	Diff line number	Diff line
		@@ -1007,20 +1007,21 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev)
		{
		struct rtw_chip_info *chip = rtwdev->chip;
		struct rtw_fw_state *fw;
		int ret = 0;

		fw = &rtwdev->fw;
		wait_for_completion(&fw->completion);
		if (!fw->firmware)
		return -EINVAL;
		ret = -EINVAL;

		if (chip->wow_fw_name) {
		fw = &rtwdev->wow_fw;
		wait_for_completion(&fw->completion);
		if (!fw->firmware)
		return -EINVAL;
		ret = -EINVAL;
		}

		return 0;
		return ret;
		}

		static int rtw_power_on(struct rtw_dev *rtwdev)