[PATCH 4.19 48/55] rsi: fix use-after-free on probe errors
From: Greg Kroah-Hartman
Date: Thu Jan 30 2020 - 13:48:40 EST
From: Johan Hovold <johan@xxxxxxxxxx>
commit 92aafe77123ab478e5f5095878856ab0424910da upstream.
The driver would fail to stop the command timer in most error paths,
something which specifically could lead to the timer being freed while
still active on I/O errors during probe.
Fix this by making sure that each function starting the timer also stops
it in all relevant error paths.
Reported-by: syzbot+1d1597a5aa3679c65b9f@xxxxxxxxxxxxxxxxxxxxxxxxx
Fixes: b78e91bcfb33 ("rsi: Add new firmware loading method")
Cc: stable <stable@xxxxxxxxxxxxxxx> # 4.12
Cc: Prameela Rani Garnepudi <prameela.j04cs@xxxxxxxxx>
Cc: Amitkumar Karwar <amit.karwar@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Johan Hovold <johan@xxxxxxxxxx>
Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/net/wireless/rsi/rsi_91x_hal.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/net/wireless/rsi/rsi_91x_hal.c
+++ b/drivers/net/wireless/rsi/rsi_91x_hal.c
@@ -616,6 +616,7 @@ static int bl_cmd(struct rsi_hw *adapter
bl_start_cmd_timer(adapter, timeout);
status = bl_write_cmd(adapter, cmd, exp_resp, ®out_val);
if (status < 0) {
+ bl_stop_cmd_timer(adapter);
rsi_dbg(ERR_ZONE,
"%s: Command %s (%0x) writing failed..\n",
__func__, str, cmd);
@@ -731,10 +732,9 @@ static int ping_pong_write(struct rsi_hw
}
status = bl_cmd(adapter, cmd_req, cmd_resp, str);
- if (status) {
- bl_stop_cmd_timer(adapter);
+ if (status)
return status;
- }
+
return 0;
}
@@ -822,10 +822,9 @@ static int auto_fw_upgrade(struct rsi_hw
status = bl_cmd(adapter, EOF_REACHED, FW_LOADING_SUCCESSFUL,
"EOF_REACHED");
- if (status) {
- bl_stop_cmd_timer(adapter);
+ if (status)
return status;
- }
+
rsi_dbg(INFO_ZONE, "FW loading is done and FW is running..\n");
return 0;
}
@@ -846,6 +845,7 @@ static int rsi_load_firmware(struct rsi_
status = hif_ops->master_reg_read(adapter, SWBL_REGOUT,
®out_val, 2);
if (status < 0) {
+ bl_stop_cmd_timer(adapter);
rsi_dbg(ERR_ZONE,
"%s: REGOUT read failed\n", __func__);
return status;