Re: [syzbot] [wireless?] [usb?] KASAN: use-after-free Read in rtw_load_firmware_cb

From: Edward Adam Davis
Date: Fri Jul 26 2024 - 08:31:34 EST


Need to wait for the WoW firmware to complete.

#syz test: https://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb.git 933069701c1b

diff --git a/drivers/net/wireless/realtek/rtw88/main.c b/drivers/net/wireless/realtek/rtw88/main.c
index 7ab7a988b123..ba2066aa46d9 100644
--- a/drivers/net/wireless/realtek/rtw88/main.c
+++ b/drivers/net/wireless/realtek/rtw88/main.c
@@ -1316,8 +1316,7 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev)

fw = &rtwdev->fw;
wait_for_completion(&fw->completion);
- if (!fw->firmware)
- return -EINVAL;
+ printk("rtwdev: %p, fw name: %s, wow fw name: %s, fw: %p, %s\n", rtwdev, chip->fw_name, chip->wow_fw_name, fw->firmware, __func__);

if (chip->wow_fw_name) {
fw = &rtwdev->wow_fw;
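Review bot: Removing `if (!fw->firmware) return -EINVAL;` changes what rtw_wait_firmware_completion reports to its callers: a failed main-firmware load now falls through into the wow_fw path and, unless the remainder of the body (outside the hunk) still checks fw->firmware, the function can return success with no firmware loaded. If the intent is that rtw_core_deinit always waits for the wow_fw completion, even when the main load failed, so the asynchronous callback cannot run against a freed rtwdev, keep the check but move it after the wow_fw wait, e.g. first `wait_for_completion(&rtwdev->wow_fw.completion);` under the `chip->wow_fw_name` branch and then `if (!fw->firmware) return -EINVAL;` at the end. The added printk carries no KERN_ level, so it logs at the default level; that is tolerable for a throwaway trace, but the same level-less printk is also added in the rtw_core_deinit, rtw_usb_probe and rtw_usb_disconnect hunks and none of them should survive into a real fix. rtw_wait_firmware_completion's body starts and ends outside the hunk.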
@@ -2174,6 +2173,7 @@ void rtw_core_deinit(struct rtw_dev *rtwdev)
struct rtw_rsvd_page *rsvd_pkt, *tmp;
unsigned long flags;

+ printk("rtwdev: %p, %s\n", rtwdev, __func__);
rtw_wait_firmware_completion(rtwdev);

if (fw->firmware)
diff --git a/drivers/net/wireless/realtek/rtw88/usb.c b/drivers/net/wireless/realtek/rtw88/usb.c
index a0188511099a..2bbf285c021a 100644
--- a/drivers/net/wireless/realtek/rtw88/usb.c
+++ b/drivers/net/wireless/realtek/rtw88/usb.c
@@ -913,6 +913,7 @@ int rtw_usb_probe(struct usb_interface *intf, const struct usb_device_id *id)
rtw_usb_free_rx_bufs(rtwusb);

err_release_hw:
+ printk("rtwdev: %p, %s\n", rtwdev, __func__);
ieee80211_free_hw(hw);

return ret;
@@ -944,6 +945,7 @@ void rtw_usb_disconnect(struct usb_interface *intf)

rtw_usb_intf_deinit(rtwdev, intf);
rtw_core_deinit(rtwdev);
+ printk("rtwdev: %p, %s\n", rtwdev, __func__);
ieee80211_free_hw(hw);
}
EXPORT_SYMBOL(rtw_usb_disconnect);