wifi: rtw88: always wait for both firmware loading attempts

[ Upstream commit 0e735a4c6137262bcefe45bb52fde7b1f5fc6c4d ]

In 'rtw_wait_firmware_completion()', always wait for both (regular and
wowlan) firmware loading attempts. Otherwise if 'rtw_usb_intf_init()'
has failed in 'rtw_usb_probe()', 'rtw_usb_disconnect()' may issue
'ieee80211_free_hw()' when one of 'rtw_load_firmware_cb()' (usually
the wowlan one) is still in progress, causing UAF detected by KASAN.

Fixes: c8e5695eae ("rtw88: load wowlan firmware if wowlan is supported")
Reported-by: syzbot+6c6c08700f9480c41fe3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=6c6c08700f9480c41fe3
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240726114657.25396-1-dmantipov@yandex.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
This commit is contained in:
Dmitry Antipov 2024-07-26 14:46:57 +03:00 committed by Greg Kroah-Hartman
parent b3e360e00d
commit 1b8178a2ae
1 changed files with 4 additions and 3 deletions

View File

@ -1314,20 +1314,21 @@ static int rtw_wait_firmware_completion(struct rtw_dev *rtwdev)
{ {
const struct rtw_chip_info *chip = rtwdev->chip; const struct rtw_chip_info *chip = rtwdev->chip;
struct rtw_fw_state *fw; struct rtw_fw_state *fw;
int ret = 0;
fw = &rtwdev->fw; fw = &rtwdev->fw;
wait_for_completion(&fw->completion); wait_for_completion(&fw->completion);
if (!fw->firmware) if (!fw->firmware)
return -EINVAL; ret = -EINVAL;
if (chip->wow_fw_name) { if (chip->wow_fw_name) {
fw = &rtwdev->wow_fw; fw = &rtwdev->wow_fw;
wait_for_completion(&fw->completion); wait_for_completion(&fw->completion);
if (!fw->firmware) if (!fw->firmware)
return -EINVAL; ret = -EINVAL;
} }
return 0; return ret;
} }
static enum rtw_lps_deep_mode rtw_update_lps_deep_mode(struct rtw_dev *rtwdev, static enum rtw_lps_deep_mode rtw_update_lps_deep_mode(struct rtw_dev *rtwdev,