net: wireless: b43: Avoid possible double calls to b43_one_core_detach()

Message ID 20190504091000.18665-1-baijiaju1990@gmail.com
State Awaiting Upstream
Delegated to: David Miller

Commit Message

Jia-Ju Bai May 4, 2019, 9:10 a.m. UTC
In b43_request_firmware(), when ieee80211_register_hw() fails,
b43_one_core_detach() is called. In b43_bcma_remove() and
b43_ssb_remove(), b43_one_core_detach() is called again. In this case,
null-pointer dereferences and double-free problems can occur when
the driver is removed.

To fix this bug, the call to b43_one_core_detach() in
b43_request_firmware() is deleted.

This bug was found by a runtime fuzzing tool named FIZZER written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 drivers/net/wireless/broadcom/b43/main.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

Comments

Kalle Valo May 6, 2019, 8:21 a.m. UTC | #1
Jia-Ju Bai <baijiaju1990@gmail.com> writes:

> In b43_request_firmware(), when ieee80211_register_hw() fails,
> b43_one_core_detach() is called. In b43_bcma_remove() and
> b43_ssb_remove(), b43_one_core_detach() is called again. In this case,
> null-pointer dereferences and double-free problems can occur when
> the driver is removed.
>
> To fix this bug, the call to b43_one_core_detach() in
> b43_request_firmware() is deleted.
>
> This bug is found by a runtime fuzzing tool named FIZZER written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
>  drivers/net/wireless/broadcom/b43/main.c | 7 +------
>  1 file changed, 1 insertion(+), 6 deletions(-)

You can use just "b43:" as prefix, no need to have "net:" nor
"wireless:" in the title. I'll fix it this time, but please use correct
style in the future.

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches#commit_title_is_wrong

Kalle Valo May 28, 2019, 12:43 p.m. UTC | #2
Jia-Ju Bai <baijiaju1990@gmail.com> wrote:

> In b43_request_firmware(), when ieee80211_register_hw() fails,
> b43_one_core_detach() is called. In b43_bcma_remove() and
> b43_ssb_remove(), b43_one_core_detach() is called again. In this case,
> null-pointer dereferences and double-free problems can occur when
> the driver is removed.
> 
> To fix this bug, the call to b43_one_core_detach() in
> b43_request_firmware() is deleted.
> 
> This bug is found by a runtime fuzzing tool named FIZZER written by us.
> 
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>

Patch applied to wireless-drivers-next.git, thanks.

ec2e93cf1910 b43: Avoid possible double calls to b43_one_core_detach()
Patch

diff --git a/drivers/net/wireless/broadcom/b43/main.c b/drivers/net/wireless/broadcom/b43/main.c
index 74be3c809225..e666a472a0da 100644
--- a/drivers/net/wireless/broadcom/b43/main.c
+++ b/drivers/net/wireless/broadcom/b43/main.c
@@ -2610,18 +2610,13 @@  static void b43_request_firmware(struct work_struct *work)
 
 	err = ieee80211_register_hw(wl->hw);
 	if (err)
-		goto err_one_core_detach;
+		goto out;
 	wl->hw_registered = true;
 	b43_leds_register(wl->current_dev);
 
 	/* Register HW RNG driver */
 	b43_rng_init(wl);
 
-	goto out;
-
-err_one_core_detach:
-	b43_one_core_detach(dev->dev);
-
 out:
 	kfree(ctx);
 }
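Review bot: with the `err_one_core_detach` label removed, the failure branch of `ieee80211_register_hw()` now jumps straight to `out:` and only does `kfree(ctx)`, leaving the core attached with `wl->hw_registered` still unset; a one-line comment at the new `goto out;` saying that teardown is deliberately left to b43_bcma_remove()/b43_ssb_remove() would stop a later reader from reintroducing the detach here and recreating the double call the commit message describes. It is also worth stating in the commit message that those remove paths consult `hw_registered` before calling ieee80211_unregister_hw(), since after this change the device stays in the registration-failed state until removal.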