diff options
| author | Daniel Gabay <daniel.gabay@intel.com> | 2023-04-13 21:40:32 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2023-05-24 17:32:38 +0100 |
| commit | 0f9a1bcb94016d3a3c455a77b01f6bb06e15f6eb (patch) | |
| tree | 393d4109118748b10ea563e5b04f562590efe056 /drivers/net/wireless/intel | |
| parent | b4acb6c3ede88d6b7d33742a09e63cfce5e7fb69 (diff) | |
| download | linux-0f9a1bcb94016d3a3c455a77b01f6bb06e15f6eb.tar.gz | |
wifi: iwlwifi: pcie: fix possible NULL pointer dereference
[ Upstream commit b655b9a9f8467684cfa8906713d33b71ea8c8f54 ] It is possible that iwl_pci_probe() will fail and free the trans, then afterwards iwl_pci_remove() will be called and crash by trying to access trans which is already freed, fix it. iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2 wfpm id 0xa5a5a5a2 iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2 ... BUG: kernel NULL pointer dereference, address: 0000000000000028 ... RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi] pci_device_remove+0x3e/0xb0 device_release_driver_internal+0x103/0x1f0 driver_detach+0x4c/0x90 bus_remove_driver+0x5c/0xd0 driver_unregister+0x31/0x50 pci_unregister_driver+0x40/0x90 iwl_pci_unregister_driver+0x15/0x20 [iwlwifi] __exit_compat+0x9/0x98 [iwlwifi] __x64_sys_delete_module+0x147/0x260 Signed-off-by: Daniel Gabay <daniel.gabay@intel.com> Signed-off-by: Gregory Greenman <gregory.greenman@intel.com> Link: https://lore.kernel.org/r/20230413213309.082f6e21341b.I0db21d7fa9a828d571ca886713bd0b5d0b6e1e5c@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/net/wireless/intel')
| -rw-r--r-- | drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c index 85fadd1ef1ff..afe6cc15c845 100644 --- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c +++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c @@ -1685,6 +1685,9 @@ static void iwl_pci_remove(struct pci_dev *pdev) { struct iwl_trans *trans = pci_get_drvdata(pdev); + if (!trans) + return; + iwl_drv_stop(trans->drv); iwl_trans_pcie_free(trans); |