diff options
Diffstat (limited to 'package/kernel/mac80211/patches/305-v4.15-brcmfmac-change-driver-unbind-order-of-the-sdio-func.patch')
-rw-r--r-- | package/kernel/mac80211/patches/305-v4.15-brcmfmac-change-driver-unbind-order-of-the-sdio-func.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/305-v4.15-brcmfmac-change-driver-unbind-order-of-the-sdio-func.patch b/package/kernel/mac80211/patches/305-v4.15-brcmfmac-change-driver-unbind-order-of-the-sdio-func.patch new file mode 100644 index 0000000000..3649bdda49 --- /dev/null +++ b/package/kernel/mac80211/patches/305-v4.15-brcmfmac-change-driver-unbind-order-of-the-sdio-func.patch @@ -0,0 +1,37 @@ +From 5c3de777bdaf48bd0cfb43097c0d0fb85056cab7 Mon Sep 17 00:00:00 2001 +From: Arend Van Spriel <arend.vanspriel@broadcom.com> +Date: Sat, 25 Nov 2017 21:39:25 +0100 +Subject: [PATCH] brcmfmac: change driver unbind order of the sdio function + devices + +In the function brcmf_sdio_firmware_callback() the driver is +unbound from the sdio function devices in the error path. +However, the order in which it is done resulted in a use-after-free +issue (see brcmf_ops_sdio_remove() in bcmsdh.c). Hence change +the order and first unbind sdio function #2 device and then +unbind sdio function #1 device. + +Cc: stable@vger.kernel.org # v4.12.x +Fixes: 7a51461fc2da ("brcmfmac: unbind all devices upon failure in firmware callback") +Reported-by: Stefan Wahren <stefan.wahren@i2se.com> +Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> +Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> +Reviewed-by: Franky Lin <franky.lin@broadcom.com> +Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> +Signed-off-by: Kalle Valo <kvalo@codeaurora.org> +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -4121,8 +4121,8 @@ release: + sdio_release_host(sdiodev->func[1]); + fail: + brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), err); +- device_release_driver(dev); + device_release_driver(&sdiodev->func[2]->dev); ++ device_release_driver(dev); + } + + struct brcmf_sdio *brcmf_sdio_probe(struct brcmf_sdio_dev *sdiodev) |