Add Intel WiFi driver fix to avoid crash on Intel NUC systems (#1739) (#1745)

2025-07-28 07:26:28 +00:00 · 2022-02-08 16:13:13 +01:00 · 2022-02-08 16:13:13 +01:00 · 061a6e9860
commit 061a6e9860
parent c29f95678f
2 changed files with 56 additions and 7 deletions
--- a/buildroot-external/board/pc/patches/linux/0001-iwlwifi-Make-missed-beacon-timeout-configurable.patch
+++ b/buildroot-external/board/pc/patches/linux/0001-iwlwifi-Make-missed-beacon-timeout-configurable.patch
@ -1,8 +1,8 @@
-From 332c4f164ac60dcc65c315841d9c6f064ae316ec Mon Sep 17 00:00:00 2001
-Message-Id: <332c4f164ac60dcc65c315841d9c6f064ae316ec.1639398304.git.stefan@agner.ch>
+From 6e5d979ec45555720a6537eb006947dca825afc0 Mon Sep 17 00:00:00 2001
+Message-Id: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch>
 From: Zachary Michaels <mikezackles@gmail.com>
 Date: Thu, 7 Jan 2021 08:13:11 -0800
-Subject: [PATCH] iwlwifi: Make missed beacon timeout configurable
+Subject: [PATCH 1/2] iwlwifi: Make missed beacon timeout configurable

 Makes the beacon timeout a module parameter, allowing the original default (16
 missed beacons) to be kept while also enabling users that experience problems to
@ -19,10 +19,10 @@ Signed-off-by: Stefan Agner <stefan@agner.ch>
 4 files changed, 8 insertions(+), 2 deletions(-)

 diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
-index be214f39f52b..4401b6b8484a 100644
+index 30c6d7b18599..d64cec9d593d 100644
 --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
 +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
-@@ -1740,6 +1740,7 @@ struct iwl_mod_params iwlwifi_mod_params = {
+@@ -1741,6 +1741,7 @@ struct iwl_mod_params iwlwifi_mod_params = {
 	.power_level = IWL_POWER_INDEX_1,
 	.uapsd_disable = IWL_DISABLE_UAPSD_BSS | IWL_DISABLE_UAPSD_P2P_CLIENT,
 	.enable_ini = true,
@ -30,7 +30,7 @@ index be214f39f52b..4401b6b8484a 100644
 	/* the rest are 0 by default */
 };
 IWL_EXPORT_SYMBOL(iwlwifi_mod_params);
-@@ -1857,6 +1858,9 @@ module_param_named(enable_ini, iwlwifi_mod_params.enable_ini,
+@@ -1858,6 +1859,9 @@ module_param_named(enable_ini, iwlwifi_mod_params.enable_ini,
 		   bool, S_IRUGO | S_IWUSR);
 MODULE_PARM_DESC(enable_ini,
 		 "Enable debug INI TLV FW debug infrastructure (default: true");
@ -94,5 +94,5 @@ index 64f5a4cb3d3a..730638da8fd3 100644
 /* A TimeUnit is 1024 microsecond */
 #define MSEC_TO_TU(_msec)	(_msec*1000/1024)
 -- 
-2.34.0
+2.35.1

--- a/buildroot-external/board/pc/patches/linux/0002-iwlwifi-fix-use-after-free.patch
+++ b/buildroot-external/board/pc/patches/linux/0002-iwlwifi-fix-use-after-free.patch
@ -0,0 +1,49 @@
+From ca69c942280b3fccd641ba2ca24c7c5925014241 Mon Sep 17 00:00:00 2001
+Message-Id: <ca69c942280b3fccd641ba2ca24c7c5925014241.1644327234.git.stefan@agner.ch>
+In-Reply-To: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch>
+References: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch>
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 8 Feb 2022 11:47:30 +0100
+Subject: [PATCH 2/2] iwlwifi: fix use-after-free
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+If no firmware was present at all (or, presumably, all of the
+firmware files failed to parse), we end up unbinding by calling
+device_release_driver(), which calls remove(), which then in
+iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However
+the new code I added will still erroneously access it after it
+was freed.
+
+Set 'failure=false' in this case to avoid the access, all data
+was already freed anyway.
+
+Cc: stable@vger.kernel.org
+Reported-by: Stefan Agner <stefan@agner.ch>
+Reported-by: Wolfgang Walter <linux@stwm.de>
+Reported-by: Jason Self <jason@bluehome.net>
+Reported-by: Dominik Behr <dominik@dominikbehr.com>
+Reported-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+---
+ drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+index d64cec9d593d..90a680799b03 100644
+--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c
+@@ -1646,6 +1646,8 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context)
+  out_unbind:
+ 	complete(&drv->request_firmware_complete);
+ 	device_release_driver(drv->trans->dev);
+	/* drv has just been freed by the release */
+	failure = false;
+  free:
+ 	if (failure)
+ 		iwl_dealloc_ucode(drv);
+-- 
+2.35.1
+