From 061a6e9860b5c43c255221132294c983514bf409 Mon Sep 17 00:00:00 2001 From: Stefan Agner Date: Tue, 8 Feb 2022 16:13:13 +0100 Subject: [PATCH] Add Intel WiFi driver fix to avoid crash on Intel NUC systems (#1739) (#1745) --- ...e-missed-beacon-timeout-configurable.patch | 14 +++--- .../0002-iwlwifi-fix-use-after-free.patch | 49 +++++++++++++++++++ 2 files changed, 56 insertions(+), 7 deletions(-) create mode 100644 buildroot-external/board/pc/patches/linux/0002-iwlwifi-fix-use-after-free.patch diff --git a/buildroot-external/board/pc/patches/linux/0001-iwlwifi-Make-missed-beacon-timeout-configurable.patch b/buildroot-external/board/pc/patches/linux/0001-iwlwifi-Make-missed-beacon-timeout-configurable.patch index 0c4ef994c..8029126ef 100644 --- a/buildroot-external/board/pc/patches/linux/0001-iwlwifi-Make-missed-beacon-timeout-configurable.patch +++ b/buildroot-external/board/pc/patches/linux/0001-iwlwifi-Make-missed-beacon-timeout-configurable.patch @@ -1,8 +1,8 @@ -From 332c4f164ac60dcc65c315841d9c6f064ae316ec Mon Sep 17 00:00:00 2001 -Message-Id: <332c4f164ac60dcc65c315841d9c6f064ae316ec.1639398304.git.stefan@agner.ch> +From 6e5d979ec45555720a6537eb006947dca825afc0 Mon Sep 17 00:00:00 2001 +Message-Id: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch> From: Zachary Michaels Date: Thu, 7 Jan 2021 08:13:11 -0800 -Subject: [PATCH] iwlwifi: Make missed beacon timeout configurable +Subject: [PATCH 1/2] iwlwifi: Make missed beacon timeout configurable Makes the beacon timeout a module parameter, allowing the original default (16 missed beacons) to be kept while also enabling users that experience problems to @@ -19,10 +19,10 @@ Signed-off-by: Stefan Agner 4 files changed, 8 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c -index be214f39f52b..4401b6b8484a 100644 +index 30c6d7b18599..d64cec9d593d 100644 --- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c -@@ -1740,6 +1740,7 @@ struct iwl_mod_params iwlwifi_mod_params = { +@@ -1741,6 +1741,7 @@ struct iwl_mod_params iwlwifi_mod_params = { .power_level = IWL_POWER_INDEX_1, .uapsd_disable = IWL_DISABLE_UAPSD_BSS | IWL_DISABLE_UAPSD_P2P_CLIENT, .enable_ini = true, @@ -30,7 +30,7 @@ index be214f39f52b..4401b6b8484a 100644 /* the rest are 0 by default */ }; IWL_EXPORT_SYMBOL(iwlwifi_mod_params); -@@ -1857,6 +1858,9 @@ module_param_named(enable_ini, iwlwifi_mod_params.enable_ini, +@@ -1858,6 +1859,9 @@ module_param_named(enable_ini, iwlwifi_mod_params.enable_ini, bool, S_IRUGO | S_IWUSR); MODULE_PARM_DESC(enable_ini, "Enable debug INI TLV FW debug infrastructure (default: true"); @@ -94,5 +94,5 @@ index 64f5a4cb3d3a..730638da8fd3 100644 /* A TimeUnit is 1024 microsecond */ #define MSEC_TO_TU(_msec) (_msec*1000/1024) -- -2.34.0 +2.35.1 diff --git a/buildroot-external/board/pc/patches/linux/0002-iwlwifi-fix-use-after-free.patch b/buildroot-external/board/pc/patches/linux/0002-iwlwifi-fix-use-after-free.patch new file mode 100644 index 000000000..3a8a9bda5 --- /dev/null +++ b/buildroot-external/board/pc/patches/linux/0002-iwlwifi-fix-use-after-free.patch @@ -0,0 +1,49 @@ +From ca69c942280b3fccd641ba2ca24c7c5925014241 Mon Sep 17 00:00:00 2001 +Message-Id: +In-Reply-To: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch> +References: <6e5d979ec45555720a6537eb006947dca825afc0.1644327234.git.stefan@agner.ch> +From: Johannes Berg +Date: Tue, 8 Feb 2022 11:47:30 +0100 +Subject: [PATCH 2/2] iwlwifi: fix use-after-free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +If no firmware was present at all (or, presumably, all of the +firmware files failed to parse), we end up unbinding by calling +device_release_driver(), which calls remove(), which then in +iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However +the new code I added will still erroneously access it after it +was freed. + +Set 'failure=false' in this case to avoid the access, all data +was already freed anyway. + +Cc: stable@vger.kernel.org +Reported-by: Stefan Agner +Reported-by: Wolfgang Walter +Reported-by: Jason Self +Reported-by: Dominik Behr +Reported-by: Marek Marczykowski-Górecki +Fixes: ab07506b0454 ("iwlwifi: fix leaks/bad data after failed firmware load") +Signed-off-by: Johannes Berg +--- + drivers/net/wireless/intel/iwlwifi/iwl-drv.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +index d64cec9d593d..90a680799b03 100644 +--- a/drivers/net/wireless/intel/iwlwifi/iwl-drv.c ++++ b/drivers/net/wireless/intel/iwlwifi/iwl-drv.c +@@ -1646,6 +1646,8 @@ static void iwl_req_fw_callback(const struct firmware *ucode_raw, void *context) + out_unbind: + complete(&drv->request_firmware_complete); + device_release_driver(drv->trans->dev); ++ /* drv has just been freed by the release */ ++ failure = false; + free: + if (failure) + iwl_dealloc_ucode(drv); +-- +2.35.1 +