From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:55286 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751395AbdK1JyP (ORCPT ); Tue, 28 Nov 2017 04:54:15 -0500 Subject: Patch "mwifiex: sdio: fix use after free issue for save_adapter" has been added to the 4.9-stable tree To: akarwar@marvell.com, alexander.levin@verizon.com, gregkh@linuxfoundation.org, kvalo@codeaurora.org Cc: , From: Date: Tue, 28 Nov 2017 10:50:45 +0100 Message-ID: <1511862645202186@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled mwifiex: sdio: fix use after free issue for save_adapter to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: mwifiex-sdio-fix-use-after-free-issue-for-save_adapter.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Tue Nov 28 10:49:28 CET 2017 From: Amitkumar Karwar Date: Thu, 1 Dec 2016 19:23:31 +0530 Subject: mwifiex: sdio: fix use after free issue for save_adapter From: Amitkumar Karwar [ Upstream commit 74c8719b8ee0922593a5cbec0bd6127d86d8a2f4 ] If we have sdio work requests received when sdio card reset is happening, we may end up accessing older save_adapter pointer later which is already freed during card reset. This patch solves the problem by cancelling those pending requests. Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/net/wireless/marvell/mwifiex/sdio.c | 6 ++++++ 1 file changed, 6 insertions(+) --- a/drivers/net/wireless/marvell/mwifiex/sdio.c +++ b/drivers/net/wireless/marvell/mwifiex/sdio.c @@ -2296,6 +2296,12 @@ static void mwifiex_recreate_adapter(str mmc_hw_reset(func->card->host); sdio_release_host(func); + /* Previous save_adapter won't be valid after this. We will cancel + * pending work requests. + */ + clear_bit(MWIFIEX_IFACE_WORK_DEVICE_DUMP, &iface_work_flags); + clear_bit(MWIFIEX_IFACE_WORK_CARD_RESET, &iface_work_flags); + mwifiex_sdio_probe(func, device_id); } Patches currently in stable-queue which might be from akarwar@marvell.com are queue-4.9/mwifiex-sdio-fix-use-after-free-issue-for-save_adapter.patch