]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9bb8dea)
wifi: at76c50x: fix use after free access in at76_disconnect
authorAbdun Nihaal <abdun.nihaal@gmail.com>
Sun, 30 Mar 2025 10:31:10 +0000 (16:01 +0530)
committerJohannes Berg <johannes.berg@intel.com>
Wed, 2 Apr 2025 08:43:56 +0000 (10:43 +0200)
The memory pointed to by priv is freed at the end of at76_delete_device
function (using ieee80211_free_hw). But the code then accesses the udev
field of the freed object to put the USB device. This may also lead to a
memory leak of the usb device. Fix this by using udev from interface.

Fixes: 29e20aa6c6af ("at76c50x-usb: fix use after free on failure path in at76_probe()")
Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
Link: https://patch.msgid.link/20250330103110.44080-1-abdun.nihaal@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
drivers/net/wireless/atmel/at76c50x-usb.c patch | blob | blame | history

diff --git a/drivers/net/wireless/atmel/at76c50x-usb.c b/drivers/net/wireless/atmel/at76c50x-usb.c
index 504e05ea30f2982eac2c7152d2049d343d59a822..97ea7ab0f491026a04662ff514236bcdb8ec1206 100644 (file)
--- a/drivers/net/wireless/atmel/at76c50x-usb.c
+++ b/drivers/net/wireless/atmel/at76c50x-usb.c
@@ -2552,7 +2552,7 @@ static void at76_disconnect(struct usb_interface *interface)
 
        wiphy_info(priv->hw->wiphy, "disconnecting\n");
        at76_delete_device(priv);
-       usb_put_dev(priv->udev);
+       usb_put_dev(interface_to_usbdev(interface));
        dev_info(&interface->dev, "disconnected\n");
 }
 
A mirror of Linus' kernel repository