--- /dev/null
+From 8b51dc7291473093c821195c4b6af85fadedbc2f Mon Sep 17 00:00:00 2001
+From: Hui Peng <benquike@gmail.com>
+Date: Mon, 19 Aug 2019 18:02:29 -0400
+Subject: rsi: fix a double free bug in rsi_91x_deinit()
+
+From: Hui Peng <benquike@gmail.com>
+
+commit 8b51dc7291473093c821195c4b6af85fadedbc2f upstream.
+
+`dev` (struct rsi_91x_usbdev *) field of adapter
+(struct rsi_91x_usbdev *) is allocated and initialized in
+`rsi_init_usb_interface`. If any error is detected in information
+read from the device side, `rsi_init_usb_interface` will be
+freed. However, in the higher level error handling code in
+`rsi_probe`, if error is detected, `rsi_91x_deinit` is called
+again, in which `dev` will be freed again, resulting double free.
+
+This patch fixes the double free by removing the free operation on
+`dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
+used in `rsi_disconnect`, in that code path, the `dev` field is not
+ (and thus needs to be) freed.
+
+This bug was found in v4.19, but is also present in the latest version
+of kernel. Fixes CVE-2019-15504.
+
+Reported-by: Hui Peng <benquike@gmail.com>
+Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
+Signed-off-by: Hui Peng <benquike@gmail.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -643,7 +643,6 @@ fail_rx:
+ kfree(rsi_dev->tx_buffer);
+
+ fail_eps:
+- kfree(rsi_dev);
+
+ return status;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
