From: John W. Linville <linville@tuxdriver.com>
To: ath9k-devel@lists.ath9k.org
Subject: [ath9k-devel] [PATCH -next] wireless: ath9k-htc: fix possible use after free
Date: Thu, 27 Sep 2012 17:24:35 -0400
Message-ID: <20120927212435.GA1892@tuxdriver.com>
In-Reply-To: <CACVXFVOkTNOtk6_nxG4CgcgZX5iLCiuSusxvbBpn43F1=L=X2g@mail.gmail.com>

On Thu, Sep 27, 2012 at 12:06:17PM +0800, Ming Lei wrote:
> On Thu, Sep 13, 2012 at 10:33 AM, Ming Lei <ming.lei@canonical.com> wrote:
> > Inside ath9k_hif_usb_firmware_fail(), the instance of
> > 'struct hif_device_usb' may be freed by
> > ath9k_hif_usb_disconnect() after
> >
> >         complete(&hif_dev->fw_done);
> >
> > But 'hif_dev' is still accessed after the line of code
> > above is executed.
> >
> > This patch fixes the issue by not accessing 'hif_dev'
> > after 'complete(&hif_dev->fw_done)' inside
> > ath9k_hif_usb_firmware_fail().
> >
> > Cc: ath9k-devel at lists.ath9k.org
> > Cc: "Luis R. Rodriguez" <mcgrof@qca.qualcomm.com>
> > Cc: Jouni Malinen <jouni@qca.qualcomm.com>
> > Cc: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
> > Cc: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
> > Cc: "John W. Linville" <linville@tuxdriver.com>
> 
> Gentle ping, :-)

This is commit e962610f8100e1b52973f5a9c855cbc3d1ba04ec in wireless-next?

-- 
John W. Linville		Someday the world will need a hero, and you
linville at tuxdriver.com			might be all we have.  Be ready.
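
The race in the quoted commit message, as an added user-space model in C (not code from the patch or the driver). `hif_model`, `parent_id`, `disconnect_model` and the synchronous `complete()` are hypothetical stand-ins, and copying the field before signalling is one assumed way to follow the rule of not touching `hif_dev` afterwards.

```c
#include <string.h>
/* Constructed model, not driver code. One static slot stands in for the heap,
 * so reading the "freed" object is well-defined and can be inspected. */
struct completion { int done; void (*waiter)(void *); void *arg; };
struct hif_model {              /* hypothetical stand-in for struct hif_device_usb */
    struct completion fw_done;
    int parent_id;              /* state the fail path still needs after signalling */
};
#define POISON_FREE 0x6b        /* byte the kernel's slab poisoning writes on free */
static struct hif_model slot;

/* Worst-case interleaving: the waiter runs the instant it is signalled. */
static void complete(struct completion *x)
{
    void (*waiter)(void *) = x->waiter;
    void *arg = x->arg;
    x->done = 1;
    waiter(arg);                /* x must not be touched after this call */
}

/* Models ath9k_hif_usb_disconnect() releasing hif_dev once fw_done fires. */
static void disconnect_model(void *p)
{
    memset(p, POISON_FREE, sizeof(struct hif_model));
}

static struct hif_model *setup(void)
{
    slot.fw_done = (struct completion){ 0, disconnect_model, &slot };
    slot.parent_id = 42;        /* constructed sample value */
    return &slot;
}

/* Pattern the commit message describes: hif_dev read after complete(). */
int fail_path_before_fix(void)
{
    struct hif_model *hif_dev = setup();
    complete(&hif_dev->fw_done);
    return hif_dev->parent_id;  /* stale read of released memory */
}

/* Rule the commit message states: no access to hif_dev after complete(). */
int fail_path_after_fix(void)
{
    struct hif_model *hif_dev = setup();
    int parent_id = hif_dev->parent_id;   /* copy what is needed first */
    complete(&hif_dev->fw_done);
    return parent_id;
}
```

In the model the stale read returns the poison pattern instead of the stored value; in the kernel the same access is a use after free, whose outcome depends on what has reused the memory.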
