From: Kalle Valo <kvalo@codeaurora.org>
To: Karthikeyan Periyasamy <periyasa@codeaurora.org>
Cc: ath10k@lists.infradead.org, linux-wireless@vger.kernel.org,
	Karthikeyan Periyasamy <periyasa@codeaurora.org>
Subject: Re: [PATCH] ath10k: Fix kernel panic due to use after free
Date: Thu, 20 Dec 2018 16:51:39 +0000 (UTC)
Message-ID: <20181220165139.A410960767@smtp.codeaurora.org>
In-Reply-To: <1541753646-11533-1-git-send-email-periyasa@codeaurora.org>

Karthikeyan Periyasamy <periyasa@codeaurora.org> wrote:

> This issue arises in a race condition between ath10k_sta_state() and
> ath10k_htt_fetch_peer_stats(), explained in the scenario below.
> 
> Steps:
> 1. In ath10k_sta_state(), arsta->tx_stats gets deallocated before peer deletion
>    when the station moves from IEEE80211_STA_NONE to IEEE80211_STA_NOTEXIST
>    state.
> 2. Meanwhile ath10k receives an HTT_T2H_MSG_TYPE_PEER_STATS message.
>    In ath10k_htt_fetch_peer_stats(), arsta->tx_stats gets accessed after
>    the peer validation check.
> 
> Since arsta->tx_stats gets freed before the peer deletion [1],
> ath10k_htt_fetch_peer_stats() ends up in a "use after free" situation.
> 
> Fixed this issue by moving the arsta->tx_stats free handling after the
> peer deletion, so that ath10k_htt_fetch_peer_stats() will not end up in a
> "use after free" situation.
> 
> Kernel Panic:
> 
> Unable to handle kernel NULL pointer dereference at virtual address 00000286
> pgd = d8754000
> [00000286] *pgd=00000000
> Internal error: Oops: 5 [#1] PREEMPT SMP ARM
> ...
> CPU: 0 PID: 6245 Comm: hostapd Not tainted
> task: dc44cac0 ti: d4a38000 task.ti: d4a38000
> PC is at kmem_cache_alloc+0x7c/0x114
> LR is at ath10k_sta_state+0x190/0xd58 [ath10k_core]
> pc : [<c02bdc50>]    lr : [<bf916b78>]    psr: 20000013
> sp : d4a39b88  ip : 00000000  fp : 00000001
> r10: 00000000  r9 : 1d3bc000  r8 : 00000dc0
> r7 : 000080d0  r6 : d4a38000  r5 : dd401b00  r4 : 00000286
> r3 : 00000000  r2 : d4a39ba0  r1 : 000080d0  r0 : dd401b00
> Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
> Control: 10c5787d  Table: 5a75406a  DAC: 00000015
> Process hostapd (pid: 6245, stack limit = 0xd4a38238)
> Stack: (0xd4a39b88 to 0xd4a3a000)
> ...
> [<c02bdc50>] (kmem_cache_alloc) from [<bf916b78>] (ath10k_sta_state+0x190/0xd58 [ath10k_core])
> [<bf916b78>] (ath10k_sta_state [ath10k_core]) from [<bf870d4c>] (sta_info_insert_rcu+0x418/0x61c [mac80211])
> [<bf870d4c>] (sta_info_insert_rcu [mac80211]) from [<bf88634c>] (ieee80211_add_station+0xf0/0x134 [mac80211])
> [<bf88634c>] (ieee80211_add_station [mac80211]) from [<bf83f3c4>] (nl80211_new_station+0x330/0x36c [cfg80211])
> [<bf83f3c4>] (nl80211_new_station [cfg80211]) from [<bf6c4040>] (extack_doit+0x2c/0x74 [compat])
> [<bf6c4040>] (extack_doit [compat]) from [<c05c285c>] (genl_rcv_msg+0x274/0x30c)
> [<c05c285c>] (genl_rcv_msg) from [<c05c1d98>] (netlink_rcv_skb+0x58/0xac)
> [<c05c1d98>] (netlink_rcv_skb) from [<c05c25d4>] (genl_rcv+0x20/0x34)
> [<c05c25d4>] (genl_rcv) from [<c05c1750>] (netlink_unicast+0x11c/0x204)
> [<c05c1750>] (netlink_unicast) from [<c05c1be0>] (netlink_sendmsg+0x30c/0x370)
> [<c05c1be0>] (netlink_sendmsg) from [<c0587e90>] (sock_sendmsg+0x70/0x84)
> [<c0587e90>] (sock_sendmsg) from [<c058970c>] (___sys_sendmsg.part.3+0x188/0x228)
> [<c058970c>] (___sys_sendmsg.part.3) from [<c058a594>] (__sys_sendmsg+0x4c/0x70)
> [<c058a594>] (__sys_sendmsg) from [<c0208c80>] (ret_fast_syscall+0x0/0x44)
> Code: ebfffec1 e1a04000 ea00001b e5953014 (e7940003)
> ath10k_pci 0000:01:00.0: SWBA overrun on vdev 0, skipped old beacon
> 
> Hardware tested: QCA9984
> Firmware tested: 10.4-3.6.0.1-00004
> 
> Fixes: a904417fc ("ath10k: add extended per sta tx statistics support")
> Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

553a7cca769d ath10k: fix kernel panic due to use after free

-- 
https://patchwork.kernel.org/patch/10675533/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
