From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Minsuk Kang" <linuxlovemin@yonsei.ac.kr>,
"Dokyung Song" <dokyungs@yonsei.ac.kr>,
"Jisoo Jang" <jisoo.jang@yonsei.ac.kr>,
"Toke Høiland-Jørgensen" <toke@toke.dk>,
"Kalle Valo" <quic_kvalo@quicinc.com>,
"Sasha Levin" <sashal@kernel.org>,
kvalo@kernel.org, davem@davemloft.net, edumazet@google.com,
kuba@kernel.org, pabeni@redhat.com,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 6.2 01/53] wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()
Date: Sun, 26 Feb 2023 09:43:53 -0500 [thread overview]
Message-ID: <20230226144446.824580-1-sashal@kernel.org> (raw)
From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
[ Upstream commit f099c5c9e2ba08a379bd354a82e05ef839ae29ac ]
This patch fixes a use-after-free in ath9k that occurs in
ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access
'drv_priv' that has already been freed by ieee80211_free_hw(), called by
ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before
ieee80211_free_hw(). Note that urbs from the driver should be killed
before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will
access 'wmi'.
Found by a modified version of syzkaller.
==================================================================
BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40
Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7
CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
dump_stack_lvl+0x8e/0xd1
print_address_description.constprop.0.cold+0x93/0x334
? ath9k_destroy_wmi+0x38/0x40
? ath9k_destroy_wmi+0x38/0x40
kasan_report.cold+0x83/0xdf
? ath9k_destroy_wmi+0x38/0x40
ath9k_destroy_wmi+0x38/0x40
ath9k_hif_usb_disconnect+0x329/0x3f0
? ath9k_hif_usb_suspend+0x120/0x120
? usb_disable_interface+0xfc/0x180
usb_unbind_interface+0x19b/0x7e0
? usb_autoresume_device+0x50/0x50
device_release_driver_internal+0x44d/0x520
bus_remove_device+0x2e5/0x5a0
device_del+0x5b2/0xe30
? __device_link_del+0x370/0x370
? usb_remove_ep_devs+0x43/0x80
? remove_intf_ep_devs+0x112/0x1a0
usb_disable_device+0x1e3/0x5a0
usb_disconnect+0x267/0x870
hub_event+0x168d/0x3950
? rcu_read_lock_sched_held+0xa1/0xd0
? hub_port_debounce+0x2e0/0x2e0
? check_irq_usage+0x860/0xf20
? drain_workqueue+0x281/0x360
? lock_release+0x640/0x640
? rcu_read_lock_sched_held+0xa1/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x273/0x3e0
process_one_work+0x92b/0x1460
? pwq_dec_nr_in_flight+0x330/0x330
? rwlock_bug.part.0+0x90/0x90
worker_thread+0x95/0xe00
? __kthread_parkme+0x115/0x1e0
? process_one_work+0x1460/0x1460
kthread+0x3a1/0x480
? set_kthread_struct+0x120/0x120
ret_from_fork+0x1f/0x30
The buggy address belongs to the page:
page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635
prep_new_page+0x1aa/0x240
get_page_from_freelist+0x159a/0x27c0
__alloc_pages+0x2da/0x6a0
alloc_pages+0xec/0x1e0
kmalloc_order+0x39/0xf0
kmalloc_order_trace+0x19/0x120
__kmalloc+0x308/0x390
wiphy_new_nm+0x6f5/0x1dd0
ieee80211_alloc_hw_nm+0x36d/0x2230
ath9k_htc_probe_device+0x9d/0x1e10
ath9k_htc_hw_init+0x34/0x50
ath9k_hif_usb_firmware_cb+0x25f/0x4e0
request_firmware_work_func+0x131/0x240
process_one_work+0x92b/0x1460
worker_thread+0x95/0xe00
kthread+0x3a1/0x480
page last free stack trace:
free_pcp_prepare+0x3d3/0x7f0
free_unref_page+0x1e/0x3d0
device_release+0xa4/0x240
kobject_put+0x186/0x4c0
put_device+0x20/0x30
ath9k_htc_disconnect_device+0x1cf/0x2c0
ath9k_htc_hw_deinit+0x26/0x30
ath9k_hif_usb_disconnect+0x2d9/0x3f0
usb_unbind_interface+0x19b/0x7e0
device_release_driver_internal+0x44d/0x520
bus_remove_device+0x2e5/0x5a0
device_del+0x5b2/0xe30
usb_disable_device+0x1e3/0x5a0
usb_disconnect+0x267/0x870
hub_event+0x168d/0x3950
process_one_work+0x92b/0x1460
Memory state around the buggy address:
ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff888106913280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888106913300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888106913380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20221205014308.1617597-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 2 --
drivers/net/wireless/ath/ath9k/htc_drv_init.c | 2 ++
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 1a2e0c7eeb023..86ede591dafaf 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1411,8 +1411,6 @@ static void ath9k_hif_usb_disconnect(struct usb_interface *interface)
if (hif_dev->flags & HIF_USB_READY) {
ath9k_htc_hw_deinit(hif_dev->htc_handle, unplugged);
- ath9k_hif_usb_dev_deinit(hif_dev);
- ath9k_destroy_wmi(hif_dev->htc_handle->drv_priv);
ath9k_htc_hw_free(hif_dev->htc_handle);
}
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
index 07ac88fb1c577..96a3185a96d75 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -988,6 +988,8 @@ void ath9k_htc_disconnect_device(struct htc_target *htc_handle, bool hotunplug)
ath9k_deinit_device(htc_handle->drv_priv);
ath9k_stop_wmi(htc_handle->drv_priv);
+ ath9k_hif_usb_dealloc_urbs((struct hif_device_usb *)htc_handle->hif_dev);
+ ath9k_destroy_wmi(htc_handle->drv_priv);
ieee80211_free_hw(htc_handle->drv_priv->hw);
}
}
--
2.39.0
next reply other threads:[~2023-02-26 14:44 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-02-26 14:43 Sasha Levin [this message]
2023-02-26 14:43 ` [PATCH AUTOSEL 6.2 02/53] wifi: ath11k: fix monitor mode bringup crash Sasha Levin
2023-02-26 14:43 ` Sasha Levin
2023-02-26 14:43 ` [PATCH AUTOSEL 6.2 03/53] wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() Sasha Levin
2023-02-26 14:43 ` [PATCH AUTOSEL 6.2 04/53] rcu: Make RCU_LOCKDEP_WARN() avoid early lockdep checks Sasha Levin
2023-02-26 14:43 ` [PATCH AUTOSEL 6.2 05/53] rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait() Sasha Levin
2023-02-26 14:43 ` [PATCH AUTOSEL 6.2 06/53] srcu: Delegate work to the boot cpu if using SRCU_SIZE_SMALL Sasha Levin
2023-02-26 14:43 ` [PATCH AUTOSEL 6.2 07/53] rcu-tasks: Make rude RCU-Tasks work well with CPU hotplug Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 08/53] rcu-tasks: Handle queue-shrink/callback-enqueue race condition Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 09/53] wifi: ath11k: debugfs: fix to work with multiple PCI devices Sasha Levin
2023-02-26 14:44 ` Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 10/53] thermal: intel: Fix unsigned comparison with less than zero Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 11/53] timers: Prevent union confusion from unexpected restart_syscall() Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 12/53] x86/bugs: Reset speculation control settings on init Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 13/53] bpftool: Always disable stack protection for BPF objects Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 14/53] wifi: brcmfmac: ensure CLM version is null-terminated to prevent stack-out-of-bounds Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 15/53] wifi: rtw89: fix assignation of TX BD RAM table Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 16/53] wifi: mt7601u: fix an integer underflow Sasha Levin
2023-02-26 14:44 ` Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 17/53] inet: fix fast path in __inet_hash_connect() Sasha Levin
2023-02-26 14:44 ` [Intel-wired-lan] [PATCH AUTOSEL 6.2 18/53] ice: restrict PTP HW clock freq adjustments to 100, 000, 000 PPB Sasha Levin
2023-02-26 14:44 ` Sasha Levin
2023-02-26 14:44 ` [Intel-wired-lan] [PATCH AUTOSEL 6.2 19/53] ice: add missing checks for PF vsi type Sasha Levin
2023-02-26 14:44 ` Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 20/53] Compiler attributes: GCC cold function alignment workarounds Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 21/53] ACPI: Don't build ACPICA with '-Os' Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 22/53] bpf, docs: Fix modulo zero, division by zero, overflow, and underflow Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 23/53] thermal: intel: intel_pch: Add support for Wellsburg PCH Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 24/53] clocksource: Suspend the watchdog temporarily when high read latency detected Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 25/53] crypto: hisilicon: Wipe entire pool on error Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 26/53] netpoll: Remove 4s sleep during carrier detection Sasha Levin
2023-02-27 18:15 ` Jakub Kicinski
2023-03-01 2:10 ` Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 27/53] net: bcmgenet: Add a check for oversized packets Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 28/53] m68k: Check syscall_trace_enter() return code Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 29/53] s390/mm,ptdump: avoid Kasan vs Memcpy Real markers swapping Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 30/53] netfilter: nf_tables: NULL pointer dereference in nf_tables_updobj() Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 31/53] neighbor: fix proxy_delay usage when it is zero Sasha Levin
2023-02-27 18:15 ` Jakub Kicinski
2023-03-01 14:13 ` Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 32/53] can: isotp: check CAN address family in isotp_bind() Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 33/53] gcc-plugins: drop -std=gnu++11 to fix GCC 13 build Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 34/53] tools/power/x86/intel-speed-select: Add Emerald Rapid quirk Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 35/53] platform/x86: dell-ddv: Add support for interface version 3 Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 36/53] wifi: mt76: dma: free rx_head in mt76_dma_rx_cleanup Sasha Levin
2023-02-26 14:44 ` Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 37/53] ACPI: video: Fix Lenovo Ideapad Z570 DMI match Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 38/53] net/mlx5: fw_tracer: Fix debug print Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 39/53] coda: Avoid partial allocation of sig_inputArgs Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 40/53] uaccess: Add minimum bounds check on kernel buffer size Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 41/53] s390/idle: mark arch_cpu_idle() noinstr Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 42/53] time/debug: Fix memory leak with using debugfs_lookup() Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 43/53] PM: domains: fix " Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 44/53] PM: EM: " Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 45/53] Bluetooth: Fix issue with Actions Semi ATS2851 based devices Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 46/53] Bluetooth: btusb: Add new PID/VID 0489:e0f2 for MT7921 Sasha Levin
2023-02-26 14:44 ` Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 47/53] Bluetooth: btusb: Add VID:PID 13d3:3529 for Realtek RTL8821CE Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 48/53] wifi: rtw89: debug: avoid invalid access on RTW89_DBG_SEL_MAC_30 Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 49/53] hv_netvsc: Check status in SEND_RNDIS_PKT completion message Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 50/53] s390/kfence: fix page fault reporting Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 51/53] devlink: health: Fix nla_nest_end in error flow Sasha Levin
2023-02-27 18:13 ` Jakub Kicinski
2023-03-01 14:13 ` Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 52/53] devlink: Fix TP_STRUCT_entry in trace of devlink health report Sasha Levin
2023-02-26 14:44 ` [PATCH AUTOSEL 6.2 53/53] scm: add user copy checks to put_cmsg() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230226144446.824580-1-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=davem@davemloft.net \
--cc=dokyungs@yonsei.ac.kr \
--cc=edumazet@google.com \
--cc=jisoo.jang@yonsei.ac.kr \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=linuxlovemin@yonsei.ac.kr \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=quic_kvalo@quicinc.com \
--cc=stable@vger.kernel.org \
--cc=toke@toke.dk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.