From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Minsuk Kang <linuxlovemin@yonsei.ac.kr>, linux-wireless@vger.kernel.org
Cc: dokyungs@yonsei.ac.kr, jisoo.jang@yonsei.ac.kr,
Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Subject: Re: [PATCH] ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()
Date: Mon, 05 Dec 2022 14:12:37 +0100 [thread overview]
Message-ID: <875yequh8a.fsf@toke.dk> (raw)
In-Reply-To: <20221205014308.1617597-1-linuxlovemin@yonsei.ac.kr>
Minsuk Kang <linuxlovemin@yonsei.ac.kr> writes:
> This patch fixes a use-after-free in ath9k that occurs in
> ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access
> 'drv_priv' that has already been freed by ieee80211_free_hw(), called by
> ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before
> ieee80211_free_hw(). Note that urbs from the driver should be killed
> before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will
> access 'wmi'.
>
> Found by a modified version of syzkaller.
>
> ==================================================================
> BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40
> Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7
>
> CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
> Workqueue: usb_hub_wq hub_event
> Call Trace:
> dump_stack_lvl+0x8e/0xd1
> print_address_description.constprop.0.cold+0x93/0x334
> ? ath9k_destroy_wmi+0x38/0x40
> ? ath9k_destroy_wmi+0x38/0x40
> kasan_report.cold+0x83/0xdf
> ? ath9k_destroy_wmi+0x38/0x40
> ath9k_destroy_wmi+0x38/0x40
> ath9k_hif_usb_disconnect+0x329/0x3f0
> ? ath9k_hif_usb_suspend+0x120/0x120
> ? usb_disable_interface+0xfc/0x180
> usb_unbind_interface+0x19b/0x7e0
> ? usb_autoresume_device+0x50/0x50
> device_release_driver_internal+0x44d/0x520
> bus_remove_device+0x2e5/0x5a0
> device_del+0x5b2/0xe30
> ? __device_link_del+0x370/0x370
> ? usb_remove_ep_devs+0x43/0x80
> ? remove_intf_ep_devs+0x112/0x1a0
> usb_disable_device+0x1e3/0x5a0
> usb_disconnect+0x267/0x870
> hub_event+0x168d/0x3950
> ? rcu_read_lock_sched_held+0xa1/0xd0
> ? hub_port_debounce+0x2e0/0x2e0
> ? check_irq_usage+0x860/0xf20
> ? drain_workqueue+0x281/0x360
> ? lock_release+0x640/0x640
> ? rcu_read_lock_sched_held+0xa1/0xd0
> ? rcu_read_lock_bh_held+0xb0/0xb0
> ? lockdep_hardirqs_on_prepare+0x273/0x3e0
> process_one_work+0x92b/0x1460
> ? pwq_dec_nr_in_flight+0x330/0x330
> ? rwlock_bug.part.0+0x90/0x90
> worker_thread+0x95/0xe00
> ? __kthread_parkme+0x115/0x1e0
> ? process_one_work+0x1460/0x1460
> kthread+0x3a1/0x480
> ? set_kthread_struct+0x120/0x120
> ret_from_fork+0x1f/0x30
>
> The buggy address belongs to the page:
> page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913
> flags: 0x200000000000000(node=0|zone=2)
> raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
> raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
> page_owner tracks the page as freed
> page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635
> prep_new_page+0x1aa/0x240
> get_page_from_freelist+0x159a/0x27c0
> __alloc_pages+0x2da/0x6a0
> alloc_pages+0xec/0x1e0
> kmalloc_order+0x39/0xf0
> kmalloc_order_trace+0x19/0x120
> __kmalloc+0x308/0x390
> wiphy_new_nm+0x6f5/0x1dd0
> ieee80211_alloc_hw_nm+0x36d/0x2230
> ath9k_htc_probe_device+0x9d/0x1e10
> ath9k_htc_hw_init+0x34/0x50
> ath9k_hif_usb_firmware_cb+0x25f/0x4e0
> request_firmware_work_func+0x131/0x240
> process_one_work+0x92b/0x1460
> worker_thread+0x95/0xe00
> kthread+0x3a1/0x480
> page last free stack trace:
> free_pcp_prepare+0x3d3/0x7f0
> free_unref_page+0x1e/0x3d0
> device_release+0xa4/0x240
> kobject_put+0x186/0x4c0
> put_device+0x20/0x30
> ath9k_htc_disconnect_device+0x1cf/0x2c0
> ath9k_htc_hw_deinit+0x26/0x30
> ath9k_hif_usb_disconnect+0x2d9/0x3f0
> usb_unbind_interface+0x19b/0x7e0
> device_release_driver_internal+0x44d/0x520
> bus_remove_device+0x2e5/0x5a0
> device_del+0x5b2/0xe30
> usb_disable_device+0x1e3/0x5a0
> usb_disconnect+0x267/0x870
> hub_event+0x168d/0x3950
> process_one_work+0x92b/0x1460
>
> Memory state around the buggy address:
> ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>>ffff888106913280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ^
> ffff888106913300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888106913380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ==================================================================
>
> Reported-by: Dokyung Song <dokyungs@yonsei.ac.kr>
> Reported-by: Jisoo Jang <jisoo.jang@yonsei.ac.kr>
> Reported-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
> Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
next prev parent reply other threads:[~2022-12-05 13:12 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-05 1:43 [PATCH] ath9k: Fix use-after-free in ath9k_hif_usb_disconnect() Minsuk Kang
2022-12-05 13:12 ` Toke Høiland-Jørgensen [this message]
2022-12-08 17:59 ` Kalle Valo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=875yequh8a.fsf@toke.dk \
--to=toke@toke.dk \
--cc=dokyungs@yonsei.ac.kr \
--cc=jisoo.jang@yonsei.ac.kr \
--cc=linux-wireless@vger.kernel.org \
--cc=linuxlovemin@yonsei.ac.kr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).