From: Kalle Valo
To: Pavel Skripkin
Cc: toke@toke.dk, ath9k-devel@qca.qualcomm.com, kuba@kernel.org, linville@tuxdriver.com, Sujith.Manoharan@atheros.com,
    syzbot+03110230a11411024147@syzkaller.appspotmail.com, syzbot+c6dde1f690b60e0b9fbe@syzkaller.appspotmail.com, linux-wireless@vger.kernel.org
Subject: Re: [PATCH v2 1/2] ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
Date: Mon, 07 Feb 2022 10:16:26 +0200
In-Reply-To: (Pavel Skripkin's message of "Sat, 5 Feb 2022 16:09:15 +0300")
Message-ID: <87sfsvay79.fsf@kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org

Pavel Skripkin writes:

> Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb(). The
> problem was in incorrect htc_handle->drv_priv initialization.
>
> Probable call trace which can trigger use-after-free:
>
> ath9k_htc_probe_device()
>   /* htc_handle->drv_priv = priv; */
>   ath9k_htc_wait_for_target()      <--- Failed
>   ieee80211_free_hw()              <--- priv pointer is freed
>
> ...
>
> ath9k_hif_usb_rx_cb()
>   ath9k_hif_usb_rx_stream()
>     RX_STAT_INC()                  <--- htc_handle->drv_priv access
>
> In order to not add fancy protection for drv_priv we can move
> htc_handle->drv_priv initialization to the end of
> ath9k_htc_probe_device() and add a helper macro to make
> all *_STAT_* macros NULL safe.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Reported-and-tested-by: syzbot+03110230a11411024147@syzkaller.appspotmail.com
> Reported-and-tested-by: syzbot+c6dde1f690b60e0b9fbe@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin
> ---
>
> Changes from v1:
> - Removed clean-ups and moved them to 2/2

You forgot to CC linux-wireless so patchwork won't see it. Please submit
v3 and include linux-wireless.

-- 
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
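The ordering bug described in the quoted commit message, modelled in plain userspace C as an added illustration. This is not code from the ath9k driver or from the patch under discussion: `struct htc_handle`, `struct drv_priv`, `probe_device_buggy()`, `probe_device_fixed()`, `rx_cb()` and the `demo_*` helpers are simplified stand-ins for htc_handle, ath9k_htc_priv, ath9k_htc_probe_device() and ath9k_hif_usb_rx_cb(), and `wait_for_target()` is a hypothetical switch for the failure path. It shows the two halves of the fix the message names: publishing `drv_priv` only as the last step of probe, and a `RX_STAT_INC` that tolerates a NULL `drv_priv` so an RX completion arriving during a failed probe cannot touch freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Stand-in for the RX counters kept in the driver's private data. */
struct rx_stats {
	unsigned long skb_allocated;
};

/* Stand-in for ath9k_htc_priv (assumed layout, not the driver's). */
struct drv_priv {
	struct rx_stats rx;
};

/* Stand-in for htc_handle: shared between probe and the USB RX path. */
struct htc_handle {
	struct drv_priv *drv_priv;
};

/* Shape of the original macro: dereferences drv_priv unconditionally,
 * so a dangling drv_priv is a use-after-free. Kept for comparison only. */
#define RX_STAT_INC_UNSAFE(h, c) ((h)->drv_priv->rx.c++)

/* NULL-safe shape: read drv_priv once, skip the update while the device
 * is not fully probed. */
#define RX_STAT_INC(h, c)						\
	do {								\
		struct drv_priv *stat_priv = (h)->drv_priv;		\
		if (stat_priv)						\
			stat_priv->rx.c++;				\
	} while (0)

/* Hypothetical stand-in for ath9k_htc_wait_for_target(). */
static int wait_for_target(bool fail)
{
	return fail ? -1 : 0;
}

/* Buggy ordering from the report: publish first, free on failure,
 * never clear. Returns 0 on success, -1 on failure. */
static int probe_device_buggy(struct htc_handle *h, bool fail)
{
	struct drv_priv *priv = calloc(1, sizeof(*priv));
	if (!priv)
		return -1;
	h->drv_priv = priv;		/* published before init finished */
	if (wait_for_target(fail) < 0) {
		free(priv);		/* h->drv_priv now dangles */
		return -1;
	}
	return 0;
}

/* Fixed ordering: drv_priv is assigned only once probe cannot fail. */
static int probe_device_fixed(struct htc_handle *h, bool fail)
{
	struct drv_priv *priv = calloc(1, sizeof(*priv));
	if (!priv)
		return -1;
	if (wait_for_target(fail) < 0) {
		free(priv);		/* h->drv_priv was never set */
		return -1;
	}
	h->drv_priv = priv;		/* last step of probe */
	return 0;
}

/* Stand-in for the RX completion handler; may run while probe fails. */
static void rx_cb(struct htc_handle *h)
{
	RX_STAT_INC(h, skb_allocated);
}

/* Fixed probe fails, then a late RX completion arrives.
 * Returns 1 if drv_priv stayed NULL and rx_cb() ran without a deref. */
static int demo_fixed_probe_failure(void)
{
	struct htc_handle h = { .drv_priv = NULL };
	if (probe_device_fixed(&h, true) != -1)
		return 0;
	rx_cb(&h);			/* takes the NULL branch */
	return h.drv_priv == NULL;
}

/* Fixed probe succeeds; counters still work. Returns the count after
 * two completions. */
static unsigned long demo_fixed_probe_success(void)
{
	struct htc_handle h = { .drv_priv = NULL };
	unsigned long n;
	if (probe_device_fixed(&h, false) != 0)
		return 0;
	rx_cb(&h);
	rx_cb(&h);
	n = h.drv_priv->rx.skb_allocated;
	free(h.drv_priv);
	h.drv_priv = NULL;
	return n;
}

/* Buggy probe fails. Returns 1 if drv_priv still holds the freed pointer,
 * the state in which a later rx_cb() is the reported use-after-free.
 * The pointer is compared, never dereferenced. */
static int demo_buggy_probe_dangles(void)
{
	struct htc_handle h = { .drv_priv = NULL };
	if (probe_device_buggy(&h, true) != -1)
		return 0;
	return h.drv_priv != NULL;
}

int main(void)
{
	return (demo_fixed_probe_failure() == 1 &&
		demo_fixed_probe_success() == 2 &&
		demo_buggy_probe_dangles() == 1) ? 0 : 1;
}
```

The model deliberately never calls `RX_STAT_INC_UNSAFE` on the dangling handle; under KASAN in the real driver that dereference is the "use-after-free Read" syzbot reported. Moving the assignment alone closes the probe-failure window, and the NULL check in the macro covers any other path where an RX completion can observe a handle whose private data has not been (or is no longer) attached.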