From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Qiujun Huang <hqjagain@gmail.com>,
syzbot+5d338854440137ea0fef@syzkaller.appspotmail.com,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 23/72] ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
Date: Mon, 8 Jun 2020 19:24:11 -0400 [thread overview]
Message-ID: <20200608232500.3369581-23-sashal@kernel.org> (raw)
In-Reply-To: <20200608232500.3369581-1-sashal@kernel.org>
From: Qiujun Huang <hqjagain@gmail.com>
[ Upstream commit abeaa85054ff8cfe8b99aafc5c70ea067e5d0908 ]
Free wmi later, after the cmd URB has been killed, because the URB completion callback still accesses wmi.
The case reported by syzbot:
https://lore.kernel.org/linux-usb/0000000000000002fc05a1d61a68@google.com
BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500
drivers/net/wireless/ath/ath9k/wmi.c:215
Read of size 1 at addr ffff8881cef1417c by task swapper/1/0
Call Trace:
<IRQ>
ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
ath9k_htc_rx_msg+0x2da/0xaf0
drivers/net/wireless/ath/ath9k/htc_hst.c:459
ath9k_hif_usb_reg_in_cb+0x1ba/0x630
drivers/net/wireless/ath/ath9k/hif_usb.c:718
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
Reported-and-tested-by: syzbot+5d338854440137ea0fef@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200404041838.10426-3-hqjagain@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 5 +++--
drivers/net/wireless/ath/ath9k/hif_usb.h | 1 +
drivers/net/wireless/ath/ath9k/htc_drv_init.c | 10 +++++++---
drivers/net/wireless/ath/ath9k/wmi.c | 5 ++++-
drivers/net/wireless/ath/ath9k/wmi.h | 3 ++-
5 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 4399e1ebac15..805d88ecc7ac 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -976,7 +976,7 @@ static int ath9k_hif_usb_alloc_urbs(struct hif_device_usb *hif_dev)
return -ENOMEM;
}
-static void ath9k_hif_usb_dealloc_urbs(struct hif_device_usb *hif_dev)
+void ath9k_hif_usb_dealloc_urbs(struct hif_device_usb *hif_dev)
{
usb_kill_anchored_urbs(&hif_dev->regout_submitted);
ath9k_hif_usb_dealloc_reg_in_urbs(hif_dev);
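Review bot: Dropping `static` from `ath9k_hif_usb_dealloc_urbs()` turns it into part of the HIF's cross-file interface, yet the definition still carries no comment saying what a caller may rely on, and the new caller in htc_drv_init.c relies on it for correctness (no URB completion may run after it returns). A comment above the definition should state that contract, e.g. `/* Kill every in-flight URB and free the URB pools; on return no HIF completion handler can still run, so per-device state such as priv->wmi may be freed. */`. Whether the function is safe to call a second time on an already torn-down device is not visible here (the body continues past the hunk), and an out-of-file caller on an error path makes that question worth answering in the same comment.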
@@ -1344,8 +1344,9 @@ static void ath9k_hif_usb_disconnect(struct usb_interface *interface)
if (hif_dev->flags & HIF_USB_READY) {
ath9k_htc_hw_deinit(hif_dev->htc_handle, unplugged);
- ath9k_htc_hw_free(hif_dev->htc_handle);
ath9k_hif_usb_dev_deinit(hif_dev);
+ ath9k_destoy_wmi(hif_dev->htc_handle->drv_priv);
+ ath9k_htc_hw_free(hif_dev->htc_handle);
}
usb_set_intfdata(interface, NULL);
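Review bot: The new `ath9k_destoy_wmi(hif_dev->htc_handle->drv_priv)` dereferences `drv_priv` after `ath9k_htc_hw_deinit()` has already run, and if that call reaches `ath9k_htc_disconnect_device()` (the name suggests so; not visible in this hunk) it has by then called `ieee80211_free_hw()` on the hw whose private area is `drv_priv` itself, so unless something still holds a wiphy reference the pointer read here is dangling. The reordering does fix the URB-callback race the commit describes, but it should not need to touch priv after the hw is released: snapshot the WMI pointer first, `struct wmi *wmi = hif_dev->htc_handle->drv_priv->wmi;` before `ath9k_htc_hw_deinit()`, and `kfree(wmi)` after `ath9k_hif_usb_dev_deinit()`. That means the destroy helper taking a `struct wmi *` rather than the priv, or open-coding the free here with a comment on why it must follow the URB teardown. The enclosing function continues outside the hunk.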
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h
index 7846916aa01d..a94e7e1c86e9 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
@@ -133,5 +133,6 @@ struct hif_device_usb {
int ath9k_hif_usb_init(void);
void ath9k_hif_usb_exit(void);
+void ath9k_hif_usb_dealloc_urbs(struct hif_device_usb *hif_dev);
#endif /* HTC_USB_H */
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
index da2164b0cccc..66ef5cf16450 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -933,8 +933,9 @@ static int ath9k_init_device(struct ath9k_htc_priv *priv,
int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev,
u16 devid, char *product, u32 drv_info)
{
- struct ieee80211_hw *hw;
+ struct hif_device_usb *hif_dev;
struct ath9k_htc_priv *priv;
+ struct ieee80211_hw *hw;
int ret;
hw = ieee80211_alloc_hw(sizeof(struct ath9k_htc_priv), &ath9k_htc_ops);
@@ -969,7 +970,10 @@ int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev,
return 0;
err_init:
- ath9k_deinit_wmi(priv);
+ ath9k_stop_wmi(priv);
+ hif_dev = (struct hif_device_usb *)htc_handle->hif_dev;
+ ath9k_hif_usb_dealloc_urbs(hif_dev);
+ ath9k_destoy_wmi(priv);
err_free:
ieee80211_free_hw(hw);
return ret;
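Review bot: The `err_init` path now reaches across layers into the USB HIF with `hif_dev = (struct hif_device_usb *)htc_handle->hif_dev;` followed by `ath9k_hif_usb_dealloc_urbs(hif_dev);`, so HTC-layer probe failure tears down transport buffers that the HIF layer allocated. If the HIF code that invoked `ath9k_htc_probe_device()` also deallocates URBs when this function fails (not visible here), the same lists are walked twice and `ath9k_hif_usb_dealloc_urbs()` must be idempotent; either way the reason for the call belongs at the call site, e.g. `/* kill in-flight cmd URBs before freeing wmi: their completion handlers read priv->wmi */`. If `htc_target.hif_dev` is declared `void *`, the explicit cast adds nothing in C and can be dropped.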
@@ -984,7 +988,7 @@ void ath9k_htc_disconnect_device(struct htc_target *htc_handle, bool hotunplug)
htc_handle->drv_priv->ah->ah_flags |= AH_UNPLUGGED;
ath9k_deinit_device(htc_handle->drv_priv);
- ath9k_deinit_wmi(htc_handle->drv_priv);
+ ath9k_stop_wmi(htc_handle->drv_priv);
ieee80211_free_hw(htc_handle->drv_priv->hw);
}
}
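Review bot: After this change `ath9k_htc_disconnect_device()` only marks WMI stopped and frees the hw, while the `struct wmi` itself is now freed by whoever called it, and nothing in the function records that split of ownership. Add a comment above the `ath9k_stop_wmi()` call, e.g. `/* Only stop WMI here: in-flight URB completions still read it. The HIF caller kills its URBs and then frees wmi via ath9k_destoy_wmi(). */`. Note too that `ieee80211_free_hw(htc_handle->drv_priv->hw)` releases the hw whose private area is `drv_priv` (see the `ieee80211_alloc_hw(sizeof(struct ath9k_htc_priv), ...)` earlier in this file) but leaves `htc_handle->drv_priv` pointing at it, so a caller that later passes `drv_priv` to `ath9k_destoy_wmi()` must capture what it needs before this runs.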
diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index 64a354fa78ab..f57f48e4d7a0 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -112,14 +112,17 @@ struct wmi *ath9k_init_wmi(struct ath9k_htc_priv *priv)
return wmi;
}
-void ath9k_deinit_wmi(struct ath9k_htc_priv *priv)
+void ath9k_stop_wmi(struct ath9k_htc_priv *priv)
{
struct wmi *wmi = priv->wmi;
mutex_lock(&wmi->op_mutex);
wmi->stopped = true;
mutex_unlock(&wmi->op_mutex);
+}
+void ath9k_destoy_wmi(struct ath9k_htc_priv *priv)
+{
kfree(priv->wmi);
}
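Review bot: `ath9k_destoy_wmi` is misspelled (destroy), and the typo is now replicated in wmi.h and two call sites, so it is worth correcting before it hardens into an exported name. Neither new function documents the sequencing the split exists to enforce; suggest above `ath9k_stop_wmi`: `/* Mark WMI stopped so no new commands are issued. The struct stays allocated because in-flight URB completions still read it. */` and above the destroy function: `/* Free the WMI state. Call only after the HIF has killed every URB whose completion handler can reach priv->wmi, and while priv itself is still allocated. */`. The last clause matters because the function obtains the pointer through `priv->wmi`, so a caller that has already released priv cannot use it safely.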
diff --git a/drivers/net/wireless/ath/ath9k/wmi.h b/drivers/net/wireless/ath/ath9k/wmi.h
index 380175d5ecd7..d8b912206232 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.h
+++ b/drivers/net/wireless/ath/ath9k/wmi.h
@@ -179,7 +179,6 @@ struct wmi {
};
struct wmi *ath9k_init_wmi(struct ath9k_htc_priv *priv);
-void ath9k_deinit_wmi(struct ath9k_htc_priv *priv);
int ath9k_wmi_connect(struct htc_target *htc, struct wmi *wmi,
enum htc_endpoint_id *wmi_ctrl_epid);
int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
@@ -189,6 +188,8 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
void ath9k_wmi_event_tasklet(unsigned long data);
void ath9k_fatal_work(struct work_struct *work);
void ath9k_wmi_event_drain(struct ath9k_htc_priv *priv);
+void ath9k_stop_wmi(struct ath9k_htc_priv *priv);
+void ath9k_destoy_wmi(struct ath9k_htc_priv *priv);
#define WMI_CMD(_wmi_cmd) \
do { \
--
2.25.1