From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Brooke Basile <brookebasile@gmail.com>,
syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.8 057/101] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()
Date: Sun, 18 Oct 2020 15:19:42 -0400 [thread overview]
Message-ID: <20201018192026.4053674-57-sashal@kernel.org> (raw)
In-Reply-To: <20201018192026.4053674-1-sashal@kernel.org>
From: Brooke Basile <brookebasile@gmail.com>
[ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ]
Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor
systems create a race condition in which usb_kill_anchored_urbs() deallocates
the URB before the completer callback is called in usb_kill_urb(), resulting
in a use-after-free.
To fix this, add proper lock protection to usb_kill_urb() calls that can
possibly run concurrently with usb_kill_anchored_urbs().
Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf
Signed-off-by: Brooke Basile <brookebasile@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 3f563e02d17da..2ed98aaed6fb5 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -449,10 +449,19 @@ static void hif_usb_stop(void *hif_handle)
spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
/* The pending URBs have to be canceled. */
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
list_for_each_entry_safe(tx_buf, tx_buf_tmp,
&hif_dev->tx.tx_pending, list) {
+ usb_get_urb(tx_buf->urb);
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
usb_kill_urb(tx_buf->urb);
+ list_del(&tx_buf->list);
+ usb_free_urb(tx_buf->urb);
+ kfree(tx_buf->buf);
+ kfree(tx_buf);
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
}
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
usb_kill_anchored_urbs(&hif_dev->mgmt_submitted);
}
@@ -762,27 +771,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL;
unsigned long flags;
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
list_for_each_entry_safe(tx_buf, tx_buf_tmp,
&hif_dev->tx.tx_buf, list) {
+ usb_get_urb(tx_buf->urb);
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
usb_kill_urb(tx_buf->urb);
list_del(&tx_buf->list);
usb_free_urb(tx_buf->urb);
kfree(tx_buf->buf);
kfree(tx_buf);
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
}
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
hif_dev->tx.flags |= HIF_USB_TX_FLUSH;
spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
list_for_each_entry_safe(tx_buf, tx_buf_tmp,
&hif_dev->tx.tx_pending, list) {
+ usb_get_urb(tx_buf->urb);
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
usb_kill_urb(tx_buf->urb);
list_del(&tx_buf->list);
usb_free_urb(tx_buf->urb);
kfree(tx_buf->buf);
kfree(tx_buf);
+ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
}
+ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
usb_kill_anchored_urbs(&hif_dev->mgmt_submitted);
}
--
2.25.1
next prev parent reply other threads:[~2020-10-18 19:50 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20201018192026.4053674-1-sashal@kernel.org>
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 033/101] ipv6/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 035/101] ip_gre: set dev->hard_header_len and dev->needed_headroom properly Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 036/101] mac80211: handle lack of sband->bitrates in rates Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 039/101] bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 047/101] rtw88: pci: Power cycle device during shutdown Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 050/101] rtw88: increse the size of rx buffer size Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 051/101] selftests/bpf: Fix overflow tests to reflect iter size increase Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 055/101] can: flexcan: flexcan_chip_stop(): add error handling and propagate error value Sasha Levin
2020-10-18 19:19 ` Sasha Levin [this message]
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 061/101] bpf: Limit caller's stack depth 256 for subprogs with tailcalls Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 068/101] Bluetooth: Only mark socket zapped after unlocking Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 073/101] selftests/bpf: Fix test_sysctl_loop{1, 2} failure due to clang change Sasha Levin
2020-10-18 19:19 ` [PATCH AUTOSEL 5.8 074/101] brcmsmac: fix memory leak in wlc_phy_attach_lcnphy Sasha Levin
2020-10-18 19:20 ` [PATCH AUTOSEL 5.8 075/101] rtl8xxxu: prevent potential memory leak Sasha Levin
2020-10-18 19:20 ` [PATCH AUTOSEL 5.8 086/101] ipvs: Fix uninit-value in do_ip_vs_set_ctl() Sasha Levin
2020-10-18 19:20 ` [PATCH AUTOSEL 5.8 089/101] mwifiex: don't call del_timer_sync() on uninitialized timer Sasha Levin
2020-10-18 19:20 ` [PATCH AUTOSEL 5.8 095/101] brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach Sasha Levin
2020-10-18 19:20 ` [PATCH AUTOSEL 5.8 101/101] ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20201018192026.4053674-57-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=brookebasile@gmail.com \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).