From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alexander Coffin <alex.coffin@matician.com>,
Kalle Valo <kvalo@kernel.org>, Sasha Levin <sashal@kernel.org>,
aspriel@gmail.com, franky.lin@broadcom.com,
hante.meuleman@broadcom.com, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
pavel@loebl.cz, wsa+renesas@sang-engineering.com,
bigeasy@linutronix.de, wright.feng@cypress.com,
hdegoede@redhat.com, linux-wireless@vger.kernel.org,
brcm80211-dev-list.pdl@broadcom.com,
SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.19 32/73] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
Date: Sun, 9 Oct 2022 18:14:10 -0400 [thread overview]
Message-ID: <20221009221453.1216158-32-sashal@kernel.org> (raw)
In-Reply-To: <20221009221453.1216158-1-sashal@kernel.org>
From: Alexander Coffin <alex.coffin@matician.com>
[ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ]
> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
may be schedule, and then complete before the line
> ndev->stats.tx_bytes += skb->len;
[ 46.912801] ==================================================================
[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328
[ 46.935991]
[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1
[ 46.947255] Hardware name: [REDACTED]
[ 46.954568] Call trace:
[ 46.957037] dump_backtrace+0x0/0x2b8
[ 46.960719] show_stack+0x24/0x30
[ 46.964052] dump_stack+0x128/0x194
[ 46.967557] print_address_description.isra.0+0x64/0x380
[ 46.972877] __kasan_report+0x1d4/0x240
[ 46.976723] kasan_report+0xc/0x18
[ 46.980138] __asan_report_load4_noabort+0x18/0x20
[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0
[ 46.994894] sch_direct_xmit+0x198/0xd08
[ 46.998827] __qdisc_run+0x37c/0x1dc0
[ 47.002500] __dev_queue_xmit+0x1528/0x21f8
[ 47.006692] dev_queue_xmit+0x24/0x30
[ 47.010366] neigh_resolve_output+0x37c/0x678
[ 47.014734] ip_finish_output2+0x598/0x2458
[ 47.018927] __ip_finish_output+0x300/0x730
[ 47.023118] ip_output+0x2e0/0x430
[ 47.026530] ip_local_out+0x90/0x140
[ 47.030117] igmpv3_sendpack+0x14c/0x228
[ 47.034049] igmpv3_send_cr+0x384/0x6b8
[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118
[ 47.042262] call_timer_fn+0x1cc/0xbe8
[ 47.046021] __run_timers+0x4d8/0xb28
[ 47.049693] run_timer_softirq+0x24/0x40
[ 47.053626] __do_softirq+0x2c0/0x117c
[ 47.057387] irq_exit+0x2dc/0x388
[ 47.060715] __handle_domain_irq+0xb4/0x158
[ 47.064908] gic_handle_irq+0x58/0xb0
[ 47.068581] el0_irq_naked+0x50/0x5c
[ 47.072162]
[ 47.073665] Allocated by task 328:
[ 47.077083] save_stack+0x24/0xb0
[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0
[ 47.084776] kasan_slab_alloc+0x14/0x20
[ 47.088622] kmem_cache_alloc+0x15c/0x468
[ 47.092643] __alloc_skb+0xa4/0x498
[ 47.096142] igmpv3_newpack+0x158/0xd78
[ 47.099987] add_grhead+0x210/0x288
[ 47.103485] add_grec+0x6b0/0xb70
[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8
[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118
[ 47.115027] call_timer_fn+0x1cc/0xbe8
[ 47.118785] __run_timers+0x4d8/0xb28
[ 47.122457] run_timer_softirq+0x24/0x40
[ 47.126389] __do_softirq+0x2c0/0x117c
[ 47.130142]
[ 47.131643] Freed by task 180:
[ 47.134712] save_stack+0x24/0xb0
[ 47.138041] __kasan_slab_free+0x108/0x180
[ 47.142146] kasan_slab_free+0x10/0x18
[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0
[ 47.150444] kmem_cache_free+0x8c/0x528
[ 47.154292] kfree_skbmem+0x94/0x108
[ 47.157880] consume_skb+0x10c/0x5a8
[ 47.161466] __dev_kfree_skb_any+0x88/0xa0
[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]
[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac]
[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]
[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]
[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]
[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]
[ 47.197859] process_one_work+0x7fc/0x1a80
[ 47.201965] worker_thread+0x31c/0xc40
[ 47.205726] kthread+0x2d8/0x370
[ 47.208967] ret_from_fork+0x10/0x18
[ 47.212546]
[ 47.214051] The buggy address belongs to the object at ffffff803f588280
[ 47.214051] which belongs to the cache skbuff_head_cache of size 208
[ 47.227086] The buggy address is located 104 bytes inside of
[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350)
[ 47.238814] The buggy address belongs to the page:
[ 47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0
[ 47.255007] flags: 0x10200(slab|head)
[ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800
[ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000
[ 47.274180] page dumped because: kasan: bad access detected
[ 47.279752]
[ 47.281251] Memory state around the buggy address:
[ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.307723] ^
[ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 47.328789] ==================================================================
Signed-off-by: Alexander Coffin <alex.coffin@matician.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index 87aef211b35f..12ee8b7163fd 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -296,6 +296,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
struct brcmf_pub *drvr = ifp->drvr;
struct ethhdr *eh;
int head_delta;
+ unsigned int tx_bytes = skb->len;
brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
@@ -370,7 +371,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
ndev->stats.tx_dropped++;
} else {
ndev->stats.tx_packets++;
- ndev->stats.tx_bytes += skb->len;
+ ndev->stats.tx_bytes += tx_bytes;
}
/* Return ok: we always eat the packet */
--
2.35.1
next prev parent reply other threads:[~2022-10-09 22:28 UTC|newest]
Thread overview: 66+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20221009221453.1216158-1-sashal@kernel.org>
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 02/73] wifi: rtw88: phy: fix warning of possible buffer overflow Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 03/73] wifi: ath10k: Set tx credit to one for WCN3990 snoc based devices Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 04/73] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 06/73] ice: set tx_tstamps when creating new Tx rings via ethtool Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 07/73] net: ethernet: ti: davinci_mdio: Add workaround for errata i2329 Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 08/73] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 09/73] openvswitch: Fix overreporting " Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 10/73] net: dsa: all DSA masters must be down when changing the tagging protocol Sasha Levin
2022-10-10 11:53 ` Vladimir Oltean
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 11/73] net: mscc: ocelot: adjust forwarding domain for CPU ports in a LAG Sasha Levin
2022-10-10 11:58 ` Vladimir Oltean
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 12/73] tcp: annotate data-race around tcp_md5sig_pool_populated Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 13/73] micrel: ksz8851: fixes struct pointer issue Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 14/73] genetlink: hold read cb_lock during iteration of genl_fam_idr in genl_bind() Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 15/73] net: dsa: mv88e6xxx: Allow external SMI if serial Sasha Levin
2022-10-10 11:53 ` Vladimir Oltean
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 17/73] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 20/73] net: axienet: Switch to 64-bit RX/TX statistics Sasha Levin
2022-10-09 22:13 ` [PATCH AUTOSEL 5.19 21/73] net-next: Fix IP_UNICAST_IF option behavior for connected sockets Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 22/73] xfrm: Update ipcomp_scratches with NULL when freed Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 23/73] wifi: ath11k: Register shutdown handler for WCN6750 Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 24/73] rtw89: ser: leave lps with mutex Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 25/73] net: broadcom: Fix return type for implementation of Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 26/73] net: xscale: Fix return type for implementation of ndo_start_xmit Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 27/73] net: sunplus: " Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 28/73] net: lantiq_etop: " Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 29/73] netlink: Bounds-check struct nlmsgerr creation Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 30/73] net: ftmac100: fix endianness-related issues from 'sparse' Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 31/73] iavf: Fix race between iavf_close and iavf_reset_task Sasha Levin
2022-10-09 22:14 ` Sasha Levin [this message]
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 33/73] net: sparx5: fix function return type to match actual type Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 34/73] net: mscc: ocelot: report FIFO drop counters through stats->rx_dropped Sasha Levin
2022-10-10 11:58 ` Vladimir Oltean
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 37/73] wifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register() Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 38/73] wifi: mt76: mt7921: reset msta->airtime_ac while clearing up hw value Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 39/73] wifi: rtw89: free unused skb to prevent memory leak Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 40/73] wifi: rtw89: fix rx filter after scan Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 41/73] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 42/73] net: ax88796c: Fix return type of ax88796c_start_xmit Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 43/73] net: davicom: Fix return type of dm9000_start_xmit Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 44/73] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 45/73] net: ethernet: litex: Fix return type of liteeth_start_xmit Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 46/73] net: korina: Fix return type of korina_send_packet Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 47/73] net: wwan: iosm: Fix return type of ipc_wwan_link_transmit Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 48/73] net: wwan: t7xx: Fix return type of t7xx_ccmni_start_xmit Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 49/73] net: sfp: re-implement soft state polling setup Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 50/73] net: sfp: move quirk handling into sfp.c Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 51/73] net: sfp: move Alcatel Lucent 3FE46541AA fixup Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 52/73] net/sched: taprio: taprio_dump and taprio_change are protected by rtnl_mutex Sasha Levin
2022-10-10 11:58 ` Vladimir Oltean
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 53/73] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 54/73] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 55/73] bnxt_en: replace reset with config timestamps Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 57/73] can: bcm: check the result of can_send() in bcm_can_tx() Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 58/73] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 59/73] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 60/73] wifi: rt2x00: set VGC gain for both chains of MT7620 Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 61/73] wifi: rt2x00: set SoC wmac clock register Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 62/73] wifi: rt2x00: correctly set BBP register 86 for MT7620 Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 64/73] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 66/73] bpf: use bpf_prog_pack for bpf_dispatcher Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 67/73] Bluetooth: L2CAP: Fix user-after-free Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 68/73] net: sched: cls_u32: Avoid memcpy() false-positive warning Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 71/73] net: sparx5: Fix return type of sparx5_port_xmit_impl Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 72/73] net: lan966x: Fix return type of lan966x_port_xmit Sasha Levin
2022-10-09 22:14 ` [PATCH AUTOSEL 5.19 73/73] r8152: Rate limit overflow messages Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221009221453.1216158-32-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=SHA-cyfmac-dev-list@infineon.com \
--cc=alex.coffin@matician.com \
--cc=aspriel@gmail.com \
--cc=bigeasy@linutronix.de \
--cc=brcm80211-dev-list.pdl@broadcom.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=franky.lin@broadcom.com \
--cc=hante.meuleman@broadcom.com \
--cc=hdegoede@redhat.com \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pavel@loebl.cz \
--cc=stable@vger.kernel.org \
--cc=wright.feng@cypress.com \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).