From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Carl Huang <cjhuang@codeaurora.org>,
Brian Norris <briannorris@chromium.org>,
Kalle Valo <kvalo@codeaurora.org>,
Amit Pundir <amit.pundir@linaro.org>
Subject: [PATCH 4.14 30/45] ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
Date: Thu, 11 Oct 2018 17:39:57 +0200 [thread overview]
Message-ID: <20181011152510.203844200@linuxfoundation.org> (raw)
In-Reply-To: <20181011152508.885515042@linuxfoundation.org>
4.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carl Huang <cjhuang@codeaurora.org>
commit 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac upstream.
The skb may be freed in tx completion context before
trace_ath10k_wmi_cmd is called. This can be easily captured when
KASAN(Kernel Address Sanitizer) is enabled. The fix is to move
trace_ath10k_wmi_cmd before the send operation. As the ret has no
meaning in trace_ath10k_wmi_cmd then, so remove this parameter too.
Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
Tested-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/ath/ath10k/trace.h | 12 ++++--------
drivers/net/wireless/ath/ath10k/wmi.c | 2 +-
2 files changed, 5 insertions(+), 9 deletions(-)
--- a/drivers/net/wireless/ath/ath10k/trace.h
+++ b/drivers/net/wireless/ath/ath10k/trace.h
@@ -152,10 +152,9 @@ TRACE_EVENT(ath10k_log_dbg_dump,
);
TRACE_EVENT(ath10k_wmi_cmd,
- TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len,
- int ret),
+ TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len),
- TP_ARGS(ar, id, buf, buf_len, ret),
+ TP_ARGS(ar, id, buf, buf_len),
TP_STRUCT__entry(
__string(device, dev_name(ar->dev))
@@ -163,7 +162,6 @@ TRACE_EVENT(ath10k_wmi_cmd,
__field(unsigned int, id)
__field(size_t, buf_len)
__dynamic_array(u8, buf, buf_len)
- __field(int, ret)
),
TP_fast_assign(
@@ -171,17 +169,15 @@ TRACE_EVENT(ath10k_wmi_cmd,
__assign_str(driver, dev_driver_string(ar->dev));
__entry->id = id;
__entry->buf_len = buf_len;
- __entry->ret = ret;
memcpy(__get_dynamic_array(buf), buf, buf_len);
),
TP_printk(
- "%s %s id %d len %zu ret %d",
+ "%s %s id %d len %zu",
__get_str(driver),
__get_str(device),
__entry->id,
- __entry->buf_len,
- __entry->ret
+ __entry->buf_len
)
);
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -1741,8 +1741,8 @@ int ath10k_wmi_cmd_send_nowait(struct at
cmd_hdr->cmd_id = __cpu_to_le32(cmd);
memset(skb_cb, 0, sizeof(*skb_cb));
+ trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len);
ret = ath10k_htc_send(&ar->htc, ar->wmi.eid, skb);
- trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len, ret);
if (ret)
goto err_pull;
next prev parent reply other threads:[~2018-10-11 23:13 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-11 15:39 [PATCH 4.14 00/45] 4.14.76-stable review Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 01/45] perf/core: Add sanity check to deal with pinned event failure Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 02/45] mm: migration: fix migration of huge PMD shared pages Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 03/45] mm, thp: fix mlocking THP page with migration enabled Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 04/45] mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 05/45] KVM: x86: fix L1TFs MMIO GFN calculation Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 06/45] blk-mq: I/O and timer unplugs are inverted in blktrace Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 07/45] clocksource/drivers/timer-atmel-pit: Properly handle error cases Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 08/45] fbdev/omapfb: fix omapfb_memory_read infoleak Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 09/45] xen-netback: fix input validation in xenvif_set_hash_mapping() Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 10/45] drm/amdgpu: Fix vce work queue was not cancelled when suspend Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 11/45] drm/syncobj: Dont leak fences when WAIT_FOR_SUBMIT is set Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 12/45] x86/vdso: Fix asm constraints on vDSO syscall fallbacks Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 13/45] selftests/x86: Add clock_gettime() tests to test_vdso Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 14/45] x86/vdso: Only enable vDSO retpolines when enabled and supported Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 15/45] x86/vdso: Fix vDSO syscall fallback asm constraint regression Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 16/45] PCI: Reprogram bridge prefetch registers on resume Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 17/45] mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 18/45] PM / core: Clear the direct_complete flag on errors Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 19/45] dm cache metadata: ignore hints array being too small during resize Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 20/45] dm cache: fix resize crash if user doesnt reload cache table Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 21/45] xhci: Add missing CAS workaround for Intel Sunrise Point xHCI Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 22/45] usb: xhci-mtk: resume USB3 roothub first Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 23/45] USB: serial: simple: add Motorola Tetra MTP6550 id Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 24/45] usb: cdc_acm: Do not leak URB buffers Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 25/45] tty: Drop tty->count on tty_reopen() failure Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 26/45] of: unittest: Disable interrupt node tests for old world MAC systems Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 27/45] perf annotate: Use asprintf when formatting objdump command line Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 28/45] perf tools: Fix python extension build for gcc 8 Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 29/45] cgroup/cpuset: remove circular dependency deadlock Greg Kroah-Hartman
2018-10-11 19:33 ` Sudip Mukherjee
2018-10-12 11:05 ` Greg Kroah-Hartman
2018-10-16 18:46 ` Amit Pundir
2018-10-11 15:39 ` Greg Kroah-Hartman [this message]
2018-10-11 15:39 ` [PATCH 4.14 31/45] ath10k: fix kernel panic issue during pci probe Greg Kroah-Hartman
2018-10-11 15:39 ` [PATCH 4.14 32/45] nvme_fc: fix ctrl create failures racing with workq items Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 33/45] powerpc/lib/code-patching: refactor patch_instruction() Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 34/45] powerpc: Avoid code patching freed init sections Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 35/45] powerpc/lib: fix book3s/32 boot failure due to code patching Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 36/45] ARC: clone syscall to setp r25 as thread pointer Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 37/45] crypto: chelsio - Fix memory corruption in DMA Mapped buffers Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 38/45] perf utils: Move is_directory() to path.h Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 39/45] f2fs: fix invalid memory access Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 40/45] ucma: fix a use-after-free in ucma_resolve_ip() Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 41/45] ubifs: Check for name being NULL while mounting Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 42/45] rds: rds_ib_recv_alloc_cache() should call alloc_percpu_gfp() instead Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 43/45] virtio_balloon: fix deadlock on OOM Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 44/45] virtio_balloon: fix increment of vb->num_pfns in fill_balloon() Greg Kroah-Hartman
2018-10-11 15:40 ` [PATCH 4.14 45/45] ath10k: fix scan crash due to incorrect length calculation Greg Kroah-Hartman
2018-10-11 22:37 ` [PATCH 4.14 00/45] 4.14.76-stable review Shuah Khan
2018-10-12 4:27 ` Naresh Kamboju
2018-10-12 7:50 ` Jon Hunter
2018-10-12 10:24 ` Greg Kroah-Hartman
2018-10-12 15:43 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181011152510.203844200@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=amit.pundir@linaro.org \
--cc=briannorris@chromium.org \
--cc=cjhuang@codeaurora.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).