stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com,
	Johannes Berg <johannes@sipsolutions.net>,
	Siddh Raman Pant <code@siddh.me>,
	Johannes Berg <johannes.berg@intel.com>
Subject: [PATCH 5.15 091/107] wifi: mac80211: Fix UAF in ieee80211_scan_rx()
Date: Tue,  6 Sep 2022 15:31:12 +0200	[thread overview]
Message-ID: <20220906132825.673203768@linuxfoundation.org> (raw)
In-Reply-To: <20220906132821.713989422@linuxfoundation.org>

From: Siddh Raman Pant <code@siddh.me>

commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c upstream.

ieee80211_scan_rx() tries to access scan_req->flags after a
null check, but a UAF is observed when the scan is completed
and __ieee80211_scan_completed() executes, which then calls
cfg80211_scan_done() leading to the freeing of scan_req.

Since scan_req is rcu_dereference()'d, prevent the racing in
__ieee80211_scan_completed() by ensuring that from mac80211's
POV it is no longer accessed from an RCU read critical section
before we call cfg80211_scan_done().

Cc: stable@vger.kernel.org
Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d
Reported-by: syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Siddh Raman Pant <code@siddh.me>
Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/scan.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -461,16 +461,19 @@ static void __ieee80211_scan_completed(s
 	scan_req = rcu_dereference_protected(local->scan_req,
 					     lockdep_is_held(&local->mtx));
 
-	if (scan_req != local->int_scan_req) {
-		local->scan_info.aborted = aborted;
-		cfg80211_scan_done(scan_req, &local->scan_info);
-	}
 	RCU_INIT_POINTER(local->scan_req, NULL);
 	RCU_INIT_POINTER(local->scan_sdata, NULL);
 
 	local->scanning = 0;
 	local->scan_chandef.chan = NULL;
 
+	synchronize_rcu();
+
+	if (scan_req != local->int_scan_req) {
+		local->scan_info.aborted = aborted;
+		cfg80211_scan_done(scan_req, &local->scan_info);
+	}
+
 	/* Set power back to normal operating levels. */
 	ieee80211_hw_config(local, 0);
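Review bot: the synchronize_rcu() inserted between `local->scan_chandef.chan = NULL;` and the relocated `if (scan_req != local->int_scan_req)` block carries no comment, so a later reader of __ieee80211_scan_completed() will not see why a full grace period sits between clearing local->scan_req and cfg80211_scan_done(); a one-liner such as `/* let ieee80211_scan_rx() readers drop scan_req before cfg80211 frees it */` would preserve the reasoning from the commit message at the point it matters. The ordering itself is the right one for this pattern (unpublish with RCU_INIT_POINTER(..., NULL), wait, then free), and sleeping in synchronize_rcu() is acceptable here because `lockdep_is_held(&local->mtx)` two lines above the hunk already implies process context, but anyone later calling this path under a spinlock or from softirq context would break that. Note also that the grace period is now paid unconditionally, including when `scan_req == local->int_scan_req`, where nothing is handed to cfg80211_scan_done() and nothing is freed; moving synchronize_rcu() inside the `if` block would confine the wait to the path that actually frees the request, and either placement deserves the comment.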
 



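The race the commit message describes, and why the added grace period closes it, as an added stand-alone C model that is not kernel code and not part of the patch. A single-threaded scheduler interleaves a reader modelled on ieee80211_scan_rx() with a writer modelled on __ieee80211_scan_completed(), once with the pre-patch ordering (cfg80211_scan_done() first, pointer cleared after) and once with the post-patch ordering (pointer cleared, synchronize_rcu(), then cfg80211_scan_done()). `struct scan_request`, the `toy_*` helpers, `reader_step()`, `writer_step()` and `run_race()` are stand-ins invented for this illustration; the fake free poisons the object instead of calling free() so the use-after-free is observable rather than undefined behaviour, and the reader counter is a simplification of RCU, which only waits for readers that entered their critical section before the grace period began.

```c
/* Added illustration, not kernel code: single-threaded model of the
 * ieee80211_scan_rx() / __ieee80211_scan_completed() race and of the
 * unpublish -> synchronize_rcu() -> free ordering that fixes it. */
#include <stdio.h>
#include <string.h>

struct scan_request {		/* stand-in for cfg80211_scan_request */
	unsigned int flags;
	int freed;		/* poison bit set by the fake free below */
};

static struct scan_request *scan_req;	/* models local->scan_req */
static int rcu_readers;			/* open read-side critical sections */

static void toy_rcu_read_lock(void)   { rcu_readers++; }
static void toy_rcu_read_unlock(void) { rcu_readers--; }

/* Real synchronize_rcu() sleeps until pre-existing readers have left
 * their critical sections.  Single-threaded here, so it only reports
 * whether the grace period has elapsed; the scheduler retries later. */
static int toy_synchronize_rcu(void) { return rcu_readers == 0; }

/* Stand-in for cfg80211_scan_done(): the request object goes away.
 * Poison instead of free() so a later access is detectable, not UB. */
static void toy_cfg80211_scan_done(struct scan_request *req)
{
	memset(req, 0xa5, sizeof(*req));
	req->freed = 1;
}

/* Reader task modelled on ieee80211_scan_rx(): NULL-check under
 * rcu_read_lock(), then touch scan_req->flags.  Returns 1 on progress. */
static struct scan_request *reader_req;
static int reader_pc, uaf_seen;

static int reader_step(void)
{
	switch (reader_pc++) {
	case 0:
		toy_rcu_read_lock();
		reader_req = scan_req;		/* rcu_dereference() */
		if (!reader_req) {		/* the NULL check in scan_rx */
			toy_rcu_read_unlock();
			reader_pc = 3;
		}
		return 1;
	case 1:
		if (reader_req->freed)		/* the scan_req->flags access */
			uaf_seen = 1;
		else
			(void)reader_req->flags;
		return 1;
	case 2:
		toy_rcu_read_unlock();
		return 1;
	default:
		return 0;
	}
}

/* Writer task modelled on __ieee80211_scan_completed(); 'fixed' selects
 * the post-patch ordering.  Returns 1 on progress, 0 when done or blocked. */
static int writer_pc;

static int writer_step(struct scan_request *req, int fixed)
{
	if (!fixed) {
		/* Pre-patch: free first, clear the RCU pointer afterwards. */
		switch (writer_pc) {
		case 0: toy_cfg80211_scan_done(req); writer_pc = 1; return 1;
		case 1: scan_req = NULL;             writer_pc = 2; return 1;
		default: return 0;
		}
	}
	/* Post-patch: unpublish, wait out a grace period, then free. */
	switch (writer_pc) {
	case 0: scan_req = NULL;                 writer_pc = 1; return 1;
	case 1: if (!toy_synchronize_rcu()) return 0;	/* still blocked */
		writer_pc = 2;                   return 1;
	case 2: toy_cfg80211_scan_done(req);     writer_pc = 3; return 1;
	default: return 0;
	}
}

/* Adversarial schedule: the reader loads the pointer, the writer runs
 * as far as it can, the reader resumes, the writer finishes.
 * Returns 1 if the reader touched freed memory. */
static int run_race(int fixed)
{
	struct scan_request req = { .flags = 0x1, .freed = 0 };	/* constructed input */

	scan_req = &req;
	reader_pc = writer_pc = rcu_readers = uaf_seen = 0;

	reader_step();				/* rcu_read_lock + dereference */
	while (writer_step(&req, fixed))	/* until done or blocked */
		;
	while (reader_step())			/* use req->flags, unlock */
		;
	while (writer_step(&req, fixed))	/* grace period over: free */
		;
	return uaf_seen;
}

int main(void)
{
	printf("pre-patch ordering : %s\n", run_race(0) ? "UAF" : "ok");
	printf("post-patch ordering: %s\n", run_race(1) ? "UAF" : "ok");
	return 0;
}
```

The pre-patch schedule reports a use-after-free because the reader dereferenced the pointer before the writer ran, and the writer freed the object before clearing the pointer; the post-patch schedule blocks in toy_synchronize_rcu() until the reader has called toy_rcu_read_unlock(), so the free happens after the last access.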
2022-09-06 13:29 [PATCH 5.15 000/107] 5.15.66-rc1 review Greg Kroah-Hartman
