miaoqing pan <miaoqing@xxxxxxxxxxxxxx> wrote:

> One scenario that could lead to UAF is two threads writing
> simultaneously to the "tx99" debug file. One of them would
> set the "start" value to true and follow to ath9k_tx99_init().
> Inside the function it would set the sc->tx99_state to true
> after allocating sc->tx99_skb. Then, the other thread would
> execute write_file_tx99() and call ath9k_tx99_deinit().
> sc->tx99_state would be freed. After that, the first thread
> would continue inside ath9k_tx99_init() and call
> r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
> that would make use of the freed sc->tx99_skb memory.
>
> Signed-off-by: Miaoqing Pan <miaoqing@xxxxxxxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxxxx>

I added Cc stable to both patches.

-- 
https://patchwork.kernel.org/patch/9798309/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
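The interleaving the commit message describes, replayed as an added C model (this is example code, not ath9k code and not the patch under discussion). Field and function names mirror the message; the `freed` flag stands in for kfree_skb() so that the stale access is counted instead of being undefined behaviour; and the pthread mutex serializing the two debugfs writers is an assumption about one way such a writer can be protected, not a description of what the actual fix does.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-in for the tx99 skb: marked freed rather than really freed while
 * the racy sequence runs, so a later use is detected, not UB. */
struct tx99_skb {
    bool freed;
};

/* Subset of the driver state the commit message talks about (model only). */
struct ath_softc {
    bool tx99_state;
    struct tx99_skb *tx99_skb;
    pthread_mutex_t mutex;   /* hypothetical lock serializing write_file_tx99() */
    int uaf_count;           /* sends that touched a freed skb */
};

static struct tx99_skb *build_tx99_skb(void)
{
    return calloc(1, sizeof(struct tx99_skb));
}

/* ath9k_tx99_send() in the model: just records whether its skb is stale. */
static void tx99_send(struct ath_softc *sc, struct tx99_skb *skb)
{
    if (skb && skb->freed)
        sc->uaf_count++;
}

/* First half of ath9k_tx99_init(): allocate the skb, mark tx99 running. */
static void tx99_init_alloc(struct ath_softc *sc)
{
    sc->tx99_skb = build_tx99_skb();
    sc->tx99_state = true;
}

/* ath9k_tx99_deinit() in the model: "free" the skb and clear the state. */
static void tx99_deinit(struct ath_softc *sc)
{
    if (sc->tx99_skb)
        sc->tx99_skb->freed = true;   /* stands in for kfree_skb() */
    sc->tx99_skb = NULL;
    sc->tx99_state = false;
}

/* The unprotected interleaving, replayed deterministically in one thread.
 * Returns the number of use-after-free accesses observed (expected: 1). */
int racy_interleaving(void)
{
    struct ath_softc sc = {0};
    struct tx99_skb *skb;

    tx99_init_alloc(&sc);   /* writer 1: start=1, enters ath9k_tx99_init() */
    skb = sc.tx99_skb;      /* writer 1 still holds the skb it just built */
    tx99_deinit(&sc);       /* writer 2: start=0, ath9k_tx99_deinit() frees it */
    tx99_send(&sc, skb);    /* writer 1 resumes and sends the freed skb */

    free(skb);
    return sc.uaf_count;
}

/* Hardened writer: init+send and deinit each run as one critical section. */
static void write_file_tx99_locked(struct ath_softc *sc, bool start)
{
    pthread_mutex_lock(&sc->mutex);
    if (start) {
        if (!sc->tx99_state) {
            tx99_init_alloc(sc);
            tx99_send(sc, sc->tx99_skb);
        }
    } else if (sc->tx99_state) {
        struct tx99_skb *skb = sc->tx99_skb;
        tx99_deinit(sc);
        free(skb);          /* safe: nobody can reach it once the lock is held */
    }
    pthread_mutex_unlock(&sc->mutex);
}

struct writer_arg {
    struct ath_softc *sc;
    bool start;
    int iters;
};

static void *writer_thread(void *p)
{
    struct writer_arg *a = p;
    for (int i = 0; i < a->iters; i++)
        write_file_tx99_locked(a->sc, a->start);
    return NULL;
}

/* Two real threads hammering start=1 and start=0 under the lock.
 * Returns the number of use-after-free accesses observed (expected: 0). */
int locked_writers(int iters)
{
    struct ath_softc sc = {0};
    struct writer_arg on = { &sc, true, iters }, off = { &sc, false, iters };
    pthread_t t1, t2;

    pthread_mutex_init(&sc.mutex, NULL);
    pthread_create(&t1, NULL, writer_thread, &on);
    pthread_create(&t2, NULL, writer_thread, &off);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    write_file_tx99_locked(&sc, false);   /* release whatever the last start left */
    pthread_mutex_destroy(&sc.mutex);
    return sc.uaf_count;
}

int main(void)
{
    printf("racy interleaving: %d UAF\n", racy_interleaving());
    printf("locked writers:    %d UAF\n", locked_writers(2000));
    return 0;
}
```

The racy replay is single-threaded on purpose: the window between "state set, skb allocated" and "skb sent" is what the two debugfs writers race over, and spelling it out as three ordered calls shows exactly which store the second writer lands between. The locked variant is the only one run with real threads, since with the critical sections in place there is no stale pointer for a thread to hold across a deinit.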