miaoqing pan <miaoqing@xxxxxxxxxxxxxx> wrote:

> One scenario that could lead to UAF is two threads writing
> simultaneously to the "tx99" debug file. One of them would
> set the "start" value to true and follow to ath9k_tx99_init().
> Inside the function it would set the sc->tx99_state to true
> after allocating sc->tx99_skb. Then, the other thread would
> execute write_file_tx99() and call ath9k_tx99_deinit().
> sc->tx99_state would be freed. After that, the first thread
> would continue inside ath9k_tx99_init() and call
> r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
> that would make use of the freed sc->tx99_skb memory.
>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Miaoqing Pan <miaoqing@xxxxxxxxxxxxxx>
> Signed-off-by: Kalle Valo <kvalo@xxxxxxxxxxxxxxxx>

2 patches applied to ath-next branch of ath.git, thanks.

cf8ce1ea61b7 ath9k: fix tx99 use after free
bde717ab4736 ath9k: fix tx99 bus error

--
https://patchwork.kernel.org/patch/9798309/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
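The interleaving the commit message describes, as an added userspace model that is not ath9k code and not the applied patch: one writer thread "starts" tx99 and a second writer "stops" it while the first is still between allocating the skb and sending it. Run once with the two writes unserialized (the race) and once with a mutex held across the whole write handler, which is this model's fix and not a description of what cf8ce1ea61b7 changes. The struct and function names (tx99_sc, run_tx99_race, ...), the sleep-based window, and the flag-based skb_free() that marks instead of releasing memory are assumptions of the model so the use after free is countable rather than undefined behaviour.

```c
/* Userspace model of the tx99 init/deinit race. Added example, not ath9k code;
 * names, delays and the marking skb_free() are assumptions of the model. */
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

struct skb {
    bool freed;              /* set instead of releasing memory, so a UAF is detectable */
    char payload[32];
};

struct tx99_sc {
    pthread_mutex_t mutex;   /* models a lock held across the whole debugfs write */
    bool serialize_writes;   /* true: take mutex in write_file_tx99 (fix); false: race */
    bool tx99_state;
    struct skb *tx99_skb;
    struct skb *allocated;   /* remembered so run_tx99_race() can release it */
    int sends;
    int uaf_hits;            /* sends that dereferenced a freed skb */
};

static struct skb *skb_alloc(struct tx99_sc *sc)
{
    struct skb *s = calloc(1, sizeof *s);
    if (!s)
        abort();
    strcpy(s->payload, "tx99 frame");
    sc->allocated = s;
    return s;
}

static void skb_free(struct skb *s)
{
    s->freed = true;         /* the real kfree_skb() would return the memory */
}

static int tx99_send(struct tx99_sc *sc, struct skb *skb)
{
    sc->sends++;
    if (!skb)
        return -1;
    if (skb->freed) {        /* in the driver this is a read of freed memory */
        sc->uaf_hits++;
        return -1;
    }
    return (int)strlen(skb->payload);
}

static int tx99_init(struct tx99_sc *sc)
{
    struct skb *skb = sc->tx99_skb = skb_alloc(sc); /* pointer held across the window */
    sc->tx99_state = true;
    usleep(20000);           /* window between allocating the skb and sending it */
    return tx99_send(sc, skb);
}

static void tx99_deinit(struct tx99_sc *sc)
{
    if (sc->tx99_skb) {
        skb_free(sc->tx99_skb);
        sc->tx99_skb = NULL;
    }
    sc->tx99_state = false;
}

static void write_file_tx99(struct tx99_sc *sc, bool start)
{
    if (sc->serialize_writes)
        pthread_mutex_lock(&sc->mutex);
    if (start) {
        if (!sc->tx99_state)
            tx99_init(sc);
    } else {
        tx99_deinit(sc);
    }
    if (sc->serialize_writes)
        pthread_mutex_unlock(&sc->mutex);
}

struct writer { struct tx99_sc *sc; bool start; unsigned delay_us; };

static void *writer_thread(void *arg)
{
    struct writer *w = arg;
    usleep(w->delay_us);
    write_file_tx99(w->sc, w->start);
    return NULL;
}

/* A "start" writer and a "stop" writer race on one tx99_sc; returns the
 * number of sends that touched a freed skb (0 when writes are serialized). */
int run_tx99_race(bool serialize_writes)
{
    struct tx99_sc sc = { .mutex = PTHREAD_MUTEX_INITIALIZER,
                          .serialize_writes = serialize_writes };
    struct writer a = { &sc, true, 0 }, b = { &sc, false, 5000 };
    pthread_t ta, tb;

    pthread_create(&ta, NULL, writer_thread, &a);
    pthread_create(&tb, NULL, writer_thread, &b);
    pthread_join(ta, NULL);
    pthread_join(tb, NULL);
    free(sc.allocated);
    return sc.uaf_hits;
}

int main(void)
{
    printf("unserialized writes: %d use-after-free send(s)\n", run_tx99_race(false));
    printf("serialized writes:   %d use-after-free send(s)\n", run_tx99_race(true));
    return 0;
}
```

The unserialized run normally reports one freed-skb send, but it depends on thread scheduling; the serialized run reports zero whichever writer wins the lock, because deinit cannot execute inside init's window and a stop that lands first simply finds no skb to free.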