Pavel Skripkin <paskripkin@xxxxxxxxx> writes:
> Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb(). The
> problem was in incorrect htc_handle->drv_priv initialization.
>
> Probable call trace which can trigger use-after-free:
>
> ath9k_htc_probe_device()
> /* htc_handle->drv_priv = priv; */
> ath9k_htc_wait_for_target() <--- Failed
> ieee80211_free_hw() <--- priv pointer is freed
>
> <IRQ>
> ...
> ath9k_hif_usb_rx_cb()
> ath9k_hif_usb_rx_stream()
> RX_STAT_INC() <--- htc_handle->drv_priv access
>
> In order to not add fancy protection for drv_priv we can move
> htc_handle->drv_priv initialization at the end of the
> ath9k_htc_probe_device() and add helper macro to make
> all *_STAT_* macros NULL save.
>
> Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
> Reported-and-tested-by: syzbot+03110230a11411024147@xxxxxxxxxxxxxxxxxxxxxxxxx
> Reported-and-tested-by: syzbot+c6dde1f690b60e0b9fbe@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
> ---
>
> Changes from v1:
> - Removed clean-ups and moved them to 2/2
You forgot to CC linux-wireless so patchwork won't see it. Please submit
v3 and include linux-wireless.
--
https://patchwork.kernel.org/project/linux-wireless/list/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
