Patch "wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()" has been added to the 6.1-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-ath9k-fix-use-after-free-in-ath9k_hif_usb_disco.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8ee6131b5e259c9be7ef726e51e6e0ecc353c7a0
Author: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>
Date:   Mon Dec 5 10:43:08 2022 +0900

    wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()
    
    [ Upstream commit f099c5c9e2ba08a379bd354a82e05ef839ae29ac ]
    
    This patch fixes a use-after-free in ath9k that occurs in
    ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access
    'drv_priv' that has already been freed by ieee80211_free_hw(), called by
    ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before
    ieee80211_free_hw(). Note that urbs from the driver should be killed
    before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will
    access 'wmi'.
    
    Found by a modified version of syzkaller.
    
    ==================================================================
    BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40
    Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7
    
    CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
    Workqueue: usb_hub_wq hub_event
    Call Trace:
     dump_stack_lvl+0x8e/0xd1
     print_address_description.constprop.0.cold+0x93/0x334
     ? ath9k_destroy_wmi+0x38/0x40
     ? ath9k_destroy_wmi+0x38/0x40
     kasan_report.cold+0x83/0xdf
     ? ath9k_destroy_wmi+0x38/0x40
     ath9k_destroy_wmi+0x38/0x40
     ath9k_hif_usb_disconnect+0x329/0x3f0
     ? ath9k_hif_usb_suspend+0x120/0x120
     ? usb_disable_interface+0xfc/0x180
     usb_unbind_interface+0x19b/0x7e0
     ? usb_autoresume_device+0x50/0x50
     device_release_driver_internal+0x44d/0x520
     bus_remove_device+0x2e5/0x5a0
     device_del+0x5b2/0xe30
     ? __device_link_del+0x370/0x370
     ? usb_remove_ep_devs+0x43/0x80
     ? remove_intf_ep_devs+0x112/0x1a0
     usb_disable_device+0x1e3/0x5a0
     usb_disconnect+0x267/0x870
     hub_event+0x168d/0x3950
     ? rcu_read_lock_sched_held+0xa1/0xd0
     ? hub_port_debounce+0x2e0/0x2e0
     ? check_irq_usage+0x860/0xf20
     ? drain_workqueue+0x281/0x360
     ? lock_release+0x640/0x640
     ? rcu_read_lock_sched_held+0xa1/0xd0
     ? rcu_read_lock_bh_held+0xb0/0xb0
     ? lockdep_hardirqs_on_prepare+0x273/0x3e0
     process_one_work+0x92b/0x1460
     ? pwq_dec_nr_in_flight+0x330/0x330
     ? rwlock_bug.part.0+0x90/0x90
     worker_thread+0x95/0xe00
     ? __kthread_parkme+0x115/0x1e0
     ? process_one_work+0x1460/0x1460
     kthread+0x3a1/0x480
     ? set_kthread_struct+0x120/0x120
     ret_from_fork+0x1f/0x30
    
    The buggy address belongs to the page:
    page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913
    flags: 0x200000000000000(node=0|zone=2)
    raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
    raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    page_owner tracks the page as freed
    page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635
     prep_new_page+0x1aa/0x240
     get_page_from_freelist+0x159a/0x27c0
     __alloc_pages+0x2da/0x6a0
     alloc_pages+0xec/0x1e0
     kmalloc_order+0x39/0xf0
     kmalloc_order_trace+0x19/0x120
     __kmalloc+0x308/0x390
     wiphy_new_nm+0x6f5/0x1dd0
     ieee80211_alloc_hw_nm+0x36d/0x2230
     ath9k_htc_probe_device+0x9d/0x1e10
     ath9k_htc_hw_init+0x34/0x50
     ath9k_hif_usb_firmware_cb+0x25f/0x4e0
     request_firmware_work_func+0x131/0x240
     process_one_work+0x92b/0x1460
     worker_thread+0x95/0xe00
     kthread+0x3a1/0x480
    page last free stack trace:
     free_pcp_prepare+0x3d3/0x7f0
     free_unref_page+0x1e/0x3d0
     device_release+0xa4/0x240
     kobject_put+0x186/0x4c0
     put_device+0x20/0x30
     ath9k_htc_disconnect_device+0x1cf/0x2c0
     ath9k_htc_hw_deinit+0x26/0x30
     ath9k_hif_usb_disconnect+0x2d9/0x3f0
     usb_unbind_interface+0x19b/0x7e0
     device_release_driver_internal+0x44d/0x520
     bus_remove_device+0x2e5/0x5a0
     device_del+0x5b2/0xe30
     usb_disable_device+0x1e3/0x5a0
     usb_disconnect+0x267/0x870
     hub_event+0x168d/0x3950
     process_one_work+0x92b/0x1460
    
    Memory state around the buggy address:
     ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    >ffff888106913280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                   ^
     ffff888106913300: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
     ffff888106913380: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    ==================================================================
    
    Reported-by: Dokyung Song <dokyungs@xxxxxxxxxxxx>
    Reported-by: Jisoo Jang <jisoo.jang@xxxxxxxxxxxx>
    Reported-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>
    Signed-off-by: Minsuk Kang <linuxlovemin@xxxxxxxxxxxx>
    Acked-by: Toke Høiland-Jørgensen <toke@xxxxxxx>
    Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221205014308.1617597-1-linuxlovemin@xxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index de6c0824c9cab..f521dfa2f1945 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1424,8 +1424,6 @@ static void ath9k_hif_usb_disconnect(struct usb_interface *interface)
 
 	if (hif_dev->flags & HIF_USB_READY) {
 		ath9k_htc_hw_deinit(hif_dev->htc_handle, unplugged);
-		ath9k_hif_usb_dev_deinit(hif_dev);
-		ath9k_destroy_wmi(hif_dev->htc_handle->drv_priv);
 		ath9k_htc_hw_free(hif_dev->htc_handle);
 	}
 
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
index 07ac88fb1c577..96a3185a96d75 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -988,6 +988,8 @@ void ath9k_htc_disconnect_device(struct htc_target *htc_handle, bool hotunplug)
 
 		ath9k_deinit_device(htc_handle->drv_priv);
 		ath9k_stop_wmi(htc_handle->drv_priv);
+		ath9k_hif_usb_dealloc_urbs((struct hif_device_usb *)htc_handle->hif_dev);
+		ath9k_destroy_wmi(htc_handle->drv_priv);
 		ieee80211_free_hw(htc_handle->drv_priv->hw);
 	}
 }



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux