From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alexander Coffin <alex.coffin@matician.com>,
Kalle Valo <kvalo@kernel.org>, Sasha Levin <sashal@kernel.org>,
aspriel@gmail.com, franky.lin@broadcom.com,
hante.meuleman@broadcom.com, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
chi-hsien.lin@cypress.com, a.fatoum@pengutronix.de,
hdegoede@redhat.com, pavel@loebl.cz, bigeasy@linutronix.de,
wsa+renesas@sang-engineering.com, wright.feng@cypress.com,
linux-wireless@vger.kernel.org,
brcm80211-dev-list.pdl@broadcom.com,
SHA-cyfmac-dev-list@infineon.com, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.15 20/46] wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
Date: Sun, 9 Oct 2022 18:18:45 -0400 [thread overview]
Message-ID: <20221009221912.1217372-20-sashal@kernel.org> (raw)
In-Reply-To: <20221009221912.1217372-1-sashal@kernel.org>
From: Alexander Coffin <alex.coffin@matician.com>
[ Upstream commit 3f42faf6db431e04bf942d2ebe3ae88975723478 ]
> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
may be schedule, and then complete before the line
> ndev->stats.tx_bytes += skb->len;
[ 46.912801] ==================================================================
[ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328
[ 46.935991]
[ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1
[ 46.947255] Hardware name: [REDACTED]
[ 46.954568] Call trace:
[ 46.957037] dump_backtrace+0x0/0x2b8
[ 46.960719] show_stack+0x24/0x30
[ 46.964052] dump_stack+0x128/0x194
[ 46.967557] print_address_description.isra.0+0x64/0x380
[ 46.972877] __kasan_report+0x1d4/0x240
[ 46.976723] kasan_report+0xc/0x18
[ 46.980138] __asan_report_load4_noabort+0x18/0x20
[ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac]
[ 46.990613] dev_hard_start_xmit+0x1bc/0xda0
[ 46.994894] sch_direct_xmit+0x198/0xd08
[ 46.998827] __qdisc_run+0x37c/0x1dc0
[ 47.002500] __dev_queue_xmit+0x1528/0x21f8
[ 47.006692] dev_queue_xmit+0x24/0x30
[ 47.010366] neigh_resolve_output+0x37c/0x678
[ 47.014734] ip_finish_output2+0x598/0x2458
[ 47.018927] __ip_finish_output+0x300/0x730
[ 47.023118] ip_output+0x2e0/0x430
[ 47.026530] ip_local_out+0x90/0x140
[ 47.030117] igmpv3_sendpack+0x14c/0x228
[ 47.034049] igmpv3_send_cr+0x384/0x6b8
[ 47.037895] igmp_ifc_timer_expire+0x4c/0x118
[ 47.042262] call_timer_fn+0x1cc/0xbe8
[ 47.046021] __run_timers+0x4d8/0xb28
[ 47.049693] run_timer_softirq+0x24/0x40
[ 47.053626] __do_softirq+0x2c0/0x117c
[ 47.057387] irq_exit+0x2dc/0x388
[ 47.060715] __handle_domain_irq+0xb4/0x158
[ 47.064908] gic_handle_irq+0x58/0xb0
[ 47.068581] el0_irq_naked+0x50/0x5c
[ 47.072162]
[ 47.073665] Allocated by task 328:
[ 47.077083] save_stack+0x24/0xb0
[ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0
[ 47.084776] kasan_slab_alloc+0x14/0x20
[ 47.088622] kmem_cache_alloc+0x15c/0x468
[ 47.092643] __alloc_skb+0xa4/0x498
[ 47.096142] igmpv3_newpack+0x158/0xd78
[ 47.099987] add_grhead+0x210/0x288
[ 47.103485] add_grec+0x6b0/0xb70
[ 47.106811] igmpv3_send_cr+0x2e0/0x6b8
[ 47.110657] igmp_ifc_timer_expire+0x4c/0x118
[ 47.115027] call_timer_fn+0x1cc/0xbe8
[ 47.118785] __run_timers+0x4d8/0xb28
[ 47.122457] run_timer_softirq+0x24/0x40
[ 47.126389] __do_softirq+0x2c0/0x117c
[ 47.130142]
[ 47.131643] Freed by task 180:
[ 47.134712] save_stack+0x24/0xb0
[ 47.138041] __kasan_slab_free+0x108/0x180
[ 47.142146] kasan_slab_free+0x10/0x18
[ 47.145904] slab_free_freelist_hook+0xa4/0x1b0
[ 47.150444] kmem_cache_free+0x8c/0x528
[ 47.154292] kfree_skbmem+0x94/0x108
[ 47.157880] consume_skb+0x10c/0x5a8
[ 47.161466] __dev_kfree_skb_any+0x88/0xa0
[ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil]
[ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac]
[ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac]
[ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac]
[ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac]
[ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac]
[ 47.197859] process_one_work+0x7fc/0x1a80
[ 47.201965] worker_thread+0x31c/0xc40
[ 47.205726] kthread+0x2d8/0x370
[ 47.208967] ret_from_fork+0x10/0x18
[ 47.212546]
[ 47.214051] The buggy address belongs to the object at ffffff803f588280
[ 47.214051] which belongs to the cache skbuff_head_cache of size 208
[ 47.227086] The buggy address is located 104 bytes inside of
[ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350)
[ 47.238814] The buggy address belongs to the page:
[ 47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0
[ 47.255007] flags: 0x10200(slab|head)
[ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800
[ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000
[ 47.274180] page dumped because: kasan: bad access detected
[ 47.279752]
[ 47.281251] Memory state around the buggy address:
[ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 47.307723] ^
[ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc
[ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
[ 47.328789] ==================================================================
Signed-off-by: Alexander Coffin <alex.coffin@matician.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220808174925.3922558-1-alex.coffin@matician.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
index db5f8535fdb5..e5bae6224521 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
@@ -295,6 +295,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
struct brcmf_pub *drvr = ifp->drvr;
struct ethhdr *eh;
int head_delta;
+ unsigned int tx_bytes = skb->len;
brcmf_dbg(DATA, "Enter, bsscfgidx=%d\n", ifp->bsscfgidx);
@@ -369,7 +370,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb,
ndev->stats.tx_dropped++;
} else {
ndev->stats.tx_packets++;
- ndev->stats.tx_bytes += skb->len;
+ ndev->stats.tx_bytes += tx_bytes;
}
/* Return ok: we always eat the packet */
--
2.35.1
next prev parent reply other threads:[~2022-10-09 22:36 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-09 22:18 [PATCH AUTOSEL 5.15 01/46] wifi: rtw88: phy: fix warning of possible buffer overflow Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 02/46] wifi: brcmfmac: fix invalid address access when enabling SCAN log level Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 03/46] bpftool: Clear errno after libcap's checks Sasha Levin
2022-10-09 22:18 ` [Intel-wired-lan] [PATCH AUTOSEL 5.15 04/46] ice: set tx_tstamps when creating new Tx rings via ethtool Sasha Levin
2022-10-09 22:18 ` Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 05/46] net: ethernet: ti: davinci_mdio: Add workaround for errata i2329 Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 06/46] openvswitch: Fix double reporting of drops in dropwatch Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 07/46] openvswitch: Fix overreporting " Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 08/46] tcp: annotate data-race around tcp_md5sig_pool_populated Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 09/46] micrel: ksz8851: fixes struct pointer issue Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 10/46] genetlink: hold read cb_lock during iteration of genl_fam_idr in genl_bind() Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 11/46] x86/mce: Retrieve poison range from hardware Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 12/46] wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 13/46] thunderbolt: Add back Intel Falcon Ridge end-to-end flow control workaround Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 14/46] xfrm: Update ipcomp_scratches with NULL when freed Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 15/46] net: broadcom: Fix return type for implementation of Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 16/46] net: xscale: Fix return type for implementation of ndo_start_xmit Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 17/46] net: lantiq_etop: " Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 18/46] net: ftmac100: fix endianness-related issues from 'sparse' Sasha Levin
2022-10-09 22:18 ` [Intel-wired-lan] [PATCH AUTOSEL 5.15 19/46] iavf: Fix race between iavf_close and iavf_reset_task Sasha Levin
2022-10-09 22:18 ` Sasha Levin
2022-10-09 22:18 ` Sasha Levin [this message]
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 21/46] Bluetooth: btintel: Mark Intel controller to support LE_STATES quirk Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 22/46] regulator: core: Prevent integer underflow Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 23/46] wifi: mt76: mt7921: reset msta->airtime_ac while clearing up hw value Sasha Levin
2022-10-09 22:18 ` Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 24/46] Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 25/46] net: davicom: Fix return type of dm9000_start_xmit Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 26/46] net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 27/46] net: ethernet: litex: Fix return type of liteeth_start_xmit Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 28/46] net: korina: Fix return type of korina_send_packet Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 29/46] net: wwan: iosm: Fix return type of ipc_wwan_link_transmit Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 30/46] net: sfp: re-implement soft state polling setup Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 31/46] net: sfp: move quirk handling into sfp.c Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 32/46] net: sfp: move Alcatel Lucent 3FE46541AA fixup Sasha Levin
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 33/46] net/sched: taprio: taprio_dump and taprio_change are protected by rtnl_mutex Sasha Levin
2022-10-10 13:33 ` Vladimir Oltean
2022-10-09 22:18 ` [PATCH AUTOSEL 5.15 34/46] Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 35/46] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free Sasha Levin
2022-10-09 22:19 ` Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 36/46] can: bcm: check the result of can_send() in bcm_can_tx() Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 37/46] wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 38/46] wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 39/46] wifi: rt2x00: set VGC gain for both chains of MT7620 Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 40/46] wifi: rt2x00: set SoC wmac clock register Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 41/46] wifi: rt2x00: correctly set BBP register 86 for MT7620 Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 42/46] hwmon: (sht4x) do not overflow clamping operation on 32-bit platforms Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 43/46] net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 44/46] Bluetooth: L2CAP: Fix user-after-free Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 45/46] libbpf: Fix overrun in netlink attribute iteration Sasha Levin
2022-10-09 22:19 ` [PATCH AUTOSEL 5.15 46/46] r8152: Rate limit overflow messages Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221009221912.1217372-20-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=SHA-cyfmac-dev-list@infineon.com \
--cc=a.fatoum@pengutronix.de \
--cc=alex.coffin@matician.com \
--cc=aspriel@gmail.com \
--cc=bigeasy@linutronix.de \
--cc=brcm80211-dev-list.pdl@broadcom.com \
--cc=chi-hsien.lin@cypress.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=franky.lin@broadcom.com \
--cc=hante.meuleman@broadcom.com \
--cc=hdegoede@redhat.com \
--cc=kuba@kernel.org \
--cc=kvalo@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pavel@loebl.cz \
--cc=stable@vger.kernel.org \
--cc=wright.feng@cypress.com \
--cc=wsa+renesas@sang-engineering.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.