From: Qiujun Huang <anenbupt@gmail.com>
To: syzbot <syzbot+b1c61e5f11be5782f192@syzkaller.appspotmail.com>
Cc: Andrey Konovalov <andreyknvl@google.com>,
ath9k-devel@qca.qualcomm.com, davem@davemloft.net,
kvalo@codeaurora.org, LKML <linux-kernel@vger.kernel.org>,
USB list <linux-usb@vger.kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org,
syzkaller-bugs <syzkaller-bugs@googlegroups.com>
Subject: Re: KASAN: use-after-free Write in ath9k_htc_rx_msg
Date: Fri, 3 Apr 2020 09:49:16 +0800 [thread overview]
Message-ID: <CADG63jC06pj4pSrKMKQeK1pedyRnjNTWWmTzg-6rNbQh5c6=Ug@mail.gmail.com> (raw)
In-Reply-To: <0000000000006ac55b05a1c05d72@google.com>
[-- Attachment #1: Type: text/plain, Size: 58 bytes --]
#syz test: https://github.com/google/kasan.git usb-fuzzer
[-- Attachment #2: 0001-ath9k-fix-use-after-free-read-in-htc_connect_service.patch --]
[-- Type: application/octet-stream, Size: 4880 bytes --]
From 61a77bb21792ba2323299880ac4a07c6fe0b94a0 Mon Sep 17 00:00:00 2001
From: Qiujun Huang <hqjagain@gmail.com>
Date: Tue, 31 Mar 2020 20:18:56 +0800
Subject: [PATCH] ath9k: fix use-after-free read in htc_connect_service
(1)The skb is consumed by htc_send_epid.
(2)free wmi later after urb has been killed.
(3)check the endpoint_id.
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 4 +++-
drivers/net/wireless/ath/ath9k/htc_drv_init.c | 2 +-
drivers/net/wireless/ath/ath9k/htc_hst.c | 7 ++++---
drivers/net/wireless/ath/ath9k/wmi.c | 15 ++++++++++++++-
drivers/net/wireless/ath/ath9k/wmi.h | 2 ++
5 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index dd0c32379375..275607a74841 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -1341,8 +1341,10 @@ static void ath9k_hif_usb_disconnect(struct usb_interface *interface)
if (hif_dev->flags & HIF_USB_READY) {
ath9k_htc_hw_deinit(hif_dev->htc_handle, unplugged);
- ath9k_htc_hw_free(hif_dev->htc_handle);
ath9k_hif_usb_dev_deinit(hif_dev);
+ smp_mb();
+ ath9k_destoy_wmi(hif_dev->htc_handle->drv_priv);
+ ath9k_htc_hw_free(hif_dev->htc_handle);
}
usb_set_intfdata(interface, NULL);
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
index d961095ab01f..d1d0ed6e653c 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c
@@ -982,7 +982,7 @@ void ath9k_htc_disconnect_device(struct htc_target *htc_handle, bool hotunplug)
htc_handle->drv_priv->ah->ah_flags |= AH_UNPLUGGED;
ath9k_deinit_device(htc_handle->drv_priv);
- ath9k_deinit_wmi(htc_handle->drv_priv);
+ ath9k_stop_wmi(htc_handle->drv_priv);
ieee80211_free_hw(htc_handle->drv_priv->hw);
}
}
diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index d091c8ebdcf0..86cf118c9e5f 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -115,6 +115,10 @@ static void htc_process_conn_rsp(struct htc_target *target,
epid = svc_rspmsg->endpoint_id;
service_id = be16_to_cpu(svc_rspmsg->service_id);
max_msglen = be16_to_cpu(svc_rspmsg->max_msg_len);
+
+ if (epid >= ENDPOINT_MAX)
+ return;
+
endpoint = &target->endpoint[epid];
for (tepid = (ENDPOINT_MAX - 1); tepid > ENDPOINT0; tepid--) {
@@ -170,7 +174,6 @@ static int htc_config_pipe_credits(struct htc_target *target)
time_left = wait_for_completion_timeout(&target->cmd_wait, HZ);
if (!time_left) {
dev_err(target->dev, "HTC credit config timeout\n");
- kfree_skb(skb);
return -ETIMEDOUT;
}
@@ -206,7 +209,6 @@ static int htc_setup_complete(struct htc_target *target)
time_left = wait_for_completion_timeout(&target->cmd_wait, HZ);
if (!time_left) {
dev_err(target->dev, "HTC start timeout\n");
- kfree_skb(skb);
return -ETIMEDOUT;
}
@@ -279,7 +281,6 @@ int htc_connect_service(struct htc_target *target,
if (!time_left) {
dev_err(target->dev, "Service connection timeout for: %d\n",
service_connreq->service_id);
- kfree_skb(skb);
return -ETIMEDOUT;
}
diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index cdc146091194..615e6e32f687 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -123,6 +123,20 @@ void ath9k_deinit_wmi(struct ath9k_htc_priv *priv)
kfree(priv->wmi);
}
+void ath9k_stop_wmi(struct ath9k_htc_priv *priv)
+{
+ struct wmi *wmi = priv->wmi;
+
+ mutex_lock(&wmi->op_mutex);
+ wmi->stopped = true;
+ mutex_unlock(&wmi->op_mutex);
+}
+
+void ath9k_destoy_wmi(struct ath9k_htc_priv *priv)
+{
+ kfree(priv->wmi);
+}
+
void ath9k_wmi_event_drain(struct ath9k_htc_priv *priv)
{
unsigned long flags;
@@ -336,7 +350,6 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n",
wmi_cmd_to_name(cmd_id));
mutex_unlock(&wmi->op_mutex);
- kfree_skb(skb);
return -ETIMEDOUT;
}
diff --git a/drivers/net/wireless/ath/ath9k/wmi.h b/drivers/net/wireless/ath/ath9k/wmi.h
index 380175d5ecd7..c3e278377365 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.h
+++ b/drivers/net/wireless/ath/ath9k/wmi.h
@@ -189,6 +189,8 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
void ath9k_wmi_event_tasklet(unsigned long data);
void ath9k_fatal_work(struct work_struct *work);
void ath9k_wmi_event_drain(struct ath9k_htc_priv *priv);
+void ath9k_stop_wmi(struct ath9k_htc_priv *priv);
+void ath9k_destoy_wmi(struct ath9k_htc_priv *priv);
#define WMI_CMD(_wmi_cmd) \
do { \
--
2.17.1
next prev parent reply other threads:[~2020-04-03 1:49 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-26 11:34 KASAN: use-after-free Write in ath9k_htc_rx_msg syzbot
2020-03-31 16:36 ` Qiujun Huang
2020-03-31 16:50 ` syzbot
2020-04-03 1:49 ` Qiujun Huang [this message]
2020-04-03 2:07 ` syzbot
2020-04-03 20:40 ` Qiujun Huang
2020-04-03 21:49 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADG63jC06pj4pSrKMKQeK1pedyRnjNTWWmTzg-6rNbQh5c6=Ug@mail.gmail.com' \
--to=anenbupt@gmail.com \
--cc=andreyknvl@google.com \
--cc=ath9k-devel@qca.qualcomm.com \
--cc=davem@davemloft.net \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-usb@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=syzbot+b1c61e5f11be5782f192@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).