From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Avraham Stern <avraham.stern@intel.com>,
Luca Coelho <luciano.coelho@intel.com>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.5 517/542] iwlwifi: mvm: avoid use after free for pmsr request
Date: Fri, 14 Feb 2020 10:48:29 -0500 [thread overview]
Message-ID: <20200214154854.6746-517-sashal@kernel.org> (raw)
In-Reply-To: <20200214154854.6746-1-sashal@kernel.org>
From: Avraham Stern <avraham.stern@intel.com>
[ Upstream commit cc4255eff523f25187bb95561642941de0e57497 ]
When a FTM request is aborted, the driver sends the abort command to
the fw and waits for a response. When the response arrives, the driver
calls cfg80211_pmsr_complete() for that request.
However, cfg80211 frees the requested data immediately after sending
the abort command, so this may lead to use after free.
Fix it by clearing the request data in the driver when the abort
command arrives and ignoring the fw notification that will come
afterwards.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Fixes: fc36ffda3267 ("iwlwifi: mvm: support FTM initiator")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
index 9f4b117db9d7f..d47f76890cf9a 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c
@@ -8,6 +8,7 @@
* Copyright(c) 2015 - 2017 Intel Deutschland GmbH
* Copyright (C) 2018 Intel Corporation
* Copyright (C) 2019 Intel Corporation
+ * Copyright (C) 2020 Intel Corporation
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of version 2 of the GNU General Public License as
@@ -30,6 +31,7 @@
* Copyright(c) 2015 - 2017 Intel Deutschland GmbH
* Copyright (C) 2018 Intel Corporation
* Copyright (C) 2019 Intel Corporation
+ * Copyright (C) 2020 Intel Corporation
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -389,6 +391,8 @@ void iwl_mvm_ftm_abort(struct iwl_mvm *mvm, struct cfg80211_pmsr_request *req)
if (req != mvm->ftm_initiator.req)
return;
+ iwl_mvm_ftm_reset(mvm);
+
if (iwl_mvm_send_cmd_pdu(mvm, iwl_cmd_id(TOF_RANGE_ABORT_CMD,
LOCATION_GROUP, 0),
0, sizeof(cmd), &cmd))
@@ -502,7 +506,6 @@ void iwl_mvm_ftm_range_resp(struct iwl_mvm *mvm, struct iwl_rx_cmd_buffer *rxb)
lockdep_assert_held(&mvm->mutex);
if (!mvm->ftm_initiator.req) {
- IWL_ERR(mvm, "Got FTM response but have no request?\n");
return;
}
--
2.20.1
next prev parent reply other threads:[~2020-02-14 16:00 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200214154854.6746-1-sashal@kernel.org>
2020-02-14 15:39 ` [PATCH AUTOSEL 5.5 004/542] ath10k: Fix qmi init error handling Sasha Levin
2020-02-14 15:39 ` [PATCH AUTOSEL 5.5 005/542] wil6210: fix break that is never reached because of zero'ing of a retry counter Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 026/542] brcmfmac: Fix memory leak in brcmf_p2p_create_p2pdev() Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 027/542] brcmfmac: Fix use after free in brcmf_sdio_readframes() Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 034/542] gianfar: Fix TX timestamping with a stacked DSA driver Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 057/542] arm64: dts: marvell: clearfog-gt-8k: fix switch cpu port node Sasha Levin
2020-02-14 15:40 ` [PATCH AUTOSEL 5.5 066/542] net: ethernet: ixp4xx: Standard module init Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 091/542] wan/hdlc_x25: fix skb handling Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 107/542] ath10k: Correct the DMA direction for management tx buffers Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 108/542] IB/mlx5: Return the administrative GUID if exists Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 109/542] rtw88: fix rate mask for 1SS chip Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 110/542] brcmfmac: sdio: Fix OOB interrupt initialization on brcm43362 Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 111/542] libertas: don't exit from lbs_ibss_join_existing() with RCU read lock held Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 112/542] libertas: make lbs_ibss_join_existing() return error code on rates overflow Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 125/542] netfilter: flowtable: Fix missing flush hardware on table free Sasha Levin
2020-02-14 15:41 ` [PATCH AUTOSEL 5.5 126/542] netfilter: flowtable: Fix hardware flush order on nf_flow_table_cleanup Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 132/542] mt76: mt7615: fix max_nss in mt7615_eeprom_parse_hw_cap Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 133/542] bpftool: Don't crash on missing xlated program instructions Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 134/542] bpf, sockhash: Synchronize_rcu before free'ing map Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 135/542] bpf, sockmap: Check update requirements after locking Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 136/542] bpf: Improve bucket_log calculation logic Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 137/542] bpf, sockmap: Don't sleep while holding RCU lock on tear-down Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 167/542] ath10k: correct the tlv len of ath10k_wmi_tlv_op_gen_config_pno_start Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 177/542] net/wan/fsl_ucc_hdlc: reject muram offsets above 64K Sasha Levin
2020-02-14 15:42 ` [PATCH AUTOSEL 5.5 180/542] NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu() Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 191/542] enetc: remove variable 'tc_max_sized_frame' set but not used Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 207/542] Revert "nfp: abm: fix memory leak in nfp_abm_u32_knode_replace" Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 209/542] selftests/net: make so_txtime more robust to timer variance Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 212/542] samples/bpf: Set -fno-stack-protector when building BPF programs Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 213/542] r8169: check that Realtek PHY driver module is loaded Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 214/542] fore200e: Fix incorrect checks of NULL pointer dereference Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 215/542] isdn: don't mark kcapi_proc_exit as __exit Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 220/542] netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 226/542] b43legacy: Fix -Wcast-function-type Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 227/542] ipw2x00: " Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 228/542] iwlegacy: " Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 229/542] rtlwifi: rtl_pci: " Sasha Levin
2020-02-14 15:43 ` [PATCH AUTOSEL 5.5 231/542] orinoco: avoid assertion in case of NULL pointer Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 263/542] bpf: Print error message for bpftool cgroup show Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 264/542] net: phy: realtek: add logging for the RGMII TX delay configuration Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 266/542] net/wan/fsl_ucc_hdlc: remove set but not used variables 'ut_info' and 'ret' Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 278/542] ice: add extra check for null Rx descriptor Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 285/542] net: phy: fixed_phy: fix use-after-free when checking link GPIO Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 286/542] tools lib api fs: Fix gcc9 stringop-truncation compilation error Sasha Levin
2020-02-14 15:44 ` [PATCH AUTOSEL 5.5 294/542] mlx5: work around high stack usage with gcc Sasha Levin
2020-02-14 15:45 ` [PATCH AUTOSEL 5.5 325/542] bnxt: Detach page from page pool before sending up the stack Sasha Levin
2020-02-14 15:45 ` [PATCH AUTOSEL 5.5 327/542] wan: ixp4xx_hss: fix compile-testing on 64-bit Sasha Levin
2020-02-14 15:45 ` [PATCH AUTOSEL 5.5 352/542] bpf: Return -EBADRQC for invalid map type in __bpf_tx_xdp_map Sasha Levin
2020-02-14 15:46 ` [PATCH AUTOSEL 5.5 386/542] netfilter: flowtable: restrict flow dissector match on meta ingress device Sasha Levin
2020-02-14 15:46 ` [PATCH AUTOSEL 5.5 401/542] enetc: Don't print from enetc_sched_speed_set when link goes down Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 438/542] bpf, btf: Always output invariant hit in pahole DWARF to BTF transform Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 440/542] sunrpc: Fix potential leaks in sunrpc_cache_unhash() Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 443/542] net/mlx5e: Fix printk format warning Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 461/542] selftests: bpf: Reset global state between reuseport test runs Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 471/542] ath10k: pci: Only dump ATH10K_MEM_REGION_TYPE_IOREG when safe Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 472/542] hostap: Adjust indentation in prism2_hostapd_add_sta Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 473/542] rtw88: fix potential NULL skb access in TX ISR Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 474/542] rtlwifi: rtl8821ae: remove unused variables Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 475/542] rtlwifi: rtl8192ee: " Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 476/542] rtlwifi: rtl8723ae: " Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 477/542] iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 482/542] bpf: map_seq_next should always increase position index Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 484/542] mwifiex: Fix possible buffer overflows in mwifiex_ret_wmm_get_status() Sasha Levin
2020-02-14 15:47 ` [PATCH AUTOSEL 5.5 485/542] mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv() Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 502/542] powerpc: Do not consider weak unresolved symbol relocations as bad Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 516/542] iwlwifi: mvm: Fix thermal zone registration Sasha Levin
2020-02-14 15:48 ` Sasha Levin [this message]
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 518/542] iwlwifi: mvm: Check the sta is not NULL in iwl_mvm_cfg_he_sta() Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 519/542] iwlwifi: mvm: fix TDLS discovery with the new firmware API Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 521/542] netdevsim: fix using uninitialized resources Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 522/542] netdevsim: disable devlink reload when resources are being used Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 523/542] netdevsim: fix panic in nsim_dev_take_snapshot_write() Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 524/542] netdevsim: use __GFP_NOWARN to avoid memalloc warning Sasha Levin
2020-02-14 16:23 ` Jakub Kicinski
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 535/542] i40e: Relax i40e_xsk_wakeup's return value when PF is busy Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 540/542] mlxsw: core: Add validation of hardware device types for MGPIR register Sasha Levin
2020-02-14 15:48 ` [PATCH AUTOSEL 5.5 541/542] mlxsw: spectrum_dpipe: Add missing error path Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200214154854.6746-517-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=avraham.stern@intel.com \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=luciano.coelho@intel.com \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).