From: Greg Kroah-Hartman Date: Thu, 11 Oct 2018 09:32:47 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.124~25 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1a775b4c1984e1a5a9f966b0b7c706286d02b55b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch --- diff --git a/queue-4.4/ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch b/queue-4.4/ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch new file mode 100644 index 00000000000..aced58db52c --- /dev/null +++ b/queue-4.4/ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch @@ -0,0 +1,82 @@ +From 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac Mon Sep 17 00:00:00 2001 +From: Carl Huang +Date: Mon, 5 Mar 2018 14:44:02 +0800 +Subject: ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait + +From: Carl Huang + +commit 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac upstream. + +The skb may be freed in tx completion context before +trace_ath10k_wmi_cmd is called. This can be easily captured when +KASAN(Kernel Address Sanitizer) is enabled. The fix is to move +trace_ath10k_wmi_cmd before the send operation. As the ret has no +meaning in trace_ath10k_wmi_cmd then, so remove this parameter too. + +Signed-off-by: Carl Huang +Tested-by: Brian Norris +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath10k/trace.h | 12 ++++-------- + drivers/net/wireless/ath/ath10k/wmi.c | 2 +- + 2 files changed, 5 insertions(+), 9 deletions(-) + +--- a/drivers/net/wireless/ath/ath10k/trace.h ++++ b/drivers/net/wireless/ath/ath10k/trace.h +@@ -152,10 +152,9 @@ TRACE_EVENT(ath10k_log_dbg_dump, + ); + + TRACE_EVENT(ath10k_wmi_cmd, +- TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len, +- int ret), ++ TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len), + +- TP_ARGS(ar, id, buf, buf_len, ret), ++ TP_ARGS(ar, id, buf, buf_len), + + TP_STRUCT__entry( + __string(device, dev_name(ar->dev)) +@@ -163,7 +162,6 @@ TRACE_EVENT(ath10k_wmi_cmd, + __field(unsigned int, id) + __field(size_t, buf_len) + __dynamic_array(u8, buf, buf_len) +- __field(int, ret) + ), + + TP_fast_assign( +@@ -171,17 +169,15 @@ TRACE_EVENT(ath10k_wmi_cmd, + __assign_str(driver, dev_driver_string(ar->dev)); + __entry->id = id; + __entry->buf_len = buf_len; +- __entry->ret = ret; + memcpy(__get_dynamic_array(buf), buf, buf_len); + ), + + TP_printk( +- "%s %s id %d len %zu ret %d", ++ "%s %s id %d len %zu", + __get_str(driver), + __get_str(device), + __entry->id, +- __entry->buf_len, +- __entry->ret ++ __entry->buf_len + ) + ); + +--- a/drivers/net/wireless/ath/ath10k/wmi.c ++++ b/drivers/net/wireless/ath/ath10k/wmi.c +@@ -1642,8 +1642,8 @@ int ath10k_wmi_cmd_send_nowait(struct at + cmd_hdr->cmd_id = __cpu_to_le32(cmd); + + memset(skb_cb, 0, sizeof(*skb_cb)); ++ trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len); + ret = ath10k_htc_send(&ar->htc, ar->wmi.eid, skb); +- trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len, ret); + + if (ret) + goto err_pull; diff --git a/queue-4.4/series b/queue-4.4/series index f1b2c6d45ea..fe1a3476e3f 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -12,3 +12,4 @@ of-unittest-disable-interrupt-node-tests-for-old-world-mac-systems.patch ext4-add-corruption-check-in-ext4_xattr_set_entry.patch ext4-always-verify-the-magic-number-in-xattr-blocks.patch cgroup-fix-deadlock-in-cpu-hotplug-path.patch +ath10k-fix-use-after-free-in-ath10k_wmi_cmd_send_nowait.patch