git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Fedor Pchelkin <pchelkin@ispras.ru>
	Tue, 25 Apr 2023 19:26:07 +0000 (22:26 +0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 13 Sep 2023 07:48:06 +0000 (09:48 +0200)
commit	64f72193ec17ba2e49984d9131c636b39438bd13
tree	51e66464346bddaf9b305aa11d836732f2b182cf	tree
parent	0a4bccf0dcce3a39c9bbe5cae8863efa0aefca01	commit \| diff

wifi: ath9k: protect WMI command response buffer replacement with a lock

[ Upstream commit 454994cfa9e4c18b6df9f78b60db8eadc20a6c25 ]

If ath9k_wmi_cmd() has exited with a timeout, it is possible that during
next ath9k_wmi_cmd() call the wmi_rsp callback for previous wmi command
writes to new wmi->cmd_rsp_buf and makes a completion. This results in an
invalid ath9k_wmi_cmd() return value.

Move the replacement of WMI command response buffer and length under
wmi_lock. Note that last_seq_id value is updated there, too.

Thus, the buffer cannot be written to by a belated wmi_rsp callback
because that path is properly rejected by the last_seq_id check.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230425192607.18015-2-pchelkin@ispras.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>