• Qiujun Huang's avatar
    ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx · abeaa850
    Qiujun Huang authored
    Free wmi later after cmd urb has been killed, as urb cb will access wmi.
    
    the case reported by syzbot:
    https://lore.kernel.org/linux-usb/0000000000000002fc05a1d61a68@google.com
    BUG: KASAN: use-after-free in ath9k_wmi_ctrl_rx+0x416/0x500
    drivers/net/wireless/ath/ath9k/wmi.c:215
    Read of size 1 at addr ffff8881cef1417c by task swapper/1/0
    
    Call Trace:
    <IRQ>
    ath9k_wmi_ctrl_rx+0x416/0x500 drivers/net/wireless/ath/ath9k/wmi.c:215
    ath9k_htc_rx_msg+0x2da/0xaf0
    drivers/net/wireless/ath/ath9k/htc_hst.c:459
    ath9k_hif_usb_reg_in_cb+0x1ba/0x630
    drivers/net/wireless/ath/ath9k/hif_usb.c:718
    __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
    usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
    dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
    call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
    expire_timers kernel/time/timer.c:1449 [inline]
    __run_timers kernel/time/timer.c:1773 [inline]
    __run_timers kernel/time/timer.c:1740 [inline]
    run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
    
    Reported-and-tested-by: syzbot+5d338854440137ea0fef@syzkaller.appspotmail.com
    Signed-off-by: default avatarQiujun Huang <hqjagain@gmail.com>
    Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200404041838.10426-3-hqjagain@gmail.com
    abeaa850
htc_drv_init.c 26.1 KB