From patchwork Wed Oct 10 09:29:47 2018
X-Patchwork-Submitter: Amit Pundir
X-Patchwork-Id: 148545
From: Amit Pundir
To: Greg KH
Cc: Stable, Carl Huang, Kalle Valo
Subject: [PATCH for-4.14.y 2/4] ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
Date: Wed, 10 Oct 2018 14:59:47 +0530
Message-Id: <1539163789-32338-2-git-send-email-amit.pundir@linaro.org>
In-Reply-To: <1539163789-32338-1-git-send-email-amit.pundir@linaro.org>
References: <1539163789-32338-1-git-send-email-amit.pundir@linaro.org>
X-Mailing-List: stable@vger.kernel.org

From: Carl Huang

commit 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac upstream.

The skb may be freed in tx completion context before
trace_ath10k_wmi_cmd is called. This can be easily captured when
KASAN (Kernel Address Sanitizer) is enabled. The fix is to move
trace_ath10k_wmi_cmd before the send operation. As the ret has no
meaning in trace_ath10k_wmi_cmd then, remove this parameter too.

Signed-off-by: Carl Huang
Tested-by: Brian Norris
Reviewed-by: Brian Norris
Signed-off-by: Kalle Valo
Signed-off-by: Amit Pundir
---
To be applied on 4.9.y and 4.4.y as well. Build tested on 4.14.74,
4.9.131 and 4.4.159 for ARCH=arm/arm64 allmodconfig.

 drivers/net/wireless/ath/ath10k/trace.h | 12 ++++--------
 drivers/net/wireless/ath/ath10k/wmi.c   |  2 +-
 2 files changed, 5 insertions(+), 9 deletions(-)

--
2.7.4
diff --git a/drivers/net/wireless/ath/ath10k/trace.h b/drivers/net/wireless/ath/ath10k/trace.h index e0d00cef0bd8..5b974bb76e6c 100644 --- a/drivers/net/wireless/ath/ath10k/trace.h +++ b/drivers/net/wireless/ath/ath10k/trace.h @@ -152,10 +152,9 @@ TRACE_EVENT(ath10k_log_dbg_dump, ); TRACE_EVENT(ath10k_wmi_cmd, - TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len, - int ret), + TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len), - TP_ARGS(ar, id, buf, buf_len, ret), + TP_ARGS(ar, id, buf, buf_len), TP_STRUCT__entry( __string(device, dev_name(ar->dev)) @@ -163,7 +162,6 @@ TRACE_EVENT(ath10k_wmi_cmd, __field(unsigned int, id) __field(size_t, buf_len) __dynamic_array(u8, buf, buf_len) - __field(int, ret) ), TP_fast_assign( @@ -171,17 +169,15 @@ TRACE_EVENT(ath10k_wmi_cmd, __assign_str(driver, dev_driver_string(ar->dev)); __entry->id = id; __entry->buf_len = buf_len; - __entry->ret = ret; memcpy(__get_dynamic_array(buf), buf, buf_len); ), TP_printk( - "%s %s id %d len %zu ret %d", + "%s %s id %d len %zu", __get_str(driver), __get_str(device), __entry->id, - __entry->buf_len, - __entry->ret + __entry->buf_len ) ); diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c index 38a97086708b..2ab5311659ea 100644 --- a/drivers/net/wireless/ath/ath10k/wmi.c +++ b/drivers/net/wireless/ath/ath10k/wmi.c @@ -1741,8 +1741,8 @@ int ath10k_wmi_cmd_send_nowait(struct ath10k *ar, struct sk_buff *skb, cmd_hdr->cmd_id = __cpu_to_le32(cmd); memset(skb_cb, 0, sizeof(*skb_cb)); + trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len); ret = ath10k_htc_send(&ar->htc, ar->wmi.eid, skb); - trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len, ret); if (ret) goto err_pull;
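Review bot: In the trace.h hunk at @@ -152,10 +152,9 @@, dropping ret from TP_PROTO and TP_ARGS changes the signature of trace_ath10k_wmi_cmd() for every caller, while this patch updates only the single call site in wmi.c. Since the note asks for the same patch on 4.9.y and 4.4.y, please confirm that none of the three trees has another caller still passing five arguments. The allmodconfig build test mentioned above should catch that, so saying explicitly that the build covered ath10k with tracing enabled would settle it.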
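Review bot: In the trace.h hunk at @@ -171,17 +169,15 @@, the TP_printk format loses "ret %d", and together with the __field(int, ret) removal in the preceding hunk this changes both the printed line and the record layout of the ath10k_wmi_cmd event in a stable backport. Scripts or tools that parse this event on 4.14.y, 4.9.y or 4.4.y will see a different format after the update. The commit message explains why ret is dropped but not that the event format changes, so a sentence noting that would help anyone consuming these traces.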
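Review bot: In the wmi.c hunk at @@ -1741,8 +1741,8 @@, the tracepoint now fires before ath10k_htc_send() returns, so a command whose send fails and takes the goto err_pull path is traced exactly like one that was sent, and the trace no longer carries any failure indication. If that information matters for debugging, consider a separate debug message or trace on the err_pull path, which only needs ret and cmd_id and does not have to read skb->data or skb->len. It would also help to add a short comment above the moved trace_ath10k_wmi_cmd() call stating that the skb may be freed in tx completion once ath10k_htc_send() succeeds, so the call is not moved back below the send in a later cleanup.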