diff mbox series

[1/5] ath9k: Fix use-after-free Read in htc_connect_service

Message ID 20200404041838.10426-2-hqjagain@gmail.com
State Awaiting Upstream
Delegated to: David Miller
Headers show
Series ath9k: bug fixes | expand

Commit Message

Qiujun Huang April 4, 2020, 4:18 a.m. UTC 
The skb is consumed by htc_send_epid, so it needn't release again.

The case reported by syzbot:

https://lore.kernel.org/linux-usb/000000000000590f6b05a1c05d15@google.com
usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size:
51008
usb 1-1: Service connection timeout for: 256
==================================================================
BUG: KASAN: use-after-free in atomic_read
include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:134
[inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1042
[inline]
BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
Read of size 4 at addr ffff8881d0957994 by task kworker/1:2/83

Call Trace:
kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
htc_connect_service.cold+0xa9/0x109
drivers/net/wireless/ath/ath9k/htc_hst.c:282
ath9k_wmi_connect+0xd2/0x1a0 drivers/net/wireless/ath/ath9k/wmi.c:265
ath9k_init_htc_services.constprop.0+0xb4/0x650
drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x25a/0x1d80
drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
ath9k_htc_hw_init+0x31/0x60
drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500
drivers/net/wireless/ath/ath9k/hif_usb.c:1187
request_firmware_work_func+0x126/0x242
drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 83:
kmem_cache_alloc_node+0xdc/0x330 mm/slub.c:2814
__alloc_skb+0xba/0x5a0 net/core/skbuff.c:198
alloc_skb include/linux/skbuff.h:1081 [inline]
htc_connect_service+0x2cc/0x840
drivers/net/wireless/ath/ath9k/htc_hst.c:257
ath9k_wmi_connect+0xd2/0x1a0 drivers/net/wireless/ath/ath9k/wmi.c:265
ath9k_init_htc_services.constprop.0+0xb4/0x650
drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
ath9k_htc_probe_device+0x25a/0x1d80
drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
ath9k_htc_hw_init+0x31/0x60
drivers/net/wireless/ath/ath9k/htc_hst.c:501
ath9k_hif_usb_firmware_cb+0x26b/0x500
drivers/net/wireless/ath/ath9k/hif_usb.c:1187
request_firmware_work_func+0x126/0x242
drivers/base/firmware_loader/main.c:976
process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
worker_thread+0x96/0xe20 kernel/workqueue.c:2410
kthread+0x318/0x420 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Freed by task 0:
kfree_skb+0x102/0x3d0 net/core/skbuff.c:690
ath9k_htc_txcompletion_cb+0x1f8/0x2b0
drivers/net/wireless/ath/ath9k/htc_hst.c:356
hif_usb_regout_cb+0x10b/0x1b0
drivers/net/wireless/ath/ath9k/hif_usb.c:90
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292

Reported-and-tested-by: syzbot+9505af1ae303dabdc646@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
---
 drivers/net/wireless/ath/ath9k/htc_hst.c | 3 ---
 drivers/net/wireless/ath/ath9k/wmi.c     | 1 -
 2 files changed, 4 deletions(-)

Comments

Kalle Valo April 7, 2020, 5:01 a.m. UTC | #1 
Qiujun Huang <hqjagain@gmail.com> wrote:

> The skb is consumed by htc_send_epid, so it needn't release again.
> 
> The case reported by syzbot:
> 
> https://lore.kernel.org/linux-usb/000000000000590f6b05a1c05d15@google.com
> usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
> usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size:
> 51008
> usb 1-1: Service connection timeout for: 256
> ==================================================================
> BUG: KASAN: use-after-free in atomic_read
> include/asm-generic/atomic-instrumented.h:26 [inline]
> BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:134
> [inline]
> BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1042
> [inline]
> BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
> Read of size 4 at addr ffff8881d0957994 by task kworker/1:2/83
> 
> Call Trace:
> kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
> htc_connect_service.cold+0xa9/0x109
> drivers/net/wireless/ath/ath9k/htc_hst.c:282
> ath9k_wmi_connect+0xd2/0x1a0 drivers/net/wireless/ath/ath9k/wmi.c:265
> ath9k_init_htc_services.constprop.0+0xb4/0x650
> drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
> ath9k_htc_probe_device+0x25a/0x1d80
> drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
> ath9k_htc_hw_init+0x31/0x60
> drivers/net/wireless/ath/ath9k/htc_hst.c:501
> ath9k_hif_usb_firmware_cb+0x26b/0x500
> drivers/net/wireless/ath/ath9k/hif_usb.c:1187
> request_firmware_work_func+0x126/0x242
> drivers/base/firmware_loader/main.c:976
> process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
> worker_thread+0x96/0xe20 kernel/workqueue.c:2410
> kthread+0x318/0x420 kernel/kthread.c:255
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> 
> Allocated by task 83:
> kmem_cache_alloc_node+0xdc/0x330 mm/slub.c:2814
> __alloc_skb+0xba/0x5a0 net/core/skbuff.c:198
> alloc_skb include/linux/skbuff.h:1081 [inline]
> htc_connect_service+0x2cc/0x840
> drivers/net/wireless/ath/ath9k/htc_hst.c:257
> ath9k_wmi_connect+0xd2/0x1a0 drivers/net/wireless/ath/ath9k/wmi.c:265
> ath9k_init_htc_services.constprop.0+0xb4/0x650
> drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
> ath9k_htc_probe_device+0x25a/0x1d80
> drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
> ath9k_htc_hw_init+0x31/0x60
> drivers/net/wireless/ath/ath9k/htc_hst.c:501
> ath9k_hif_usb_firmware_cb+0x26b/0x500
> drivers/net/wireless/ath/ath9k/hif_usb.c:1187
> request_firmware_work_func+0x126/0x242
> drivers/base/firmware_loader/main.c:976
> process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
> worker_thread+0x96/0xe20 kernel/workqueue.c:2410
> kthread+0x318/0x420 kernel/kthread.c:255
> ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
> 
> Freed by task 0:
> kfree_skb+0x102/0x3d0 net/core/skbuff.c:690
> ath9k_htc_txcompletion_cb+0x1f8/0x2b0
> drivers/net/wireless/ath/ath9k/htc_hst.c:356
> hif_usb_regout_cb+0x10b/0x1b0
> drivers/net/wireless/ath/ath9k/hif_usb.c:90
> __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
> usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
> dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
> call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
> expire_timers kernel/time/timer.c:1449 [inline]
> __run_timers kernel/time/timer.c:1773 [inline]
> __run_timers kernel/time/timer.c:1740 [inline]
> run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
> __do_softirq+0x21e/0x950 kernel/softirq.c:292
> 
> Reported-and-tested-by: syzbot+9505af1ae303dabdc646@syzkaller.appspotmail.com
> Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

5 patches applied to ath-next branch of ath.git, thanks.

ced21a4c726b ath9k: Fix use-after-free Read in htc_connect_service
abeaa85054ff ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
e4ff08a4d727 ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
19d6c375d671 ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
2bbcaaee1fcb ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
Dan Carpenter April 7, 2020, 10:51 a.m. UTC | #2 
This patch is correct but there are a lot of error paths in
hif_usb_send() which don't free the skb.  Some error paths *do* free
the skb but most don't.  It's really a lot of work to sort through and
fix.

regards,
dan carpenter
diff mbox series

Patch

diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c
index d091c8ebdcf0..1bf63a4efb4c 100644
--- a/drivers/net/wireless/ath/ath9k/htc_hst.c
+++ b/drivers/net/wireless/ath/ath9k/htc_hst.c
@@ -170,7 +170,6 @@  static int htc_config_pipe_credits(struct htc_target *target)
 	time_left = wait_for_completion_timeout(&target->cmd_wait, HZ);
 	if (!time_left) {
 		dev_err(target->dev, "HTC credit config timeout\n");
-		kfree_skb(skb);
 		return -ETIMEDOUT;
 	}
 
@@ -206,7 +205,6 @@  static int htc_setup_complete(struct htc_target *target)
 	time_left = wait_for_completion_timeout(&target->cmd_wait, HZ);
 	if (!time_left) {
 		dev_err(target->dev, "HTC start timeout\n");
-		kfree_skb(skb);
 		return -ETIMEDOUT;
 	}
 
@@ -279,7 +277,6 @@  int htc_connect_service(struct htc_target *target,
 	if (!time_left) {
 		dev_err(target->dev, "Service connection timeout for: %d\n",
 			service_connreq->service_id);
-		kfree_skb(skb);
 		return -ETIMEDOUT;
 	}
 
diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c
index cdc146091194..d1f6710ca63b 100644
--- a/drivers/net/wireless/ath/ath9k/wmi.c
+++ b/drivers/net/wireless/ath/ath9k/wmi.c
@@ -336,7 +336,6 @@  int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id,
 		ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n",
 			wmi_cmd_to_name(cmd_id));
 		mutex_unlock(&wmi->op_mutex);
-		kfree_skb(skb);
 		return -ETIMEDOUT;
 	}