• Qiujun Huang's avatar
    ath9k: Fix use-after-free Read in htc_connect_service · ced21a4c
    Qiujun Huang authored
    The skb is consumed by htc_send_epid, so it needn't release again.
    
    The case reported by syzbot:
    
    https://lore.kernel.org/linux-usb/000000000000590f6b05a1c05d15@google.com
    usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
    usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size:
    51008
    usb 1-1: Service connection timeout for: 256
    ==================================================================
    BUG: KASAN: use-after-free in atomic_read
    include/asm-generic/atomic-instrumented.h:26 [inline]
    BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:134
    [inline]
    BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1042
    [inline]
    BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
    Read of size 4 at addr ffff8881d0957994 by task kworker/1:2/83
    
    Call Trace:
    kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
    htc_connect_service.cold+0xa9/0x109
    drivers/net/wireless/ath/ath9k/htc_hst.c:282
    ath9k_wmi_connect+0xd2/0x1a0 drivers/net/wireless/ath/ath9k/wmi.c:265
    ath9k_init_htc_services.constprop.0+0xb4/0x650
    drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
    ath9k_htc_probe_device+0x25a/0x1d80
    drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
    ath9k_htc_hw_init+0x31/0x60
    drivers/net/wireless/ath/ath9k/htc_hst.c:501
    ath9k_hif_usb_firmware_cb+0x26b/0x500
    drivers/net/wireless/ath/ath9k/hif_usb.c:1187
    request_firmware_work_func+0x126/0x242
    drivers/base/firmware_loader/main.c:976
    process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
    worker_thread+0x96/0xe20 kernel/workqueue.c:2410
    kthread+0x318/0x420 kernel/kthread.c:255
    ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
    
    Allocated by task 83:
    kmem_cache_alloc_node+0xdc/0x330 mm/slub.c:2814
    __alloc_skb+0xba/0x5a0 net/core/skbuff.c:198
    alloc_skb include/linux/skbuff.h:1081 [inline]
    htc_connect_service+0x2cc/0x840
    drivers/net/wireless/ath/ath9k/htc_hst.c:257
    ath9k_wmi_connect+0xd2/0x1a0 drivers/net/wireless/ath/ath9k/wmi.c:265
    ath9k_init_htc_services.constprop.0+0xb4/0x650
    drivers/net/wireless/ath/ath9k/htc_drv_init.c:146
    ath9k_htc_probe_device+0x25a/0x1d80
    drivers/net/wireless/ath/ath9k/htc_drv_init.c:959
    ath9k_htc_hw_init+0x31/0x60
    drivers/net/wireless/ath/ath9k/htc_hst.c:501
    ath9k_hif_usb_firmware_cb+0x26b/0x500
    drivers/net/wireless/ath/ath9k/hif_usb.c:1187
    request_firmware_work_func+0x126/0x242
    drivers/base/firmware_loader/main.c:976
    process_one_work+0x94b/0x1620 kernel/workqueue.c:2264
    worker_thread+0x96/0xe20 kernel/workqueue.c:2410
    kthread+0x318/0x420 kernel/kthread.c:255
    ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
    
    Freed by task 0:
    kfree_skb+0x102/0x3d0 net/core/skbuff.c:690
    ath9k_htc_txcompletion_cb+0x1f8/0x2b0
    drivers/net/wireless/ath/ath9k/htc_hst.c:356
    hif_usb_regout_cb+0x10b/0x1b0
    drivers/net/wireless/ath/ath9k/hif_usb.c:90
    __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
    usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
    dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
    call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
    expire_timers kernel/time/timer.c:1449 [inline]
    __run_timers kernel/time/timer.c:1773 [inline]
    __run_timers kernel/time/timer.c:1740 [inline]
    run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
    __do_softirq+0x21e/0x950 kernel/softirq.c:292
    
    Reported-and-tested-by: syzbot+9505af1ae303dabdc646@syzkaller.appspotmail.com
    Signed-off-by: default avatarQiujun Huang <hqjagain@gmail.com>
    Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
    Link: https://lore.kernel.org/r/20200404041838.10426-2-hqjagain@gmail.com
    ced21a4c
htc_hst.c 12.5 KB