ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
Qiujun Huang authored
commit e4ff08a4 upstream.

Write out of slab bounds. We should check epid.

The case reported by syzbot:
https://lore.kernel.org/linux-usb/0000000000006ac55b05a1c05d72@google.com
BUG: KASAN: use-after-free in htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
BUG: KASAN: use-after-free in ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
Write of size 2 at addr ffff8881cea291f0 by task swapper/1/0

Call Trace:
 htc_process_conn_rsp drivers/net/wireless/ath/ath9k/htc_hst.c:131 [inline]
 ath9k_htc_rx_msg+0xa25/0xaf0 drivers/net/wireless/ath/ath9k/htc_hst.c:443
 ath9k_hif_usb_reg_in_cb+0x1ba/0x630 drivers/net/wireless/ath/ath9k/hif_usb.c:718
 __usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
 usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
 dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
 call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
 ex...
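As an added illustration (not code from the ath9k driver or from this commit), a minimal C model of the connect-response handling the message describes: the endpoint id arrives from the device and must be bounded before it is used as an index into the host's endpoint table. The struct layouts, the EP_MAX value and the function names are assumptions, not the driver's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed host-side endpoint table: a fixed array indexed by endpoint id.
 * EP_MAX is a stand-in for the driver's real limit (not shown on this page). */
#define EP_MAX 22

struct endpoint {
    uint16_t service_id;
    uint16_t max_msglen;
    int      connected;
};

struct htc_target {
    struct endpoint endpoint[EP_MAX];
};

/* Constructed connect-response layout (hypothetical field order, native
 * byte order). Every field is device-supplied and therefore untrusted. */
struct conn_rsp {
    uint16_t msg_id;
    uint16_t service_id;
    uint8_t  status;
    uint8_t  endpoint_id;
    uint16_t max_msg_len;
};

#define STATUS_OK 0

/* Pack a response the way a device would send it (test helper). */
size_t build_conn_rsp(uint8_t *out, uint16_t svc, uint8_t status,
                      uint8_t epid, uint16_t maxlen)
{
    struct conn_rsp r = { 0x0003, svc, status, epid, maxlen };
    memcpy(out, &r, sizeof(r));
    return sizeof(r);
}

/* Returns 0 on success, -1 if the message is truncated, failed, or names
 * an endpoint id outside the table. Without the id check, the stores to
 * target->endpoint[id] below land past the end of the allocation, which
 * is the out-of-slab-bounds write the commit message reports. */
int process_conn_rsp(struct htc_target *target, const uint8_t *buf, size_t len)
{
    struct conn_rsp rsp;

    if (len < sizeof(rsp))
        return -1;                      /* short message: nothing to parse */
    memcpy(&rsp, buf, sizeof(rsp));     /* copy out to avoid unaligned access */

    if (rsp.status != STATUS_OK)
        return -1;

    /* Bound the device-chosen index before touching the table. With a
     * signed id (as in the driver) the check must also reject negatives. */
    if (rsp.endpoint_id >= EP_MAX)
        return -1;

    struct endpoint *ep = &target->endpoint[rsp.endpoint_id];
    ep->service_id = rsp.service_id;
    ep->max_msglen = rsp.max_msg_len;
    ep->connected  = 1;
    return 0;
}
```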
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.