ath9k: Fix use-after-free Read in htc_connect_service
Qiujun Huang authored
commit ced21a4c upstream.

The skb is consumed by htc_send_epid, so it needn't be released again.

The case reported by syzbot:

https://lore.kernel.org/linux-usb/000000000000590f6b05a1c05d15@google.com
usb 1-1: ath9k_htc: Firmware ath9k_htc/htc_9271-1.4.0.fw requested
usb 1-1: ath9k_htc: Transferred FW: ath9k_htc/htc_9271-1.4.0.fw, size:
51008
usb 1-1: Service connection timeout for: 256
==================================================================
BUG: KASAN: use-after-free in atomic_read
include/asm-generic/atomic-instrumented.h:26 [inline]
BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:134
[inline]
BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:1042
[inline]
BUG: KASAN: use-after-free in kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
Read of size 4 at addr ffff8881d0957994 by task kworker/1:2/83

Call Trace:
kfree_skb+0x32/0x3d0 net/core/skbuff.c:692
htc_connect_service.cold+0xa9/0x...
9ddf89d5
Name Last commit Last update
Documentation lib/lzo: fix ambiguous encoding bug in lzo-rle
LICENSES LICENSES: Rename other to deprecated
arch KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
block Revert "block: end bio with BLK_STS_AGAIN in case of non-mq devs and REQ_NOWAIT"
certs .gitignore: add SPDX License Identifier
crypto crypto: drbg - fix error return code in drbg_alloc_state()
drivers ath9k: Fix use-after-free Read in htc_connect_service
fs proc: Use new_inode not new_inode_pseudo
include media: videobuf2-dma-contig: fix bad kfree in vb2_dma_contig_clear_max_seg_size
init Merge tag 'x86_urgent_for_v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
ipc ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
kernel padata: add separate cpuhp node for CPUHP_PADATA_DEAD
lib lib: fix bitmap_parse() on 64-bit big endian archs
mm gup: document and work around "COW can break either way" issue
net net: sched: export __netdev_watchdog_up()
samples Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
scripts checkpatch/coding-style: deprecate 80-column warning
security smack: avoid unused 'sip' variable warning
sound ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock
tools selftests/ftrace: Return unsupported if no error_log file
usr kbuild: fix comment about missing include guard detection
virt KVM: x86: Fix APIC page invalidation race
.clang-format clang-format: Update with the latest for_each macro list
.cocciconfig scripts: add Linux .cocciconfig for coccinelle
.get_maintainer.ignore Opt out of scripts/get_maintainer.pl
.gitattributes
.gitignore
.mailmap
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS
Makefile
README
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result from upgrading your kernel.