| From a163b122728cc285bf8d2002033e26f61feb3d11 Mon Sep 17 00:00:00 2001 |
| From: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com> |
| Date: Wed, 13 Nov 2019 11:06:47 +0000 |
| Subject: [PATCH] qtnfmac: fix using skb after free |
| |
| commit 4a33f21cef84b1b933958c99ed5dac1726214b35 upstream. |
| |
| KASAN reported use-after-free error: |
| |
| [ 995.220767] BUG: KASAN: use-after-free in qtnf_cmd_send_with_reply+0x169/0x3e0 [qtnfmac] |
| [ 995.221098] Read of size 2 at addr ffff888213d1ded0 by task kworker/1:1/71 |
| |
| The issue in qtnf_cmd_send_with_reply impacts all the commands that do |
| not need response other than return code. For such commands, consume_skb |
| is used for response skb and right after that return code in response |
| skb is accessed. |
| |
| Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c |
| index 459f6b81d2eb..59051004f970 100644 |
| --- a/drivers/net/wireless/quantenna/qtnfmac/commands.c |
| +++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c |
| @@ -83,6 +83,7 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus, |
| struct qlink_cmd *cmd; |
| struct qlink_resp *resp = NULL; |
| struct sk_buff *resp_skb = NULL; |
| + int resp_res = 0; |
| u16 cmd_id; |
| u8 mac_id; |
| u8 vif_id; |
| @@ -113,6 +114,7 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus, |
| } |
| |
| resp = (struct qlink_resp *)resp_skb->data; |
| + resp_res = le16_to_cpu(resp->result); |
| ret = qtnf_cmd_check_reply_header(resp, cmd_id, mac_id, vif_id, |
| const_resp_size); |
| if (ret) |
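Review bot: The new `resp_res = le16_to_cpu(resp->result);` now dereferences the response header before `qtnf_cmd_check_reply_header()` has run, whereas the removed code in the next hunk only read `resp->result` after that check succeeded. If the header check is what validates that the reply is at least `const_resp_size` bytes (the hunk does not show what it checks), this reorders an untrusted-length read ahead of its validation, for data that arrives from the firmware side of the bus. The ordering can be kept by assigning on the validated path instead, e.g. after the `if (ret)` branch that follows: `resp_res = le16_to_cpu(resp->result);` once the check has passed, leaving the declaration's `= 0` initializer as the value for the failure path. The enclosing function begins and ends outside this hunk, and the `if (ret)` body is cut off at the hunk boundary, so the exact insertion point has to be confirmed against the full function.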
| @@ -128,8 +130,8 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus, |
| else |
| consume_skb(resp_skb); |
| |
| - if (!ret && resp) |
| - return qtnf_cmd_resp_result_decode(le16_to_cpu(resp->result)); |
| + if (!ret) |
| + return qtnf_cmd_resp_result_decode(resp_res); |
| |
| pr_warn("VIF%u.%u: cmd 0x%.4X failed: %d\n", |
| mac_id, vif_id, cmd_id, ret); |
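Review bot: Dropping `&& resp` from the condition at `if (!ret)` makes the success path depend on every `ret == 0` route having reached the `resp = (struct qlink_resp *)resp_skb->data;` assignment in the previous hunk; since `resp_res` is now a plain `int` initialised to 0, a `ret == 0` path that skipped the assignment would decode a zero result as success rather than being caught as before. This is presumably true for the current control flow, but the function starts before this hunk and the early-exit paths are not visible here, so it is worth confirming. A short comment above the line such as `/* resp_res was captured before the skb was released; resp is no longer valid here */` would make the use-after-free fix and the reason for the changed condition evident to the next reader.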
| -- |
| 2.7.4 |
| |