release/5.2.33/qtnfmac-fix-using-skb-after-free.patch - pub/scm/linux/kernel/git/paulg/longterm-queue-5.2 - Git at Google

 From a163b122728cc285bf8d2002033e26f61feb3d11 Mon Sep 17 00:00:00 2001
 From: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
 Date: Wed, 13 Nov 2019 11:06:47 +0000
 Subject: [PATCH] qtnfmac: fix using skb after free

 commit 4a33f21cef84b1b933958c99ed5dac1726214b35 upstream.

 KASAN reported use-after-free error:

 [  995.220767] BUG: KASAN: use-after-free in qtnf_cmd_send_with_reply+0x169/0x3e0 [qtnfmac]
 [  995.221098] Read of size 2 at addr ffff888213d1ded0 by task kworker/1:1/71

 The issue in qtnf_cmd_send_with_reply impacts all the commands that do
 not need response other then return code. For such commands, consume_skb
 is used for response skb and right after that return code in response
 skb is accessed.

 Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
 Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

 diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c
 index 459f6b81d2eb..59051004f970 100644
 --- a/drivers/net/wireless/quantenna/qtnfmac/commands.c
 +++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c
 @@ -83,6 +83,7 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus,
  	struct qlink_cmd *cmd;
  	struct qlink_resp *resp = NULL;
  	struct sk_buff *resp_skb = NULL;
 +	int resp_res = 0;
  	u16 cmd_id;
  	u8 mac_id;
  	u8 vif_id;
 @@ -113,6 +114,7 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus,
  	}

  	resp = (struct qlink_resp *)resp_skb->data;
 +	resp_res = le16_to_cpu(resp->result);
  	ret = qtnf_cmd_check_reply_header(resp, cmd_id, mac_id, vif_id,
  					  const_resp_size);
  	if (ret)
 @@ -128,8 +130,8 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus,
  	else
  		consume_skb(resp_skb);

 -	if (!ret && resp)
 -		return qtnf_cmd_resp_result_decode(le16_to_cpu(resp->result));
 +	if (!ret)
 +		return qtnf_cmd_resp_result_decode(resp_res);

  	pr_warn("VIF%u.%u: cmd 0x%.4X failed: %d\n",
  		mac_id, vif_id, cmd_id, ret);
 --
 2.7.4
	From a163b122728cc285bf8d2002033e26f61feb3d11 Mon Sep 17 00:00:00 2001
	From: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
	Date: Wed, 13 Nov 2019 11:06:47 +0000
	Subject: [PATCH] qtnfmac: fix using skb after free

	commit 4a33f21cef84b1b933958c99ed5dac1726214b35 upstream.

	KASAN reported use-after-free error:

	[ 995.220767] BUG: KASAN: use-after-free in qtnf_cmd_send_with_reply+0x169/0x3e0 [qtnfmac]
	[ 995.221098] Read of size 2 at addr ffff888213d1ded0 by task kworker/1:1/71

	The issue in qtnf_cmd_send_with_reply impacts all the commands that do
	not need response other then return code. For such commands, consume_skb
	is used for response skb and right after that return code in response
	skb is accessed.

	Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
	Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
	Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>

	diff --git a/drivers/net/wireless/quantenna/qtnfmac/commands.c b/drivers/net/wireless/quantenna/qtnfmac/commands.c
	index 459f6b81d2eb..59051004f970 100644
	--- a/drivers/net/wireless/quantenna/qtnfmac/commands.c
	+++ b/drivers/net/wireless/quantenna/qtnfmac/commands.c
	@@ -83,6 +83,7 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus,
	struct qlink_cmd *cmd;
	struct qlink_resp *resp = NULL;
	struct sk_buff *resp_skb = NULL;
	+ int resp_res = 0;
	u16 cmd_id;
	u8 mac_id;
	u8 vif_id;
	@@ -113,6 +114,7 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus,
	}

	resp = (struct qlink_resp *)resp_skb->data;
	+ resp_res = le16_to_cpu(resp->result);
	ret = qtnf_cmd_check_reply_header(resp, cmd_id, mac_id, vif_id,
	const_resp_size);
	if (ret)
	@@ -128,8 +130,8 @@ static int qtnf_cmd_send_with_reply(struct qtnf_bus *bus,
	else
	consume_skb(resp_skb);

	- if (!ret && resp)
	- return qtnf_cmd_resp_result_decode(le16_to_cpu(resp->result));
	+ if (!ret)
	+ return qtnf_cmd_resp_result_decode(resp_res);

	pr_warn("VIF%u.%u: cmd 0x%.4X failed: %d\n",
	mac_id, vif_id, cmd_id, ret);
	--
	2.7.4