From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Carl Huang, Brian Norris, Kalle Valo, Amit Pundir
Subject: [PATCH 4.14 30/45] ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
Date: Thu, 11 Oct 2018 17:39:57 +0200
Message-Id: <20181011152510.203844200@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181011152508.885515042@linuxfoundation.org>
References: <20181011152508.885515042@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Carl Huang

commit 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac upstream.

The skb may be freed in tx completion context before trace_ath10k_wmi_cmd is called. This can be easily captured when KASAN(Kernel Address Sanitizer) is enabled. The fix is to move trace_ath10k_wmi_cmd before the send operation. As the ret has no meaning in trace_ath10k_wmi_cmd then, so remove this parameter too.

Signed-off-by: Carl Huang
Tested-by: Brian Norris
Reviewed-by: Brian Norris
Signed-off-by: Kalle Valo
Signed-off-by: Amit Pundir
Signed-off-by: Greg Kroah-Hartman
--- drivers/net/wireless/ath/ath10k/trace.h | 12 ++++-------- drivers/net/wireless/ath/ath10k/wmi.c | 2 +- 2 files changed, 5 insertions(+), 9 deletions(-) --- a/drivers/net/wireless/ath/ath10k/trace.h +++ b/drivers/net/wireless/ath/ath10k/trace.h @@ -152,10 +152,9 @@ TRACE_EVENT(ath10k_log_dbg_dump, ); TRACE_EVENT(ath10k_wmi_cmd, - TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len, - int ret), + TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len), - TP_ARGS(ar, id, buf, buf_len, ret), + TP_ARGS(ar, id, buf, buf_len), TP_STRUCT__entry( __string(device, dev_name(ar->dev)) 
@@ -163,7 +162,6 @@ TRACE_EVENT(ath10k_wmi_cmd, __field(unsigned int, id) __field(size_t, buf_len) __dynamic_array(u8, buf, buf_len) - __field(int, ret) ), TP_fast_assign( @@ -171,17 +169,15 @@ TRACE_EVENT(ath10k_wmi_cmd, __assign_str(driver, dev_driver_string(ar->dev)); __entry->id = id; __entry->buf_len = buf_len; - __entry->ret = ret; memcpy(__get_dynamic_array(buf), buf, buf_len); ), TP_printk( - "%s %s id %d len %zu ret %d", + "%s %s id %d len %zu", __get_str(driver), __get_str(device), __entry->id, - __entry->buf_len, - __entry->ret + __entry->buf_len ) ); --- a/drivers/net/wireless/ath/ath10k/wmi.c +++ b/drivers/net/wireless/ath/ath10k/wmi.c @@ -1741,8 +1741,8 @@ int ath10k_wmi_cmd_send_nowait(struct at cmd_hdr->cmd_id = __cpu_to_le32(cmd); memset(skb_cb, 0, sizeof(*skb_cb)); + trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len); ret = ath10k_htc_send(&ar->htc, ar->wmi.eid, skb); - trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len, ret); if (ret) goto err_pull;
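Review bot: in the trace.h hunks, dropping `__field(int, ret)` and changing the TP_printk format from "%s %s id %d len %zu ret %d" to "%s %s id %d len %zu" alters both the recorded event layout and the printed line, and the changelog does not say so. It explains why ret no longer has a meaning at the new call site, but for a stable backport it would help to state explicitly that the ath10k_wmi_cmd event loses its ret field, so anyone parsing that event knows to expect the change.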
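Review bot: in the wmi.c hunk, nothing at the moved `trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len);` call records why it has to sit above `ath10k_htc_send()`, so a later cleanup could move it back and reintroduce the read of skb->data and skb->len after the skb may already have been freed in tx completion. A one-line comment there stating that skb must not be dereferenced once it has been handed to ath10k_htc_send would protect the ordering. Note also that the event now fires for commands whose send then fails and takes the `if (ret) goto err_pull;` path; if that distinction matters for debugging, ret could be reported separately on the error path.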