From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Carl Huang, Brian Norris, Kalle Valo, Amit Pundir
Subject: [PATCH 4.4 15/27] ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
Date: Thu, 11 Oct 2018 17:35:02 +0200
Message-Id: <20181011152534.761957746@linuxfoundation.org>
In-Reply-To: <20181011152534.014964888@linuxfoundation.org>
References: <20181011152534.014964888@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Carl Huang

commit 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac upstream.

The skb may be freed in tx completion context before trace_ath10k_wmi_cmd is called. This can be easily captured when KASAN(Kernel Address Sanitizer) is enabled. The fix is to move trace_ath10k_wmi_cmd before the send operation. As the ret has no meaning in trace_ath10k_wmi_cmd then, so remove this parameter too.

Signed-off-by: Carl Huang
Tested-by: Brian Norris
Reviewed-by: Brian Norris
Signed-off-by: Kalle Valo
Signed-off-by: Amit Pundir
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/wireless/ath/ath10k/trace.h | 12 ++++--------
 drivers/net/wireless/ath/ath10k/wmi.c | 2 +-
 2 files changed, 5 insertions(+), 9 deletions(-)

--- a/drivers/net/wireless/ath/ath10k/trace.h +++ b/drivers/net/wireless/ath/ath10k/trace.h @@ -152,10 +152,9 @@ TRACE_EVENT(ath10k_log_dbg_dump, ); TRACE_EVENT(ath10k_wmi_cmd, - TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len, - int ret), + TP_PROTO(struct ath10k *ar, int id, const void *buf, size_t buf_len), - TP_ARGS(ar, id, buf, buf_len, ret), + TP_ARGS(ar, id, buf, buf_len), TP_STRUCT__entry( __string(device, dev_name(ar->dev)) 
@@ -163,7 +162,6 @@ TRACE_EVENT(ath10k_wmi_cmd, __field(unsigned int, id) __field(size_t, buf_len) __dynamic_array(u8, buf, buf_len) - __field(int, ret) ), TP_fast_assign( @@ -171,17 +169,15 @@ TRACE_EVENT(ath10k_wmi_cmd, __assign_str(driver, dev_driver_string(ar->dev)); __entry->id = id; __entry->buf_len = buf_len; - __entry->ret = ret; memcpy(__get_dynamic_array(buf), buf, buf_len); ), TP_printk( - "%s %s id %d len %zu ret %d", + "%s %s id %d len %zu", __get_str(driver), __get_str(device), __entry->id, - __entry->buf_len, - __entry->ret + __entry->buf_len ) ); --- a/drivers/net/wireless/ath/ath10k/wmi.c +++ b/drivers/net/wireless/ath/ath10k/wmi.c @@ -1642,8 +1642,8 @@ int ath10k_wmi_cmd_send_nowait(struct at cmd_hdr->cmd_id = __cpu_to_le32(cmd); memset(skb_cb, 0, sizeof(*skb_cb)); + trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len); ret = ath10k_htc_send(&ar->htc, ar->wmi.eid, skb); - trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len, ret); if (ret) goto err_pull;
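
Review bot: removing `ret` from TP_STRUCT__entry and TP_printk in trace.h changes both the record layout and the printed format of the ath10k_wmi_cmd event (the format string goes from "%s %s id %d len %zu ret %d" to "%s %s id %d len %zu"), and the changelog only says the parameter is removed. Because this is queued for a stable tree, say explicitly in the changelog that the event format changes, so that anyone parsing the `ret` field out of existing trace output knows to adjust.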
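
Review bot: in the wmi.c hunk, the trace call in ath10k_wmi_cmd_send_nowait() now sits above ath10k_htc_send() with nothing in the code saying why the order matters, so a later cleanup could move it back below the send and reintroduce the read of skb->data and skb->len after the skb may already have been freed in tx completion. Add a short comment above `trace_ath10k_wmi_cmd(ar, cmd_id, skb->data, skb->len);` stating that the skb must not be dereferenced once ath10k_htc_send() has been called successfully. Note also that the event is now recorded even when the send fails and the function takes `goto err_pull`, so a trace entry no longer implies the command was handed to HTC; mention that in the changelog as well.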