From: Jia-Ju Bai
To: pizza@shaftnet.org, kvalo@codeaurora.org, davem@davemloft.net
Cc: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH] cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
Date: Fri, 14 Dec 2018 11:55:21 +0800
Message-Id: <20181214035521.30388-1-baijiaju1990@gmail.com>
X-Mailer: git-send-email 2.17.0
X-Mailing-List: linux-kernel@vger.kernel.org

The functions cw1200_bss_info_changed() and cw1200_hw_scan() can be executed concurrently. Both functions access a possibly shared variable "frame.skb". This shared variable is freed by dev_kfree_skb() in cw1200_upload_beacon(), which is called by cw1200_bss_info_changed(). The free operation is protected by the mutex lock "priv->conf_mutex" in cw1200_bss_info_changed(). In cw1200_hw_scan(), this shared variable is accessed without the protection of the mutex lock "priv->conf_mutex". Thus, concurrency use-after-free bugs may occur.

To fix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and mutex_unlock(&priv->conf_mutex) are moved to places that protect the accesses to the shared variable.
Signed-off-by: Jia-Ju Bai --- drivers/net/wireless/st/cw1200/scan.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/net/wireless/st/cw1200/scan.c b/drivers/net/wireless/st/cw1200/scan.c index 67213f11acbd..0a9eac93dd01 100644 --- a/drivers/net/wireless/st/cw1200/scan.c +++ b/drivers/net/wireless/st/cw1200/scan.c @@ -78,6 +78,10 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, if (req->n_ssids > WSM_SCAN_MAX_NUM_OF_SSIDS) return -EINVAL; + /* will be unlocked in cw1200_scan_work() */ + down(&priv->scan.lock); + mutex_lock(&priv->conf_mutex); + frame.skb = ieee80211_probereq_get(hw, priv->vif->addr, NULL, 0, req->ie_len); if (!frame.skb) @@ -86,19 +90,15 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, if (req->ie_len) skb_put_data(frame.skb, req->ie, req->ie_len); - /* will be unlocked in cw1200_scan_work() */ - down(&priv->scan.lock); - mutex_lock(&priv->conf_mutex); - ret = wsm_set_template_frame(priv, &frame); if (!ret) { /* Host want to be the probe responder. */ ret = wsm_set_probe_responder(priv, true); } if (ret) { + dev_kfree_skb(frame.skb); mutex_unlock(&priv->conf_mutex); up(&priv->scan.lock); - dev_kfree_skb(frame.skb); return ret; } @@ -120,10 +120,9 @@ int cw1200_hw_scan(struct ieee80211_hw *hw, ++priv->scan.n_ssids; } - mutex_unlock(&priv->conf_mutex); - if (frame.skb) dev_kfree_skb(frame.skb); + mutex_unlock(&priv->conf_mutex); queue_work(priv->workqueue, &priv->scan.work); return 0; } -- 2.17.0
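Review bot: in the first hunk (@@ -78,6 +78,10 @@), moving `down(&priv->scan.lock)` and `mutex_lock(&priv->conf_mutex)` above `ieee80211_probereq_get()` leaves the `if (!frame.skb)` early return directly below the new lock block holding both locks. The body of that branch is outside the hunk, but before this change it ran with nothing held, and after it the allocation-failure path returns without `mutex_unlock(&priv->conf_mutex)` and `up(&priv->scan.lock)`, so a single failed allocation would leave the scan semaphore taken and every later scan blocked forever. That path needs the same two releases the `if (ret)` path already has.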
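Review bot: in the second hunk (@@ -86,19 +90,15 @@), once the lock block is removed from here and `dev_kfree_skb(frame.skb)` is pulled above `mutex_unlock()`, this `if (ret)` exit and the `!frame.skb` exit above it both have to perform the same release sequence (free where applicable, then `mutex_unlock(&priv->conf_mutex)`, then `up(&priv->scan.lock)`), which is easy to get out of step. A single cleanup label at the bottom of cw1200_hw_scan() that does the unlock and up, with both error paths jumping to it, would keep the lock discipline in one place. The moved comment "will be unlocked in cw1200_scan_work()" still describes only priv->scan.lock; it is worth extending it to say that conf_mutex is released within this function.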
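Review bot: the changelog should state what object is actually shared, because in the third hunk (@@ -120,10 +120,9 @@) and the first one `frame.skb` is assigned from `ieee80211_probereq_get()` inside cw1200_hw_scan() and freed before the function returns on every path the diff shows; the commit message says cw1200_upload_beacon() frees it, but nothing visible here hands that skb to another function, so a reviewer cannot tell whether the race is on this skb, on the template installed by `wsm_set_template_frame(priv, &frame)`, or elsewhere. Moving `mutex_unlock(&priv->conf_mutex)` below the final `dev_kfree_skb(frame.skb)` is harmless, but if the shared state is the template, what this patch really does is serialise wsm_set_template_frame() against cw1200_upload_beacon(), and the description should say so.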