Subject: Re: [PATCH] cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()
From: Kalle Valo
In-Reply-To: <20181214035521.30388-1-baijiaju1990@gmail.com>
References: <20181214035521.30388-1-baijiaju1990@gmail.com>
To: Jia-Ju Bai
Cc: pizza@shaftnet.org, davem@davemloft.net, linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Message-Id: <20181220064956.02DAB60736@smtp.codeaurora.org>
Date: Thu, 20 Dec 2018 06:49:56 +0000 (UTC)

Jia-Ju Bai wrote:

> The function cw1200_bss_info_changed() and cw1200_hw_scan() can be
> concurrently executed.
> The two functions both access a possible shared variable "frame.skb".
>
> This shared variable is freed by dev_kfree_skb() in cw1200_upload_beacon(),
> which is called by cw1200_bss_info_changed(). The free operation is
> protected by a mutex lock "priv->conf_mutex" in cw1200_bss_info_changed().
>
> In cw1200_hw_scan(), this shared variable is accessed without the
> protection of the mutex lock "priv->conf_mutex".
> Thus, concurrency use-after-free bugs may occur.
>
> To fix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and
> mutex_unlock(&priv->conf_mutex) are moved to the places, which can
> protect the accesses to the shared variable.
>
> Signed-off-by: Jia-Ju Bai

Patch applied to wireless-drivers-next.git, thanks.

4f68ef64cd7f cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan()

--
https://patchwork.kernel.org/patch/10730469/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
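
The locking rule described in the quoted commit message, as an added userspace model that is not the cw1200 driver code or the applied patch: it replays the worst-case interleaving deterministically and uses a generation counter instead of touching freed memory. The names model_priv, model_upload_beacon, model_hw_scan and scan_hits_freed_skb are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
/* Single-threaded model; every name here is a stand-in, not driver code. */
struct model_priv {
    bool conf_mutex_held; /* stands in for priv->conf_mutex */
    char *skb;            /* stands in for the shared frame.skb */
    unsigned gen;         /* bumped each time skb is freed and replaced */
};

/* Beacon path: frees and replaces skb, always under the mutex. If the
 * mutex is already held it does nothing, where a real thread would block. */
static void model_upload_beacon(struct model_priv *p)
{
    if (p->conf_mutex_held)
        return;
    p->conf_mutex_held = true;
    free(p->skb);             /* dev_kfree_skb() in the description */
    p->skb = malloc(16);
    p->gen++;
    p->conf_mutex_held = false;
}

/* Scan path. covered=false touches skb outside the mutex; covered=true
 * holds it across the access. Returns true if skb was freed mid-scan. */
static bool model_hw_scan(struct model_priv *p, bool covered)
{
    p->conf_mutex_held = covered;
    unsigned seen = p->gen;        /* scan starts using the shared skb */
    model_upload_beacon(p);        /* worst-case interleaving point */
    bool stale = (seen != p->gen); /* the driver would now use freed memory */
    p->conf_mutex_held = false;
    return stale;
}

/* One scan on a fresh state; true means a use-after-free window opened. */
static bool scan_hits_freed_skb(bool covered)
{
    struct model_priv p = { false, malloc(16), 0 };
    bool stale = model_hw_scan(&p, covered);
    free(p.skb);
    return stale;
}

int main(void)
{
    printf("%d %d\n", scan_hits_freed_skb(false), scan_hits_freed_skb(true));
    return 0;
}
```

In kernel code the same invariant can be checked at the access site with lockdep_assert_held(&priv->conf_mutex) on a lockdep-enabled build.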