From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dan Carpenter, Lorenzo Bianconi, Felix Fietkau
Subject: [PATCH 5.2 57/85] mt76: mt7615: Use after free in mt7615_mcu_set_bcn()
Date: Wed, 18 Sep 2019 08:19:15 +0200
Message-Id: <20190918061235.909909051@linuxfoundation.org>
X-Mailer: git-send-email 2.23.0
In-Reply-To: <20190918061234.107708857@linuxfoundation.org>
References: <20190918061234.107708857@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter

commit 9db1aec0c2d72a3b7b115ba56e8dbb5b46855333 upstream.

We dereference "skb" when we assign:

    req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
                                            ^^^^^^^^

So this patch just moves the dev_kfree_skb() down a bit to avoid the use after free.

Fixes: 04b8e65922f6 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
Signed-off-by: Dan Carpenter
Acked-by: Lorenzo Bianconi
Signed-off-by: Felix Fietkau
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/wireless/mediatek/mt76/mt7615/mcu.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c +++ b/drivers/net/wireless/mediatek/mt76/mt7615/mcu.c @@ -1270,7 +1270,6 @@ int mt7615_mcu_set_bcn(struct mt7615_dev mt7615_mac_write_txwi(dev, (__le32 *)(req.pkt), skb, wcid, NULL, 0, NULL); memcpy(req.pkt + MT_TXD_SIZE, skb->data, skb->len); - dev_kfree_skb(skb); req.omac_idx = mvif->omac_idx; req.enable = en; @@ -1281,6 +1280,7 @@ int mt7615_mcu_set_bcn(struct mt7615_dev req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len); req.tim_ie_pos = cpu_to_le16(MT_TXD_SIZE + tim_off); + dev_kfree_skb(skb); skb = mt7615_mcu_msg_alloc(&req, sizeof(req)); return mt7615_mcu_msg_send(dev, skb, MCU_EXT_CMD_BCN_OFFLOAD,
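Review bot: the relocated `dev_kfree_skb(skb);` in the second hunk now sits directly before `skb = mt7615_mcu_msg_alloc(&req, sizeof(req));`, so the beacon skb is released only after its last read (`skb->len` in the `req.pkt_len` assignment shown as context) and the variable is reassigned on the very next line, which leaves no dangling reference; that is the right fix for the read-after-free the first hunk removed. One thing worth stating in the commit message: because the same `skb` name is reused for the MCU message immediately after the free, any future access to the beacon skb in this function must stay above the new `dev_kfree_skb()` call, otherwise the same defect comes back.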