Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp732182ybl; Wed, 4 Dec 2019 09:58:51 -0800 (PST) X-Google-Smtp-Source: APXvYqz8pd8wF2rQu+EbvVkGjENRcFpbHdBP5S3vIiywhduUFk7UiV2AJq8yprNjsQDc9T5GgY9l X-Received: by 2002:a05:6830:124b:: with SMTP id s11mr3420548otp.333.1575482331443; Wed, 04 Dec 2019 09:58:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575482331; cv=none; d=google.com; s=arc-20160816; b=D9eT7GXQLi3phWzzlRpuY//4zMMSSulks0LEmVKyfumRteLxxWQ3OtA5F/i/rJXeJR Eia12vvazuKmVLBHd86GawI0enpYW8pJ1Qfgs/o2idKi+emwbHbpc3SmI8iBcGszoMU9 4ULnH6K48WQT3p/66L4ZrWtUoMRTzPaARzOdqhceo3qlZc+haSz7cmA32oSDyzwKO04R D0+QXw8KGLyMmvGAaNW31BTryxMIH58w1QbUrwxkp+DGKtsEz0OJ6wopCfzDthpsFbgv AIqSurKhG4k5NO0ec2EAy7YSIrZQ54Fo6FJ6UAeQcaJNlW/yY1j8BNr2VY0sIMqS9HVy yvCA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=SREMdgKFH8E8B1YJ/ZhYUiRqEGe+nABGw7xwiRizJGQ=; b=REeEkABEeuB+HdHKPoSydFFHZXVRjksVqu9/g++xnVYegK0aDIwHIOwm3p0x6je2+i LTPJ0U8BRliGSMniz77p0Vvkt9ps4fer9ETHUYDFzqZ/CITQZ+7qoLUsQyNmakGKT88O Pn8dIfhzU4Dwk/v7GI+mIYknVjanbOvZcADVy2X1gpZV451bXL+GquTLqwbDx6LLvMYB 5/odB5CMKAg14PBiYats5vVKK/g5vkjJ5u+VRaFpS6unul4x7gXEj0ste5COLGRFHCDh GL2NQvgMEjVbLAS4Fukl9g4orZVTe7cxPj0LA5286QFt1gxe013GUpSH7WjKA0XDiwtA FE0w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UB8hlB5b; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x184si3648164oig.208.2019.12.04.09.58.38; Wed, 04 Dec 2019 09:58:51 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UB8hlB5b; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728463AbfLDR5z (ORCPT + 99 others); Wed, 4 Dec 2019 12:57:55 -0500 Received: from mail.kernel.org ([198.145.29.99]:59400 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728431AbfLDR5x (ORCPT ); Wed, 4 Dec 2019 12:57:53 -0500 Received: from localhost (unknown [217.68.49.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id AE7B22084B; Wed, 4 Dec 2019 17:57:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575482273; bh=94Hv4Ms5a+mG/S8NzCllVzvp0s/I1gaMseaY+uS86uI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UB8hlB5bYnhocPc+FuiGmOxpVsszCMhO7rlbMbtxnQNrEXMKEav+aszwNJ8gOky3K 6Szqb6Ylqpo9IoVOKt0HfWaNieKXEhhPrw5mlQXG8jnOgtTezj5EzUPwANkzrB3HZC R3MZgUL3LFVnDQjbF546IZm3pkrKNGdwlFf5ww9c= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pan Bian , Larry Finger , Kalle Valo , Sasha Levin Subject: [PATCH 4.4 21/92] rtl818x: fix potential use after free Date: Wed, 4 Dec 2019 18:49:21 +0100 Message-Id: <20191204174331.107963668@linuxfoundation.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191204174327.215426506@linuxfoundation.org> References: <20191204174327.215426506@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pan Bian [ Upstream commit afbb1947db94eacc5a13302eee88a9772fb78935 ] entry is released via usb_put_urb just after calling usb_submit_urb. However, entry is used if the submission fails, resulting in a use after free bug. The patch fixes this. Signed-off-by: Pan Bian ACKed-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c index b3691712df610..60e77eaa4ce94 100644 --- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c @@ -446,12 +446,13 @@ static int rtl8187_init_urbs(struct ieee80211_hw *dev) skb_queue_tail(&priv->rx_queue, skb); usb_anchor_urb(entry, &priv->anchored); ret = usb_submit_urb(entry, GFP_KERNEL); - usb_put_urb(entry); if (ret) { skb_unlink(skb, &priv->rx_queue); usb_unanchor_urb(entry); + usb_put_urb(entry); goto err; } + usb_put_urb(entry); } return ret; -- 2.20.1