Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp757738ybl; Wed, 4 Dec 2019 10:20:59 -0800 (PST) X-Google-Smtp-Source: APXvYqxwhv5uLhlKh2hlGq1cDDCYlgGSePKyuS3Y8OWeSzk3AipeXsCu3+EeMBbQKKkDBMs9pRDh X-Received: by 2002:a05:6830:1257:: with SMTP id s23mr3614407otp.241.1575483659810; Wed, 04 Dec 2019 10:20:59 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575483659; cv=none; d=google.com; s=arc-20160816; b=wrOEWvuDsZ1/c4wIAlb6IuNKJ667q6lb79Z9MRAXKTLRXc2v0wdPXLPsQLm6uPbRft Foc1iGZWy2fzQ4QAeAL1NhJbJZr7A4ye1RkoaPVIiK2D5ENJGpBnlP9d6NvXdCq41Naa cJE8W9LKLGKhlPprG8Aq/R7BgnWF18HpQfRbNJaRSZGAeCnnCZ4Nr3Uk1EGwuE+9J7zf SRvoq8H6t99upQ/gPdC7wCuQNYJggOo5o2wb5kWZPYEbBvInngPuYcC5igs58KbXU9g/ Ga64on98ZUwa3dUFAdRX+lO7cyAo0n/hTVzJOPVlO+NeSTqiHupKHeqLFyZGqcwRsQ22 3DYA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=YpzDp1MestAn4Gl0ZP52CW8PXBr5WW8bW8MDMa7mprI=; b=qRJwynEOi/Xq9wixT6EN0b4ZAMvefuLX5Ia9pVmwA0N7/rGBo3t76A79VoFQwt32n/ mwz+k8OGf4eIgstlrKxd4iUXztbtMGOFENjrgenSOrnkixqmq9feBOAw1miZ5qn7dXB2 /aHPbpywT3t3b84K1eYhXd+tDsdnhuYDKGsICVwx030KWGYswri1lPooKfPXqzz7SGqB RUHzC6jBL3pEi7dS1CXPwlVAjm/PnCRs43EYdz5NG+/arg2cH4YdPbiLzVjQp72EHFo3 UYQmHAZpX1EzoSmhT9in+55TPEzLQju+A4QtGZTPxqQXiUsEh1g7EgvtPJfnjtdj17Uf uAiw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=RoOp0NrX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id k23si3809339otp.181.2019.12.04.10.20.47; Wed, 04 Dec 2019 10:20:59 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=RoOp0NrX; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731313AbfLDSKm (ORCPT + 99 others); Wed, 4 Dec 2019 13:10:42 -0500 Received: from mail.kernel.org ([198.145.29.99]:38206 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731308AbfLDSKl (ORCPT ); Wed, 4 Dec 2019 13:10:41 -0500 Received: from localhost (unknown [217.68.49.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 031922173B; Wed, 4 Dec 2019 18:10:39 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575483040; bh=bj6XBP8ylTa1ul4GAmiTOHUvhP1gVcBdVe0nXVxbj4c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=RoOp0NrXSGITg2WBerP55ZwmCWRwtCn7T8NqpYIiZqPMGypuGtHSAfJ5ONl7S22QW NzIdX2818KAiMsNpUUV1KguzU8AS5pctvNEP+oZYyhYEwinftqoJ6rmReP91N1vwSD zReE6x1JoaCKOcyhaBOFuA9K7m6nbMMrWHbfBHQE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pan Bian , Larry Finger , Kalle Valo , Sasha Levin Subject: [PATCH 4.9 027/125] rtl818x: fix potential use after free Date: Wed, 4 Dec 2019 18:55:32 +0100 Message-Id: <20191204175319.967225530@linuxfoundation.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191204175308.377746305@linuxfoundation.org> References: <20191204175308.377746305@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pan Bian [ Upstream commit afbb1947db94eacc5a13302eee88a9772fb78935 ] entry is released via usb_put_urb just after calling usb_submit_urb. However, entry is used if the submission fails, resulting in a use after free bug. The patch fixes this. Signed-off-by: Pan Bian ACKed-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c index 6113624ccec39..17e3d5e830626 100644 --- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c @@ -446,12 +446,13 @@ static int rtl8187_init_urbs(struct ieee80211_hw *dev) skb_queue_tail(&priv->rx_queue, skb); usb_anchor_urb(entry, &priv->anchored); ret = usb_submit_urb(entry, GFP_KERNEL); - usb_put_urb(entry); if (ret) { skb_unlink(skb, &priv->rx_queue); usb_unanchor_urb(entry); + usb_put_urb(entry); goto err; } + usb_put_urb(entry); } return ret; -- 2.20.1