Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp761651ybl; Wed, 4 Dec 2019 10:24:54 -0800 (PST) X-Google-Smtp-Source: APXvYqyDR2MKP3pM5EkOdyDWNOUYY7k5mP6O4uFl4lgQw34pyk5sBYY+i2KZ3W0iOOhxs0yHgci/ X-Received: by 2002:a9d:7ac9:: with SMTP id m9mr3535646otn.80.1575483893902; Wed, 04 Dec 2019 10:24:53 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1575483893; cv=none; d=google.com; s=arc-20160816; b=BT2AUGZVYBjQq/qjNXN+oOtJ+Jug0FL7xChgogu9Z+P3GLxJp78TdsK1jzWU2pJ1rr O3osvi6FGeb4WZVp1jzm5m0/5pMVkFEeRGqhupa3wL/pM7OYyKPTtzY8GxMDEkyxrEiW LSi3bluoREeV3AExLvPUp2aXA1NHbF8yspU/yY05IlPimjk5uj1oxlC+TdKmlS8i9+t/ v0+JNolz96gS0KuQD5uo0+hxHUoPRO15z88szoQlU6d1B8c9S/YH3ozw1BPjaX8RexCz Fzzl1PW1ZAKZtbwkLkHY9YeSXdWTgAgdUWMIkF/gs+8qqwAVIFzyWUXhVFrMdBlIj1SW tITw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Gz9D+JlYUs3cDwHna/83ywaIfq0j9Y2LPl9DbW+9hLY=; b=wkKdOQ+U+2a00oK1CmTHHQu+mBtlS8T34uWIBtPSO2NQ8AjYQe3JlFFlNGZMDkLaCt ikNZQ8oZgHdZEbjNjpEssQACSc1/hqbfQo6JOukeJPntr9wIP67b9v9vAfkUNbsRkBEF HOFndgQYxZmUGiOHXcniP4RYCJbO41sBqzZKRXks73520X5DNyvKU3aVcxnNEakB7NbJ mkbyaT09hzbW50aN4j/iHnR2C3oGeh8QbrZjPNgfKZwlLkn8TLnuCXSIoncCcQfiBGEc kW9ivkTAVJ00F4meoxjor00+qiLhGjn3QzHyeqw9JkgkfPKTvyG4uK8SUos4NF1Z2VyC UmGw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=E2ASZ2Wj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id o128si3666501oia.72.2019.12.04.10.24.39; Wed, 04 Dec 2019 10:24:53 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=E2ASZ2Wj; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729787AbfLDSXf (ORCPT + 99 others); Wed, 4 Dec 2019 13:23:35 -0500 Received: from mail.kernel.org ([198.145.29.99]:48642 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729723AbfLDSD4 (ORCPT ); Wed, 4 Dec 2019 13:03:56 -0500 Received: from localhost (unknown [217.68.49.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id CF4792073B; Wed, 4 Dec 2019 18:03:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1575482636; bh=nqrDeAiqwjw67y0i2EHRlzpeX2mJIKdZBClni9COesA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=E2ASZ2Wj1ijkpV0HIBxt8Q4FS/r47SJFer2BZYiNWsiKKShPMF6tjJDyA8y5+IWBF A1R0LLdTX4CwDxGfKbxBdihZvwrJxol6TzflavsIa9DAe8SXxJk7WxYwAJrF1ileIu EJNr7GyWfn2NpSH9ERy0fXnahxBAxuYRfNia2WfM= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Pan Bian , Larry Finger , Kalle Valo , Sasha Levin Subject: [PATCH 4.14 048/209] rtl818x: fix potential use after free Date: Wed, 4 Dec 2019 18:54:20 +0100 Message-Id: <20191204175324.678822977@linuxfoundation.org> X-Mailer: git-send-email 2.24.0 In-Reply-To: <20191204175321.609072813@linuxfoundation.org> References: <20191204175321.609072813@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pan Bian [ Upstream commit afbb1947db94eacc5a13302eee88a9772fb78935 ] entry is released via usb_put_urb just after calling usb_submit_urb. However, entry is used if the submission fails, resulting in a use after free bug. The patch fixes this. Signed-off-by: Pan Bian ACKed-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin --- drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c index 9a1d15b3ce453..518caaaf8a987 100644 --- a/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c +++ b/drivers/net/wireless/realtek/rtl818x/rtl8187/dev.c @@ -444,12 +444,13 @@ static int rtl8187_init_urbs(struct ieee80211_hw *dev) skb_queue_tail(&priv->rx_queue, skb); usb_anchor_urb(entry, &priv->anchored); ret = usb_submit_urb(entry, GFP_KERNEL); - usb_put_urb(entry); if (ret) { skb_unlink(skb, &priv->rx_queue); usb_unanchor_urb(entry); + usb_put_urb(entry); goto err; } + usb_put_urb(entry); } return ret; -- 2.20.1