From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Avraham Stern, Luca Coelho, Kalle Valo
Subject: [PATCH 5.5 021/120] iwlwifi: mvm: avoid use after free for pmsr request
Date: Thu, 13 Feb 2020 07:20:17 -0800
Message-Id: <20200213151909.416453795@linuxfoundation.org>
In-Reply-To: <20200213151901.039700531@linuxfoundation.org>
References: <20200213151901.039700531@linuxfoundation.org>

From: Avraham Stern

commit cc4255eff523f25187bb95561642941de0e57497 upstream.

When a FTM request is aborted, the driver sends the abort command to the fw and waits for a response. When the response arrives, the driver calls cfg80211_pmsr_complete() for that request. However, cfg80211 frees the requested data immediately after sending the abort command, so this may lead to use after free.

Fix it by clearing the request data in the driver when the abort command arrives and ignoring the fw notification that will come afterwards.

Signed-off-by: Avraham Stern
Fixes: fc36ffda3267 ("iwlwifi: mvm: support FTM initiator")
Signed-off-by: Luca Coelho
Signed-off-by: Kalle Valo
Signed-off-by: Greg Kroah-Hartman
---
 drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/ftm-initiator.c @@ -8,6 +8,7 @@ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH * Copyright (C) 2018 Intel Corporation * Copyright (C) 2019 Intel Corporation + * Copyright (C) 2020 Intel Corporation * * This program is free software; you can redistribute it and/or modify * it under the terms of version 2 of the GNU General Public License as 
@@ -30,6 +31,7 @@ * Copyright(c) 2015 - 2017 Intel Deutschland GmbH * Copyright (C) 2018 Intel Corporation * Copyright (C) 2019 Intel Corporation + * Copyright (C) 2020 Intel Corporation * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -389,6 +391,8 @@ void iwl_mvm_ftm_abort(struct iwl_mvm *m if (req != mvm->ftm_initiator.req) return; + iwl_mvm_ftm_reset(mvm); + if (iwl_mvm_send_cmd_pdu(mvm, iwl_cmd_id(TOF_RANGE_ABORT_CMD, LOCATION_GROUP, 0), 0, sizeof(cmd), &cmd)) @@ -502,7 +506,6 @@ void iwl_mvm_ftm_range_resp(struct iwl_m lockdep_assert_held(&mvm->mutex); if (!mvm->ftm_initiator.req) { - IWL_ERR(mvm, "Got FTM response but have no request?\n"); return; }
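
Review bot: in the iwl_mvm_ftm_abort() hunk, iwl_mvm_ftm_reset(mvm) now runs before iwl_mvm_send_cmd_pdu(), so if the send fails the driver has already dropped its request state while the firmware was never told to abort. The commit message explains why the reset has to happen at abort time (cfg80211 frees the request data right after the abort), so the ordering looks intentional, but nothing in the code says so. Please add a short comment above the new call stating that the request must not be referenced after this point, and make sure the failure branch of `if (iwl_mvm_send_cmd_pdu(...))` does not assume mvm->ftm_initiator.req is still set.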
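
Review bot: in the iwl_mvm_ftm_range_resp() hunk, removing the IWL_ERR line leaves `if (!mvm->ftm_initiator.req) { return; }` with braces around a single statement, and it silences every response that arrives without a request, not only the late one that follows an abort. Drop the braces, add a one-line comment that a response after an abort is expected and ignored, and consider keeping a debug-level message there so a response that is unexpected for some other reason still leaves a trace.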