Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp175888pxx; Wed, 28 Oct 2020 01:40:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwVqjDbrqcJfDtwgYa1eYZbXf/DR1G4fBpvEon1n/dgqbs0+rBG5SYa7+wuoN07hATo7iyv X-Received: by 2002:aa7:c4cc:: with SMTP id p12mr6464549edr.77.1603874416147; Wed, 28 Oct 2020 01:40:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603874416; cv=none; d=google.com; s=arc-20160816; b=SZHyg2hH8swBNC9rOhUmgyr/NIQ1u9pTcsBn/dtpo9lxcav7it2zf+OUr8WoLnsQR5 Ih98Jz8u8gSFRXG+pEHCzAiGAT++r557VXjIxU+IalhQyeYFSA+UCHzR/nYcz5GZDTz+ ZXoDy/Ijq79k6lPhCNhTeUQU5/IieRroNZ0qwLPtQcaolLsQmuzQg8j48diiZAeTSBti M9RBvWG6fTHW1O/cwsJvRdBoBMTYSRDqTR5dr66oLurBTW6FlNqYx8xjC1PNhWMJNGH+ 5zE4KYOIZ6zXqpAeEC8QBWLypGn3Ni1UCzXY4GtrEMNS1/gephRUlFowR43VLeY3PybW QCzA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=OUufNjc3mhZubYAxDfEJ8w2hoNgz7grOFMDi4ikKUlM=; b=LDXYDZZok08LUstnY4Knh86NIRibUaXXiOBGbCv8QUCn5PjEht4hAshr6KJ7DPZGYH M4MlJUKO4IwASK492+kKV60TQpnYu+r4Ecb2S+g+mR2f+iS+TtveBK2ZTl5zINaZ5xko A6sXx2i5Zdna0S5M/LKoa3WndWofzFvta6H0ML7X+1SPY+Zofosk0++V8v2KJyagjJx4 OCasb9jyaP1pgH0zw6c4Fp95C5m8kO7c6Jyt9Ed0tuL+ZwvuiS1/KT3VpYbrmsUqmv/j axXFoGfnOfDZSknU+0XGICpd9IeJ6g5ENVvoZXI0C3D1Vox3YDd0tJEuHStJByL9mDy6 62ow== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=n9mnC4VG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id l12si2820211edk.163.2020.10.28.01.39.54; Wed, 28 Oct 2020 01:40:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=n9mnC4VG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754872AbgJ0OHa (ORCPT + 99 others); Tue, 27 Oct 2020 10:07:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:55608 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754769AbgJ0OHB (ORCPT ); Tue, 27 Oct 2020 10:07:01 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 56DF522263; Tue, 27 Oct 2020 14:07:00 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603807620; bh=mpg2HUSFvohKzNRhXx9Ij/fVtBCR5yaCNXqozSTlQbE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=n9mnC4VGzNjQDXRbtGbkont5WR8B9jeT1iCgXjFXzn7/k51UeV2cL64Ong343eRH4 HxLS6illPKt6rjG8n1mXTWh0FsqMc1X7DRrD6xKupgKn25AjCYORNKB4YrxPOF7Z3b F0YVrHe2kf75beas/WchdyOdPAw26uUcAzEImM4E= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com, Brooke Basile , Kalle Valo , Sasha Levin Subject: [PATCH 4.9 119/139] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Date: Tue, 27 Oct 2020 14:50:13 +0100 Message-Id: <20201027134907.792498196@linuxfoundation.org> X-Mailer: git-send-email 2.29.1 In-Reply-To: <20201027134902.130312227@linuxfoundation.org> References: <20201027134902.130312227@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Brooke Basile [ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ] Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor systems create a race condition in which usb_kill_anchored_urbs() deallocates the URB before the completer callback is called in usb_kill_urb(), resulting in a use-after-free. To fix this, add proper lock protection to usb_kill_urb() calls that can possibly run concurrently with usb_kill_anchored_urbs(). Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf Signed-off-by: Brooke Basile Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com Signed-off-by: Sasha Levin --- drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index fb5b7ce3d2c3d..7c409cd43b709 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -447,10 +447,19 @@ static void hif_usb_stop(void *hif_handle) spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); /* The pending URBs have to be canceled. */ + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, &hif_dev->tx.tx_pending, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); } @@ -760,27 +769,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; unsigned long flags; + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, &hif_dev->tx.tx_buf, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(&tx_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); hif_dev->tx.flags |= HIF_USB_TX_FLUSH; spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, &hif_dev->tx.tx_pending, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(&tx_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); } -- 2.25.1