Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp428866pxx; Wed, 28 Oct 2020 08:09:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyYwA33/+PHrCqs80krmT1fZEqKi45OWMer0vYjdT/W2ICsmle12oX2COPegQ/OzOQyZu0A X-Received: by 2002:aa7:c2d9:: with SMTP id m25mr8405904edp.226.1603897762431; Wed, 28 Oct 2020 08:09:22 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603897762; cv=none; d=google.com; s=arc-20160816; b=tQ9GJN5E3wVQErED7weZuUppL7AhTE89fhtt3AYJ0BJD51X6attyuqgCD98qfFNuFc u+031tigETx/fT7yjNnKtNZcQOuseJYh056630cXqJmTm0w6FZfD1275fS0INpKtBEzd fpN+TwNKq96MYeAYGExKkuq2bRuuBQk39/uxv53tKmJ2/ihXFGqGK/DitGl9t3A0lQSX +oqOEe39oJgMnn805Oun3OAhOK3cByx2mXuuXGodXob0xH6/IfWKi45IAMlUXpXFKrEw 07V1xLdPSCORj4XroBGFrul4CukPK7eHCFT/X61nuvT+Ind2C3W5YedaGLgVRF3Kvyx9 iEwQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=3fNWdN3nragtDSEo+0AQPWQU5vDt0R9ANt7U1TskCKI=; b=H6hWHdmNpaSrsxef4T8+sAPCK3T1UmmimcLWfd/US0WY5Kv+rtFhfcXmJwYmYYg0HE CB9HwW6XvZ9vEllBq6w0/p7Fq6IU4mAYMNlB+8QrVL38rippP9WlMcKG4iFpuXljjQvo wuJpnHGyMJMEeROkh6q9GS2CxyVlnK8YdBNSYSzKRt39WTztYCBaGkjVC7X8m56lNJGJ ZS7syWhb73vPbaHpjEuoEt6REjST8hXyCgRsOoHzFy+Y6ldfO/wzEWa5LZ09LeIpLQQm MV0vmT07SIlREB8hKgaSuD4QkFnpBMskdTdttYtsXvfNJX0W3OrqiPuQpez++IHxHvfh 8hhw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=qEBVcHU7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g8si3473416ejm.389.2020.10.28.08.08.59; Wed, 28 Oct 2020 08:09:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=qEBVcHU7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1809814AbgJ0Q3L (ORCPT + 99 others); Tue, 27 Oct 2020 12:29:11 -0400 Received: from mail.kernel.org ([198.145.29.99]:52608 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1802734AbgJ0PvI (ORCPT ); Tue, 27 Oct 2020 11:51:08 -0400 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 9FDCD2065C; Tue, 27 Oct 2020 15:51:07 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603813868; bh=1/zcvT49Z0HRAXBRD5R7Zp7EgSGSNvitNfefz2WUyTM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qEBVcHU7JntCVZ0KO4b3NKuekhxwqTdSDizKWNP8MQ90Pehgpmv5qdY7IVLQ1JBH7 bYHbZKotBloJhkEPXOzAf9BJqGBer9OrIu0op8RIfj3mHPZ5oJXNZ3fpnectQ6VuUf cbn5N1QfhD5CHZst+5eIWpxuPcIi2as59o3rNmpI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com, Brooke Basile , Kalle Valo , Sasha Levin Subject: [PATCH 5.9 697/757] ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() Date: Tue, 27 Oct 2020 14:55:47 +0100 Message-Id: <20201027135523.207933349@linuxfoundation.org> X-Mailer: git-send-email 2.29.1 In-Reply-To: <20201027135450.497324313@linuxfoundation.org> References: <20201027135450.497324313@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Brooke Basile [ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ] Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor systems create a race condition in which usb_kill_anchored_urbs() deallocates the URB before the completer callback is called in usb_kill_urb(), resulting in a use-after-free. To fix this, add proper lock protection to usb_kill_urb() calls that can possibly run concurrently with usb_kill_anchored_urbs(). Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf Signed-off-by: Brooke Basile Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com Signed-off-by: Sasha Levin --- drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c index 3f563e02d17da..2ed98aaed6fb5 100644 --- a/drivers/net/wireless/ath/ath9k/hif_usb.c +++ b/drivers/net/wireless/ath/ath9k/hif_usb.c @@ -449,10 +449,19 @@ static void hif_usb_stop(void *hif_handle) spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); /* The pending URBs have to be canceled. */ + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, &hif_dev->tx.tx_pending, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); } @@ -762,27 +771,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; unsigned long flags; + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, &hif_dev->tx.tx_buf, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(&tx_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); hif_dev->tx.flags |= HIF_USB_TX_FLUSH; spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); list_for_each_entry_safe(tx_buf, tx_buf_tmp, &hif_dev->tx.tx_pending, list) { + usb_get_urb(tx_buf->urb); + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_urb(tx_buf->urb); list_del(&tx_buf->list); usb_free_urb(tx_buf->urb); kfree(tx_buf->buf); kfree(tx_buf); + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); } + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); } -- 2.25.1