Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp3589012pxb;
        Mon, 24 Jan 2022 12:57:46 -0800 (PST)
X-Google-Smtp-Source: ABdhPJwwlLmdkNSM92WO9BKR60jXDC5JSj2rycum/tEd1TmalhA+i/GThqyAvSyWyFfV6yM88RFz
X-Received: by 2002:a62:cd89:0:b0:4c9:b1f4:e68e with SMTP id o131-20020a62cd89000000b004c9b1f4e68emr4904516pfg.8.1643057866407;
        Mon, 24 Jan 2022 12:57:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1643057866; cv=none;
        d=google.com; s=arc-20160816;
        b=V/EUtdWDtO4FAAafQZeqj4+VEN0kiUhPPk+4vsyk2Y3LRiV+bDWpOYQE9Wo4RlkPra
         ANeDWTJbuA9i5yOiNc4ZBT8lxQYJAHIfkcY0g3Uky7UkxaHC8LA7BzR1C+rarS4F/Zdl
         jRBLURf0Nje6Vdx6zsDi5nJR/KlmVvqvKajAo+W9/u65G4cO1MbVgbu6HitRwn0F+d73
         5E4PP4WwWFg1Z/+ky8X13kegu7CCi8nPdLoJYG6VSd93eG5Wq/vb7KhksaiKos6yg3qa
         4mvFznK+jIDcelWpGv8P8tBw2q4qhiYF8UFGrSzP03OVBqyUyf328xKgagHm2DdUzPg8
         4qrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=2ceuGUU7ay/6vwNl3abU9nTDBBnsYge57lUZwrJDMf8=;
        b=KDgW9NWJCyeBuwbhV/umTDTSHOausjqlLYglRVZHuY8XKzxlXbNFrn8Gn5s7EUernt
         bdyB0xO2QYOvnlxvcY7nUTsTLKAsnWhDKGhwhTMdnS7AT2FB8oZI7ZBABCw1MC3+OKzR
         Fzni+Fyo0WP6W8TaGBMDzalSuPmDcB2QTnGyPoGcqqKe1Z+52+iPJTPaFxODRIEGbi8l
         dQLepMvQQh62RNsx9jy4JcHGgHPxCTxLQKY5t2YWt1VJcXJ5cWdFKbDKBGUwx3VQbb3O
         iCqKTf+fbJa+GhHvqQ0Qy72wSbEK9LIbkco1wNhSHh9kvjIr/AMnZd8cu22uswP42AOx
         CNaw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=rsnaQV91;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id z6si12977513pfb.209.2022.01.24.12.57.30;
        Mon, 24 Jan 2022 12:57:46 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=rsnaQV91;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1380655AbiAXUQk (ORCPT <rfc822;troverman@gmail.com> + 99 others);
        Mon, 24 Jan 2022 15:16:40 -0500
Received: from dfw.source.kernel.org ([139.178.84.217]:53960 "EHLO
        dfw.source.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1348223AbiAXT5e (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 24 Jan 2022 14:57:34 -0500
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id E493360B56;
        Mon, 24 Jan 2022 19:57:33 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id C0CB3C340E5;
        Mon, 24 Jan 2022 19:57:32 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1643054253;
        bh=cN3Y0NOmEgjX6lY6HpwrG6edABhYWBCKcpqZwy82Zp0=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=rsnaQV913iIOPQKVZvUWai+Mb8I2cYfqYGyugZLpNRV/eDlHqopS69BYadCsbgKfR
         e0TnhAHHTMoIggt8k7PhxDnGbgZO8DacR2loS98g7m3NqZecKMZSGRFnYdr78DKUUq
         NLJ5zFTXPmTXKLaKg+/Q4zSm39LKBQ7r1tzZPVeY=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Brendan Dolan-Gavitt <brendandg@nyu.edu>,
        Zekun Shen <bruceshenzk@gmail.com>,
        Kalle Valo <kvalo@codeaurora.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 329/563] rsi: Fix use-after-free in rsi_rx_done_handler()
Date:   Mon, 24 Jan 2022 19:41:34 +0100
Message-Id: <20220124184035.812021706@linuxfoundation.org>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20220124184024.407936072@linuxfoundation.org>
References: <20220124184024.407936072@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zekun Shen <bruceshenzk@gmail.com>

[ Upstream commit b07e3c6ebc0c20c772c0f54042e430acec2945c3 ]

When freeing rx_cb->rx_skb, the pointer is not set to NULL,
a later rsi_rx_done_handler call will try to read the freed
address.
This bug will very likley lead to double free, although
detected early as use-after-free bug.

The bug is triggerable with a compromised/malfunctional usb
device. After applying the patch, the same input no longer
triggers the use-after-free.

Attached is the kasan report from fuzzing.

BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb]
Read of size 4 at addr ffff8880188e5930 by task modprobe/231
Call Trace:
 <IRQ>
 dump_stack+0x76/0xa0
 print_address_description.constprop.0+0x16/0x200
 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
 __kasan_report.cold+0x37/0x7c
 ? dma_direct_unmap_page+0x90/0x110
 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb]
 kasan_report+0xe/0x20
 rsi_rx_done_handler+0x354/0x430 [rsi_usb]
 __usb_hcd_giveback_urb+0x1e4/0x380
 usb_giveback_urb_bh+0x241/0x4f0
 ? __usb_hcd_giveback_urb+0x380/0x380
 ? apic_timer_interrupt+0xa/0x20
 tasklet_action_common.isra.0+0x135/0x330
 __do_softirq+0x18c/0x634
 ? handle_irq_event+0xcd/0x157
 ? handle_edge_irq+0x1eb/0x7b0
 irq_exit+0x114/0x140
 do_IRQ+0x91/0x1e0
 common_interrupt+0xf/0xf
 </IRQ>

Reported-by: Brendan Dolan-Gavitt <brendandg@nyu.edu>
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/YXxQL/vIiYcZUu/j@10-18-43-117.dynapool.wireless.nyu.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/rsi/rsi_91x_usb.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c
index d881df9ebd0c3..7f34148c7dfe5 100644
--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
+++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
@@ -269,8 +269,12 @@ static void rsi_rx_done_handler(struct urb *urb)
 	struct rsi_91x_usbdev *dev = (struct rsi_91x_usbdev *)rx_cb->data;
 	int status = -EINVAL;
 
+	if (!rx_cb->rx_skb)
+		return;
+
 	if (urb->status) {
 		dev_kfree_skb(rx_cb->rx_skb);
+		rx_cb->rx_skb = NULL;
 		return;
 	}
 
@@ -294,8 +298,10 @@ out:
 	if (rsi_rx_urb_submit(dev->priv, rx_cb->ep_num, GFP_ATOMIC))
 		rsi_dbg(ERR_ZONE, "%s: Failed in urb submission", __func__);
 
-	if (status)
+	if (status) {
 		dev_kfree_skb(rx_cb->rx_skb);
+		rx_cb->rx_skb = NULL;
+	}
 }
 
 static void rsi_rx_urb_kill(struct rsi_hw *adapter, u8 ep_num)
-- 
2.34.1