Subject: Re: [PATCH net] rsi: stop thread firstly in rsi_91x_init() error handling
From: Kalle Valo
To: Ziyang Xuan
In-Reply-To: <20211015040335.1021546-1-william.xuanziyang@huawei.com>
Message-ID: <163471920135.1743.399816436682216881.kvalo@codeaurora.org>
Date: Wed, 20 Oct 2021 08:40:11 +0000 (UTC)
X-Mailing-List: linux-wireless@vger.kernel.org

Ziyang Xuan wrote:

> When fail to init coex module, free 'common' and 'adapter' directly, but
> common->tx_thread which will access 'common' and 'adapter' is running at
> the same time. That will trigger the UAF bug.
>
> ==================================================================
> BUG: KASAN: use-after-free in rsi_tx_scheduler_thread+0x50f/0x520 [rsi_91x]
> Read of size 8 at addr ffff8880076dc000 by task Tx-Thread/124777
> CPU: 0 PID: 124777 Comm: Tx-Thread Not tainted 5.15.0-rc5+ #19
> Call Trace:
>  dump_stack_lvl+0xe2/0x152
>  print_address_description.constprop.0+0x21/0x140
>  ? rsi_tx_scheduler_thread+0x50f/0x520
>  kasan_report.cold+0x7f/0x11b
>  ? rsi_tx_scheduler_thread+0x50f/0x520
>  rsi_tx_scheduler_thread+0x50f/0x520
>  ...
>
> Freed by task 111873:
>  kasan_save_stack+0x1b/0x40
>  kasan_set_track+0x1c/0x30
>  kasan_set_free_info+0x20/0x30
>  __kasan_slab_free+0x109/0x140
>  kfree+0x117/0x4c0
>  rsi_91x_init+0x741/0x8a0 [rsi_91x]
>  rsi_probe+0x9f/0x1750 [rsi_usb]
>
> Stop thread before free 'common' and 'adapter' to fix it.
>
> Fixes: 2108df3c4b18 ("rsi: add coex support")
> Signed-off-by: Ziyang Xuan

Patch applied to wireless-drivers-next.git, thanks.

515e7184bdf0 rsi: stop thread firstly in rsi_91x_init() error handling

-- 
https://patchwork.kernel.org/project/linux-wireless/patch/20211015040335.1021546-1-william.xuanziyang@huawei.com/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
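
The teardown ordering described in the quoted commit message, as an added userspace illustration (not the rsi driver's code and not part of the original mail): pthreads stand in for the kernel thread, and `struct common`'s fields, `tx_thread_fn()` and `init_fails()` are hypothetical names. The release point is only marked with a flag, so the worker's late accesses can be counted without touching freed memory.

```c
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdlib.h>

/* Hypothetical userspace stand-in for the driver's shared 'common' state. */
struct common {
    pthread_t tx_thread;
    atomic_int stop;       /* asks the worker to exit */
    atomic_int released;   /* set at the point where kfree() would run */
    atomic_int late_reads; /* worker passes made after that point */
};

static void *tx_thread_fn(void *arg)
{
    struct common *c = arg;
    while (!atomic_load(&c->stop)) {
        /* Adds 1 only once 'released' is set: the read KASAN would flag. */
        atomic_fetch_add(&c->late_reads, atomic_load(&c->released));
        sched_yield();
    }
    return NULL;
}

/* Init whose later step fails. Returns late reads seen, -1 on setup error. */
int init_fails(int stop_first)
{
    struct common *c = calloc(1, sizeof(*c));
    int late;
    if (!c || pthread_create(&c->tx_thread, NULL, tx_thread_fn, c)) {
        free(c);
        return -1;
    }
    /* ... a later init step fails here; error handling starts ... */
    if (!stop_first) {                 /* buggy order: release while worker runs */
        atomic_store(&c->released, 1);
        while (!atomic_load(&c->late_reads))
            sched_yield();             /* worker is still using 'c' */
    }
    atomic_store(&c->stop, 1);         /* stop the thread and wait for it */
    pthread_join(c->tx_thread, NULL);
    atomic_store(&c->released, 1);     /* fixed order: release only after join */
    late = atomic_load(&c->late_reads);
    free(c);                           /* the real free always follows the join */
    return late;
}

int main(void) { return init_fails(1) != 0; }
```

`init_fails(1)` always returns 0 because the worker has exited before the release point; `init_fails(0)` returns a positive count, each unit being an access that would have hit freed memory in the driver.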