From patchwork Wed Nov 27 14:08:54 2019
X-Patchwork-Submitter: Kalle Valo
X-Patchwork-Id: 11264361
From: Kalle Valo
To: linux-wireless@vger.kernel.org
Cc: ath11k@lists.infradead.org
Subject: [PATCH 06/10] ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API
Date: Wed, 27 Nov 2019 14:08:54 +0000
Message-ID: <0101016ead31856c-9a981fbf-c803-49d3-84e6-11bf72bd38c7-000000@us-west-2.amazonses.com>
In-Reply-To: <1574863720-25728-1-git-send-email-kvalo@codeaurora.org>
References: <1574863720-25728-1-git-send-email-kvalo@codeaurora.org>

From: Karthikeyan Periyasamy

Accessing already stored first msdu data after the skb expand triggers
use_after_free, since first msdu got deleted. So do the descriptor copy
operation before the skb expand operation.

Signed-off-by: Karthikeyan Periyasamy
Signed-off-by: Kalle Valo
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c index 67efa247bf65..f87bd327b082 100644 --- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -1376,6 +1376,11 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, skb_put(first, DP_RX_BUFFER_SIZE); skb_pull(first, buf_first_hdr_len); + /* When an MSDU spread over multiple buffers attention, MSDU_END and + * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs. + */ + ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc); + space_extra = msdu_len - (buf_first_len + skb_tailroom(first)); if (space_extra > 0 && (pskb_expand_head(first, 0, space_extra, GFP_ATOMIC) < 0)) { @@ -1391,11 +1396,6 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, return -ENOMEM; } - /* When an MSDU spread over multiple buffers attention, MSDU_END and - * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs. - */ - ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc); - rem_len = msdu_len - buf_first_len; while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) { rxcb = ATH11K_SKB_RXCB(skb);
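
Review bot: the comment that moves in front of `pskb_expand_head()` in the first hunk (@@ -1376,6 +1376,11) explains why the end TLVs are copied but not why the copy has to sit at this position, and the position is the whole fix. Please record the ordering constraint in the comment itself, for example "This must run before pskb_expand_head(), which can reallocate the head that rxcb->rx_desc points into", so a later cleanup does not move the call back below the expand. Since the comment is being touched anyway, its first sentence would read better as "When an MSDU is spread over multiple buffers, the attention, MSDU_END and MPDU_END tlvs are valid only in the last buffer."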
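
Review bot: in the second hunk (@@ -1391,11 +1396,6), once the copy is removed nothing between the `return -ENOMEM;` path and the `rem_len` loop updates `rxcb->rx_desc`, so the pointer stored for the first MSDU keeps the value it had before `pskb_expand_head()`. If, as the commit message says, the old first-MSDU data is gone after the expand, any later reader of that stored pointer would run into the same use-after-free. Either re-point `rxcb->rx_desc` after a successful expand or state in the commit message that nothing dereferences it once this function returns.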