From patchwork Wed Oct 30 07:46:15 2019
X-Patchwork-Submitter: Karthikeyan periyasamy
X-Patchwork-Id: 11219131
X-Patchwork-Delegate: kvalo@adurom.com
From: Karthikeyan Periyasamy
To: ath11k@lists.infradead.org
Cc: Karthikeyan Periyasamy
Subject: [PATCH] ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API
Date: Wed, 30 Oct 2019 13:16:15 +0530
Message-Id: <1572421575-2904-1-git-send-email-periyasa@codeaurora.org>

Accessing already stored first msdu data after the skb expand triggers
use_after_free, since first msdu got deleted. So do the descriptor copy
operation before the skb expand operation.

Signed-off-by: Karthikeyan Periyasamy
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index acad746..475988b 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c @@ -1374,6 +1374,11 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, skb_put(first, DP_RX_BUFFER_SIZE); skb_pull(first, buf_first_hdr_len); + /* When an MSDU spread over multiple buffers attention, MSDU_END and + * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs. + */ + ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc); + space_extra = msdu_len - (buf_first_len + skb_tailroom(first)); if (space_extra > 0 && (pskb_expand_head(first, 0, space_extra, GFP_ATOMIC) < 0)) { @@ -1389,11 +1394,6 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, return -ENOMEM; } - /* When an MSDU spread over multiple buffers attention, MSDU_END and - * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs. - */ - ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc); - rem_len = msdu_len - buf_first_len; while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) { rxcb = ATH11K_SKB_RXCB(skb);
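
Review bot: in the first hunk (@@ -1374,6 +1374,11), the moved ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc) now runs before pskb_expand_head(), but rxcb->rx_desc itself is never reassigned, so if it points into the buffer of first it is still stale once the expand succeeds. Please confirm that nothing reads rx_desc of the first skb after this point, here or in the caller, or reassign it after the expand. The relocated comment is also hard to parse ("spread over multiple buffers attention, MSDU_END and MPDU_END tlvs"); if attention is one of the tlvs being copied, write "When an MSDU is spread over multiple buffers, the attention, MSDU_END and MPDU_END tlvs are valid only in the last buffer".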
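
Review bot: in the second hunk (@@ -1389,11 +1394,6), with the copy removed from after the -ENOMEM return, nothing in the code says that its new position is an ordering requirement. A short comment at the pskb_expand_head() call, noting that the expand can release the old buffer and that rxcb->rx_desc must not be dereferenced past it, would keep a later cleanup from moving the copy back down next to "rem_len = msdu_len - buf_first_len;". The commit message would also be stronger with a Fixes: tag and the trace that showed the use_after_free, if one was captured.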