Commit 3511a3d6 authored Jul 17, 2017 by Miaoqing Pan

ath9k: fix tx99 use after free



One scenario that could lead to UAF is two threads writing
simultaneously to the "tx99" debug file. One of them would
set the "start" value to true and follow to ath9k_tx99_init().
Inside the function it would set the sc->tx99_state to true
after allocating sc->tx99skb. Then, the other thread would
execute write_file_tx99() and call ath9k_tx99_deinit().
sc->tx99_skb would be freed. After that, the first thread
would continue inside ath9k_tx99_init() and call
r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
that would make use of the freed sc->tx99_skb memory.

CRs-Fixed: 2031398
Change-Id: I28b0b6375847a0a5f864c52e3886e352932edc41
Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>

parent 4715b607

drivers/net/wireless/ath/ath9k/tx99.c

+9 −4

Original line number	Diff line number	Diff line
		@@ -190,22 +190,27 @@ static ssize_t write_file_tx99(struct file file, const char __user user_buf,
		if (strtobool(buf, &start))
		return -EINVAL;

		mutex_lock(&sc->mutex);

		if (start == sc->tx99_state) {
		if (!start)
		return count;
		goto out;
		ath_dbg(common, XMIT, "Resetting TX99\n");
		ath9k_tx99_deinit(sc);
		}

		if (!start) {
		ath9k_tx99_deinit(sc);
		return count;
		goto out;
		}

		r = ath9k_tx99_init(sc);
		if (r)
		if (r) {
		mutex_unlock(&sc->mutex);
		return r;

		}
		out:
		mutex_unlock(&sc->mutex);
		return count;
		}