ath9k: fix tx99 use after free
commitb729a1aea14d482e8a29186bd4a930282961a43c
authorMiaoqing Pan <miaoqing@codeaurora.org>
Tue, 27 Jun 2017 14:31:49 +0000 (27 17:31 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 27 Jul 2017 22:07:55 +0000 (27 15:07 -0700)
tree408b6c045cbdcb7a13058f71674858991adaaa3f
parent7cd7b56037ae4cbdfe5e7fa9e41b67ba15199d7f
ath9k: fix tx99 use after free

commit cf8ce1ea61b75712a154c93e40f2a5af2e4dd997 upstream.

One scenario that could lead to UAF is two threads writing
simultaneously to the "tx99" debug file. One of them would
set the "start" value to true and follow to ath9k_tx99_init().
Inside the function it would set the sc->tx99_state to true
after allocating sc->tx99skb. Then, the other thread would
execute write_file_tx99() and call ath9k_tx99_deinit().
sc->tx99_state would be freed. After that, the first thread
would continue inside ath9k_tx99_init() and call
r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
that would make use of the freed sc->tx99_skb memory.

Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/net/wireless/ath/ath9k/tx99.c