linux/drivers/net/wireless/ath/ath9k
Qiujun Huang 19d6c375d6 ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
Add barrier to accessing the stack array skb_pool.

The case reported by syzbot:
https://lore.kernel.org/linux-usb/0000000000003d7c1505a2168418@google.com
BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:626 [inline]
BUG: KASAN: stack-out-of-bounds in ath9k_hif_usb_rx_cb+0xdf6/0xf70 drivers/net/wireless/ath/ath9k/hif_usb.c:666
Write of size 8 at addr ffff8881db309a28 by task swapper/1/0

Call Trace:
ath9k_hif_usb_rx_stream drivers/net/wireless/ath/ath9k/hif_usb.c:626 [inline]
ath9k_hif_usb_rx_cb+0xdf6/0xf70 drivers/net/wireless/ath/ath9k/hif_usb.c:666
__usb_hcd_giveback_urb+0x1f2/0x470 drivers/usb/core/hcd.c:1648
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1713
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786

Reported-and-tested-by: syzbot+d403396d4df67ad0bd5f@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200404041838.10426-5-hqjagain@gmail.com
2020-04-07 07:57:06 +03:00
ahb.c remove ioremap_nocache and devm_ioremap_nocache 2020-01-06 09:45:59 +01:00
ani.c
ani.h
antenna.c
ar953x_initvals.h
ar955x_1p0_initvals.h
ar956x_initvals.h
ar5008_initvals.h
ar5008_phy.c
ar9001_initvals.h
ar9002_calib.c
ar9002_hw.c
ar9002_initvals.h
ar9002_mac.c
ar9002_phy.c ath9k: ar9002_phy: mark expected switch fall-throughs 2018-11-05 13:15:34 +02:00
ar9002_phy.h
ar9003_2p2_initvals.h
ar9003_aic.c ath9k: use true,false for bool variable 2020-01-26 12:19:02 +02:00
ar9003_aic.h
ar9003_buffalo_initvals.h
ar9003_calib.c
ar9003_eeprom.c ath9k_hw: fix uninitialized variable data 2019-10-01 14:18:43 +03:00
ar9003_eeprom.h
ar9003_hw.c net: Fix misspellings of "configure" and "configuration" 2019-10-28 13:41:01 -07:00
ar9003_mac.c
ar9003_mac.h
ar9003_mci.c ath9k: remove set but not used variable 'new_flags' 2018-11-05 13:18:34 +02:00
ar9003_mci.h
ar9003_paprd.c
ar9003_phy.c ath9k: drop redundant code in ar9003_hw_set_channel 2019-04-29 17:56:03 +03:00
ar9003_phy.h
ar9003_rtt.c
ar9003_rtt.h
ar9003_wow.c
ar9330_1p1_initvals.h
ar9330_1p2_initvals.h
ar9340_initvals.h
ar9462_2p0_initvals.h
ar9462_2p1_initvals.h
ar9485_initvals.h
ar9565_1p0_initvals.h
ar9565_1p1_initvals.h
ar9580_1p0_initvals.h
ath9k.h ath9k: Switch to mac80211 TXQ scheduling and airtime APIs 2019-02-12 20:44:41 +02:00
ath9k_pci_owl_loader.c ath9k: use iowrite32 over __raw_writel 2019-11-28 10:18:51 +02:00
beacon.c
btcoex.c
btcoex.h
calib.c
calib.h
channel.c
common-beacon.c
common-beacon.h
common-debug.c
common-debug.h
common-init.c
common-init.h
common-spectral.c ath9k: do not return invalid pointers as a *dentry 2019-02-07 16:59:04 +02:00
common-spectral.h
common.c
common.h
debug.c ath9k: debugfs: Fix SPUR-DOWN field 2019-02-26 15:08:16 +02:00
debug.h ath9k: Switch to mac80211 TXQ scheduling and airtime APIs 2019-02-12 20:44:41 +02:00
debug_sta.c ath9k: Switch to mac80211 TXQ scheduling and airtime APIs 2019-02-12 20:44:41 +02:00
dfs.c
dfs.h
dfs_debug.c
dfs_debug.h
dynack.c ath9k: dynack: set ackto to max timeout in ath_dynack_reset 2019-09-04 09:15:31 +03:00
dynack.h ath9k: dynack: make ewma estimation faster 2018-11-06 18:26:50 +02:00
eeprom.c ath9k: Differentiate between max combined and per chain power 2019-04-29 17:53:43 +03:00
eeprom.h
eeprom_4k.c ath9k: Differentiate between max combined and per chain power 2019-04-29 17:53:43 +03:00
eeprom_9287.c
eeprom_def.c
gpio.c
hif_usb.c ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb 2020-04-07 07:57:06 +03:00
hif_usb.h ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx 2020-04-07 07:56:26 +03:00
htc.h
htc_drv_beacon.c
htc_drv_debug.c
htc_drv_gpio.c
htc_drv_init.c ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx 2020-04-07 07:56:26 +03:00
htc_drv_main.c mac80211: simplify TX aggregation start 2019-10-04 13:58:13 +02:00
htc_drv_txrx.c ath9k_htc: Discard undersized packets 2019-10-01 14:49:00 +03:00
htc_hst.c ath9k: Fix use-after-free Write in ath9k_htc_rx_msg 2020-04-07 07:56:45 +03:00
htc_hst.h
hw-ops.h
hw.c ath9k: Differentiate between max combined and per chain power 2019-04-29 17:53:43 +03:00
hw.h ath9k: Differentiate between max combined and per chain power 2019-04-29 17:53:43 +03:00
init.c Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git 2019-05-27 15:15:29 +03:00
Kconfig drivers: net: Fix Kconfig indentation, continued 2019-11-21 11:54:09 -08:00
link.c
mac.c
mac.h
main.c Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git 2020-03-16 07:29:55 +02:00
Makefile ath9k: add loader for AR92XX (and older) pci(e) 2019-09-04 09:12:35 +03:00
mci.c
mci.h
pci.c ath: Use dev_get_drvdata where possible 2019-09-23 11:25:22 +03:00
phy.h
recv.c ath9k: correctly handle short radar pulses 2019-06-27 20:43:40 +03:00
reg.h
reg_aic.h
reg_mci.h
reg_wow.h
rng.c
tx99.c
wmi.c ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx 2020-04-07 07:56:26 +03:00
wmi.h ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx 2020-04-07 07:56:26 +03:00
wow.c
xmit.c mac80211: Fix setting txpower to zero 2020-02-14 09:57:00 +01:00