superrob1500
/
mirror-linux
mirror of https://github.com/torvalds/linux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
mirror-linux/net
History
Remi Pommarel a104042e2b wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() 
The ieee80211 skb control block key (set when skb was queued) could have
been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()
already called ieee80211_tx_h_select_key() to get the current key, but
the latter do not update the key in skb control block in case it is
NULL. Because some drivers actually use this key in their TX callbacks
(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free
below:

  BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c
  Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440

  CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2
  Hardware name: HW (DT)
  Workqueue: bat_events batadv_send_outstanding_bcast_packet
  Call trace:
   show_stack+0x14/0x1c (C)
   dump_stack_lvl+0x58/0x74
   print_report+0x164/0x4c0
   kasan_report+0xac/0xe8
   __asan_report_load4_noabort+0x1c/0x24
   ath11k_mac_op_tx+0x590/0x61c
   ieee80211_handle_wake_tx_queue+0x12c/0x1c8
   ieee80211_queue_skb+0xdcc/0x1b4c
   ieee80211_tx+0x1ec/0x2bc
   ieee80211_xmit+0x224/0x324
   __ieee80211_subif_start_xmit+0x85c/0xcf8
   ieee80211_subif_start_xmit+0xc0/0xec4
   dev_hard_start_xmit+0xf4/0x28c
   __dev_queue_xmit+0x6ac/0x318c
   batadv_send_skb_packet+0x38c/0x4b0
   batadv_send_outstanding_bcast_packet+0x110/0x328
   process_one_work+0x578/0xc10
   worker_thread+0x4bc/0xc7c
   kthread+0x2f8/0x380
   ret_from_fork+0x10/0x20

  Allocated by task 1906:
   kasan_save_stack+0x28/0x4c
   kasan_save_track+0x1c/0x40
   kasan_save_alloc_info+0x3c/0x4c
   __kasan_kmalloc+0xac/0xb0
   __kmalloc_noprof+0x1b4/0x380
   ieee80211_key_alloc+0x3c/0xb64
   ieee80211_add_key+0x1b4/0x71c
   nl80211_new_key+0x2b4/0x5d8
   genl_family_rcv_msg_doit+0x198/0x240
  <...>

  Freed by task 1494:
   kasan_save_stack+0x28/0x4c
   kasan_save_track+0x1c/0x40
   kasan_save_free_info+0x48/0x94
   __kasan_slab_free+0x48/0x60
   kfree+0xc8/0x31c
   kfree_sensitive+0x70/0x80
   ieee80211_key_free_common+0x10c/0x174
   ieee80211_free_keys+0x188/0x46c
   ieee80211_stop_mesh+0x70/0x2cc
   ieee80211_leave_mesh+0x1c/0x60
   cfg80211_leave_mesh+0xe0/0x280
   cfg80211_leave+0x1e0/0x244
  <...>

Reset SKB control block key before calling ieee80211_tx_h_select_key()
to avoid that.

Fixes: bb42f2d13f ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Link: https://patch.msgid.link/06aa507b853ca385ceded81c18b0a6dd0f081bc8.1742833382.git.repk@triplefau.lt
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
 		2025-04-02 10:48:23 +02:00
..
6lowpan
9p net/9p/usbg: allow building as standalone module 2024-11-22 23:48:14 +09:00
802 net: 802: LLC+SNAP OID:PID lookup on start of skb data 2025-01-04 08:06:24 -08:00
8021q net: vlan: don't propagate flags on open 2025-03-20 09:57:37 +01:00
appletalk net: appletalk: Drop aarp_send_probe_phase1() 2025-01-20 10:08:19 +00:00
atm atm: Fix NULL pointer dereference 2025-03-25 13:54:36 -07:00
ax25 ax25: Remove broken autobind 2025-03-24 10:26:53 +00:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-03-20 21:38:01 +01:00
bluetooth Bluetooth: MGMT: Add LL Privacy Setting 2025-03-25 15:22:49 -04:00
bpf bpf, test_run: Fix use-after-free issue in eth_skb_pkt_type() 2025-01-29 08:51:51 -08:00
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-03-26 09:32:10 -07:00
caif rtnetlink: Pack newlink() params into struct 2025-02-21 15:28:02 -08:00
can Networking changes for 6.15. 2025-03-26 21:48:21 -07:00
ceph ceph: allocate sparse_ext map only for sparse reads 2024-12-16 23:25:44 +01:00
core Networking changes for 6.15. 2025-03-26 21:48:21 -07:00
dcb
dccp tcp/dccp: remove icsk->icsk_ack.timeout 2025-03-25 10:34:33 -07:00
devlink devlink: fix xa_alloc_cyclic() error handling 2025-03-19 09:57:36 +00:00
dns_resolver
dsa net: move misc netdev_lock flavors to a separate header 2025-03-08 09:06:50 -08:00
ethernet
ethtool net-timestamp: COMPLETION timestamp on packet tx completion 2025-03-25 12:48:05 -04:00
handshake module: Convert symbol namespace to string literal 2024-12-02 11:34:44 -08:00
hsr net: hsr: Add KUnit test for PRP 2025-03-13 10:04:22 +01:00
ieee802154 inet: frags: save a pair of atomic operations in reassembly 2025-03-18 13:18:36 +01:00
ife
ipv4 Networking changes for 6.15. 2025-03-26 21:48:21 -07:00
ipv6 tcp/dccp: remove icsk->icsk_timeout 2025-03-25 10:34:33 -07:00
iucv s390/iucv: MSG_PEEK causes memory leak in iucv_sock_destruct() 2024-11-26 10:02:53 +01:00
kcm
key
l2tp net: move misc netdev_lock flavors to a separate header 2025-03-08 09:06:50 -08:00
l3mdev
lapb
llc llc: do not use skb_get() before dev_queue_xmit() 2025-03-03 14:00:04 +00:00
mac80211 wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue() 2025-04-02 10:48:23 +02:00
mac802154 mac802154: Switch to use hrtimer_setup() 2025-02-18 10:35:44 +01:00
mctp net: mctp: unshare packets when reassembling 2025-03-11 13:12:19 +01:00
mpls
mptcp tcp/dccp: remove icsk->icsk_ack.timeout 2025-03-25 10:34:33 -07:00
ncsi net/ncsi: use dev_set_mac_address() for Get MC MAC Address handling 2025-01-27 09:20:07 +00:00
netfilter netfilter pull request 25-03-23 2025-03-25 08:29:13 -07:00
netlabel net: corrections for security_secid_to_secctx returns 2025-01-04 22:11:22 -05:00
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-02-27 10:20:58 -08:00
netrom netrom: check buffer length before accessing it 2024-12-23 10:04:55 -08:00
nfc nfc: hci: Remove unused nfc_llc_unregister 2025-02-19 19:04:26 -08:00
nsh
openvswitch net: openvswitch: fix kernel-doc warnings in internal headers 2025-03-24 09:30:21 -07:00
packet net: initialize mark in sockcm_init 2025-02-18 18:27:19 -08:00
phonet
psample psample: adjust size if rate_as_probability is set 2024-12-18 19:23:04 -08:00
qrtr
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-02-27 10:20:58 -08:00
rfkill net: rfkill: gpio: allow booting in blocked state 2025-02-11 11:55:55 +01:00
rose net: rose: lock the socket in rose_bind() 2025-02-04 14:03:58 -08:00
rxrpc afs: Use the per-peer app data provided by rxrpc 2025-03-10 09:47:15 +00:00
sched Networking changes for 6.15. 2025-03-26 21:48:21 -07:00
sctp net: use sock_kmemdup for ip_options 2025-03-03 17:16:34 -08:00
shaper net: add netdev_lock() / netdev_unlock() helpers 2025-01-15 19:13:33 -08:00
smc net/smc: use the correct ndev to find pnetid by pnetid table 2025-03-14 12:54:40 +00:00
strparser strparser: Add read_sock callback 2025-01-29 13:32:08 -08:00
sunrpc Summary 2025-03-26 21:02:05 -07:00
switchdev net: switchdev: Convert blocking notification chain to a raw one 2025-03-11 11:30:28 +01:00
tipc tipc: Reduce scope for the variable “fdefq” in tipc_link_tnl_prepare() 2025-03-04 17:19:49 -08:00
tls tcp: move icsk_clean_acked to a better location 2025-03-24 09:55:18 -07:00
unix unix: fix up for "apparmor: add fine grained af_unix mediation" 2025-03-26 09:31:18 -07:00
vmw_vsock vsock/bpf: Warn on socket without transport 2025-02-18 12:00:01 +01:00
wireless wifi: nl80211: re-enable multi-link reconfiguration 2025-03-18 14:52:11 +01:00
x25
xdp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-03-20 21:38:01 +01:00
xfrm Networking changes for 6.15. 2025-03-26 21:48:21 -07:00
Kconfig
Kconfig.debug
Makefile
compat.c
devres.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-03-26 09:32:10 -07:00
sysctl_net.c