CVE-2022-50881

Source
https://cve.org/CVERecord?id=CVE-2022-50881
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50881.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-50881
Published
2025-12-30T12:23:20.343Z
Modified
2026-03-12T03:26:59.384278Z
Summary
wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()
Details

In the Linux kernel, the following vulnerability has been resolved:

wifi: ath9k: Fix use-after-free in ath9k_hif_usb_disconnect()

This patch fixes a use-after-free in ath9k that occurs in ath9k_hif_usb_disconnect() when ath9k_destroy_wmi() is trying to access 'drv_priv' that has already been freed by ieee80211_free_hw(), called by ath9k_htc_hw_deinit(). The patch moves ath9k_destroy_wmi() before ieee80211_free_hw(). Note that urbs from the driver should be killed before freeing 'wmi' with ath9k_destroy_wmi() as their callbacks will access 'wmi'.

Found by a modified version of syzkaller.

==================================================================
BUG: KASAN: use-after-free in ath9k_destroy_wmi+0x38/0x40
Read of size 8 at addr ffff8881069132a0 by task kworker/0:1/7

CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G O 5.14.0+ #131
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
Workqueue: usb_hub_wq hub_event
Call Trace:
 dump_stack_lvl+0x8e/0xd1
 print_address_description.constprop.0.cold+0x93/0x334
 ? ath9k_destroy_wmi+0x38/0x40
 ? ath9k_destroy_wmi+0x38/0x40
 kasan_report.cold+0x83/0xdf
 ? ath9k_destroy_wmi+0x38/0x40
 ath9k_destroy_wmi+0x38/0x40
 ath9k_hif_usb_disconnect+0x329/0x3f0
 ? ath9k_hif_usb_suspend+0x120/0x120
 ? usb_disable_interface+0xfc/0x180
 usb_unbind_interface+0x19b/0x7e0
 ? usb_autoresume_device+0x50/0x50
 device_release_driver_internal+0x44d/0x520
 bus_remove_device+0x2e5/0x5a0
 device_del+0x5b2/0xe30
 ? __device_link_del+0x370/0x370
 ? usb_remove_ep_devs+0x43/0x80
 ? remove_intf_ep_devs+0x112/0x1a0
 usb_disable_device+0x1e3/0x5a0
 usb_disconnect+0x267/0x870
 hub_event+0x168d/0x3950
 ? rcu_read_lock_sched_held+0xa1/0xd0
 ? hub_port_debounce+0x2e0/0x2e0
 ? check_irq_usage+0x860/0xf20
 ? drain_workqueue+0x281/0x360
 ? lock_release+0x640/0x640
 ? rcu_read_lock_sched_held+0xa1/0xd0
 ? rcu_read_lock_bh_held+0xb0/0xb0
 ? lockdep_hardirqs_on_prepare+0x273/0x3e0
 process_one_work+0x92b/0x1460
 ? pwq_dec_nr_in_flight+0x330/0x330
 ? rwlock_bug.part.0+0x90/0x90
 worker_thread+0x95/0xe00
 ? __kthread_parkme+0x115/0x1e0
 ? process_one_work+0x1460/0x1460
 kthread+0x3a1/0x480
 ? set_kthread_struct+0x120/0x120
 ret_from_fork+0x1f/0x30

The buggy address belongs to the page:
page:ffffea00041a44c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x106913
flags: 0x200000000000000(node=0|zone=2)
raw: 0200000000000000 0000000000000000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as freed
page last allocated via order 3, migratetype Unmovable, gfp_mask 0x40dc0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), pid 7, ts 38347963444, free_ts 41399957635
 prep_new_page+0x1aa/0x240
 get_page_from_freelist+0x159a/0x27c0
 __alloc_pages+0x2da/0x6a0
 alloc_pages+0xec/0x1e0
 kmalloc_order+0x39/0xf0
 kmalloc_order_trace+0x19/0x120
 __kmalloc+0x308/0x390
 wiphy_new_nm+0x6f5/0x1dd0
 ieee80211_alloc_hw_nm+0x36d/0x2230
 ath9k_htc_probe_device+0x9d/0x1e10
 ath9k_htc_hw_init+0x34/0x50
 ath9k_hif_usb_firmware_cb+0x25f/0x4e0
 request_firmware_work_func+0x131/0x240
 process_one_work+0x92b/0x1460
 worker_thread+0x95/0xe00
 kthread+0x3a1/0x480
page last free stack trace:
 free_pcp_prepare+0x3d3/0x7f0
 free_unref_page+0x1e/0x3d0
 device_release+0xa4/0x240
 kobject_put+0x186/0x4c0
 put_device+0x20/0x30
 ath9k_htc_disconnect_device+0x1cf/0x2c0
 ath9k_htc_hw_deinit+0x26/0x30
 ath9k_hif_usb_disconnect+0x2d9/0x3f0
 usb_unbind_interface+0x19b/0x7e0
 device_release_driver_internal+0x44d/0x520
 bus_remove_device+0x2e5/0x5a0
 device_del+0x5b2/0xe30
 usb_disable_device+0x1e3/0x5a0
 usb_disconnect+0x267/0x870
 hub_event+0x168d/0x3950
 process_one_work+0x92b/0x1460

Memory state around the buggy address:
 ffff888106913180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff888106913200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888 ---truncated---

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/50xxx/CVE-2022-50881.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
abeaa85054ff8cfe8b99aafc5c70ea067e5d0908
Fixed
99ff971b62e5bd5dee65bbe9777375206f5db791
Fixed
634a5471a6bd774c0d0fa448dfa6ec593e899ec9
Fixed
1f137c634a8c8faba648574f687805641e62f92e
Fixed
de15e8bbd9eb26fe94a06d0ec7be82dc490eb729
Fixed
f099c5c9e2ba08a379bd354a82e05ef839ae29ac
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5c42f9bfb4c22898ed3d2806d75e2e58522a5edd
Last affected
44736603a7099d2a9b48c669e43a689588e272a5
Last affected
406a2fbfabbf7ed9ed21884a82c07fabc6fe0b68
Last affected
66a4ca83d50bb38c814190af2188868153cce5de
Last affected
3eb802924486a923585b344340a5536d91989a45
Last affected
1bc633311a37913293c3c0a1b0f5261c49e3d5dc
Last affected
378d2734bf603bac4959bce2cadf5927aa2beffc

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50881.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.8.0
Fixed
5.10.173
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.99
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.16
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-50881.json"