1. 29 6月, 2017 1 次提交
    • M
      ath9k: fix tx99 use after free · cf8ce1ea
      Miaoqing Pan 提交于
      One scenario that could lead to UAF is two threads writing
      simultaneously to the "tx99" debug file. One of them would
      set the "start" value to true and follow to ath9k_tx99_init().
      Inside the function it would set the sc->tx99_state to true
      after allocating sc->tx99skb. Then, the other thread would
      execute write_file_tx99() and call ath9k_tx99_deinit().
      sc->tx99_state would be freed. After that, the first thread
      would continue inside ath9k_tx99_init() and call
      r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
      that would make use of the freed sc->tx99_skb memory.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NMiaoqing Pan <miaoqing@codeaurora.org>
      Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>
      cf8ce1ea
  2. 27 6月, 2017 9 次提交
  3. 26 6月, 2017 7 次提交
  4. 25 6月, 2017 21 次提交
  5. 24 6月, 2017 2 次提交