CVE-2024-56541
Severity CVSS v4.0:
Pending analysis
Type:
CWE-416
Use After Free
Publication date:
27/12/2024
Last modified:
11/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()

During ath12k module removal, in ath12k_core_deinit(),
ath12k_mac_destroy() un-registers ah->hw from mac80211 and frees
the ah->hw as well as all the ar's in it. After this
ath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()
tries to access one of the freed ar's from a pending skb.

This is because during mac destroy, the driver failed to flush a few
data packets, which were accessed later in ath12k_dp_cc_cleanup()
and freed, but using ar from the packet led to this use-after-free.

BUG: KASAN: use-after-free in ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]
Write of size 4 at addr ffff888150bd3514 by task modprobe/8926
CPU: 0 UID: 0 PID: 8926 Comm: modprobe Not tainted
6.11.0-rc2-wt-ath+ #1746
Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS
HNKBLi70.86A.0067.2021.0528.1339 05/28/2021

Call Trace:

dump_stack_lvl+0x7d/0xe0
print_address_description.constprop.0+0x33/0x3a0
print_report+0xb5/0x260
? kasan_addr_to_slab+0x24/0x80
kasan_report+0xd8/0x110
? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]
? ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]
kasan_check_range+0xf3/0x1a0
__kasan_check_write+0x14/0x20
ath12k_dp_cc_cleanup.part.0+0x5e2/0xd40 [ath12k]
ath12k_dp_free+0x178/0x420 [ath12k]
ath12k_core_stop+0x176/0x200 [ath12k]
ath12k_core_deinit+0x13f/0x210 [ath12k]
ath12k_pci_remove+0xad/0x1c0 [ath12k]
pci_device_remove+0x9b/0x1b0
device_remove+0xbf/0x150
device_release_driver_internal+0x3c3/0x580
? __kasan_check_read+0x11/0x20
driver_detach+0xc4/0x190
bus_remove_driver+0x130/0x2a0
driver_unregister+0x68/0x90
pci_unregister_driver+0x24/0x240
? find_module_all+0x13e/0x1e0
ath12k_pci_exit+0x10/0x20 [ath12k]
__do_sys_delete_module+0x32c/0x580
? module_flags+0x2f0/0x2f0
? kmem_cache_free+0xf0/0x410
? __fput+0x56f/0xab0
? __fput+0x56f/0xab0
? debug_smp_processor_id+0x17/0x20
__x64_sys_delete_module+0x4f/0x70
x64_sys_call+0x522/0x9f0
do_syscall_64+0x64/0x130
entry_SYSCALL_64_after_hwframe+0x4b/0x53
RIP: 0033:0x7f8182c6ac8b

Commit 24de1b7b231c ("wifi: ath12k: fix flush failure in recovery
scenarios") added the change to decrement the pending packets count
in case of recovery, which makes sense as ah->hw as well as all
ar's in it are intact during recovery, but during core deinit there
is no use in decrementing the packets count or waking up the empty waitq
as the module is going to be removed; also, ar's from pending skbs
can't be used and the packets should just be released back.

To fix this, avoid accessing ar from skb->cb when the driver is being
unregistered.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.1.1-00214-QCAHKSWPL_SILICONZ-1
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
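The teardown-ordering pattern behind this CVE, as an added userspace model that is not ath12k code and does not use the driver's real types. The names `radio` (standing in for `ar`), `pkt` (an skb whose control block carries a back-pointer to its radio), `soc` and `dp_cc_cleanup` are hypothetical. Instead of KASAN, "freed" radios are parked in a quarantine and tagged, so the late 4-byte write through the stale back-pointer is detected deterministically. The pre-patch path reaches through the packet's back-pointer unconditionally; the patched path leaves it alone while unregistering and just releases the packets, while the recovery path (radios intact) still decrements the count as commit 24de1b7b231c intended.

```c
/* Added illustration, not ath12k source. All names are hypothetical
 * stand-ins: radio ~ ar, pkt ~ skb with a back-pointer in skb->cb,
 * soc ~ the driver handle owning the radio and the pending list. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_PENDING 4
#define RADIO_LIVE  0xA11CE000u
#define RADIO_FREED 0xDEADBEEFu

struct radio {
    unsigned int magic;      /* RADIO_LIVE or RADIO_FREED */
    unsigned int pending_tx; /* 4-byte counter the cleanup path decrements */
};
struct pkt {
    struct radio *cb_radio;  /* like ar saved in skb->cb */
    struct pkt *next;
};
struct soc {
    struct radio *ar;        /* destroyed first during module removal */
    struct pkt *pending;     /* packets that failed to flush */
    bool unregistering;      /* true on module removal, false on recovery */
};

/* Quarantine: "freed" radios keep their storage but are tagged, which
 * lets a later dereference be caught without real use of freed memory. */
static struct radio *quarantine[16];
static int nquar;

static void radio_free(struct radio *ar)
{
    ar->magic = RADIO_FREED;
    quarantine[nquar++] = ar;
}

static void quarantine_drain(void)
{
    while (nquar > 0)
        free(quarantine[--nquar]);
}

static struct soc *soc_create(int npending)
{
    struct soc *s = calloc(1, sizeof(*s));
    s->ar = calloc(1, sizeof(*s->ar));
    s->ar->magic = RADIO_LIVE;
    for (int i = 0; i < npending; i++) {
        struct pkt *p = calloc(1, sizeof(*p));
        p->cb_radio = s->ar;          /* back-pointer that will go stale */
        p->next = s->pending;
        s->pending = p;
        s->ar->pending_tx++;
    }
    return s;
}

/* Release the pending list. fixed == false mirrors the pre-patch logic:
 * always decrement the radio's count through the packet's back-pointer.
 * fixed == true skips that dereference while unregistering.
 * Returns how many dereferences hit a freed radio. */
static int dp_cc_cleanup(struct soc *s, bool fixed)
{
    int uaf = 0;
    for (struct pkt *p = s->pending, *next; p; p = next) {
        next = p->next;
        if (!(fixed && s->unregistering)) {
            struct radio *ar = p->cb_radio;
            if (ar->magic == RADIO_FREED)
                uaf++;                /* the write KASAN flagged */
            ar->pending_tx--;
        }
        free(p);
    }
    s->pending = NULL;
    return uaf;
}

/* Module-removal order from the trace: mac destroy first, dp cleanup after.
 * Returns the number of freed-radio accesses (0 once patched). */
static int run_removal(bool fixed)
{
    struct soc *s = soc_create(NUM_PENDING);
    s->unregistering = true;
    radio_free(s->ar);                /* ath12k_mac_destroy() equivalent */
    int uaf = dp_cc_cleanup(s, fixed);
    quarantine_drain();
    free(s);
    return uaf;
}

/* Recovery order: the radio stays alive, so the decrement is legitimate.
 * Returns the pending count left on the radio, or -1 if a freed one was touched. */
static int run_recovery(bool fixed)
{
    struct soc *s = soc_create(NUM_PENDING);
    s->unregistering = false;
    int uaf = dp_cc_cleanup(s, fixed);
    int left = (int)s->ar->pending_tx;
    radio_free(s->ar);
    quarantine_drain();
    free(s);
    return uaf ? -1 : left;
}

int main(void)
{
    printf("removal pre-patch: %d stale accesses, patched: %d\n",
           run_removal(false), run_removal(true));
    printf("recovery pre-patch: %d pending left, patched: %d\n",
           run_recovery(false), run_recovery(true));
    return 0;
}
```

The model keeps the two teardown orders distinct on purpose: the `unregistering` flag is what the fix keys on, and the recovery run shows why the decrement cannot simply be deleted.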
Impact
Base Score 3.x
7.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.10 (including) | 6.11.11 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.12 (including) | 6.12.2 (excluding) |