
ath11k/dp: Fix possible invalid skb memory access

Message ID 1563336807-23646-1-git-send-email-vthiagar@codeaurora.org (mailing list archive)
State Accepted
Commit de542ad2ea10e72899e0442029b1e4b7a5f2604e
Delegated to: Kalle Valo
Series ath11k/dp: Fix possible invalid skb memory access

Commit Message

Vasanthakumar Thiagarajan July 17, 2019, 4:13 a.m. UTC
In ath11k_dp_rx_null_q_desc_sg_drop(), use skb_queue_walk_safe()
instead of skb_queue_walk() while processing skb from the queue
since this involves removing skb from the list. Using just
skb_queue_walk() could result in using invalid (or already freed)
skb memory.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@codeaurora.org>
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Kalle Valo July 18, 2019, 11:21 a.m. UTC | #1
Vasanthakumar Thiagarajan <vthiagar@codeaurora.org> wrote:

> In ath11k_dp_rx_null_q_desc_sg_drop(), use skb_queue_walk_safe()
> instead of skb_queue_walk() while processing skb from the queue
> since this involves removing skb from the list. Using just
> skb_queue_walk() could result in using invalid (or already freed)
> skb memory.
> 
> Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath11k-bringup branch of ath.git, thanks.

de542ad2ea10 ath11k/dp: Fix possible invalid skb memory access

Patch

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index d074d90..fbe7f34 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2907,14 +2907,14 @@  static void ath11k_dp_rx_null_q_desc_sg_drop(struct ath11k *ar,
 					     int msdu_len,
 					     struct sk_buff_head *msdu_list)
 {
-	struct sk_buff *skb;
+	struct sk_buff *skb, *tmp;
 	struct ath11k_skb_rxcb *rxcb;
 	int n_buffs;
 
 	n_buffs = DIV_ROUND_UP(msdu_len,
 			       (DP_RX_BUFFER_SIZE - HAL_RX_DESC_SIZE));
 
-	skb_queue_walk(msdu_list, skb) {
+	skb_queue_walk_safe(msdu_list, skb, tmp) {
 		rxcb = ATH11K_SKB_RXCB(skb);
 		if (rxcb->err_rel_src == HAL_WBM_REL_SRC_MODULE_REO &&
 		    rxcb->err_code == HAL_REO_DEST_RING_ERROR_CODE_DESC_ADDR_ZERO) {
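
Review bot: skb_queue_walk_safe(msdu_list, skb, tmp) only makes it safe for the loop body to unlink the current skb, because tmp caches the next entry before the body runs; if the body can also unlink or free that next entry, or another context can modify msdu_list during the walk, tmp goes stale in the same way skb did before this change. The visible context ends at the err_rel_src/err_code test, so the unlink and free are not shown in this hunk. A short comment above the loop, or a sentence in the commit message, stating that at most the current skb is removed per iteration and that msdu_list is not shared (or which lock covers it) would make the fix checkable from the patch alone. Separately, n_buffs is computed with DIV_ROUND_UP from msdu_len, which is a signed int; nothing in the visible lines checks that msdu_len is positive before it becomes a buffer count, so it is worth confirming the caller bounds it.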