| Message ID | 20220505092248.787-1-quic_wgong@quicinc.com (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 |
| Delegated to: | Kalle Valo |
| Headers | show |
| Series | [v2] ath10k: reset pointer after memory free to avoid potential use-after-free | expand |
Wen Gong <quic_wgong@quicinc.com> wrote: > When running suspend test, kernel crash happened in ath10k, and it is > fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend > for driver state RESTARTING"). > > Currently the crash is fixed, but as a common code style, it is better > to set the pointer to NULL after memory is free. > > This is to address the code style and it will avoid potential bug of > use-after-free. > > Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 > Signed-off-by: Wen Gong <quic_wgong@quicinc.com> > Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Patch applied to ath-next branch of ath.git, thanks. 1e1cb8e0b73e wifi: ath10k: reset pointer after memory free to avoid potential use-after-free
diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index 771252dd6d4e..f6645c7c55c2 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -301,12 +301,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt) ath10k_htt_get_vaddr_ring(htt), htt->rx_ring.base_paddr); + ath10k_htt_config_paddrs_ring(htt, NULL); + dma_free_coherent(htt->ar->dev, sizeof(*htt->rx_ring.alloc_idx.vaddr), htt->rx_ring.alloc_idx.vaddr, htt->rx_ring.alloc_idx.paddr); + htt->rx_ring.alloc_idx.vaddr = NULL; kfree(htt->rx_ring.netbufs_ring); + htt->rx_ring.netbufs_ring = NULL; } static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt) @@ -846,8 +850,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt) ath10k_htt_get_rx_ring_size(htt), vaddr_ring, htt->rx_ring.base_paddr); + ath10k_htt_config_paddrs_ring(htt, NULL); err_dma_ring: kfree(htt->rx_ring.netbufs_ring); + htt->rx_ring.netbufs_ring = NULL; err_netbuf: return -ENOMEM; }
When running suspend test, kernel crash happened in ath10k, and it is fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend for driver state RESTARTING"). Currently the crash is fixed, but as a common code style, it is better to set the pointer to NULL after memory is free. This is to address the code style and it will avoid potential bug of use-after-free. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Signed-off-by: Wen Gong <quic_wgong@quicinc.com> --- v2: 1. change subject "ath10k: reset pointer after memory free to avoid kernel crash by multi-free" to "ath10k: reset pointer after memory free to avoid potential use-after-free" 2. change commit log drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++ 1 file changed, 6 insertions(+) base-commit: 3637b73b8e805d011202e2bf10947f2d206695d4