From patchwork Thu May 5 09:22:48 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Wen Gong X-Patchwork-Id: 12839281 X-Patchwork-Delegate: kvalo@adurom.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 84D53C433EF for ; Thu, 5 May 2022 09:23:09 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345263AbiEEJ0p (ORCPT ); Thu, 5 May 2022 05:26:45 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:38316 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1352609AbiEEJ0o (ORCPT ); Thu, 5 May 2022 05:26:44 -0400 Received: from alexa-out.qualcomm.com (alexa-out.qualcomm.com [129.46.98.28]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 78EB44D25A for ; Thu, 5 May 2022 02:23:05 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com; i=@quicinc.com; q=dns/txt; s=qcdkim; t=1651742585; x=1683278585; h=from:to:cc:subject:date:message-id:mime-version: content-transfer-encoding; bh=AO2UTTg5jOZILim0HF+Zqn4yFvVaM7U8Xgglo0OtAzk=; b=DPgUZk59iw4LOnxF+PC7OLF2j2weLbtDLtUsEq3D7qYOOXyA7sgrUHV2 FsrhVFIQpwEveQFMZkQqXZcoiLFfhWw7pm1dUvBgl1cpHG7aMPD3yR5sT Ne3ooXvWlSkR43mCY9g2DIm77dN5gRC/4KysEevAfZMJdMYVkR4abRFes Q=; Received: from ironmsg08-lv.qualcomm.com ([10.47.202.152]) by alexa-out.qualcomm.com with ESMTP; 05 May 2022 02:23:05 -0700 X-QCInternal: smtphost Received: from nasanex01c.na.qualcomm.com ([10.47.97.222]) by ironmsg08-lv.qualcomm.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 05 May 2022 02:23:05 -0700 Received: from nalasex01a.na.qualcomm.com (10.47.209.196) by nasanex01c.na.qualcomm.com (10.47.97.222) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.22; Thu, 5 May 2022 02:23:04 -0700 Received: from wgong-HP3-Z230-SFF-Workstation.qca.qualcomm.com (10.80.80.8) by nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.22; Thu, 5 May 2022 02:23:03 -0700 From: Wen Gong To: CC: , Subject: [PATCH v2] ath10k: reset pointer after memory free to avoid potential use-after-free Date: Thu, 5 May 2022 05:22:48 -0400 Message-ID: <20220505092248.787-1-quic_wgong@quicinc.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 X-Originating-IP: [10.80.80.8] X-ClientProxiedBy: nasanex01b.na.qualcomm.com (10.46.141.250) To nalasex01a.na.qualcomm.com (10.47.209.196) Precedence: bulk List-ID: X-Mailing-List: linux-wireless@vger.kernel.org When running suspend test, kernel crash happened in ath10k, and it is fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend for driver state RESTARTING"). Currently the crash is fixed, but as a common code style, it is better to set the pointer to NULL after memory is free. This is to address the code style and it will avoid potential bug of use-after-free. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Signed-off-by: Wen Gong --- v2: 1. change subject "ath10k: reset pointer after memory free to avoid kernel crash by multi-free" to "ath10k: reset pointer after memory free to avoid potential use-after-free" 2. change commit log drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++ 1 file changed, 6 insertions(+) base-commit: 3637b73b8e805d011202e2bf10947f2d206695d4 diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index 771252dd6d4e..f6645c7c55c2 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -301,12 +301,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt) ath10k_htt_get_vaddr_ring(htt), htt->rx_ring.base_paddr); + ath10k_htt_config_paddrs_ring(htt, NULL); + dma_free_coherent(htt->ar->dev, sizeof(*htt->rx_ring.alloc_idx.vaddr), htt->rx_ring.alloc_idx.vaddr, htt->rx_ring.alloc_idx.paddr); + htt->rx_ring.alloc_idx.vaddr = NULL; kfree(htt->rx_ring.netbufs_ring); + htt->rx_ring.netbufs_ring = NULL; } static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt) @@ -846,8 +850,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt) ath10k_htt_get_rx_ring_size(htt), vaddr_ring, htt->rx_ring.base_paddr); + ath10k_htt_config_paddrs_ring(htt, NULL); err_dma_ring: kfree(htt->rx_ring.netbufs_ring); + htt->rx_ring.netbufs_ring = NULL; err_netbuf: return -ENOMEM; }