diff mbox series

wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma

Message ID 20210403054755.4781-1-lyl2019@mail.ustc.edu.cn (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Headers show
Series wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma | expand

Checks

Context Check Description
netdev/tree_selection success Not a local patch

Commit Message

Lv Yunlong April 3, 2021, 5:47 a.m. UTC
In iwl_txq_dyn_alloc_dma, txq->tfds is freed at first time by:
iwl_txq_alloc()->goto err_free_tfds->dma_free_coherent(). But
it forgot to set txq->tfds to NULL.

Then the txq->tfds is freed again in iwl_txq_dyn_alloc_dma by:
goto error->iwl_txq_gen2_free_memory()->dma_free_coherent().

My patch sets txq->tfds to NULL after the first free to avoid the
double free.

Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common code")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 +
 1 file changed, 1 insertion(+)

Comments

Lv Yunlong April 13, 2021, 4:29 p.m. UTC | #1
Hi, my dear maintainers.

     I'm very sorry to disturb you, that beacuse this patch has been not reviewed for one weeks.
     Could you help to review this patch? It will not cost you much time.

Sincerely.
  

> -----原始邮件-----
> 发件人: "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> 发送时间: 2021-04-03 13:47:55 (星期六)
> 收件人: luciano.coelho@intel.com, kvalo@codeaurora.org, davem@davemloft.net, kuba@kernel.org, mordechay.goodstein@intel.com, johannes.berg@intel.com, emmanuel.grumbach@intel.com
> 抄送: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> 主题: [PATCH] wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma
> 
> In iwl_txq_dyn_alloc_dma, txq->tfds is freed at first time by:
> iwl_txq_alloc()->goto err_free_tfds->dma_free_coherent(). But
> it forgot to set txq->tfds to NULL.
> 
> Then the txq->tfds is freed again in iwl_txq_dyn_alloc_dma by:
> goto error->iwl_txq_gen2_free_memory()->dma_free_coherent().
> 
> My patch sets txq->tfds to NULL after the first free to avoid the
> double free.
> 
> Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common code")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> ---
>  drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/wireless/intel/iwlwifi/queue/tx.c b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
> index 833f43d1ca7a..99c8e473031a 100644
> --- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
> +++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
> @@ -1101,6 +1101,7 @@ int iwl_txq_alloc(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num,
>  	return 0;
>  err_free_tfds:
>  	dma_free_coherent(trans->dev, tfd_sz, txq->tfds, txq->dma_addr);
> +	txq->tfds = NULL;
>  error:
>  	if (txq->entries && cmd_queue)
>  		for (i = 0; i < slots_num; i++)
> -- 
> 2.25.1
>
diff mbox series

Patch

diff --git a/drivers/net/wireless/intel/iwlwifi/queue/tx.c b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
index 833f43d1ca7a..99c8e473031a 100644
--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
@@ -1101,6 +1101,7 @@  int iwl_txq_alloc(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num,
 	return 0;
 err_free_tfds:
 	dma_free_coherent(trans->dev, tfd_sz, txq->tfds, txq->dma_addr);
+	txq->tfds = NULL;
 error:
 	if (txq->entries && cmd_queue)
 		for (i = 0; i < slots_num; i++)