From: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
To: Willmar Knikker <willmar@met-dubbel-l.nl>, jjohnson@kernel.org
Cc: linux-wireless@vger.kernel.org, ath11k@lists.infradead.org
Subject: Re: [PATCH] wifi: ath11k: fix use after free in ath11k_dp_rx_msdu_coalesce.
Date: Tue, 5 May 2026 08:08:48 -0700 [thread overview]
Message-ID: <7d3c5eae-233a-4c31-b64e-70f0afe74da6@oss.qualcomm.com> (raw)
In-Reply-To: <20260505143025.234292-1-willmar@met-dubbel-l.nl>
On 5/5/2026 7:30 AM, Willmar Knikker wrote:
> In ath11k_dp_rx_msdu_coalesce the loop uses ->is_continuation after
> the dev_kfree_skb_any. This can cause a use after free kfence.
>
> Move the use after the dev_kfree_skb_any after use of ->is_continuation
> inline with the while in the while loop above this one.
>
> Signed-off-by: Willmar Knikker <willmar@met-dubbel-l.nl>
> ---
> drivers/net/wireless/ath/ath11k/dp_rx.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
> index fe79109adc70..02bd9787d6b4 100644
> --- a/drivers/net/wireless/ath/ath11k/dp_rx.c
> +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
> @@ -1825,11 +1825,12 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
> skb_pull(skb, hal_rx_desc_sz);
> skb_copy_from_linear_data(skb, skb_put(first, buf_len),
> buf_len);
> - dev_kfree_skb_any(skb);
> -
> rem_len -= buf_len;
> - if (!rxcb->is_continuation)
> + if (!rxcb->is_continuation) {
> + dev_kfree_skb_any(skb);
> break;
> + }
> + dev_kfree_skb_any(skb);
rather than repeating code imo it would be "better" to cache the flag before
freeing and then test the cached flag.
however as you note this proposed logic matches the logic already present in
the "Free up all buffers of the MSDU" portion of the function, so from that
perspective the proposal is consistent with that logic.
let's see if anyone else has an opinion...
/jeff
next prev parent reply other threads:[~2026-05-05 15:08 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 14:30 [PATCH] wifi: ath11k: fix use after free in ath11k_dp_rx_msdu_coalesce Willmar Knikker
2026-05-05 15:08 ` Jeff Johnson [this message]
2026-05-05 16:38 ` Rameshkumar Sundaram
2026-05-05 16:53 ` Willmar Knikker
2026-05-05 15:13 ` Jeff Johnson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7d3c5eae-233a-4c31-b64e-70f0afe74da6@oss.qualcomm.com \
--to=jeff.johnson@oss.qualcomm.com \
--cc=ath11k@lists.infradead.org \
--cc=jjohnson@kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=willmar@met-dubbel-l.nl \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox