From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Wen Gong <quic_wgong@quicinc.com>,
	Kalle Valo <quic_kvalo@quicinc.com>,
	Sasha Levin <sashal@kernel.org>,
	kvalo@kernel.org, davem@davemloft.net, edumazet@google.com,
	kuba@kernel.org, pabeni@redhat.com, ath10k@lists.infradead.org,
	linux-wireless@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.10 24/34] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free
Date: Sun,  9 Oct 2022 18:21:18 -0400
Message-ID: <20221009222129.1218277-24-sashal@kernel.org>
In-Reply-To: <20221009222129.1218277-1-sashal@kernel.org>

From: Wen Gong <quic_wgong@quicinc.com>

[ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ]

When running a suspend test, a kernel crash happened in ath10k, and it was
fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend
for driver state RESTARTING").

Currently the crash is fixed, but as a common code style, it is better
to set the pointer to NULL after the memory is freed.

This addresses the code style and avoids a potential use-after-free
bug.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20220505092248.787-1-quic_wgong@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index 28ec3c5b4d1f..1b34f12b7eca 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -297,12 +297,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt)
 			  ath10k_htt_get_vaddr_ring(htt),
 			  htt->rx_ring.base_paddr);
 
+	ath10k_htt_config_paddrs_ring(htt, NULL);
+
 	dma_free_coherent(htt->ar->dev,
 			  sizeof(*htt->rx_ring.alloc_idx.vaddr),
 			  htt->rx_ring.alloc_idx.vaddr,
 			  htt->rx_ring.alloc_idx.paddr);
+	htt->rx_ring.alloc_idx.vaddr = NULL;
 
 	kfree(htt->rx_ring.netbufs_ring);
+	htt->rx_ring.netbufs_ring = NULL;
 }
 
 static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
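Review bot: the commit message states that the suspend crash behind this change was already fixed by b72a4aff947b ("ath10k: skip ath10k_halt during suspend for driver state RESTARTING"); for this 5.10 AUTOSEL backport, please confirm that commit is present in the stable tree, since without it the NULL resets only turn a dangling pointer into a NULL dereference rather than closing the double-teardown path. Note also that only the virtual pointers are cleared here: `htt->rx_ring.base_paddr` and `htt->rx_ring.alloc_idx.paddr` keep their stale values after `dma_free_coherent()`, which is fine as long as every later consumer keys off the vaddr (as `ath10k_htt_get_vaddr_ring()` does) and never reuses a paddr on its own. Resetting `netbufs_ring` after `kfree()` does make a repeated `ath10k_htt_rx_free()` safe for that buffer, since `kfree(NULL)` is a no-op.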
@@ -823,8 +827,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
 			  ath10k_htt_get_rx_ring_size(htt),
 			  vaddr_ring,
 			  htt->rx_ring.base_paddr);
+	ath10k_htt_config_paddrs_ring(htt, NULL);
 err_dma_ring:
 	kfree(htt->rx_ring.netbufs_ring);
+	htt->rx_ring.netbufs_ring = NULL;
 err_netbuf:
 	return -ENOMEM;
 }
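Review bot: this error path resets the paddrs ring and `netbufs_ring` but, unlike the teardown hunk above, never clears `htt->rx_ring.alloc_idx.vaddr`; please confirm that `alloc_idx.vaddr` is allocated only after the step that jumps to `err_dma_ring`, so a subsequent `ath10k_htt_rx_free()` after a failed `ath10k_htt_rx_alloc()` cannot pass a stale `alloc_idx.vaddr` to `dma_free_coherent()`. If it can be allocated earlier, the same `= NULL` reset should be added here for consistency with the first hunk. The added `htt->rx_ring.netbufs_ring = NULL;` is correct as placed, immediately after the `kfree()` and before `err_netbuf`, so the `-ENOMEM` return leaves no dangling pointer in the struct.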
-- 
2.35.1
