* [PATCH] ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API
@ 2019-10-30 7:46 Karthikeyan Periyasamy
2019-11-07 9:38 ` Kalle Valo
From: Karthikeyan Periyasamy @ 2019-10-30 7:46 UTC
To: ath11k; +Cc: Karthikeyan Periyasamy
Accessing the already stored first msdu data after the skb expand triggers
a use_after_free, since the first msdu got deleted. So do the descriptor copy
operation before the skb expand operation.
Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index acad746..475988b 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -1374,6 +1374,11 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
skb_put(first, DP_RX_BUFFER_SIZE);
skb_pull(first, buf_first_hdr_len);
+ /* When an MSDU spread over multiple buffers attention, MSDU_END and
+ * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs.
+ */
+ ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc);
+
space_extra = msdu_len - (buf_first_len + skb_tailroom(first));
if (space_extra > 0 &&
(pskb_expand_head(first, 0, space_extra, GFP_ATOMIC) < 0)) {
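Review bot: The comment now sitting above ath11k_dp_rx_desc_end_tlv_copy() explains only why the tlvs are copied, not why the call has to come before pskb_expand_head(first, ...), which is the whole reason for the move. Suggest adding a sentence to that comment along the lines of "must be done before pskb_expand_head(), which may free the buffer rxcb->rx_desc points into", so a later cleanup does not move the call back below the expand. The pointer rxcb->rx_desc itself is not refreshed anywhere in the lines shown, so please also state in the commit message whether it is read again for first after a successful expand.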
@@ -1389,11 +1394,6 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
return -ENOMEM;
}
- /* When an MSDU spread over multiple buffers attention, MSDU_END and
- * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs.
- */
- ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc);
-
rem_len = msdu_len - buf_first_len;
while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) {
rxcb = ATH11K_SKB_RXCB(skb);
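Review bot: With the call removed from below the error check, ath11k_dp_rx_desc_end_tlv_copy() now runs even when the function exits through the return -ENOMEM shown at the top of this hunk, assuming that return closes the pskb_expand_head() failure branch (the lines in between are not part of the diff). Please confirm that the caller drops first on that error, so the already modified descriptor is never consumed, and mention the behaviour change in the commit message.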
--
1.9.1
_______________________________________________
ath11k mailing list
ath11k@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/ath11k
* Re: [PATCH] ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API
2019-10-30 7:46 [PATCH] ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API Karthikeyan Periyasamy
@ 2019-11-07 9:38 ` Kalle Valo
From: Kalle Valo @ 2019-11-07 9:38 UTC
To: Karthikeyan Periyasamy; +Cc: ath11k
Karthikeyan Periyasamy <periyasa@codeaurora.org> wrote:
> Accessing the already stored first msdu data after the skb expand triggers
> a use_after_free, since the first msdu got deleted. So do the descriptor copy
> operation before the skb expand operation.
>
> Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Patch applied to ath11k-post-bringup branch of ath.git, thanks.
88b53b57ad55 ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API
--
https://patchwork.kernel.org/patch/11219131/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches