From: Sasha Levin <sashal@kernel.org> To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Wen Gong <quic_wgong@quicinc.com>, Kalle Valo <quic_kvalo@quicinc.com>, Sasha Levin <sashal@kernel.org>, kvalo@kernel.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, ath10k@lists.infradead.org, linux-wireless@vger.kernel.org, netdev@vger.kernel.org Subject: [PATCH AUTOSEL 5.15 35/46] wifi: ath10k: reset pointer after memory free to avoid potential use-after-free Date: Sun, 9 Oct 2022 18:19:00 -0400 [thread overview] Message-ID: <20221009221912.1217372-35-sashal@kernel.org> (raw) In-Reply-To: <20221009221912.1217372-1-sashal@kernel.org> From: Wen Gong <quic_wgong@quicinc.com> [ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ] When running suspend test, kernel crash happened in ath10k, and it is fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend for driver state RESTARTING"). Currently the crash is fixed, but as a common code style, it is better to set the pointer to NULL after memory is free. This is to address the code style and it will avoid potential bug of use-after-free. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Signed-off-by: Wen Gong <quic_wgong@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20220505092248.787-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin <sashal@kernel.org> --- drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index adbaeb67eedf..9458540b7dde 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c 
@@ -297,12 +297,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt) ath10k_htt_get_vaddr_ring(htt), htt->rx_ring.base_paddr); + ath10k_htt_config_paddrs_ring(htt, NULL); + dma_free_coherent(htt->ar->dev, sizeof(*htt->rx_ring.alloc_idx.vaddr), htt->rx_ring.alloc_idx.vaddr, htt->rx_ring.alloc_idx.paddr); + htt->rx_ring.alloc_idx.vaddr = NULL; kfree(htt->rx_ring.netbufs_ring); + htt->rx_ring.netbufs_ring = NULL; } static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt) @@ -823,8 +827,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt) ath10k_htt_get_rx_ring_size(htt), vaddr_ring, htt->rx_ring.base_paddr); + ath10k_htt_config_paddrs_ring(htt, NULL); err_dma_ring: kfree(htt->rx_ring.netbufs_ring); + htt->rx_ring.netbufs_ring = NULL; err_netbuf: return -ENOMEM; } -- 2.35.1 _______________________________________________ ath10k mailing list ath10k@lists.infradead.org http://lists.infradead.org/mailman/listinfo/ath10k
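Review bot: In the ath10k_htt_rx_free() hunk only the CPU-side pointers are reset; htt->rx_ring.base_paddr and htt->rx_ring.alloc_idx.paddr still hold the DMA addresses that were just passed to dma_free_coherent(). If the intent is that no stale reference survives the free, zero those two fields next to the new "htt->rx_ring.alloc_idx.vaddr = NULL;" line as well. The commit message presents the change as style rather than the crash fix, so it is also worth confirming that any rx path that can run after this function tests these pointers before use; without such a check the reset turns a potential use-after-free into a NULL dereference rather than removing the access.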
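Review bot: In the ath10k_htt_rx_alloc() error path the ring is freed through the local vaddr_ring and then cleared with ath10k_htt_config_paddrs_ring(htt, NULL), whose name does not make it obvious that it resets the same pointer the free path obtains via ath10k_htt_get_vaddr_ring(htt). A one-line comment above the call, here and in ath10k_htt_rx_free(), saying that it clears the stored ring pointer would help. The placement above the err_dma_ring label looks right, since it then runs only when the unwind falls through from the ring free, while "htt->rx_ring.netbufs_ring = NULL;" covers both entries into err_dma_ring.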