[PATCH] wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma

[PATCH] wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma

[Lv Yunlong]

In iwl_txq_dyn_alloc_dma, txq->tfds is freed at first time by:
iwl_txq_alloc()->goto err_free_tfds->dma_free_coherent(). But
it forgot to set txq->tfds to NULL.

Then the txq->tfds is freed again in iwl_txq_dyn_alloc_dma by:
goto error->iwl_txq_gen2_free_memory()->dma_free_coherent().

My patch sets txq->tfds to NULL after the first free to avoid the
double free.

Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common code")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/queue/tx.c b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
index 833f43d1ca7a..99c8e473031a 100644
--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
@@ -1101,6 +1101,7 @@ int iwl_txq_alloc(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num,
 	return 0;
 err_free_tfds:
 	dma_free_coherent(trans->dev, tfd_sz, txq->tfds, txq->dma_addr);
+	txq->tfds = NULL;
 error:
 	if (txq->entries && cmd_queue)
 		for (i = 0; i < slots_num; i++)
-- 
2.25.1

Re: [PATCH] wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma

[lyl2019]

Hi, my dear maintainers.

     I'm very sorry to disturb you, that beacuse this patch has been not reviewed for one weeks.
     Could you help to review this patch? It will not cost you much time.

Sincerely.
  

> -----原始邮件-----
> 发件人: "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> 发送时间: 2021-04-03 13:47:55 (星期六)
> 收件人: luciano.coelho@intel.com, kvalo@codeaurora.org, davem@davemloft.net, kuba@kernel.org, mordechay.goodstein@intel.com, johannes.berg@intel.com, emmanuel.grumbach@intel.com
> 抄送: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> 主题: [PATCH] wireless: iwlwifi: Fix a double free in iwl_txq_dyn_alloc_dma
> 
> In iwl_txq_dyn_alloc_dma, txq->tfds is freed at first time by:
> iwl_txq_alloc()->goto err_free_tfds->dma_free_coherent(). But
> it forgot to set txq->tfds to NULL.
> 
> Then the txq->tfds is freed again in iwl_txq_dyn_alloc_dma by:
> goto error->iwl_txq_gen2_free_memory()->dma_free_coherent().
> 
> My patch sets txq->tfds to NULL after the first free to avoid the
> double free.
> 
> Fixes: 0cd1ad2d7fd41 ("iwlwifi: move all bus-independent TX functions to common code")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> ---
>  drivers/net/wireless/intel/iwlwifi/queue/tx.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/wireless/intel/iwlwifi/queue/tx.c b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
> index 833f43d1ca7a..99c8e473031a 100644
> --- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
> +++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
> @@ -1101,6 +1101,7 @@ int iwl_txq_alloc(struct iwl_trans *trans, struct iwl_txq *txq, int slots_num,
>  	return 0;
>  err_free_tfds:
>  	dma_free_coherent(trans->dev, tfd_sz, txq->tfds, txq->dma_addr);
> +	txq->tfds = NULL;
>  error:
>  	if (txq->entries && cmd_queue)
>  		for (i = 0; i < slots_num; i++)
> -- 
> 2.25.1
>