From: Wen Gong
Subject: [PATCH v2] ath10k: reset pointer after memory free to avoid potential use-after-free
Date: Thu, 5 May 2022 05:22:48 -0400
Message-ID: <20220505092248.787-1-quic_wgong@quicinc.com>
X-Mailing-List: linux-wireless@vger.kernel.org

When running a suspend test, a kernel crash happened in ath10k, and it is fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend for driver state RESTARTING").

Currently the crash is fixed, but as a common code style, it is better to set the pointer to NULL after memory is freed.

This is to address the code style and it will avoid a potential use-after-free bug.

Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Signed-off-by: Wen Gong --- v2: 1. change subject "ath10k: reset pointer after memory free to avoid kernel crash by multi-free" to "ath10k: reset pointer after memory free to avoid potential use-after-free" 2. change commit log drivers/net/wireless/ath/ath10k/htt_rx.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c index 771252dd6d4e..f6645c7c55c2 100644 --- a/drivers/net/wireless/ath/ath10k/htt_rx.c +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c @@ -301,12 +301,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt) ath10k_htt_get_vaddr_ring(htt), htt->rx_ring.base_paddr); + ath10k_htt_config_paddrs_ring(htt, NULL); + dma_free_coherent(htt->ar->dev, sizeof(*htt->rx_ring.alloc_idx.vaddr), htt->rx_ring.alloc_idx.vaddr, htt->rx_ring.alloc_idx.paddr); + htt->rx_ring.alloc_idx.vaddr = NULL; kfree(htt->rx_ring.netbufs_ring); + htt->rx_ring.netbufs_ring = NULL; } static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt) @@ -846,8 +850,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt) ath10k_htt_get_rx_ring_size(htt), vaddr_ring, htt->rx_ring.base_paddr); + ath10k_htt_config_paddrs_ring(htt, NULL); err_dma_ring: kfree(htt->rx_ring.netbufs_ring); + htt->rx_ring.netbufs_ring = NULL; err_netbuf: return -ENOMEM; } base-commit: 3637b73b8e805d011202e2bf10947f2d206695d4 -- 2.31.1
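Review bot: In the ath10k_htt_rx_free() hunk, the three added NULL assignments only prevent a use-after-free if whatever can run after this function checks the pointers before dereferencing them, and neither the hunk nor the commit log names that reader or says what serializes it against these stores. The stores are plain writes with no lock visible around them, so a concurrent RX path (ath10k_htt_rx_netbuf_pop() follows directly in the file) could still observe the old value. Please state in the commit log which caller can reach the ring after the free and under which lock, or do the frees and the clears under the lock that protects rx_ring. Separately, htt->rx_ring.alloc_idx.paddr and htt->rx_ring.base_paddr keep the freed DMA addresses; if the goal is that no stale handle survives, clear them in the same place.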
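Review bot: In the ath10k_htt_rx_alloc() error path, the dma_free_coherent() just above the added ath10k_htt_config_paddrs_ring(htt, NULL) frees the local vaddr_ring rather than a field read back from htt, so it is worth confirming that the ring address has already been stored in htt by the time this label can be reached. If it has not, the added call clears a field that was never set and can be dropped; if it has, a short comment saying so would help, since the free and the clear currently refer to the buffer through different names. The htt->rx_ring.netbufs_ring = NULL after kfree() under err_dma_ring is fine, but note that htt->rx_ring.base_paddr is still left holding the freed DMA address on this path as well.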