On 8/25/2024 10:33 PM, Balaji Pothunoori wrote:
> From: Manikanta Pubbisetty <quic_mpubbise@xxxxxxxxxxx>
>
> Currently struct ath11k_hal::srng_config pointer is not assigned
> to NULL after freeing the memory in ath11k_hal_srng_deinit().
> This could lead to a double free issue in a scenario where
> ath11k_hal_srng_deinit() is invoked back to back.
>
> In the current code, although the chances are very low, the above
> said scenario could happen when hardware recovery has failed and
> then there is another FW assert where ath11k_hal_srng_deinit() is
> invoked once again as part of recovery.
>
> Fix this by assigning the struct ath11k_hal::srng_config pointer
> to NULL after freeing the memory.
>
> Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.16
> Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
> Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
>
> Signed-off-by: Manikanta Pubbisetty <quic_mpubbise@xxxxxxxxxxx>
> Signed-off-by: Balaji Pothunoori <quic_bpothuno@xxxxxxxxxxx>
> ---
> Resending the original patch as a standalone patch:
> https://patchwork.kernel.org/project/linux-wireless/patch/20230417054145.12359-2-quic_mpubbise@xxxxxxxxxxx/
>
> drivers/net/wireless/ath/ath11k/hal.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
> index f02599bd1c36..61f4b6dd5380 100644
> --- a/drivers/net/wireless/ath/ath11k/hal.c
> +++ b/drivers/net/wireless/ath/ath11k/hal.c
> @@ -1351,6 +1351,7 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab)
> ath11k_hal_free_cont_rdp(ab);
> ath11k_hal_free_cont_wrp(ab);
> kfree(hal->srng_config);
> + hal->srng_config = NULL;
> }
> EXPORT_SYMBOL(ath11k_hal_srng_deinit);

Acked-by: Jeff Johnson <quic_jjohnson@xxxxxxxxxxx>
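Review bot: the back-to-back invocation the commit message describes reaches ath11k_hal_free_cont_rdp(ab) and ath11k_hal_free_cont_wrp(ab) before it reaches the kfree() in this hunk, so nulling hal->srng_config alone only makes the kfree() idempotent (kfree(NULL) is a no-op) and says nothing about those two calls; please confirm that both helpers also reset the pointers they free, or otherwise guard the whole function with an early return such as `if (!hal->srng_config) return;` at the top of ath11k_hal_srng_deinit(), which makes the "already torn down" intent explicit instead of relying on kfree(NULL) silently succeeding.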