On Tue, 01 Oct 2024 14:56:52 +0530, Rameshkumar Sundaram wrote:
> During ath12k module removal, in ath12k_core_deinit(),
> ath12k_mac_destroy() un-registers ah->hw from mac80211 and frees
> the ah->hw as well as all the ar's in it. After this
> ath12k_core_soc_destroy()-> ath12k_dp_free()-> ath12k_dp_cc_cleanup()
> tries to access one of the freed ar's from pending skb.
>
> This is because during mac destroy, driver failed to flush few
> data packets, which were accessed later in ath12k_dp_cc_cleanup()
> and freed, but using ar from the packet led to this use-after-free.
>
> [...]

Applied, thanks!

[1/1] wifi: ath12k: fix use-after-free in ath12k_dp_cc_cleanup()
      commit: bdb281103373fd80eb5c91cede1e115ba270b4e9

Best regards,
--
Jeff Johnson <quic_jjohnson@xxxxxxxxxxx>