Patch "wifi: ath10k: reset pointer after memory free to avoid potential use-after-free" has been added to the 6.0-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 16 Oct 2022 22:35:15 -0400

This is a note to let you know that I've just added the patch titled

    wifi: ath10k: reset pointer after memory free to avoid potential use-after-free

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     wifi-ath10k-reset-pointer-after-memory-free-to-avoid.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3c40c49b26b3d3270cda809d326aa0b2a82eef63
Author: Wen Gong <quic_wgong@xxxxxxxxxxx>
Date:   Tue Sep 20 18:23:54 2022 +0300

    wifi: ath10k: reset pointer after memory free to avoid potential use-after-free
    
    [ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ]
    
    When running suspend test, kernel crash happened in ath10k, and it is
    fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend
    for driver state RESTARTING").
    
    Currently the crash is fixed, but as a common code style, it is better
    to set the pointer to NULL after memory is free.
    
    This is to address the code style and it will avoid potential bug of
    use-after-free.
    
    Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
    Signed-off-by: Wen Gong <quic_wgong@xxxxxxxxxxx>
    Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>
    Link: https://lore.kernel.org/r/20220505092248.787-1-quic_wgong@xxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index 8a075a711b71..f84f6c4c2a7a 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -301,12 +301,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt)
 			  ath10k_htt_get_vaddr_ring(htt),
 			  htt->rx_ring.base_paddr);
 
+	ath10k_htt_config_paddrs_ring(htt, NULL);
+
 	dma_free_coherent(htt->ar->dev,
 			  sizeof(*htt->rx_ring.alloc_idx.vaddr),
 			  htt->rx_ring.alloc_idx.vaddr,
 			  htt->rx_ring.alloc_idx.paddr);
+	htt->rx_ring.alloc_idx.vaddr = NULL;
 
 	kfree(htt->rx_ring.netbufs_ring);
+	htt->rx_ring.netbufs_ring = NULL;
 }
 
 static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
@@ -846,8 +850,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
 			  ath10k_htt_get_rx_ring_size(htt),
 			  vaddr_ring,
 			  htt->rx_ring.base_paddr);
+	ath10k_htt_config_paddrs_ring(htt, NULL);
 err_dma_ring:
 	kfree(htt->rx_ring.netbufs_ring);
+	htt->rx_ring.netbufs_ring = NULL;
 err_netbuf:
 	return -ENOMEM;
 }






