lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20221018095356.GH1264@duo.ucw.cz>
Date:   Tue, 18 Oct 2022 11:53:56 +0200
From:   Pavel Machek <pavel@...x.de>
To:     Sasha Levin <sashal@...nel.org>
Cc:     linux-kernel@...r.kernel.org, stable@...r.kernel.org,
        Wen Gong <quic_wgong@...cinc.com>,
        Kalle Valo <quic_kvalo@...cinc.com>, kvalo@...nel.org,
        davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, ath10k@...ts.infradead.org,
        linux-wireless@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: [PATCH AUTOSEL 4.19 16/25] wifi: ath10k: reset pointer after
 memory free to avoid potential use-after-free

Hi!

> From: Wen Gong <quic_wgong@...cinc.com>
> 
> [ Upstream commit 1e1cb8e0b73e6f39a9d4a7a15d940b1265387eb5 ]
> 
> When running suspend test, kernel crash happened in ath10k, and it is
> fixed by commit b72a4aff947b ("ath10k: skip ath10k_halt during suspend
> for driver state RESTARTING").
> 
> Currently the crash is fixed, but as a common code style, it is better
> to set the pointer to NULL after memory is free.
> 
> This is to address the code style and it will avoid potential bug of
> use-after-free.

We don't have this patch in 4.19:

b72a4aff947b ("ath10k: skip ath10k_halt during suspend for driver state RESTARTING").

We probably should take that one, as this may depend on it. On the
other hand, we don't need this one as it is just a cleanup...

Best regards,
								Pavel
								
> +++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
> @@ -302,12 +302,16 @@ void ath10k_htt_rx_free(struct ath10k_htt *htt)
>  			  ath10k_htt_get_vaddr_ring(htt),
>  			  htt->rx_ring.base_paddr);
>  
> +	ath10k_htt_config_paddrs_ring(htt, NULL);
> +
>  	dma_free_coherent(htt->ar->dev,
>  			  sizeof(*htt->rx_ring.alloc_idx.vaddr),
>  			  htt->rx_ring.alloc_idx.vaddr,
>  			  htt->rx_ring.alloc_idx.paddr);
> +	htt->rx_ring.alloc_idx.vaddr = NULL;
>  
>  	kfree(htt->rx_ring.netbufs_ring);
> +	htt->rx_ring.netbufs_ring = NULL;
>  }
>  
>  static inline struct sk_buff *ath10k_htt_rx_netbuf_pop(struct ath10k_htt *htt)
> @@ -641,8 +645,10 @@ int ath10k_htt_rx_alloc(struct ath10k_htt *htt)
>  			  ath10k_htt_get_rx_ring_size(htt),
>  			  vaddr_ring,
>  			  htt->rx_ring.base_paddr);
> +	ath10k_htt_config_paddrs_ring(htt, NULL);
>  err_dma_ring:
>  	kfree(htt->rx_ring.netbufs_ring);
> +	htt->rx_ring.netbufs_ring = NULL;
>  err_netbuf:
>  	return -ENOMEM;
>  }
> -- 
> 2.35.1

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ