him411/openwrt-ipq-breeze303
1
0
Fork 0
mirror of https://github.com/breeze303/openwrt-ipq.git synced 2025-12-16 19:41:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

ath11k_nss: fix invalid access to memory

Browse Source 
In ath11k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and bool
is_continuation is part of rxcb.

Currently, after freeing the skb, the rxcb->is_continuation accessed
again which is wrong since the memory is already freed.

Hence fix the issue by locally defining bool is_continuation from rxcb,
so that after freeing skb also we can use is_continuation.

Signed-off-by: Sean Khan <datapronix@protonmail.com>
This commit is contained in:
Sean Khan 2024-05-05 01:02:03 -04:00
parent a300e2e7c8
commit 59bd0865ce
1 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
package/kernel/mac80211/patches/nss/ath11k/909-wifi-ath11k-fix-invalid-access-to-memory.patch Normal file
View File

@ -0,0 +1,47 @@
From cea94c73e068ce4e015327bf251f782545d8e365 Mon Sep 17 00:00:00 2001
From: Sarika Sharma <quic_sarishar@quicinc.com>
Date: Mon, 29 Jan 2024 16:01:23 +0530
Subject: [PATCH] wifi: ath11k: fix invalid access to memory
In ath11k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and bool
is_continuation is part of rxcb.
Currently, after freeing the skb, the rxcb->is_continuation accessed
again which is wrong since the memory is already freed.
Hence fix the issue by locally defining bool is_continuation from rxcb,
so that after freeing skb also we can use is_continuation.
Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2202,6 +2202,7 @@ static int ath11k_dp_rx_msdu_coalesce(st
struct hal_rx_desc *ldesc;
int space_extra, rem_len, buf_len;
u32 hal_rx_desc_sz = ar->ab->hw_params.hal_desc_sz;
+ bool is_continuation;
/* As the msdu is spread across multiple rx buffers,
* find the offset to the start of msdu for computing
@@ -2250,7 +2251,8 @@ static int ath11k_dp_rx_msdu_coalesce(st
rem_len = msdu_len - buf_first_len;
while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) {
rxcb = ATH11K_SKB_RXCB(skb);
- if (rxcb->is_continuation)
+ is_continuation = rxcb->is_continuation;
+ if (is_continuation)
buf_len = DP_RX_BUFFER_SIZE - hal_rx_desc_sz;
else
buf_len = rem_len;
@@ -2268,7 +2270,7 @@ static int ath11k_dp_rx_msdu_coalesce(st
dev_kfree_skb_any(skb);
rem_len -= buf_len;
- if (!rxcb->is_continuation)
+ if (!is_continuation)
break;
}