diff mbox series

ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API

Message ID 1572421575-2904-1-git-send-email-periyasa@codeaurora.org (mailing list archive)
State Accepted
Commit 88b53b57ad5572918784d82d7aaba1a42cefe30b
Delegated to: Kalle Valo
Headers show
Series ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API | expand

Commit Message

Karthikeyan periyasamy Oct. 30, 2019, 7:46 a.m. UTC 
Accessing already stored first msdu data after the skb expand trigger
use_after_free, since first msdu got deleted. so do the descriptor copy
operation before the skb expand operation.

Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

Comments

Kalle Valo Nov. 7, 2019, 9:38 a.m. UTC | #1 
Karthikeyan Periyasamy <periyasa@codeaurora.org> wrote:

> Accessing already stored first msdu data after the skb expand trigger
> use_after_free, since first msdu got deleted. so do the descriptor copy
> operation before the skb expand operation.
> 
> Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath11k-post-bringup branch of ath.git, thanks.

88b53b57ad55 ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API
diff mbox series

Patch

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index acad746..475988b 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -1374,6 +1374,11 @@  static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
 	skb_put(first, DP_RX_BUFFER_SIZE);
 	skb_pull(first, buf_first_hdr_len);
 
+	/* When an MSDU spread over multiple buffers attention, MSDU_END and
+	 * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs.
+	 */
+	ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc);
+
 	space_extra = msdu_len - (buf_first_len + skb_tailroom(first));
 	if (space_extra > 0 &&
 	    (pskb_expand_head(first, 0, space_extra, GFP_ATOMIC) < 0)) {
@@ -1389,11 +1394,6 @@  static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
 		return -ENOMEM;
 	}
 
-	/* When an MSDU spread over multiple buffers attention, MSDU_END and
-	 * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs.
-	 */
-	ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc);
-
 	rem_len = msdu_len - buf_first_len;
 	while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) {
 		rxcb = ATH11K_SKB_RXCB(skb);