From patchwork Thu Sep 20 05:04:26 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Govind Singh <govinds@codeaurora.org>
X-Patchwork-Id: 10606861
X-Patchwork-Delegate: kvalo@adurom.com
Return-Path: <linux-wireless-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 751A86CB
	for <patchwork-linux-wireless@patchwork.kernel.org>;
 Thu, 20 Sep 2018 05:04:39 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 649EA2B9D0
	for <patchwork-linux-wireless@patchwork.kernel.org>;
 Thu, 20 Sep 2018 05:04:39 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 575752BAD5; Thu, 20 Sep 2018 05:04:39 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	MAILING_LIST_MULTI,RCVD_IN_DNSWL_HI,T_DKIM_INVALID autolearn=ham
 version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 0D7072B9D0
	for <patchwork-linux-wireless@patchwork.kernel.org>;
 Thu, 20 Sep 2018 05:04:39 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730965AbeITKqI (ORCPT
        <rfc822;patchwork-linux-wireless@patchwork.kernel.org>);
        Thu, 20 Sep 2018 06:46:08 -0400
Received: from smtp.codeaurora.org ([198.145.29.96]:43910 "EHLO
        smtp.codeaurora.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726982AbeITKqI (ORCPT
        <rfc822;linux-wireless@vger.kernel.org>);
        Thu, 20 Sep 2018 06:46:08 -0400
Received: by smtp.codeaurora.org (Postfix, from userid 1000)
        id 5D66760B7F; Thu, 20 Sep 2018 05:04:37 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
        s=default; t=1537419877;
        bh=GcidKvFMpTnl001YYjxOHhjYO3wM04hHe0pDftwrzMg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=bwe8eBIu8qJdy+bpfXTLbn4U7TMsyK61+BF3qbdtUqtHqkJZ5RjHqtUkgje/iO5a5
         zkM8c0vJpqOg6bRP2a8Mc8SKu9qZWbo0N1VD1q5ROzqWO5SqfMe0aNPczldurP/I89
         Wx6ztF3ozPkWeciavK/AWKDptS0M0A6EVmZOGJA4=
Received: from govinds-linux.qualcomm.com
 (blr-c-bdr-fw-01_globalnat_allzones-outside.qualcomm.com [103.229.19.19])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits))
        (No client certificate requested)
        (Authenticated sender: govinds@smtp.codeaurora.org)
        by smtp.codeaurora.org (Postfix) with ESMTPSA id A8201607F7;
        Thu, 20 Sep 2018 05:04:35 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=codeaurora.org;
        s=default; t=1537419877;
        bh=GcidKvFMpTnl001YYjxOHhjYO3wM04hHe0pDftwrzMg=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=bwe8eBIu8qJdy+bpfXTLbn4U7TMsyK61+BF3qbdtUqtHqkJZ5RjHqtUkgje/iO5a5
         zkM8c0vJpqOg6bRP2a8Mc8SKu9qZWbo0N1VD1q5ROzqWO5SqfMe0aNPczldurP/I89
         Wx6ztF3ozPkWeciavK/AWKDptS0M0A6EVmZOGJA4=
DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org A8201607F7
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
 dmarc=none (p=none dis=none) header.from=codeaurora.org
Authentication-Results: pdx-caf-mail.web.codeaurora.org;
 spf=none smtp.mailfrom=govinds@codeaurora.org
From: Govind Singh <govinds@codeaurora.org>
To: ath10k@lists.infradead.org
Cc: linux-wireless@vger.kernel.org,
        Govind Singh <govinds@codeaurora.org>
Subject: [PATCH 2/2] ath10k: Disable napi before resource cleanup to avoid
 "use after free"
Date: Thu, 20 Sep 2018 10:34:26 +0530
Message-Id: <20180920050426.4113-2-govinds@codeaurora.org>
X-Mailer: git-send-email 2.19.0
In-Reply-To: <20180920050426.4113-1-govinds@codeaurora.org>
References: <20180920050426.4113-1-govinds@codeaurora.org>
MIME-Version: 1.0
Sender: linux-wireless-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-wireless.vger.kernel.org>
X-Mailing-List: linux-wireless@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

CE buffers are cleaned up prior to napi disable and this is causing
NULL pointer dereference due to "use after free".

Disable napi before resource cleanup to avoid "use after free".

Signed-off-by: Govind Singh <govinds@codeaurora.org>
---
 drivers/net/wireless/ath/ath10k/snoc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c
index dd043b858c8e..6da951eea345 100644
--- a/drivers/net/wireless/ath/ath10k/snoc.c
+++ b/drivers/net/wireless/ath/ath10k/snoc.c
@@ -911,9 +911,9 @@ static void ath10k_snoc_buffer_cleanup(struct ath10k *ar)
 static void ath10k_snoc_hif_stop(struct ath10k *ar)
 {
 	ath10k_snoc_irq_disable(ar);
-	ath10k_snoc_buffer_cleanup(ar);
 	napi_synchronize(&ar->napi);
 	napi_disable(&ar->napi);
+	ath10k_snoc_buffer_cleanup(ar);
 	ath10k_dbg(ar, ATH10K_DBG_BOOT, "boot hif stop\n");
 }