Commit 9f17747f authored by Sarika Sharma's avatar Sarika Sharma Committed by Jeff Johnson
Browse files

wifi: ath12k: fix invalid access to memory 



In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean
is_continuation is part of rxcb.
Currently, after freeing the skb, the rxcb->is_continuation accessed
again which is wrong since the memory is already freed.
This might lead use-after-free error.

Hence, fix by locally defining bool is_continuation from rxcb,
so that after freeing skb, is_continuation can be used.

Compile tested only.

Fixes: d8899132 ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Signed-off-by: default avatarSarika Sharma <quic_sarishar@quicinc.com>
Reviewed-by: default avatarVasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20250408045327.1632222-1-quic_sarishar@quicinc.com


Signed-off-by: default avatarJeff Johnson <jeff.johnson@oss.qualcomm.com>
parent 4541b0c8

drivers/net/wireless/ath/ath12k/dp_rx.c

+4 −2
Original line number Diff line number Diff line
@@ -1841,6 +1841,7 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar, 
	struct hal_rx_desc *ldesc;

	int space_extra, rem_len, buf_len;

	u32 hal_rx_desc_sz = ar->ab->hal.hal_desc_sz;

	bool is_continuation;



	/* As the msdu is spread across multiple rx buffers,

	 * find the offset to the start of msdu for computing
@@ -1889,7 +1890,8 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar, 
	rem_len = msdu_len - buf_first_len;

	while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) {

		rxcb = ATH12K_SKB_RXCB(skb);

		if (rxcb->is_continuation)

		is_continuation = rxcb->is_continuation;

		if (is_continuation)

			buf_len = DP_RX_BUFFER_SIZE - hal_rx_desc_sz;

		else

			buf_len = rem_len;
@@ -1907,7 +1909,7 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar, 
		dev_kfree_skb_any(skb);



		rem_len -= buf_len;

		if (!rxcb->is_continuation)

		if (!is_continuation)

			break;

	}