From 5094204ff5ae7e32ec56632cf0dd7208df621a9f Mon Sep 17 00:00:00 2001 From: Manikanta Pubbisetty Date: Mon, 26 Aug 2024 11:03:26 +0530 Subject: [PATCH] wifi: ath11k: Fix double free issue during SRNG deinit Currently struct ath11k_hal::srng_config pointer is not assigned to NULL after freeing the memory in ath11k_hal_srng_deinit(). This could lead to double free issue in a scenario where ath11k_hal_srng_deinit() is invoked back to back. In the current code, although the chances are very low, the above said scenario could happen when hardware recovery has failed and then there is another FW assert where ath11k_hal_srng_deinit() is invoked once again as part of recovery. Fix this by assigning the struct ath11k_hal::srng_config pointer to NULL after freeing the memory. Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1 Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.16 Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1 Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 Signed-off-by: Manikanta Pubbisetty Signed-off-by: Balaji Pothunoori Acked-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://patch.msgid.link/20240826053326.8878-1-quic_bpothuno@quicinc.com --- drivers/net/wireless/ath/ath11k/hal.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c index f02599bd1c36b..61f4b6dd53807 100644 --- a/drivers/net/wireless/ath/ath11k/hal.c +++ b/drivers/net/wireless/ath/ath11k/hal.c @@ -1351,6 +1351,7 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab) ath11k_hal_free_cont_rdp(ab); ath11k_hal_free_cont_wrp(ab); kfree(hal->srng_config); + hal->srng_config = NULL; } EXPORT_SYMBOL(ath11k_hal_srng_deinit); -- 2.47.3
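Review bot: In ath11k_hal_srng_deinit(), the added `hal->srng_config = NULL;` makes only the `kfree(hal->srng_config)` call safe to repeat. The two calls directly above it, `ath11k_hal_free_cont_rdp(ab)` and `ath11k_hal_free_cont_wrp(ab)`, also run again in the back-to-back deinit scenario the commit message describes, and the hunk does not show whether those helpers clear their own pointers after freeing. Please confirm that both are safe on a second invocation, or reset their state in the same way, so that the whole function is idempotent rather than just its last free. Separately, the commit message carries no Fixes: tag; since this is a double free on a recovery path, naming the commit that introduced the unguarded kfree() would help stable backports.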