| Message ID | 20210402182627.4256-1-lyl2019@mail.ustc.edu.cn |
|---|---|
| State | New |
| Headers | show |
| Series | wireless: marvell: mwl8k: Fix a double Free in mwl8k_probe_hw | expand |
Dear maintainers,
I'm sorry to disturb you, but this patch has not been reviewed for more than a week.
Could you please help to review this patch? It will not take you a lot time.
Sincerely.
> -----原始邮件-----
> 发件人: "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> 发送时间: 2021-04-03 02:26:27 (星期六)
> 收件人: buytenh@wantstofly.org, kvalo@codeaurora.org, davem@davemloft.net, kuba@kernel.org, gustavoars@kernel.org
> 抄送: linux-wireless@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> 主题: [PATCH] wireless: marvell: mwl8k: Fix a double Free in mwl8k_probe_hw
>
> In mwl8k_probe_hw, hw->priv->txq is freed at the first time by
> dma_free_coherent() in the call chain:
> if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i).
>
> Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed
> at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent().
>
> My patch set txq->txd to NULL after the first free to avoid the
> double free.
>
> Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> ---
> drivers/net/wireless/marvell/mwl8k.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c
> index c9f8c056aa51..84b32a5f01ee 100644
> --- a/drivers/net/wireless/marvell/mwl8k.c
> +++ b/drivers/net/wireless/marvell/mwl8k.c
> @@ -1473,6 +1473,7 @@ static int mwl8k_txq_init(struct ieee80211_hw *hw, int index)
> if (txq->skb == NULL) {
> dma_free_coherent(&priv->pdev->dev, size, txq->txd,
> txq->txd_dma);
> + txq->txd = NULL;
> return -ENOMEM;
> }
>
> --
> 2.25.1
>
Lv Yunlong <lyl2019@mail.ustc.edu.cn> wrote: > In mwl8k_probe_hw, hw->priv->txq is freed at the first time by > dma_free_coherent() in the call chain: > if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i). > > Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed > at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent(). > > My patch set txq->txd to NULL after the first free to avoid the > double free. > > Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver") > Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> Patch applied to wireless-drivers-next.git, thanks. a8e083ee8e2a mwl8k: Fix a double Free in mwl8k_probe_hw -- https://patchwork.kernel.org/project/linux-wireless/patch/20210402182627.4256-1-lyl2019@mail.ustc.edu.cn/ https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
diff --git a/drivers/net/wireless/marvell/mwl8k.c b/drivers/net/wireless/marvell/mwl8k.c index c9f8c056aa51..84b32a5f01ee 100644 --- a/drivers/net/wireless/marvell/mwl8k.c +++ b/drivers/net/wireless/marvell/mwl8k.c @@ -1473,6 +1473,7 @@ static int mwl8k_txq_init(struct ieee80211_hw *hw, int index) if (txq->skb == NULL) { dma_free_coherent(&priv->pdev->dev, size, txq->txd, txq->txd_dma); + txq->txd = NULL; return -ENOMEM; }
In mwl8k_probe_hw, hw->priv->txq is freed at the first time by dma_free_coherent() in the call chain: if(!priv->ap_fw)->mwl8k_init_txqs(hw)->mwl8k_txq_init(hw, i). Then in err_free_queues of mwl8k_probe_hw, hw->priv->txq is freed at the second time by mwl8k_txq_deinit(hw, i)->dma_free_coherent(). My patch set txq->txd to NULL after the first free to avoid the double free. Fixes: a66098daacee2 ("mwl8k: Marvell TOPDOG wireless driver") Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn> --- drivers/net/wireless/marvell/mwl8k.c | 1 + 1 file changed, 1 insertion(+)