[PATCH] ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait

Carl Huang cjhuang at qti.qualcomm.com
Sun Feb 11 03:03:48 PST 2018



> -----Original Message-----
> From: ath10k [mailto:ath10k-bounces at lists.infradead.org] On Behalf Of Felix
> Fietkau
> Sent: Sunday, February 11, 2018 5:59 PM
> To: Carl Huang <cjhuang at codeaurora.org>; ath10k at lists.infradead.org
> Cc: linux-wireless at vger.kernel.org
> Subject: Re: [PATCH] ath10k: fix use-after-free in
> ath10k_wmi_cmd_send_nowait
> 
> On 2018-02-11 03:56, Carl Huang wrote:
> > The skb may be freed in tx completion context before
> > trace_ath10k_wmi_cmd is called. This can be easily captured when
> > KASAN (Kernel Address Sanitizer) is enabled. The fix is to add a
> > reference count to the skb and release it after trace_ath10k_wmi_cmd
> > is called.
> >
> > Signed-off-by: Carl Huang <cjhuang at codeaurora.org>
> I think it makes more sense to simply call the trace function before
> ath10k_htc_send. Also, for a trivial change like this it probably does not make
> sense to add a Copyright line either.
> 
Agreed that moving the trace function before ath10k_htc_send is simpler, but then the parameter ret
has no meaning and we can't trace the return value of ath10k_htc_send. Besides that, skb->data and skb->len
have different values if the trace function is put before ath10k_htc_send, and this may be fine since the main
purpose is to trace the WMI information and not the HTC header information.

For the Copyright line, we need Kalle Valo to comment.

> 
> _______________________________________________
> ath10k mailing list
> ath10k at lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/ath10k
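
The two orderings discussed in this thread, as an added userspace model (not code from the patch or from ath10k). The struct, the helper names and the 8-byte header size are assumptions; the buffer is only marked freed, never released, so the stale read shows up as `valid == 0` instead of undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

#define HTC_HDR_LEN 8 /* assumed header size, for this model only */

/* Constructed stand-in for an skb. Never really freed, so "freed" state is safe to inspect. */
struct model_skb { int refs; int live; size_t len; };
struct trace_rec { int valid; size_t len; int ret; };
static void model_put(struct model_skb *s) {
    if (--s->refs == 0) { s->live = 0; s->len = 0; } /* last reference dropped */
}
/* Stand-in for ath10k_htc_send: prepends a header, then TX completion drops a ref. */
static int model_send(struct model_skb *s) {
    s->len += HTC_HDR_LEN;
    model_put(s); /* completion can run before the caller resumes */
    return 0;
}
/* Stand-in for trace_ath10k_wmi_cmd; valid == 0 marks a read of a freed buffer. */
static struct trace_rec model_trace(const struct model_skb *s, int ret) {
    struct trace_rec r = { s->live, s->len, ret };
    return r;
}
/* Original order: send, then trace. */
struct trace_rec send_then_trace(size_t wmi_len) {
    struct model_skb s = { 1, 1, wmi_len };
    int ret = model_send(&s);
    return model_trace(&s, ret);
}
/* Posted patch: hold an extra reference across the send. */
struct trace_rec hold_ref_then_trace(size_t wmi_len) {
    struct model_skb s = { 2, 1, wmi_len }; /* refs = 2: caller's extra reference */
    int ret = model_send(&s);
    struct trace_rec r = model_trace(&s, ret);
    model_put(&s); /* release after tracing */
    return r;
}
/* Reviewer's suggestion: trace first; ret is unknown, -1 is a placeholder. */
struct trace_rec trace_then_send(size_t wmi_len) {
    struct model_skb s = { 1, 1, wmi_len };
    struct trace_rec r = model_trace(&s, -1);
    model_send(&s);
    return r;
}
int main(void) {
    struct trace_rec a = send_then_trace(32), b = hold_ref_then_trace(32), c = trace_then_send(32);
    printf("valid=%d/%d/%d len=%zu/%zu/%zu ret=%d/%d/%d\n",
           a.valid, b.valid, c.valid, a.len, b.len, c.len, a.ret, b.ret, c.ret);
    return 0;
}
```

The held reference records the real return value and the length including the header; tracing first records the WMI-only length and has no return value to report.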


