[PATCH] wifi: ath11k: Fix double free issue during SRNG deinit

[Jeff Johnson]

On 8/25/2024 10:33 PM, Balaji Pothunoori wrote:
> From: Manikanta Pubbisetty <quic_mpubbise at quicinc.com>
> 
> Currently struct ath11k_hal::srng_config pointer is not assigned
> to NULL after freeing the memory in ath11k_hal_srng_deinit().
> This could lead to double free issue in a scenario where
> ath11k_hal_srng_deinit() is invoked back to back.
> 
> In the current code, although the chances are very low, the above
> said scenario could happen when hardware recovery has failed and
> then there is another FW assert where ath11k_hal_srng_deinit() is
> invoked once again as part of recovery.
> 
> Fix this by assigning the struct ath11k_hal::srng_config pointer
> to NULL after freeing the memory.
> 
> Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.16
> Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
> Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
> 
> Signed-off-by: Manikanta Pubbisetty <quic_mpubbise at quicinc.com>
> Signed-off-by: Balaji Pothunoori <quic_bpothuno at quicinc.com>
> ---
> Resending the original patch as standalone patch:
> https://patchwork.kernel.org/project/linux-wireless/patch/20230417054145.12359-2-quic_mpubbise@quicinc.com/
> 
>  drivers/net/wireless/ath/ath11k/hal.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/net/wireless/ath/ath11k/hal.c b/drivers/net/wireless/ath/ath11k/hal.c
> index f02599bd1c36..61f4b6dd5380 100644
> --- a/drivers/net/wireless/ath/ath11k/hal.c
> +++ b/drivers/net/wireless/ath/ath11k/hal.c
> @@ -1351,6 +1351,7 @@ void ath11k_hal_srng_deinit(struct ath11k_base *ab)
>  	ath11k_hal_free_cont_rdp(ab);
>  	ath11k_hal_free_cont_wrp(ab);
>  	kfree(hal->srng_config);
> +	hal->srng_config = NULL;
>  }
>  EXPORT_SYMBOL(ath11k_hal_srng_deinit);
>  
Acked-by: Jeff Johnson <quic_jjohnson at quicinc.com>