Skip to content

Commit d869cbd

Browse files
author
CKI Backport Bot
committed
wifi: ath12k: fix invalid access to memory
JIRA: https://issues.redhat.com/browse/RHEL-103222 CVE: CVE-2025-38292 commit 9f17747 Author: Sarika Sharma <quic_sarishar@quicinc.com> Date: Tue Apr 8 10:23:27 2025 +0530 wifi: ath12k: fix invalid access to memory In ath12k_dp_rx_msdu_coalesce(), rxcb is fetched from skb and boolean is_continuation is part of rxcb. Currently, after freeing the skb, the rxcb->is_continuation accessed again which is wrong since the memory is already freed. This might lead use-after-free error. Hence, fix by locally defining bool is_continuation from rxcb, so that after freeing skb, is_continuation can be used. Compile tested only. Fixes: d889913 ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices") Signed-off-by: Sarika Sharma <quic_sarishar@quicinc.com> Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com> Link: https://patch.msgid.link/20250408045327.1632222-1-quic_sarishar@quicinc.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
1 parent c9f71b9 commit d869cbd

File tree

1 file changed

+4
-2
lines changed
  • drivers/net/wireless/ath/ath12k

1 file changed

+4
-2
lines changed

drivers/net/wireless/ath/ath12k/dp_rx.c

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1823,6 +1823,7 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar,
18231823
struct hal_rx_desc *ldesc;
18241824
int space_extra, rem_len, buf_len;
18251825
u32 hal_rx_desc_sz = ar->ab->hal.hal_desc_sz;
1826+
bool is_continuation;
18261827

18271828
/* As the msdu is spread across multiple rx buffers,
18281829
* find the offset to the start of msdu for computing
@@ -1871,7 +1872,8 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar,
18711872
rem_len = msdu_len - buf_first_len;
18721873
while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) {
18731874
rxcb = ATH12K_SKB_RXCB(skb);
1874-
if (rxcb->is_continuation)
1875+
is_continuation = rxcb->is_continuation;
1876+
if (is_continuation)
18751877
buf_len = DP_RX_BUFFER_SIZE - hal_rx_desc_sz;
18761878
else
18771879
buf_len = rem_len;
@@ -1889,7 +1891,7 @@ static int ath12k_dp_rx_msdu_coalesce(struct ath12k *ar,
18891891
dev_kfree_skb_any(skb);
18901892

18911893
rem_len -= buf_len;
1892-
if (!rxcb->is_continuation)
1894+
if (!is_continuation)
18931895
break;
18941896
}
18951897

0 commit comments

Comments
 (0)