[PATCH v3 15/18] baseband/la12xx: prevent use after free
Hemant Agrawal
hemant.agrawal at oss.nxp.com
Mon Sep 30 10:25:18 CEST 2024
On 29-09-2024 21:04, Stephen Hemminger wrote:
> It is possible that the info pointer (hp) could get freed twice.
> Fix by nulling after free.
>
> In function 'setup_la12xx_dev',
> inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
> inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
> ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
> 901 | rte_free(hp);
> | ^~~~~~~~~~~~
> ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
> 791 | rte_free(hp);
> | ^~~~~~~~~~~~
>
> Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
> Cc: hemant.agrawal at nxp.com
> Cc: stable at dpdk.org
> Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
> ---
> drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
> index 1a56e73abd..cad6f9490e 100644
> --- a/drivers/baseband/la12xx/bbdev_la12xx.c
> +++ b/drivers/baseband/la12xx/bbdev_la12xx.c
> @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
> ipc_priv->hugepg_start.size = hp->len;
>
> rte_free(hp);
> + hp = NULL;
> }
>
> dev_ipc = open_ipc_dev(priv->modem_id);
Reviewed-by: Hemant Agrawal <hemant.agrawal at nxp.com>
More information about the dev
mailing list