[PATCH v3 15/18] baseband/la12xx: prevent use after free

Hemant Agrawal hemant.agrawal at oss.nxp.com
Mon Sep 30 10:25:18 CEST 2024


On 29-09-2024 21:04, Stephen Hemminger wrote:
> It is possible that the info pointer (hp) could get freed twice.
> Fix by nulling after free.
>
> In function 'setup_la12xx_dev',
> inlined from 'la12xx_bbdev_create' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1029:8,
> inlined from 'la12xx_bbdev_probe' at ../drivers/baseband/la12xx/bbdev_la12xx.c:1075:9:
> ../drivers/baseband/la12xx/bbdev_la12xx.c:901:9: error: pointer 'hp_info' may be used after 'rte_free' [-Werror=use-after-free]
> 901 |         rte_free(hp);
> |         ^~~~~~~~~~~~
> ../drivers/baseband/la12xx/bbdev_la12xx.c:791:17: note: call to 'rte_free' here
> 791 |                 rte_free(hp);
> |                 ^~~~~~~~~~~~
>
> Fixes: 24d0ba22546e ("baseband/la12xx: add queue and modem config")
> Cc: hemant.agrawal at nxp.com
> Cc: stable at dpdk.org
> Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
> ---
>   drivers/baseband/la12xx/bbdev_la12xx.c | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/drivers/baseband/la12xx/bbdev_la12xx.c b/drivers/baseband/la12xx/bbdev_la12xx.c
> index 1a56e73abd..cad6f9490e 100644
> --- a/drivers/baseband/la12xx/bbdev_la12xx.c
> +++ b/drivers/baseband/la12xx/bbdev_la12xx.c
> @@ -789,6 +789,7 @@ setup_la12xx_dev(struct rte_bbdev *dev)
>   		ipc_priv->hugepg_start.size = hp->len;
>   
>   		rte_free(hp);
> +		hp = NULL;
>   	}
>   
>   	dev_ipc = open_ipc_dev(priv->modem_id);
Reviewed-by:  Hemant Agrawal <hemant.agrawal at nxp.com>


More information about the dev mailing list