net: stmmac: fix potential double free of dma descriptor resources

reset the dma descriptor related resource's pointer to NULL,otherwise a potential double free problem may be triggered: stmmac_open alloc_dma_desc_resources init_dma_desc_rings stmmac_hw_setup (Failed) goto init_error; free_dma_desc_resources(priv); (DMA related resource pointer not reset to NULL) ... stmmac_open alloc_dma_desc_resources alloc_dma_tx_desc_resources (Failed) free_dma_tx_desc_resources (Double free of tx_q->tx_skbuff_dma tx_q->tx_skbuff) Signed-off-by: Hongchen Zhang <[email protected]> Signed-off-by: Yanteng Si <[email protected]>
deepin-community · May 31, 2024 · c5c5681 · c5c5681
1 parent ef0556e
commit c5c5681
Showing 1 changed file with 11 additions and 0 deletions.
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
@@ -1926,13 +1926,18 @@ static void __free_dma_rx_desc_resources(struct stmmac_priv *priv,
 		dma_free_coherent(priv->device, dma_conf->dma_rx_size *
 				  sizeof(struct dma_extended_desc),
 				  rx_q->dma_erx, rx_q->dma_rx_phy);
+	rx_q->dma_rx = NULL;
+	rx_q->dma_erx = NULL;
 
 	if (xdp_rxq_info_is_reg(&rx_q->xdp_rxq))
 		xdp_rxq_info_unreg(&rx_q->xdp_rxq);
 
 	kfree(rx_q->buf_pool);
+	rx_q->buf_pool = NULL;
+
 	if (rx_q->page_pool)
 		page_pool_destroy(rx_q->page_pool);
+	rx_q->page_pool = NULL;
 }
 
 static void free_dma_rx_desc_resources(struct stmmac_priv *priv,
@@ -1978,8 +1983,14 @@ static void __free_dma_tx_desc_resources(struct stmmac_priv *priv,
 
 	dma_free_coherent(priv->device, size, addr, tx_q->dma_tx_phy);
 
+	tx_q->dma_etx = NULL;
+	tx_q->dma_entx = NULL;
+	tx_q->dma_tx = NULL;
+
 	kfree(tx_q->tx_skbuff_dma);
+	tx_q->tx_skbuff_dma = NULL;
 	kfree(tx_q->tx_skbuff);
+	tx_q->tx_skbuff = NULL;
 }
 
 static void free_dma_tx_desc_resources(struct stmmac_priv *priv,