net: qualcomm: rmnet: Fix list handling of the page pool
Whenever the page list is updated from userspace, the previous
list elements are freed but are not deleted from the list.
This results in a use after free-
16963.086348: <6> list_add corruption. prev->next should be next
(fffffff3497a1b90), but was 6b6b6b6b6b6b6b6b.
(prev=fffffff29a170800).
16963.192049: <2> pc : __list_add_valid+0x84/0x88
16963.196351: <2> lr : __list_add_valid+0x84/0x88
16963.721175: <2> Call trace:
16963.723712: <2> __list_add_valid+0x84/0x88
16963.727663: <2> rmnet_map_update_ul_agg_config+0x16c/0x1d0
16963.733031: <2> rmnet_changelink+0x17c/0x190
16963.737154: <2> rtnl_newlink+0x3dc/0x798
16963.740933: <2> rtnetlink_rcv_msg+0x350/0x5d0
16963.745155: <2> netlink_rcv_skb+0xac/0x128
16963.749108: <2> rtnetlink_rcv+0x24/0x30
16963.752788: <2> netlink_unicast+0x1c0/0x268
16963.756822: <2> netlink_sendmsg+0x308/0x368
16963.760855: <2> __sys_sendto+0x120/0x1a0
16963.764628: <2> __arm64_sys_sendto+0x2c/0x40
16963.768761: <2> el0_svc_common+0xac/0x188
16963.772626: <2> el0_svc_handler+0x7c/0x98
16963.776490: <2> el0_svc+0x8/0xc
Fix this by initializing the list after allocation and deleting
the list before freeing the node.
CRs-Fixed: 2525999
Change-Id: I2476cf956168569bf30d13116fedf60049f439f7
Signed-off-by: 
Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Loading
Please register or sign in to comment