
Commit c231c5a4 authored by Alexander Aring, committed by Marcel Holtmann

at86rf230: fix race on error handling



The resource "ctx" can be still used by at86rf230_async_state_change, we
need to free it at the complete handler of the async state change to
avoid a use after free.

Signed-off-by: Alexander Aring <aar@pengutronix.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
parent 07b0188a
+14 −4
@@ -343,16 +343,26 @@ static const struct regmap_config at86rf230_regmap_spi_config = {
};

static void
at86rf230_async_error_recover(void *context)
at86rf230_async_error_recover_complete(void *context)
{
	struct at86rf230_state_change *ctx = context;
	struct at86rf230_local *lp = ctx->lp;

	lp->is_tx = 0;
	at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON, NULL);
	ieee802154_wake_queue(lp->hw);
	if (ctx->free)
		kfree(ctx);

	ieee802154_wake_queue(lp->hw);
}

static void
at86rf230_async_error_recover(void *context)
{
	struct at86rf230_state_change *ctx = context;
	struct at86rf230_local *lp = ctx->lp;

	lp->is_tx = 0;
	at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON,
				     at86rf230_async_error_recover_complete);
}

static inline void
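Review bot: In the new at86rf230_async_error_recover, both kfree(ctx) and ieee802154_wake_queue(lp->hw) are now reachable only through at86rf230_async_error_recover_complete, so any path in at86rf230_async_state_change that returns without invoking the completion callback would leak ctx (when ctx->free is set) and leave the transmit queue stopped. That function's body is not part of this hunk, so please confirm that it calls the callback on every path, including a failed SPI submission, or handle the failure case here. A short comment above at86rf230_async_error_recover stating that ownership of ctx passes to the completion handler would also make the lifetime rule explicit for later callers. Reading lp from ctx before the kfree in the completion handler is correct, since the later wake_queue call then does not touch freed memory.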