Re: [PATCH net] net: wwan: iosm: fix potential memory leaks in ipc_imem_init()

From: Abdun Nihaal

Date: Tue May 19 2026 - 02:26:53 EST


On Sun, May 10, 2026 at 10:04:51AM -0700, Jakub Kicinski wrote:
> > diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem.c b/drivers/net/wwan/iosm/iosm_ipc_imem.c
> > index 1b7bc7d63a2e8..f4edb277efd92 100644
> > --- a/drivers/net/wwan/iosm/iosm_ipc_imem.c
> > +++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c
> > @@ -1422,6 +1422,7 @@ struct iosm_imem *ipc_imem_init(struct iosm_pcie *pcie, unsigned int device_id,
> > hrtimer_cancel(&ipc_imem->fast_update_timer);
> > hrtimer_cancel(&ipc_imem->tdupdate_timer);
> > hrtimer_cancel(&ipc_imem->startup_timer);
> > + ipc_protocol_deinit(ipc_imem->ipc_protocol);
> > protocol_init_fail:
> > cancel_work_sync(&ipc_imem->run_state_worker);
> > ipc_task_deinit(ipc_imem->ipc_task);
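Review bot: the new ipc_protocol_deinit() call on the `+` line runs before `cancel_work_sync(&ipc_imem->run_state_worker)` and `ipc_task_deinit(ipc_imem->ipc_task)`, so the run_state worker and any tasklet still queued on ipc_task remain live while ipc_protocol is being freed; if either touches ipc_imem->ipc_protocol in that window, the leak fix becomes a use-after-free. Suggest moving the teardown after ipc_task_deinit() while keeping it off the protocol_init_fail path, for example by giving the post-protocol-init failures their own label that falls through to the worker/task teardown and only then calls ipc_protocol_deinit(), or by recording whether protocol init succeeded and calling ipc_protocol_deinit() conditionally after ipc_task_deinit(). The three hrtimer_cancel() calls above the added line can stay where they are.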

> Calling ipc_protocol_deinit() here frees the ipc_protocol structure.
> Since ipc_task_deinit() has not yet been called to flush the queue and
> kill the tasklet, any pending tasklet may still execute.
>
> Would it be safer to place the ipc_protocol_deinit() call after the
> tasklet and worker are fully destroyed?

Thanks for reviewing the patch. I agree that this change may introduce a
use-after-free since we are freeing the ipc_protocol while tasklets and
workers are running concurrently. I'll fix it and send a v2 patch.

The same UAF bug seems to exist in the ipc_imem_cleanup() function.
Will send a patch for that as well.

Regards,
Nihaal