ath11k: avoid use_after_free in ath11k_dp_rx_msdu_coalesce API

Accessing already stored first msdu data after the skb expand trigger
use_after_free, since first msdu got deleted. so do the descriptor copy
operation before the skb expand operation.

Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 67efa24..f87bd32 100644 (file)
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -1376,6 +1376,11 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
        skb_put(first, DP_RX_BUFFER_SIZE);
        skb_pull(first, buf_first_hdr_len);
 
+       /* When an MSDU spread over multiple buffers attention, MSDU_END and
+        * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs.
+        */
+       ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc);
+
        space_extra = msdu_len - (buf_first_len + skb_tailroom(first));
        if (space_extra > 0 &&
            (pskb_expand_head(first, 0, space_extra, GFP_ATOMIC) < 0)) {
@@ -1391,11 +1396,6 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar,
                return -ENOMEM;
        }
 
-       /* When an MSDU spread over multiple buffers attention, MSDU_END and
-        * MPDU_END tlvs are valid only in the last buffer. Copy those tlvs.
-        */
-       ath11k_dp_rx_desc_end_tlv_copy(rxcb->rx_desc, ldesc);
-
        rem_len = msdu_len - buf_first_len;
        while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) {
                rxcb = ATH11K_SKB_RXCB(skb);