From: Abdun Nihaal
To: loic.poulain@oss.qualcomm.com
Cc: Abdun Nihaal, ryazanov.s.a@gmail.com, johannes@sipsolutions.net, andrew+netdev@lunn.ch, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: [PATCH net] net: wwan: iosm: fix potential use after free in ipc_imem_cleanup()
Date: Tue, 19 May 2026 12:10:26 +0530
Message-ID: <20260519064028.60992-1-nihaal@cse.iitm.ac.in>

During cleanup, the ipc_protocol_deinit() is called before the tasklets are cleaned up. The tasklets may concurrently access the memory allocated for ipc_protocol and so it could result in a use-after-free.

Fix that by moving ipc_protocol_deinit() after ipc_task_deinit().

Fixes: 3670970dd8c6 ("net: iosm: shared memory IPC interface")
Cc: stable@vger.kernel.org
Suggested-by: Jakub Kicinski
Signed-off-by: Abdun Nihaal
---
Compile tested only. Not tested on hardware.

 drivers/net/wwan/iosm/iosm_ipc_imem.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem.c b/drivers/net/wwan/iosm/= iosm_ipc_imem.c index 4405c8531888..939364daf5c7 100644 --- a/drivers/net/wwan/iosm/iosm_ipc_imem.c +++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c @@ -1256,8 +1256,8 @@ void ipc_imem_cleanup(struct iosm_imem *ipc_imem) ipc_imem_device_ipc_uninit(ipc_imem); ipc_imem_channel_reset(ipc_imem); =20 - ipc_protocol_deinit(ipc_imem->ipc_protocol); ipc_task_deinit(ipc_imem->ipc_task); + ipc_protocol_deinit(ipc_imem->ipc_protocol); =20 kfree(ipc_imem->ipc_task); kfree(ipc_imem->mmio); --=20 2.43.0
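
Review bot: The reordered pair at the end of ipc_imem_cleanup() only closes the race if ipc_task_deinit() both stops new tasklet work from being scheduled and waits for a handler that is already running, and the commit message does not say that it does; please state which of these ipc_task_deinit() guarantees, since the patch is compile tested only and tagged for stable. It is also worth confirming that ipc_protocol_deinit() does not itself rely on the task queue, which is now torn down before it runs, and whether the ipc_imem_device_ipc_uninit() and ipc_imem_channel_reset() calls kept above ipc_task_deinit() in the context lines can touch state that a still-live tasklet uses.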