at86rf230: fix race on error handling

The resource "ctx" can be still used by at86rf230_async_state_change, we need to free it at the complete handler of the async state change to avoid a use after free. Signed-off-by: N Alexander Aring <aar@pengutronix.de> Signed-off-by: N Marcel Holtmann <marcel@holtmann.org>

at86rf230: fix race on error handling
The resource "ctx" can be still used by at86rf230_async_state_change, we need to free it at the complete handler of the async state change to avoid a use after free. Signed-off-by: N Alexander Aring <aar@pengutronix.de> Signed-off-by: N Marcel Holtmann <marcel@holtmann.org>
c231c5a4 · Alexander Aring · Marcel Holtmann · 07b0188a · c231c5a4
隐藏空白更改
内联并排

Showing with 14 addition and 4 deletion

drivers/net/ieee802154/at86rf230.c drivers/net/ieee802154/at86rf230.c +14 -4

未找到文件。
--- a/drivers/net/ieee802154/at86rf230.c
+++ b/drivers/net/ieee802154/at86rf230.c
@@ -343,16 +343,26 @@ static const struct regmap_config at86rf230_regmap_spi_config = {
 };

 static void
-at86rf230_async_error_recover(void *context)
+at86rf230_async_error_recover_complete(void *context)
 {
 	struct at86rf230_state_change *ctx = context;
 	struct at86rf230_local *lp = ctx->lp;

-	lp->is_tx = 0;
-	at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON, NULL);
-	ieee802154_wake_queue(lp->hw);
 	if (ctx->free)
 		kfree(ctx);
+
+	ieee802154_wake_queue(lp->hw);
+}
+
+static void
+at86rf230_async_error_recover(void *context)
+{
+	struct at86rf230_state_change *ctx = context;
+	struct at86rf230_local *lp = ctx->lp;
+
+	lp->is_tx = 0;
+	at86rf230_async_state_change(lp, ctx, STATE_RX_AACK_ON,
+				     at86rf230_async_error_recover_complete);
 }

 static inline void