ath9k: Null out references to stale pointers.

This doesn't fix any problem that I'm aware of, but should
make it harder to add use-after-free type bugs in the
future.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

3 files changed, 16 insertions, 0 deletions

diff --git a/drivers/net/wireless/ath/ath9k/beacon.c b/drivers/net/wireless/ath/ath9k/beacon.c
index af8fedda001b..4ed010d4ef96 100644
--- a/drivers/net/wireless/ath/ath9k/beacon.c
+++ b/drivers/net/wireless/ath/ath9k/beacon.c
@@ -139,6 +139,7 @@ static struct ath_buf *ath_beacon_generate(struct ieee80211_hw *hw,
                 dma_unmap_single(sc->dev, bf->bf_buf_addr,
                                  skb->len, DMA_TO_DEVICE);
                 dev_kfree_skb_any(skb);
+                bf->bf_buf_addr = 0;
         }
 
         /* Get a new beacon from mac80211 */
@@ -167,6 +168,7 @@ static struct ath_buf *ath_beacon_generate(struct ieee80211_hw *hw,
         if (unlikely(dma_mapping_error(sc->dev, bf->bf_buf_addr))) {
                 dev_kfree_skb_any(skb);
                 bf->bf_mpdu = NULL;
+                bf->bf_buf_addr = 0;
                 ath_print(common, ATH_DBG_FATAL,
                           "dma_mapping_error on beaconing\n");
                 return NULL;
@@ -255,6 +257,7 @@ int ath_beacon_alloc(struct ath_wiphy *aphy, struct ieee80211_vif *vif)
                                  skb->len, DMA_TO_DEVICE);
                 dev_kfree_skb_any(skb);
                 bf->bf_mpdu = NULL;
+                bf->bf_buf_addr = 0;
         }
 
         /* NB: the beacon data buffer must be 32-bit aligned. */
@@ -300,6 +303,7 @@ int ath_beacon_alloc(struct ath_wiphy *aphy, struct ieee80211_vif *vif)
         if (unlikely(dma_mapping_error(sc->dev, bf->bf_buf_addr))) {
                 dev_kfree_skb_any(skb);
                 bf->bf_mpdu = NULL;
+                bf->bf_buf_addr = 0;
                 ath_print(common, ATH_DBG_FATAL,
                           "dma_mapping_error on beacon alloc\n");
                 return -ENOMEM;
@@ -326,6 +330,7 @@ void ath_beacon_return(struct ath_softc *sc, struct ath_vif *avp)
                                          skb->len, DMA_TO_DEVICE);
                         dev_kfree_skb_any(skb);
                         bf->bf_mpdu = NULL;
+                        bf->bf_buf_addr = 0;
                 }
                 list_add_tail(&bf->list, &sc->beacon.bbuf);
 
diff --git a/drivers/net/wireless/ath/ath9k/recv.c b/drivers/net/wireless/ath/ath9k/recv.c
index 2e427522672d..fe73fc50082a 100644
--- a/drivers/net/wireless/ath/ath9k/recv.c
+++ b/drivers/net/wireless/ath/ath9k/recv.c
@@ -268,6 +268,7 @@ static int ath_rx_edma_init(struct ath_softc *sc, int nbufs)
                                                 bf->bf_buf_addr))) {
                                 dev_kfree_skb_any(skb);
                                 bf->bf_mpdu = NULL;
+                                bf->bf_buf_addr = 0;
                                 ath_print(common, ATH_DBG_FATAL,
                                         "dma_mapping_error() on RX init\n");
                                 error = -ENOMEM;
@@ -358,6 +359,7 @@ int ath_rx_init(struct ath_softc *sc, int nbufs)
                                                         bf->bf_buf_addr))) {
                                 dev_kfree_skb_any(skb);
                                 bf->bf_mpdu = NULL;
+                                bf->bf_buf_addr = 0;
                                 ath_print(common, ATH_DBG_FATAL,
                                           "dma_mapping_error() on RX init\n");
                                 error = -ENOMEM;
@@ -392,6 +394,8 @@ void ath_rx_cleanup(struct ath_softc *sc)
                                                 common->rx_bufsize,
                                                 DMA_FROM_DEVICE);
                                 dev_kfree_skb(skb);
+                                bf->bf_buf_addr = 0;
+                                bf->bf_mpdu = NULL;
                         }
                 }
 
@@ -1733,6 +1737,7 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush, bool hp)
                           bf->bf_buf_addr))) {
                         dev_kfree_skb_any(requeue_skb);
                         bf->bf_mpdu = NULL;
+                        bf->bf_buf_addr = 0;
                         ath_print(common, ATH_DBG_FATAL,
                                   "dma_mapping_error() on RX\n");
                         ath_rx_send_to_mac80211(hw, sc, skb, rxs);
diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
index b053058ae5ea..d077186da870 100644
--- a/drivers/net/wireless/ath/ath9k/xmit.c
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
@@ -1643,6 +1643,7 @@ static int ath_tx_setup_buffer(struct ieee80211_hw *hw, struct ath_buf *bf,
                                          skb->len, DMA_TO_DEVICE);
         if (unlikely(dma_mapping_error(sc->dev, bf->bf_buf_addr))) {
                 bf->bf_mpdu = NULL;
+                bf->bf_buf_addr = 0;
                 ath_print(ath9k_hw_common(sc->sc_ah), ATH_DBG_FATAL,
                           "dma_mapping_error() on TX\n");
                 return -ENOMEM;
@@ -1912,6 +1913,7 @@ static void ath_tx_complete_buf(struct ath_softc *sc, struct ath_buf *bf,
         }
 
         dma_unmap_single(sc->dev, bf->bf_buf_addr, skb->len, DMA_TO_DEVICE);
+        bf->bf_buf_addr = 0;
 
         if (bf->bf_state.bfs_paprd) {
                 if (time_after(jiffies,
@@ -1924,6 +1926,10 @@ static void ath_tx_complete_buf(struct ath_softc *sc, struct ath_buf *bf,
                 ath_debug_stat_tx(sc, txq, bf, ts);
                 ath_tx_complete(sc, skb, bf->aphy, tx_flags);
         }
+        /* At this point, skb (bf->bf_mpdu) is consumed...make sure we don't
+         * accidentally reference it later.
+         */
+        bf->bf_mpdu = NULL;
 
         /*
          * Return the list of ath_buf of this mpdu to free queue