From ccad254cc111bae2f94d2d72ccbd1bcfd1317de5 Mon Sep 17 00:00:00 2001
From: Ilia Lin
Date: Thu, 26 Aug 2021 11:14:33 +0300
Subject: [PATCH] ipa: Null persistent pointers after free

Assign NULL to pointers that may be used later after calling kfree on them.

Change-Id: I3298eb484c92ee2373f0bc41aae8ae45fb373cf0
Signed-off-by: Ilia Lin
---
 drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c | 3 +++
 drivers/platform/msm/ipa/ipa_v3/ipa.c | 5 +++++
 drivers/platform/msm/ipa/ipa_v3/ipa_dp.c | 4 ++++
 drivers/platform/msm/ipa/ipa_v3/ipa_odl.c | 1 +
 drivers/platform/msm/ipa/ipa_v3/ipa_pm.c | 1 +
 drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c | 3 +++
 drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c | 1 +
 7 files changed, 18 insertions(+)

diff --git a/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c b/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c
index b8794cedd293..f4a854b702f2 100644
--- a/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c
+++ b/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c
@@ -356,6 +356,7 @@ static int ipa_uc_ntn_alloc_conn_smmu_info(struct ipa_ntn_setup_info *dest,
 source->buff_pool_base_sgt);
 if (result) {
 kfree(dest->data_buff_list);
+ dest->data_buff_list = NULL;
 return result;
 }
@@ -363,6 +364,7 @@ static int ipa_uc_ntn_alloc_conn_smmu_info(struct ipa_ntn_setup_info *dest,
 source->ring_base_sgt);
 if (result) {
 kfree(dest->data_buff_list);
+ dest->data_buff_list = NULL;
 ipa_smmu_free_sgt(&dest->buff_pool_base_sgt);
 return result;
 }
@@ -373,6 +375,7 @@ static int ipa_uc_ntn_alloc_conn_smmu_info(struct ipa_ntn_setup_info *dest,
 static void ipa_uc_ntn_free_conn_smmu_info(struct ipa_ntn_setup_info *params)
 {
 kfree(params->data_buff_list);
+ params->data_buff_list = NULL;
 ipa_smmu_free_sgt(¶ms->buff_pool_base_sgt);
 ipa_smmu_free_sgt(¶ms->ring_base_sgt);
 }
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c
index 1f63f9b26f3e..cd5c4a7e7fa3 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa.c
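Review bot: In ipa_uc_ntn_alloc_conn_smmu_info the pair `kfree(dest->data_buff_list); dest->data_buff_list = NULL;` is now written out separately in both failure branches (the hunks at -356 and -363), so a later failure path can free the list and forget the reset. A single unwind label that holds the pair, reached with `goto` from each branch, would keep the free and the reset together. A short comment above the function, `/* On failure dest->data_buff_list is freed and NULL. */`, would record the contract this commit introduces. The function starts and ends outside both hunks, so earlier failure paths could not be checked.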
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c
@@ -689,6 +689,7 @@ static void ipa3_active_clients_log_destroy(void)
 kfree(active_clients_table_buf);
 active_clients_table_buf = NULL;
 kfree(ipa3_ctx->ipa3_active_clients_logging.log_buffer[0]);
+ ipa3_ctx->ipa3_active_clients_logging.log_buffer[0] = NULL;
 ipa3_ctx->ipa3_active_clients_logging.log_head = 0;
 ipa3_ctx->ipa3_active_clients_logging.log_tail =
 IPA3_ACTIVE_CLIENTS_LOG_BUFFER_SIZE_LINES - 1;
@@ -7867,13 +7868,16 @@ fail_bus_reg:
 fail_init_mem_partition:
 fail_bind:
 kfree(ipa3_ctx->ctrl);
+ ipa3_ctx->ctrl = NULL;
 fail_mem_ctrl:
 kfree(ipa3_ctx->ipa_tz_unlock_reg);
+ ipa3_ctx->ipa_tz_unlock_reg = NULL;
 fail_tz_unlock_reg:
 if (ipa3_ctx->logbuf)
 ipc_log_context_destroy(ipa3_ctx->logbuf);
 fail_uc_file_alloc:
 kfree(ipa3_ctx->gsi_fw_file_name);
+ ipa3_ctx->gsi_fw_file_name = NULL;
 fail_gsi_file_alloc:
 fail_mem_ctx:
 return result;
@@ -8561,6 +8565,7 @@ static int get_ipa_dts_configuration(struct platform_device *pdev,
 IPAERR("failed to read register addresses\n");
 kfree(ipa_tz_unlock_reg);
 kfree(ipa_drv_res->ipa_tz_unlock_reg);
+ ipa_drv_res->ipa_tz_unlock_reg = NULL;
 return -EFAULT;
 }
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_dp.c b/drivers/platform/msm/ipa/ipa_v3/ipa_dp.c
index 8a396a023703..83d2d1476508 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_dp.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_dp.c
@@ -1383,10 +1383,12 @@ fail_repl:
 ep->sys->repl_hdlr = ipa3_replenish_rx_cache;
 ep->sys->repl->capacity = 0;
 kfree(ep->sys->repl);
+ ep->sys->repl = NULL;
 fail_page_recycle_repl:
 if (ep->sys->page_recycle_repl) {
 ep->sys->page_recycle_repl->capacity = 0;
 kfree(ep->sys->page_recycle_repl);
+ ep->sys->page_recycle_repl = NULL;
 }
 fail_napi:
 /* Delete NAPI TX object. */
@@ -2827,6 +2829,7 @@ static void ipa3_cleanup_rx(struct ipa3_sys_context *sys)
 kfree(sys->repl->cache);
 kfree(sys->repl);
+ sys->repl = NULL;
 }
 if (sys->page_recycle_repl) {
 for (i = 0; i < sys->page_recycle_repl->capacity; i++) {
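Review bot: Only element 0 of `log_buffer` is reset after the `kfree` in ipa3_active_clients_log_destroy. If the other entries are set up as offsets into that same allocation (the init code is outside this hunk), they still hold addresses inside freed memory. `log_tail` is set to `IPA3_ACTIVE_CLIENTS_LOG_BUFFER_SIZE_LINES - 1`, which suggests the array has that many slots. If so, clearing every slot in a loop bounded by that constant, `log_buffer[i] = NULL;`, would leave no stale line pointers. Readers that index `log_buffer[log_head]` would then need a NULL test, and whether they have one is not visible here.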
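Review bot: `ipa3_ctx->logbuf` is the one pointer in this unwind sequence that is released but not reset: after `ipc_log_context_destroy(ipa3_ctx->logbuf);` the field keeps its old value, while `ctrl`, `ipa_tz_unlock_reg` and `gsi_fw_file_name` are now set to NULL. The field is tested with `if (ipa3_ctx->logbuf)` right here, so logging code elsewhere presumably relies on the same test and would treat the destroyed handle as live. Suggest bracing the branch and adding `ipa3_ctx->logbuf = NULL;` after the destroy call. The function these labels belong to starts outside the hunk, and ipa3_ctx itself is not freed in the visible lines.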
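Review bot: Under `fail_repl:` the line `ep->sys->repl->capacity = 0;` dereferences `ep->sys->repl` with no NULL test, while the page_recycle_repl teardown just below is guarded by `if (ep->sys->page_recycle_repl)`. With this commit NULL becomes the "already freed" state for `repl`, so the two teardowns should be symmetric: wrap the three repl lines in `if (ep->sys->repl) { ... }`. The line above installs `ipa3_replenish_rx_cache` as `repl_hdlr`; whether that handler can run without `repl` cannot be confirmed from this hunk. The jumps to these labels are outside the hunk, so it is not visible whether `fail_repl` can be reached with `repl` unset.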
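Review bot: In ipa3_cleanup_rx the field is cleared only after the free, so between `kfree(sys->repl);` and `sys->repl = NULL;` it still holds a freed address; the hunk at -2845 uses the same order for `sys->page_recycle_repl`. If replenish work can still run against this sys context at that point (locking and work flushing are outside the hunk), detach first: copy the pointer to a local, set the field to NULL, then free the cache and the struct through the local. If teardown is already serialized, a comment such as `/* rx work is flushed before this point; no concurrent users of sys->repl */` would record why the simpler order is safe. Resetting the pointer turns a use-after-free into a NULL dereference only for readers that do not check, so the readers of `sys->repl` deserve a look as well.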
@@ -2845,6 +2848,7 @@ static void ipa3_cleanup_rx(struct ipa3_sys_context *sys)
 }
 kfree(sys->page_recycle_repl->cache);
 kfree(sys->page_recycle_repl);
+ sys->page_recycle_repl = NULL;
 }
 }
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c b/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c
index 69de447bd18a..a5dee263c49b 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c
@@ -762,6 +762,7 @@ alloc_chrdev0_region_fail:
 class_destroy(odl_cdev[0].class);
 create_char_dev0_fail:
 kfree(ipa3_odl_ctx);
+ ipa3_odl_ctx = NULL;
 fail_mem_ctx:
 return result;
 }
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_pm.c b/drivers/platform/msm/ipa/ipa_v3/ipa_pm.c
index eb74bbac4c02..c2232d59b691 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_pm.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_pm.c
@@ -641,6 +641,7 @@ int ipa_pm_init(struct ipa_pm_init_params *params)
 if (!ipa_pm_ctx->wq) {
 IPA_PM_ERR("create workqueue failed\n");
 kfree(ipa_pm_ctx);
+ ipa_pm_ctx = NULL;
 return -ENOMEM;
 }
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c b/drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c
index be80025d27b6..e479a39cb75f 100644
--- a/drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c
+++ b/drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c
@@ -742,6 +742,7 @@ static void ipa_release_ap_smmu_mappings(enum ipa_client_type client)
 ipa3_ctx->wdi_map_cnt--;
 }
 kfree(wdi_res[i].res);
+ wdi_res[i].res = NULL;
 wdi_res[i].valid = false;
 }
 }
@@ -778,6 +779,7 @@ static void ipa_release_uc_smmu_mappings(enum ipa_client_type client)
 ipa3_ctx->wdi_map_cnt--;
 }
 kfree(wdi_res[i].res);
+ wdi_res[i].res = NULL;
 wdi_res[i].valid = false;
 }
 }
@@ -929,6 +931,7 @@ void ipa3_release_wdi3_gsi_smmu_mappings(u8 dir)
 ipa3_ctx->wdi_map_cnt--;
 }
 kfree(wdi_res[i].res);
+ wdi_res[i].res = NULL;
 wdi_res[i].valid = false;
 }
 }
diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c
index 425e5f828901..8c58c1ece7b8 100644
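Review bot: `ipa_pm_ctx` looks like a file-scope pointer that is assigned before the workqueue exists and withdrawn here on failure. During that interval any entry point that tests `ipa_pm_ctx` for NULL would see a context with no workqueue. Building the context through a local variable and assigning the global only after initialization has succeeded would remove that window and make the reset unnecessary. The allocation is outside this hunk, so this is inferred from the visible failure branch. The same applies to `ipa3_odl_ctx` in ipa_odl.c and `rmnet_ctl_ipa3_ctx` in rmnet_ctl_ipa.c.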
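Review bot: `wdi_res[i].valid = false;` is still written last, after the entry's `res` has been freed and cleared, in ipa_release_ap_smmu_mappings and identically in ipa_release_uc_smmu_mappings and ipa3_release_wdi3_gsi_smmu_mappings. Code that trusts `valid` is better served by invalidating first, i.e. moving `wdi_res[i].valid = false;` above `kfree(wdi_res[i].res);`. If these paths do not run under a lock (not visible in the hunks), statement order alone is not a guarantee. The three-statement tail is now repeated in three functions, so a small static helper taking the index would keep the order in one place. Any element count stored next to `res` should be zeroed in the same helper so later loops over the entry do not walk a NULL array.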
--- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c
@@ -103,6 +103,7 @@ int ipa3_rmnet_ctl_init(void)
 WQ_MEM_RECLAIM | WQ_UNBOUND | WQ_SYSFS, 1);
 if (!rmnet_ctl_ipa3_ctx->wq) {
 kfree(rmnet_ctl_ipa3_ctx);
+ rmnet_ctl_ipa3_ctx = NULL;
 return -ENOMEM;
 }
 memset(&rmnet_ctl_ipa3_ctx->apps_to_ipa_low_lat_ep_cfg, 0,