From d91efadf011b4bbc34ff021803297317f8ff89b4 Mon Sep 17 00:00:00 2001 From: Ilia Lin Date: Thu, 5 Aug 2021 13:27:53 +0300 Subject: [PATCH] ipa: Null persistent pointers after free Assign NULL to pointers that may be used later after calling kfree on them. Change-Id: I3298eb484c92ee2373f0bc41aae8ae45fb373cf0 Signed-off-by: Ilia Lin --- drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c | 3 +++ drivers/platform/msm/ipa/ipa_v3/ipa.c | 5 +++++ drivers/platform/msm/ipa/ipa_v3/ipa_dp.c | 6 ++++-- drivers/platform/msm/ipa/ipa_v3/ipa_hw_stats.c | 1 + drivers/platform/msm/ipa/ipa_v3/ipa_odl.c | 1 + drivers/platform/msm/ipa/ipa_v3/ipa_pm.c | 1 + drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c | 3 +++ drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c | 1 + drivers/platform/msm/ipa/ipa_v3/rmnet_ll_ipa.c | 1 + 9 files changed, 20 insertions(+), 2 deletions(-) diff --git a/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c b/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c index e4d2d5ce63..0604c06f9e 100644 --- a/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c +++ b/drivers/platform/msm/ipa/ipa_clients/ipa_uc_offload.c @@ -356,6 +356,7 @@ static int ipa_uc_ntn_alloc_conn_smmu_info(struct ipa_ntn_setup_info *dest, source->buff_pool_base_sgt); if (result) { kfree(dest->data_buff_list); + dest->data_buff_list = NULL; return result; } @@ -363,6 +364,7 @@ static int ipa_uc_ntn_alloc_conn_smmu_info(struct ipa_ntn_setup_info *dest, source->ring_base_sgt); if (result) { kfree(dest->data_buff_list); + dest->data_buff_list = NULL; ipa_smmu_free_sgt(&dest->buff_pool_base_sgt); return result; } @@ -373,6 +375,7 @@ static int ipa_uc_ntn_alloc_conn_smmu_info(struct ipa_ntn_setup_info *dest, static void ipa_uc_ntn_free_conn_smmu_info(struct ipa_ntn_setup_info *params) { kfree(params->data_buff_list); + params->data_buff_list = NULL; ipa_smmu_free_sgt(¶ms->buff_pool_base_sgt); ipa_smmu_free_sgt(¶ms->ring_base_sgt); } 
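Review bot: The contract that ipa_uc_ntn_free_conn_smmu_info now has is not written down. With `params->data_buff_list = NULL;` added, a repeated call is harmless for that member, but whether it is harmless overall depends on ipa_smmu_free_sgt, whose body is not in this diff. It is handed the address of each sgt pointer, so it is able to clear it, and that is presumably the intent. A comment above the function would record the assumption, for example `/* Idempotent only if ipa_smmu_free_sgt() clears the pointer it is given; data_buff_list is reset here. */`. The second error branch in ipa_uc_ntn_alloc_conn_smmu_info relies on the same assumption for `buff_pool_base_sgt`.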
diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa.c b/drivers/platform/msm/ipa/ipa_v3/ipa.c index 50590187fe..6129be22b5 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa.c @@ -732,6 +732,7 @@ static void ipa3_active_clients_log_destroy(void) kfree(active_clients_table_buf); active_clients_table_buf = NULL; kfree(ipa3_ctx->ipa3_active_clients_logging.log_buffer[0]); + ipa3_ctx->ipa3_active_clients_logging.log_buffer[0] = NULL; ipa3_ctx->ipa3_active_clients_logging.log_head = 0; ipa3_ctx->ipa3_active_clients_logging.log_tail = IPA3_ACTIVE_CLIENTS_LOG_BUFFER_SIZE_LINES - 1; @@ -9119,13 +9120,16 @@ fail_bus_reg: fail_init_mem_partition: fail_bind: kfree(ipa3_ctx->ctrl); + ipa3_ctx->ctrl = NULL; fail_mem_ctrl: kfree(ipa3_ctx->ipa_tz_unlock_reg); + ipa3_ctx->ipa_tz_unlock_reg = NULL; fail_tz_unlock_reg: if (ipa3_ctx->logbuf) ipc_log_context_destroy(ipa3_ctx->logbuf); fail_uc_file_alloc: kfree(ipa3_ctx->gsi_fw_file_name); + ipa3_ctx->gsi_fw_file_name = NULL; fail_gsi_file_alloc: fail_mem_ctx: return result; @@ -9929,6 +9933,7 @@ static int get_ipa_dts_configuration(struct platform_device *pdev, IPAERR("failed to read register addresses\n"); kfree(ipa_tz_unlock_reg); kfree(ipa_drv_res->ipa_tz_unlock_reg); + ipa_drv_res->ipa_tz_unlock_reg = NULL; return -EFAULT; } diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_dp.c b/drivers/platform/msm/ipa/ipa_v3/ipa_dp.c index 9bf54c2833..eba9358381 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_dp.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_dp.c 
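Review bot: Only `log_buffer[0]` is cleared in ipa3_active_clients_log_destroy, although the tail reset to `IPA3_ACTIVE_CLIENTS_LOG_BUFFER_SIZE_LINES - 1` shows the log has many line slots. If the other `log_buffer[i]` entries point into the allocation held by slot 0, they still reference freed memory after this change. The allocation code is outside the hunk, so that aliasing is an assumption to confirm. If it holds, clear every slot with an existing or new loop index: `for (i = 0; i < IPA3_ACTIVE_CLIENTS_LOG_BUFFER_SIZE_LINES; i++) ipa3_ctx->ipa3_active_clients_logging.log_buffer[i] = NULL;`. The function starts above the hunk and continues below it.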
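Review bot: `ipa3_ctx->logbuf` is left pointing at a destroyed IPC log context in the `fail_tz_unlock_reg` step. That is the same dangling-pointer pattern this commit removes for `ctrl`, `ipa_tz_unlock_reg` and `gsi_fw_file_name` on the neighbouring labels. The `if (ipa3_ctx->logbuf)` guard suggests the field is used as an "is logging available" test, so a stale non-NULL value would pass it. Suggested: `if (ipa3_ctx->logbuf) { ipc_log_context_destroy(ipa3_ctx->logbuf); ipa3_ctx->logbuf = NULL; }`. The unwind ladder begins above the hunk, so the earlier labels were not checked.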
@@ -1588,13 +1588,13 @@ fail_gen3: fail_repl: ep->sys->repl_hdlr = ipa3_replenish_rx_cache; if (ep->sys->repl && !ep->sys->common_buff_pool) { - ep->sys->repl->capacity = 0; kfree(ep->sys->repl); + ep->sys->repl = NULL; } fail_page_recycle_repl: if (ep->sys->page_recycle_repl && !ep->sys->common_buff_pool) { - ep->sys->page_recycle_repl->capacity = 0; kfree(ep->sys->page_recycle_repl); + ep->sys->page_recycle_repl = NULL; } fail_napi: if (sys_in->client == IPA_CLIENT_APPS_WAN_LOW_LAT_DATA_CONS) { @@ -3111,6 +3111,7 @@ static void ipa3_cleanup_rx(struct ipa3_sys_context *sys) kfree(sys->repl->cache); kfree(sys->repl); + sys->repl = NULL; } if (sys->page_recycle_repl) { list_for_each_entry_safe(rx_pkt, r, @@ -3127,6 +3128,7 @@ static void ipa3_cleanup_rx(struct ipa3_sys_context *sys) rx_pkt); } kfree(sys->page_recycle_repl); + sys->page_recycle_repl = NULL; } } diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_hw_stats.c b/drivers/platform/msm/ipa/ipa_v3/ipa_hw_stats.c index 415a5ab634..098c82d32c 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_hw_stats.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_hw_stats.c @@ -441,6 +441,7 @@ int ipa_hw_stats_init(void) fail_free_stats_ctx: kfree(teth_stats_init); kfree(ipa3_ctx->hw_stats); + ipa3_ctx->hw_stats = NULL; return ret; } diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c b/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c index edfe67374b..db8ee50611 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_odl.c @@ -772,6 +772,7 @@ alloc_chrdev0_region_fail: class_destroy(odl_cdev[0].class); create_char_dev0_fail: kfree(ipa3_odl_ctx); + ipa3_odl_ctx = NULL; fail_mem_ctx: return result; } diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_pm.c b/drivers/platform/msm/ipa/ipa_v3/ipa_pm.c index afee786a3d..bbf4c9fa4a 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_pm.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_pm.c 
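Review bot: Setting `ep->sys->repl` and `ep->sys->page_recycle_repl` to NULL at `fail_repl` and `fail_page_recycle_repl` only helps if every consumer tests the pointer before dereferencing it. The replenish paths that read `->capacity` are not in the diff, so that needs confirming. This hunk also removes the old `->capacity = 0` writes, so any consumer that relied on a zero capacity now relies on the NULL check alone. If such a consumer can run concurrently with this error path, the store has to happen under the lock that consumer holds, and before the free: `repl = ep->sys->repl; ep->sys->repl = NULL; kfree(repl);`. The same applies to both ipa3_cleanup_rx hunks in this file. Separately, ipa3_cleanup_rx frees `sys->repl->cache` before `sys->repl` and this path does not, so the cache leaks if it was already allocated when control reaches `fail_repl`; the allocation site is outside the hunk.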
@@ -646,6 +646,7 @@ int ipa_pm_init(struct ipa_pm_init_params *params) if (!ipa_pm_ctx->wq) { IPA_PM_ERR("create workqueue failed\n"); kfree(ipa_pm_ctx); + ipa_pm_ctx = NULL; return -ENOMEM; } diff --git a/drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c b/drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c index d311adb1d8..e09581fc16 100644 --- a/drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c +++ b/drivers/platform/msm/ipa/ipa_v3/ipa_uc_wdi.c @@ -764,6 +764,7 @@ static void ipa_release_ap_smmu_mappings(enum ipa_client_type client) ipa3_ctx->wdi_map_cnt--; } kfree(wdi_res[i].res); + wdi_res[i].res = NULL; wdi_res[i].valid = false; } } @@ -800,6 +801,7 @@ static void ipa_release_uc_smmu_mappings(enum ipa_client_type client) ipa3_ctx->wdi_map_cnt--; } kfree(wdi_res[i].res); + wdi_res[i].res = NULL; wdi_res[i].valid = false; } } @@ -954,6 +956,7 @@ void ipa3_release_wdi3_gsi_smmu_mappings(u8 dir) ipa3_ctx->wdi_map_cnt--; } kfree(wdi_res[i].res); + wdi_res[i].res = NULL; wdi_res[i].valid = false; } } diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c index b4d88315bf..1683015a4b 100644 --- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c +++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ctl_ipa.c @@ -103,6 +103,7 @@ int ipa3_rmnet_ctl_init(void) WQ_MEM_RECLAIM | WQ_UNBOUND | WQ_SYSFS, 1); if (!rmnet_ctl_ipa3_ctx->wq) { kfree(rmnet_ctl_ipa3_ctx); + rmnet_ctl_ipa3_ctx = NULL; return -ENOMEM; } memset(&rmnet_ctl_ipa3_ctx->apps_to_ipa_low_lat_ep_cfg, 0, diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ll_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ll_ipa.c index 2258aa6f1c..931f5135b5 100644 --- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ll_ipa.c +++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ll_ipa.c 
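Review bot: The global `ipa_pm_ctx` already holds the allocation while ipa_pm_init is still building it. Any code that tests `ipa_pm_ctx` for NULL therefore sees a half-initialised context until this failure branch runs, and a freed one between `kfree(ipa_pm_ctx);` and the new `ipa_pm_ctx = NULL;`. Building the context through a local and publishing it as the last step of init (`ipa_pm_ctx = ctx;` once the workqueue exists) removes both windows and reduces this branch to `kfree(ctx);`. Whether anything can run concurrently with init is not visible in the hunk. The same shape appears in ipa3_rmnet_ctl_init (rmnet_ctl_ipa.c) and ipa3_rmnet_ll_init (rmnet_ll_ipa.c); all three function bodies start and end outside their hunks.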
@@ -207,6 +207,7 @@ int ipa3_rmnet_ll_init(void) WQ_MEM_RECLAIM | WQ_UNBOUND | WQ_SYSFS, 1); if (!rmnet_ll_ipa3_ctx->wq) { kfree(rmnet_ll_ipa3_ctx); + rmnet_ll_ipa3_ctx = NULL; return -ENOMEM; } memset(&rmnet_ll_ipa3_ctx->apps_to_ipa_low_lat_data_ep_cfg, 0,