On (25/06/12 16:14), Baochen Qiang wrote:
> > <4>[23562.576034] ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
> > <4>[23562.576058] worker_thread+0x389/0x930
> > <4>[23562.576065] kthread+0x149/0x170
> > <4>[23562.576074] ? start_flush_work+0x130/0x130
> > <4>[23562.576078] ? kthread_associate_blkcg+0xb0/0xb0
> > <4>[23562.576084] ret_from_fork+0x3b/0x50
> > <4>[23562.576090] ? kthread_associate_blkcg+0xb0/0xb0
> > <4>[23562.576096] ret_from_fork_asm+0x11/0x20
> >
> > There are clearly two ath11k_hal_dump_srng_stats() calls, the first
> > one happens before crash recovery, the second happens right after
> > and presumably causes UAF, because ->initialized flag is not cleared.
> > So with above we can confirm our guess.
>
> Could you refine your commit message with these details such that readers have a clear
> understanding of this issue?

Sure, I can do that. I didn't want to throw my guesses into the commit message; a stale ->initialized flag looked like a good enough justification for the patch. But I can send out v3 with a more detailed commit message.