samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Avoid invalid invalid_peer_head_msdu list

Browse Source 
Add a check to validate invalid_peer_head_msdu before accessing
to avoid NULL dereference.

Change-Id: I9218bdd1100b48a32240546f380b1437ae72c406
CRs-Fixed: 2585651
This commit is contained in:
Venkata Sharath Chandra Manchala
2020-01-03 16:42:00 -08:00
committed by nshrivas
parent ef9d824e14
commit 09d116aee9
2 changed files with 14 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
dp/wifi3.0/dp_rx.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2016-2019 The Linux Foundation. All rights reserved. * Copyright (c) 2016-2020 The Linux Foundation. All rights reserved.
* *
* Permission to use, copy, modify, and/or distribute this software for * Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the * any purpose with or without fee is hereby granted, provided that the
@@ -891,13 +891,6 @@ out:
if (soc->cdp_soc.ol_ops->rx_invalid_peer) if (soc->cdp_soc.ol_ops->rx_invalid_peer)
soc->cdp_soc.ol_ops->rx_invalid_peer(vdev->vdev_id, wh); soc->cdp_soc.ol_ops->rx_invalid_peer(vdev->vdev_id, wh);
free: free:
/* reset the head and tail pointers */
pdev = dp_get_pdev_for_mac_id(soc, mac_id);
if (pdev) {
pdev->invalid_peer_head_msdu = NULL;
pdev->invalid_peer_tail_msdu = NULL;
}
/* Drop and free packet */ /* Drop and free packet */
curr_nbuf = mpdu; curr_nbuf = mpdu;
while (curr_nbuf) { while (curr_nbuf) {
@@ -906,6 +899,13 @@ free:
curr_nbuf = next_nbuf; curr_nbuf = next_nbuf;
} }
/* Reset the head and tail pointers */
pdev = dp_get_pdev_for_mac_id(soc, mac_id);
if (pdev) {
pdev->invalid_peer_head_msdu = NULL;
pdev->invalid_peer_tail_msdu = NULL;
}
return 0; return 0;
} }

10
dp/wifi3.0/dp_rx_err.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2016-2019 The Linux Foundation. All rights reserved. * Copyright (c) 2016-2020 The Linux Foundation. All rights reserved.
* *
* Permission to use, copy, modify, and/or distribute this software for * Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the * any purpose with or without fee is hereby granted, provided that the
@@ -427,8 +427,8 @@ dp_rx_2k_jump_handle(struct dp_soc *soc, hal_ring_desc_t ring_desc,
* Return: bool: true for last msdu of mpdu * Return: bool: true for last msdu of mpdu
*/ */
static bool static bool
dp_rx_chain_msdus(struct dp_soc *soc, qdf_nbuf_t nbuf, uint8_t *rx_tlv_hdr, dp_rx_chain_msdus(struct dp_soc *soc, qdf_nbuf_t nbuf,
uint8_t mac_id) uint8_t *rx_tlv_hdr, uint8_t mac_id)
{ {
bool mpdu_done = false; bool mpdu_done = false;
qdf_nbuf_t curr_nbuf = NULL; qdf_nbuf_t curr_nbuf = NULL;
@@ -447,8 +447,9 @@ dp_rx_chain_msdus(struct dp_soc *soc, qdf_nbuf_t nbuf, uint8_t *rx_tlv_hdr,
* up * up
*/ */
if (!dp_pdev->first_nbuf || if (!dp_pdev->first_nbuf ||
(dp_pdev->invalid_peer_head_msdu &&
QDF_NBUF_CB_RX_NUM_ELEMENTS_IN_LIST QDF_NBUF_CB_RX_NUM_ELEMENTS_IN_LIST
(dp_pdev->invalid_peer_head_msdu) >= DP_MAX_INVALID_BUFFERS) { (dp_pdev->invalid_peer_head_msdu) >= DP_MAX_INVALID_BUFFERS)) {
qdf_nbuf_set_rx_chfrag_start(nbuf, 1); qdf_nbuf_set_rx_chfrag_start(nbuf, 1);
dp_pdev->ppdu_id = hal_rx_hw_desc_get_ppduid_get(soc->hal_soc, dp_pdev->ppdu_id = hal_rx_hw_desc_get_ppduid_get(soc->hal_soc,
rx_tlv_hdr); rx_tlv_hdr);
@@ -804,6 +805,7 @@ dp_rx_null_q_desc_handle(struct dp_soc *soc, qdf_nbuf_t nbuf,
pdev->invalid_peer_head_msdu = NULL; pdev->invalid_peer_head_msdu = NULL;
pdev->invalid_peer_tail_msdu = NULL; pdev->invalid_peer_tail_msdu = NULL;
} }
return QDF_STATUS_E_FAILURE; return QDF_STATUS_E_FAILURE;
} }