qcacld-3.0: Fix use-after-free in IPA exception path

Currently when packets are routed from IPA to
HOST via the exception path, the system encounters
a use-after-free crash. This change eliminates
the access to the nbuf pointer after it has been freed in
hdd_ipa_send_nbuf_to_network().

Change-Id: Ib126ac9092562067cb8eeb2b1d6464941111796c
CRs-Fixed: 3410414
Namita Nair
2023-02-16 23:24:12 -08:00
committed by Madan Koyyalamudi
parent 3064b4603c
commit 2e7dcc8c8f


@@ -1,6 +1,6 @@
/* /*
* Copyright (c) 2013-2021 The Linux Foundation. All rights reserved. * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
* Copyright (c) 2021-2022 Qualcomm Innovation Center, Inc. All rights reserved. * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.
* *
* Permission to use, copy, modify, and/or distribute this software for * Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the * any purpose with or without fee is hereby granted, provided that the
@@ -168,7 +168,7 @@ void hdd_ipa_send_nbuf_to_network(qdf_nbuf_t nbuf, qdf_netdev_t dev)
struct wlan_objmgr_vdev *vdev; struct wlan_objmgr_vdev *vdev;
int result; int result;
bool delivered = false; bool delivered = false;
uint32_t enabled; uint32_t enabled, len = 0;
struct hdd_tx_rx_stats *stats; struct hdd_tx_rx_stats *stats;
struct hdd_station_ctx *sta_ctx; struct hdd_station_ctx *sta_ctx;
bool is_eapol; bool is_eapol;
@@ -224,6 +224,7 @@ void hdd_ipa_send_nbuf_to_network(qdf_nbuf_t nbuf, qdf_netdev_t dev)
nbuf->dev = adapter->dev; nbuf->dev = adapter->dev;
nbuf->protocol = eth_type_trans(nbuf, nbuf->dev); nbuf->protocol = eth_type_trans(nbuf, nbuf->dev);
nbuf->ip_summed = CHECKSUM_NONE; nbuf->ip_summed = CHECKSUM_NONE;
len = nbuf->len;
/* /*
* Update STA RX exception packet stats. * Update STA RX exception packet stats.
@@ -264,7 +265,7 @@ void hdd_ipa_send_nbuf_to_network(qdf_nbuf_t nbuf, qdf_netdev_t dev)
* and also DP internally maintaining vdev ref count * and also DP internally maintaining vdev ref count
*/ */
ucfg_dp_inc_rx_pkt_stats(adapter->vdev, ucfg_dp_inc_rx_pkt_stats(adapter->vdev,
nbuf->len, len,
delivered); delivered);
/* /*
* Restore PF_WAKE_UP_IDLE flag in the task structure * Restore PF_WAKE_UP_IDLE flag in the task structure
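Review bot: The new `len = nbuf->len;` assignment in the second hunk has no comment saying why the length is cached, so a later cleanup could fold it back into `nbuf->len` at the `ucfg_dp_inc_rx_pkt_stats()` call and reintroduce the use-after-free. I would add `/* Cache len here: nbuf must not be dereferenced once it is handed off for delivery */` directly above it. The delivery call sits between the second and third hunks and is not shown, so it is worth confirming that no other nbuf field is read after that point. Note that `len` is taken after `eth_type_trans()`, so it is the post-header-pull length, which presumably matches what the stats call was counting before. The body of hdd_ipa_send_nbuf_to_network() starts and ends outside these hunks.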