samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: OOB crash fix due to Invalid peer index

Browse Source 
In print_peer_stats function while printing REO Q
ref. table if the input peer is MLD peer then the
API to check a valid MLD peer, returns NULL, hence
calculated peer index is invalid causing OOB array
access for REO Q Ref. table resulting in crash.
Fix, For MLO Link Peer REO Q ref table is not
updated and hence return from function without
printing. For MLO MLD peer update the API to check
the peer type and update peer index accordingly.

Change-Id: I66208410bd7a44d381c470621d10c118040d903a
CRs-Fixed: 3401569
This commit is contained in:
Kenvish Butani
2023-02-09 18:39:23 +05:30
committed by Madan Koyyalamudi
parent 3f072d7829
commit 3062af6ed0
1 changed files with 11 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
dp/wifi3.0/dp_stats.c
View File

@@ -6703,7 +6703,6 @@ void dp_print_peer_txrx_stats_li(struct cdp_peer_stats *peer_stats,
static void dp_peer_print_reo_qref_table(struct dp_peer *peer) static void dp_peer_print_reo_qref_table(struct dp_peer *peer)
{ {
struct hal_soc *hal; struct hal_soc *hal;
struct dp_peer *mld_peer;
int i; int i;
uint64_t *reo_qref_addr; uint64_t *reo_qref_addr;
uint32_t peer_idx; uint32_t peer_idx;
@@ -6713,8 +6712,6 @@ static void dp_peer_print_reo_qref_table(struct dp_peer *peer)
if (!hal_reo_shared_qaddr_is_enable((hal_soc_handle_t)hal)) if (!hal_reo_shared_qaddr_is_enable((hal_soc_handle_t)hal))
return; return;
peer_idx = (peer->peer_id * DP_MAX_TIDS);
if ((!hal->reo_qref.non_mlo_reo_qref_table_vaddr) || if ((!hal->reo_qref.non_mlo_reo_qref_table_vaddr) ||
(!hal->reo_qref.mlo_reo_qref_table_vaddr)) { (!hal->reo_qref.mlo_reo_qref_table_vaddr)) {
QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR,
@@ -6722,15 +6719,20 @@ static void dp_peer_print_reo_qref_table(struct dp_peer *peer)
return; return;
} }
reo_qref_addr = &hal->reo_qref.non_mlo_reo_qref_table_vaddr[peer_idx]; if (IS_MLO_DP_LINK_PEER(peer))
mld_peer = DP_GET_MLD_PEER_FROM_PEER(peer); return;
if (mld_peer) {
peer = mld_peer; if (IS_MLO_DP_MLD_PEER(peer)) {
hal = (struct hal_soc *) hal = (struct hal_soc *)
peer->vdev->pdev->soc->hal_soc; peer->vdev->pdev->soc->hal_soc;
peer_idx = (mld_peer->peer_id - HAL_ML_PEER_ID_START) * peer_idx = (peer->peer_id - HAL_ML_PEER_ID_START) *
DP_MAX_TIDS; DP_MAX_TIDS;
reo_qref_addr = &hal->reo_qref.mlo_reo_qref_table_vaddr[peer_idx]; reo_qref_addr =
&hal->reo_qref.mlo_reo_qref_table_vaddr[peer_idx];
} else {
peer_idx = (peer->peer_id * DP_MAX_TIDS);
reo_qref_addr =
&hal->reo_qref.non_mlo_reo_qref_table_vaddr[peer_idx];
} }
DP_PRINT_STATS("Reo Qref table for peer_id: %d\n", peer->peer_id); DP_PRINT_STATS("Reo Qref table for peer_id: %d\n", peer->peer_id);