
qcacld-3.0: Add QDF_BUG to avoid use after free

There is a chance that cumulative peer_id_ref_cnt of different
peers can exceed peer ref cnt. This can result in a use after free
issue during peer unref delete in
ol_txrx_peer_remove_obj_map_entries. Add QDF_BUG to catch such a case
and avoid access of peer after delete.

Change-Id: I5a3cecc6a20747fce2fbf36a5ae733c42a3bc88b
CRs-Fixed: 2206589
Padma, Santhosh Kumar 7 years ago
parent
commit
4cdbf7d8dc
1 changed file with 8 additions and 0 deletions

+ 8 - 0
core/dp/txrx/ol_txrx_peer_find.c

@@ -726,6 +726,14 @@ void ol_txrx_peer_remove_obj_map_entries(ol_txrx_pdev_handle pdev,
 			  save_peer_ids[i], save_peer_id_ref_cnt[i], i);
 	}
 
+	if (num_deleted_maps > qdf_atomic_read(&peer->ref_cnt)) {
+		QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
+			  FL("num_deleted_maps %d ref_cnt %d"),
+			  num_deleted_maps, qdf_atomic_read(&peer->ref_cnt));
+		QDF_BUG(0);
+		return;
+	}
+
 	while (num_deleted_maps-- > 0)
 		ol_txrx_peer_release_ref(peer, PEER_DEBUG_ID_OL_INTERNAL);
 }
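
Review bot: the early return inside the new if block skips the release loop completely, so when the check fires none of the num_deleted_maps references are dropped; the return after QDF_BUG(0) implies execution can continue past the assert, and in that case the peer keeps its full ref_cnt and is never freed, trading the use after free for a leak. If that is intended, a short comment above the if saying so would help; otherwise consider clamping num_deleted_maps to the current count and releasing that many. Separately, qdf_atomic_read(&peer->ref_cnt) is read once for the comparison and again for the QDF_TRACE arguments, so the logged value can differ from the one that failed the check, and nothing visible here stops the count from changing between the check and the while loop. Reading the count once into a local and using it for both the comparison and the log message would at least make the error line trustworthy.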