From 4df4138eb65fb5749f1e792bc971066831889f5e Mon Sep 17 00:00:00 2001
From: Ryan Hsu
Date: Fri, 15 Jun 2018 15:45:22 -0700
Subject: [PATCH] qcacld-3.0: sanitize the mode and state in testmode handler

This is to fix a null pointer dereference in testmode handler. In the case of driver is close state, userspace still sends testmode command to the callback, where the hdd_ctx->pdev is already deallocated, and reset to NULL that causes a null pointer reference. The failure callstack as below.

012|QDF_DEBUG_PANIC()
013|wlan_objmgr_pdev_get_comp_private_obj(pdev=null)
014|wlan_cfg80211_ftm_testmode_cmd()
015|__wlan_hdd_cfg80211_testmode(inline)

Change-Id: I26cb132a3f5b2eb9cd83892a80bea25a8d511962
CRs-fixed: 2261847
---
 core/hdd/src/wlan_hdd_cfg80211.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 954798cb7c..05efbeeb99 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -21412,6 +21412,11 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy,
 	if (err)
 		return err;
 
+	if (hdd_ctx->driver_status == DRIVER_MODULES_CLOSED) {
+		hdd_err("Driver Modules are closed");
+		return -EINVAL;
+	}
+
 	err = wlan_cfg80211_nla_parse(tb, WLAN_HDD_TM_ATTR_MAX, data,
 				      len, wlan_hdd_tm_policy);
 	if (err) {
@@ -21481,6 +21486,12 @@ static int __wlan_hdd_cfg80211_testmode(struct wiphy *wiphy,
 #if defined(QCA_WIFI_FTM)
 	case WLAN_HDD_TM_CMD_WLAN_FTM:
 	{
+		if (QDF_GLOBAL_FTM_MODE != hdd_get_conparam()) {
+			hdd_err("Command not allowed in FTM mode, mode %d",
+				hdd_get_conparam());
+			return -EINVAL;
+		}
+
 		err = wlan_cfg80211_ftm_testmode_cmd(hdd_ctx->hdd_pdev,
						     data, len);
 		break;
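Review bot: The new `hdd_ctx->driver_status == DRIVER_MODULES_CLOSED` test in the first hunk is a plain, unlocked read of a field that the module-close path changes, so on its own it narrows the window in which `hdd_ctx->hdd_pdev` can be freed underneath this handler rather than closing it; whether that is sufficient depends on module close being serialized with cfg80211 testmode callbacks, which is not visible in the hunk. A one-line comment stating that assumption would help the next reader, e.g. `/* Unlocked read: relies on module close being serialized with cfg80211 callbacks */`. Separately, `-EINVAL` tells userspace its attributes were malformed, whereas what is being reported is that the driver is not running; `return -EAGAIN;` (or `-ENODEV`) describes that condition more accurately and lets a caller distinguish it from a bad request. __wlan_hdd_cfg80211_testmode begins before this hunk and continues past it.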
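Review bot: In the second hunk the pointer that the reported call stack actually dereferences, `hdd_ctx->hdd_pdev`, is still passed to `wlan_cfg80211_ftm_testmode_cmd()` without being checked; the FTM-mode guard is a proxy for it, and nothing in the hunk shows that `hdd_get_conparam()` and the pdev lifetime are updated together, so a direct NULL check at the point of use is the robust fix regardless of how the state flags are kept in sync. The log text is also inverted: the branch fires when the driver is not in FTM mode, but the message says "Command not allowed in FTM mode", which will mislead whoever reads the log. `hdd_get_conparam()` is evaluated twice in the same block; reading it once into a local keeps the message consistent with the tested value. The enclosing switch and __wlan_hdd_cfg80211_testmode both extend outside the hunk.
```c
	{
		int conparam = hdd_get_conparam();

		if (conparam != QDF_GLOBAL_FTM_MODE) {
			hdd_err("Command only allowed in FTM mode, current mode %d",
				conparam);
			return -EINVAL;
		}
		if (!hdd_ctx->hdd_pdev) {
			hdd_err("pdev is NULL, driver not ready for FTM command");
			return -EINVAL;
		}

		/* … unchanged: wlan_cfg80211_ftm_testmode_cmd() call and break … */
```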