qcacmn: fix use after free of hal_soc pointer
In case of WIN hal_soc will be freed in wifi down path, this pointer is not valid at pdev_detach or soc_detach. Change to populate dmac source ring flag to dp_soc as access is needed at pdev_detach or soc_detach Change-Id: I628746bdd05ba3791d3d0e6b6dfdf160ed368e9a
This commit is contained in:
Chaithanya Garrepalli
committed by
Madan Koyyalamudi
Madan Koyyalamudi
parent
733215d31f
commit
65ace7a19d
@@ -935,7 +935,7 @@ static void dp_soc_srng_deinit_be(struct dp_soc *soc)
|
||||
|
||||
dp_soc_ppe_srng_deinit(soc);
|
||||
|
||||
if (hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc)) {
|
||||
if (soc->features.dmac_cmn_src_rxbuf_ring_enabled) {
|
||||
for (i = 0; i < soc->num_rx_refill_buf_rings; i++) {
|
||||
dp_srng_deinit(soc, &soc->rx_refill_buf_ring[i],
|
||||
RXDMA_BUF, 0);
|
||||
@@ -949,7 +949,7 @@ static void dp_soc_srng_free_be(struct dp_soc *soc)
|
||||
|
||||
dp_soc_ppe_srng_free(soc);
|
||||
|
||||
if (hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc)) {
|
||||
if (soc->features.dmac_cmn_src_rxbuf_ring_enabled) {
|
||||
for (i = 0; i < soc->num_rx_refill_buf_rings; i++)
|
||||
dp_srng_free(soc, &soc->rx_refill_buf_ring[i]);
|
||||
}
|
||||
@@ -964,7 +964,7 @@ static QDF_STATUS dp_soc_srng_alloc_be(struct dp_soc *soc)
|
||||
soc_cfg_ctx = soc->wlan_cfg_ctx;
|
||||
|
||||
ring_size = wlan_cfg_get_dp_soc_rxdma_refill_ring_size(soc_cfg_ctx);
|
||||
if (hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc)) {
|
||||
if (soc->features.dmac_cmn_src_rxbuf_ring_enabled) {
|
||||
for (i = 0; i < soc->num_rx_refill_buf_rings; i++) {
|
||||
if (dp_srng_alloc(soc, &soc->rx_refill_buf_ring[i],
|
||||
RXDMA_BUF, ring_size, 0)) {
|
||||
@@ -991,7 +991,7 @@ static QDF_STATUS dp_soc_srng_init_be(struct dp_soc *soc)
|
||||
{
|
||||
int i = 0;
|
||||
|
||||
if (hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc)) {
|
||||
if (soc->features.dmac_cmn_src_rxbuf_ring_enabled) {
|
||||
for (i = 0; i < soc->num_rx_refill_buf_rings; i++) {
|
||||
if (dp_srng_init(soc, &soc->rx_refill_buf_ring[i],
|
||||
RXDMA_BUF, 0, 0)) {
|
||||
|
||||
@@ -12544,6 +12544,8 @@ dp_soc_attach(struct cdp_ctrl_objmgr_psoc *ctrl_psoc,
|
||||
&soc->rx_mon_pkt_tlv_size);
|
||||
soc->idle_link_bm_id = hal_get_idle_link_bm_id(soc->hal_soc,
|
||||
params->mlo_chip_id);
|
||||
soc->features.dmac_cmn_src_rxbuf_ring_enabled =
|
||||
hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc);
|
||||
soc->arch_id = arch_id;
|
||||
soc->link_desc_id_start =
|
||||
dp_get_link_desc_id_start(soc->arch_id);
|
||||
@@ -13267,7 +13269,7 @@ static void dp_pdev_srng_deinit(struct dp_pdev *pdev)
|
||||
struct dp_soc *soc = pdev->soc;
|
||||
uint8_t i;
|
||||
|
||||
if (!hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc))
|
||||
if (!soc->features.dmac_cmn_src_rxbuf_ring_enabled)
|
||||
dp_srng_deinit(soc, &soc->rx_refill_buf_ring[pdev->lmac_id],
|
||||
RXDMA_BUF,
|
||||
pdev->lmac_id);
|
||||
@@ -13308,7 +13310,7 @@ static QDF_STATUS dp_pdev_srng_init(struct dp_pdev *pdev)
|
||||
|
||||
soc_cfg_ctx = soc->wlan_cfg_ctx;
|
||||
|
||||
if (!hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc)) {
|
||||
if (!soc->features.dmac_cmn_src_rxbuf_ring_enabled) {
|
||||
if (dp_srng_init(soc, &soc->rx_refill_buf_ring[pdev->lmac_id],
|
||||
RXDMA_BUF, 0, pdev->lmac_id)) {
|
||||
dp_init_err("%pK: dp_srng_init failed rx refill ring",
|
||||
@@ -13363,7 +13365,7 @@ static void dp_pdev_srng_free(struct dp_pdev *pdev)
|
||||
struct dp_soc *soc = pdev->soc;
|
||||
uint8_t i;
|
||||
|
||||
if (!hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc))
|
||||
if (!soc->features.dmac_cmn_src_rxbuf_ring_enabled)
|
||||
dp_srng_free(soc, &soc->rx_refill_buf_ring[pdev->lmac_id]);
|
||||
|
||||
if (!soc->rxdma2sw_rings_not_supported) {
|
||||
@@ -13394,7 +13396,7 @@ static QDF_STATUS dp_pdev_srng_alloc(struct dp_pdev *pdev)
|
||||
soc_cfg_ctx = soc->wlan_cfg_ctx;
|
||||
|
||||
ring_size = wlan_cfg_get_dp_soc_rxdma_refill_ring_size(soc_cfg_ctx);
|
||||
if (!hal_dmac_cmn_src_rxbuf_ring_get(soc->hal_soc)) {
|
||||
if (!soc->features.dmac_cmn_src_rxbuf_ring_enabled) {
|
||||
if (dp_srng_alloc(soc, &soc->rx_refill_buf_ring[pdev->lmac_id],
|
||||
RXDMA_BUF, ring_size, 0)) {
|
||||
dp_init_err("%pK: dp_srng_alloc failed rx refill ring",
|
||||
|
||||
@@ -1701,9 +1701,12 @@ struct dp_arch_ops {
|
||||
/**
|
||||
* struct dp_soc_features: Data structure holding the SOC level feature flags.
|
||||
* @pn_in_reo_dest: PN provided by hardware in the REO destination ring.
|
||||
* @dmac_cmn_src_rxbuf_ring_enabled: Flag to indicate DMAC mode common Rx
|
||||
* buffer source rings
|
||||
*/
|
||||
struct dp_soc_features {
|
||||
uint8_t pn_in_reo_dest;
|
||||
uint8_t pn_in_reo_dest:1,
|
||||
dmac_cmn_src_rxbuf_ring_enabled:1;
|
||||
};
|
||||
|
||||
enum sysfs_printing_mode {
|
||||
|
||||
@@ -1947,7 +1947,6 @@ wlan_cfg_get_rx_rel_ring_id(struct wlan_cfg_dp_soc_ctxt *cfg);
|
||||
void
|
||||
wlan_cfg_set_rx_rel_ring_id(struct wlan_cfg_dp_soc_ctxt *cfg,
|
||||
uint8_t wbm2sw_ring_id);
|
||||
#endif
|
||||
|
||||
#if defined(WLAN_FEATURE_11BE_MLO) && defined(WLAN_MLO_MULTI_CHIP)
|
||||
/**
|
||||
@@ -1983,3 +1982,4 @@ uint8_t
|
||||
wlan_cfg_mlo_lmac_peer_id_msb_get_by_chip_id(struct wlan_cfg_dp_soc_ctxt *cfg,
|
||||
uint8_t chip_id);
|
||||
#endif
|
||||
#endif /*__WLAN_CFG_H*/
|
||||
|
||||
Reference in New Issue
Block a user