
qcacld-3.0: Fix race condition when fill mlo_ie in beacon template

When the scheduler thread copies mlo_ie from pe_session into the beacon
template while hostapd updates the EDCA params based on STA/SAP concurrency
(which zeroes and rewrites mlo_ie in pe_session for the beacon template as
well), an OOB access happens because of this race condition.

To fix it, serialize beacon template update to schedule thread.
Add length check to avoid OOB.

Change-Id: I756ea99e1f6c7280fb68acb8e0982b415dcb7ab6
CRs-Fixed: 3694478
Jianmin Zhu 1 year ago
parent
commit
6cf7f7aaec
2 changed files with 8 additions and 7 deletions
  1. 6 1
      core/mac/src/pe/lim/lim_mlo.c
  2. 2 6
      core/mac/src/pe/lim/lim_utils.c

+ 6 - 1
core/mac/src/pe/lim/lim_mlo.c

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2021, The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -1065,6 +1065,11 @@ QDF_STATUS lim_fill_complete_mlo_ie(struct pe_session *session,
 	target[consumed++] = buf[index++];
 	target[consumed++] = buf[index++];
 	mlo_ie_total_len = pbuf - buf - MIN_IE_LEN;
+	if (mlo_ie_total_len > total_len - MIN_IE_LEN) {
+		pe_err("Invalid len: %u, %u", mlo_ie_total_len, total_len);
+		qdf_mem_free(buf);
+		return QDF_STATUS_E_INVAL;
+	}
 
 	for (i = 0; i < mlo_ie_total_len; i++) {
 		if (i && (i % WLAN_MAX_IE_LEN) == 0) {
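Review bot: The new guard after `mlo_ie_total_len = pbuf - buf - MIN_IE_LEN;` evaluates `total_len - MIN_IE_LEN` without first checking that total_len is at least MIN_IE_LEN; if total_len is unsigned (the `%u` in the pe_err suggests so) a smaller value wraps to a huge bound and the check passes for any length. Suggest `if (total_len < MIN_IE_LEN || mlo_ie_total_len > total_len - MIN_IE_LEN) {` so the short-buffer case is rejected as well. The same concern applies to `pbuf - buf - MIN_IE_LEN` one line earlier: if pbuf has advanced fewer than MIN_IE_LEN bytes the negative difference is stored into what appears to be an unsigned variable. The two `target[consumed++]` writes at the top of the hunk also happen before this check, so unless they are bounded elsewhere the check comes too late for them; lim_fill_complete_mlo_ie starts and continues outside the hunk, so that may already be covered.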

+ 2 - 6
core/mac/src/pe/lim/lim_utils.c

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2011-2021 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -5352,7 +5352,6 @@ static void lim_check_conc_and_send_edca(struct mac_context *mac,
 	bool params_update_required = false;
 	uint8_t i;
 	tpDphHashNode sta_ds = NULL;
-	QDF_STATUS status;
 	uint16_t assoc_id;
 
 	if (sta_session && sap_session &&
@@ -5419,10 +5418,7 @@ static void lim_check_conc_and_send_edca(struct mac_context *mac,
 				     sap_session->vdev_id, false);
 
 		sap_session->gLimEdcaParamSetCount++;
-		status = sch_set_fixed_beacon_fields(mac, sap_session);
-		if (QDF_IS_STATUS_ERROR(status))
-			pe_debug("Unable to set beacon fields!");
-
+		csr_update_beacon(mac);
 	} else if (!sap_session && sta_session) {
 	/*
 	 * Enable A-EDCA for standalone STA. The original EDCA parameters are
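Review bot: `csr_update_beacon(mac);` replaces a call whose return status was checked and logged, and the new call's result is discarded; if csr_update_beacon can report failure (its signature is not visible here) the "Unable to set beacon fields!" diagnostic is lost, so either check its status or note that it is void. The reason for the switch — the template must be rebuilt on the scheduler thread rather than from this path, which races with the scheduler thread copying mlo_ie out of pe_session — lives only in the commit message; a comment such as `/* Post the beacon update to the scheduler thread: rebuilding the template here races with the sch copy of mlo_ie from pe_session */` would keep a later cleanup from reinstating the direct sch_set_fixed_beacon_fields call. lim_check_conc_and_send_edca starts and ends outside the hunk.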