samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: fix use after free in WDS aging timer

Browse Source 
In case of pdev attach failure reset pdev reference in
soc->pdev_list to NULL before free to avoid use after
free

Also initialize WDS aging timer only when ast hash is
allocated

Change-Id: I6a406bd94aa46a95d9e5bb970ae83b3dfde29d0a
This commit is contained in:
Chaithanya Garrepalli
2021-01-15 20:51:29 +05:30
committed by snandini
parent b52ff8c14b
commit 76d4ea4287
2 changed files with 11 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
dp/wifi3.0/dp_main.c
View File

@@ -3150,15 +3150,6 @@ void dp_link_desc_ring_replenish(struct dp_soc *soc, uint32_t mac_id)
#endif /* CONFIG_WIFI_EMULATION_WIFI_3_0 */ #endif /* CONFIG_WIFI_EMULATION_WIFI_3_0 */
#endif /* IPA_OFFLOAD */ #endif /* IPA_OFFLOAD */
#ifndef FEATURE_WDS
static void dp_soc_wds_attach(struct dp_soc *soc)
{
}
static void dp_soc_wds_detach(struct dp_soc *soc)
{
}
#endif
/* /*
* dp_soc_reset_ring_map() - Reset cpu ring map * dp_soc_reset_ring_map() - Reset cpu ring map
* @soc: Datapath soc handler * @soc: Datapath soc handler
@@ -4386,6 +4377,7 @@ fail3:
fail2: fail2:
wlan_cfg_pdev_detach(pdev->wlan_cfg_ctx); wlan_cfg_pdev_detach(pdev->wlan_cfg_ctx);
fail1: fail1:
soc->pdev_list[pdev_id] = NULL;
qdf_mem_free(pdev); qdf_mem_free(pdev);
fail0: fail0:
return QDF_STATUS_E_FAILURE; return QDF_STATUS_E_FAILURE;
@@ -4816,8 +4808,6 @@ static void dp_soc_deinit(void *txrx_soc)
qdf_nbuf_queue_free(&soc->htt_stats.msg); qdf_nbuf_queue_free(&soc->htt_stats.msg);
dp_soc_wds_detach(soc);
qdf_spinlock_destroy(&soc->rx.defrag.defrag_lock); qdf_spinlock_destroy(&soc->rx.defrag.defrag_lock);
qdf_spinlock_destroy(&soc->vdev_map_lock); qdf_spinlock_destroy(&soc->vdev_map_lock);
@@ -12392,8 +12382,6 @@ void *dp_soc_init(struct dp_soc *soc, HTC_HANDLE htc_handle,
qdf_atomic_set(&soc->cmn_init_done, 1); qdf_atomic_set(&soc->cmn_init_done, 1);
dp_soc_wds_attach(soc);
qdf_nbuf_queue_init(&soc->htt_stats.msg); qdf_nbuf_queue_init(&soc->htt_stats.msg);
qdf_spinlock_create(&soc->ast_lock); qdf_spinlock_create(&soc->ast_lock);

10
dp/wifi3.0/dp_peer.c
View File

@@ -67,6 +67,14 @@ dp_peer_ast_free_in_unmap_supported(struct dp_soc *soc,
{ {
return false; return false;
} }
static void dp_soc_wds_attach(struct dp_soc *soc)
{
}
static void dp_soc_wds_detach(struct dp_soc *soc)
{
}
#endif #endif
static inline void static inline void
@@ -1831,6 +1839,7 @@ int dp_peer_find_attach(struct dp_soc *soc)
return 1; return 1;
} }
dp_soc_wds_attach(soc);
return 0; /* success */ return 0; /* success */
} }
@@ -2166,6 +2175,7 @@ dp_rx_peer_unmap_handler(struct dp_soc *soc, uint16_t peer_id,
void void
dp_peer_find_detach(struct dp_soc *soc) dp_peer_find_detach(struct dp_soc *soc)
{ {
dp_soc_wds_detach(soc);
dp_peer_find_map_detach(soc); dp_peer_find_map_detach(soc);
dp_peer_find_hash_detach(soc); dp_peer_find_hash_detach(soc);
dp_peer_ast_hash_detach(soc); dp_peer_ast_hash_detach(soc);