samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Handle use-after-free scenario while stopping soft AP

Browse Source 
Currently, driver sets BSS peer and self peer to NULL
only in case of PEER AP/GO. It nither set BSS peer nor self peer
to NULL for GO/AP while de-attaching peers. This results in bss peer
use after free issue while stopping soft AP.

In order to fix this issue, the driver should set bss peer and self
peer to NULL for GO/AP as well.

Fix is to set bss peer and self peer to NULL for both PEER and AP
cases.

Change-Id: I055573c062c5a4e71fef2a699131e10fb6d97d71
CRs-Fixed: 2488371
This commit is contained in:
Abhinav Kumar
2019-07-12 15:00:24 +05:30
committed by nshrivas
parent db49e9de26
commit 8b51c23a16
1 changed files with 19 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
umac/cmn_services/obj_mgr/src/wlan_objmgr_vdev_obj.c
View File

@@ -823,29 +823,26 @@ QDF_STATUS wlan_objmgr_vdev_peer_detach(struct wlan_objmgr_vdev *vdev,
return QDF_STATUS_E_FAILURE;
}
if ((wlan_peer_get_peer_type(peer) == WLAN_PEER_AP) ||
(wlan_peer_get_peer_type(peer) == WLAN_PEER_P2P_GO)) {
if (wlan_vdev_get_selfpeer(vdev) == peer) {
/*
* There might be instances where new node is created
* before deleting existing node, in which case selfpeer
* will be pointing to the new node. So set selfpeer to
* NULL only if vdev->vdev_objmgr.self_peer is pointing
* to the peer processed for deletion
*/
wlan_vdev_set_selfpeer(vdev, NULL);
}
if (wlan_vdev_get_selfpeer(vdev) == peer) {
/*
* There might be instances where new node is created
* before deleting existing node, in which case selfpeer
* will be pointing to the new node. So set selfpeer to
* NULL only if vdev->vdev_objmgr.self_peer is pointing
* to the peer processed for deletion
*/
wlan_vdev_set_selfpeer(vdev, NULL);
}
if (wlan_vdev_get_bsspeer(vdev) == peer) {
/*
* There might be instances where new node is created
* before deleting existing node, in which case bsspeer
* in vdev will be pointing to the new node. So set
* bsspeer to NULL only if vdev->vdev_objmgr.bss_peer is
* pointing to the peer processed for deletion
*/
wlan_vdev_set_bsspeer(vdev, NULL);
}
if (wlan_vdev_get_bsspeer(vdev) == peer) {
/*
* There might be instances where new node is created
* before deleting existing node, in which case bsspeer
* in vdev will be pointing to the new node. So set
* bsspeer to NULL only if vdev->vdev_objmgr.bss_peer is
* pointing to the peer processed for deletion
*/
wlan_vdev_set_bsspeer(vdev, NULL);
}
/* remove peer from vdev's peer list */