samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix use-after-free issue in hal_srng_cleanup

Browse Source 
hal_srng_cleanup was called from dp_srng_cleanup after the
hal_soc was freed.
Move the call to dp_srng_deinit where the memory is still
valid.

Change-Id: Ida25ee48e527b5139fc05cd85c5634e70965ccd0
CRs-Fixed: 2367332
This commit is contained in:
Vinay Adella
2018-12-14 20:31:49 +05:30
committed by nshrivas
parent 5a453d8d40
commit a06e8c8bfb
1 changed files with 28 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
dp/wifi3.0/dp_main.c
View File

@@ -1245,6 +1245,15 @@ static int dp_srng_setup(struct dp_soc *soc, struct dp_srng *srng,
static void dp_srng_deinit(struct dp_soc *soc, struct dp_srng *srng, static void dp_srng_deinit(struct dp_soc *soc, struct dp_srng *srng,
int ring_type, int ring_num) int ring_type, int ring_num)
{ {
if (!srng->hal_srng) {
QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR,
FL("Ring type: %d, num:%d not setup"),
ring_type, ring_num);
return;
}
hal_srng_cleanup(soc->hal_soc, srng->hal_srng);
srng->hal_srng = NULL;
} }
/** /**
@@ -1255,20 +1264,27 @@ static void dp_srng_deinit(struct dp_soc *soc, struct dp_srng *srng,
static void dp_srng_cleanup(struct dp_soc *soc, struct dp_srng *srng, static void dp_srng_cleanup(struct dp_soc *soc, struct dp_srng *srng,
int ring_type, int ring_num) int ring_type, int ring_num)
{ {
if (!srng->hal_srng) { if (!soc->dp_soc_reinit) {
QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR, if (!srng->hal_srng && (srng->alloc_size == 0)) {
FL("Ring type: %d, num:%d not setup"), QDF_TRACE(QDF_MODULE_ID_DP, QDF_TRACE_LEVEL_ERROR,
ring_type, ring_num); FL("Ring type: %d, num:%d not setup"),
return; ring_type, ring_num);
return;
}
if (srng->hal_srng) {
hal_srng_cleanup(soc->hal_soc, srng->hal_srng);
srng->hal_srng = NULL;
}
} }
hal_srng_cleanup(soc->hal_soc, srng->hal_srng); if (srng->alloc_size) {
qdf_mem_free_consistent(soc->osdev, soc->osdev->dev,
qdf_mem_free_consistent(soc->osdev, soc->osdev->dev, srng->alloc_size,
srng->alloc_size, srng->base_vaddr_unaligned,
srng->base_vaddr_unaligned, srng->base_paddr_unaligned, 0);
srng->base_paddr_unaligned, 0); srng->alloc_size = 0;
srng->hal_srng = NULL; }
} }
/* TODO: Need this interface from HIF */ /* TODO: Need this interface from HIF */