qcacmn: Validate nbuf while processing MPDU/MSDU level TLVs
nbuf could be freed when some error conditions are hit so always validate nbuf while processing MPDU/MSDU level TLVs. Change-Id: I5e0756bc8ba0a8c68c6ce8d2886b5b63068626a0 CRs-Fixed: 3318966
This commit is contained in:
Jeevan Kukkalli
committed by
Madan Koyyalamudi
Madan Koyyalamudi
부모
7ca1ab9e0f
커밋
b0b3b2a793
@@ -1205,6 +1205,10 @@ uint8_t dp_rx_mon_process_tlv_status(struct dp_pdev *pdev,
|
||||
}
|
||||
|
||||
nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]);
|
||||
if (qdf_unlikely(!nbuf)) {
|
||||
dp_mon_debug("nbuf is NULL");
|
||||
return num_buf_reaped;
|
||||
}
|
||||
|
||||
if (mpdu_info->decap_type == DP_MON_DECAP_FORMAT_INVALID) {
|
||||
/* decap type is invalid, drop the frame */
|
||||
@@ -1305,6 +1309,10 @@ uint8_t dp_rx_mon_process_tlv_status(struct dp_pdev *pdev,
|
||||
break;
|
||||
}
|
||||
nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]);
|
||||
if (qdf_unlikely(!nbuf)) {
|
||||
dp_mon_debug("nbuf is NULL");
|
||||
break;
|
||||
}
|
||||
num_frags = qdf_nbuf_get_nr_frags(nbuf);
|
||||
if (ppdu_info->mpdu_info[user_id].decap_type ==
|
||||
HAL_HW_RX_DECAP_FORMAT_RAW) {
|
||||
@@ -1343,6 +1351,10 @@ uint8_t dp_rx_mon_process_tlv_status(struct dp_pdev *pdev,
|
||||
break;
|
||||
}
|
||||
nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]);
|
||||
if (qdf_unlikely(!nbuf)) {
|
||||
dp_mon_debug("nbuf is NULL");
|
||||
break;
|
||||
}
|
||||
mpdu_meta = (struct hal_rx_mon_mpdu_info *)qdf_nbuf_data(nbuf);
|
||||
mpdu_info = &ppdu_info->mpdu_info[user_id];
|
||||
mpdu_meta->decap_type = mpdu_info->decap_type;
|
||||
@@ -1361,6 +1373,10 @@ uint8_t dp_rx_mon_process_tlv_status(struct dp_pdev *pdev,
|
||||
break;
|
||||
}
|
||||
nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]);
|
||||
if (qdf_unlikely(!nbuf)) {
|
||||
dp_mon_debug("nbuf is NULL");
|
||||
break;
|
||||
}
|
||||
mpdu_meta = (struct hal_rx_mon_mpdu_info *)qdf_nbuf_data(nbuf);
|
||||
mpdu_meta->mpdu_length_err = mpdu_info->mpdu_length_err;
|
||||
mpdu_meta->fcs_err = mpdu_info->fcs_err;
|
||||
|
||||
@@ -1805,12 +1805,21 @@ __qdf_nbuf_queue_insert_head(__qdf_nbuf_queue_t *qhead, __qdf_nbuf_t skb)
|
||||
qhead->qlen++;
|
||||
}
|
||||
|
||||
/**
|
||||
* __qdf_nbuf_queue_remove_last() - remove a skb from the tail of the queue
|
||||
* @qhead: Queue head
|
||||
*
|
||||
* This is a lockless version. Driver should take care of the locks
|
||||
*
|
||||
* Return: skb or NULL
|
||||
*/
|
||||
static inline struct sk_buff *
|
||||
__qdf_nbuf_queue_remove_last(__qdf_nbuf_queue_t *qhead)
|
||||
{
|
||||
__qdf_nbuf_t tmp_tail, node = NULL;
|
||||
|
||||
if (qhead->head) {
|
||||
qhead->qlen--;
|
||||
tmp_tail = qhead->tail;
|
||||
node = qhead->head;
|
||||
if (qhead->head == qhead->tail) {
|
||||
|
||||
Reference in New Issue
Block a user