qcacmn: Validate nbuf while processing MPDU/MSDU level TLVs

nbuf could be freed when some error conditions are hit so
always validate nbuf while processing MPDU/MSDU level TLVs.

Change-Id: I5e0756bc8ba0a8c68c6ce8d2886b5b63068626a0
CRs-Fixed: 3318966
Jeevan Kukkalli
2022-11-17 15:27:19 +05:30
committed by Madan Koyyalamudi
parent 7ca1ab9e0f
commit b0b3b2a793
2 changed files with 25 additions and 0 deletions


@@ -1205,6 +1205,10 @@ uint8_t dp_rx_mon_process_tlv_status(struct dp_pdev *pdev,
} }
nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]); nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]);
if (qdf_unlikely(!nbuf)) {
dp_mon_debug("nbuf is NULL");
return num_buf_reaped;
}
if (mpdu_info->decap_type == DP_MON_DECAP_FORMAT_INVALID) { if (mpdu_info->decap_type == DP_MON_DECAP_FORMAT_INVALID) {
/* decap type is invalid, drop the frame */ /* decap type is invalid, drop the frame */
@@ -1305,6 +1309,10 @@ uint8_t dp_rx_mon_process_tlv_status(struct dp_pdev *pdev,
break; break;
} }
nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]); nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]);
if (qdf_unlikely(!nbuf)) {
dp_mon_debug("nbuf is NULL");
break;
}
num_frags = qdf_nbuf_get_nr_frags(nbuf); num_frags = qdf_nbuf_get_nr_frags(nbuf);
if (ppdu_info->mpdu_info[user_id].decap_type == if (ppdu_info->mpdu_info[user_id].decap_type ==
HAL_HW_RX_DECAP_FORMAT_RAW) { HAL_HW_RX_DECAP_FORMAT_RAW) {
@@ -1343,6 +1351,10 @@ uint8_t dp_rx_mon_process_tlv_status(struct dp_pdev *pdev,
break; break;
} }
nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]); nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]);
if (qdf_unlikely(!nbuf)) {
dp_mon_debug("nbuf is NULL");
break;
}
mpdu_meta = (struct hal_rx_mon_mpdu_info *)qdf_nbuf_data(nbuf); mpdu_meta = (struct hal_rx_mon_mpdu_info *)qdf_nbuf_data(nbuf);
mpdu_info = &ppdu_info->mpdu_info[user_id]; mpdu_info = &ppdu_info->mpdu_info[user_id];
mpdu_meta->decap_type = mpdu_info->decap_type; mpdu_meta->decap_type = mpdu_info->decap_type;
@@ -1361,6 +1373,10 @@ uint8_t dp_rx_mon_process_tlv_status(struct dp_pdev *pdev,
break; break;
} }
nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]); nbuf = qdf_nbuf_queue_last(&ppdu_info->mpdu_q[user_id]);
if (qdf_unlikely(!nbuf)) {
dp_mon_debug("nbuf is NULL");
break;
}
mpdu_meta = (struct hal_rx_mon_mpdu_info *)qdf_nbuf_data(nbuf); mpdu_meta = (struct hal_rx_mon_mpdu_info *)qdf_nbuf_data(nbuf);
mpdu_meta->mpdu_length_err = mpdu_info->mpdu_length_err; mpdu_meta->mpdu_length_err = mpdu_info->mpdu_length_err;
mpdu_meta->fcs_err = mpdu_info->fcs_err; mpdu_meta->fcs_err = mpdu_info->fcs_err;
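Review bot: The NULL guard in the first hunk exits dp_rx_mon_process_tlv_status with `return num_buf_reaped;`, while the three later guards use `break;`, so whatever the function does after the enclosing block is skipped only on that one path. The function body continues outside these hunks, so please confirm that nothing after it has to run there, or use `break;` as in the other cases. All four guards log the same `dp_mon_debug("nbuf is NULL");`, which cannot tell the TLV cases apart; naming the TLV and `user_id` in each message would make a dropped frame traceable. The check only catches an empty `mpdu_q[user_id]`, so it presumably relies on the error path removing the nbuf from the queue before freeing it; a short comment such as `/* queue may be empty if an earlier error path dropped this MPDU */` would record that assumption.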


@@ -1805,12 +1805,21 @@ __qdf_nbuf_queue_insert_head(__qdf_nbuf_queue_t *qhead, __qdf_nbuf_t skb)
qhead->qlen++; qhead->qlen++;
} }
/**
* __qdf_nbuf_queue_remove_last() - remove a skb from the tail of the queue
* @qhead: Queue head
*
* This is a lockless version. Driver should take care of the locks
*
* Return: skb or NULL
*/
static inline struct sk_buff * static inline struct sk_buff *
__qdf_nbuf_queue_remove_last(__qdf_nbuf_queue_t *qhead) __qdf_nbuf_queue_remove_last(__qdf_nbuf_queue_t *qhead)
{ {
__qdf_nbuf_t tmp_tail, node = NULL; __qdf_nbuf_t tmp_tail, node = NULL;
if (qhead->head) { if (qhead->head) {
qhead->qlen--;
tmp_tail = qhead->tail; tmp_tail = qhead->tail;
node = qhead->head; node = qhead->head;
if (qhead->head == qhead->tail) { if (qhead->head == qhead->tail) {