qcacld-3.0: Fix stack corruption in beacon request table mode

When a beacon report request is received from the AP in table mode,
sme_rrm_issue_scan_req() is called recursively until scan results
in all channels for that country code are reached. In 6GHz, the
number of channels is high, and recursively calling
sme_rrm_issue_scan_req() for that many channels causes stack
corruption.

Remove recursive call to the function sme_rrm_issue_scan_req.
Instead, loop all the frequencies in the list and send
scan results on those channels.

Change-Id: Id75d00cfc98fcf218c6b1f85da3270e210697403
CRs-Fixed: 2654375
Pragaspathi Thilagaraj
2020-04-01 00:57:24 +05:30
committed by nshrivas
parent 75a52a432a
commit bc52a55500


@@ -498,7 +498,8 @@ static QDF_STATUS sme_rrm_send_scan_result(struct mac_context *mac_ctx,
filter, &result_handle); filter, &result_handle);
qdf_mem_free(filter); qdf_mem_free(filter);
sme_debug("RRM Measurement Done %d", measurementdone); sme_debug("RRM Measurement Done %d for index:%d",
measurementdone, measurement_index);
if (!result_handle) { if (!result_handle) {
/* /*
* no scan results * no scan results
@@ -848,7 +849,7 @@ sme_rrm_issue_scan_req(struct mac_context *mac_ctx, uint8_t idx)
scan_type = sme_rrm_ctx->measMode[0]; scan_type = sme_rrm_ctx->measMode[0];
if ((eSIR_ACTIVE_SCAN == scan_type) || if ((eSIR_ACTIVE_SCAN == scan_type) ||
(eSIR_PASSIVE_SCAN == scan_type)) { (eSIR_PASSIVE_SCAN == scan_type)) {
uint32_t max_chan_time; uint32_t max_chan_time;
uint64_t current_time; uint64_t current_time;
struct scan_start_request *req; struct scan_start_request *req;
@@ -981,25 +982,34 @@ sme_rrm_issue_scan_req(struct mac_context *mac_ctx, uint8_t idx)
*/ */
rrm_scan_timer = 0; rrm_scan_timer = 0;
freq_list = sme_rrm_ctx->channelList.freq_list; freq_list = sme_rrm_ctx->channelList.freq_list;
if (!freq_list) {
sme_err("[802.11 RRM]: Global freq list is null");
sme_reset_ese_bcn_req_in_progress(sme_rrm_ctx);
status = QDF_STATUS_E_FAILURE;
goto send_ind;
}
ch_idx = sme_rrm_ctx->currentIndex; ch_idx = sme_rrm_ctx->currentIndex;
if ((ch_idx + 1) < sme_rrm_ctx->channelList.numOfChannels) { for (; ch_idx < sme_rrm_ctx->channelList.numOfChannels; ch_idx++) {
sme_rrm_send_scan_result(mac_ctx, idx, 1, if ((ch_idx + 1) <
&freq_list[ch_idx], false); sme_rrm_ctx->channelList.numOfChannels) {
/* Advance the current index. */ sme_rrm_send_scan_result(mac_ctx, idx, 1,
sme_rrm_ctx->currentIndex++; &freq_list[ch_idx],
sme_rrm_issue_scan_req(mac_ctx, idx); false);
#ifdef FEATURE_WLAN_ESE /* Advance the current index. */
sme_rrm_ctx->eseBcnReqInProgress = false; sme_rrm_ctx->currentIndex++;
#endif } else {
return status; /*
} else { * Done with the measurement. Clean up all
/* * context and send a message to PE with
* Done with the measurement. Clean up all context and * measurement done flag set.
* send a message to PE with measurement done flag set. */
*/ sme_rrm_send_scan_result(mac_ctx, idx, 1,
sme_rrm_send_scan_result(mac_ctx, idx, 1, &freq_list[ch_idx],
&freq_list[ch_idx], true); true);
goto free_ch_lst; sme_reset_ese_bcn_req_in_progress(sme_rrm_ctx);
goto free_ch_lst;
}
} }
} }
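Review bot: The new `for` loop in sme_rrm_issue_scan_req has no path for `currentIndex` already being at or beyond `channelList.numOfChannels` (including an empty list): the body never runs, so neither the measurement-done call to sme_rrm_send_scan_result nor sme_reset_ese_bcn_req_in_progress is reached, and control falls through to code outside this hunk. Because this path runs in response to a beacon request from the AP (per the commit message), I would handle that case explicitly before the loop, mirroring the `!freq_list` branch: `if (ch_idx >= sme_rrm_ctx->channelList.numOfChannels) { sme_reset_ese_bcn_req_in_progress(sme_rrm_ctx); status = QDF_STATUS_E_FAILURE; goto send_ind; }`. The QDF_STATUS returned by sme_rrm_send_scan_result is also discarded on both calls inside the loop, so a failed report on one channel is invisible to the caller; at minimum it should be logged with the channel index. The function body and the `send_ind` and `free_ch_lst` labels lie outside the hunk, so the fall-through behaviour should be confirmed there.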