From c1b9dcf73439b173a3ac6dba100b6e2bc82782e2 Mon Sep 17 00:00:00 2001
From: Karthik Kantamneni
Date: Fri, 27 Jul 2018 13:30:04 +0530
Subject: [PATCH] qcacmn: Fix invalid memory access while adding napi
When new napi is added unique napi_id is assigned and an entry is allocated in kernel napi hash table of size 256, vice versa napi del will remove the entry from hash table. Currently during driver unload dummy rx napi's(added for GRO case) are not deleted which causes resource leakage in kernel napi hash table. While adding new napi if napi_id exceeds hash table size, then entry from zero index is accessed to find unclaimed hash entry which trigger invalid entry access since previous driver unload did not delete napis properly. In use case where multiple wlan driver instances are used this issue can be quickly reproducible since it triggers napi_id to exceed hash table size within less number of driver load/unload. Fix is to delete rx dummy napi's during driver unload
Change-Id: Idfb24c5c09ebc131c2b19d894d08a8ea34675ed6
CRs-Fixed: 2288118
---
 hif/src/hif_napi.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/hif/src/hif_napi.c b/hif/src/hif_napi.c
index c04a54c873..796a08b9c7 100644
--- a/hif/src/hif_napi.c
+++ b/hif/src/hif_napi.c
@@ -82,10 +82,25 @@ static void hif_init_rx_thread_napi(struct qca_napi_info *napii)
 hif_rxthread_napi_poll, 64);
 napi_enable(&napii->rx_thread_napi);
 }
+
+/**
+ * hif_deinit_rx_thread_napi() - Deinitialize dummy Rx_thread NAPI
+ * @napii: Handle to napi_info holding rx_thread napi
+ *
+ * Return: None
+ */
+static void hif_deinit_rx_thread_napi(struct qca_napi_info *napii)
+{
+ netif_napi_del(&napii->rx_thread_napi);
+}
 #else /* RECEIVE_OFFLOAD */
 static void hif_init_rx_thread_napi(struct qca_napi_info *napii)
 {
 }
+
+static void hif_deinit_rx_thread_napi(struct qca_napi_info *napii)
+{
+}
 #endif
 
 /**
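Review bot: The new hif_deinit_rx_thread_napi() calls netif_napi_del() on a NAPI that the init path, visible in the context lines just above it, leaves enabled with `napi_enable(&napii->rx_thread_napi);`, and nothing in the hunk disables it before the delete. If the rx thread can still schedule that NAPI when hif_napi_destroy() runs, deleting it while enabled can race with an in-flight poll on the state netif_napi_del() tears down; the usual kernel sequence is napi_disable() then netif_napi_del(), which also makes the teardown mirror the setup. Unless the caller already disables rx_thread_napi somewhere before this point (not visible here), I would make the body `napi_disable(&napii->rx_thread_napi);` followed by `netif_napi_del(&napii->rx_thread_napi);`. The kernel-doc should also say why this exists, e.g. `Disables and unregisters the dummy rx_thread NAPI registered by hif_init_rx_thread_napi(); skipping it on unload leaks the kernel napi hash entry.` hif_init_rx_thread_napi() begins outside the hunk, so whether its netif_napi_add() path can return without reaching napi_enable() cannot be checked from here.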
@@ -373,6 +388,7 @@ int hif_napi_destroy(struct hif_opaque_softc *hif_ctx,
 qdf_lro_deinit(napii->lro_ctx);
 netif_napi_del(&(napii->napi));
+ hif_deinit_rx_thread_napi(napii);
 napid->ce_map &= ~(0x01 << ce);
 napid->napis[ce] = NULL;