samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Enhance debug info in rx descriptor

Browse Source 
Add previously freed nbuf and buffer start address info in rx descriptor.
This helps in debugging use after free access of rx buffers.

Change-Id: I1c883bf049ce75dd0413b85946fe2982648d8004
CRs-Fixed: 2827151
This commit is contained in:
Karthik Kantamneni
2020-11-24 11:42:26 +05:30
committed by snandini
parent 9b98e19b51
commit c4845219dc
1 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
dp/wifi3.0/dp_rx.h
View File

@@ -91,12 +91,16 @@ enum dp_rx_desc_state {
* @replenish_caller: name of the function that last * @replenish_caller: name of the function that last
* replenished the rx desc * replenished the rx desc
* @replenish_ts: last replenish timestamp * @replenish_ts: last replenish timestamp
* @prev_nbuf: previous nbuf info
* @prev_nbuf_data_addr: previous nbuf data address
*/ */
struct dp_rx_desc_dbg_info { struct dp_rx_desc_dbg_info {
char freelist_caller[QDF_MEM_FUNC_NAME_SIZE]; char freelist_caller[QDF_MEM_FUNC_NAME_SIZE];
uint64_t freelist_ts; uint64_t freelist_ts;
char replenish_caller[QDF_MEM_FUNC_NAME_SIZE]; char replenish_caller[QDF_MEM_FUNC_NAME_SIZE];
uint64_t replenish_ts; uint64_t replenish_ts;
qdf_nbuf_t prev_nbuf;
uint8_t *prev_nbuf_data_addr;
}; };
#endif /* QCA_HOST_MODE_WIFI_DISABLED */ #endif /* QCA_HOST_MODE_WIFI_DISABLED */
@@ -121,6 +125,7 @@ struct dp_rx_desc_dbg_info {
* @unmapped used to mark rx_desc an unmapped if the corresponding * @unmapped used to mark rx_desc an unmapped if the corresponding
* nbuf is already unmapped * nbuf is already unmapped
* @in_err_state : Nbuf sanity failed for this descriptor. * @in_err_state : Nbuf sanity failed for this descriptor.
* @nbuf_data_addr : VA of nbuf data posted
*/ */
struct dp_rx_desc { struct dp_rx_desc {
qdf_nbuf_t nbuf; qdf_nbuf_t nbuf;
@@ -130,6 +135,7 @@ struct dp_rx_desc {
uint8_t pool_id; uint8_t pool_id;
#ifdef RX_DESC_DEBUG_CHECK #ifdef RX_DESC_DEBUG_CHECK
uint32_t magic; uint32_t magic;
uint8_t *nbuf_data_addr;
struct dp_rx_desc_dbg_info *dbg_info; struct dp_rx_desc_dbg_info *dbg_info;
#endif #endif
uint8_t in_use:1, uint8_t in_use:1,
@@ -806,6 +812,9 @@ void dp_rx_desc_update_dbg_info(struct dp_rx_desc *rx_desc,
qdf_str_lcopy(info->freelist_caller, func_name, qdf_str_lcopy(info->freelist_caller, func_name,
QDF_MEM_FUNC_NAME_SIZE); QDF_MEM_FUNC_NAME_SIZE);
info->freelist_ts = qdf_get_log_timestamp(); info->freelist_ts = qdf_get_log_timestamp();
info->prev_nbuf = rx_desc->nbuf;
info->prev_nbuf_data_addr = rx_desc->nbuf_data_addr;
rx_desc->nbuf_data_addr = NULL;
} }
} }
#else #else
@@ -851,6 +860,8 @@ void __dp_rx_add_to_free_desc_list(union dp_rx_desc_list_elem_t **head,
{ {
qdf_assert(head && new); qdf_assert(head && new);
dp_rx_desc_update_dbg_info(new, func_name, RX_DESC_IN_FREELIST);
new->nbuf = NULL; new->nbuf = NULL;
new->in_use = 0; new->in_use = 0;
@@ -859,8 +870,6 @@ void __dp_rx_add_to_free_desc_list(union dp_rx_desc_list_elem_t **head,
/* reset tail if head->next is NULL */ /* reset tail if head->next is NULL */
if (!*tail || !(*head)->next) if (!*tail || !(*head)->next)
*tail = *head; *tail = *head;
dp_rx_desc_update_dbg_info(new, func_name, RX_DESC_IN_FREELIST);
} }
uint8_t dp_rx_process_invalid_peer(struct dp_soc *soc, qdf_nbuf_t nbuf, uint8_t dp_rx_process_invalid_peer(struct dp_soc *soc, qdf_nbuf_t nbuf,
@@ -1366,6 +1375,7 @@ void dp_rx_desc_prep(struct dp_rx_desc *rx_desc,
rx_desc->magic = DP_RX_DESC_MAGIC; rx_desc->magic = DP_RX_DESC_MAGIC;
rx_desc->nbuf = (nbuf_frag_info_t->virt_addr).nbuf; rx_desc->nbuf = (nbuf_frag_info_t->virt_addr).nbuf;
rx_desc->unmapped = 0; rx_desc->unmapped = 0;
rx_desc->nbuf_data_addr = (uint8_t *)qdf_nbuf_data(rx_desc->nbuf);
} }
/** /**