samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
派生 0
代码 工单 合并请求 工作流 软件包 项目 发布 百科 活动

qcacmn: Fix bss peer use after free in stats

浏览代码 
wlan_vdev_get_bsspeer() return bss peer without taking the ref count
of the peer and thus if peer is deleted after wlan_vdev_get_bsspeer()
returns a valid peer, the caller will have stale entry of the peer.
Stale entry of peer can lead to Assert.

Use wlan_objmgr_vdev_try_get_bsspeer API for stats to get the BSS
peer which increment the refcount if peer is valid. With this the
peer won't be deleted till the caller release the ref count of the
peer.

Change-Id: I3690f1309cbc7643ed55d8e903814b06f9d8755f
CRs-Fixed: 2454080
这个提交包含在:
sheenam monga
2019-05-20 16:31:44 +05:30
提交者 nshrivas
父节点 5b8283fe08
当前提交 d74e1fdc5f
修改 3 个文件,包含 10 行新增4 行删除
下载 Patch 文件 下载 Diff 文件 展开所有文件 折叠所有文件

8
os_if/linux/cp_stats/src/wlan_cfg80211_mc_cp_stats.c
查看文件

@@ -254,13 +254,15 @@ int wlan_cfg80211_mc_cp_stats_get_tx_power(struct wlan_objmgr_vdev *vdev,
info.u.get_tx_power_cb = get_tx_power_cb;
info.vdev_id = wlan_vdev_get_id(vdev);
info.pdev_id = wlan_objmgr_pdev_get_pdev_id(wlan_vdev_get_pdev(vdev));
peer = wlan_vdev_get_bsspeer(vdev);
peer = wlan_objmgr_vdev_try_get_bsspeer(vdev, WLAN_CP_STATS_ID);
if (!peer) {
ret = -EINVAL;
goto peer_is_null;
}
qdf_mem_copy(info.peer_mac_addr, peer->macaddr, QDF_MAC_ADDR_SIZE);
wlan_objmgr_peer_release_ref(peer, WLAN_CP_STATS_ID);
status = ucfg_mc_cp_stats_send_stats_request(vdev,
TYPE_CONNECTION_TX_POWER,
&info);
@@ -506,7 +508,7 @@ wlan_cfg80211_mc_cp_stats_get_station_stats(struct wlan_objmgr_vdev *vdev,
info.u.get_station_stats_cb = get_station_stats_cb;
info.vdev_id = wlan_vdev_get_id(vdev);
info.pdev_id = wlan_objmgr_pdev_get_pdev_id(wlan_vdev_get_pdev(vdev));
peer = wlan_vdev_get_bsspeer(vdev);
peer = wlan_objmgr_vdev_try_get_bsspeer(vdev, WLAN_CP_STATS_ID);
if (!peer) {
cfg80211_err("peer is null");
*errno = -EINVAL;
@@ -514,6 +516,8 @@ wlan_cfg80211_mc_cp_stats_get_station_stats(struct wlan_objmgr_vdev *vdev,
}
qdf_mem_copy(info.peer_mac_addr, peer->macaddr, QDF_MAC_ADDR_SIZE);
wlan_objmgr_peer_release_ref(peer, WLAN_CP_STATS_ID);
status = ucfg_mc_cp_stats_send_stats_request(vdev, TYPE_STATION_STATS,
&info);
if (QDF_IS_STATUS_ERROR(status)) {