qcacld-3.0: Fix use after free for txrx_vdev_handle

In wma_vdev_attach, if peer creation fails, the vdev is detached,
but txrx_vdev_handle is not reset to NULL, so the detached vdev
is still used in cdp_data_tx_cb_set.

Reset txrx_vdev_handle to NULL in wma_vdev_attach if create peer
fails.

Change-Id: Ie3963625ed7206eb1737f5820ec58d84f2ca9084
CRs-Fixed: 2407717
Jingxiang Ge
2019-03-01 12:45:44 +08:00
committed by nshrivas
parent 899cbed508
commit e468bbdada


@@ -2989,6 +2989,7 @@ struct cdp_vdev *wma_vdev_attach(tp_wma_handle wma_handle,
wma_handle->interfaces[vdev_id].vdev_active = false;
wma_cdp_vdev_detach(soc, wma_handle, vdev_id);
wma_handle->interfaces[vdev_id].vdev = NULL;
txrx_vdev_handle = NULL;
goto end;
}
} else if (self_sta_req->type == WMI_VDEV_TYPE_STA) {
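Review bot: The `txrx_vdev_handle = NULL;` before `goto end;` has no comment, so it reads like a dead store and a later cleanup could remove it and bring the use-after-free back. The same applies to the identical line in the second hunk. I would add above each one `/* vdev was released by wma_cdp_vdev_detach(); clear the local so the code after end: cannot use the stale handle */`. The `end:` label and the rest of wma_vdev_attach are outside these hunks, so I cannot confirm that every use of the handle there, including the cdp_data_tx_cb_set call named in the commit message and the function's return value, tolerates NULL; that is worth checking before merging.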
@@ -3005,6 +3006,7 @@ struct cdp_vdev *wma_vdev_attach(tp_wma_handle wma_handle,
wlan_objmgr_vdev_release_ref(vdev, WLAN_LEGACY_WMA_ID);
wma_handle->interfaces[vdev_id].vdev = NULL;
wma_cdp_vdev_detach(soc, wma_handle, vdev_id);
txrx_vdev_handle = NULL;
goto end;
}
}
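Review bot: The teardown order in this failure path differs from the first hunk: here `wma_handle->interfaces[vdev_id].vdev = NULL;` runs before `wma_cdp_vdev_detach(soc, wma_handle, vdev_id);`, while the first path detaches first and clears the field afterwards. If the detach helper looks anything up through `interfaces[vdev_id]` (its body is not visible here), the two paths would behave differently, so it is worth confirming that the order does not matter or aligning the two. Since both paths must now remember the same reset of the local, a small static helper that performs the detach and clears both the interface entry and the caller's handle would keep future error paths from missing it.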