samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Avoid possible NULL pointer dereference of msdu_ext_desc

Browse Source 
tso_desc is assigned to msdu_ext_desc in dp_tx_prepare_desc
for TSO packet even before msdu_ext_desc is configured which
could result in NULL pointer dereference.

Fix is to set the tso_desc and tso_num_desc in msdu_ext_desc
post dp_tx_prepare_ext_desc.

Change-Id: I62279c94ea7037b3f6a92644ae7eb6a5e63631f6
CRs-Fixed: 3083846
This commit is contained in:
Yeshwanth Sriram Guntuka
2021-11-29 12:49:29 +05:30
committed by Madan Koyyalamudi
parent 5afdccab42
commit eb82e858a6
1 changed files with 11 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
dp/wifi3.0/dp_tx.c
View File

@@ -499,15 +499,16 @@ dp_tx_desc_release(struct dp_tx_desc_s *tx_desc, uint8_t desc_pool_id)
dp_tx_outstanding_dec(pdev);
if (tx_desc->frm_type == dp_tx_frm_tso)
dp_tx_tso_desc_release(soc, tx_desc);
if (tx_desc->msdu_ext_desc) {
if (tx_desc->frm_type == dp_tx_frm_tso)
dp_tx_tso_desc_release(soc, tx_desc);
if (tx_desc->flags & DP_TX_DESC_FLAG_ME)
dp_tx_me_free_buf(tx_desc->pdev,
tx_desc->msdu_ext_desc->me_buffer);
if (tx_desc->flags & DP_TX_DESC_FLAG_FRAG)
dp_tx_ext_desc_free(soc, tx_desc->msdu_ext_desc, desc_pool_id);
if (tx_desc->flags & DP_TX_DESC_FLAG_ME)
dp_tx_me_free_buf(tx_desc->pdev, tx_desc->msdu_ext_desc->
me_buffer);
}
if (tx_desc->flags & DP_TX_DESC_FLAG_TO_FW)
qdf_atomic_dec(&soc->num_tx_exception);
@@ -1202,9 +1203,6 @@ static struct dp_tx_desc_s *dp_tx_prepare_desc(struct dp_vdev *vdev,
tx_desc->vdev_id = vdev->vdev_id;
tx_desc->pdev = pdev;
tx_desc->pkt_offset = 0;
tx_desc->msdu_ext_desc->tso_desc = msdu_info->u.tso_info.curr_seg;
tx_desc->msdu_ext_desc->tso_num_desc = msdu_info->u.tso_info.
tso_num_seg_list;
dp_tx_trace_pkt(soc, nbuf, tx_desc->id, vdev->vdev_id);
@@ -1227,6 +1225,9 @@ static struct dp_tx_desc_s *dp_tx_prepare_desc(struct dp_vdev *vdev,
tx_desc->msdu_ext_desc = msdu_ext_desc;
tx_desc->flags |= DP_TX_DESC_FLAG_FRAG;
msdu_ext_desc->tso_desc = msdu_info->u.tso_info.curr_seg;
msdu_ext_desc->tso_num_desc = msdu_info->u.tso_info.tso_num_seg_list;
tx_desc->dma_addr = msdu_ext_desc->paddr;
if (msdu_ext_desc->flags & DP_TX_EXT_DESC_FLAG_METADATA_VALID)