diff options
| author | Mukul Sharma <mukul@qti.qualcomm.com> | 2016-06-27 12:40:58 +0530 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2016-06-28 19:55:21 +0530 |
| commit | 37699ca29a56fb1fec966880d5b875fc12ef6aa5 (patch) | |
| tree | 868ae20b857a910658a347fb0dae82d2a37ab7b0 | |
| parent | ca81ec34ba5901d204c14ba78d9e4a0a62ae8571 (diff) | |
qcacld-2.0: Prevent use after free for packet trace buffer
Currently, Host free the packet trace buffer in the beginning
of hdd_driver_exit. But same freed packet trace buffer is used
during Hdd disconnect handler in MCThread context .
As a part of this fix, Host free packet trace buffer in the end
of hdd_driver_exit which ensure all thread's are stopped at that
moment. Apart from it, add few sanity checks and error logs.
Change-Id: Id574e1309db8d8b01b4765e27b3638bb92c3d5a0
CRs-Fixed: 1028095
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_main.c | 11 | ||||
| -rw-r--r-- | CORE/VOSS/src/vos_packet.c | 17 |
2 files changed, 22 insertions, 6 deletions
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c index 3650b56c2a2a..ec8cd33208e7 100644 --- a/CORE/HDD/src/wlan_hdd_main.c +++ b/CORE/HDD/src/wlan_hdd_main.c @@ -15898,13 +15898,7 @@ static void hdd_driver_exit(void) } vos_wait_for_work_thread_completion(__func__); -#ifdef QCA_PKT_PROTO_TRACE - if (VOS_FTM_MODE != hdd_get_conparam()) - vos_pkt_proto_trace_close(); -#endif /* QCA_PKT_PROTO_TRACE */ - hif_unregister_driver(); - vos_preClose( &pVosContext ); #ifdef TIMER_MANAGER @@ -15918,6 +15912,11 @@ static void hdd_driver_exit(void) wlan_logging_sock_deinit_svc(); #endif +#ifdef QCA_PKT_PROTO_TRACE + if (VOS_FTM_MODE != hdd_get_conparam()) + vos_pkt_proto_trace_close(); +#endif /* QCA_PKT_PROTO_TRACE */ + done: hdd_wlan_wakelock_destroy(); pr_info("%s: driver unloaded\n", WLAN_MODULE_NAME); diff --git a/CORE/VOSS/src/vos_packet.c b/CORE/VOSS/src/vos_packet.c index 9a8179cbdd01..bd18d371b1c6 100644 --- a/CORE/VOSS/src/vos_packet.c +++ b/CORE/VOSS/src/vos_packet.c @@ -315,6 +315,14 @@ void vos_pkt_trace_buf_update VOS_TRACE(VOS_MODULE_ID_VOSS, VOS_TRACE_LEVEL_INFO, "%s %d, %s", __func__, __LINE__, event_string); spin_lock_bh(&trace_buffer_lock); + + if (!trace_buffer) { + VOS_TRACE(VOS_MODULE_ID_VOSS, VOS_TRACE_LEVEL_INFO, + "trace_buffer is already free"); + spin_unlock_bh(&trace_buffer_lock); + return; + } + slot = trace_buffer_order % VOS_PKT_TRAC_MAX_TRACE_BUF; trace_buffer[slot].order = trace_buffer_order; do_gettimeofday(&tv); @@ -342,6 +350,12 @@ void vos_pkt_trace_buf_dump unsigned long local_time; spin_lock_bh(&trace_buffer_lock); + if (!trace_buffer) { + VOS_TRACE(VOS_MODULE_ID_VOSS, VOS_TRACE_LEVEL_INFO, + "trace_buffer is already free"); + spin_unlock_bh(&trace_buffer_lock); + return; + } VOS_TRACE(VOS_MODULE_ID_VOSS, VOS_TRACE_LEVEL_INFO, "PACKET TRACE DUMP START Current Timestamp %u", (unsigned int)vos_timer_get_system_time()); @@ -423,7 +437,10 @@ void vos_pkt_proto_trace_close { VOS_TRACE(VOS_MODULE_ID_VOSS, VOS_TRACE_LEVEL_ERROR, "%s %d", __func__, __LINE__); + spin_lock_bh(&trace_buffer_lock); vos_mem_free(trace_buffer); + trace_buffer = NULL; + spin_unlock_bh(&trace_buffer_lock); return; } |