diff options
| author | Hong Shi <hongsh@codeaurora.org> | 2017-01-20 05:26:27 +0800 |
|---|---|---|
| committer | Hong Shi <hongsh@codeaurora.org> | 2017-01-20 06:43:04 +0800 |
| commit | 4104edce723596c7789b6e5f4ed21ca6abb37b2c (patch) | |
| tree | 6241dd4f4e3687b33cf6460a1e4c4df12debc267 | |
| parent | b86cddd1841fea9262aff09666485cf0b5194201 (diff) | |
qcacld-2.0: Fix potential crash in monitor mode
This change fix a potential crash in monitor mode. In monitor
mode rx handler, it need to check if peer reference count is 0 first
before increasing peer reference count and using it. Otherwise, it may
crash due to double free.
Change-Id: I5cd7c140b4486c563a9dbeb04364408668f1e437
CRs-Fixed: 1113705
| -rw-r--r-- | CORE/CLD_TXRX/TXRX/ol_rx.c | 9 | ||||
| -rw-r--r-- | CORE/CLD_TXRX/TXRX/ol_txrx.c | 10 |
2 files changed, 11 insertions, 8 deletions
diff --git a/CORE/CLD_TXRX/TXRX/ol_rx.c b/CORE/CLD_TXRX/TXRX/ol_rx.c index fdc84ba4a5db..c5034ae815cf 100644 --- a/CORE/CLD_TXRX/TXRX/ol_rx.c +++ b/CORE/CLD_TXRX/TXRX/ol_rx.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011-2016 The Linux Foundation. All rights reserved. + * Copyright (c) 2011-2017 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -253,12 +253,13 @@ ol_rx_mon_indication_handler( htt_pdev = pdev->htt_pdev; + adf_os_spin_lock_bh(&pdev->peer_ref_mutex); peer = pdev->self_peer; - if (peer) { - adf_os_atomic_inc(&peer->ref_cnt); - vdev = peer->vdev; + adf_os_atomic_inc(&peer->ref_cnt); + vdev = peer->vdev; } + adf_os_spin_unlock_bh(&pdev->peer_ref_mutex); for (mpdu_range = 0; mpdu_range < num_mpdu_ranges; mpdu_range++) { enum htt_rx_status status; diff --git a/CORE/CLD_TXRX/TXRX/ol_txrx.c b/CORE/CLD_TXRX/TXRX/ol_txrx.c index 9d005492e3b2..a8afc9923550 100644 --- a/CORE/CLD_TXRX/TXRX/ol_txrx.c +++ b/CORE/CLD_TXRX/TXRX/ol_txrx.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2011-2016 The Linux Foundation. All rights reserved. + * Copyright (c) 2011-2017 The Linux Foundation. All rights reserved. * * Previously licensed under the ISC license by Qualcomm Atheros, Inc. * @@ -1737,6 +1737,11 @@ ol_txrx_peer_unref_delete(ol_txrx_peer_handle peer) peer->mac_addr.raw[2], peer->mac_addr.raw[3], peer->mac_addr.raw[4], peer->mac_addr.raw[5]); + /* set self_peer to null, otherwise may crash when unload driver */ + if (peer == pdev->self_peer && + VOS_MONITOR_MODE == vos_get_conparam()) + pdev->self_peer = NULL; + peer_id = peer->local_id; /* remove the reference to the peer from the hash table */ ol_txrx_peer_find_hash_remove(pdev, peer); @@ -1842,9 +1847,6 @@ ol_txrx_peer_unref_delete(ol_txrx_peer_handle peer) } adf_os_mem_free(peer); - /* set self_peer to null, otherwise may crash when unload driver */ - if (VOS_MONITOR_MODE == vos_get_conparam()) - pdev->self_peer = NULL; } else { adf_os_spin_unlock_bh(&pdev->peer_ref_mutex); } |