| author | Amar Singhal <asinghal@qca.qualcomm.com> | 2015-09-23 10:18:53 -0700 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2015-10-08 15:38:11 +0530 |
| commit | 5249eb625c3d4aa4d68371c0678ffc674eee0970 (patch) | |
| tree | c1123ce80278a4156ef7a6bb8a1c9b7b31f66069 | |
| parent | 56d9ab955cd6d42b012a1d55a2d3f07a56c91212 (diff) | |
qcacld-2.0: Validate ops functions for NULL pointer de-reference
prima to qcacld-2.0 propagation
Access to driver data structures during driver load/unload
results in a kernel panic.
To mitigate the issue, validate the context before accessing
driver data structures.
Change-Id: I5a513c491c73c8ab0514597839d19fcc5d80eaf8
CRs-Fixed: 787915
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_cfg80211.c | 2 | ||||
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_debugfs.c | 45 | ||||
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_hostapd.c | 11 | ||||
| -rwxr-xr-x | CORE/HDD/src/wlan_hdd_main.c | 12 | ||||
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_p2p.c | 9 |
5 files changed, 72 insertions, 7 deletions
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 15afb268df89..43aebb354721 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -13714,7 +13714,7 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy,
 #endif
 {
 VOS_STATUS status = VOS_STATUS_SUCCESS;
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR( dev );
+ hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
 hdd_context_t *pHddCtx;
 hdd_station_ctx_t *pHddStaCtx;
 v_MACADDR_t STAMacAddress;
diff --git a/CORE/HDD/src/wlan_hdd_debugfs.c b/CORE/HDD/src/wlan_hdd_debugfs.c
index e897e3640039..5871ae6a54af 100644
--- a/CORE/HDD/src/wlan_hdd_debugfs.c
+++ b/CORE/HDD/src/wlan_hdd_debugfs.c
@@ -46,16 +46,19 @@ static ssize_t __wcnss_wowenable_write(struct file *file,
 const char __user *buf, size_t count, loff_t *ppos)
 {
- hdd_adapter_t *pAdapter = (hdd_adapter_t *)file->private_data;
+ hdd_adapter_t *pAdapter;
+ hdd_context_t *hdd_ctx;
 char cmd[MAX_USER_COMMAND_SIZE_WOWL_ENABLE + 1];
 char *sptr, *token;
 v_U8_t wow_enable = 0;
 v_U8_t wow_mp = 0;
 v_U8_t wow_pbm = 0;
+ int ret;
 ENTER();
+ pAdapter = (hdd_adapter_t *)file->private_data;
 if ((NULL == pAdapter) || (WLAN_HDD_ADAPTER_MAGIC != pAdapter->magic)) {
 VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
@@ -65,6 +68,11 @@ static ssize_t __wcnss_wowenable_write(struct file *file,
 return -EINVAL;
 }
+ hdd_ctx = WLAN_HDD_GET_CTX(pAdapter);
+ ret = wlan_hdd_validate_context(hdd_ctx);
+ if (0 != ret)
+ return ret;
+
 if (!sme_IsFeatureSupportedByFW(WOW)) {
 VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
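Review bot: The `wlan_hdd_validate_context()` call added to `__wcnss_wowenable_write` looks like a point-in-time check: nothing visible in the hunk takes a lock or a reference once it returns 0, so an unload that begins right afterwards can still tear down what the rest of the handler uses. The same three lines are added in `__wcnss_wowpattern_write`, `__wcnss_patterngen_write` and `__wcnss_debugfs_open`. Whether the non-underscore wrappers serialise these handlers against unload cannot be told from here, so the call site should at least state the limit, e.g. `/* best-effort: rejects the call once load/unload is flagged; does not hold off an unload that starts after this check */`. The handler body continues outside the hunk.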
@@ -173,13 +181,14 @@ static ssize_t __wcnss_wowpattern_write(struct file *file,
 const char __user *buf, size_t count, loff_t *ppos)
 {
 hdd_adapter_t *pAdapter = (hdd_adapter_t *)file->private_data;
-
+ hdd_context_t *hdd_ctx;
 char cmd[MAX_USER_COMMAND_SIZE_WOWL_PATTERN + 1];
 char *sptr, *token;
 v_U8_t pattern_idx = 0;
 v_U8_t pattern_offset = 0;
 char *pattern_buf;
 char *pattern_mask;
+ int ret;
 if ((NULL == pAdapter) || (WLAN_HDD_ADAPTER_MAGIC != pAdapter->magic)) {
@@ -190,6 +199,11 @@ static ssize_t __wcnss_wowpattern_write(struct file *file,
 return -EINVAL;
 }
+ hdd_ctx = WLAN_HDD_GET_CTX(pAdapter);
+ ret = wlan_hdd_validate_context(hdd_ctx);
+ if (0 != ret)
+ return ret;
+
 if (!sme_IsFeatureSupportedByFW(WOW)) {
 VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
@@ -291,7 +305,7 @@ static ssize_t __wcnss_patterngen_write(struct file *file,
 const char __user *buf, size_t count, loff_t *ppos)
 {
- hdd_adapter_t *pAdapter = (hdd_adapter_t *)file->private_data;
+ hdd_adapter_t *pAdapter;
 hdd_context_t *pHddCtx;
 tSirAddPeriodicTxPtrn *addPeriodicTxPtrnParams;
 tSirDelPeriodicTxPtrn *delPeriodicTxPtrnParams;
@@ -302,9 +316,11 @@ static ssize_t __wcnss_patterngen_write(struct file *file,
 char *pattern_buf;
 v_U16_t pattern_len = 0;
 v_U16_t i = 0;
+ int ret;
 ENTER();
+ pAdapter = (hdd_adapter_t *)file->private_data;
 if ((NULL == pAdapter) || (WLAN_HDD_ADAPTER_MAGIC != pAdapter->magic)) {
 VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
@@ -313,7 +329,11 @@ static ssize_t __wcnss_patterngen_write(struct file *file,
 return -EINVAL;
 }
+ pHddCtx = WLAN_HDD_GET_CTX(pAdapter);
+ ret = wlan_hdd_validate_context(pHddCtx);
+ if (0 != ret)
+ return ret;
 if (!sme_IsFeatureSupportedByFW(WLAN_PERIODIC_TX_PTRN)) {
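Review bot: In `__wcnss_wowpattern_write` the adapter is still read from `file->private_data` inside its declaration, while this commit moves the same read below `ENTER()` in `__wcnss_wowenable_write` and `__wcnss_patterngen_write`. To make the three handlers read alike, declare `hdd_adapter_t *pAdapter;` and put `pAdapter = (hdd_adapter_t *)file->private_data;` directly before the magic check. This is a style point only; behaviour is the same either way.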
@@ -523,9 +543,28 @@ static ssize_t wcnss_patterngen_write(struct file *file,
 */
 static int __wcnss_debugfs_open(struct inode *inode, struct file *file)
 {
+ hdd_adapter_t *adapter;
+ hdd_context_t *hdd_ctx;
+ int ret;
+
 ENTER();
+
 if (inode->i_private)
 file->private_data = inode->i_private;
+
+ adapter = (hdd_adapter_t *)file->private_data;
+ if ((NULL == adapter) || (WLAN_HDD_ADAPTER_MAGIC != adapter->magic)) {
+ VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
+ "%s: Invalid adapter or adapter has invalid magic.",
+ __func__);
+ return -EINVAL;
+ }
+
+ hdd_ctx = WLAN_HDD_GET_CTX(adapter);
+ ret = wlan_hdd_validate_context(hdd_ctx);
+ if (0 != ret)
+ return ret;
+
 EXIT();
 return 0;
 }
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index a787022bdbef..3b761065be95 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -681,7 +681,18 @@ void hdd_restart_softap(hdd_context_t *pHddCtx,
 static int __hdd_hostapd_set_mac_address(struct net_device *dev, void *addr)
 {
 struct sockaddr *psta_mac_addr = addr;
+ hdd_adapter_t *adapter;
+ hdd_context_t *hdd_ctx;
+ int ret = 0;
+
 ENTER();
+
+ adapter = WLAN_HDD_GET_PRIV_PTR(dev);
+ hdd_ctx = WLAN_HDD_GET_CTX(adapter);
+ ret = wlan_hdd_validate_context(hdd_ctx);
+ if (0 != ret)
+ return ret;
+
 memcpy(dev->dev_addr, psta_mac_addr->sa_data, ETH_ALEN);
 EXIT();
 return 0;
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 41ad58a462ea..d9478955985d 100755
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
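Review bot: `__hdd_hostapd_set_mac_address` hands the result of `WLAN_HDD_GET_PRIV_PTR(dev)` straight to `WLAN_HDD_GET_CTX()` without the `WLAN_HDD_ADAPTER_MAGIC` test that the debugfs handlers in this commit run first. If `WLAN_HDD_GET_CTX` reads a field of the adapter (its definition is not in the diff), an adapter whose magic was cleared or never set is used to reach the context before anything has been validated. The lines added to `__hdd_set_mac_address` and `__wlan_hdd_cfg80211_remain_on_channel` have the same gap. A guard such as `if (WLAN_HDD_ADAPTER_MAGIC != adapter->magic) return -EINVAL;` ahead of the `WLAN_HDD_GET_CTX` line would bring these paths in line with the debugfs code.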
@@ -7827,10 +7827,17 @@ VOS_STATUS hdd_read_cfg_file(v_VOID_t *pCtx, char *pFileName,
 static int __hdd_set_mac_address(struct net_device *dev, void *addr)
 {
 hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
+ hdd_context_t *hdd_ctx;
 struct sockaddr *psta_mac_addr = addr;
+ int ret;
 ENTER();
+ hdd_ctx = WLAN_HDD_GET_CTX(pAdapter);
+ ret = wlan_hdd_validate_context(hdd_ctx);
+ if (0 != ret)
+ return ret;
+
 memcpy(&pAdapter->macAddressCurrent, psta_mac_addr->sa_data, ETH_ALEN);
 memcpy(dev->dev_addr, psta_mac_addr->sa_data, ETH_ALEN);
@@ -7901,17 +7908,18 @@ static void __hdd_set_multicast_list(struct net_device *dev)
 {
 static const uint8_t ipv6_router_solicitation[] = {0x33, 0x33, 0x00, 0x00, 0x00, 0x02};
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
+ hdd_adapter_t *pAdapter;
+ hdd_context_t *pHddCtx;
 int mc_count;
 int i = 0;
 struct netdev_hw_addr *ha;
- hdd_context_t *pHddCtx;
 ENTER();
 if (VOS_FTM_MODE == hdd_get_conparam()) return;
+ pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
 pHddCtx = WLAN_HDD_GET_CTX(pAdapter);
 if (0 != wlan_hdd_validate_context(pHddCtx)) return;
diff --git a/CORE/HDD/src/wlan_hdd_p2p.c b/CORE/HDD/src/wlan_hdd_p2p.c
index 298a7b8e892e..206537d0a16b 100644
--- a/CORE/HDD/src/wlan_hdd_p2p.c
+++ b/CORE/HDD/src/wlan_hdd_p2p.c
@@ -966,7 +966,8 @@ int __wlan_hdd_cfg80211_remain_on_channel( struct wiphy *wiphy,
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,6,0)) || defined(WITH_BACKPORTS)
 struct net_device *dev = wdev->netdev;
 #endif
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR( dev );
+ hdd_adapter_t *pAdapter;
+ hdd_context_t *hdd_ctx;
 int ret;
 ENTER();
@@ -976,6 +977,12 @@ int __wlan_hdd_cfg80211_remain_on_channel( struct wiphy *wiphy,
 return -EINVAL;
 }
+ pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
+ hdd_ctx = WLAN_HDD_GET_CTX(pAdapter);
+ ret = wlan_hdd_validate_context(hdd_ctx);
+ if (0 != ret)
+ return ret;
+
 MTRACE(vos_trace(VOS_MODULE_ID_HDD, TRACE_CODE_HDD_REMAIN_ON_CHANNEL, pAdapter->sessionId, REMAIN_ON_CHANNEL_REQUEST)); |
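Review bot: After the new context check, `__hdd_set_mac_address` copies `psta_mac_addr->sa_data` into `pAdapter->macAddressCurrent` and `dev->dev_addr` with no validity test visible in the hunk, so a multicast or all-zero address is accepted unless a caller outside the hunk filters it. Since this commit already hardens the entry of the handler, `if (!is_valid_ether_addr(psta_mac_addr->sa_data)) return -EADDRNOTAVAIL;` before the first `memcpy` would cover that case too. `__hdd_hostapd_set_mac_address` has the same unchecked copy into `dev->dev_addr`. The rest of the function lies outside the hunk.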
