From f9d4e6edce0fbdd2d904742ec23a4b0fbb1ebe9a Mon Sep 17 00:00:00 2001
From: Yeshwanth Sriram Guntuka
Date: Wed, 8 May 2019 15:16:07 +0530
Subject: qcacmn: Fix potential double free in send_log_supported_evt_cmd_tlv

In send_log_supported_evt_cmd_tlv, events_logs_list in wma handle is freed if previously allocated. If the num_of_diag_events_logs exceeds the max size, we exit from the function early without allocating memory for events_logs_list. This can result in potential double free scenario if we receive another DIAG_EVENT_LOG_SUPPORTED event from firmware.

Fix is to set events_logs_list pointer to NULL after freeing memory.

Change-Id: I9d6148dfc064d87e2947d1b5ec4492c08913dd4c
CRs-Fixed: 2433802
---
 wmi/src/wmi_unified_tlv.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index ac85fe11b9d8..953628eb479b 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -10895,8 +10895,10 @@ QDF_STATUS send_log_supported_evt_cmd_tlv(wmi_unified_t wmi_handle,
 __func__, num_of_diag_events_logs);
 /* Free any previous allocation */
- if (wmi_handle->events_logs_list)
+ if (wmi_handle->events_logs_list) {
 qdf_mem_free(wmi_handle->events_logs_list);
+ wmi_handle->events_logs_list = NULL;
+ }
 if (num_of_diag_events_logs >
 (WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t))) {
-- 
cgit v1.2.3

From 21a2827a62cebcc49e4a606bfadce3c6110a514f Mon Sep 17 00:00:00 2001
From: Alok Kumar
Date: Fri, 10 May 2019 18:07:16 +0530
Subject: qcacmn: Add macros and prototypes for packet capture mode

Add prototypes and macro definitions to support packet capture mode.

Change-Id: Ibfc3362be1f105c6ae56c7dfc0468842330c5c90
CRs-Fixed: 2451580
---
 dp/inc/cdp_txrx_cmn.h | 26 +++++++++++++++++++++++++-
 qdf/inc/qdf_types.h | 3 ++-
 2 files changed, 27 insertions(+), 2 deletions(-)

diff --git a/dp/inc/cdp_txrx_cmn.h b/dp/inc/cdp_txrx_cmn.h
index a8c202da9c02..e0585491e755 100644
--- a/dp/inc/cdp_txrx_cmn.h
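Review bot: The early-return path for an oversized num_of_diag_events_logs now leaves wmi_handle->events_logs_list NULL, but the previously valid list is still freed before the count is validated, so a single malformed DIAG_EVENT_LOG_SUPPORTED event from firmware discards the last good list. Moving the range check ahead of the free, i.e. evaluating `if (num_of_diag_events_logs > (WMI_SVC_MSG_MAX_SIZE / sizeof(uint32_t)))` before `qdf_mem_free(wmi_handle->events_logs_list);`, would reject the bad event without touching the existing allocation. If the handle also caches the element count alongside the pointer (not visible here), it should be reset together with the pointer so the two cannot disagree. send_log_supported_evt_cmd_tlv begins and ends outside this hunk.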
+++ b/dp/inc/cdp_txrx_cmn.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2019 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -119,6 +119,18 @@ enum wlan_op_mode {
 wlan_op_mode_ndi,
 };
+/**
+ * mon_data_process_type - data pkt type for pkt capture mode
+ * @PROCESS_TYPE_DATA_RX: process RX data packet (normal rx + offloaded rx)
+ * @PROCESS_TYPE_DATA_TX: process TX data packet (ofloaded tx)
+ * @PROCESS_TYPE_DATA_TX_COMPL: process TX compl data packet (normal tx)
+ */
+enum mon_data_process_type {
+ PROCESS_TYPE_DATA_RX,
+ PROCESS_TYPE_DATA_TX,
+ PROCESS_TYPE_DATA_TX_COMPL,
+};
+
 /**
 * connectivity_stats_pkt_status - data pkt type
 * @PKT_TYPE_REQ: Request packet
@@ -183,6 +195,9 @@ typedef bool (*ol_txrx_tx_flow_control_is_pause_fp)(void *osif_dev);
 */
 typedef QDF_STATUS (*ol_txrx_rx_fp)(void *osif_dev, qdf_nbuf_t msdu_list);
+typedef QDF_STATUS(*ol_txrx_mon_callback_fp)(void *osif_dev,
+ qdf_nbuf_t msdu_list);
+
 /**
 * ol_txrx_stats_rx_fp - receive function to hand batches of data
 * frames from txrx to OS shim
@@ -410,6 +425,11 @@ ol_txrx_mgmt_tx_cb_set(ol_txrx_pdev_handle pdev,
 int ol_txrx_get_tx_pending(ol_txrx_pdev_handle pdev);
+void ol_txrx_mon_cb_deregister(void);
+
+void ol_txrx_mon_cb_register(void *osif_vdev,
+ ol_txrx_mon_callback_fp mon_cb);
+
 /**
 * enum data_stall_log_event_indicator - Module triggering data stall
 * @DATA_STALL_LOG_INDICATOR_UNUSED: Unused
@@ -579,6 +599,10 @@ void ol_txrx_fw_stats_cfg(
 #define PER_RADIO_FW_STATS_REQUEST 0
 #define PER_VDEV_FW_STATS_REQUEST 1
+
+#define TXRX_PKT_FORMAT_8023 0
+#define TXRX_PKT_FORMAT_80211 1
+
 /**
 * ol_txrx_get_vdev_mac_addr() - Return mac addr of vdev
 * @vdev: vdev handle
diff --git a/qdf/inc/qdf_types.h b/qdf/inc/qdf_types.h
index 616b9bcf05de..009f1e2320e1 100644
--- a/qdf/inc/qdf_types.h
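Review bot: The new `ol_txrx_mon_callback_fp` typedef and the `ol_txrx_mon_cb_register`/`ol_txrx_mon_cb_deregister` prototypes carry no kernel-doc block, unlike the neighbouring `ol_txrx_rx_fp` declaration in this header, so a caller cannot tell who owns `msdu_list` once the callback returns or whether `osif_vdev` may be NULL. A short `/** ... */` block on the typedef naming the two parameters and the return status, and one on each register function stating the ownership and lifetime of the callback pointer, would settle that. The enum comment also misspells `(ofloaded tx)`; `(offloaded tx)` matches the RX line above it.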
+++ b/qdf/inc/qdf_types.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -457,6 +457,7 @@ void qdf_vtrace_msg(QDF_MODULE_ID module, QDF_TRACE_LEVEL level,
 #define QDF_SAP_MASK (1 << QDF_SAP_MODE)
 #define QDF_P2P_CLIENT_MASK (1 << QDF_P2P_CLIENT_MODE)
 #define QDF_P2P_GO_MASK (1 << QDF_P2P_GO_MODE)
+#define QDF_MONITOR_MASK (1 << QDF_MONITOR_MODE)
 #ifdef FEATURE_WLAN_MCC_TO_SCC_SWITCH
-- 
cgit v1.2.3

From 1083615c2ba0f9f973cc778082f842775e55e19b Mon Sep 17 00:00:00 2001
From: Rajeev Kumar Sirasanagandla
Date: Wed, 8 May 2019 18:45:44 +0530
Subject: qcacmn: Fix possible NULL dereference in apf read

While processing WMI_BPF_GET_VDEV_WORK_MEMORY_RESP_EVENTID, in wma_apf_read_work_memory_event_handler() apf read callback is invoked after wmi_extract_apf_read_memory_resp_event_tlv(). During extraction of apf attributes there is no NULL check of data tlv when data length is non-zero. If the firmware message is wrongly crafted with non-zero length in fixed param and NULL data then NULL pointer dereference is seen in apf read callback.

To address this, avoid copy when data is NULL and data length is non-zero.

Change-Id: Ie054c487ead5c929e5a293651a65383d6f87dc71
CRs-Fixed: 2446019
---
 wmi/src/wmi_unified_apf_tlv.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/wmi/src/wmi_unified_apf_tlv.c b/wmi/src/wmi_unified_apf_tlv.c
index 91ddd7022402..ab9613c4b430 100644
--- a/wmi/src/wmi_unified_apf_tlv.c
+++ b/wmi/src/wmi_unified_apf_tlv.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -211,10 +211,11 @@ extract_apf_read_memory_resp_event_tlv(wmi_unified_t wmi_handle, void *evt_buf,
 param_buf->num_data);
 return QDF_STATUS_E_INVAL;
 }
- resp->length = data_event->length;
- if (resp->length)
+ if (data_event->length && param_buf->data) {
+ resp->length = data_event->length;
 resp->data = (uint8_t *)param_buf->data;
+ }
 return QDF_STATUS_SUCCESS;
 }
-- 
cgit v1.2.3
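Review bot: When the new condition is false, `resp->length` and `resp->data` are no longer written at all, whereas before the change `resp->length` was always assigned; a caller that does not zero its response struct would then hand stale length/data to the apf read callback on a zero-length or NULL-data event. Initialising both fields before the check keeps the contract explicit: `resp->length = 0;` and `resp->data = NULL;` ahead of `if (data_event->length && param_buf->data) {`. The condition also does not relate `data_event->length` to `param_buf->num_data`; the rejection just above the hunk appears to validate num_data, but if it does not bound length by num_data, a firmware-supplied length larger than the TLV array would still be passed on to the callback. extract_apf_read_memory_resp_event_tlv begins outside this hunk.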