lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix Use-After-Free in ol_txrx_pdev_detach

Browse Source 
The use TAILQ_FOREACH for freeing the fw_stats list during
pdev detach causes a use-after-free condition, which can lead
to unexpected behavior during the driver load or unload.

Fix the possible Use-after-free condition in pdev detach, by
using TAILQ_FOREACH_SAFE instead of TAILQ_FOREACH for freeing
the fw_stats list.

CRs-Fixed: 2214520
Change-Id: I5dfcc5e3f0d2e77a5f6226eca06bc6ab1af4e643
This commit is contained in:
Rakesh Pillai 2018-05-09 11:45:38 +05:30 committed by nshrivas
parent 389e2bb771
commit 33942c4344
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
core/dp/txrx/ol_txrx.c
View File

@ -2172,7 +2172,7 @@ static void ol_txrx_debugfs_exit(ol_txrx_pdev_handle pdev)
static void ol_txrx_pdev_detach(struct cdp_pdev *ppdev, int force)
{
struct ol_txrx_pdev_t *pdev = (struct ol_txrx_pdev_t *)ppdev;
struct ol_txrx_stats_req_internal *req;
struct ol_txrx_stats_req_internal *req, *temp_req;
int i = 0;
/*checking to ensure txrx pdev structure is not NULL */
@ -2190,7 +2190,7 @@ static void ol_txrx_pdev_detach(struct cdp_pdev *ppdev, int force)
"Warning: the txrx req list is not empty, depth=%d\n",
pdev->req_list_depth
);
TAILQ_FOREACH(req, &pdev->req_list, req_list_elem) {
TAILQ_FOREACH_SAFE(req, &pdev->req_list, req_list_elem, temp_req) {
TAILQ_REMOVE(&pdev->req_list, req, req_list_elem);
pdev->req_list_depth--;
ol_txrx_err(