Commit 92cb9fa1 authored Jun 01, 2021 by Karthik Kantamneni Committed by Madan Koyyalamudi Jun 02, 2021

qcacld-3.0: Fix use after free during RX thread enqueue

Currently nbuf is being used to get gso segments after enqueue
to DP RX thread, this will lead to use after free issue because
RX thread may process and even free the buffer by the time nbuf
is accessed for getting gso segments in enqueue/softirq context.

Fix this by updating gso segments before nbuf enqueue to DP RX thread.

Change-Id: I2cc93bf9a44e2d487c1a6d474349cf5c0c5db76a
CRs-Fixed: 2958132

parent 1f90252f

core/dp/txrx3.0/dp_rx_thread.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -276,10 +276,10 @@ static QDF_STATUS dp_rx_tm_thread_enqueue(struct dp_rx_thread *rx_thread,
		num_elements_in_nbuf--;
		next_ptr_list = head_ptr->next;
		qdf_nbuf_set_next(head_ptr, NULL);
		qdf_nbuf_queue_head_enqueue_tail(&rx_thread->nbuf_queue,
		head_ptr);
		/* count aggregated RX frame into enqueued stats */
		nbuf_queued += qdf_nbuf_get_gso_segs(head_ptr);
		qdf_nbuf_queue_head_enqueue_tail(&rx_thread->nbuf_queue,
		head_ptr);
		head_ptr = next_ptr_list;
		}