
Commit 80af938a authored by Bala Venkatesh's avatar Bala Venkatesh Committed by nshrivas

qcacld-3.0: Avoid NULL pointer access of tdls_priv

tdls_priv is allotted per vdev and deleted after physical
vdev delete. Check tdls_priv for a NULL pointer before
accessing it, as there is a possibility of a NULL dereference
after vdev delete.

Change-Id: I47e30f6ed5dcf5c1ae6a07c3d56fa24db2ea4f6c
CRs-Fixed: 2469840
parent 70921661
+34 −4
@@ -114,11 +114,11 @@ void hdd_notify_teardown_tdls_links(struct wlan_objmgr_psoc *psoc)

	osif_priv = wlan_vdev_get_ospriv(vdev);

	tdls_priv = osif_priv->osif_tdls;
	if (!tdls_priv) {
		cfg80211_err("tdls_priv is NULL");
	if (!osif_priv || !osif_priv->osif_tdls) {
		cfg80211_err("osif priv or tdls priv is NULL");
		goto release_ref;
	}
	tdls_priv = osif_priv->osif_tdls;

	reinit_completion(&tdls_priv->tdls_teardown_comp);
	status = ucfg_tdls_teardown_links(psoc);
@@ -463,6 +463,12 @@ int wlan_cfg80211_tdls_update_peer(struct wlan_objmgr_pdev *pdev,
	wlan_cfg80211_tdls_extract_params(req_info, params);

	osif_priv = wlan_vdev_get_ospriv(vdev);
	if (!osif_priv || !osif_priv->osif_tdls) {
		cfg80211_err("osif priv or tdls priv is NULL");
		status = -EINVAL;
		goto error;
	}

	tdls_priv = osif_priv->osif_tdls;
	req_info->vdev_id = wlan_vdev_get_id(vdev);
	qdf_mem_copy(req_info->peer_addr, mac, QDF_MAC_ADDR_SIZE);
@@ -609,6 +615,11 @@ int wlan_cfg80211_tdls_oper(struct wlan_objmgr_pdev *pdev,
		break;
	case NL80211_TDLS_DISABLE_LINK:
		osif_priv = wlan_vdev_get_ospriv(vdev);
		if (!osif_priv || !osif_priv->osif_tdls) {
			cfg80211_err("osif priv or tdls priv is NULL");
			status = -EINVAL;
			goto error;
		}
		tdls_priv = osif_priv->osif_tdls;
		reinit_completion(&tdls_priv->tdls_del_peer_comp);
		status = ucfg_tdls_oper(vdev, peer, cmd);
@@ -718,8 +729,12 @@ int wlan_cfg80211_tdls_get_all_peers(struct wlan_objmgr_vdev *vdev,
	}

	osif_priv = wlan_vdev_get_ospriv(vdev);
	tdls_priv = osif_priv->osif_tdls;
	if (!osif_priv || !osif_priv->osif_tdls) {
		cfg80211_err("osif_tdls_vdev or osif_priv is NULL for the current vdev");
		return -EINVAL;
	}

	tdls_priv = osif_priv->osif_tdls;
	reinit_completion(&tdls_priv->tdls_user_cmd_comp);
	status = ucfg_tdls_get_all_peers(vdev, buf, buflen);
	if (QDF_IS_STATUS_ERROR(status)) {
@@ -780,6 +795,11 @@ int wlan_cfg80211_tdls_mgmt(struct wlan_objmgr_pdev *pdev,

	osif_priv = wlan_vdev_get_ospriv(vdev);

	if (!osif_priv || !osif_priv->osif_tdls) {
		cfg80211_err("osif priv or tdls priv is NULL");
		return -EINVAL;
	}

	tdls_priv = osif_priv->osif_tdls;

	/* make sure doesn't call send_mgmt() while it is pending */
@@ -887,6 +907,11 @@ int wlan_tdls_antenna_switch(struct wlan_objmgr_vdev *vdev, uint32_t mode)
	}

	osif_priv = wlan_vdev_get_ospriv(vdev);
	if (!osif_priv || !osif_priv->osif_tdls) {
		cfg80211_err("osif priv or tdls priv is NULL");
		ret = -EINVAL;
		goto error;
	}
	tdls_priv = osif_priv->osif_tdls;

	reinit_completion(&tdls_priv->tdls_antenna_switch_comp);
@@ -965,6 +990,11 @@ void wlan_cfg80211_tdls_event_callback(void *user_data,
		return;
	}
	osif_vdev = wlan_vdev_get_ospriv(ind->vdev);

	if (!osif_vdev || !osif_vdev->osif_tdls) {
		cfg80211_err("osif priv or tdls priv is NULL");
		return;
	}
	tdls_priv = osif_vdev->osif_tdls;

	switch (type) {
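Review bot: The added guards test `osif_priv->osif_tdls` and then load it a second time into `tdls_priv`, so in every hunk (hdd_notify_teardown_tdls_links through wlan_cfg80211_tdls_event_callback) the check and the use are two separate reads of a pointer that the commit message says is deleted after vdev delete. Nothing visible in the hunks holds a lock or reference that pins tdls_priv across `reinit_completion()` and the calls that follow, so the check may only narrow a use-after-free window rather than close it; if a vdev reference taken outside the hunks does pin it, a comment such as `/* osif_tdls stays valid while the vdev ref is held */` at the guard would record that. Reading the pointer once, `tdls_priv = osif_priv ? osif_priv->osif_tdls : NULL;` followed by `if (!tdls_priv)`, at least makes the tested value the one that is used. Separately, the wlan_cfg80211_tdls_mgmt and wlan_cfg80211_tdls_get_all_peers hunks `return -EINVAL` directly while wlan_cfg80211_tdls_update_peer, wlan_cfg80211_tdls_oper and wlan_tdls_antenna_switch use `goto error`; the function bodies start and end outside the hunks, so it should be confirmed that no reference or allocation acquired earlier is skipped by those returns.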