wlan: Fix memory leak and NULL pointer dereference issues

A few functions don't free the allocated memory in failure cases
and dereference a pointer before the NULL check.

This change frees the allocated memory in failure cases,
adds a NULL check before dereferencing the pointer, and
fixes a memory layering violation in SME.

Change-Id: Ia4717c29788612a9b0c6e0286e6d70cefcc81df7
CRs-Fixed: 996173
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index b41784a..c5a3a04 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -6400,12 +6400,12 @@
         if (control == QCA_WLAN_RSSI_MONITORING_START) {
                 if (!tb[PARAM_MIN_RSSI]) {
                         hddLog(LOGE, FL("attr min rssi failed"));
-                        return -EINVAL;
+                        goto fail;
                 }
 
                 if (!tb[PARAM_MAX_RSSI]) {
                         hddLog(LOGE, FL("attr max rssi failed"));
-                        return -EINVAL;
+                        goto fail;
                 }
 
                 pReq->minRssi = nla_get_s8(tb[PARAM_MIN_RSSI]);
@@ -6415,7 +6415,7 @@
                 if (!(pReq->minRssi < pReq->maxRssi)) {
                         hddLog(LOGW, FL("min_rssi: %d must be less than max_rssi: %d"),
                                         pReq->minRssi, pReq->maxRssi);
-                        return -EINVAL;
+                        goto fail;
                 }
                 hddLog(LOG1, FL("Min_rssi: %d Max_rssi: %d"),
                        pReq->minRssi, pReq->maxRssi);
@@ -6428,16 +6428,19 @@
         }
         else {
                 hddLog(LOGE, FL("Invalid control cmd: %d"), control);
-                return -EINVAL;
+                goto fail;
         }
 
         if (!HAL_STATUS_SUCCESS(status)) {
                 hddLog(LOGE,
                         FL("sme_set_rssi_monitoring failed(err=%d)"), status);
-                return -EINVAL;
+                goto fail;
         }
 
         return 0;
+fail:
+        vos_mem_free(pReq);
+        return -EINVAL;
 }
 
 /*
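Review bot: The `fail:` label frees `pReq` on every error path, including the one taken after `sme_set_rssi_monitoring` has already been handed the request, and nothing visible here says who owns the buffer at that point. If SME or a layer below it also releases the request on its own failure paths, this becomes a double free; if it has already queued the pointer, it becomes a use-after-free. I would confirm that SME neither frees nor retains `pReq` when it returns an error, and record that at the label, e.g. `/* pReq is still owned by HDD here; SME takes ownership only on success */`. The two earlier hunks in this file (at 6400 and 6415) jump to the same label, and the function starts outside this hunk, so the allocation itself is not visible.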
@@ -6751,7 +6754,7 @@
     if (request_id == 0)
     {
         hddLog(LOGE, FL("request_id cannot be zero"));
-        return -EINVAL;
+        goto fail;
     }
 
     if (!tb[PARAM_PERIOD])
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 9a8424a..1c81bd0 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -11081,7 +11081,7 @@
 void hdd_init_frame_logging(hdd_context_t* pHddCtx)
 {
    eHalStatus halStatus = eHAL_STATUS_FAILURE;
-   tpSirFWLoggingInitParam wlanFWLoggingInitParam;
+   tSirFWLoggingInitParam wlanFWLoggingInitParam = {0};
 
    if (TRUE != sme_IsFeatureSupportedByFW(MGMT_FRAME_LOGGING) &&
        TRUE != sme_IsFeatureSupportedByFW(LOGGING_ENHANCEMENT))
@@ -11090,15 +11090,6 @@
        return;
    }
 
-   wlanFWLoggingInitParam = vos_mem_malloc(sizeof(tSirFWLoggingInitParam));
-   if(NULL == wlanFWLoggingInitParam)
-   {
-       hddLog(VOS_TRACE_LEVEL_FATAL, "%s: vos_mem_alloc failed ", __func__);
-       return;
-   }
-
-   vos_mem_set(wlanFWLoggingInitParam, sizeof(tSirFWLoggingInitParam), 0);
-
    hddLog(VOS_TRACE_LEVEL_INFO, "%s: Configuring %s %s %s %s Logging",__func__,
                pHddCtx->cfg_ini->enableFWLogging?"FW Log,":"",
                pHddCtx->cfg_ini->enableContFWLogging ? "Cont FW log,":"",
@@ -11108,47 +11099,48 @@
    if (pHddCtx->cfg_ini->enableFWLogging ||
                  pHddCtx->cfg_ini->enableContFWLogging)
    {
-      wlanFWLoggingInitParam->enableFlag |= WLAN_QXDM_LOG_EN;
+      wlanFWLoggingInitParam.enableFlag |= WLAN_QXDM_LOG_EN;
    }
 
    if (pHddCtx->cfg_ini->enableMgmtLogging)
    {
-      wlanFWLoggingInitParam->enableFlag |= WLAN_FRAME_LOG_EN;
+      wlanFWLoggingInitParam.enableFlag |= WLAN_FRAME_LOG_EN;
    }
    if (pHddCtx->cfg_ini->enableBMUHWtracing)
    {
-      wlanFWLoggingInitParam->enableFlag |= WLAN_BMUHW_TRACE_LOG_EN;
+      wlanFWLoggingInitParam.enableFlag |= WLAN_BMUHW_TRACE_LOG_EN;
    }
    if(pHddCtx->cfg_ini->enableFwrMemDump &&
       (TRUE == sme_IsFeatureSupportedByFW(MEMORY_DUMP_SUPPORTED)))
    {
-      wlanFWLoggingInitParam->enableFlag |= WLAN_FW_MEM_DUMP_EN;
+      wlanFWLoggingInitParam.enableFlag |= WLAN_FW_MEM_DUMP_EN;
    }
-   if( wlanFWLoggingInitParam->enableFlag == 0 )
+   if( wlanFWLoggingInitParam.enableFlag == 0 )
    {
       hddLog(VOS_TRACE_LEVEL_ERROR, "%s: Logging not enabled", __func__);
       return;
    }
-   wlanFWLoggingInitParam->frameType = WLAN_FRAME_LOGGING_FRAMETYPE_MGMT;
-   wlanFWLoggingInitParam->frameSize = WLAN_MGMT_LOGGING_FRAMESIZE_128BYTES;
-   wlanFWLoggingInitParam->bufferMode = WLAN_FRAME_LOGGING_BUFFERMODE_CIRCULAR;
-   wlanFWLoggingInitParam->continuousFrameLogging =
+   wlanFWLoggingInitParam.frameType = WLAN_FRAME_LOGGING_FRAMETYPE_MGMT;
+   wlanFWLoggingInitParam.frameSize = WLAN_MGMT_LOGGING_FRAMESIZE_128BYTES;
+   wlanFWLoggingInitParam.bufferMode = WLAN_FRAME_LOGGING_BUFFERMODE_CIRCULAR;
+   wlanFWLoggingInitParam.continuousFrameLogging =
                               pHddCtx->cfg_ini->enableContFWLogging;
 
-   wlanFWLoggingInitParam->enableFlag &= ~WLAN_DPU_TXP_LOG_EN;
+   wlanFWLoggingInitParam.enableFlag &= ~WLAN_DPU_TXP_LOG_EN;
 
-   wlanFWLoggingInitParam->minLogBufferSize =
+   wlanFWLoggingInitParam.minLogBufferSize =
                               pHddCtx->cfg_ini->minLoggingBufferSize;
-   wlanFWLoggingInitParam->maxLogBufferSize =
+   wlanFWLoggingInitParam.maxLogBufferSize =
                               pHddCtx->cfg_ini->maxLoggingBufferSize;
-   wlanFWLoggingInitParam->fwlogInitCallback = hdd_init_frame_logging_done;
-   wlanFWLoggingInitParam->fwlogInitCbContext= pHddCtx;
+   wlanFWLoggingInitParam.fwlogInitCallback = hdd_init_frame_logging_done;
+   wlanFWLoggingInitParam.fwlogInitCbContext= pHddCtx;
 
-   halStatus = sme_InitMgmtFrameLogging(pHddCtx->hHal, wlanFWLoggingInitParam);
+   halStatus = sme_InitMgmtFrameLogging(pHddCtx->hHal, &wlanFWLoggingInitParam);
 
    if (eHAL_STATUS_SUCCESS != halStatus)
    {
-       vos_mem_free(wlanFWLoggingInitParam);
+       hddLog(LOGE, FL("sme_InitMgmtFrameLogging failed, returned %d"),
+            halStatus);
    }
 
    return;
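Review bot: `sme_InitMgmtFrameLogging(pHddCtx->hHal, &wlanFWLoggingInitParam)` now receives the address of a stack object that stops existing when `hdd_init_frame_logging` returns. That is only safe if SME copies the structure before returning; if it posts the pointer for asynchronous processing, the callback and context fields would later be read from a dead stack frame. The SME side is not visible in this hunk, so I would confirm the copy and state the contract at the call, e.g. `/* SME copies the params; the struct need not outlive this call */`. The function starts outside this hunk.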
diff --git a/CORE/HDD/src/wlan_hdd_trace.c b/CORE/HDD/src/wlan_hdd_trace.c
index 2c82982..6901109 100644
--- a/CORE/HDD/src/wlan_hdd_trace.c
+++ b/CORE/HDD/src/wlan_hdd_trace.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2015 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -151,14 +151,16 @@
     /* get the global voss context */
     vos_ctx_ptr = vos_get_global_context(VOS_MODULE_ID_VOSS, NULL);
 
-    if (NULL != vos_ctx_ptr) {
-        hdd_ctx_ptr = vos_get_context(VOS_MODULE_ID_HDD, vos_ctx_ptr);
-    } else {
-        VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
-                  "%s: Invalid Global VOSS Context", __func__);
+    if (!vos_ctx_ptr) {
+        hddLog(LOGE, FL("Invalid Global VOSS Context"));
         VOS_ASSERT(0);
         return;
     }
+    hdd_ctx_ptr = vos_get_context(VOS_MODULE_ID_HDD, vos_ctx_ptr);
+    if (!hdd_ctx_ptr) {
+       hddLog(LOGE, FL("HDD context is Null"));
+       return;
+    }
 
     hddLog(LOG1,
            FL("mScanPending %d isWlanSuspended %d disable_dfs_flag %d"),
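Review bot: The new `if (!hdd_ctx_ptr)` body is indented with seven spaces, while the rest of the function uses four and eight. It also returns without `VOS_ASSERT(0)`, unlike the `vos_ctx_ptr` branch just above. If a missing HDD context is an expected condition here, say so in a comment such as `/* HDD context may be absent during load/unload; not an assert condition */`; otherwise add the assert so both branches match. The function starts and ends outside this hunk.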