Commit 69c70445 authored by Chin-Yen Lee's avatar Chin-Yen Lee Committed by Kalle Valo

rtw88: wow: fix size access error of probe request

The current flow leads to a null pointer access because it tries
to get the size of freed probe-request packets. We store the
packet size in the rsvd page instead and also fix
the size error, which causes unstable behavior when the wow
firmware sends probe requests.
Signed-off-by: default avatarChin-Yen Lee <timlee@realtek.com>
Signed-off-by: default avatarPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210728014335.8785-6-pkshih@realtek.com
parent 4bac10f2
...@@ -819,7 +819,7 @@ static u16 rtw_get_rsvd_page_probe_req_size(struct rtw_dev *rtwdev, ...@@ -819,7 +819,7 @@ static u16 rtw_get_rsvd_page_probe_req_size(struct rtw_dev *rtwdev,
continue; continue;
if ((!ssid && !rsvd_pkt->ssid) || if ((!ssid && !rsvd_pkt->ssid) ||
rtw_ssid_equal(rsvd_pkt->ssid, ssid)) rtw_ssid_equal(rsvd_pkt->ssid, ssid))
size = rsvd_pkt->skb->len; size = rsvd_pkt->probe_req_size;
} }
return size; return size;
...@@ -1047,6 +1047,8 @@ static struct sk_buff *rtw_get_rsvd_page_skb(struct ieee80211_hw *hw, ...@@ -1047,6 +1047,8 @@ static struct sk_buff *rtw_get_rsvd_page_skb(struct ieee80211_hw *hw,
ssid->ssid_len, 0); ssid->ssid_len, 0);
else else
skb_new = ieee80211_probereq_get(hw, vif->addr, NULL, 0, 0); skb_new = ieee80211_probereq_get(hw, vif->addr, NULL, 0, 0);
if (skb_new)
rsvd_pkt->probe_req_size = (u16)skb_new->len;
break; break;
case RSVD_NLO_INFO: case RSVD_NLO_INFO:
skb_new = rtw_nlo_info_get(hw); skb_new = rtw_nlo_info_get(hw);
...@@ -1643,6 +1645,7 @@ int rtw_fw_dump_fifo(struct rtw_dev *rtwdev, u8 fifo_sel, u32 addr, u32 size, ...@@ -1643,6 +1645,7 @@ int rtw_fw_dump_fifo(struct rtw_dev *rtwdev, u8 fifo_sel, u32 addr, u32 size,
static void __rtw_fw_update_pkt(struct rtw_dev *rtwdev, u8 pkt_id, u16 size, static void __rtw_fw_update_pkt(struct rtw_dev *rtwdev, u8 pkt_id, u16 size,
u8 location) u8 location)
{ {
struct rtw_chip_info *chip = rtwdev->chip;
u8 h2c_pkt[H2C_PKT_SIZE] = {0}; u8 h2c_pkt[H2C_PKT_SIZE] = {0};
u16 total_size = H2C_PKT_HDR_SIZE + H2C_PKT_UPDATE_PKT_LEN; u16 total_size = H2C_PKT_HDR_SIZE + H2C_PKT_UPDATE_PKT_LEN;
...@@ -1653,6 +1656,7 @@ static void __rtw_fw_update_pkt(struct rtw_dev *rtwdev, u8 pkt_id, u16 size, ...@@ -1653,6 +1656,7 @@ static void __rtw_fw_update_pkt(struct rtw_dev *rtwdev, u8 pkt_id, u16 size,
UPDATE_PKT_SET_LOCATION(h2c_pkt, location); UPDATE_PKT_SET_LOCATION(h2c_pkt, location);
/* include txdesc size */ /* include txdesc size */
size += chip->tx_pkt_desc_sz;
UPDATE_PKT_SET_SIZE(h2c_pkt, size); UPDATE_PKT_SET_SIZE(h2c_pkt, size);
rtw_fw_send_h2c_packet(rtwdev, h2c_pkt); rtw_fw_send_h2c_packet(rtwdev, h2c_pkt);
...@@ -1662,7 +1666,7 @@ void rtw_fw_update_pkt_probe_req(struct rtw_dev *rtwdev, ...@@ -1662,7 +1666,7 @@ void rtw_fw_update_pkt_probe_req(struct rtw_dev *rtwdev,
struct cfg80211_ssid *ssid) struct cfg80211_ssid *ssid)
{ {
u8 loc; u8 loc;
u32 size; u16 size;
loc = rtw_get_rsvd_page_probe_req_location(rtwdev, ssid); loc = rtw_get_rsvd_page_probe_req_location(rtwdev, ssid);
if (!loc) { if (!loc) {
......
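Review bot: In the rtw_get_rsvd_page_skb hunk, `probe_req_size` is written only when `ieee80211_probereq_get()` succeeds, so after a failed allocation the field keeps whatever length an earlier build stored, and `rtw_get_rsvd_page_probe_req_size()` can still pass that stale value to the firmware update path. Assigning unconditionally, `rsvd_pkt->probe_req_size = skb_new ? (u16)skb_new->len : 0;`, would surface the failure, assuming the caller treats a zero size as an error (that check is outside the visible lines). The `(u16)` cast also truncates silently, and `size += chip->tx_pkt_desc_sz` in `__rtw_fw_update_pkt` does further u16 arithmetic on the value. Probe requests are presumably far below 64 KiB, but a one-line comment stating that bound would document why the narrowing is safe. Both function bodies continue outside the hunks shown.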
...@@ -147,6 +147,7 @@ struct rtw_rsvd_page { ...@@ -147,6 +147,7 @@ struct rtw_rsvd_page {
u8 page; u8 page;
bool add_txdesc; bool add_txdesc;
struct cfg80211_ssid *ssid; struct cfg80211_ssid *ssid;
u16 probe_req_size;
}; };
enum rtw_keep_alive_pkt_type { enum rtw_keep_alive_pkt_type {
......
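Review bot: The new `probe_req_size` field in `struct rtw_rsvd_page` has no comment explaining why a length is cached next to the packet it describes. Going by the commit description, the skb can already be freed when the size is read, so the field exists to avoid dereferencing `skb` after release. A comment such as `/* probe request length, cached because skb may be freed before the size is queried */` would keep a later cleanup from switching back to `skb->len`. It would also help to state whether the value includes the tx descriptor, since `__rtw_fw_update_pkt` adds `chip->tx_pkt_desc_sz` separately.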