!13925 CVE-2024-50236 (a736cbd6) · Commits · EulixOS / Software / Kernel

drivers/net/wireless/ath/ath10k/mac.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -3852,6 +3852,9 @@ void ath10k_mgmt_over_wmi_tx_work(struct work_struct *work)
		if (ret) {
		ath10k_warn(ar, "failed to transmit management frame by ref via WMI: %d\n",
		ret);
		/* remove this msdu from idr tracking */
		ath10k_wmi_cleanup_mgmt_tx_send(ar, skb);

		dma_unmap_single(ar->dev, paddr, skb->len,
		DMA_FROM_DEVICE);
		ieee80211_free_txskb(ar->hw, skb);

+10 −0

Original line number	Diff line number	Diff line
		@@ -139,6 +139,7 @@ struct wmi_ops {
		struct sk_buff (gen_mgmt_tx_send)(struct ath10k *ar,
		struct sk_buff *skb,
		dma_addr_t paddr);
		int (cleanup_mgmt_tx_send)(struct ath10k ar, struct sk_buff *msdu);
		struct sk_buff (gen_dbglog_cfg)(struct ath10k *ar, u64 module_enable,
		u32 log_level);
		struct sk_buff (gen_pktlog_enable)(struct ath10k *ar, u32 filter);
		@@ -431,6 +432,15 @@ ath10k_wmi_get_txbf_conf_scheme(struct ath10k *ar)
		return ar->wmi.ops->get_txbf_conf_scheme(ar);
		}

		static inline int
		ath10k_wmi_cleanup_mgmt_tx_send(struct ath10k ar, struct sk_buff msdu)
		{
		if (!ar->wmi.ops->cleanup_mgmt_tx_send)
		return -EOPNOTSUPP;

		return ar->wmi.ops->cleanup_mgmt_tx_send(ar, msdu);
		}

		static inline int
		ath10k_wmi_mgmt_tx_send(struct ath10k ar, struct sk_buff msdu,
		dma_addr_t paddr)

+20 −0

Original line number	Diff line number	Diff line
		@@ -2642,6 +2642,23 @@ ath10k_wmi_tlv_op_gen_request_stats(struct ath10k *ar, u32 stats_mask)
		return skb;
		}

		static int
		ath10k_wmi_tlv_op_cleanup_mgmt_tx_send(struct ath10k *ar,
		struct sk_buff *msdu)
		{
		struct ath10k_skb_cb *cb = ATH10K_SKB_CB(msdu);
		struct ath10k_mgmt_tx_pkt_addr *pkt_addr;
		struct ath10k_wmi *wmi = &ar->wmi;

		spin_lock_bh(&ar->data_lock);
		pkt_addr = idr_remove(&wmi->mgmt_pending_tx, cb->msdu_id);
		spin_unlock_bh(&ar->data_lock);

		kfree(pkt_addr);

		return 0;
		}

		static int
		ath10k_wmi_mgmt_tx_alloc_msdu_id(struct ath10k ar, struct sk_buff skb,
		dma_addr_t paddr)
		@@ -2714,6 +2731,8 @@ ath10k_wmi_tlv_op_gen_mgmt_tx_send(struct ath10k ar, struct sk_buff msdu,
		if (desc_id < 0)
		goto err_free_skb;

		cb->msdu_id = desc_id;

		ptr = (void *)skb->data;
		tlv = ptr;
		tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_MGMT_TX_CMD);
		@@ -3953,6 +3972,7 @@ static const struct wmi_ops wmi_tlv_ops = {
		.gen_force_fw_hang = ath10k_wmi_tlv_op_gen_force_fw_hang,
		/* .gen_mgmt_tx = not implemented; HTT is used */
		.gen_mgmt_tx_send = ath10k_wmi_tlv_op_gen_mgmt_tx_send,
		.cleanup_mgmt_tx_send = ath10k_wmi_tlv_op_cleanup_mgmt_tx_send,
		.gen_dbglog_cfg = ath10k_wmi_tlv_op_gen_dbglog_cfg,
		.gen_pktlog_enable = ath10k_wmi_tlv_op_gen_pktlog_enable,
		.gen_pktlog_disable = ath10k_wmi_tlv_op_gen_pktlog_disable,

+2 −0

Original line number	Diff line number	Diff line
		@@ -2342,6 +2342,7 @@ static int wmi_process_mgmt_tx_comp(struct ath10k *ar, u32 desc_id,
		dma_unmap_single(ar->dev, pkt_addr->paddr,
		msdu->len, DMA_FROM_DEVICE);
		info = IEEE80211_SKB_CB(msdu);
		kfree(pkt_addr);

		if (status)
		info->flags &= ~IEEE80211_TX_STAT_ACK;
		@@ -9195,6 +9196,7 @@ static int ath10k_wmi_mgmt_tx_clean_up_pending(int msdu_id, void *ptr,
		dma_unmap_single(ar->dev, pkt_addr->paddr,
		msdu->len, DMA_FROM_DEVICE);
		ieee80211_free_txskb(ar->hw, msdu);
		kfree(pkt_addr);

		return 0;
		}