
qcacld-3.0: Get vdev ref before accessing vdev

Get vdev ref before accessing vdev and release vdev ref after accessing
vdev, otherwise vdev may be accessed after free.

Change-Id: Idd6f7218ab70f399cb6bbfad8572df5c55e38a48
CRs-Fixed: 2480224
bings 5 éve
szülő
commit
0a28954320
2 módosított fájl, 39 hozzáadás és 7 törlés
  1. 38 0
      core/sap/src/sap_fsm.c
  2. 1 7
      core/sap/src/sap_internal.h

+ 38 - 0
core/sap/src/sap_fsm.c

@@ -1893,6 +1893,44 @@ QDF_STATUS sap_signal_hdd_event(struct sap_context *sap_ctx,
 
 }
 
+bool sap_is_dfs_cac_wait_state(struct sap_context *sap_ctx)
+{
+	struct wlan_objmgr_vdev *vdev;
+	QDF_STATUS status;
+	struct mac_context *mac_ctx;
+	mac_handle_t mac_handle;
+
+	if (!sap_ctx) {
+		sap_err("Invalid sap context");
+		return false;
+	}
+
+	mac_handle = cds_get_context(QDF_MODULE_ID_SME);
+	if (!mac_handle) {
+		sap_err("invalid mac_handle");
+		return false;
+	}
+
+	mac_ctx = MAC_CONTEXT(mac_handle);
+	if (!mac_ctx) {
+		sap_err("Invalid MAC context");
+		return false;
+	}
+
+	vdev = wlan_objmgr_get_vdev_by_id_from_psoc(mac_ctx->psoc,
+						    sap_ctx->sessionId,
+						    WLAN_DFS_ID);
+	if (!vdev) {
+		sap_err("vdev is NULL for vdev_id: %u", sap_ctx->sessionId);
+		return false;
+	}
+
+	status = wlan_vdev_is_dfs_cac_wait(vdev);
+	wlan_objmgr_vdev_release_ref(vdev, WLAN_DFS_ID);
+
+	return QDF_IS_STATUS_SUCCESS(status);
+}
+
 /**
  * sap_find_cac_wait_session() - Get context of a SAP session in CAC wait state
  * @handle: Global MAC handle
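Review bot: The lookup in `sap_is_dfs_cac_wait_state()` trusts `sap_ctx->sessionId` to still name this SAP's vdev, and nothing in the hunk shows who guarantees that. If the id could be reused by another vdev after the session is torn down (not visible here), the function would report that other vdev's CAC state, so the precondition deserves a short comment above the lookup. The result is also only a snapshot, since the reference is dropped before the return; I would add `/* Snapshot only: the vdev ref is released before returning, so the state may change */` above the `wlan_vdev_is_dfs_cac_wait()` call. The reference is taken and released under `WLAN_DFS_ID` although the holder is SAP code; if debug ids are meant to attribute references to their owner, `WLAN_LEGACY_SAP_ID` would make a leaked reference easier to trace.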

+ 1 - 7
core/sap/src/sap_internal.h

@@ -460,13 +460,7 @@ uint8_t sap_select_default_oper_chan(struct sap_acs_cfg *acs_cfg);
  *
  * Return: true if sap is in cac wait state
  */
-static inline bool sap_is_dfs_cac_wait_state(struct sap_context *sap_ctx)
-{
-	if (!sap_ctx)
-		return false;
-
-	return  QDF_IS_STATUS_SUCCESS(wlan_vdev_is_dfs_cac_wait(sap_ctx->vdev));
-}
+bool sap_is_dfs_cac_wait_state(struct sap_context *sap_ctx);
 
 /**
  * sap_channel_in_acs_channel_list() - check if channel in acs channel list
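Review bot: The kernel-doc kept above the new prototype still says only `Return: true if sap is in cac wait state`, but the out-of-line implementation in sap_fsm.c also returns false when the MAC handle, MAC context or vdev cannot be obtained. I would change it to `Return: true if sap is in cac wait state; false otherwise, including when the vdev lookup fails`, so callers do not read false as confirmation that CAC has finished. The comment block starts above this hunk, so its remaining lines are not visible here.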