
qca-wifi: remove DP peer back pointer in DP AST entry

Remove the peer pointer from the AST entry and store peer_id instead,
to avoid accessing peer memory without taking a reference

Change-Id: I1e9c2a6880b3582866b821bf56a8400e056665f2
Chaithanya Garrepalli 4 лет назад
Сommit
1052e4d52b
3 измененных файлов с 18 добавлено и 23 удалено
  1. 8 3
      dp/wifi3.0/dp_rx_mon_feature.c
  2. 3 18
      dp/wifi3.0/dp_tx_capture.c
  3. 7 2
      dp/wifi3.0/dp_txrx_wds.h

+ 8 - 3
dp/wifi3.0/dp_rx_mon_feature.c

@@ -386,14 +386,19 @@ dp_rx_enh_capture_is_peer_enabled(struct dp_soc *soc,
 	struct dp_peer *peer;
 	struct dp_ast_entry *ast_entry;
 	uint32_t ast_index;
+	bool rx_cap_enabled;
 
 	ast_index = ppdu_info->rx_user_status[user_id].ast_index;
 	if (ast_index < wlan_cfg_get_max_ast_idx(soc->wlan_cfg_ctx)) {
 		ast_entry = soc->ast_table[ast_index];
 		if (ast_entry) {
-			peer = ast_entry->peer;
-			if (peer && (peer->peer_id != HTT_INVALID_PEER))
-				return peer->rx_cap_enabled;
+			peer = dp_peer_get_ref_by_id(soc, ast_entry->peer_id,
+						     DP_MOD_ID_AST);
+			if (peer) {
+				rx_cap_enabled = peer->rx_cap_enabled;
+				dp_peer_unref_delete(peer, DP_MOD_ID_AST);
+				return rx_cap_enabled;
+			}
 		}
 	}
 	return false;
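Review bot: The lookup `soc->ast_table[ast_index]` and the read of `ast_entry->peer_id` happen with no `soc->ast_lock` visible in this hunk, whereas the dp_tx_capture.c hunks of this commit read `ast_entry->peer_id` before `qdf_spin_unlock_bh(&soc->ast_lock)`. Taking a peer reference removes the unreferenced peer access, but the AST entry itself could still be freed concurrently unless the caller already holds the lock, which cannot be confirmed from here because the function starts above the hunk. If the caller does not hold it, take `qdf_spin_lock_bh(&soc->ast_lock);` around the table read and copy `peer_id` into a local before unlocking. If it does, document that with `/* caller holds soc->ast_lock */` above the table read.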

+ 3 - 18
dp/wifi3.0/dp_tx_capture.c

@@ -5455,12 +5455,7 @@ QDF_STATUS dp_send_cts_frame_to_stack(struct dp_soc *soc,
 		return QDF_STATUS_E_FAILURE;
 	}
 
-	peer = ast_entry->peer;
-	if (!peer || peer->peer_id == HTT_INVALID_PEER) {
-		qdf_spin_unlock_bh(&soc->ast_lock);
-		return QDF_STATUS_E_FAILURE;
-	}
-	peer_id = peer->peer_id;
+	peer_id = ast_entry->peer_id;
 	qdf_spin_unlock_bh(&soc->ast_lock);
 
 	peer = dp_peer_get_ref_by_id(soc, peer_id, DP_MOD_ID_TX_CAPTURE);
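Review bot: The removed branch rejected `HTT_INVALID_PEER` explicitly, while the new line `peer_id = ast_entry->peer_id;` hands whatever the entry holds straight to `dp_peer_get_ref_by_id()`. That is safe only if the lookup range-checks the id and returns NULL for an invalid or stale value, which is not visible on this page. Once that is confirmed, a short comment above the assignment would make the contract explicit, for example `/* peer_id may be HTT_INVALID_PEER; the by-id lookup must return NULL for it */`. The same applies to the identical changes in dp_send_usr_ack_frm_to_stack and dp_send_noack_frame_to_stack, and in all three the NULL check on the returned peer lies outside the hunk.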
@@ -5596,12 +5591,7 @@ void dp_send_usr_ack_frm_to_stack(struct dp_soc *soc,
 		return;
 	}
 
-	peer = ast_entry->peer;
-	if (!peer || peer->peer_id == HTT_INVALID_PEER) {
-		qdf_spin_unlock_bh(&soc->ast_lock);
-		return;
-	}
-	peer_id = peer->peer_id;
+	peer_id = ast_entry->peer_id;
 	qdf_spin_unlock_bh(&soc->ast_lock);
 
 	peer = dp_peer_get_ref_by_id(soc, peer_id, DP_MOD_ID_TX_CAPTURE);
@@ -5864,12 +5854,7 @@ QDF_STATUS dp_send_noack_frame_to_stack(struct dp_soc *soc,
 		return QDF_STATUS_E_FAILURE;
 	}
 
-	peer = ast_entry->peer;
-	if (!peer || peer->peer_id == HTT_INVALID_PEER) {
-		qdf_spin_unlock_bh(&soc->ast_lock);
-		return QDF_STATUS_E_FAILURE;
-	}
-	peer_id = peer->peer_id;
+	peer_id = ast_entry->peer_id;
 	qdf_spin_unlock_bh(&soc->ast_lock);
 
 	peer = dp_peer_get_ref_by_id(soc, peer_id, DP_MOD_ID_TX_CAPTURE);

+ 7 - 2
dp/wifi3.0/dp_txrx_wds.h

@@ -230,7 +230,6 @@ dp_rx_wds_add_or_update_ast(struct dp_soc *soc, struct dp_peer *ta_peer,
 		ast->is_active = TRUE;
 
 	if (sa_sw_peer_id != ta_peer->peer_id) {
-		sa_peer = ast->peer;
 
 		if ((ast->type != CDP_TXRX_AST_TYPE_STATIC) &&
 		    (ast->type != CDP_TXRX_AST_TYPE_SELF) &&
@@ -279,8 +278,13 @@ dp_rx_wds_add_or_update_ast(struct dp_soc *soc, struct dp_peer *ta_peer,
 		 * Kickout, when direct associated peer(SA) roams
 		 * to another AP and reachable via TA peer
 		 */
+		sa_peer = dp_peer_get_ref_by_id(soc, ast->peer_id,
+						DP_MOD_ID_RX);
+		if (!sa_peer)
+			return;
+
 		if ((sa_peer->vdev->opmode == wlan_op_mode_ap) &&
-		    !sa_peer->delete_in_progress) {
+		    sa_peer->delete_in_progress) {
 			qdf_mem_copy(wds_src_mac,
 				     (qdf_nbuf_data(nbuf) + QDF_MAC_ADDR_SIZE),
 				     QDF_MAC_ADDR_SIZE);
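Review bot: The kickout condition changed from `!sa_peer->delete_in_progress` to `sa_peer->delete_in_progress`, which inverts when the roamed SA peer is kicked out, and the commit description mentions only the pointer-to-peer_id conversion. As written, the branch is entered only for a peer that is already being deleted and skipped for a live one, which looks unintended. Unless the inversion is deliberate, restore the original test: `!sa_peer->delete_in_progress) {`. The matching `dp_peer_unref_delete(sa_peer, DP_MOD_ID_RX)` is in the next hunk, and the code between the two is not shown, so any early return there would need the same unref.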
@@ -292,6 +296,7 @@ dp_rx_wds_add_or_update_ast(struct dp_soc *soc, struct dp_peer *ta_peer,
 					wds_src_mac);
 			}
 		}
+		dp_peer_unref_delete(sa_peer, DP_MOD_ID_RX);
 		return;
 	}