
qcacmn: Fix use-after-free of MGMT Rx params in wlan_mgmt_rx_reo_algo_entry

Once an incoming MGMT frame is inserted in the MGMT Rx REO egress list from
wlan_mgmt_rx_reo_algo_entry(), there is always a possibility that the same
frame could be sent to upper layers from the other CPUs before
wlan_mgmt_rx_reo_algo_entry() completes its execution in the original
MGMT Rx path. This means that nbuf and MGMT Rx params of a given frame
could be freed before wlan_mgmt_rx_reo_algo_entry() completes.
Hence, make sure not to access the frame's nbuf and MGMT Rx params once the
list updates are done for that frame.

Change-Id: I91cbdef4b1ea5b81d39606e47a46021f30193ce5
CRs-Fixed: 3433621
Shiva Krishna Pittala, 2 years ago
Parent commit: 45da3822ae
1 file changed with 2 additions and 1 deletion
  umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_rx_reo.c

+ 2 - 1
umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_rx_reo.c

@@ -4755,6 +4755,7 @@ wlan_mgmt_rx_reo_algo_entry(struct wlan_objmgr_pdev *pdev,
 	if (QDF_IS_STATUS_ERROR(ret))
 		goto failure;
 
+	ctx_info.in_reo_params = *desc->rx_params->reo_params;
 	/* Update ingress and egress list */
 	ret = mgmt_rx_reo_update_lists(ingress_list, egress_list, desc,
 				       is_queued);
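Review bot: the moved assignment `ctx_info.in_reo_params = *desc->rx_params->reo_params;` now sits immediately before `mgmt_rx_reo_update_lists()` without a comment explaining why the ordering matters, and the whole point of the change is that ordering. Add a short comment above the new line stating that `desc->rx_params` may be freed by another CPU once the frame is in the egress list, so the reo params must be copied before the lists are updated; otherwise a later refactor can move the copy back below the call and silently reintroduce the use-after-free. Also worth a second look: the early `goto failure` just above still exits before the list update, so that path is fine, but confirm that nothing between this hunk and the next one (lines not shown here) still dereferences `desc->nbuf` or `desc->rx_params` after `mgmt_rx_reo_update_lists()` returns.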
@@ -4777,8 +4778,8 @@ wlan_mgmt_rx_reo_algo_entry(struct wlan_objmgr_pdev *pdev,
 		return ret;
 
 	ctx_info.context = MGMT_RX_REO_CONTEXT_MGMT_RX;
-	ctx_info.in_reo_params = *desc->rx_params->reo_params;
 	ctx_info.context_id = context_id;
+
 	/* Finally, release the entries for which pending frame is received */
 	return mgmt_rx_reo_release_egress_list_entries(reo_ctx, 1 << cur_link,
 						       &ctx_info);
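Review bot: with the `in_reo_params` copy removed here, the remaining code after the list update only touches `ctx_info` (`context`, `context_id`) and `reo_ctx`, which is what the commit message requires; the only thing still worth checking is the `return ret;` path at the top of this hunk and the `failure:` label referenced in the previous hunk, to make sure neither logs or inspects `desc->rx_params` once the frame has been queued to the egress list. The added blank line before the "Finally, release the entries" comment is fine stylistically, but it is an unrelated whitespace change in a fix commit and could be dropped to keep the diff minimal.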