
qcacld-3.0: Avoid the use of add-sta pointer after free

In err case "add_sta ptr" is freed in wma_send_msg_high_priority
and referenced again in caller API

so fix this by removing references to "add_sta ptr" in the caller
APIs after it is freed

CRs-Fixed: 3197782
Change-Id: Id1424b2802108f7d7475ed5dbf28e938bb47b525
Rahul Gusain 2 tahun lalu
5cbe75162d

+ 12 - 6
core/wma/src/wma_dev_if.c

@@ -5357,6 +5357,7 @@ void wma_add_sta(tp_wma_handle wma, tpAddStaParams add_sta)
 	uint8_t oper_mode = BSS_OPERATIONAL_MODE_STA;
 	void *htc_handle;
 	QDF_STATUS status = QDF_STATUS_SUCCESS;
+	uint8_t vdev_id = add_sta->smesessionId;
 
 	htc_handle = lmac_get_htc_hdl(wma->psoc);
 	if (!htc_handle) {
@@ -5364,13 +5365,13 @@ void wma_add_sta(tp_wma_handle wma, tpAddStaParams add_sta)
 		return;
 	}
 
-	wma_debug("Vdev %d BSSID "QDF_MAC_ADDR_FMT, add_sta->smesessionId,
+	wma_debug("Vdev %d BSSID "QDF_MAC_ADDR_FMT, vdev_id,
 		  QDF_MAC_ADDR_REF(add_sta->bssId));
 
-	if (wma_is_vdev_in_ap_mode(wma, add_sta->smesessionId))
+	if (wma_is_vdev_in_ap_mode(wma, vdev_id))
 		oper_mode = BSS_OPERATIONAL_MODE_AP;
 
-	if (WMA_IS_VDEV_IN_NDI_MODE(wma->interfaces, add_sta->smesessionId))
+	if (WMA_IS_VDEV_IN_NDI_MODE(wma->interfaces, vdev_id))
 		oper_mode = BSS_OPERATIONAL_MODE_NDI;
 	switch (oper_mode) {
 	case BSS_OPERATIONAL_MODE_STA:
@@ -5381,12 +5382,17 @@ void wma_add_sta(tp_wma_handle wma, tpAddStaParams add_sta)
 		wma_add_sta_req_ap_mode(wma, add_sta);
 		break;
 	case BSS_OPERATIONAL_MODE_NDI:
-		status = wma_add_sta_ndi_mode(wma, add_sta);
+		wma_add_sta_ndi_mode(wma, add_sta);
 		break;
 	}
 
+	/*
+	 * not use add_sta after this to avoid use after free
+	 * as it maybe freed.
+	 */
+
 	/* handle wow for sap with 1 or more peer in same way */
-	if (wma_is_vdev_in_sap_mode(wma, add_sta->smesessionId)) {
+	if (wma_is_vdev_in_sap_mode(wma, vdev_id)) {
 		bool is_bus_suspend_allowed_in_sap_mode =
 			(wlan_pmo_get_sap_mode_bus_suspend(wma->psoc) &&
 				wmi_service_enabled(wma->wmi_handle,
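Review bot: The comment added after the switch is awkwardly worded and does not say why add_sta may be gone, which is the one thing a future maintainer needs before touching this function; suggest `/* add_sta may already have been freed by the mode handlers above (per the commit, the response path hands it to wma_send_msg_high_priority, which frees it on error); use vdev_id from here on, never add_sta. */`. With the NDI case no longer assigning `status`, check whether the `QDF_STATUS status` local declared at the top of wma_add_sta is still assigned in any remaining case; if not it is now a set-but-unused variable that `-Wunused-but-set-variable` will flag. The same reasoning applies to the STA and AP cases, which presumably reach the same response path, so the rule in the comment should be read as covering all three. wma_add_sta continues outside this hunk.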
@@ -5404,7 +5410,7 @@ void wma_add_sta(tp_wma_handle wma, tpAddStaParams add_sta)
 	}
 
 	/* handle wow for p2pgo with 1 or more peer in same way */
-	if (wma_is_vdev_in_go_mode(wma, add_sta->smesessionId)) {
+	if (wma_is_vdev_in_go_mode(wma, vdev_id)) {
 		bool is_bus_suspend_allowed_in_go_mode =
 			(wlan_pmo_get_go_mode_bus_suspend(wma->psoc) &&
 				wmi_service_enabled(wma->wmi_handle,

+ 3 - 2
core/wma/src/wma_nan_datapath.c

@@ -35,7 +35,7 @@
 #include "cdp_txrx_misc.h"
 #include <cdp_txrx_handle.h>
 
-QDF_STATUS wma_add_sta_ndi_mode(tp_wma_handle wma, tpAddStaParams add_sta)
+void wma_add_sta_ndi_mode(tp_wma_handle wma, tpAddStaParams add_sta)
 {
 	enum ol_txrx_peer_state state = OL_TXRX_PEER_STATE_CONN;
 	uint8_t pdev_id = WMI_PDEV_ID_SOC;
@@ -98,9 +98,10 @@ QDF_STATUS wma_add_sta_ndi_mode(tp_wma_handle wma, tpAddStaParams add_sta)
 send_rsp:
 	wma_debug("Sending add sta rsp to umac (mac:"QDF_MAC_ADDR_FMT", status:%d)",
 		  QDF_MAC_ADDR_REF(add_sta->staMac), add_sta->status);
+
 	wma_send_msg_high_priority(wma, WMA_ADD_STA_RSP, (void *)add_sta, 0);
 
-	return add_sta->status;
+	return;
 }
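Review bot: The trailing `return;` at the end of wma_add_sta_ndi_mode is redundant now that the function is void, and the blank line added before the wma_send_msg_high_priority call adds nothing; dropping both leaves the function ending on the send. Since this function hands add_sta to wma_send_msg_high_priority, which the commit message says frees it in the error case, the ownership transfer deserves a one-line comment at the call rather than being implied by the changed return type: `/* add_sta is owned by the message path from here on; do not touch it after this call */`. The body of wma_add_sta_ndi_mode begins outside this hunk.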
 
 QDF_STATUS wma_delete_sta_req_ndi_mode(tp_wma_handle wma,

+ 2 - 2
core/wma/src/wma_nan_datapath.h

@@ -53,9 +53,9 @@ static inline uint32_t wma_ndp_get_eventid_from_tlvtag(uint32_t tag)
  * @add_sta: Parameters of ADD_STA command
  *
  * Sends CREATE_PEER command to firmware
- * Return: QDF_STATUS
+ * Return: none
  */
-QDF_STATUS wma_add_sta_ndi_mode(tp_wma_handle wma, tpAddStaParams add_sta);
+void wma_add_sta_ndi_mode(tp_wma_handle wma, tpAddStaParams add_sta);
 
 /**
  * wma_update_hdd_cfg_ndp() - Update target device NAN datapath capability