From 5ecc8a6cbc22084c2e7d82c2bd145e86e329eb83 Mon Sep 17 00:00:00 2001
From: Ananya Gupta
Date: Thu, 2 Jul 2020 14:17:34 +0530
Subject: [PATCH] qcacmn: Release peer ref count after handle usage is complete

Race condition is observed as dp_ipa_rx_intrabss_fwd is accessing da_peer after releasing the ref count of the peer while that peer is deleted parallelly. To fix this, da_peer and sa_peer are only assigned if the peers are found in the vdev.

Change-Id: Ib03835a509d656eb11946c075b820555b04934f8
CRs-Fixed: 2723448
---
 dp/wifi3.0/dp_ipa.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/dp/wifi3.0/dp_ipa.c b/dp/wifi3.0/dp_ipa.c
index e728334e35..2d28337fc7 100644
--- a/dp/wifi3.0/dp_ipa.c
+++ b/dp/wifi3.0/dp_ipa.c
@@ -1775,20 +1775,20 @@ bool dp_ipa_rx_intrabss_fwd(struct cdp_soc_t *soc_hdl, uint8_t vdev_id,
 	if (!qdf_mem_cmp(eh->h_dest, vdev->mac_addr.raw, QDF_MAC_ADDR_SIZE))
 		return false;
 
-	da_peer = dp_find_peer_by_addr((struct cdp_pdev *)pdev, eh->h_dest);
+	da_peer = dp_find_peer_by_addr_and_vdev(dp_pdev_to_cdp_pdev(pdev),
+						dp_vdev_to_cdp_vdev(vdev),
+						eh->h_dest);
+
 	if (!da_peer)
 		return false;
 
-	if (da_peer->vdev != vdev)
-		return false;
+	sa_peer = dp_find_peer_by_addr_and_vdev(dp_pdev_to_cdp_pdev(pdev),
+						dp_vdev_to_cdp_vdev(vdev),
+						eh->h_source);
 
-	sa_peer = dp_find_peer_by_addr((struct cdp_pdev *)pdev, eh->h_source);
 	if (!sa_peer)
 		return false;
 
-	if (sa_peer->vdev != vdev)
-		return false;
-
 	/*
 	 * In intra-bss forwarding scenario, skb is allocated by IPA driver.
 	 * Need to add skb to internal tracking table to avoid nbuf memory
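Review bot: The new code keeps da_peer and sa_peer after dp_find_peer_by_addr_and_vdev returns, and nothing in the hunk shows a reference being held across that return, so any dereference of either pointer later in the function would reintroduce the use-after-release race the commit message describes; only the NULL tests at `if (!da_peer)` and `if (!sa_peer)` are safe without a reference. If the helper does drop its reference before returning (as the title "release peer ref count after handle usage is complete" suggests), a comment above the first check, such as `/* da_peer/sa_peer hold no reference here: existence check only, do not dereference */`, would make that contract explicit for future edits. A smaller style point is that `dp_pdev_to_cdp_pdev(pdev)` and `dp_vdev_to_cdp_vdev(vdev)` are evaluated twice each and could be hoisted into two locals before the first lookup. dp_ipa_rx_intrabss_fwd begins and ends outside the hunk, so whether the pointers are used further down cannot be confirmed from this view.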