qcacmn: Release peer ref count after handle usage is complete
Race condition is observed as dp_ipa_rx_intrabss_fwd is accessing da_peer after releasing the ref count of the peer while that peer is deleted parallelly. To fix this, da_peer and sa_peer are only assigned if the peers are found in the vdev. Change-Id: Ib03835a509d656eb11946c075b820555b04934f8 CRs-Fixed: 2723448
This commit is contained in:
Ananya Gupta
@@ -1775,20 +1775,20 @@ bool dp_ipa_rx_intrabss_fwd(struct cdp_soc_t *soc_hdl, uint8_t vdev_id,
|
|||||||
if (!qdf_mem_cmp(eh->h_dest, vdev->mac_addr.raw, QDF_MAC_ADDR_SIZE))
|
if (!qdf_mem_cmp(eh->h_dest, vdev->mac_addr.raw, QDF_MAC_ADDR_SIZE))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
da_peer = dp_find_peer_by_addr((struct cdp_pdev *)pdev, eh->h_dest);
|
da_peer = dp_find_peer_by_addr_and_vdev(dp_pdev_to_cdp_pdev(pdev),
|
||||||
|
dp_vdev_to_cdp_vdev(vdev),
|
||||||
|
eh->h_dest);
|
||||||
|
|
||||||
if (!da_peer)
|
if (!da_peer)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (da_peer->vdev != vdev)
|
sa_peer = dp_find_peer_by_addr_and_vdev(dp_pdev_to_cdp_pdev(pdev),
|
||||||
return false;
|
dp_vdev_to_cdp_vdev(vdev),
|
||||||
|
eh->h_source);
|
||||||
|
|
||||||
sa_peer = dp_find_peer_by_addr((struct cdp_pdev *)pdev, eh->h_source);
|
|
||||||
if (!sa_peer)
|
if (!sa_peer)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (sa_peer->vdev != vdev)
|
|
||||||
return false;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* In intra-bss forwarding scenario, skb is allocated by IPA driver.
|
* In intra-bss forwarding scenario, skb is allocated by IPA driver.
|
||||||
* Need to add skb to internal tracking table to avoid nbuf memory
|
* Need to add skb to internal tracking table to avoid nbuf memory
|
||||||
|
|||||||
Reference in New Issue
Block a user