From 76112c241f5da78d5185fdc8f368e9f482a95f93 Mon Sep 17 00:00:00 2001
From: Chaithanya Garrepalli
Date: Fri, 26 Feb 2021 12:32:39 +0530
Subject: [PATCH] qcacmn: fix use after free of tx descriptor
In dp_tx_send_msdu_multiple API fix use after free of tx_desc in case of HW enqueue failed
Change-Id: Iec0375e394c706fa0c39ee18728ac1c02090461c
---
 dp/wifi3.0/dp_tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dp/wifi3.0/dp_tx.c b/dp/wifi3.0/dp_tx.c
index ae8fa031de..5fe2ce945e 100644
--- a/dp/wifi3.0/dp_tx.c
+++ b/dp/wifi3.0/dp_tx.c
@@ -2316,7 +2316,6 @@ qdf_nbuf_t dp_tx_send_msdu_multiple(struct dp_vdev *vdev, qdf_nbuf_t nbuf,
 tid_tx_stats[tx_q->ring_id][msdu_info->tid];
 tid_stats->swdrop_cnt[TX_HW_ENQUEUE]++;
- dp_tx_desc_release(tx_desc, tx_q->desc_pool_id);
 if (msdu_info->frm_type == dp_tx_frm_me) {
 hw_enq_fail++;
 if (hw_enq_fail == msdu_info->num_seg) {
@@ -2365,6 +2364,7 @@ qdf_nbuf_t dp_tx_send_msdu_multiple(struct dp_vdev *vdev, qdf_nbuf_t nbuf,
 continue;
 }
+ dp_tx_desc_release(tx_desc, tx_q->desc_pool_id);
 goto done;
 }
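Review bot: The release added before `goto done` in the second hunk is only reached on the fall-through path, so any branch of this HW-enqueue-failure path that leaves with `continue;` now keeps its tx_desc allocated. The hunk's context shows one such `continue;` immediately above the new call, and the first hunk removes the release that used to run before the `dp_tx_frm_me` block; the code between the two hunks is not visible, so whether those branches free the descriptor some other way should be confirmed. If they do not, each of them needs `dp_tx_desc_release(tx_desc, tx_q->desc_pool_id);` after its last use of tx_desc and before its `continue;`, otherwise repeated enqueue failures would drain the descriptor pool. The body of dp_tx_send_msdu_multiple starts and ends outside both hunks.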