From 7a081368a16ae1d0ff1b7f72e0aecf201ed04db6 Mon Sep 17 00:00:00 2001
From: Debasis Das
Date: Tue, 27 Aug 2019 13:40:21 +0530
Subject: [PATCH] qcacmn: Fix use-after-free while draining reo cmd ring

While draining the pending reo cmd's during wifi down, the tid array from the peer structure is used in debug statement.However,the peer is freed much before the drain operation.This leads to use-after-free access.

Change-Id: Idf92ccd0fe4eba3eed8a97ac83485de8fccb0f24
---
 dp/wifi3.0/dp_peer.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/dp/wifi3.0/dp_peer.c b/dp/wifi3.0/dp_peer.c
index f87fad6a39..4c893a41e4 100644
--- a/dp/wifi3.0/dp_peer.c
+++ b/dp/wifi3.0/dp_peer.c
@@ -1310,6 +1310,9 @@ void dp_rx_tid_stats_cb(struct dp_soc *soc, void *cb_ctxt,
 struct dp_rx_tid *rx_tid = (struct dp_rx_tid *)cb_ctxt;
 struct hal_reo_queue_status *queue_status = &(reo_status->queue_status);
 
+ if (queue_status->header.status == HAL_REO_CMD_DRAIN)
+ return;
+
 if (queue_status->header.status != HAL_REO_CMD_SUCCESS) {
 DP_PRINT_STATS("REO stats failure %d for TID %d\n",
 queue_status->header.status, rx_tid->tid);
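Review bot: The added early return on HAL_REO_CMD_DRAIN carries no comment, so the next reader will not see that it exists because cb_ctxt (rx_tid) points into a peer that has already been freed by the time drained callbacks run, as the commit message explains; I would put `/* On drain the owning peer may already be freed: cb_ctxt (rx_tid) must not be dereferenced. */` directly above the new `if`. The fix also relies on every post-free callback being reported with exactly HAL_REO_CMD_DRAIN, because the unchanged failure branch below still dereferences `rx_tid->tid` in DP_PRINT_STATS; if any other non-success status can reach this callback after the peer is torn down (I cannot tell from the hunk), that path keeps the same use-after-free, and it would be safer to print only `queue_status->header.status` there or to validate the context before touching it. The body of dp_rx_tid_stats_cb continues outside the hunk.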