qcacmn: Fix use-after-free while draining reo cmd ring

While draining the pending reo cmd's during wifi down, the tid array from the peer structure is used in debug statement.However,the peer is freed much before the drain operation.This leads to use-after-free access. Change-Id: Idf92ccd0fe4eba3eed8a97ac83485de8fccb0f24
2019-08-27 13:40:21 +05:30
parent 5f1a994b1d
commit 7a081368a1
1 changed files with 3 additions and 0 deletions
--- a/dp/wifi3.0/dp_peer.c
+++ b/dp/wifi3.0/dp_peer.c
@@ -1310,6 +1310,9 @@ void dp_rx_tid_stats_cb(struct dp_soc *soc, void *cb_ctxt,
 	struct dp_rx_tid *rx_tid = (struct dp_rx_tid *)cb_ctxt;
 	struct hal_reo_queue_status *queue_status = &(reo_status->queue_status);

+	if (queue_status->header.status == HAL_REO_CMD_DRAIN)
+		return;
+
 	if (queue_status->header.status != HAL_REO_CMD_SUCCESS) {
 		DP_PRINT_STATS("REO stats failure %d for TID %d\n",
 			       queue_status->header.status, rx_tid->tid);