From 8b51c23a16f60c71c21ea3ca56040b1ee3a451c7 Mon Sep 17 00:00:00 2001
From: Abhinav Kumar
Date: Fri, 12 Jul 2019 15:00:24 +0530
Subject: [PATCH] qcacmn: Handle use-after-free scenario while stopping soft AP

Currently, driver sets BSS peer and self peer to NULL only in case of PEER AP/GO. It nither set BSS peer nor self peer to NULL for GO/AP while de-attaching peers. This results in bss peer use after free issue while stopping soft AP. In order to fix this issue, the driver should set bss peer and self peer to NULL for GO/AP as well. Fix is to set bss peer and self peer to NULL for both PEER and AP cases.

Change-Id: I055573c062c5a4e71fef2a699131e10fb6d97d71
CRs-Fixed: 2488371
---
 .../obj_mgr/src/wlan_objmgr_vdev_obj.c | 41 +++++++++----------
 1 file changed, 19 insertions(+), 22 deletions(-)

diff --git a/umac/cmn_services/obj_mgr/src/wlan_objmgr_vdev_obj.c b/umac/cmn_services/obj_mgr/src/wlan_objmgr_vdev_obj.c
index db2be96e8d..b2c920dc60 100644
--- a/umac/cmn_services/obj_mgr/src/wlan_objmgr_vdev_obj.c
+++ b/umac/cmn_services/obj_mgr/src/wlan_objmgr_vdev_obj.c
@@ -823,29 +823,26 @@ QDF_STATUS wlan_objmgr_vdev_peer_detach(struct wlan_objmgr_vdev *vdev,
 		return QDF_STATUS_E_FAILURE;
 	}
 
-	if ((wlan_peer_get_peer_type(peer) == WLAN_PEER_AP) ||
-	    (wlan_peer_get_peer_type(peer) == WLAN_PEER_P2P_GO)) {
-		if (wlan_vdev_get_selfpeer(vdev) == peer) {
-			/*
-			 * There might be instances where new node is created
-			 * before deleting existing node, in which case selfpeer
-			 * will be pointing to the new node. So set selfpeer to
-			 * NULL only if vdev->vdev_objmgr.self_peer is pointing
-			 * to the peer processed for deletion
-			 */
-			wlan_vdev_set_selfpeer(vdev, NULL);
-		}
+	if (wlan_vdev_get_selfpeer(vdev) == peer) {
+		/*
+		 * There might be instances where new node is created
+		 * before deleting existing node, in which case selfpeer
+		 * will be pointing to the new node. So set selfpeer to
+		 * NULL only if vdev->vdev_objmgr.self_peer is pointing
+		 * to the peer processed for deletion
+		 */
+		wlan_vdev_set_selfpeer(vdev, NULL);
+	}
 
-		if (wlan_vdev_get_bsspeer(vdev) == peer) {
-			/*
-			 * There might be instances where new node is created
-			 * before deleting existing node, in which case bsspeer
-			 * in vdev will be pointing to the new node. So set
-			 * bsspeer to NULL only if vdev->vdev_objmgr.bss_peer is
-			 * pointing to the peer processed for deletion
-			 */
-			wlan_vdev_set_bsspeer(vdev, NULL);
-		}
+	if (wlan_vdev_get_bsspeer(vdev) == peer) {
+		/*
+		 * There might be instances where new node is created
+		 * before deleting existing node, in which case bsspeer
+		 * in vdev will be pointing to the new node. So set
+		 * bsspeer to NULL only if vdev->vdev_objmgr.bss_peer is
+		 * pointing to the peer processed for deletion
+		 */
+		wlan_vdev_set_bsspeer(vdev, NULL);
 	}
 
 	/* remove peer from vdev's peer list */
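Review bot: The two comment blocks above `wlan_vdev_set_selfpeer(vdev, NULL)` and `wlan_vdev_set_bsspeer(vdev, NULL)` are now verbatim duplicates at the same nesting level, and neither records why the peer-type guard was dropped, so a later reader has nothing stopping them from reinstating it and reintroducing the dangling bss_peer. Replace both with a single comment above the first `if`, e.g. `/* Clear self_peer/bss_peer if they point at @peer, whatever its type: on an AP/GO vdev they may reference a non-AP-typed peer (CR 2488371). Pointer compare, since a new node may already replace this one. */`. Clearing on match only closes the use-after-free if this compare-and-clear runs under the same lock that readers of `wlan_vdev_get_bsspeer()`/`wlan_vdev_get_selfpeer()` take; the lock state is not visible here, since `wlan_objmgr_vdev_peer_detach` begins before the hunk and continues after it (the peer-list removal), so please confirm the vdev object lock is held across this block.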