qcacld-3.0: Delete dp_link only after dp_vdev is freed

Currently the dp_link address is provided to CDP vdev as a part of vdev register. Also, as per the vdev deletion sequence, it is possible that dp_link can be destroyed before CDP vdev is detached. This can lead to use-after-free scenario when CDP vdev uses the osif_vdev handle (which is the dp_link handle). In order to fix this, do not free the dp_link till the CDP vdev has been detached. Change-Id: Ie5a1140a0d256b6115fa62e30e6bfd61d1dfc898 CRs-Fixed: 3696641
2023-10-16 09:58:54 -07:00
--- a/components/dp/dispatcher/src/wlan_dp_ucfg_api.c
+++ b/components/dp/dispatcher/src/wlan_dp_ucfg_api.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -1176,6 +1176,7 @@ QDF_STATUS ucfg_dp_sta_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 	txrx_ops.tx.tx_comp = dp_sta_notify_tx_comp_cb;
 	txrx_ops.tx.tx = NULL;
 	txrx_ops.get_tsf_time = wlan_dp_get_tsf_time;
+	txrx_ops.vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 	cdp_vdev_register(soc, dp_link->link_id, (ol_osif_vdev_handle)dp_link,
 			  &txrx_ops);
 	if (!txrx_ops.tx.tx) {
@@ -1183,6 +1184,7 @@ QDF_STATUS ucfg_dp_sta_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 		return QDF_STATUS_E_FAILURE;
 	}

+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = txrx_ops;

 	return QDF_STATUS_SUCCESS;
@@ -1227,6 +1229,7 @@ QDF_STATUS ucfg_dp_tdlsta_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 	txrx_ops.tx.tx_comp = dp_sta_notify_tx_comp_cb;
 	txrx_ops.tx.tx = NULL;

+	txrx_ops.vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 	cdp_vdev_register(soc, dp_link->link_id, (ol_osif_vdev_handle)dp_link,
 			  &txrx_ops);

@@ -1235,6 +1238,7 @@ QDF_STATUS ucfg_dp_tdlsta_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 		return QDF_STATUS_E_FAILURE;
 	}

+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = txrx_ops;

 	return QDF_STATUS_SUCCESS;
@@ -1259,6 +1263,7 @@ QDF_STATUS ucfg_dp_ocb_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 	qdf_mem_zero(&txrx_ops, sizeof(txrx_ops));
 	txrx_ops.rx.rx = dp_rx_packet_cbk;
 	txrx_ops.rx.stats_rx = dp_tx_rx_collect_connectivity_stats_info;
+	txrx_ops.vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;

 	cdp_vdev_register(soc, dp_link->link_id, (ol_osif_vdev_handle)dp_link,
 			  &txrx_ops);
@@ -1267,6 +1272,7 @@ QDF_STATUS ucfg_dp_ocb_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 		return QDF_STATUS_E_FAILURE;
 	}

+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = txrx_ops;

 	qdf_copy_macaddr(&dp_link->conn_info.peer_macaddr,
@@ -1293,10 +1299,12 @@ QDF_STATUS ucfg_dp_mon_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 	qdf_mem_zero(&txrx_ops, sizeof(txrx_ops));
 	txrx_ops.rx.rx = dp_mon_rx_packet_cbk;
 	dp_monitor_set_rx_monitor_cb(&txrx_ops, dp_rx_monitor_callback);
+	txrx_ops.vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 	cdp_vdev_register(soc, dp_link->link_id,
 			  (ol_osif_vdev_handle)dp_link,
 			  &txrx_ops);

+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = txrx_ops;

 	return QDF_STATUS_SUCCESS;
@@ -1333,6 +1341,7 @@ QDF_STATUS ucfg_dp_softap_register_txrx_ops(struct wlan_objmgr_vdev *vdev,
 	}

 	txrx_ops->get_tsf_time = wlan_dp_get_tsf_time;
+	txrx_ops->vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 	cdp_vdev_register(soc,
 			  dp_link->link_id,
 			  (ol_osif_vdev_handle)dp_link,
@@ -1342,6 +1351,7 @@ QDF_STATUS ucfg_dp_softap_register_txrx_ops(struct wlan_objmgr_vdev *vdev,
 		return QDF_STATUS_E_FAILURE;
 	}

+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = *txrx_ops;
 	dp_intf->sap_tx_block_mask &= ~DP_TX_FN_CLR;