qcacld-3.0: Delete dp_link only after dp_vdev is freed

Currently the dp_link address is provided to CDP vdev
as a part of vdev register. Also, as per the vdev deletion
sequence, it is possible that dp_link can be destroyed
before CDP vdev is detached. This can lead to use-after-free
scenario when CDP vdev uses the osif_vdev handle (which is
the dp_link handle).

In order to fix this, do not free the dp_link till the CDP
vdev has been detached.

Change-Id: Ie5a1140a0d256b6115fa62e30e6bfd61d1dfc898
CRs-Fixed: 3696641

components/dp/core/inc/wlan_dp_main.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -967,6 +967,14 @@ QDF_STATUS wlan_dp_select_profile_cfg(struct wlan_objmgr_psoc *psoc)
 }
 #endif
 
+/**
+ * wlan_dp_link_cdp_vdev_delete_notification() - CDP vdev delete notification
+ * @context: osif_vdev handle
+ *
+ * Return: None
+ */
+void wlan_dp_link_cdp_vdev_delete_notification(void *context);
+
 /* DP CFG APIs - START */
 
 #ifdef WLAN_SUPPORT_RX_FISA

components/dp/core/inc/wlan_dp_priv.h

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -701,6 +701,11 @@ struct wlan_dp_intf {
  * @vdev: object manager vdev context
  * @vdev_lock: vdev spin lock
  * @conn_info: STA connection information
+ * @destroyed: flag to indicate dp_link destroyed (logical delete)
+ * @cdp_vdev_registered: flag to indicate if corresponding CDP vdev
+ *			 is registered
+ * @cdp_vdev_deleted: flag to indicate if corresponding CDP vdev is deleted
+ * @inactive_list_elem: list node for membership in dp link inactive list
  */
 struct wlan_dp_link {
 	qdf_list_node_t node;
@@ -710,6 +715,10 @@ struct wlan_dp_link {
 	struct wlan_objmgr_vdev *vdev;
 	qdf_spinlock_t vdev_lock;
 	struct wlan_dp_conn_info conn_info;
+	uint8_t destroyed : 1,
+		cdp_vdev_registered : 1,
+		cdp_vdev_deleted : 1;
+	TAILQ_ENTRY(wlan_dp_link) inactive_list_elem;
 };
 
 /**
@@ -805,6 +814,8 @@ struct dp_direct_link_context {
  * @skip_fisa_param.skip_fisa: Flag to skip FISA aggr inside @skip_fisa_param
  * @skip_fisa_param.fisa_force_flush: Force flush inside @skip_fisa_param
  * @fst_cmem_size: CMEM size for FISA flow table
+ * @inactive_dp_link_list: inactive DP links list
+ * @dp_link_del_lock: DP link delete operation lock
  */
 struct wlan_dp_psoc_context {
 	struct wlan_objmgr_psoc *psoc;
@@ -905,6 +916,8 @@ struct wlan_dp_psoc_context {
 	uint64_t fst_cmem_size;
 
 #endif
+	TAILQ_HEAD(, wlan_dp_link) inactive_dp_link_list;
+	qdf_spinlock_t dp_link_del_lock;
 };
 
 #ifdef WLAN_DP_PROFILE_SUPPORT

components/dp/core/src/wlan_dp_main.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -80,6 +80,7 @@ QDF_STATUS dp_allocate_ctx(void)
 
 	qdf_spinlock_create(&dp_ctx->intf_list_lock);
 	qdf_list_create(&dp_ctx->intf_list, 0);
+	TAILQ_INIT(&dp_ctx->inactive_dp_link_list);
 
 	dp_attach_ctx(dp_ctx);
 
@@ -1246,10 +1247,32 @@ dp_vdev_obj_create_notification(struct wlan_objmgr_vdev *vdev, void *arg)
 	return status;
 }
 
+static void dp_link_handle_cdp_vdev_delete(struct wlan_dp_psoc_context *dp_ctx,
+					   struct wlan_dp_link *dp_link)
+{
+	qdf_spin_lock_bh(&dp_ctx->dp_link_del_lock);
+
+	if (!dp_link->cdp_vdev_registered || dp_link->cdp_vdev_deleted) {
+		/* CDP vdev is not created/registered or already deleted */
+		qdf_mem_free(dp_link);
+	} else {
+		/*
+		 * Add it to inactive dp_link list, and it will be freed when
+		 * the CDP vdev gets deleted
+		 */
+		TAILQ_INSERT_TAIL(&dp_ctx->inactive_dp_link_list, dp_link,
+				  inactive_list_elem);
+		dp_link->destroyed = 1;
+	}
+
+	qdf_spin_unlock_bh(&dp_ctx->dp_link_del_lock);
+}
+
 QDF_STATUS
 dp_vdev_obj_destroy_notification(struct wlan_objmgr_vdev *vdev, void *arg)
 
 {
+	struct wlan_dp_psoc_context *dp_ctx;
 	struct wlan_dp_intf *dp_intf;
 	struct wlan_dp_link *dp_link;
 	QDF_STATUS status = QDF_STATUS_SUCCESS;
@@ -1264,6 +1287,7 @@ dp_vdev_obj_destroy_notification(struct wlan_objmgr_vdev *vdev, void *arg)
 	}
 
 	dp_intf = dp_link->dp_intf;
+	dp_ctx = dp_intf->dp_ctx;
 
 	qdf_spin_lock_bh(&dp_intf->dp_link_list_lock);
 	qdf_list_remove_node(&dp_intf->dp_link_list, &dp_link->node);
@@ -1324,7 +1348,8 @@ dp_vdev_obj_destroy_notification(struct wlan_objmgr_vdev *vdev, void *arg)
 		return status;
 	}
 
-	qdf_mem_free(dp_link);
+	dp_link_handle_cdp_vdev_delete(dp_ctx, dp_link);
+
 	return status;
 }
 
@@ -1978,6 +2003,53 @@ wlan_dp_fisa_resume(struct wlan_dp_psoc_context *dp_ctx)
 }
 #endif
 
+void wlan_dp_link_cdp_vdev_delete_notification(void *context)
+{
+	struct wlan_dp_link *dp_link = (struct wlan_dp_link *)context;
+	struct wlan_dp_link *tmp_dp_link;
+	struct wlan_dp_intf *dp_intf = NULL;
+	struct wlan_dp_psoc_context *dp_ctx = NULL;
+	uint8_t found = 0;
+
+	/* TODO - What will happen if cdp vdev was never created ? */
+
+	/* dp_link will not be freed before this point. */
+	if (!dp_link)
+		return;
+
+	dp_intf = dp_link->dp_intf;
+	dp_ctx = dp_intf->dp_ctx;
+
+	qdf_spin_lock_bh(&dp_ctx->dp_link_del_lock);
+
+	if (dp_link->destroyed) {
+		/*
+		 * dp_link has been destroyed as a part of vdev_obj_destroy
+		 * notification and will be present in inactive list
+		 */
+		TAILQ_FOREACH(tmp_dp_link, &dp_ctx->inactive_dp_link_list,
+			      inactive_list_elem) {
+			if (tmp_dp_link == dp_link) {
+				found = 1;
+				break;
+			}
+		}
+
+		if (found)
+			TAILQ_REMOVE(&dp_ctx->inactive_dp_link_list, dp_link,
+				     inactive_list_elem);
+		else
+			qdf_assert_always(0);
+
+		qdf_mem_free(dp_link);
+	} else {
+		/* dp_link not yet destroyed */
+		dp_link->cdp_vdev_deleted = 1;
+	}
+
+	qdf_spin_unlock_bh(&dp_ctx->dp_link_del_lock);
+}
+
 QDF_STATUS __wlan_dp_runtime_suspend(ol_txrx_soc_handle soc, uint8_t pdev_id)
 {
 	struct wlan_dp_psoc_context *dp_ctx;

components/dp/dispatcher/src/wlan_dp_ucfg_api.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -1176,6 +1176,7 @@ QDF_STATUS ucfg_dp_sta_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 	txrx_ops.tx.tx_comp = dp_sta_notify_tx_comp_cb;
 	txrx_ops.tx.tx = NULL;
 	txrx_ops.get_tsf_time = wlan_dp_get_tsf_time;
+	txrx_ops.vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 	cdp_vdev_register(soc, dp_link->link_id, (ol_osif_vdev_handle)dp_link,
 			  &txrx_ops);
 	if (!txrx_ops.tx.tx) {
@@ -1183,6 +1184,7 @@ QDF_STATUS ucfg_dp_sta_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 		return QDF_STATUS_E_FAILURE;
 	}
 
+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = txrx_ops;
 
 	return QDF_STATUS_SUCCESS;
@@ -1227,6 +1229,7 @@ QDF_STATUS ucfg_dp_tdlsta_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 	txrx_ops.tx.tx_comp = dp_sta_notify_tx_comp_cb;
 	txrx_ops.tx.tx = NULL;
 
+	txrx_ops.vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 	cdp_vdev_register(soc, dp_link->link_id, (ol_osif_vdev_handle)dp_link,
 			  &txrx_ops);
 
@@ -1235,6 +1238,7 @@ QDF_STATUS ucfg_dp_tdlsta_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 		return QDF_STATUS_E_FAILURE;
 	}
 
+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = txrx_ops;
 
 	return QDF_STATUS_SUCCESS;
@@ -1259,6 +1263,7 @@ QDF_STATUS ucfg_dp_ocb_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 	qdf_mem_zero(&txrx_ops, sizeof(txrx_ops));
 	txrx_ops.rx.rx = dp_rx_packet_cbk;
 	txrx_ops.rx.stats_rx = dp_tx_rx_collect_connectivity_stats_info;
+	txrx_ops.vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 
 	cdp_vdev_register(soc, dp_link->link_id, (ol_osif_vdev_handle)dp_link,
 			  &txrx_ops);
@@ -1267,6 +1272,7 @@ QDF_STATUS ucfg_dp_ocb_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 		return QDF_STATUS_E_FAILURE;
 	}
 
+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = txrx_ops;
 
 	qdf_copy_macaddr(&dp_link->conn_info.peer_macaddr,
@@ -1293,10 +1299,12 @@ QDF_STATUS ucfg_dp_mon_register_txrx_ops(struct wlan_objmgr_vdev *vdev)
 	qdf_mem_zero(&txrx_ops, sizeof(txrx_ops));
 	txrx_ops.rx.rx = dp_mon_rx_packet_cbk;
 	dp_monitor_set_rx_monitor_cb(&txrx_ops, dp_rx_monitor_callback);
+	txrx_ops.vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 	cdp_vdev_register(soc, dp_link->link_id,
 			  (ol_osif_vdev_handle)dp_link,
 			  &txrx_ops);
 
+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = txrx_ops;
 
 	return QDF_STATUS_SUCCESS;
@@ -1333,6 +1341,7 @@ QDF_STATUS ucfg_dp_softap_register_txrx_ops(struct wlan_objmgr_vdev *vdev,
 	}
 
 	txrx_ops->get_tsf_time = wlan_dp_get_tsf_time;
+	txrx_ops->vdev_del_notify = wlan_dp_link_cdp_vdev_delete_notification;
 	cdp_vdev_register(soc,
 			  dp_link->link_id,
 			  (ol_osif_vdev_handle)dp_link,
@@ -1342,6 +1351,7 @@ QDF_STATUS ucfg_dp_softap_register_txrx_ops(struct wlan_objmgr_vdev *vdev,
 		return QDF_STATUS_E_FAILURE;
 	}
 
+	dp_link->cdp_vdev_registered = 1;
 	dp_intf->txrx_ops = *txrx_ops;
 	dp_intf->sap_tx_block_mask &= ~DP_TX_FN_CLR;
 

core/dp/txrx/ol_txrx.c

@@ -2086,6 +2086,7 @@ static QDF_STATUS ol_txrx_vdev_register(struct cdp_soc_t *soc_hdl,
 	vdev->rx = txrx_ops->rx.rx;
 	vdev->stats_rx = txrx_ops->rx.stats_rx;
 	vdev->tx_comp = txrx_ops->tx.tx_comp;
+	vdev->vdev_del_notify = txrx_ops->vdev_del_notify;
 	txrx_ops->tx.tx = ol_tx_data;
 
 	return QDF_STATUS_SUCCESS;
@@ -2193,6 +2194,8 @@ ol_txrx_vdev_detach(struct cdp_soc_t *soc_hdl, uint8_t vdev_id,
 	ol_txrx_vdev_handle vdev = ol_txrx_get_vdev_from_soc_vdev_id(soc,
 								     vdev_id);
 	struct ol_txrx_pdev_t *pdev;
+	ol_txrx_vdev_delete_cb vdev_del_notify;
+	void *vdev_del_context;
 
 	if (qdf_unlikely(!vdev))
 		return QDF_STATUS_E_FAILURE;
@@ -2204,6 +2207,8 @@ ol_txrx_vdev_detach(struct cdp_soc_t *soc_hdl, uint8_t vdev_id,
 	/* prevent anyone from restarting the ll_pause timer again */
 	qdf_atomic_set(&vdev->delete.detaching, 1);
 
+	vdev_del_notify = vdev->vdev_del_notify;
+	vdev_del_context = vdev->osif_dev;
 	ol_txrx_vdev_tx_queue_free(vdev);
 
 	qdf_spin_lock_bh(&vdev->ll_pause.mutex);
@@ -2288,6 +2293,9 @@ ol_txrx_vdev_detach(struct cdp_soc_t *soc_hdl, uint8_t vdev_id,
 	if (callback)
 		callback(context);
 
+	if (vdev_del_notify)
+		vdev_del_notify(vdev_del_context);
+
 	return QDF_STATUS_SUCCESS;
 }
 
@@ -3331,6 +3339,9 @@ int ol_txrx_peer_release_ref(ol_txrx_peer_handle peer,
 					vdev->delete.callback;
 				void *vdev_delete_context =
 					vdev->delete.context;
+				ol_txrx_vdev_delete_cb vdev_del_notify =
+						vdev->vdev_del_notify;
+				void *vdev_del_context = vdev->osif_dev;
 				/*
 				 * Now that there are no references to the peer,
 				 * we can release the peer reference lock.
@@ -3357,6 +3368,9 @@ int ol_txrx_peer_release_ref(ol_txrx_peer_handle peer,
 				qdf_mem_free(vdev);
 				if (vdev_delete_cb)
 					vdev_delete_cb(vdev_delete_context);
+
+				if (vdev_del_notify)
+					vdev_del_notify(vdev_del_context);
 			} else {
 				qdf_spin_unlock_bh(&pdev->peer_ref_mutex);
 			}

core/dp/txrx/ol_txrx_types.h

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
- * Copyright (c) 2022-2023 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2022-2024 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -1218,6 +1218,9 @@ struct ol_txrx_vdev_t {
 	/* completion function used by this vdev*/
 	ol_txrx_completion_fp tx_comp;
 
+	/* delete notifier to DP component */
+	ol_txrx_vdev_delete_cb vdev_del_notify;
+
 	struct {
 		/*
 		 * If the vdev object couldn't be deleted immediately because