From c8d1c4bccf7a2ec6ab7f0999360eb053e689c857 Mon Sep 17 00:00:00 2001
From: Orhan K AKYILDIZ
Date: Tue, 10 Jan 2017 14:32:18 -0800
Subject: [PATCH] qcacmn: fix a potential access after free

Once the wmi command is send to the FW, a sequence of events (deletion of peer and sending of unmap messages to host) happens on FW. This could potentially make a subsequent access to peer_addr an access after the object is freed. Indeed a crash instance of such a case has been reported.

Fix this by moving the print command before the actual wmi command send.

Change-Id: I5a0d19b9b4a09687d5513acc52139a73b8490512
CRs-Fixed: 1108700
---
 wmi_unified_tlv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wmi_unified_tlv.c b/wmi_unified_tlv.c
index cd5e366eb7..2ba3543a99 100644
--- a/wmi_unified_tlv.c
+++ b/wmi_unified_tlv.c
@@ -499,12 +499,12 @@ QDF_STATUS send_peer_delete_cmd_tlv(wmi_unified_t wmi,
 	WMI_CHAR_ARRAY_TO_MAC_ADDR(peer_addr, &cmd->peer_macaddr);
 	cmd->vdev_id = vdev_id;
+	WMI_LOGD("%s: peer_addr %pM vdev_id %d", __func__, peer_addr, vdev_id);
 	if (wmi_unified_cmd_send(wmi, buf, len, WMI_PEER_DELETE_CMDID)) {
 		WMI_LOGP("%s: Failed to send peer delete command", __func__);
 		wmi_buf_free(buf);
 		return QDF_STATUS_E_FAILURE;
 	}
-	WMI_LOGD("%s: peer_addr %pM vdev_id %d", __func__, peer_addr, vdev_id);
 	return 0;
 }
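Review bot: The reorder removes the observed read, but nothing in the hunk records the ownership rule it depends on, so a later change could reintroduce a reference to peer_addr after the send; add a comment above the `if (wmi_unified_cmd_send(wmi, buf, len, WMI_PEER_DELETE_CMDID)) {` line such as `/* Once this command is sent the FW may tear down the peer; peer_addr must not be dereferenced past this point. */`. The success path also returns the bare literal `0` while the failure path returns `QDF_STATUS_E_FAILURE`; `return QDF_STATUS_SUCCESS;` keeps both branches in the same vocabulary for a function declared to return QDF_STATUS. The beginning of send_peer_delete_cmd_tlv, including where peer_addr and buf originate, lies outside the hunk, so whether any other post-send use of peer_addr remains there cannot be confirmed from this view.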