Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

qcacmn: Fix vdev obj manager reference release in serialization

Vdev object manager reference should be taken before enqueuing
serialization command and it should be released after dequeuing the
command from serialization queue. Currently this reference release is
done before moving the command to active queue from pending queue.
This may lead to vdev object deletion before the command is moved to
active queue and result in use after free access for vdev object.

To resolve this, release vdev object reference after moving the
serialization command to active queue.

Change-Id: Ibef0814a245abb36f526997d848cf15ef6a49a44
CRs-Fixed: 2832676
Bapiraju Alla 4 years ago
parent
53b3234b8f
commit
f36047161f
1 changed files with 8 additions and 9 deletions
Split View Show Diff Stats
  1. 8 9
      umac/cmn_services/serialization/src/wlan_serialization_internal.c

+ 8 - 9
umac/cmn_services/serialization/src/wlan_serialization_internal.c
View File 

@@ -513,15 +513,6 @@ wlan_serialization_dequeue_cmd(struct wlan_serialization_command *cmd,
 
 
 	wlan_serialization_release_lock(&pdev_queue->pdev_queue_lock);
 
 
-	/* Call cmd cb for remove request*/
 
-	if (cmd_bkup.cmd_cb) {
 
-		/* caller should release the memory */
 
-		ser_debug("Release memory for type %d id %d",
 
-			  cmd_bkup.cmd_type, cmd_bkup.cmd_id);
 
-		cmd_bkup.cmd_cb(&cmd_bkup,
 
-				     WLAN_SER_CB_RELEASE_MEM_CMD);
 
-	}
 
-
 
 	if (active_cmd) {
 
 		ser_status = wlan_serialization_move_pending_to_active(
 
 			cmd_bkup.cmd_type, ser_pdev_obj,
 
@@ -529,6 +520,14 @@ wlan_serialization_dequeue_cmd(struct wlan_serialization_command *cmd,
 
 			blocking_cmd_removed);
 
 	}
 
 
+	/* Call cmd cb for remove request*/
 
+	if (cmd_bkup.cmd_cb) {
 
+		/* caller should release the memory */
 
+		ser_debug("Release memory for type %d id %d",
 
+			  cmd_bkup.cmd_type, cmd_bkup.cmd_id);
 
+		cmd_bkup.cmd_cb(&cmd_bkup, WLAN_SER_CB_RELEASE_MEM_CMD);
 
+	}
 
+
 
 	if (active_cmd)
 
 		status = WLAN_SER_CMD_IN_ACTIVE_LIST;
 
 	else