From fb93c36d8dd6ed2375e6acaaa4b5de256e0fe36c Mon Sep 17 00:00:00 2001 From: Rakesh Pillai Date: Tue, 10 Oct 2023 14:39:16 +0530 Subject: [PATCH] qcacmn: Do not call stats_cb after vdev is deleted Currently before calling the stats_cbk we do not check if the vdev has been deleted or not. There is a case where vdev might be deleted (but not freed due to pending ref-count) and the osif_vdev will be freed as a part of the delete sequence. In this case, calling stats_cbk with dangling pointer to osif_vdev will lead to an access to memory which has been freed. To mitigate this issue, check if the vdev has been marked for deletion, before calling the stats_cbk in tx completion path. Change-Id: I32ef68f45f172fc903ab597a62bb4b3e3cb0f574 CRs-Fixed: 3635454 --- dp/wifi3.0/dp_tx.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dp/wifi3.0/dp_tx.c b/dp/wifi3.0/dp_tx.c index 6e6a8c084d..f5c6818ba3 100644 --- a/dp/wifi3.0/dp_tx.c +++ b/dp/wifi3.0/dp_tx.c @@ -5743,8 +5743,7 @@ void dp_tx_update_connectivity_stats(struct dp_soc *soc, qdf_assert(tx_desc); - if (!vdev || - !vdev->osif_vdev || + if (!vdev || vdev->delete.pending || !vdev->osif_vdev || !vdev->stats_cb) return;
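Review bot: The new `vdev->delete.pending` test in the early-return condition of dp_tx_update_connectivity_stats() is a check-then-use, and nothing in the visible lines shows what stops the delete sequence from setting the flag and freeing osif_vdev after the condition passes but before stats_cb is invoked. If tx completion and vdev delete can run concurrently, the check narrows the use-after-free window rather than closing it. Please state in the commit message or in a comment above the condition what serialises the two paths, or have the delete path clear `vdev->osif_vdev` and `vdev->stats_cb` under that same protection, so the existing NULL checks also cover this case. A one-line comment noting that osif_vdev may already be freed while the vdev itself is kept alive by a pending reference would also help, since the condition alone does not say why `delete.pending` matters here.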