Fix use-after-free of rt_tbl in __ipa_del_flt_rule by checking if the rt_tbl is already freed. Change-Id: I09541f65f474dc42f262c603d99f6bbcbb0ce8ec Signed-off-by: Goutam Bose <[email protected]>
@@ -1198,7 +1198,7 @@ static int __ipa_del_flt_rule(u32 rule_hdl)
list_del(&entry->link);
entry->tbl->rule_cnt--;
- if (entry->rt_tbl)
+ if (entry->rt_tbl && !ipa3_check_idr_if_freed(entry->rt_tbl))
entry->rt_tbl->ref_cnt--;
IPADBG("del flt rule rule_cnt=%d rule_id=%d\n",
entry->tbl->rule_cnt, entry->rule_id);
Goutam Bose