authorHsiu-Chang Chen <hsiuchangchen@google.com>2020-10-05 14:40:06 +0530
committerHsiu-Chang Chen <hsiuchangchen@google.com>2023-03-15 13:56:56 +0800
commitdf7aaff97f79048aec343ddc0a39b78da90bc5e0 (patch)
treec1240bace85cc9ffe0c2b27d43d3cf9d6198420e
parent5f8124bb66f4cd48b28470da12f1dd860aa0c3a3 (diff)
downloadqcacld-df7aaff97f79048aec343ddc0a39b78da90bc5e0.tar.gz
qcacld-3.0: Avoid use after free for SAP dev
There is a race between regulatory callback from restart SAP and user space deleting the SAP dev, which can result in access to a freed adapter. To avoid the above issue, the SAP dev should be held before it gets deleted and released after the operation on the SAP dev completes. Bug: 262228460 Test: Regression test Change-Id: Idf7fc2adeb74ac62d2a63d8bc3ae0b1a0568693c CRs-Fixed: 2789448 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r--core/hdd/src/wlan_hdd_main.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
index f1c5c0bcd6..1490e3327b 100644
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@@ -9737,10 +9737,10 @@ void hdd_unsafe_channel_restart_sap(struct hdd_context *hdd_ctxt)
hdd_for_each_adapter(hdd_ctxt, adapter) {
if (!(adapter->device_mode == QDF_SAP_MODE &&
adapter->session.ap.sap_config.acs_cfg.acs_mode)) {
- hdd_debug("skip device mode:%d acs:%d",
- adapter->device_mode,
- adapter->session.ap.sap_config.
- acs_cfg.acs_mode);
+ hdd_debug_rl("skip device mode:%d acs:%d",
+ adapter->device_mode,
+ adapter->session.ap.sap_config.acs_cfg.acs_mode);
+ dev_put(adapter->dev);
continue;
}
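Review bot: None of the four added `dev_put(adapter->dev)` calls has a matching `dev_hold()` visible in this commit: the loop in this hunk still iterates with `hdd_for_each_adapter`, and the diffstat lists only this file, with all eight insertions accounted for in the hunks shown. If that iterator does not already take a reference on `adapter->dev` for each entry, every put here, the ones before `continue` in the hunks at -9779 and -9797, and the one at the loop tail each drop a reference the loop never owned, which could release the netdev early instead of protecting it. Please confirm where the hold is taken and state it at the top of the loop body, e.g. `/* adapter->dev is held per iteration; every exit from this body must dev_put() it */`. The function body starts and ends outside this hunk.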
@@ -9779,6 +9779,7 @@ void hdd_unsafe_channel_restart_sap(struct hdd_context *hdd_ctxt)
restart_chan_store);
hdd_debug("ch:%d is safe. no need to change channel",
adapter->session.ap.operating_channel);
+ dev_put(adapter->dev);
continue;
}
@@ -9797,6 +9798,7 @@ void hdd_unsafe_channel_restart_sap(struct hdd_context *hdd_ctxt)
if (is_vendor_acs_support && is_acs_support_for_dfs_ltecoex) {
hdd_update_acs_timer_reason(adapter,
QCA_WLAN_VENDOR_ACS_SELECT_REASON_LTE_COEX);
+ dev_put(adapter->dev);
continue;
}
@@ -9848,6 +9850,8 @@ void hdd_unsafe_channel_restart_sap(struct hdd_context *hdd_ctxt)
return;
}
}
+ /* dev_put has to be done here */
+ dev_put(adapter->dev);
}
}
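Review bot: The `return;` kept as context at the top of this hunk leaves the loop without reaching the new `dev_put(adapter->dev)` at the loop tail, and since all eight insertions of the commit are visible elsewhere, nothing was added in front of it. Assuming a reference on `adapter->dev` is held for each iteration, that path leaks it, which would likely keep the SAP netdev from being fully unregistered later. Add `dev_put(adapter->dev);` immediately before that `return;`; the lines leading up to it are outside the hunk. The new comment `/* dev_put has to be done here */` would help more if it said why, e.g. `/* release the per-iteration reference on adapter->dev */`.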