author | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2020-10-05 14:40:06 +0530 |
---|---|---|
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2023-03-15 13:56:56 +0800 |
commit | df7aaff97f79048aec343ddc0a39b78da90bc5e0 (patch) | |
tree | c1240bace85cc9ffe0c2b27d43d3cf9d6198420e | |
parent | 5f8124bb66f4cd48b28470da12f1dd860aa0c3a3 (diff) | |
qcacld-3.0: Avoid use after free for SAP dev
There is a race between regulatory callback from restart SAP and
user space deleting the SAP dev, which can result in access to a
freed adapter.
To avoid the above issue, the SAP dev should be held before it gets
deleted and released after the operation on the SAP dev completes.
Bug: 262228460
Test: Regression test
Change-Id: Idf7fc2adeb74ac62d2a63d8bc3ae0b1a0568693c
CRs-Fixed: 2789448
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r-- | core/hdd/src/wlan_hdd_main.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
index f1c5c0bcd6..1490e3327b 100644
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@@ -9737,10 +9737,10 @@ void hdd_unsafe_channel_restart_sap(struct hdd_context *hdd_ctxt)
 hdd_for_each_adapter(hdd_ctxt, adapter) {
 if (!(adapter->device_mode == QDF_SAP_MODE && adapter->session.ap.sap_config.acs_cfg.acs_mode)) {
- hdd_debug("skip device mode:%d acs:%d",
- adapter->device_mode,
- adapter->session.ap.sap_config.
- acs_cfg.acs_mode);
+ hdd_debug_rl("skip device mode:%d acs:%d",
+ adapter->device_mode,
+ adapter->session.ap.sap_config.acs_cfg.acs_mode);
+ dev_put(adapter->dev);
 continue;
 }
@@ -9779,6 +9779,7 @@ void hdd_unsafe_channel_restart_sap(struct hdd_context *hdd_ctxt)
 restart_chan_store);
 hdd_debug("ch:%d is safe. no need to change channel", adapter->session.ap.operating_channel);
+ dev_put(adapter->dev);
 continue;
 }
@@ -9797,6 +9798,7 @@ void hdd_unsafe_channel_restart_sap(struct hdd_context *hdd_ctxt)
 if (is_vendor_acs_support && is_acs_support_for_dfs_ltecoex) {
 hdd_update_acs_timer_reason(adapter, QCA_WLAN_VENDOR_ACS_SELECT_REASON_LTE_COEX);
+ dev_put(adapter->dev);
 continue;
 }
@@ -9848,6 +9850,8 @@ void hdd_unsafe_channel_restart_sap(struct hdd_context *hdd_ctxt)
 return;
 }
 }
+ /* dev_put has to be done here */
+ dev_put(adapter->dev);
 }
 } |
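Review bot: The `dev_put(adapter->dev)` added before `continue` in the first hunk, and again in the second and third hunks, has no matching `dev_hold()` anywhere in this patch; the loop header `hdd_for_each_adapter(hdd_ctxt, adapter)` is unchanged context. If that iterator does not take a reference on each adapter's net_device in this tree, every pass would drop a reference it never took, which unbalances the netdev refcount instead of closing the race described in the commit message. Please confirm where the hold is taken and record it at the loop, for example `/* iterator holds adapter->dev; every exit path below must dev_put() */`. The function body starts and continues outside the hunk, so the hold may simply not be visible here.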
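Review bot: The `return;` shown as context just above the added `dev_put(adapter->dev)` in the last hunk leaves the loop body without releasing the device, so that exit appears to keep the reference which every other path now drops. Assuming the iterator holds the device for each adapter, add `dev_put(adapter->dev);` immediately before that `return;`, otherwise the leaked reference can block unregistering the SAP netdev later. The comment `/* dev_put has to be done here */` would help more if it gave the reason, e.g. `/* release the reference held for this iteration */`. The block containing the `return;` starts outside the hunk, so a release earlier on that path cannot be ruled out from here.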