Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / prima / bd3041e3f7ce63fba0db98bda741ebdaa8a5adb4^! / . / CORE / HDD / src / wlan_hdd_p2p.c
commitbd3041e3f7ce63fba0db98bda741ebdaa8a5adb4[log] [tgz]
authorAbhishek Singh <absingh@qti.qualcomm.com>Thu Jul 30 14:36:25 2015 +0530
committerSatyanarayana Dash <sadash@codeaurora.org>Sat Aug 01 17:31:47 2015 +0530
tree25d31dae32d94f543f11292ccffb4531d7144c49
parent58ec70ddae9885b23af4fa567e8598bde1f5b2d2 [diff] [blame]
wlan: Acquire lock before setting cancel ROC in progress flag.

When HDD receive a request to cancel ROC from supplicant, it check
if already cancel ROC in progress flag is set, and if not it sets
the cancel ROC in progress flag and calls resume link.
This is done while holding the ROC mutex.

ROC timeout also check and set cancel ROC in progress flag and
call resume link, but does it without holding the lock.

Thus a situation may arise when both will proceed to call resume
link. In this case gLimResumeLink callback is not set to NULL.
Thus next time when ROC is called the finish scan request is not
sent to firmware assuming finish scan is already sent as
gLimResumeLink callback is not NULL.
This leads to back to back init scan request to firmware which
cause crash.

Protect the cancel ROC in progress flag with mutex.

CRs-Fixed: 882047
Change-Id: Ida6cce3cef1a500bfb89dd19c4a19707575f3dac

diff --git a/CORE/HDD/src/wlan_hdd_p2p.c b/CORE/HDD/src/wlan_hdd_p2p.c
index 39593d8..322e4e1 100644
--- a/CORE/HDD/src/wlan_hdd_p2p.c
+++ b/CORE/HDD/src/wlan_hdd_p2p.c

@@ -402,12 +402,14 @@
     hdd_adapter_t *pAdapter = (hdd_adapter_t *)data;
     hdd_remain_on_chan_ctx_t *pRemainChanCtx;
     hdd_cfg80211_state_t *cfgState;
+    hdd_context_t *pHddCtx;
 
     if ((NULL == pAdapter) || (WLAN_HDD_ADAPTER_MAGIC != pAdapter->magic))
     {
         hddLog( LOGE, FL("pAdapter is invalid %p !!!"), pAdapter);
         return;
     }
+    pHddCtx = WLAN_HDD_GET_CTX( pAdapter );
     cfgState = WLAN_HDD_GET_CFG_STATE_PTR( pAdapter );
     pRemainChanCtx = cfgState->remain_on_chan_ctx;
     if (NULL == pRemainChanCtx)
@@ -415,13 +417,16 @@
         hddLog( LOGE, FL("No Remain on channel is pending"));
         return;
     }
+    mutex_lock(&pHddCtx->roc_lock);
     if ( TRUE == pRemainChanCtx->hdd_remain_on_chan_cancel_in_progress )
     {
+        mutex_unlock(&pHddCtx->roc_lock);
         hddLog( LOGE, FL("Cancellation already in progress"));
         return;
     }
 
     pRemainChanCtx->hdd_remain_on_chan_cancel_in_progress = TRUE;
+    mutex_unlock(&pHddCtx->roc_lock);
     INIT_COMPLETION(pAdapter->cancel_rem_on_chan_var);
     hddLog( LOG1,"%s: Cancel Remain on Channel on timeout", __func__);
     if ( ( WLAN_HDD_INFRA_STATION == pAdapter->device_mode ) ||