wlan: Fix race conditions with hdd_smeCloseSessionCallback()
An issue was observed where hdd_smeCloseSessionCallback() invoked
complete() on an uninitialized completion variable, resulting in a
kernel crash. Two separate issues are present in the code.
The first issue is that hdd_smeCloseSessionCallback() does not
validate that the adapter context is still valid when it executes.
Add tests to make sure the adapter context is valid when the callback
is invoked, as well as after flush_scheduled_work() returns, to
prevent access to an uninitialized completion variable.
The second issue is that the functions which invoke sme_CloseSession()
(and hence which eventually cause hdd_smeCloseSessionCallback() to be
invoked) currently use wait_for_completion_interruptible_timeout() to
wait for the callback to occur. Since these code paths cannot
guarantee they can gracefully handle the case when an interrupt
occurs, use wait_for_completion_timeout() instead.
Change-Id: I81f581f58fe6db4e85b7926ebba7ebb793c73f05
CRs-fixed: 474383
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 89fa9ca..14d2ff9 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -2650,19 +2650,40 @@
return VOS_STATUS_SUCCESS;
}
-eHalStatus hdd_smeCloseSessionCallback(void *pContext)
+static eHalStatus hdd_smeCloseSessionCallback(void *pContext)
{
- if(pContext != NULL)
- {
- clear_bit(SME_SESSION_OPENED, &((hdd_adapter_t*)pContext)->event_flags);
+ hdd_adapter_t *pAdapter = pContext;
- /* need to make sure all of our scheduled work has completed.
- * This callback is called from MC thread context, so it is safe to
- * to call below flush workqueue API from here.
- */
- flush_scheduled_work();
- complete(&((hdd_adapter_t*)pContext)->session_close_comp_var);
+ if (NULL == pAdapter)
+ {
+ hddLog(VOS_TRACE_LEVEL_FATAL, "%s: NULL pAdapter", __func__);
+ return eHAL_STATUS_INVALID_PARAMETER;
}
+
+ if (WLAN_HDD_ADAPTER_MAGIC != pAdapter->magic)
+ {
+ hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid magic", __func__);
+ return eHAL_STATUS_NOT_INITIALIZED;
+ }
+
+ clear_bit(SME_SESSION_OPENED, &pAdapter->event_flags);
+
+ /* need to make sure all of our scheduled work has completed.
+ * This callback is called from MC thread context, so it is safe to
+ * to call below flush workqueue API from here.
+ */
+ flush_scheduled_work();
+
+ /* We can be blocked while waiting for scheduled work to be
+ * flushed, and the adapter structure can potentially be freed, in
+ * which case the magic will have been reset. So make sure the
+ * magic is still good, and hence the adapter structure is still
+ * valid, before signaling completion */
+ if (WLAN_HDD_ADAPTER_MAGIC == pAdapter->magic)
+ {
+ complete(&pAdapter->session_close_comp_var);
+ }
+
return eHAL_STATUS_SUCCESS;
}
@@ -2768,17 +2789,17 @@
error_init_txrx:
hdd_UnregisterWext(pWlanDev);
error_register_wext:
- if(test_bit(SME_SESSION_OPENED, &pAdapter->event_flags))
+ if (test_bit(SME_SESSION_OPENED, &pAdapter->event_flags))
{
INIT_COMPLETION(pAdapter->session_close_comp_var);
- if( eHAL_STATUS_SUCCESS == sme_CloseSession( pHddCtx->hHal,
+ if (eHAL_STATUS_SUCCESS == sme_CloseSession(pHddCtx->hHal,
pAdapter->sessionId,
- hdd_smeCloseSessionCallback, pAdapter ) )
+ hdd_smeCloseSessionCallback, pAdapter))
{
//Block on a completion variable. Can't wait forever though.
- wait_for_completion_interruptible_timeout(
+ wait_for_completion_timeout(
&pAdapter->session_close_comp_var,
- msecs_to_jiffies(WLAN_WAIT_TIME_SESSIONOPENCLOSE));
+ msecs_to_jiffies(WLAN_WAIT_TIME_SESSIONOPENCLOSE));
}
}
error_sme_open:
@@ -3411,7 +3432,7 @@
hdd_smeCloseSessionCallback, pAdapter))
{
//Block on a completion variable. Can't wait forever though.
- wait_for_completion_interruptible_timeout(
+ wait_for_completion_timeout(
&pAdapter->session_close_comp_var,
msecs_to_jiffies(WLAN_WAIT_TIME_SESSIONOPENCLOSE));
}