qcacmn: Check for in_use flag before using the txrx desc pool
While accessing txrx desc pool, in_use flags is not used and thus
caller may end up using a txrx desc which is not in use. Also
all the params of txrx desc are not reinitialized once in_use flag
is set to false. This can lead invalid pointers used by caller.
So check for in_use flag before using the txrx desc pool, to avoid
use after in_use is set to false and reinitialized all params to
invalid values.
Also In wlan_mgmt_txrx_mgmt_frame_tx driver forcefully get the peer
ref count. It should use wlan_objmgr_peer_try_get_ref api to get
the peer ref, so that after logical delete the frames are not sent
for the peer.
Change-Id: Ie59e622c095750de8eabc49985b114ec6197be00
CRs-Fixed: 2459212
diff --git a/umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_main.c b/umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_main.c
index 9540d9f..68b82de 100644
--- a/umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_main.c
+++ b/umac/cmn_services/mgmt_txrx/core/src/wlan_mgmt_txrx_main.c
@@ -148,6 +148,13 @@
return;
}
desc->in_use = false;
+ desc->context = NULL;
+ desc->peer = NULL;
+ desc->nbuf = NULL;
+ desc->tx_dwnld_cmpl_cb = NULL;
+ desc->tx_ota_cmpl_cb = NULL;
+ desc->vdev_id = WLAN_UMAC_VDEV_ID_MAX;
+
qdf_list_insert_front(&mgmt_txrx_pdev_ctx->mgmt_desc_pool.free_list,
&desc->entry);
diff --git a/umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_tgt_api.c b/umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_tgt_api.c
index bb31542..f79e64e 100644
--- a/umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_tgt_api.c
+++ b/umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_tgt_api.c
@@ -1076,7 +1076,7 @@
return QDF_STATUS_E_INVAL;
}
mgmt_desc = &mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[desc_id];
- if (!mgmt_desc) {
+ if (!mgmt_desc || !mgmt_desc->in_use) {
mgmt_txrx_err("Mgmt desc empty for id %d pdev %pK ",
desc_id, pdev);
return QDF_STATUS_E_NULL_VALUE;
@@ -1148,7 +1148,7 @@
}
mgmt_desc = &mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[desc_id];
- if (!mgmt_desc) {
+ if (!mgmt_desc || !mgmt_desc->in_use) {
mgmt_txrx_err("Mgmt descriptor unavailable for id %d pdev %pK",
desc_id, pdev);
goto fail;
@@ -1178,7 +1178,7 @@
}
mgmt_desc = &mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[desc_id];
- if (!mgmt_desc) {
+ if (!mgmt_desc || !mgmt_desc->in_use) {
mgmt_txrx_err("Mgmt descriptor unavailable for id %d pdev %pK",
desc_id, pdev);
goto fail;
@@ -1212,7 +1212,7 @@
}
mgmt_desc = &mgmt_txrx_pdev_ctx->mgmt_desc_pool.pool[desc_id];
- if (!mgmt_desc) {
+ if (!mgmt_desc || !mgmt_desc->in_use) {
mgmt_txrx_err("Mgmt descriptor unavailable for id %d pdev %pK",
desc_id, pdev);
goto fail;
diff --git a/umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_utils_api.c b/umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_utils_api.c
index 4bc6836..e3e2edf 100644
--- a/umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_utils_api.c
+++ b/umac/cmn_services/mgmt_txrx/dispatcher/src/wlan_mgmt_txrx_utils_api.c
@@ -366,13 +366,18 @@
struct wlan_objmgr_pdev *pdev;
struct mgmt_txrx_priv_pdev_context *txrx_ctx;
struct wlan_objmgr_vdev *vdev;
+ QDF_STATUS status;
if (!peer) {
mgmt_txrx_err("peer passed is NULL");
return QDF_STATUS_E_NULL_VALUE;
}
- wlan_objmgr_peer_get_ref(peer, WLAN_MGMT_NB_ID);
+ status = wlan_objmgr_peer_try_get_ref(peer, WLAN_MGMT_NB_ID);
+ if (QDF_IS_STATUS_ERROR(status)) {
+ mgmt_txrx_err("failed to get ref count for peer %pK", peer);
+ return QDF_STATUS_E_NULL_VALUE;
+ }
vdev = wlan_peer_get_vdev(peer);
if (!vdev) {