qcacld-3.0: Do objmgr vdev destroy before sme close session
Converged host driver code listens for a vdev_destroy event from
object manager to release vdev related resources. Currently, vdevs
are destroyed in firmware before they are destroyed by object manager,
leading to a possible use-after-free situation in firmware. Reverse
the order of vdev destroy, first in object manager, then in firmware,
to prevent the potential use-after-free.
Change-Id: I54bbede9732cecb3bec291692f452758976184c4
CRs-Fixed: 2024633
diff --git a/core/hdd/src/wlan_hdd_nan_datapath.c b/core/hdd/src/wlan_hdd_nan_datapath.c
index eb609b9..96d6c58 100644
--- a/core/hdd/src/wlan_hdd_nan_datapath.c
+++ b/core/hdd/src/wlan_hdd_nan_datapath.c
@@ -113,9 +113,8 @@
*/
static int hdd_close_ndi(hdd_adapter_t *adapter)
{
- int rc;
+ int errno;
hdd_context_t *hdd_ctx = WLAN_HDD_GET_CTX(adapter);
- uint32_t timeout = WLAN_WAIT_TIME_SESSIONOPENCLOSE;
ENTER();
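Review bot: The new local `int errno;` reuses the name of the C library error indicator. Kernel builds do not define `errno` as a macro, but the name can still mislead readers, and it would break if this file were ever compiled with `<errno.h>` in scope, for example in a host-side test build. Unless the driver uses this name as a convention elsewhere, a neutral name such as `int ret;` with `ret = hdd_vdev_destroy(adapter);` in the following hunk avoids both problems. The body of hdd_close_ndi continues past this hunk.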
@@ -138,24 +137,9 @@
cancel_work_sync(&adapter->ipv6NotifierWorkQueue);
#endif
#endif
- /* check if the session is open */
- if (test_bit(SME_SESSION_OPENED, &adapter->event_flags)) {
- INIT_COMPLETION(adapter->session_close_comp_var);
- if (QDF_STATUS_SUCCESS == sme_close_session(hdd_ctx->hHal,
- adapter->sessionId,
- hdd_sme_close_session_callback, adapter)) {
- /* Block on a timed completion variable */
- rc = wait_for_completion_timeout(
- &adapter->session_close_comp_var,
- msecs_to_jiffies(timeout));
- if (!rc)
- hdd_err("session close timeout");
-
- rc = hdd_objmgr_release_and_destroy_vdev(adapter);
- if (rc)
- hdd_err("vdev delete failed");
- }
- }
+ errno = hdd_vdev_destroy(adapter);
+ if (errno)
+ hdd_err("failed to destroy vdev: %d", errno);
/* We are good to close the adapter */
hdd_close_adapter(hdd_ctx, adapter, true);
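Review bot: When `hdd_vdev_destroy(adapter)` fails, the new code only logs and still reaches `hdd_close_adapter(hdd_ctx, adapter, true)`, so the adapter is released even if the vdev or SME session was not torn down. hdd_vdev_destroy is not visible here, but if it can return an error after a session-close timeout, a late close callback or firmware event could still reference the adapter, which is the class of use-after-free this commit sets out to remove. Either confirm that hdd_vdev_destroy leaves no pending callback on every error path, or record the decision at the call site with a comment such as `/* vdev destroy failed; adapter is closed anyway, late callbacks must not touch it */`. The removed `test_bit(SME_SESSION_OPENED, &adapter->event_flags)` guard should also be confirmed to live inside hdd_vdev_destroy now, so that an unopened session is not closed. The body of hdd_close_ndi begins and ends outside this hunk.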