Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / 0d2eeaeb873b06964e725192df21745cad1baab9^! / . / core / hdd / src / wlan_hdd_nan_datapath.c
commit0d2eeaeb873b06964e725192df21745cad1baab9[log] [tgz]
authorDustin Brown <dustinb@codeaurora.org>Fri Mar 24 15:21:32 2017 -0700
committerSandeep Puligilla <spuligil@codeaurora.org>Wed Mar 29 12:28:38 2017 -0700
treedc5091fdbceaaf4a077579445e6366b75fda4cff
parent7d043f6fec785f372e57ab10ba7a8b113d1ff6fe [diff] [blame]
qcacld-3.0: Do objmgr vdev destroy before sme close session

Converged host driver code listens for a vdev_destroy event from
object manager to release vdev related resources. Currently, vdevs
are destroyed in firmware before they are destroyed by object manager,
leading to a possible use-after-free situation in firmware. Reverse
the order of vdev destroy, first in object manger, then in firmware,
to prevent the potential use-after-free.

Change-Id: I54bbede9732cecb3bec291692f452758976184c4
CRs-Fixed: 2024633

diff --git a/core/hdd/src/wlan_hdd_nan_datapath.c b/core/hdd/src/wlan_hdd_nan_datapath.c
index eb609b9..96d6c58 100644
--- a/core/hdd/src/wlan_hdd_nan_datapath.c
+++ b/core/hdd/src/wlan_hdd_nan_datapath.c

@@ -113,9 +113,8 @@
  */
 static int hdd_close_ndi(hdd_adapter_t *adapter)
 {
-	int rc;
+	int errno;
 	hdd_context_t *hdd_ctx = WLAN_HDD_GET_CTX(adapter);
-	uint32_t timeout = WLAN_WAIT_TIME_SESSIONOPENCLOSE;
 
 	ENTER();
 
@@ -138,24 +137,9 @@
 	cancel_work_sync(&adapter->ipv6NotifierWorkQueue);
 #endif
 #endif
-	/* check if the session is open */
-	if (test_bit(SME_SESSION_OPENED, &adapter->event_flags)) {
-		INIT_COMPLETION(adapter->session_close_comp_var);
-		if (QDF_STATUS_SUCCESS == sme_close_session(hdd_ctx->hHal,
-				adapter->sessionId,
-				hdd_sme_close_session_callback, adapter)) {
-			/* Block on a timed completion variable */
-			rc = wait_for_completion_timeout(
-				&adapter->session_close_comp_var,
-				msecs_to_jiffies(timeout));
-			if (!rc)
-				hdd_err("session close timeout");
-
-			rc = hdd_objmgr_release_and_destroy_vdev(adapter);
-			if (rc)
-				hdd_err("vdev delete failed");
-		}
-	}
+	errno = hdd_vdev_destroy(adapter);
+	if (errno)
+		hdd_err("failed to destroy vdev: %d", errno);
 
 	/* We are good to close the adapter */
 	hdd_close_adapter(hdd_ctx, adapter, true);