qcacld-3.0: Avoid use after free for SAP dev
There is a race between the regulatory callback from restart SAP and
user space deleting the SAP dev, which can result in access of a
freed adapter.
To avoid the above issue, the SAP dev should be held before it gets
deleted and released after the operation on the SAP dev completes.
Change-Id: Idf7fc2adeb74ac62d2a63d8bc3ae0b1a0568693c
CRs-Fixed: 2789448
diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
index 1130313..84f928a 100644
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@@ -10281,13 +10281,13 @@
bool is_vendor_acs_support =
cfg_default(CFG_USER_AUTO_CHANNEL_SELECTION);
- hdd_for_each_adapter(hdd_ctxt, adapter) {
+ hdd_for_each_adapter_dev_held(hdd_ctxt, adapter) {
if (!(adapter->device_mode == QDF_SAP_MODE &&
adapter->session.ap.sap_config.acs_cfg.acs_mode)) {
- hdd_debug("skip device mode:%d acs:%d",
- adapter->device_mode,
- adapter->session.ap.sap_config.
- acs_cfg.acs_mode);
+ hdd_debug_rl("skip device mode:%d acs:%d",
+ adapter->device_mode,
+ adapter->session.ap.sap_config.acs_cfg.acs_mode);
+ dev_put(adapter->dev);
continue;
}
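Review bot: Every early exit from the loop body now has to drop the reference manually, and the stretches of the body that fall between this hunk and the following ones are not visible here; any `continue`, `return` or `break` in those stretches would leak the reference taken by `hdd_for_each_adapter_dev_held`, so they should be checked before merge. The same manual `dev_put(adapter->dev)` pairing applies to the hunks at 10331, 10350, 10394 and 10402. A comment on the loop header would help whoever adds the next exit path, e.g. `/* each iteration holds adapter->dev; every continue/return in the body must dev_put() it */`. The switch from `hdd_debug` to `hdd_debug_rl` on the skip path is unrelated to the use-after-free fix and is not mentioned in the commit message. The enclosing function starts before this hunk.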
@@ -10331,6 +10331,7 @@
restart_chan_store);
hdd_debug("ch:%d is safe. no need to change channel",
ap_chan);
+ dev_put(adapter->dev);
continue;
}
@@ -10349,6 +10350,7 @@
if (is_vendor_acs_support && is_acs_support_for_dfs_ltecoex) {
hdd_update_acs_timer_reason(adapter,
QCA_WLAN_VENDOR_ACS_SELECT_REASON_LTE_COEX);
+ dev_put(adapter->dev);
continue;
}
@@ -10392,6 +10394,7 @@
CSA_REASON_UNSAFE_CHANNEL);
hdd_switch_sap_channel(adapter, restart_chan,
true);
+ dev_put(adapter->dev);
return;
}
else {
@@ -10399,9 +10402,12 @@
wlan_hdd_send_svc_nlink_msg(
hdd_ctxt->radio_index,
WLAN_SVC_LTE_COEX_IND, NULL, 0);
+ dev_put(adapter->dev);
return;
}
}
+ /* dev_put has to be done here */
+ dev_put(adapter->dev);
}
}
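Review bot: The comment `/* dev_put has to be done here */` states that the call is required but not what it pairs with; `/* drop the reference taken by hdd_for_each_adapter_dev_held for this iteration */` would tell a reader why it is here. Whether the iteration step of that macro itself releases the previous adapter's dev is not visible in this diff; if it does, this trailing dev_put would double-drop, so confirm against the macro definition.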