qcacld-3.0: Fix peer poison overwritten issue
In the existing implementation, once wma_is_pkt_drop_candidate gets a
peer from ol_txrx_find_peer_by_addr, the peer can be deleted in the
SOFTIRQ path from the unmap handler. This would make the peer pointer
'stale', resulting in access to already freed memory.
- Use standard API OL_TXRX_PEER_UNREF_DELETE to decrement peer->ref_cnt
instead of directly referencing it.
- Add a new API - ol_txrx_find_peer_by_addr_inc_ref which does not
decrement the peer->ref_cnt until the usage of peer in the caller
function is finished. The existing API ol_txrx_find_peer_by_addr
can be replaced by the new API as and when the issues are seen.
Sample usage:
{
peer = ol_txrx_find_peer_by_addr_inc_ref
/* This API gets the peer and increments its ref_cnt */
...
...
/* Once peer usage is done */
OL_TXRX_PEER_UNREF_DELETE(peer);
/*
* This API deletes the reference to the peer or the peer itself
* if the peer->ref_cnt is 0. This way we no longer depend on
* peer unmaps to delete the peer.
*/
}
Change-Id: I69fb67a4b4c9e26344d2ed1a72c383be7ac62414
CRs-Fixed: 2008583
5 files changed
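The reference-counting pattern the commit describes, as an added example that is not qcacld-3.0 code: a toy peer table in which the table holds one reference on each mapped peer, an old-style lookup that takes no reference, a new-style lookup that does, and an unmap handler that drops the table's reference. The real unmap runs in SOFTIRQ context concurrently with the caller; this single-threaded model sequences that race explicitly (lookup, then unmap, then the caller's release). All names (peer_map, peer_unmap, find_peer_by_addr_inc_ref, peer_unref_delete, the MAC address) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (not driver code): table ref while mapped + one per inc_ref lookup. */
struct peer {
	uint8_t mac[6];
	int ref_cnt;
	bool mapped;          /* cleared when the unmap handler has run */
	struct peer *next;
};

struct pdev {
	struct peer *head;
	int freed;            /* peers actually freed so far (for the demo only) */
};

static void peer_free(struct pdev *pdev, struct peer *p)
{
	struct peer **pp;
	for (pp = &pdev->head; *pp && *pp != p; pp = &(*pp)->next)
		;
	if (*pp)
		*pp = p->next;    /* unlink, then release the memory */
	free(p);
	pdev->freed++;
}

/* Drop one reference; free the peer at zero (models OL_TXRX_PEER_UNREF_DELETE). */
static void peer_unref_delete(struct pdev *pdev, struct peer *p)
{
	if (--p->ref_cnt == 0)
		peer_free(pdev, p);
}

/* Map event: the table takes the initial reference. */
static struct peer *peer_map(struct pdev *pdev, const uint8_t mac[6])
{
	struct peer *p = calloc(1, sizeof(*p));
	if (!p)
		return NULL;
	memcpy(p->mac, mac, 6);
	p->ref_cnt = 1;
	p->mapped = true;
	p->next = pdev->head;
	pdev->head = p;
	return p;
}

/* Old-style lookup (models ol_txrx_find_peer_by_addr): no reference is taken. */
static struct peer *find_peer_by_addr(struct pdev *pdev, const uint8_t mac[6])
{
	struct peer *p;
	for (p = pdev->head; p; p = p->next)
		if (p->mapped && memcmp(p->mac, mac, 6) == 0)
			return p;
	return NULL;
}

/* New-style lookup (models ol_txrx_find_peer_by_addr_inc_ref): the caller owns
 * one reference until it calls peer_unref_delete(). */
static struct peer *find_peer_by_addr_inc_ref(struct pdev *pdev, const uint8_t mac[6])
{
	struct peer *p = find_peer_by_addr(pdev, mac);
	if (p)
		p->ref_cnt++;
	return p;
}

/* Unmap handler: the table gives up its reference; the peer is freed only if
 * nobody else still holds one. */
static void peer_unmap(struct pdev *pdev, const uint8_t mac[6])
{
	struct peer *p = find_peer_by_addr(pdev, mac);
	if (!p)
		return;
	p->mapped = false;
	peer_unref_delete(pdev, p);
}

static const uint8_t DEMO_MAC[6] = {0x02, 0x00, 0x00, 0xaa, 0xbb, 0xcc}; /* constructed */

/* Old pattern: returns 1 if the peer was freed while the caller still held the
 * pointer. The dangling pointer is deliberately never dereferenced here. */
int demo_plain_lookup_goes_stale(void)
{
	struct pdev pdev = {0};
	struct peer *p;
	peer_map(&pdev, DEMO_MAC);
	p = find_peer_by_addr(&pdev, DEMO_MAC);   /* ref_cnt stays 1 */
	peer_unmap(&pdev, DEMO_MAC);              /* ref_cnt 1 -> 0: freed, p dangles */
	return p != NULL && pdev.freed == 1;
}

/* New pattern: returns 1 if the caller's reference kept the peer alive across
 * the unmap and the peer was freed only on the caller's release. */
int demo_inc_ref_survives_unmap(void)
{
	struct pdev pdev = {0};
	struct peer *p;
	bool alive;
	peer_map(&pdev, DEMO_MAC);
	p = find_peer_by_addr_inc_ref(&pdev, DEMO_MAC); /* ref_cnt 2 */
	peer_unmap(&pdev, DEMO_MAC);                    /* ref_cnt 2 -> 1: still valid */
	alive = pdev.freed == 0 && p->ref_cnt == 1 && !p->mapped;
	peer_unref_delete(&pdev, p);                    /* ref_cnt 1 -> 0: freed now */
	return alive && pdev.freed == 1 && pdev.head == NULL;
}
```

The point the two demo functions make is the one in the commit message: once the caller owns a reference, the unmap handler can only drop the table's share, and the last release (wherever it happens) is what frees the peer, so the lifetime no longer depends on the unmap arriving after the caller is done.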