commit d91a6840f65bf1da50129f1c40af44e4e511b30c
author jiad <jiad@codeaurora.org> Tue Aug 01 14:46:02 2017 +0800
committer snandini <snandini@codeaurora.org> Sat Aug 05 23:53:31 2017 -0700
tree b433753615d3265974a9c7b72afb32b458472c91
parent 48c4709f8d97ee59b564c88e88f794a79c45c888

qcacld-3.0: fix a double-free in ipa uc ready callback

hdd_ipa_uc_loaded_uc_cb() allocates a msg buffer and passes it to
workqueue handler. Both hdd_ipa_uc_loaded_uc_cb() and workqueue
handler free the msg buffer, which leads to wrong memory dereference.

Fix is to return directly in hdd_ipa_uc_loaded_uc_cb() and let workqueue
handler free the msg buffer.

Change-Id: I842700e7fe94dc9a77fba966d918a054bc79f36a
CRs-Fixed: 2069189

core/hdd/src/wlan_hdd_ipa.c

diff --git a/core/hdd/src/wlan_hdd_ipa.c b/core/hdd/src/wlan_hdd_ipa.c
index d9fe1f0..b477766 100644
--- a/core/hdd/src/wlan_hdd_ipa.c
+++ b/core/hdd/src/wlan_hdd_ipa.c
@@ -699,6 +699,9 @@
 	uc_op_work->msg = msg;
 	schedule_work(&uc_op_work->work);
 
+	/* work handler will free the msg buffer */
+	return;
+
 done:
 	qdf_mem_free(msg);
 }
@@ -2348,6 +2351,7 @@
 	if (HDD_IPA_UC_OPCODE_MAX <= msg->op_code) {
 		HDD_IPA_LOG(QDF_TRACE_LEVEL_ERROR,
 			    "%s, INVALID OPCODE %d", __func__, msg->op_code);
+		qdf_mem_free(op_msg);
 		return;
 	}