qcacld-3.0: Fix possible double free in lim_handle_delete_bss_rsp

When disconnect is issued from userspace, lim_del_bss is invoked
and vdev stop is sent to firmware. If sending vdev stop fails,
WMA_DELETE_BSS_RSP is posted with failure. If an SSR is
happening during this time, then cds_mc_thread is preempted, and
as part of the pld uevent vdev resp queue cleanup is done. In
this path, lim_process_sta_mlm_del_bss_rsp is called and
msg->bodyptr is freed and pe session is deleted. After pld
uevent execution, the delete bss response processing in
cds_mc_thread as part of user space disconnect resumes and tries
to free the msg->bodyptr again. This results in double free.
Set msg->bodyptr to NULL after freeing the memory.

Change-Id: I851a5ddcae47cffe450dffafa31570895620bd9c
CRs-Fixed: 2332677
This commit is contained in:
Tushnim Bhattacharyya 2018-10-12 09:48:45 -07:00 committed by nshrivas
parent 178a2900a7
commit 6368a26899


@ -2224,10 +2224,8 @@ void lim_handle_delete_bss_rsp(tpAniSirGlobal pMac, struct scheduler_msg *MsgQ)
if (psessionEntry == NULL) {
pe_err("Session Does not exist for given sessionID: %d",
pDelBss->sessionId);
if (MsgQ->bodyptr) {
qdf_mem_free(MsgQ->bodyptr);
MsgQ->bodyptr = NULL;
}
qdf_mem_free(MsgQ->bodyptr);
MsgQ->bodyptr = NULL;
return;
}
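Review bot: the removed lines in this hunk already free `MsgQ->bodyptr` under a NULL guard and then clear it, so the "set msg->bodyptr to NULL after freeing" fix described in the message is not what this hunk changes; the visible change only drops the `if (MsgQ->bodyptr)` check in the session-not-found path and frees unconditionally, which is safe only if `qdf_mem_free()` tolerates a NULL pointer (not shown here). The double free in the description happens in the normal path, after `lim_process_sta_mlm_del_bss_rsp()` frees the body pointer during the pld uevent cleanup, and that call site is not in this hunk; please confirm the rest of the change (or that function) clears `MsgQ->bodyptr` there, otherwise the race described remains.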