qcacld-3.0: Check vdev state before ACS cb
Currently the driver calls the pre bss scan cb which is used to calculate the weight to start the SAP on best channel. This API depends upon the SAP context pointer which is passed as an arg to the scan module, which in turn returns the arg as part of the scan cb.

But it may happen that the SAP was deleted before the scan cb was called. In that case pre bss scan cb and weight calculation does not matter to the driver as SAP in any case is OFF. Here the sap context which was passed as an arg to the ACS cb is used after free, and there is no way currently to validate the pointer.

But as part of scan cb, the driver gets a vdev pointer, which would be in a logically deleted state, if the stop adapter for SAP has been done. Using this data, the driver can know the object status, and then decide to continue with the weight calculation.

Fix is to try get vdev ref before the weight calculation algo kicks in, and return if the reference cannot be taken to avoid use after free for SAP-context.

Change-Id: Ib9c3bde4a36ee49efdadab3dc531991b8688f79e
CRs-Fixed: 2509249
parent 6c6993dee6
commit b4539e1cf1
@ -1266,6 +1266,22 @@ void sap_scan_event_callback(struct wlan_objmgr_vdev *vdev,
|
||||
bool success = false;
|
||||
eCsrScanStatus scan_status = eCSR_SCAN_FAILURE;
|
||||
mac_handle_t mac_handle;
|
||||
QDF_STATUS status;
|
||||
|
||||
/*
|
||||
* It may happen that the SAP was deleted before the scan
|
||||
* cb was called. Here the sap context which was passed as an
|
||||
* arg to the ACS cb is used after free then, and there is no way
|
||||
* currently to validate the pointer. Now try get vdev ref before
|
||||
* the weight calculation algo kicks in, and return if the
|
||||
* reference cannot be taken to avoid use after free for SAP-context
|
||||
*/
|
||||
status = wlan_objmgr_vdev_try_get_ref(vdev, WLAN_LEGACY_SAP_ID);
|
||||
if (QDF_IS_STATUS_ERROR(status)) {
|
||||
sap_err("Hotspot fail, vdev ref get error");
|
||||
return;
|
||||
}
|
||||
wlan_objmgr_vdev_release_ref(vdev, WLAN_LEGACY_SAP_ID);
|
||||
|
||||
session_id = wlan_vdev_get_id(vdev);
|
||||
scan_id = event->scan_id;
|
||||
|
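Review bot: In the added block at the top of sap_scan_event_callback, wlan_objmgr_vdev_release_ref(vdev, WLAN_LEGACY_SAP_ID) runs immediately after the successful wlan_objmgr_vdev_try_get_ref, so the reference only shows that the vdev was not logically deleted at that instant and is not held while the rest of the callback runs. If the SAP can be stopped between that release and the later use of the SAP context passed as arg, the use-after-free window described in the commit message is narrowed rather than closed. Consider holding the reference until the weight calculation has finished and releasing it on every return path, or state in the comment why deletion cannot proceed once this check has passed. The sap_err message could also include the vdev id so the failure can be attributed to a specific interface.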