android_kernel_xiaomi_sm8350/core/mac
Pragaspathi Thilagaraj 210362a1c2 qcacld-3.0: Fix memory corruption in pe_free_nested_messages
When peer creation fails in wma_set_link_state, wma sends the
WMA_SET_LINK_STATE_RSP msg to LIM and LIM frees the msg->bodyptr.
But there is a situation where, after this wma_peer_create
fails, the mc thread stop sys event also occurs, where mac_stop
is invoked, which calls pe_free_msg -> pe_free_nested_messages.
In pe_free_nested_messages, if the msg type is
WMA_SET_LINK_STATE_RSP, we free the msg->bodyptr->callbackArg.
This callbackArg points to the PE session. Trying to free the
PE session results in memory corruption.

Just pass the session id as callback argument when the callback
is lim_post_join_set_link_state_callback.

Change-Id: I27f9127685ac7ef8d215b135f1625e8e2f225fc0
CRs-Fixed: 2287827
2018-08-13 21:37:31 -07:00
inc Release 5.2.0.92F 2018-08-13 18:12:40 -07:00
src qcacld-3.0: Fix memory corruption in pe_free_nested_messages 2018-08-13 21:37:31 -07:00