During Rome LFR2 roaming, after pre-auth with the new AP has finished,
the current AP is disassociated. In the disassoc rsp handler,
csr_roam_roaming_state_disassoc_rsp_processor,
csr_roam_copy_profile is called after csr_dequeue_command.
In csr_dequeue_command, the cmd from the active list is removed and a cmd
from the pending cmd list is moved to the active list and executed. If that
cmd is a disassoc from wpa supplicant, pSession->pCurRoamProfile is
freed, and a use after free happens in csr_roam_copy_profile.

Call stack when the issue happens:
csr_roam_roaming_state_disassoc_rsp_processor
->csr_dequeue_command
->wlan_serialization_dequeue_cmd
->wlan_serialization_move_pending_to_active
->wlan_serialization_activate_cmd
->sme_ser_handle_active_cmd
->csr_roam_process_command
->csr_roam_process_disassoc_deauth
-> csr_free_roam_profile
->csr_roam_copy_profile

Fixed by calling csr_dequeue_command after csr_roam_copy_profile.

Change-Id: I903795e830c153b94a7dc0476a0e8ea5ecf6be2f
CRs-Fixed: 2205645
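
The ordering problem described in the commit message above, as a simplified model (an added example, not the driver's code). All names are hypothetical stand-ins, and the model clears the pointer on free so the stale access is detected rather than dereferenced:

```c
#include <stdlib.h>
#include <string.h>
/* Simplified model; every name is a hypothetical stand-in for the driver's. */
struct profile { char ssid[33]; };
struct session {
    struct profile *cur_profile; /* models pSession->pCurRoamProfile */
    int pending_disassoc;        /* queued disassoc from the supplicant */
};

/* Models the queued disassoc running: it frees the current profile.
 * Model assumption: the pointer is cleared so the stale read is detectable. */
static void run_pending_disassoc(struct session *s) {
    free(s->cur_profile);
    s->cur_profile = NULL;
}

/* Models csr_dequeue_command: removing the active command synchronously
 * activates and executes the next pending one. */
static void dequeue_command(struct session *s) {
    if (s->pending_disassoc) {
        s->pending_disassoc = 0;
        run_pending_disassoc(s);
    }
}

/* Models csr_roam_copy_profile; -1 means the source was already freed. */
static int copy_profile(const struct session *s, struct profile *dst) {
    if (s->cur_profile == NULL)
        return -1;
    memcpy(dst, s->cur_profile, sizeof(*dst));
    return 0;
}

/* Runs the disassoc response handler in either order on constructed state. */
int handle_disassoc_rsp(int copy_before_dequeue) {
    struct session s = { calloc(1, sizeof(struct profile)), 1 };
    struct profile saved;
    int rc;
    if (s.cur_profile == NULL)
        return -2;
    strcpy(s.cur_profile->ssid, "constructed-ap");
    if (copy_before_dequeue) {   /* order after the fix */
        rc = copy_profile(&s, &saved);
        dequeue_command(&s);
    } else {                     /* order before the fix */
        dequeue_command(&s);
        rc = copy_profile(&s, &saved);
    }
    return rc;
}
```

Building the real handler with an address sanitizer (KASAN for kernel code) is what surfaces this class of bug in practice, since a dangling pointer is not NULL and the copy would otherwise appear to succeed.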