b4539e1cf1
Currently the driver calls the pre bss scan cb which is used to calculate the weight to start the SAP on best channel. This API depends upon the SAP context pointer which is passed as a arg to the scan module, which in turn returns the arg as part of the scan cb. But it may happen that the SAP was deleted before the scan cb was called. In that case pre bss scan cb and weight calculation does not matter to the driver as SAP in any case is OFF. Here the sap context which was passed as an arg to the ACS cb is used after free, and there is no way currently to validate the pointer. But as part of scan cb, the driver gets a vdev pointer, which would be in a logically deleted state, if the stop adapter for SAP has been done. Using this data, the driver can know the object status, and then decide to continue with the weight calculation. Fix is to try get vdev ref before the weight calculation algo kicks in, and return if the reference cannot be taken to avoid use after free for SAP-context. Change-Id: Ib9c3bde4a36ee49efdadab3dc531991b8688f79e CRs-Fixed: 2509249 |
||
|---|---|---|
| .. | ||
| bmi | ||
| cds | ||
| dp | ||
| hdd | ||
| mac | ||
| pld | ||
| sap | ||
| sme | ||
| wma | ||