
Commit b0880953 authored by Ananya Gupta, committed by nshrivas

qcacmn: Release peer ref count after handle usage is complete

Race condition is observed as dp_ipa_rx_intrabss_fwd is
accessing da_peer after releasing the ref count of the peer
while that peer is deleted parallelly.
To fix this, da_peer and sa_peer are only assigned if the
peers are found in the vdev.

Change-Id: Ib03835a509d656eb11946c075b820555b04934f8
CRs-Fixed: 2723448
parent 90d6dd43
+7 −7
@@ -1775,20 +1775,20 @@ bool dp_ipa_rx_intrabss_fwd(struct cdp_soc_t *soc_hdl, uint8_t vdev_id,
	if (!qdf_mem_cmp(eh->h_dest, vdev->mac_addr.raw, QDF_MAC_ADDR_SIZE))
		return false;

	da_peer = dp_find_peer_by_addr((struct cdp_pdev *)pdev, eh->h_dest);
	da_peer = dp_find_peer_by_addr_and_vdev(dp_pdev_to_cdp_pdev(pdev),
						dp_vdev_to_cdp_vdev(vdev),
						eh->h_dest);

	if (!da_peer)
		return false;

	if (da_peer->vdev != vdev)
		return false;
	sa_peer = dp_find_peer_by_addr_and_vdev(dp_pdev_to_cdp_pdev(pdev),
						dp_vdev_to_cdp_vdev(vdev),
						eh->h_source);

	sa_peer = dp_find_peer_by_addr((struct cdp_pdev *)pdev, eh->h_source);
	if (!sa_peer)
		return false;

	if (sa_peer->vdev != vdev)
		return false;

	/*
	 * In intra-bss forwarding scenario, skb is allocated by IPA driver.
	 * Need to add skb to internal tracking table to avoid nbuf memory
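Review bot: nothing in this hunk takes or drops a reference on da_peer or sa_peer, so from these lines alone it is not clear how the lifetime problem in the commit message is closed. The lookups now go through dp_find_peer_by_addr_and_vdev and the `da_peer->vdev != vdev` / `sa_peer->vdev != vdev` checks are gone, which removes two dereferences of the returned pointers, but both pointers are still live when the function continues past the sa_peer check. Please state in a comment above the lookups whether dp_find_peer_by_addr_and_vdev returns a peer with a reference held. If it does, the `if (!sa_peer) return false;` path exits while da_peer is still referenced and needs a matching release, as does every later return. If it does not, add a note explaining what prevents a concurrent peer delete from invalidating da_peer or sa_peer before their last use in this function, or hold an explicit reference across that use.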