authorRajeev Kumar <rajekuma@codeaurora.org>2017-04-27 13:31:35 -0700
committerRajeev Kumar <rajekuma@codeaurora.org>2017-04-27 13:31:35 -0700
commit6f860de796fa7aeba9bbabd4f9cf188653b6f7cc (patch)
treedd780547fc3c10ec7640f9e8c5b1ff3e984ebd1d
parent6c90e965f81a8d44627fcb68658245b9c8753183 (diff)
qcacmn: fix use after free in send_add_wow_wakeup_event_cmd_tlv
The WMI command buffer is freed asynchronously once the WMI TX complete interrupt is received, so do not access WMI cmd data after calling the wmi_unified_cmd_send API in send_add_wow_wakeup_event_cmd_tlv. Change-Id: If3ba1228d40c9136f1354c5a78bfbcbdfee85e48 CRs-Fixed: 2039818
-rw-r--r--wmi/src/wmi_unified_tlv.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c
index 8021b75dbd09..5c11dcb1330b 100644
--- a/wmi/src/wmi_unified_tlv.c
+++ b/wmi/src/wmi_unified_tlv.c
@@ -7770,6 +7770,10 @@ QDF_STATUS send_add_wow_wakeup_event_cmd_tlv(wmi_unified_t wmi_handle,
qdf_mem_copy(&(cmd->event_bitmaps[0]), bitmap, sizeof(uint32_t) *
WMI_WOW_MAX_EVENT_BM_LEN);
+ WMI_LOGD("Wakeup pattern 0x%x%x%x%x %s in fw", cmd->event_bitmaps[0],
+ cmd->event_bitmaps[1], cmd->event_bitmaps[2],
+ cmd->event_bitmaps[3], enable ? "enabled" : "disabled");
+
ret = wmi_unified_cmd_send(wmi_handle, buf, len,
WMI_WOW_ENABLE_DISABLE_WAKE_EVENT_CMDID);
if (ret) {
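Review bot: The moved WMI_LOGD now reports the pattern as "enabled"/"disabled" in fw before wmi_unified_cmd_send() has run, so on a send failure the debug log claims a state the firmware never received. The values are copied from the caller's `bitmap` just above, so the log could stay on the success path and read from that instead of `cmd`, e.g. `WMI_LOGD("Wakeup pattern 0x%08x%08x%08x%08x %s in fw", bitmap[0], bitmap[1], bitmap[2], bitmap[3], enable ? "enabled" : "disabled");`. This assumes `bitmap` is a uint32_t array that the caller keeps alive, which the hunk does not show. The `%08x` padding is a separate suggestion: with plain `%x` the four words run together and different bitmaps can print identically. The function body starts and ends outside this hunk.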
@@ -7778,9 +7782,9 @@ QDF_STATUS send_add_wow_wakeup_event_cmd_tlv(wmi_unified_t wmi_handle,
return QDF_STATUS_E_FAILURE;
}
- WMI_LOGD("Wakeup pattern 0x%x%x%x%x %s in fw", cmd->event_bitmaps[0],
- cmd->event_bitmaps[1], cmd->event_bitmaps[2],
- cmd->event_bitmaps[3], enable ? "enabled" : "disabled");
+ /* Do not access buf or cmd data after this as WMI tx complete interrupt
+ * could have freed the buffer in different context
+ */
return QDF_STATUS_SUCCESS;
}
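Review bot: The new comment sits after the error branch and just before the final return, so "after this" has no clear referent. It would be clearer directly at the wmi_unified_cmd_send() call in the previous hunk, stating when ownership changes, e.g. `/* On success buf is owned by WMI and may be freed from the tx-complete context; do not touch buf or cmd after this call. */`. Most of the error branch is outside the hunk, so whether buf is released there on failure cannot be confirmed from here and is worth checking when the comment is reworded. Other send_*_cmd_tlv helpers in this file that read `cmd` after sending would presumably need the same treatment.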