authorTushnim Bhattacharyya <tushnimb@codeaurora.org>2018-10-12 09:48:45 -0700
committernshrivas <nshrivas@codeaurora.org>2018-10-25 07:32:38 -0700
commit66dcb41eaa966dde9eb99d2a15cf4fe009600dac (patch)
tree90c82dd9f357af2a763e8eacc7fca12e73ae42cf /core/mac/src
parent5aa7fed42af0234de3a21ae2bb2ddefefa3e0300 (diff)
qcacld-3.0: Fix possible double free in lim_handle_delete_bss_rsp
When disconnect is issued from userspace, lim_del_bss is invoked and vdev stop is sent to firmware. If sending vdev stop fails, WMA_DELETE_BSS_RSP is posted with failure. If an SSR is happening during this time, then cds_mc_thread is preempted, and as part of the pld uevent the vdev resp queue cleanup is done. In this path, lim_process_sta_mlm_del_bss_rsp is called, msg->bodyptr is freed and the pe session is deleted. After pld uevent execution, the delete bss response processing in cds_mc_thread (as part of the user space disconnect) resumes and tries to free msg->bodyptr again. This results in a double free. Set msg->bodyptr to NULL after freeing the memory. Change-Id: I851a5ddcae47cffe450dffafa31570895620bd9c CRs-Fixed: 2332677
Diffstat (limited to 'core/mac/src')
-rw-r--r--core/mac/src/pe/lim/lim_send_sme_rsp_messages.c6
1 files changed, 2 insertions, 4 deletions
diff --git a/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c b/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c
index fbba7473c912..f359621f24dd 100644
--- a/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c
+++ b/core/mac/src/pe/lim/lim_send_sme_rsp_messages.c
@@ -2395,10 +2395,8 @@ void lim_handle_delete_bss_rsp(tpAniSirGlobal pMac, tpSirMsgQ MsgQ)
if (psessionEntry == NULL) {
pe_err("Session Does not exist for given sessionID: %d",
pDelBss->sessionId);
- if (MsgQ->bodyptr) {
- qdf_mem_free(MsgQ->bodyptr);
- MsgQ->bodyptr = NULL;
- }
+ qdf_mem_free(MsgQ->bodyptr);
+ MsgQ->bodyptr = NULL;
return;
}
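Review bot: The new lines free MsgQ->bodyptr unconditionally, but the pe_err two lines above already dereferences pDelBss; if pDelBss was derived from MsgQ->bodyptr (its origin is outside the hunk) a NULL bodyptr would fault on that line before the free ever ran, so the removed guard never protected this path and the simplification is only correct if qdf_mem_free() tolerates NULL — both assumptions deserve a comment, e.g. `/* pDelBss comes from bodyptr and was already dereferenced; qdf_mem_free(NULL) is a no-op */`. Note also that the NULL store only helps a later reader that re-reads MsgQ->bodyptr after it; the resumed cds_mc_thread described in the commit message may already hold the pointer in a local such as pDelBss, so this branch by itself cannot guarantee the message is consumed exactly once, and that guarantee has to come from the code that dequeues the response. lim_handle_delete_bss_rsp starts and ends outside the hunk.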