From 3866ef42761ba7c5365a3cd4444e37a63deb42fa Mon Sep 17 00:00:00 2001
From: Sushant Kaushik
Date: Wed, 25 Feb 2015 17:36:52 -0800
Subject: qcacld-2.0: Fix kernel panic while TDLS exit

prima to qcacld-2.0 propagation

As a part of TDLS exit, tdls context is freed without explicitly setting tdls adapter as NULL. As a result, a race condition may arise when tdls exit is called immediately after tdls init. As a part of tdls init, driver start timers for peerDiscovery which use tdls adapater. Since as part of tdls exit, adapters are not set as null but are freed, timer function might end up using memory which is freed. As a part of fix, explicitly set adapter as null as part of tdls exit.

Change-Id: I6eeb3f2b37000237583e17ee160b9c34b9b68957
CRs-Fixed: 800373
---
 CORE/HDD/src/wlan_hdd_tdls.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/CORE/HDD/src/wlan_hdd_tdls.c b/CORE/HDD/src/wlan_hdd_tdls.c
index 11e1b9dec208..2bc7d0ca0e0f 100644
--- a/CORE/HDD/src/wlan_hdd_tdls.c
+++ b/CORE/HDD/src/wlan_hdd_tdls.c
@@ -206,6 +206,12 @@ static v_VOID_t wlan_hdd_tdls_discover_peer_cb( v_PVOID_t userData )
         return;
     }
 
+    if (WLAN_HDD_ADAPTER_MAGIC != pHddTdlsCtx->pAdapter->magic) {
+        hddLog(LOGE, FL("pAdapter has invalid magic"));
+        return;
+    }
+
+
     pHddCtx = WLAN_HDD_GET_CTX( pHddTdlsCtx->pAdapter );
 
     if (0 != (wlan_hdd_validate_context(pHddCtx))) {
@@ -374,6 +380,11 @@ static v_VOID_t wlan_hdd_tdls_discovery_timeout_peer_cb(v_PVOID_t userData)
         return;
     }
 
+    if (WLAN_HDD_ADAPTER_MAGIC != pHddTdlsCtx->pAdapter->magic) {
+        hddLog(LOGE, FL("pAdapter has invalid magic"));
+        return;
+    }
+
     pHddCtx = WLAN_HDD_GET_CTX( pHddTdlsCtx->pAdapter );
 
     if (0 != (wlan_hdd_validate_context(pHddCtx))) {
@@ -896,6 +907,9 @@ void wlan_hdd_tdls_exit(hdd_adapter_t *pAdapter)
         }
     }
 
+    pHddTdlsCtx->magic = 0;
+    pHddTdlsCtx->pAdapter = NULL;
+
     vos_mem_free(pHddTdlsCtx);
     pAdapter->sessionCtx.station.pHddTdlsCtx = NULL;
     pHddTdlsCtx = NULL;
-- 
cgit v1.2.3
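Review bot: The new guard in wlan_hdd_tdls_discover_peer_cb() reads `pHddTdlsCtx->pAdapter->magic` without first checking that `pAdapter` is non-NULL, yet the third hunk of this same patch now sets `pHddTdlsCtx->pAdapter = NULL` in wlan_hdd_tdls_exit(), so the very case the check is meant to catch becomes a NULL dereference instead of a clean return. Extend it to `if (NULL == pHddTdlsCtx->pAdapter || WLAN_HDD_ADAPTER_MAGIC != pHddTdlsCtx->pAdapter->magic) {`. The identical check added to wlan_hdd_tdls_discovery_timeout_peer_cb() in the second hunk has the same gap. As a minor style point, this hunk inserts two consecutive blank lines after the new block where the surrounding code uses one. wlan_hdd_tdls_discover_peer_cb() starts and ends outside this hunk.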
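Review bot: Clearing `magic` and `pAdapter` immediately before `vos_mem_free(pHddTdlsCtx)` does not close the race the commit message describes: once the block is freed its contents are unspecified and the memory may be reused, so a timer callback that later reads `pHddTdlsCtx->magic` or `pHddTdlsCtx->pAdapter` is still a use-after-free, and the zeroed fields are only a best-effort hint that happens to work while the freed memory is untouched. The durable fix is to guarantee that the peer-discovery timers are stopped and destroyed, so that no callback can still be running or pending, before the context is freed; whether the loop that closes just above this hunk already does so is not visible here. A comment on the two new lines, e.g. `/* Best-effort only: invalidate the ctx so a late timer callback fails its magic check; timers must still be stopped before this free */`, would make both the intent and the limitation explicit to the next reader. wlan_hdd_tdls_exit() starts outside this hunk.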