eap_proxy: Cancel eloop registration during eap_proxy_deinit

QMI callbacks are scheduled from QMI threads to supplicant eloop via eloop_regsiter_timeout. During deinit, callback data is freed. For cases where scheduled callbacks are invoked post deinit, it would result in heap use-after-free. This commit is to cancel the registered callback during deinit to avoid use-after-free. Change-Id: Ie734fbf7708e1c830fa88fe0694ba4fade48f386 CRs-Fixed: 2859124 (cherry picked from commit bde2d8f35a5ac5d268d11fd7cd2dbe6058c2c8c5)
author: Purushottam Kushwaha <pkushwah@codeaurora.org> 2021-01-29 16:08:36 +0530
committer: Purushottam Kushwaha <pkushwah@codeaurora.org> 2021-02-11 07:00:18 +0000
commit: ddffe981e88146adf777ce64c1c2dac2e1dad05e (patch)
tree: 0ec729893ab001e1105eb3469da3a4ca92148c78
parent: f9e66c7cbc3ebef30cc29b8c29eca36ed4bb75a1 (diff)
2 files changed, 14 insertions, 8 deletions
diff --git a/src/eap_peer/eap_proxy_qmi.c b/src/eap_peer/eap_proxy_qmi.c
index bbcca92..a7aac15 100644
--- a/src/eap_peer/eap_proxy_qmi.c
+++ b/src/eap_peer/eap_proxy_qmi.c
@@ -207,8 +207,8 @@ static int validate_qmi_cb_data(struct qmi_cb_data *cb_data) {
 
 static struct qmi_cb_data* eap_proxy_prepare_qmi_cb_data(
                  qmi_client_type user_handle, unsigned int msg_id,
-                 void *ind_buf_ptr, unsigned int ind_buf_len,
-                 void *ind_cb_data) {
+                 void *ind_buf_ptr, unsigned int ind_buf_len, void *ind_cb_data,
+                 eloop_timeout_handler handler) {
 
         struct qmi_cb_data *cb_data;
 
@@ -232,6 +232,7 @@ static struct qmi_cb_data* eap_proxy_prepare_qmi_cb_data(
         cb_data->msg_id = msg_id;
         cb_data->buflen = ind_buf_len;
         cb_data->userdata = ind_cb_data;
+        cb_data->handler = handler;
 
         return cb_data;
 }
@@ -335,14 +336,15 @@ static void wpa_qmi_client_indication_cb
         pthread_mutex_lock(&eloop_lock);       // Lock
         wpa_printf(MSG_ERROR, "eap_proxy: %s eap_proxy=%p", __func__, eap_proxy);
         cb_data = eap_proxy_prepare_qmi_cb_data(user_handle, msg_id, ind_buf_ptr,
-                                                ind_buf_len, ind_cb_data);
+                                                ind_buf_len, ind_cb_data,
+                                                __wpa_qmi_client_indication_cb);
         if (cb_data == NULL) {
                 pthread_mutex_unlock(&eloop_lock);      // Unlock
                 return;
         }
 
         dl_list_add(&eap_proxy->callback, &cb_data->list);
-        eloop_register_timeout(0, 0, __wpa_qmi_client_indication_cb, cb_data, NULL);
+        eloop_register_timeout(0, 0, cb_data->handler, cb_data, NULL);
         pthread_mutex_unlock(&eloop_lock);      // Unlock
 
 }
@@ -843,7 +845,8 @@ void eap_proxy_notifier_cb
             wpa_printf(MSG_DEBUG, "eap_proxy: %s Handle QMI_CLIENT_SERVICE_COUNT_INC event",
                        __func__);
             pthread_mutex_lock(&eloop_lock);       // Lock
-            cb_data = eap_proxy_prepare_qmi_cb_data(user_handle, 0, notify_cb_data, 0, NULL);
+            cb_data = eap_proxy_prepare_qmi_cb_data(user_handle, 0, notify_cb_data, 0, NULL,
+                                                    __eap_proxy_notifier_cb);
 
             if (cb_data == NULL) {
                     wpa_printf(MSG_ERROR, "eap_proxy: failed to allocate memory");
@@ -852,7 +855,7 @@ void eap_proxy_notifier_cb
             }
 
             dl_list_add(&eap_proxy->callback, &cb_data->list);
-            eloop_register_timeout(0, 0, __eap_proxy_notifier_cb, cb_data, NULL);
+            eloop_register_timeout(0, 0, cb_data->handler, cb_data, NULL);
             pthread_mutex_unlock(&eloop_lock);      // Unlock
             break;
 
@@ -1274,6 +1277,7 @@ static void eap_proxy_clear_callbacks(struct eap_proxy_sm *eap_proxy)
         struct qmi_cb_data *tmp, *prev;
         dl_list_for_each_safe(tmp, prev, &eap_proxy->callback,
                               struct qmi_cb_data, list) {
+                eloop_cancel_timeout(tmp->handler, tmp, NULL);
                 eap_proxy_clear_qmi_cb_data(tmp);
         }
 }
@@ -1387,7 +1391,8 @@ static void handle_qmi_eap_ind(qmi_client_type user_handle,
         wpa_printf(MSG_ERROR, "eap_proxy: %s eap_proxy=%p", __func__, eap_proxy);
 
         cb_data = eap_proxy_prepare_qmi_cb_data(user_handle, msg_id, ind_buf,
-                                                ind_buf_len, ind_cb_data);
+                                                ind_buf_len, ind_cb_data,
+                                                __handle_qmi_eap_ind);
         if (cb_data == NULL) {
                 pthread_mutex_unlock(&eloop_lock);      // Unlock
                 return;
@@ -1399,7 +1404,7 @@ static void handle_qmi_eap_ind(qmi_client_type user_handle,
         if (eap_proxy != NULL && eap_proxy->qmi_state == QMI_STATE_RESP_PENDING)
              __handle_qmi_eap_ind(cb_data, NULL);
         else
-            eloop_register_timeout(0, 0, __handle_qmi_eap_ind, cb_data, NULL);
+            eloop_register_timeout(0, 0, cb_data->handler, cb_data, NULL);
 
         pthread_mutex_unlock(&eloop_lock);      // Unlock
 }
diff --git a/src/eap_peer/eap_proxy_qmi.h b/src/eap_peer/eap_proxy_qmi.h
index 2a4a50a..b4a7eff 100644
--- a/src/eap_peer/eap_proxy_qmi.h
+++ b/src/eap_peer/eap_proxy_qmi.h
@@ -112,6 +112,7 @@ struct qmi_cb_data {
         void *buf;
         unsigned int buflen;
         void *userdata;
+        eloop_timeout_handler handler;
 
         /* additional data for eap_reply */
         qmi_client_error_type err_code;
author	Purushottam Kushwaha <pkushwah@codeaurora.org>	2021-01-29 16:08:36 +0530
committer	Purushottam Kushwaha <pkushwah@codeaurora.org>	2021-02-11 07:00:18 +0000
commit	ddffe981e88146adf777ce64c1c2dac2e1dad05e (patch)
tree	0ec729893ab001e1105eb3469da3a4ca92148c78
parent	f9e66c7cbc3ebef30cc29b8c29eca36ed4bb75a1 (diff)