From 2ce1c4952d871f2baad0bc69dd8500f830f43db4 Mon Sep 17 00:00:00 2001
From: Paul Stewart
Date: Wed, 18 Nov 2015 10:28:32 -0800
Subject: Fix use-after-free in wifi_cleanup()
Release reference to cmd only after possibly calling getType().
BUG: 25753768
Change-Id: Id2156ce51acec04e8364706cf7eafc7d4adae9eb
(cherry picked from commit d7f3cb9915d9ac514393d0ad7767662958054b8f https://googleplex-android-review.git.corp.google.com/#/c/815223)
---
 bcmdhd/wifi_hal/wifi_hal.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/bcmdhd/wifi_hal/wifi_hal.cpp b/bcmdhd/wifi_hal/wifi_hal.cpp
index b27bac2..982702a 100644
--- a/bcmdhd/wifi_hal/wifi_hal.cpp
+++ b/bcmdhd/wifi_hal/wifi_hal.cpp
@@ -310,12 +310,12 @@ void wifi_cleanup(wifi_handle handle, wifi_cleaned_up_handler handler)
 pthread_mutex_unlock(&info->cb_lock);
 cmd->cancel();
 pthread_mutex_lock(&info->cb_lock);
- /* release reference added when command is saved */
- cmd->releaseRef();
 if (num_cmd == info->num_cmd) {
 ALOGE("Cancelling command %p:%s did not work", cmd, cmd->getType());
 bad_commands++;
 }
+ /* release reference added when command is saved */
+ cmd->releaseRef();
 }
 }
--
cgit v1.1
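Review bot: In the branch where `num_cmd == info->num_cmd`, the cancel apparently did not remove the command from the handle's saved-command list, yet `cmd->releaseRef()` after the block still drops the reference taken when it was saved. If that is the last reference, the list would keep a pointer to a freed object, which is the same class of bug this commit fixes for the `getType()` call. It is worth confirming that nothing reads the list entries counted in `bad_commands` after this point, or else keeping the reference for those entries. The new ordering is also easy to undo by accident, so the comment could say why the release comes last: `/* release reference added when command is saved; keep after the last use of cmd */`. The enclosing loop and the rest of wifi_cleanup() lie outside the hunk, so the list handling is inferred from the context lines.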