Fix use-after-free in wifi_cleanup() Release reference to cmd only after possibly calling getType(). BUG: 25753768 Change-Id: Id2156ce51acec04e8364706cf7eafc7d4adae9eb (cherry picked from commit d7f3cb9915d9ac514393d0ad7767662958054b8f https://googleplex-android-review.git.corp.google.com/#/c/815223)

commit: 2c5a4fac8bc8198f6a2635ede776f8de40a0c3e1 [log] [tgz]
author: Paul Stewart <[email protected]> Wed Nov 18 10:28:32 2015 -0800
committer: The Android Automerger <[email protected]> Thu Dec 10 16:11:56 2015 -0800
tree: 6dd20e95f82870642a05b05540957d6294922be8
parent: 06a2d34583130aa2c8d923f2f850dce1ffcf3349 [diff]
diff --git a/bcmdhd/wifi_hal/wifi_hal.cpp b/bcmdhd/wifi_hal/wifi_hal.cpp
index 28f5565..fdb7d7b 100644
--- a/bcmdhd/wifi_hal/wifi_hal.cpp
+++ b/bcmdhd/wifi_hal/wifi_hal.cpp

@@ -335,12 +335,12 @@
             pthread_mutex_unlock(&info->cb_lock);
             cmd->cancel();
             pthread_mutex_lock(&info->cb_lock);
-            /* release reference added when command is saved */
-            cmd->releaseRef();
             if (num_cmd == info->num_cmd) {
                 ALOGI("Cancelling command %p:%s did not work", cmd, (cmd ? cmd->getType(): ""));
                 bad_commands++;
             }
+            /* release reference added when command is saved */
+            cmd->releaseRef();
         }
     }
commit	2c5a4fac8bc8198f6a2635ede776f8de40a0c3e1	[log] [tgz]
author	Paul Stewart <[email protected]>	Wed Nov 18 10:28:32 2015 -0800
committer	The Android Automerger <[email protected]>	Thu Dec 10 16:11:56 2015 -0800
tree	6dd20e95f82870642a05b05540957d6294922be8
parent	06a2d34583130aa2c8d923f2f850dce1ffcf3349 [diff]