From 0eb3dd0ebeda49d5207b1ccb246c304cd2b104fe Mon Sep 17 00:00:00 2001
From: Naveen Rawat
Date: Mon, 3 Apr 2017 20:18:30 -0700
Subject: [PATCH] qcacld-3.0: Avoid double free of req in wma_hold_req_timer
Do not free request pointer in wma_hold_req_timer, if not found in the list, because firmware response would have consumed and freed it.
Change-Id: Ibf561243c606b40e45c8b1cd7c0d2559e0ea85aa
CRs-Fixed: 2027853
---
 core/wma/src/wma_dev_if.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/core/wma/src/wma_dev_if.c b/core/wma/src/wma_dev_if.c
index 101f43b1c8..a7087597a1 100644
--- a/core/wma/src/wma_dev_if.c
+++ b/core/wma/src/wma_dev_if.c
@@ -2360,7 +2360,7 @@ void wma_hold_req_timer(void *data)
 wma = cds_get_context(QDF_MODULE_ID_WMA);
 if (NULL == wma) {
 WMA_LOGE(FL("Failed to get wma"));
- goto free_tgt_req;
+ return;
 }
 WMA_LOGA(FL("request %d is timed out for vdev_id - %d"),
@@ -2370,7 +2370,11 @@ void wma_hold_req_timer(void *data)
 if (!msg) {
 WMA_LOGE(FL("Failed to lookup request message - %d"),
 tgt_req->msg_type);
- goto free_tgt_req;
+ /*
+ * if find request failed, then firmware rsp should have
+ * consumed the buffer. Do not free.
+ */
+ return;
 }
 if (tgt_req->msg_type == WMA_ADD_STA_REQ) {
@@ -2422,9 +2426,6 @@ void wma_hold_req_timer(void *data)
 tgt_req->msg_type, tgt_req->type);
 QDF_BUG(0);
 }
-free_tgt_req:
- qdf_mc_timer_destroy(&tgt_req->event_timeout);
- qdf_mem_free(tgt_req);
 }
 /**
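Review bot: The early `return` on the `NULL == wma` path now leaves `tgt_req` and its `event_timeout` timer unreleased, while the commit message only justifies skipping the free when the request is not found in the list. The third hunk also removes the `free_tgt_req:` cleanup altogether, so from the visible lines the path where the lookup succeeds no longer destroys the timer or frees the request in this function either. If another path takes ownership, say so at each exit, e.g. `/* tgt_req is released by <owner - confirm>, not by the timer handler */`. Otherwise keep `qdf_mc_timer_destroy()` and `qdf_mem_free()` on the paths where this handler is the sole owner. The body of wma_hold_req_timer starts and ends outside this hunk.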
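Review bot: The `WMA_LOGE` directly above the new comment still reads `tgt_req->msg_type` on the very path where the comment says the firmware response has already consumed and freed the buffer, so the log line is a read of freed memory. The lookup call lies outside this hunk and presumably also reads fields of `tgt_req`, as does the `WMA_LOGA` in the first hunk, so the double free is closed but the timer callback can apparently still touch a released object. At minimum the failure log should not dereference the request, e.g. `WMA_LOGE(FL("Failed to lookup request message"));`. A fuller fix would have the lookup match on the pointer value under the queue lock before any field is read.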