
qcacmn: Fix memory allocation in NDP firmware events

Fix memory allocation during NDP firmware events by allocating
memory before wmi_extract APIs are called.

Change-Id: I3af2f49895a79a45b3add246eeb9025b1df92faa
CRs-Fixed: 2183493
Naveen Rawat пре 7 година
родитељ
комит
2a5dc61663

+ 57 - 22
target_if/nan/src/target_if_nan.c

@@ -181,7 +181,7 @@ static int target_if_ndp_initiator_rsp_handler(ol_scn_t scn, uint8_t *data,
 	struct wmi_unified *wmi_handle;
 	struct wlan_objmgr_psoc *psoc;
 	struct scheduler_msg msg = {0};
-	struct nan_datapath_initiator_rsp *rsp = NULL;
+	struct nan_datapath_initiator_rsp *rsp;
 
 	psoc = target_if_get_psoc_from_scn_hdl(scn);
 	if (!psoc) {
@@ -195,9 +195,16 @@ static int target_if_ndp_initiator_rsp_handler(ol_scn_t scn, uint8_t *data,
 		return -EINVAL;
 	}
 
-	status = wmi_extract_ndp_initiator_rsp(wmi_handle, data, &rsp);
+	rsp = qdf_mem_malloc(sizeof(*rsp));
+	if (!rsp) {
+		target_if_err("malloc failed");
+		return -ENOMEM;
+	}
+
+	status = wmi_extract_ndp_initiator_rsp(wmi_handle, data, rsp);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("parsing of event failed, %d", status);
+		qdf_mem_free(rsp);
 		return -EINVAL;
 	}
 
@@ -209,7 +216,7 @@ static int target_if_ndp_initiator_rsp_handler(ol_scn_t scn, uint8_t *data,
 	status = scheduler_post_msg(QDF_MODULE_ID_TARGET_IF, &msg);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("failed to post msg, status: %d", status);
-		qdf_mem_free(rsp);
+		target_if_nan_event_flush_cb(&msg);
 		return -EINVAL;
 	}
 
@@ -223,7 +230,7 @@ static int target_if_ndp_ind_handler(ol_scn_t scn, uint8_t *data,
 	struct wlan_objmgr_psoc *psoc;
 	struct wmi_unified *wmi_handle;
 	struct scheduler_msg msg = {0};
-	struct nan_datapath_indication_event *rsp = NULL;
+	struct nan_datapath_indication_event *rsp;
 
 	psoc = target_if_get_psoc_from_scn_hdl(scn);
 	if (!psoc) {
@@ -237,9 +244,16 @@ static int target_if_ndp_ind_handler(ol_scn_t scn, uint8_t *data,
 		return -EINVAL;
 	}
 
-	status = wmi_extract_ndp_ind(wmi_handle, data, &rsp);
+	rsp = qdf_mem_malloc(sizeof(*rsp));
+	if (!rsp) {
+		target_if_err("malloc failed");
+		return -ENOMEM;
+	}
+
+	status = wmi_extract_ndp_ind(wmi_handle, data, rsp);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("parsing of event failed, %d", status);
+		qdf_mem_free(rsp);
 		return -EINVAL;
 	}
 
@@ -251,7 +265,7 @@ static int target_if_ndp_ind_handler(ol_scn_t scn, uint8_t *data,
 	status = scheduler_post_msg(QDF_MODULE_ID_TARGET_IF, &msg);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("failed to post msg, status: %d", status);
-		qdf_mem_free(rsp);
+		target_if_nan_event_flush_cb(&msg);
 		return -EINVAL;
 	}
 
@@ -265,7 +279,7 @@ static int target_if_ndp_confirm_handler(ol_scn_t scn, uint8_t *data,
 	struct wlan_objmgr_psoc *psoc;
 	struct wmi_unified *wmi_handle;
 	struct scheduler_msg msg = {0};
-	struct nan_datapath_confirm_event *rsp = NULL;
+	struct nan_datapath_confirm_event *rsp;
 
 	psoc = target_if_get_psoc_from_scn_hdl(scn);
 	if (!psoc) {
@@ -279,9 +293,16 @@ static int target_if_ndp_confirm_handler(ol_scn_t scn, uint8_t *data,
 		return -EINVAL;
 	}
 
-	status = wmi_extract_ndp_confirm(wmi_handle, data, &rsp);
+	rsp = qdf_mem_malloc(sizeof(*rsp));
+	if (!rsp) {
+		target_if_err("malloc failed");
+		return -ENOMEM;
+	}
+
+	status = wmi_extract_ndp_confirm(wmi_handle, data, rsp);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("parsing of event failed, %d", status);
+		qdf_mem_free(rsp);
 		return -EINVAL;
 	}
 
@@ -293,7 +314,7 @@ static int target_if_ndp_confirm_handler(ol_scn_t scn, uint8_t *data,
 	status = scheduler_post_msg(QDF_MODULE_ID_TARGET_IF, &msg);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("failed to post msg, status: %d", status);
-		qdf_mem_free(rsp);
+		target_if_nan_event_flush_cb(&msg);
 		return -EINVAL;
 	}
 
@@ -356,7 +377,7 @@ static int target_if_ndp_responder_rsp_handler(ol_scn_t scn, uint8_t *data,
 	struct wlan_objmgr_psoc *psoc;
 	struct wmi_unified *wmi_handle;
 	struct scheduler_msg msg = {0};
-	struct nan_datapath_responder_rsp *rsp = NULL;
+	struct nan_datapath_responder_rsp *rsp;
 
 	psoc = target_if_get_psoc_from_scn_hdl(scn);
 	if (!psoc) {
@@ -370,9 +391,16 @@ static int target_if_ndp_responder_rsp_handler(ol_scn_t scn, uint8_t *data,
 		return -EINVAL;
 	}
 
-	status = wmi_extract_ndp_responder_rsp(wmi_handle, data, &rsp);
+	rsp = qdf_mem_malloc(sizeof(*rsp));
+	if (!rsp) {
+		target_if_err("malloc failed");
+		return -ENOMEM;
+	}
+
+	status = wmi_extract_ndp_responder_rsp(wmi_handle, data, rsp);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("parsing of event failed, %d", status);
+		qdf_mem_free(rsp);
 		return -EINVAL;
 	}
 
@@ -384,7 +412,7 @@ static int target_if_ndp_responder_rsp_handler(ol_scn_t scn, uint8_t *data,
 	status = scheduler_post_msg(QDF_MODULE_ID_TARGET_IF, &msg);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("failed to post msg, status: %d", status);
-		qdf_mem_free(rsp);
+		target_if_nan_event_flush_cb(&msg);
 		return -EINVAL;
 	}
 
@@ -447,7 +475,7 @@ static int target_if_ndp_end_rsp_handler(ol_scn_t scn, uint8_t *data,
 	struct wlan_objmgr_psoc *psoc;
 	struct wmi_unified *wmi_handle;
 	struct scheduler_msg msg = {0};
-	struct nan_datapath_end_rsp_event *end_rsp = NULL;
+	struct nan_datapath_end_rsp_event *end_rsp;
 
 	psoc = target_if_get_psoc_from_scn_hdl(scn);
 	if (!psoc) {
@@ -461,9 +489,16 @@ static int target_if_ndp_end_rsp_handler(ol_scn_t scn, uint8_t *data,
 		return -EINVAL;
 	}
 
-	status = wmi_extract_ndp_end_rsp(wmi_handle, data, &end_rsp);
+	end_rsp = qdf_mem_malloc(sizeof(*end_rsp));
+	if (!end_rsp) {
+		target_if_err("malloc failed");
+		return -ENOMEM;
+	}
+
+	status = wmi_extract_ndp_end_rsp(wmi_handle, data, end_rsp);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("parsing of event failed, %d", status);
+		qdf_mem_free(end_rsp);
 		return -EINVAL;
 	}
 
@@ -475,7 +510,7 @@ static int target_if_ndp_end_rsp_handler(ol_scn_t scn, uint8_t *data,
 	status = scheduler_post_msg(QDF_MODULE_ID_TARGET_IF, &msg);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("failed to post msg, status: %d", status);
-		qdf_mem_free(end_rsp);
+		target_if_nan_event_flush_cb(&msg);
 		return -EINVAL;
 	}
 
@@ -517,7 +552,7 @@ static int target_if_ndp_end_ind_handler(ol_scn_t scn, uint8_t *data,
 	status = scheduler_post_msg(QDF_MODULE_ID_TARGET_IF, &msg);
 	if (QDF_IS_STATUS_ERROR(status)) {
 		target_if_err("failed to post msg, status: %d", status);
-		qdf_mem_free(rsp);
+		target_if_nan_event_flush_cb(&msg);
 		return -EINVAL;
 	}
 
@@ -649,42 +684,42 @@ QDF_STATUS target_if_nan_deregister_events(struct wlan_objmgr_psoc *psoc)
 	wmi_unified_t handle = GET_WMI_HDL_FROM_PSOC(psoc);
 
 	ret = wmi_unified_unregister_event_handler(handle,
-				wmi_ndp_initiator_rsp_event_id);
+				wmi_ndp_end_rsp_event_id);
 	if (ret) {
 		target_if_err("wmi event deregistration failed, ret: %d", ret);
 		status = ret;
 	}
 
 	ret = wmi_unified_unregister_event_handler(handle,
-				wmi_ndp_indication_event_id);
+				wmi_ndp_end_indication_event_id);
 	if (ret) {
 		target_if_err("wmi event deregistration failed, ret: %d", ret);
 		status = ret;
 	}
 
 	ret = wmi_unified_unregister_event_handler(handle,
-				wmi_ndp_confirm_event_id);
+				wmi_ndp_responder_rsp_event_id);
 	if (ret) {
 		target_if_err("wmi event deregistration failed, ret: %d", ret);
 		status = ret;
 	}
 
 	ret = wmi_unified_unregister_event_handler(handle,
-				wmi_ndp_responder_rsp_event_id);
+				wmi_ndp_confirm_event_id);
 	if (ret) {
 		target_if_err("wmi event deregistration failed, ret: %d", ret);
 		status = ret;
 	}
 
 	ret = wmi_unified_unregister_event_handler(handle,
-				wmi_ndp_end_indication_event_id);
+				wmi_ndp_indication_event_id);
 	if (ret) {
 		target_if_err("wmi event deregistration failed, ret: %d", ret);
 		status = ret;
 	}
 
 	ret = wmi_unified_unregister_event_handler(handle,
-				wmi_ndp_end_rsp_event_id);
+				wmi_ndp_initiator_rsp_event_id);
 	if (ret) {
 		target_if_err("wmi event deregistration failed, ret: %d", ret);
 		status = ret;

+ 6 - 6
wmi/inc/wmi_unified_api.h

@@ -2019,7 +2019,7 @@ QDF_STATUS wmi_unified_ndp_end_req_cmd_send(void *wmi_hdl,
  * Return: status of operation
  */
 QDF_STATUS wmi_extract_ndp_initiator_rsp(wmi_unified_t wmi_handle,
-			uint8_t *data, struct nan_datapath_initiator_rsp **rsp);
+			uint8_t *data, struct nan_datapath_initiator_rsp *rsp);
 
 /**
  * wmi_extract_ndp_ind - api to extract ndp indication struct from even buffer
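Review bot: The kernel-doc above these prototypes should state the new ownership contract, because rsp changed from an out-pointer allocated by the callee to a buffer the caller allocates and frees. Suggested parameter line: `@rsp: caller-allocated struct filled from the event; on success rsp->vdev holds the vdev looked up with WLAN_NAN_ID`. The same wording fits the ind, confirm, responder_rsp and end_rsp prototypes in the hunks that follow. wmi_extract_ndp_end_ind keeps the callee-allocated double pointer and deserves a line saying so. The doc comments begin outside these hunks, so an existing @rsp line may need replacing rather than adding.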
@@ -2030,7 +2030,7 @@ QDF_STATUS wmi_extract_ndp_initiator_rsp(wmi_unified_t wmi_handle,
  * Return: status of operation
  */
 QDF_STATUS wmi_extract_ndp_ind(wmi_unified_t wmi_handle, uint8_t *data,
-			struct nan_datapath_indication_event **ind);
+			struct nan_datapath_indication_event *ind);
 
 /**
  * wmi_extract_ndp_confirm - api to extract ndp confim struct from even buffer
@@ -2041,7 +2041,7 @@ QDF_STATUS wmi_extract_ndp_ind(wmi_unified_t wmi_handle, uint8_t *data,
  * Return: status of operation
  */
 QDF_STATUS wmi_extract_ndp_confirm(wmi_unified_t wmi_handle, uint8_t *data,
-			struct nan_datapath_confirm_event **ev);
+			struct nan_datapath_confirm_event *ev);
 
 /**
  * wmi_extract_ndp_responder_rsp - api to extract responder rsp from even buffer
@@ -2052,7 +2052,7 @@ QDF_STATUS wmi_extract_ndp_confirm(wmi_unified_t wmi_handle, uint8_t *data,
  * Return: status of operation
  */
 QDF_STATUS wmi_extract_ndp_responder_rsp(wmi_unified_t wmi_handle,
-			uint8_t *data, struct nan_datapath_responder_rsp **rsp);
+			uint8_t *data, struct nan_datapath_responder_rsp *rsp);
 
 /**
  * wmi_extract_ndp_end_rsp - api to extract ndp end rsp from even buffer
@@ -2063,7 +2063,7 @@ QDF_STATUS wmi_extract_ndp_responder_rsp(wmi_unified_t wmi_handle,
  * Return: status of operation
  */
 QDF_STATUS wmi_extract_ndp_end_rsp(wmi_unified_t wmi_handle, uint8_t *data,
-			struct nan_datapath_end_rsp_event **rsp);
+			struct nan_datapath_end_rsp_event *rsp);
 
 /**
  * wmi_extract_ndp_end_ind - api to extract ndp end indication from even buffer
@@ -2075,7 +2075,6 @@ QDF_STATUS wmi_extract_ndp_end_rsp(wmi_unified_t wmi_handle, uint8_t *data,
  */
 QDF_STATUS wmi_extract_ndp_end_ind(wmi_unified_t wmi_handle, uint8_t *data,
 			struct nan_datapath_end_indication_event **ind);
-
 #endif
 
 /**
@@ -2226,4 +2225,5 @@ QDF_STATUS wmi_unified_offload_11k_cmd(void *wmi_hdl,
  */
 QDF_STATUS wmi_unified_invoke_neighbor_report_cmd(void *wmi_hdl,
 			struct wmi_invoke_neighbor_report_params *params);
+
 #endif /* _WMI_UNIFIED_API_H_ */

+ 7 - 6
wmi/inc/wmi_unified_priv.h

@@ -1516,18 +1516,19 @@ QDF_STATUS (*send_ndp_end_req_cmd)(wmi_unified_t wmi_handle,
 				struct nan_datapath_end_req *req);
 
 QDF_STATUS (*extract_ndp_initiator_rsp)(wmi_unified_t wmi_handle,
-		uint8_t *data, struct nan_datapath_initiator_rsp **rsp);
+		uint8_t *data, struct nan_datapath_initiator_rsp *rsp);
 QDF_STATUS (*extract_ndp_ind)(wmi_unified_t wmi_handle,
-		uint8_t *data, struct nan_datapath_indication_event **ind);
+		uint8_t *data, struct nan_datapath_indication_event *ind);
 QDF_STATUS (*extract_ndp_confirm)(wmi_unified_t wmi_handle,
-		uint8_t *data, struct nan_datapath_confirm_event **ev);
+		uint8_t *data, struct nan_datapath_confirm_event *ev);
 QDF_STATUS (*extract_ndp_responder_rsp)(wmi_unified_t wmi_handle,
-		uint8_t *data, struct nan_datapath_responder_rsp **rsp);
+		uint8_t *data, struct nan_datapath_responder_rsp *rsp);
 QDF_STATUS (*extract_ndp_end_rsp)(wmi_unified_t wmi_handle,
-		uint8_t *data, struct nan_datapath_end_rsp_event **rsp);
+		uint8_t *data, struct nan_datapath_end_rsp_event *rsp);
 QDF_STATUS (*extract_ndp_end_ind)(wmi_unified_t wmi_handle,
 		uint8_t *data, struct nan_datapath_end_indication_event **ind);
-#endif
+#endif /* WLAN_FEATURE_NAN_CONVERGENCE */
+
 QDF_STATUS (*send_btm_config)(wmi_unified_t wmi_handle,
 			      struct wmi_btm_config *params);
 QDF_STATUS (*send_obss_detection_cfg_cmd)(wmi_unified_t wmi_handle,

+ 5 - 5
wmi/src/wmi_unified_api.c

@@ -7249,7 +7249,7 @@ QDF_STATUS wmi_unified_ndp_end_req_cmd_send(void *wmi_hdl,
 }
 
 QDF_STATUS wmi_extract_ndp_initiator_rsp(wmi_unified_t wmi_handle,
-			uint8_t *data, struct nan_datapath_initiator_rsp **rsp)
+			uint8_t *data, struct nan_datapath_initiator_rsp *rsp)
 {
 	if (wmi_handle->ops->extract_ndp_initiator_rsp)
 		return wmi_handle->ops->extract_ndp_initiator_rsp(wmi_handle,
@@ -7259,7 +7259,7 @@ QDF_STATUS wmi_extract_ndp_initiator_rsp(wmi_unified_t wmi_handle,
 }
 
 QDF_STATUS wmi_extract_ndp_ind(wmi_unified_t wmi_handle, uint8_t *data,
-			       struct nan_datapath_indication_event **ind)
+			       struct nan_datapath_indication_event *ind)
 {
 	if (wmi_handle->ops->extract_ndp_ind)
 		return wmi_handle->ops->extract_ndp_ind(wmi_handle,
@@ -7269,7 +7269,7 @@ QDF_STATUS wmi_extract_ndp_ind(wmi_unified_t wmi_handle, uint8_t *data,
 }
 
 QDF_STATUS wmi_extract_ndp_confirm(wmi_unified_t wmi_handle, uint8_t *data,
-				   struct nan_datapath_confirm_event **ev)
+				   struct nan_datapath_confirm_event *ev)
 {
 	if (wmi_handle->ops->extract_ndp_confirm)
 		return wmi_handle->ops->extract_ndp_confirm(wmi_handle,
@@ -7279,7 +7279,7 @@ QDF_STATUS wmi_extract_ndp_confirm(wmi_unified_t wmi_handle, uint8_t *data,
 }
 
 QDF_STATUS wmi_extract_ndp_responder_rsp(wmi_unified_t wmi_handle,
-			uint8_t *data, struct nan_datapath_responder_rsp **rsp)
+			uint8_t *data, struct nan_datapath_responder_rsp *rsp)
 {
 	if (wmi_handle->ops->extract_ndp_responder_rsp)
 		return wmi_handle->ops->extract_ndp_responder_rsp(wmi_handle,
@@ -7289,7 +7289,7 @@ QDF_STATUS wmi_extract_ndp_responder_rsp(wmi_unified_t wmi_handle,
 }
 
 QDF_STATUS wmi_extract_ndp_end_rsp(wmi_unified_t wmi_handle, uint8_t *data,
-				   struct nan_datapath_end_rsp_event **rsp)
+				   struct nan_datapath_end_rsp_event *rsp)
 {
 	if (wmi_handle->ops->extract_ndp_end_rsp)
 		return wmi_handle->ops->extract_ndp_end_rsp(wmi_handle,

+ 74 - 100
wmi/src/wmi_unified_tlv.c

@@ -17517,7 +17517,7 @@ static QDF_STATUS nan_ndp_end_req_tlv(wmi_unified_t wmi_handle,
 }
 
 static QDF_STATUS extract_ndp_initiator_rsp_tlv(wmi_unified_t wmi_handle,
-			uint8_t *data, struct nan_datapath_initiator_rsp **rsp)
+			uint8_t *data, struct nan_datapath_initiator_rsp *rsp)
 {
 	WMI_NDP_INITIATOR_RSP_EVENTID_param_tlvs *event;
 	wmi_ndp_initiator_rsp_event_fixed_param  *fixed_params;
@@ -17525,32 +17525,25 @@ static QDF_STATUS extract_ndp_initiator_rsp_tlv(wmi_unified_t wmi_handle,
 	event = (WMI_NDP_INITIATOR_RSP_EVENTID_param_tlvs *)data;
 	fixed_params = event->fixed_param;
 
-	*rsp = qdf_mem_malloc(sizeof(**rsp));
-	if (!(*rsp)) {
-		WMI_LOGE("malloc failed");
-		return QDF_STATUS_E_NOMEM;
-	}
-
-	(*rsp)->vdev =
+	rsp->vdev =
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
 						     fixed_params->vdev_id,
 						     WLAN_NAN_ID);
-	if (!(*rsp)->vdev) {
+	if (!rsp->vdev) {
 		WMI_LOGE("vdev is null");
-		qdf_mem_free(*rsp);
 		return QDF_STATUS_E_INVAL;
 	}
 
-	(*rsp)->transaction_id = fixed_params->transaction_id;
-	(*rsp)->ndp_instance_id = fixed_params->ndp_instance_id;
-	(*rsp)->status = fixed_params->rsp_status;
-	(*rsp)->reason = fixed_params->reason_code;
+	rsp->transaction_id = fixed_params->transaction_id;
+	rsp->ndp_instance_id = fixed_params->ndp_instance_id;
+	rsp->status = fixed_params->rsp_status;
+	rsp->reason = fixed_params->reason_code;
 
 	return QDF_STATUS_SUCCESS;
 }
 
 static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
-		uint8_t *data, struct nan_datapath_indication_event **rsp)
+		uint8_t *data, struct nan_datapath_indication_event *rsp)
 {
 	WMI_NDP_INDICATION_EVENTID_param_tlvs *event;
 	wmi_ndp_indication_event_fixed_param *fixed_params;
@@ -17572,30 +17565,23 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
 		return QDF_STATUS_E_INVAL;
 	}
 
-	*rsp = qdf_mem_malloc(sizeof(**rsp));
-	if (!(*rsp)) {
-		WMI_LOGE("malloc failed");
-		return QDF_STATUS_E_NOMEM;
-	}
-
-	(*rsp)->vdev =
+	rsp->vdev =
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
 						     fixed_params->vdev_id,
 						     WLAN_NAN_ID);
-	if (!(*rsp)->vdev) {
+	if (!rsp->vdev) {
 		WMI_LOGE("vdev is null");
-		qdf_mem_free(*rsp);
 		return QDF_STATUS_E_INVAL;
 	}
-	(*rsp)->service_instance_id = fixed_params->service_instance_id;
-	(*rsp)->ndp_instance_id = fixed_params->ndp_instance_id;
-	(*rsp)->role = fixed_params->self_ndp_role;
-	(*rsp)->policy = fixed_params->accept_policy;
+	rsp->service_instance_id = fixed_params->service_instance_id;
+	rsp->ndp_instance_id = fixed_params->ndp_instance_id;
+	rsp->role = fixed_params->self_ndp_role;
+	rsp->policy = fixed_params->accept_policy;
 
 	WMI_MAC_ADDR_TO_CHAR_ARRAY(&fixed_params->peer_ndi_mac_addr,
-				(*rsp)->peer_mac_addr.bytes);
+				rsp->peer_mac_addr.bytes);
 	WMI_MAC_ADDR_TO_CHAR_ARRAY(&fixed_params->peer_discovery_mac_addr,
-				(*rsp)->peer_discovery_mac_addr.bytes);
+				rsp->peer_discovery_mac_addr.bytes);
 
 	WMI_LOGD("WMI_NDP_INDICATION_EVENTID(0x%X) received. vdev %d,\n"
 		"service_instance %d, ndp_instance %d, role %d, policy %d,\n"
@@ -17605,8 +17591,8 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
 		 fixed_params->ndp_instance_id, fixed_params->self_ndp_role,
 		 fixed_params->accept_policy,
 		 fixed_params->nan_csid, fixed_params->nan_scid_len,
-		 (*rsp)->peer_mac_addr.bytes,
-		 (*rsp)->peer_discovery_mac_addr.bytes);
+		 rsp->peer_mac_addr.bytes,
+		 rsp->peer_discovery_mac_addr.bytes);
 
 	WMI_LOGD("ndp_cfg - %d bytes", fixed_params->ndp_cfg_len);
 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
@@ -17617,24 +17603,24 @@ static QDF_STATUS extract_ndp_ind_tlv(wmi_unified_t wmi_handle,
 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
 			&event->ndp_app_info, fixed_params->ndp_app_info_len);
 
-	(*rsp)->ndp_config.ndp_cfg_len = fixed_params->ndp_cfg_len;
-	(*rsp)->ndp_info.ndp_app_info_len = fixed_params->ndp_app_info_len;
-	(*rsp)->ncs_sk_type = fixed_params->nan_csid;
-	(*rsp)->scid.scid_len = fixed_params->nan_scid_len;
-	qdf_mem_copy((*rsp)->ndp_config.ndp_cfg, event->ndp_cfg,
-		     (*rsp)->ndp_config.ndp_cfg_len);
-	qdf_mem_copy((*rsp)->ndp_info.ndp_app_info, event->ndp_app_info,
-		     (*rsp)->ndp_info.ndp_app_info_len);
-	qdf_mem_copy((*rsp)->scid.scid, event->ndp_scid, (*rsp)->scid.scid_len);
+	rsp->ndp_config.ndp_cfg_len = fixed_params->ndp_cfg_len;
+	rsp->ndp_info.ndp_app_info_len = fixed_params->ndp_app_info_len;
+	rsp->ncs_sk_type = fixed_params->nan_csid;
+	rsp->scid.scid_len = fixed_params->nan_scid_len;
+	qdf_mem_copy(rsp->ndp_config.ndp_cfg, event->ndp_cfg,
+		     rsp->ndp_config.ndp_cfg_len);
+	qdf_mem_copy(rsp->ndp_info.ndp_app_info, event->ndp_app_info,
+		     rsp->ndp_info.ndp_app_info_len);
+	qdf_mem_copy(rsp->scid.scid, event->ndp_scid, rsp->scid.scid_len);
 	WMI_LOGD("scid hex dump:");
 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
-			   (*rsp)->scid.scid, (*rsp)->scid.scid_len);
+			   rsp->scid.scid, rsp->scid.scid_len);
 
 	return QDF_STATUS_SUCCESS;
 }
 
 static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
-			uint8_t *data, struct nan_datapath_confirm_event **rsp)
+			uint8_t *data, struct nan_datapath_confirm_event *rsp)
 {
 	WMI_NDP_CONFIRM_EVENTID_param_tlvs *event;
 	wmi_ndp_confirm_event_fixed_param *fixed_params;
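Review bot: The three qdf_mem_copy calls into rsp->ndp_config.ndp_cfg, rsp->ndp_info.ndp_app_info and rsp->scid.scid use lengths taken directly from fixed_params, and nothing in this hunk compares them with the capacity of the destination. If those members are fixed-size arrays, and the checks earlier in extract_ndp_ind_tlv (outside this hunk) only validate against the event's TLV counts, an oversized length from firmware would write past the buffer the caller just allocated. A guard such as `if (fixed_params->ndp_cfg_len > sizeof(rsp->ndp_config.ndp_cfg)) return QDF_STATUS_E_INVAL;` would close this. It should be repeated for ndp_app_info_len and nan_scid_len, and placed before the vdev lookup so that no vdev is held on the error path. The same applies to the ndp_app_info copy in the extract_ndp_confirm_tlv hunk that follows.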
@@ -17669,36 +17655,29 @@ static QDF_STATUS extract_ndp_confirm_tlv(wmi_unified_t wmi_handle,
 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_WMA, QDF_TRACE_LEVEL_DEBUG,
 		&event->ndp_app_info, fixed_params->ndp_app_info_len);
 
-	*rsp = qdf_mem_malloc(sizeof(**rsp));
-	if (!(*rsp)) {
-		WMI_LOGE("malloc failed");
-		return QDF_STATUS_E_NOMEM;
-	}
-
-	(*rsp)->vdev =
+	rsp->vdev =
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
 						     fixed_params->vdev_id,
 						     WLAN_NAN_ID);
-	if (!(*rsp)->vdev) {
+	if (!rsp->vdev) {
 		WMI_LOGE("vdev is null");
-		qdf_mem_free(*rsp);
 		return QDF_STATUS_E_INVAL;
 	}
-	(*rsp)->ndp_instance_id = fixed_params->ndp_instance_id;
-	(*rsp)->rsp_code = fixed_params->rsp_code;
-	(*rsp)->reason_code = fixed_params->reason_code;
-	(*rsp)->num_active_ndps_on_peer = fixed_params->num_active_ndps_on_peer;
+	rsp->ndp_instance_id = fixed_params->ndp_instance_id;
+	rsp->rsp_code = fixed_params->rsp_code;
+	rsp->reason_code = fixed_params->reason_code;
+	rsp->num_active_ndps_on_peer = fixed_params->num_active_ndps_on_peer;
 	WMI_MAC_ADDR_TO_CHAR_ARRAY(&fixed_params->peer_ndi_mac_addr,
-				   (*rsp)->peer_ndi_mac_addr.bytes);
-	(*rsp)->ndp_info.ndp_app_info_len = fixed_params->ndp_app_info_len;
-	qdf_mem_copy((*rsp)->ndp_info.ndp_app_info, event->ndp_app_info,
-		     (*rsp)->ndp_info.ndp_app_info_len);
+				   rsp->peer_ndi_mac_addr.bytes);
+	rsp->ndp_info.ndp_app_info_len = fixed_params->ndp_app_info_len;
+	qdf_mem_copy(rsp->ndp_info.ndp_app_info, event->ndp_app_info,
+		     rsp->ndp_info.ndp_app_info_len);
 
 	return QDF_STATUS_SUCCESS;
 }
 
 static QDF_STATUS extract_ndp_responder_rsp_tlv(wmi_unified_t wmi_handle,
-			uint8_t *data, struct nan_datapath_responder_rsp **rsp)
+			uint8_t *data, struct nan_datapath_responder_rsp *rsp)
 {
 	WMI_NDP_RESPONDER_RSP_EVENTID_param_tlvs *event;
 	wmi_ndp_responder_rsp_event_fixed_param  *fixed_params;
@@ -17708,36 +17687,29 @@ static QDF_STATUS extract_ndp_responder_rsp_tlv(wmi_unified_t wmi_handle,
 
 	WMI_LOGD("WMI_NDP_RESPONDER_RSP_EVENTID(0x%X) received. vdev_id: %d, peer_mac_addr: %pM,transaction_id: %d, status_code %d, reason_code: %d, create_peer: %d",
 		 WMI_NDP_RESPONDER_RSP_EVENTID, fixed_params->vdev_id,
-		 (*rsp)->peer_mac_addr.bytes, (*rsp)->transaction_id,
-		 (*rsp)->status, (*rsp)->reason, (*rsp)->create_peer);
+		 rsp->peer_mac_addr.bytes, rsp->transaction_id,
+		 rsp->status, rsp->reason, rsp->create_peer);
 
-	*rsp = qdf_mem_malloc(sizeof(**rsp));
-	if (!(*rsp)) {
-		WMI_LOGE("malloc failed");
-		return QDF_STATUS_E_NOMEM;
-	}
-
-	(*rsp)->vdev =
+	rsp->vdev =
 		wlan_objmgr_get_vdev_by_id_from_psoc(wmi_handle->soc->wmi_psoc,
 						     fixed_params->vdev_id,
 						     WLAN_NAN_ID);
-	if (!(*rsp)->vdev) {
+	if (!rsp->vdev) {
 		WMI_LOGE("vdev is null");
-		qdf_mem_free(*rsp);
 		return QDF_STATUS_E_INVAL;
 	}
-	(*rsp)->transaction_id = fixed_params->transaction_id;
-	(*rsp)->reason = fixed_params->reason_code;
-	(*rsp)->status = fixed_params->rsp_status;
-	(*rsp)->create_peer = fixed_params->create_peer;
+	rsp->transaction_id = fixed_params->transaction_id;
+	rsp->reason = fixed_params->reason_code;
+	rsp->status = fixed_params->rsp_status;
+	rsp->create_peer = fixed_params->create_peer;
 	WMI_MAC_ADDR_TO_CHAR_ARRAY(&fixed_params->peer_ndi_mac_addr,
-				(*rsp)->peer_mac_addr.bytes);
+				rsp->peer_mac_addr.bytes);
 
 	return QDF_STATUS_SUCCESS;
 }
 
 static QDF_STATUS extract_ndp_end_rsp_tlv(wmi_unified_t wmi_handle,
-			uint8_t *data, struct nan_datapath_end_rsp_event **rsp)
+			uint8_t *data, struct nan_datapath_end_rsp_event *rsp)
 {
 	WMI_NDP_END_RSP_EVENTID_param_tlvs *event;
 	wmi_ndp_end_rsp_event_fixed_param *fixed_params = NULL;
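Review bot: The WMI_LOGD call at the top of this hunk prints rsp->peer_mac_addr.bytes, rsp->transaction_id, rsp->status, rsp->reason and rsp->create_peer before any of them is assigned from fixed_params. The debug line therefore reports whatever the caller's freshly allocated buffer holds rather than the contents of the event. Either move the log below the assignments and the WMI_MAC_ADDR_TO_CHAR_ARRAY conversion, or print the source fields instead, e.g. `fixed_params->transaction_id, fixed_params->rsp_status, fixed_params->reason_code, fixed_params->create_peer`. The opening lines of extract_ndp_responder_rsp_tlv are outside the hunk.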
@@ -17748,22 +17720,15 @@ static QDF_STATUS extract_ndp_end_rsp_tlv(wmi_unified_t wmi_handle,
 		 WMI_NDP_END_RSP_EVENTID, fixed_params->transaction_id,
 		 fixed_params->rsp_status, fixed_params->reason_code);
 
-	*rsp = qdf_mem_malloc(sizeof(**rsp));
-	if (!(*rsp)) {
-		WMI_LOGE("malloc failed");
-		return QDF_STATUS_E_NOMEM;
-	}
-
-	(*rsp)->vdev = wlan_objmgr_get_vdev_by_opmode_from_psoc(
+	rsp->vdev = wlan_objmgr_get_vdev_by_opmode_from_psoc(
 			wmi_handle->soc->wmi_psoc, QDF_NDI_MODE, WLAN_NAN_ID);
-	if (!(*rsp)->vdev) {
+	if (!rsp->vdev) {
 		WMI_LOGE("vdev is null");
-		qdf_mem_free(*rsp);
 		return QDF_STATUS_E_INVAL;
 	}
-	(*rsp)->transaction_id = fixed_params->transaction_id;
-	(*rsp)->reason = fixed_params->reason_code;
-	(*rsp)->status = fixed_params->rsp_status;
+	rsp->transaction_id = fixed_params->transaction_id;
+	rsp->reason = fixed_params->reason_code;
+	rsp->status = fixed_params->rsp_status;
 
 	return QDF_STATUS_SUCCESS;
 }
@@ -17781,25 +17746,34 @@ static QDF_STATUS extract_ndp_end_ind_tlv(wmi_unified_t wmi_handle,
 
 	if (event->num_ndp_end_indication_list == 0) {
 		WMI_LOGE("Error: Event ignored, 0 ndp instances");
-		return -EINVAL;
-	}
-
-	(*rsp)->vdev = wlan_objmgr_get_vdev_by_opmode_from_psoc(
-			wmi_handle->soc->wmi_psoc, QDF_NDI_MODE, WLAN_NAN_ID);
-	if (!(*rsp)->vdev) {
-		WMI_LOGE("vdev is null");
-		qdf_mem_free(*rsp);
 		return QDF_STATUS_E_INVAL;
 	}
 
 	WMI_LOGD("number of ndp instances = %d",
 		 event->num_ndp_end_indication_list);
-	buf_size = sizeof(*rsp) + event->num_ndp_end_indication_list *
+
+	if (event->num_ndp_end_indication_list > ((UINT_MAX - sizeof(**rsp))/
+						sizeof((*rsp)->ndp_map[0]))) {
+		WMI_LOGE("num_ndp_end_ind_list %d too large",
+			 event->num_ndp_end_indication_list);
+		return QDF_STATUS_E_INVAL;
+	}
+
+	buf_size = sizeof(**rsp) + event->num_ndp_end_indication_list *
 			sizeof((*rsp)->ndp_map[0]);
 	*rsp = qdf_mem_malloc(buf_size);
 	if (!(*rsp)) {
 		WMI_LOGE("Failed to allocate memory");
-		return -ENOMEM;
+		return QDF_STATUS_E_NOMEM;
+	}
+
+	(*rsp)->vdev = wlan_objmgr_get_vdev_by_opmode_from_psoc(
+			wmi_handle->soc->wmi_psoc, QDF_NDI_MODE, WLAN_NAN_ID);
+	if (!(*rsp)->vdev) {
+		WMI_LOGE("vdev is null");
+		qdf_mem_free(*rsp);
+		*rsp = NULL;
+		return QDF_STATUS_E_INVAL;
 	}
 
 	(*rsp)->num_ndp_ids = event->num_ndp_end_indication_list;
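Review bot: The new bound on event->num_ndp_end_indication_list only prevents buf_size from wrapping. Any count up to roughly UINT_MAX / sizeof((*rsp)->ndp_map[0]) still reaches qdf_mem_malloc, so a malformed event is rejected only when the allocation fails. If the NAN datapath defines a maximum number of NDP instances, comparing the count against that limit here would be a tighter check. buf_size is declared outside the hunk, so confirm its type is at least as wide as the UINT_MAX arithmetic assumes. The count is also logged with `%d` although it appears to be unsigned.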