qcacld-3.0: Fix slab-out-of-bounds in radio stats

When fixed_param->num_radio is 0 from FW, host allocates
struct tSirLLStatsResults with 0 count of struct wifi_radio_stats
to wma_handle->link_stats_results.
When the second radio stats comes, the driver will
not allocate wma_handle->link_stats_results because
wma_handle->link_stats_results is not NULL.
Later the driver will access the wma_handle->link_stats_results based
on radio_stats->radio_id. This will access invalid memory
because the original wma_handle->link_stats_results memory
didn't include the wifi_radio_stats.
Fix by freeing the link_stats_results if
wma_handle->link_stats_results->num_radio is 0, then driver
will allocate wma_handle->link_stats_results memory including
the struct wifi_radio_stats based on num_radio.

Change-Id: Ie1d6bbe8c668d2fb475fddb60907fd13a7f8de66
CRs-Fixed: 3082779
Liangwei Dong, 3 years ago
parent
commit
2aea068c77
1 changed file with 4 additions and 0 deletions

+ 4 - 0
core/wma/src/wma_utils.c

@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2013-2021 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -2185,6 +2186,9 @@ __wma_unified_link_radio_stats_event_handler(tp_wma_handle wma_handle,
 			fixed_param->num_radio);
 		return -EINVAL;
 	}
+	if (wma_handle->link_stats_results &&
+	    !wma_handle->link_stats_results->num_radio)
+		__wma_unified_radio_tx_mem_free(wma_handle);
 
 	if (!wma_handle->link_stats_results) {
 		wma_handle->link_stats_results = qdf_mem_malloc(
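Review bot: The new condition `!wma_handle->link_stats_results->num_radio` only covers a stale buffer that was allocated with a zero radio count; a buffer allocated for a non-zero count smaller than the current event's fixed_param->num_radio would still skip the following `if (!wma_handle->link_stats_results)` allocation and be reused. Consider freeing whenever the stored num_radio differs from fixed_param->num_radio, or checking radio_stats->radio_id against link_stats_results->num_radio before it is used to index the results. The re-allocation below also relies on __wma_unified_radio_tx_mem_free() leaving wma_handle->link_stats_results NULL, which these lines do not show, and a short comment saying why the buffer is dropped here would help the next reader.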