From 30c0b8b4cdf5fdc60187ae1db3e8dd17d96f2a4a Mon Sep 17 00:00:00 2001
From: Sai Rupesh Chevuru <chevuru@codeaurora.org>
Date: Mon, 15 Nov 2021 15:25:49 +0530
Subject: [PATCH] qcacmn: Potential memory leak in dp_tx_process_htt_completion

In dp_tx_process_htt_completion(), when vdev is NULL,
returning without freeing nbuf and tx_desc.

Change-Id: I234f0a4f710cc9eb0fc5431fb26a1846326fd931
---
 dp/wifi3.0/dp_tx.c | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/dp/wifi3.0/dp_tx.c b/dp/wifi3.0/dp_tx.c
index f9d1946870..366f0eba55 100644
--- a/dp/wifi3.0/dp_tx.c
+++ b/dp/wifi3.0/dp_tx.c
@@ -4457,11 +4457,19 @@ void dp_tx_process_htt_completion(struct dp_soc *soc,
 	 * If the descriptor is already freed in vdev_detach,
 	 * continue to next descriptor
 	 */
-	if ((tx_desc->vdev_id == DP_INVALID_VDEV_ID) && !tx_desc->flags) {
+	if (qdf_unlikely(!tx_desc->flags)) {
 		dp_tx_comp_info_rl("Descriptor freed in vdev_detach %d", tx_desc->id);
 		return;
 	}
 
+	if (qdf_unlikely(tx_desc->vdev_id == DP_INVALID_VDEV_ID)) {
+		dp_tx_comp_info_rl("Invalid vdev_id %d", tx_desc->id);
+		tx_desc->flags |= DP_TX_DESC_FLAG_TX_COMP_ERR;
+		dp_tx_comp_free_buf(soc, tx_desc);
+		dp_tx_desc_release(tx_desc, tx_desc->pool_id);
+		return;
+	}
+
 	pdev = tx_desc->pdev;
 
 	if (qdf_unlikely(tx_desc->pdev->is_pdev_down)) {
@@ -4478,8 +4486,13 @@ void dp_tx_process_htt_completion(struct dp_soc *soc,
 	vdev = dp_vdev_get_ref_by_id(soc, vdev_id,
 			DP_MOD_ID_HTT_COMP);
 
-	if (!vdev)
+	if (qdf_unlikely(!vdev)) {
+		dp_tx_comp_info_rl("Unable to get vdev ref  %d", tx_desc->id);
+		tx_desc->flags |= DP_TX_DESC_FLAG_TX_COMP_ERR;
+		dp_tx_comp_free_buf(soc, tx_desc);
+		dp_tx_desc_release(tx_desc, tx_desc->pool_id);
 		return;
+	}
 
 	switch (tx_status) {
 	case HTT_TX_FW2WBM_TX_STATUS_OK: