From 4cfbb4b30c2b87c5c5ec820f28e61452fc4b5fa1 Mon Sep 17 00:00:00 2001
From: Srinivas Dasari
Date: Thu, 27 Oct 2022 12:10:02 +0530
Subject: [PATCH] qcacld-3.0: Free the old bcn if new one is rcvd in sync frame ind

Firmware may send two consecutive roam sync frame indications when it supports MLO roaming. The first event carries link beacon and second event carries assoc beacon. This is to let host driver have both the link scan results if host has to take care of link connect(e.g. OWE MLO roaming, EAP MLO roaming,.. ). If host driver doesn't have support/doesn't need link beacon, it would be overwritten by assoc beacon(e.g. wpa2 MLO roaming, SAE MLO roaming, ..). This results in a memleak as the previous cached beacon is not freed(vdev->rso_cfg->roam_sync_frame_ind->bcn_probe_rsp). Free the existing beacon if new one is received. Also, remove the current free's from extract_roam_sync_frame_event_tlv() which doesn't need any such freeing as the copy always happens to a freshly allocated buffer.
Change-Id: If3b4d6e4b8e1e2af5306171ad7eda28e744da64e
CRs-Fixed: 3322094
---
 .../connection_mgr/core/src/wlan_cm_roam_offload_event.c | 6 ++++++
 components/wmi/src/wmi_unified_roam_tlv.c | 8 --------
 2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload_event.c b/components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload_event.c
index 3c6cbd1c8e..38607e4d2d 100644
--- a/components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload_event.c
+++ b/components/umac/mlme/connection_mgr/core/src/wlan_cm_roam_offload_event.c
@@ -416,6 +416,8 @@ cm_roam_sync_frame_event_handler(struct wlan_objmgr_psoc *psoc,
 sync_frame_ind->bcn_probe_rsp_len;
 roam_synch_frame_ind->is_beacon = sync_frame_ind->is_beacon;
+ if (roam_synch_frame_ind->bcn_probe_rsp)
+ qdf_mem_free(roam_synch_frame_ind->bcn_probe_rsp);
 roam_synch_frame_ind->bcn_probe_rsp = sync_frame_ind->bcn_probe_rsp;
 }
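Review bot: Nothing in this hunk serialises the new free-and-replace of `roam_synch_frame_ind->bcn_probe_rsp`: the length and `is_beacon` fields are written first, then the old buffer is freed, then the pointer is swapped, so any other context reading the cached indication in between could pair the new length with a stale or freed buffer. Whether such a reader exists is not visible here, since cm_roam_sync_frame_event_handler starts and ends outside the hunk; if one does, the three updates belong under whatever serialisation protects the cached indication. The `reassoc_req` and `reassoc_rsp` hunks that follow use the same sequence. A short comment above the check, e.g. `/* Drop the frame cached by an earlier roam sync frame event */`, would also record why a non-NULL pointer is expected at this point.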
@@ -423,6 +425,8 @@ cm_roam_sync_frame_event_handler(struct wlan_objmgr_psoc *psoc,
 if (sync_frame_ind->reassoc_req_len) {
 roam_synch_frame_ind->reassoc_req_len = sync_frame_ind->reassoc_req_len;
+ if (roam_synch_frame_ind->reassoc_req)
+ qdf_mem_free(roam_synch_frame_ind->reassoc_req);
 roam_synch_frame_ind->reassoc_req = sync_frame_ind->reassoc_req;
 }
@@ -430,6 +434,8 @@ cm_roam_sync_frame_event_handler(struct wlan_objmgr_psoc *psoc,
 if (sync_frame_ind->reassoc_rsp_len) {
 roam_synch_frame_ind->reassoc_rsp_len = sync_frame_ind->reassoc_rsp_len;
+ if (roam_synch_frame_ind->reassoc_rsp)
+ qdf_mem_free(roam_synch_frame_ind->reassoc_rsp);
 roam_synch_frame_ind->reassoc_rsp = sync_frame_ind->reassoc_rsp;
 }
diff --git a/components/wmi/src/wmi_unified_roam_tlv.c b/components/wmi/src/wmi_unified_roam_tlv.c
index 5ac4ee24d1..0be3bff8c3 100644
--- a/components/wmi/src/wmi_unified_roam_tlv.c
+++ b/components/wmi/src/wmi_unified_roam_tlv.c
@@ -2707,9 +2707,6 @@ extract_roam_sync_frame_event_tlv(wmi_unified_t wmi_handle, void *event,
 roam_sync_frame_ind->is_beacon = synch_frame_event->is_beacon;
- if (roam_sync_frame_ind->bcn_probe_rsp)
- qdf_mem_free(roam_sync_frame_ind->bcn_probe_rsp);
-
 roam_sync_frame_ind->bcn_probe_rsp = qdf_mem_malloc(roam_sync_frame_ind->bcn_probe_rsp_len);
 if (!roam_sync_frame_ind->bcn_probe_rsp) {
@@ -2725,8 +2722,6 @@ extract_roam_sync_frame_event_tlv(wmi_unified_t wmi_handle, void *event,
 roam_sync_frame_ind->reassoc_req_len = synch_frame_event->reassoc_req_len;
- if (roam_sync_frame_ind->reassoc_req)
- qdf_mem_free(roam_sync_frame_ind->reassoc_req);
 roam_sync_frame_ind->reassoc_req = qdf_mem_malloc(roam_sync_frame_ind->reassoc_req_len);
 if (!roam_sync_frame_ind->reassoc_req) {
@@ -2742,9 +2737,6 @@ extract_roam_sync_frame_event_tlv(wmi_unified_t wmi_handle, void *event,
 roam_sync_frame_ind->reassoc_rsp_len = synch_frame_event->reassoc_rsp_len;
- if (roam_sync_frame_ind->reassoc_rsp)
- qdf_mem_free(roam_sync_frame_ind->reassoc_rsp);
-
 roam_sync_frame_ind->reassoc_rsp = qdf_mem_malloc(roam_sync_frame_ind->reassoc_rsp_len);
 if (!roam_sync_frame_ind->reassoc_rsp) {