samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Add fix to avoid memory leak in mlo_roam_copy_reassoc_rsp()

Browse Source 
In current scenario during OWE roaming when HB failure occurs, it
should clean copied reassoc response and roaming info. But it is not
getting freed which leads to host driver crash while on idle shutdown.

In mlo_roam_copy_reassoc_rsp() memory is allocated for
sta_ctx->cpied_reassoc_rsp, sta_ctx->cpied_reassoc_rsp->roaming_info
and connect_ies->assoc_rsp.ptr but if memory allocation fails for
these it directly retuning without feeing previously allocated memory.

Add change to free the prevoiusly allocated memory if memory
sta_ctx->cpied_reassoc_rsp->roaming_info and connect_ies->assoc_rsp.ptr
fails to allocate memory which avoid the memory leak issue.

Change-Id: I7ca6ee526bf08c614ff25e4c3457db0dd58fc9aa
CRs-Fixed: 3507296
This commit is contained in:
Vijay Patil
2023-06-07 22:42:32 +05:30
committed by Rahul Choudhary
parent 085a77b29f
commit 68badfb043
1 changed files with 14 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

67
components/umac/mlme/mlo_mgr/src/wlan_mlo_mgr_roam.c
View File

@@ -895,6 +895,8 @@ mlo_roam_copy_reassoc_rsp(struct wlan_objmgr_vdev *vdev,
return QDF_STATUS_E_NULL_VALUE;
if (sta_ctx) {
wlan_cm_free_connect_resp(sta_ctx->copied_reassoc_rsp);
sta_ctx->copied_reassoc_rsp = qdf_mem_malloc(
sizeof(struct wlan_cm_connect_resp));
if (!sta_ctx->copied_reassoc_rsp)
@@ -906,8 +908,10 @@ mlo_roam_copy_reassoc_rsp(struct wlan_objmgr_vdev *vdev,
sta_ctx->copied_reassoc_rsp->roaming_info = qdf_mem_malloc(
sizeof(struct wlan_roam_sync_info));
if (!sta_ctx->copied_reassoc_rsp->roaming_info)
if (!sta_ctx->copied_reassoc_rsp->roaming_info) {
qdf_mem_free(sta_ctx->copied_reassoc_rsp);
return QDF_STATUS_E_NOMEM;
}
qdf_mem_copy(sta_ctx->copied_reassoc_rsp->roaming_info,
reassoc_rsp->roaming_info,
@@ -921,8 +925,11 @@ mlo_roam_copy_reassoc_rsp(struct wlan_objmgr_vdev *vdev,
connect_ies->assoc_rsp.ptr = qdf_mem_malloc(
connect_ies->assoc_rsp.len);
if (!connect_ies->assoc_rsp.ptr)
if (!connect_ies->assoc_rsp.ptr) {
qdf_mem_free(sta_ctx->copied_reassoc_rsp->roaming_info);
qdf_mem_free(sta_ctx->copied_reassoc_rsp);
return QDF_STATUS_E_NOMEM;
}
qdf_mem_copy(connect_ies->assoc_rsp.ptr,
reassoc_rsp->connect_ies.assoc_rsp.ptr,
@@ -942,52 +949,6 @@ mlo_roam_copy_reassoc_rsp(struct wlan_objmgr_vdev *vdev,
return QDF_STATUS_SUCCESS;
}
static void
mlo_roam_free_connect_rsp(struct wlan_cm_connect_resp *rsp)
{
struct wlan_connect_rsp_ies *connect_ie =
&rsp->connect_ies;
if (connect_ie->assoc_req.ptr) {
qdf_mem_free(connect_ie->assoc_req.ptr);
connect_ie->assoc_req.ptr = NULL;
}
if (connect_ie->bcn_probe_rsp.ptr) {
qdf_mem_free(connect_ie->bcn_probe_rsp.ptr);
connect_ie->bcn_probe_rsp.ptr = NULL;
}
if (connect_ie->link_bcn_probe_rsp.ptr) {
qdf_mem_free(connect_ie->link_bcn_probe_rsp.ptr);
connect_ie->link_bcn_probe_rsp.ptr = NULL;
}
if (connect_ie->assoc_rsp.ptr) {
qdf_mem_free(connect_ie->assoc_rsp.ptr);
connect_ie->assoc_rsp.ptr = NULL;
}
if (connect_ie->fils_ie && connect_ie->fils_ie->fils_pmk) {
qdf_mem_zero(connect_ie->fils_ie->fils_pmk,
connect_ie->fils_ie->fils_pmk_len);
qdf_mem_free(connect_ie->fils_ie->fils_pmk);
}
if (connect_ie->fils_ie) {
qdf_mem_zero(connect_ie->fils_ie, sizeof(*connect_ie->fils_ie));
qdf_mem_free(connect_ie->fils_ie);
}
if (rsp->roaming_info) {
qdf_mem_free(rsp->roaming_info);
rsp->roaming_info = NULL;
}
qdf_mem_zero(rsp, sizeof(*rsp));
qdf_mem_free(rsp);
}
static bool
mlo_roam_is_internal_disconnect(struct wlan_objmgr_vdev *link_vdev)
{
@@ -1058,7 +1019,7 @@ mlo_roam_validate_req(struct wlan_objmgr_vdev *vdev,
!mlo_roam_is_internal_disconnect(link_vdev)))) {
if (sta_ctx) {
if (sta_ctx->copied_reassoc_rsp) {
mlo_roam_free_connect_rsp(sta_ctx->copied_reassoc_rsp);
wlan_cm_free_connect_resp(sta_ctx->copied_reassoc_rsp);
sta_ctx->copied_reassoc_rsp = NULL;
}
copied_conn_req_lock_acquire(sta_ctx);
@@ -1082,7 +1043,7 @@ mlo_roam_validate_req(struct wlan_objmgr_vdev *vdev,
* flushed. Hence, ignore this event
*/
if (sta_ctx && sta_ctx->copied_reassoc_rsp) {
mlo_roam_free_connect_rsp(sta_ctx->copied_reassoc_rsp);
wlan_cm_free_connect_resp(sta_ctx->copied_reassoc_rsp);
sta_ctx->copied_reassoc_rsp = NULL;
}
return QDF_STATUS_E_FAILURE;
@@ -1224,7 +1185,7 @@ void mlo_roam_free_copied_reassoc_rsp(struct wlan_objmgr_vdev *vdev)
!sta_ctx->copied_reassoc_rsp->roaming_info)
return;
mlo_roam_free_connect_rsp(sta_ctx->copied_reassoc_rsp);
wlan_cm_free_connect_resp(sta_ctx->copied_reassoc_rsp);
sta_ctx->copied_reassoc_rsp = NULL;
}
@@ -1250,7 +1211,7 @@ void mlo_roam_connect_complete(struct wlan_objmgr_vdev *vdev)
auth_status = sta_ctx->copied_reassoc_rsp->roaming_info->auth_status;
if (!mlo_check_connect_req_bmap(vdev) &&
auth_status == ROAM_AUTH_STATUS_CONNECTED) {
mlo_roam_free_connect_rsp(sta_ctx->copied_reassoc_rsp);
wlan_cm_free_connect_resp(sta_ctx->copied_reassoc_rsp);
sta_ctx->copied_reassoc_rsp = NULL;
}
}
@@ -1369,7 +1330,7 @@ err:
if (link_vdev)
mlo_clear_connect_req_links_bmap(link_vdev);
if (sta_ctx && sta_ctx->copied_reassoc_rsp) {
mlo_roam_free_connect_rsp(sta_ctx->copied_reassoc_rsp);
wlan_cm_free_connect_resp(sta_ctx->copied_reassoc_rsp);
sta_ctx->copied_reassoc_rsp = NULL;
}
end: