From aefb2ac3d4b5a7934e9fdf3743e89c284f3f4bee Mon Sep 17 00:00:00 2001
From: Yeshwanth Sriram Guntuka
Date: Thu, 27 Aug 2020 17:11:06 +0530
Subject: [PATCH] qcacmn: Free nbuf from htt misc list only when magic pattern is set

In the scenario where htt packets fail to be transmitted to FW, they are added in both endpoint tx queue and misc list. On receiving FW down indication before these packets are sent to FW, endpoint tx queue is flushed and nbufs are freed. Post this, the aforementioned nbufs would be unmapped/freed again in htt_htc_misc_pkt_pool_free causing panic. Fix is to free the nbuf via misc pool free only when the magic pattern is set.

Change-Id: Ie523a7ca0054eb4104a107b3bddd50cb9b585275
CRs-Fixed: 2762829
---
 dp/wifi3.0/dp_htt.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/dp/wifi3.0/dp_htt.c b/dp/wifi3.0/dp_htt.c
index 1ad9c2a1ff..f4cfa0c998 100644
--- a/dp/wifi3.0/dp_htt.c
+++ b/dp/wifi3.0/dp_htt.c
@@ -496,6 +496,12 @@ htt_htc_pkt_alloc(struct htt_soc *soc)
 if (!pkt)
 pkt = qdf_mem_malloc(sizeof(*pkt));
+
+ if (!pkt)
+ return NULL;
+
+ htc_packet_set_magic_cookie(&(pkt->u.pkt.htc_pkt), 0);
+
 return &pkt->u.pkt; /* not actually a dereference */
 }
@@ -510,6 +516,7 @@ htt_htc_pkt_free(struct htt_soc *soc, struct dp_htt_htc_pkt *pkt)
 (struct dp_htt_htc_pkt_union *)pkt;
 HTT_TX_MUTEX_ACQUIRE(&soc->htt_tx_mutex);
+ htc_packet_set_magic_cookie(&(u_pkt->u.pkt.htc_pkt), 0);
 u_pkt->u.next = soc->htt_htc_pkt_freelist;
 soc->htt_htc_pkt_freelist = u_pkt;
 HTT_TX_MUTEX_RELEASE(&soc->htt_tx_mutex);
@@ -633,6 +640,11 @@ htt_htc_misc_pkt_pool_free(struct htt_soc *soc)
 while (pkt) {
 next = pkt->u.next;
+ if (htc_packet_get_magic_cookie(&(pkt->u.pkt.htc_pkt)) !=
+ HTC_PACKET_MAGIC_COOKIE) {
+ pkt = next;
+ continue;
+ }
 netbuf = (qdf_nbuf_t) (pkt->u.pkt.htc_pkt.pNetBufContext);
 qdf_nbuf_unmap(soc->osdev, netbuf, QDF_DMA_TO_DEVICE);
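Review bot: In htt_htc_pkt_alloc the new `htc_packet_set_magic_cookie(&(pkt->u.pkt.htc_pkt), 0);` has no comment saying what the cookie guards, and nothing in this patch ever sets it to `HTC_PACKET_MAGIC_COOKIE`, so the ownership rule the fix depends on has to be hunted down elsewhere. I would add a comment above the call, e.g. `/* cookie is cleared here and set by <setter outside this diff>; only a set cookie means the misc-list walk still owns the nbuf */`. The trailing `/* not actually a dereference */` on the return is also stale now that `if (!pkt) return NULL;` sits above it and can be dropped. The start of the function is outside the hunk.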
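Review bot: htt_htc_pkt_free rewrites `u_pkt->u.next` for the freelist right after clearing the cookie, while htt_htc_misc_pkt_pool_free reads `next = pkt->u.next` before it tests the cookie, so both lists are threaded through the same link field. If a packet still linked on the misc list can reach htt_htc_pkt_free (the double-listing case in the commit message suggests it may, but the flush and misc-list add paths are outside this diff), the misc walk would follow a freelist link instead of its own. The cookie test itself also reads `pkt`, so it only avoids the double unmap/free if the packet memory is still valid at that point. Please confirm that flushed packets are unlinked from the misc list, or state the invariant at the check, e.g. `/* cookie cleared: nbuf already released by endpoint flush; pkt itself is still valid and is released by <path to confirm> */`. Both function bodies start outside their hunks, and whatever releases `pkt` after the unmap is not visible here, so the skip branch may also leave `pkt` unreleased.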