qcacmn: Free nbuf from htt misc list only when magic pattern is set

In the scenario where htt packets fail to be transmitted to
FW, they are added in both endpoint tx queue and misc list.
On receiving FW down indication before these packets are sent
to FW, endpoint tx queue is flushed and nbufs are freed. Post
this, the aforementioned nbufs would be unmapped/freed again in
htt_htc_misc_pkt_pool_free causing panic.

Fix is to free the nbuf via misc pool free only when the magic
pattern is set.

Change-Id: Ie523a7ca0054eb4104a107b3bddd50cb9b585275
CRs-Fixed: 2762829

dp/wifi3.0/dp_htt.c

@@ -496,6 +496,12 @@ htt_htc_pkt_alloc(struct htt_soc *soc)
 
 	if (!pkt)
 		pkt = qdf_mem_malloc(sizeof(*pkt));
+
+	if (!pkt)
+		return NULL;
+
+	htc_packet_set_magic_cookie(&(pkt->u.pkt.htc_pkt), 0);
+
 	return &pkt->u.pkt; /* not actually a dereference */
 }
 
@@ -510,6 +516,7 @@ htt_htc_pkt_free(struct htt_soc *soc, struct dp_htt_htc_pkt *pkt)
 		(struct dp_htt_htc_pkt_union *)pkt;
 
 	HTT_TX_MUTEX_ACQUIRE(&soc->htt_tx_mutex);
+	htc_packet_set_magic_cookie(&(u_pkt->u.pkt.htc_pkt), 0);
 	u_pkt->u.next = soc->htt_htc_pkt_freelist;
 	soc->htt_htc_pkt_freelist = u_pkt;
 	HTT_TX_MUTEX_RELEASE(&soc->htt_tx_mutex);
@@ -633,6 +640,11 @@ htt_htc_misc_pkt_pool_free(struct htt_soc *soc)
 
 	while (pkt) {
 		next = pkt->u.next;
+		if (htc_packet_get_magic_cookie(&(pkt->u.pkt.htc_pkt)) !=
+		    HTC_PACKET_MAGIC_COOKIE) {
+			pkt = next;
+			continue;
+		}
 		netbuf = (qdf_nbuf_t) (pkt->u.pkt.htc_pkt.pNetBufContext);
 		qdf_nbuf_unmap(soc->osdev, netbuf, QDF_DMA_TO_DEVICE);