From cb37d704f8b33c3df4ceb1d844d7f5aa3218be4e Mon Sep 17 00:00:00 2001
From: Jinwei Chen
Date: Tue, 22 Oct 2019 17:47:14 +0800
Subject: [PATCH] qcacmn: Fix dst_ring_desc memory leak in defrag case
For RX defrag, if incorrect SW peer ID is got from REO exception ring descriptor, the expectation maybe is AP BSS peer ID but it is replaced by other peer ID which like SAP self peer that won't do dp_peer_rx_init, then in dp_rx_defrag_cleanup no chance to run dp_rx_clear_saved_desc_info to free dst_ring_desc since rx_tid[].array is NULL, memory leak happened. Call dp_rx_clear_saved_desc_info always in dp_rx_defrag_cleanup.
Change-Id: Ib1ebfbd976c817d5238ee48196388a8c88189ebc
CRs-Fixed: 2549913
---
 dp/wifi3.0/dp_rx_defrag.c | 20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)
diff --git a/dp/wifi3.0/dp_rx_defrag.c b/dp/wifi3.0/dp_rx_defrag.c
index b6e2172a38..b42bd167a4 100644
--- a/dp/wifi3.0/dp_rx_defrag.c
+++ b/dp/wifi3.0/dp_rx_defrag.c
@@ -84,6 +84,7 @@ static void dp_rx_clear_saved_desc_info(struct dp_peer *peer, unsigned tid)
 qdf_mem_free(peer->rx_tid[tid].dst_ring_desc);
 peer->rx_tid[tid].dst_ring_desc = NULL;
+ peer->rx_tid[tid].head_frag_desc = NULL;
 }
 static void dp_rx_return_head_frag_desc(struct dp_peer *peer,
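Review bot: The added `peer->rx_tid[tid].head_frag_desc = NULL;` only drops the pointer, while dst_ring_desc just above it is freed before being cleared and dp_rx_return_head_frag_desc (declared right below) exists to hand a head fragment descriptor back; if head_frag_desc can still hold a live descriptor when this function runs, clearing it here leaks it in the same way the commit message describes for dst_ring_desc. Presumably every caller has already returned it by this point, but that is not visible in the hunk and is worth confirming. The function's header comment, which lies above the hunk, should state that this routine now clears head_frag_desc too and that it does not return it, e.g. `/* Frees dst_ring_desc and clears both saved descriptor pointers; head_frag_desc is expected to have been returned already */`. dp_rx_clear_saved_desc_info begins outside the hunk.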
@@ -1334,29 +1335,22 @@ void dp_rx_defrag_cleanup(struct dp_peer *peer, unsigned tid)
 struct dp_rx_reorder_array_elem *rx_reorder_array_elem = peer->rx_tid[tid].array;
- if (!rx_reorder_array_elem) {
- /*
- * if this condition is hit then somebody
- * must have reset this pointer to NULL.
- * array pointer usually points to base variable
- * of TID queue structure: "struct dp_rx_tid"
- */
+ if (rx_reorder_array_elem) {
+ /* Free up nbufs */
+ dp_rx_defrag_frames_free(rx_reorder_array_elem->head);
+ rx_reorder_array_elem->head = NULL;
+ rx_reorder_array_elem->tail = NULL;
+ } else {
 dp_info("Cleanup self peer %pK and TID %u at MAC address %pM", peer, tid, peer->mac_addr.raw);
- return;
 }
- /* Free up nbufs */
- dp_rx_defrag_frames_free(rx_reorder_array_elem->head);
 /* Free up saved ring descriptors */
 dp_rx_clear_saved_desc_info(peer, tid);
- rx_reorder_array_elem->head = NULL;
- rx_reorder_array_elem->tail = NULL;
 peer->rx_tid[tid].defrag_timeout_ms = 0;
 peer->rx_tid[tid].curr_frag_num = 0;
 peer->rx_tid[tid].curr_seq_num = 0;
- peer->rx_tid[tid].head_frag_desc = NULL;
 }
 /*
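Review bot: The new `} else {` branch drops the comment that explained why array can be NULL, and since this is now a legitimate path rather than an anomaly (the commit message attributes it to peers such as the self peer that never run dp_peer_rx_init), a short comment there would help the next reader, e.g. `/* array is NULL for peers that never ran dp_peer_rx_init (e.g. self peer): nothing queued, but a saved dst_ring_desc may still need freeing */`. Calling dp_rx_clear_saved_desc_info unconditionally is the right fix for the leak, but it relies on dst_ring_desc being NULL when nothing was saved and on qdf_mem_free accepting NULL; the guard, if any, sits outside this hunk and is worth checking. The "Cleanup self peer" log text is now reached for any peer whose array is NULL, so naming the condition (array not initialised) rather than the peer type would keep the message accurate for the mis-resolved peer-ID case the commit describes.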