
qcacld-3.0: Potential double free in lim_send_sme_wm_status_change_ntf()

lim_sys_process_mmh_msg_api() is a wrapper for sys_process_mmh_msg(),
and sys_process_mmh_msg() itself frees msg->bodyptr. So if
lim_sys_process_mmh_msg_api() returns an error, wm_status_change_ntf
would be freed by both sys_process_mmh_msg() and
lim_send_sme_wm_status_change_ntf().

Change-Id: Ib66d0263625fc2606b4fb4d16f007f3d155977ba
CRs-Fixed: 2411688
Harprit Chhabada 6 年之前
e20b556057

+ 1 - 2
core/mac/src/pe/lim/lim_process_probe_req_frame.c

@@ -562,7 +562,6 @@ lim_send_sme_probe_req_ind(struct mac_context *mac,
 	qdf_mem_copy(pSirSmeProbeReqInd->WPSPBCProbeReq.probeReqIE, pProbeReqIE,
 		     ProbeReqIELen);
 
-	if (lim_sys_process_mmh_msg_api(mac, &msgQ) != QDF_STATUS_SUCCESS)
-		pe_err("couldnt send the probe req to hdd");
+	lim_sys_process_mmh_msg_api(mac, &msgQ);
 
 } /*** end lim_send_sme_probe_req_ind() ***/
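Review bot: The call on the new line hands the probe-request buffer (presumably pSirSmeProbeReqInd, the msgQ.bodyptr) to sys_process_mmh_msg(), which the commit message says frees it, yet nothing at the call site records that and the pointer stays in scope afterwards. A one-line comment would keep the next maintainer from re-adding a free or a log through the pointer: `/* msgQ.bodyptr is consumed (and freed) by sys_process_mmh_msg(); do not use it after this call */`. The same comment belongs at the other call sites this commit rewrites in lim_send_sme_wm_status_change_ntf(), rrm_process_neighbor_report_response() and rrm_process_beacon_report_req(). lim_send_sme_probe_req_ind() starts outside the hunk.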

+ 1 - 4
core/mac/src/pe/lim/lim_send_sme_rsp_messages.c

@@ -1179,10 +1179,7 @@ lim_send_sme_wm_status_change_ntf(struct mac_context *mac_ctx,
 	}
 
 	MTRACE(mac_trace(mac_ctx, TRACE_CODE_TX_SME_MSG, session_id, msg.type));
-	if (QDF_STATUS_SUCCESS != lim_sys_process_mmh_msg_api(mac_ctx, &msg)) {
-		qdf_mem_free(wm_status_change_ntf);
-		pe_err("lim_sys_process_mmh_msg_api failed");
-	}
+	lim_sys_process_mmh_msg_api(mac_ctx, &msg);
 
 } /*** end lim_send_sme_wm_status_change_ntf() ***/
 

+ 2 - 4
core/mac/src/pe/lim/lim_utils.h

@@ -269,12 +269,10 @@ void lim_handle_defer_msg_error(struct mac_context *mac,
 /* Deferred Message Queue Reset */
 void lim_reset_deferred_msg_q(struct mac_context *mac);
 
-static inline QDF_STATUS lim_sys_process_mmh_msg_api(struct mac_context *mac,
-						     struct scheduler_msg *msg)
+static inline void lim_sys_process_mmh_msg_api(struct mac_context *mac,
+					       struct scheduler_msg *msg)
 {
 	sys_process_mmh_msg(mac, msg);
-
-	return QDF_STATUS_SUCCESS;
 }
 
 void lim_handle_update_olbc_cache(struct mac_context *mac);
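Review bot: The wrapper's new void signature removes the only hint callers had that this call is the last valid use of msg->bodyptr, and the inline function in lim_utils.h still carries no comment stating that. A Doxygen header above it should spell out the ownership transfer, e.g. `/** Forward @msg to sys_process_mmh_msg(); msg->bodyptr is freed by the callee, so the caller must neither free nor read it afterwards. */`. It is also worth saying in that comment that the wrapper discards whatever sys_process_mmh_msg() reports, so callers cannot learn about a delivery failure here.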

+ 3 - 5
core/mac/src/pe/rrm/rrm_api.c

@@ -299,7 +299,7 @@ rrm_process_neighbor_report_response(struct mac_context *mac,
 				     tDot11fNeighborReportResponse *pNeighborRep,
 				     struct pe_session *pe_session)
 {
-	QDF_STATUS status = QDF_STATUS_E_FAILURE;
+	QDF_STATUS status = QDF_STATUS_SUCCESS;
 	tpSirNeighborReportInd pSmeNeighborRpt = NULL;
 	uint16_t length;
 	uint8_t i;
@@ -390,7 +390,7 @@ rrm_process_neighbor_report_response(struct mac_context *mac,
 	mmhMsg.bodyptr = pSmeNeighborRpt;
 	MTRACE(mac_trace(mac, TRACE_CODE_TX_SME_MSG,
 			 pe_session->peSessionId, mmhMsg.type));
-	status = lim_sys_process_mmh_msg_api(mac, &mmhMsg);
+	lim_sys_process_mmh_msg_api(mac, &mmhMsg);
 
 	return status;
 
@@ -637,9 +637,7 @@ rrm_process_beacon_report_req(struct mac_context *mac,
 	mmhMsg.bodyptr = pSmeBcnReportReq;
 	MTRACE(mac_trace(mac, TRACE_CODE_TX_SME_MSG,
 			 pe_session->peSessionId, mmhMsg.type));
-	if (QDF_STATUS_SUCCESS !=
-	    lim_sys_process_mmh_msg_api(mac, &mmhMsg))
-		return eRRM_FAILURE;
+	lim_sys_process_mmh_msg_api(mac, &mmhMsg);
 	return eRRM_SUCCESS;
 }
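Review bot: In rrm_process_neighbor_report_response() `status` is now initialised to QDF_STATUS_SUCCESS and, within the visible hunks, is never assigned again before `return status;` just after the call; if no path between the two hunks sets it (that part of the body is outside the hunk), the variable is dead and the tail could simply be `return QDF_STATUS_SUCCESS;`, which reads as the intent. If some earlier path does set it to a failure code and still falls through to the send, that path now reports failure after pSmeNeighborRpt has been handed to sys_process_mmh_msg(), which deserves a comment either way. rrm_process_beacon_report_req() has the same shape and now returns eRRM_SUCCESS unconditionally, which is consistent with the void wrapper.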