qcacld-3.0: RRM caller and callee needs to release bss descr memory

In RRM module, caller is creating memory for beacon report. for
each beacon report, it further creates memory for bss descriptors.

caller sends a entire becon report message to callee. Both caller and
callee are releasing memory for beacon report but they don't release
memory for bss descriptos correctly.

To fix the situation, caller needs to release bss descriptos memory up
on failure to deliver the message to callee. callee needs to release
bss descriptors' memory up on successful reception and after processing
it.

CRs-Fixed: 2040435
Change-Id: Ia4e0a1cdc56c177e86683847973acfab0e9a96bf

core/mac/src/pe/rrm/rrm_api.c

@@ -760,7 +760,7 @@ rrm_process_beacon_report_xmit(tpAniSirGlobal mac_ctx,
 	tpSirBssDescription bss_desc;
 	tpRRMReq curr_req = mac_ctx->rrm.rrmPEContext.pCurrentReq;
 	tpPESession session_entry;
-	uint8_t session_id;
+	uint8_t session_id, counter;
 	uint8_t bss_desc_count = 0;
 
 	pe_debug("Received beacon report xmit indication");
@@ -772,7 +772,8 @@ rrm_process_beacon_report_xmit(tpAniSirGlobal mac_ctx,
 
 	if (NULL == curr_req) {
 		pe_err("Received report xmit while there is no request pending in PE");
-		return eSIR_FAILURE;
+		status = eSIR_FAILURE;
+		goto end;
 	}
 
 	if ((beacon_xmit_ind->numBssDesc) || curr_req->sendEmptyBcnRpt) {
@@ -784,7 +785,8 @@ rrm_process_beacon_report_xmit(tpAniSirGlobal mac_ctx,
 				beacon_xmit_ind->bssId, &session_id);
 		if (NULL == session_entry) {
 			pe_err("session does not exist for given bssId");
-			return eSIR_FAILURE;
+			status = eSIR_FAILURE;
+			goto end;
 		}
 
 		report = qdf_mem_malloc(beacon_xmit_ind->numBssDesc *
@@ -792,7 +794,8 @@ rrm_process_beacon_report_xmit(tpAniSirGlobal mac_ctx,
 
 		if (NULL == report) {
 			pe_err("RRM Report is NULL, allocation failed");
-			return eSIR_MEM_ALLOC_FAILED;
+			status = eSIR_MEM_ALLOC_FAILED;
+			goto end;
 		}
 
 		for (bss_desc_count = 0; bss_desc_count <
@@ -872,7 +875,6 @@ rrm_process_beacon_report_xmit(tpAniSirGlobal mac_ctx,
 				break;
 			}
 		}
-
 		pe_info("Sending Action frame with %d bss info",
 			bss_desc_count);
 		lim_send_radio_measure_report_action_frame(mac_ctx,
@@ -882,6 +884,10 @@ rrm_process_beacon_report_xmit(tpAniSirGlobal mac_ctx,
 		curr_req->sendEmptyBcnRpt = false;
 	}
 
+end:
+	for (counter = 0; counter < beacon_xmit_ind->numBssDesc; counter++)
+		qdf_mem_free(beacon_xmit_ind->pBssDescription[counter]);
+
 	if (beacon_xmit_ind->fMeasureDone) {
 		pe_debug("Measurement done....cleanup the context");
 		rrm_cleanup(mac_ctx);

core/sme/src/rrm/sme_rrm.c

@@ -227,7 +227,7 @@ sme_rrm_send_beacon_report_xmit_ind(tpAniSirGlobal mac_ctx,
 				beacon_rep->pBssDescription[i]->bssId),
 				beacon_rep->pBssDescription[i]->channelId,
 				beacon_rep->pBssDescription[i]->rssi * (-1));
-				beacon_rep->numBssDesc++;
+			beacon_rep->numBssDesc++;
 			if (++i >= SIR_BCN_REPORT_MAX_BSS_DESC)
 				break;
 			cur_result =
@@ -248,8 +248,9 @@ sme_rrm_send_beacon_report_xmit_ind(tpAniSirGlobal mac_ctx,
 		sme_debug("SME Sending BcnRepXmit to PE numBss %d i %d j %d",
 			beacon_rep->numBssDesc, i, j);
 		status = umac_send_mb_message_to_mac(beacon_rep);
-		for (counter = 0; counter < i; ++counter)
-			qdf_mem_free(bss_desc_to_free[counter]);
+		if (status != QDF_STATUS_SUCCESS)
+			for (counter = 0; counter < i; ++counter)
+				qdf_mem_free(bss_desc_to_free[counter]);
 	} while (cur_result);
 
 	return status;