authorAbhishek Singh <absingh@codeaurora.org>2017-11-14 14:46:51 +0530
committerAbhishek Singh <absingh@codeaurora.org>2017-11-16 12:17:30 +0530
commit5e8de9c9ef19de7e4ea7f08a152d8b9cf638cf2f (patch)
treec5d9bb3ab2066e285b89c76269a28eb9219c7cd9
parent1729e3d337c89a9c86e529c655637ef6287f9230 (diff)
qcacld-3.0: Free LimMgmtFrameRegistratinQueue after MC thread shut down
LimMgmtFrameRegistratinQueue is freed in lim cleanup before the MC thread is shut down. If, after that cleanup, the MC thread processes a request to register a management frame type, it will access a stale list node address, resulting in a system crash. To fix this, clean up the LimMgmtFrameRegistratinQueue after the MC thread has shut down. Change-Id: Icca58bd18e67f5a215e9db2429ed0a6afd45ea0a CRs-Fixed: 2142713
-rw-r--r--core/mac/src/pe/lim/lim_api.c48
1 files changed, 26 insertions, 22 deletions
diff --git a/core/mac/src/pe/lim/lim_api.c b/core/mac/src/pe/lim/lim_api.c
index 8238659d6874..4cf02f82dc7f 100644
--- a/core/mac/src/pe/lim/lim_api.c
+++ b/core/mac/src/pe/lim/lim_api.c
@@ -552,9 +552,6 @@ tSirRetStatus lim_initialize(tpAniSirGlobal pMac)
rrm_initialize(pMac);
- qdf_mutex_create(&pMac->lim.lim_frame_register_lock);
- qdf_list_create(&pMac->lim.gLimMgmtFrameRegistratinQueue, 0);
-
/* Initialize the configurations needed by PE */
if (eSIR_FAILURE == __lim_init_config(pMac)) {
/* We need to undo everything in lim_start */
@@ -594,24 +591,7 @@ tSirRetStatus lim_initialize(tpAniSirGlobal pMac)
void lim_cleanup(tpAniSirGlobal pMac)
{
uint8_t i;
- /*
- * Before destroying the list making sure all the nodes have been
- * deleted Which should be the normal case, but a memory leak has been
- * reported
- */
-
- struct mgmt_frm_reg_info *pLimMgmtRegistration = NULL;
- qdf_mutex_acquire(&pMac->lim.lim_frame_register_lock);
- while (qdf_list_remove_front(
- &pMac->lim.gLimMgmtFrameRegistratinQueue,
- (qdf_list_node_t **) &pLimMgmtRegistration) ==
- QDF_STATUS_SUCCESS) {
- qdf_mem_free(pLimMgmtRegistration);
- }
- qdf_mutex_release(&pMac->lim.lim_frame_register_lock);
- qdf_list_destroy(&pMac->lim.gLimMgmtFrameRegistratinQueue);
- qdf_mutex_destroy(&pMac->lim.lim_frame_register_lock);
qdf_mem_free(pMac->lim.gpLimRemainOnChanReq);
pMac->lim.gpLimRemainOnChanReq = NULL;
lim_cleanup_mlm(pMac);
@@ -791,8 +771,18 @@ tSirRetStatus pe_open(tpAniSirGlobal pMac, struct cds_config_info *cds_cfg)
if (!QDF_IS_STATUS_SUCCESS(qdf_mutex_create(&pMac->lim.lkPeGlobalLock))) {
pe_err("pe lock init failed!");
status = eSIR_FAILURE;
- goto pe_open_lock_fail;
+ goto pe_open_lock_1_fail;
+ }
+
+ if (QDF_IS_STATUS_ERROR(qdf_mutex_create(
+ &pMac->lim.lim_frame_register_lock))) {
+ pe_err("pe lock init failed!");
+ status = eSIR_FAILURE;
+ goto pe_open_lock_2_fail;
}
+
+ qdf_list_create(&pMac->lim.gLimMgmtFrameRegistratinQueue, 0);
+
pMac->lim.retry_packet_cnt = 0;
pMac->lim.ibss_retry_cnt = 0;
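Review bot: The new `qdf_mutex_create(&pMac->lim.lim_frame_register_lock)` failure branch reuses the exact `pe_err("pe lock init failed!")` text of the lkPeGlobalLock check just above it, so a log line from this path cannot say which lock failed; use `pe_err("lim_frame_register_lock init failed!");` here. The new check is also written as `QDF_IS_STATUS_ERROR(...)` while the preceding one uses `!QDF_IS_STATUS_SUCCESS(...)`; either works, but one form for both adjacent checks reads more consistently. The unwind labels in the later hunk (`pe_open_lock_2_fail` destroys lkPeGlobalLock, `pe_open_lock_1_fail` frees gpSession) contain nothing that destroys lim_frame_register_lock or the list created by `qdf_list_create`, so if any failure path exists between the list creation and the success return (that stretch of pe_open is not visible here) both would be leaked on it. pe_open's body continues outside this hunk.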
@@ -813,7 +803,9 @@ tSirRetStatus pe_open(tpAniSirGlobal pMac, struct cds_config_info *cds_cfg)
return status; /* status here will be eSIR_SUCCESS */
-pe_open_lock_fail:
+pe_open_lock_2_fail:
+ qdf_mutex_destroy(&pMac->lim.lkPeGlobalLock);
+pe_open_lock_1_fail:
qdf_mem_free(pMac->lim.gpSession);
pMac->lim.gpSession = NULL;
pe_open_psession_fail:
@@ -833,9 +825,21 @@ pe_open_psession_fail:
tSirRetStatus pe_close(tpAniSirGlobal pMac)
{
uint8_t i;
+ qdf_list_node_t *lst_node;
if (ANI_DRIVER_TYPE(pMac) == QDF_DRIVER_TYPE_MFG)
return eSIR_SUCCESS;
+ /*
+ * Before destroying the list making sure all the nodes have been
+ * deleted
+ */
+ while (qdf_list_remove_front(
+ &pMac->lim.gLimMgmtFrameRegistratinQueue,
+ &lst_node) == QDF_STATUS_SUCCESS) {
+ qdf_mem_free(lst_node);
+ }
+ qdf_list_destroy(&pMac->lim.gLimMgmtFrameRegistratinQueue);
+ qdf_mutex_destroy(&pMac->lim.lim_frame_register_lock);
qdf_spinlock_destroy(&pMac->sys.bbt_mgmt_lock);
for (i = 0; i < pMac->lim.maxBssId; i++) {