diff options
| author | Poddar, Siddarth <siddpodd@codeaurora.org> | 2016-10-19 12:07:21 +0530 |
|---|---|---|
| committer | Anjaneedevi Kapparapu <akappa@codeaurora.org> | 2016-11-14 15:39:12 +0530 |
| commit | 85e40ff4bf4fc96f021bcb908f99ffdef8112e5c (patch) | |
| tree | 0cd856832483cbcf17a0eb4c8adaf7ea2a57ebc7 | |
| parent | a5276a8155c5e7251b8cca658a8af66b9c27f9e3 (diff) | |
qcacld-2.0: Fix to avoid skb buff leak when NBUF alloc fail
If we fail to allocate receive packet bundle buffer
it will return no memory without freeing receive pkt queue.
Fix is to free the receive pkt queue before returning from message handler.
Change-Id: I4bf2aeb7bc85cc68cfa1314e6dbf5057665ba7ce
CRs-Fixed: 1079623
| -rw-r--r-- | CORE/SERVICES/HIF/sdio/hif_sdio_recv.c | 13 | ||||
| -rw-r--r-- | CORE/SERVICES/HTC/htc.c | 18 |
2 files changed, 31 insertions, 0 deletions
diff --git a/CORE/SERVICES/HIF/sdio/hif_sdio_recv.c b/CORE/SERVICES/HIF/sdio/hif_sdio_recv.c index bec447162b14..0e15fb768720 100644 --- a/CORE/SERVICES/HIF/sdio/hif_sdio_recv.c +++ b/CORE/SERVICES/HIF/sdio/hif_sdio_recv.c @@ -39,6 +39,7 @@ #include <adf_os_defer.h> #include <adf_os_atomic.h> #include <adf_nbuf.h> +#include <vos_threads.h> #include <athdefs.h> #include <adf_net_types.h> #include <a_types.h> @@ -51,6 +52,7 @@ #include "regtable.h" #include "if_ath_sdio.h" +#define NBUF_ALLOC_FAIL_WAIT_TIME 100 static void HIFDevDumpRegisters(HIF_SDIO_DEVICE *pDev, MBOX_IRQ_PROC_REGISTERS *pIrqProcRegs, @@ -645,6 +647,7 @@ static A_STATUS HIFDevIssueRecvPacketBundle(HIF_SDIO_DEVICE *pDev, if (!pPacketRxBundle) { AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: pPacketRxBundle is NULL \n", __FUNCTION__)); + vos_sleep(NBUF_ALLOC_FAIL_WAIT_TIME); /* 100 msec sleep */ return A_NO_MEMORY; } pBundleBuffer = pPacketRxBundle->pBuffer; @@ -823,6 +826,16 @@ A_STATUS HIFDevRecvMessagePendingHandler(HIF_SDIO_DEVICE *pDev, &pktsFetched, partialBundle); if (A_FAILED(status)) { + while (!HTC_QUEUE_EMPTY(&recvPktQueue)) { + adf_nbuf_t netbuf; + + pPacket = HTC_PACKET_DEQUEUE(&recvPktQueue); + if (pPacket == NULL) + break; + netbuf = (adf_nbuf_t) pPacket->pNetBufContext; + if (netbuf) + adf_nbuf_free(netbuf); + } break; } diff --git a/CORE/SERVICES/HTC/htc.c b/CORE/SERVICES/HTC/htc.c index 0600149dc55a..e876bf0725d3 100644 --- a/CORE/SERVICES/HTC/htc.c +++ b/CORE/SERVICES/HTC/htc.c @@ -36,6 +36,8 @@ #include "epping_main.h" #include "htc_api.h" +#define MAX_HTC_RX_BUNDLE 2 + #ifdef WLAN_DEBUG static ATH_DEBUG_MASK_DESCRIPTION g_HTCDebugDescription[] = { { ATH_DEBUG_SEND , "Send"}, @@ -534,6 +536,8 @@ A_STATUS HTCWaitTarget(HTC_HANDLE HTCHandle) HTC_SERVICE_CONNECT_RESP resp; HTC_READY_MSG *rdy_msg; A_UINT16 htc_rdy_msg_id; + A_UINT8 i = 0; + HTC_PACKET *pRxBundlePacket, *pTempBundlePacket; AR_DEBUG_PRINTF(ATH_DEBUG_TRC, ("HTCWaitTarget - Enter (target:0x%p) \n", HTCHandle)); AR_DEBUG_PRINTF(ATH_DEBUG_ANY, ("+HWT\n")); @@ -588,6 +592,20 @@ A_STATUS HTCWaitTarget(HTC_HANDLE HTCHandle) status = A_ECOMM; break; } + + /* Allocate expected number of RX bundle buffer allocation */ + pTempBundlePacket = NULL; + for (i = 0; i < MAX_HTC_RX_BUNDLE; i++) { + pRxBundlePacket = AllocateHTCBundleRxPacket(target); + if (pRxBundlePacket != NULL) { + pRxBundlePacket->ListLink.pNext = (DL_LIST *)pTempBundlePacket; + } else { + break; + } + pTempBundlePacket = pRxBundlePacket; + } + target->pBundleFreeRxList = pTempBundlePacket; + /* done processing */ target->CtrlResponseProcessing = FALSE; |