From 85e40ff4bf4fc96f021bcb908f99ffdef8112e5c Mon Sep 17 00:00:00 2001
From: "Poddar, Siddarth" <siddpodd@codeaurora.org>
Date: Wed, 19 Oct 2016 12:07:21 +0530
Subject: qcacld-2.0: Fix to avoid skb buff leak when NBUF alloc fail

If we fail to allocate receive packet bundle buffer
it will return no memory without freeing receive pkt queue.
Fix is to free the receive pkt queue before returning from message handler.

Change-Id: I4bf2aeb7bc85cc68cfa1314e6dbf5057665ba7ce
CRs-Fixed: 1079623
---
 CORE/SERVICES/HIF/sdio/hif_sdio_recv.c | 13 +++++++++++++
 CORE/SERVICES/HTC/htc.c                | 18 ++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/CORE/SERVICES/HIF/sdio/hif_sdio_recv.c b/CORE/SERVICES/HIF/sdio/hif_sdio_recv.c
index bec447162b14..0e15fb768720 100644
--- a/CORE/SERVICES/HIF/sdio/hif_sdio_recv.c
+++ b/CORE/SERVICES/HIF/sdio/hif_sdio_recv.c
@@ -39,6 +39,7 @@
 #include <adf_os_defer.h>
 #include <adf_os_atomic.h>
 #include <adf_nbuf.h>
+#include <vos_threads.h>
 #include <athdefs.h>
 #include <adf_net_types.h>
 #include <a_types.h>
@@ -51,6 +52,7 @@
 #include "regtable.h"
 #include "if_ath_sdio.h"
 
+#define NBUF_ALLOC_FAIL_WAIT_TIME 100
 
 static void HIFDevDumpRegisters(HIF_SDIO_DEVICE *pDev,
         MBOX_IRQ_PROC_REGISTERS *pIrqProcRegs,
@@ -645,6 +647,7 @@ static A_STATUS HIFDevIssueRecvPacketBundle(HIF_SDIO_DEVICE *pDev,
     if (!pPacketRxBundle) {
         AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: pPacketRxBundle is NULL \n",
             __FUNCTION__));
+        vos_sleep(NBUF_ALLOC_FAIL_WAIT_TIME);  /* 100 msec sleep */
         return A_NO_MEMORY;
     }
     pBundleBuffer = pPacketRxBundle->pBuffer;
@@ -823,6 +826,16 @@ A_STATUS HIFDevRecvMessagePendingHandler(HIF_SDIO_DEVICE *pDev,
                         &pktsFetched,
                         partialBundle);
                 if (A_FAILED(status)) {
+                    while (!HTC_QUEUE_EMPTY(&recvPktQueue)) {
+                        adf_nbuf_t netbuf;
+
+                        pPacket = HTC_PACKET_DEQUEUE(&recvPktQueue);
+                        if (pPacket == NULL)
+                            break;
+                        netbuf = (adf_nbuf_t) pPacket->pNetBufContext;
+                        if (netbuf)
+                            adf_nbuf_free(netbuf);
+                    }
                     break;
                 }
 
diff --git a/CORE/SERVICES/HTC/htc.c b/CORE/SERVICES/HTC/htc.c
index 0600149dc55a..e876bf0725d3 100644
--- a/CORE/SERVICES/HTC/htc.c
+++ b/CORE/SERVICES/HTC/htc.c
@@ -36,6 +36,8 @@
 #include "epping_main.h"
 #include "htc_api.h"
 
+#define MAX_HTC_RX_BUNDLE  2
+
 #ifdef WLAN_DEBUG
 static ATH_DEBUG_MASK_DESCRIPTION g_HTCDebugDescription[] = {
     { ATH_DEBUG_SEND , "Send"},
@@ -534,6 +536,8 @@ A_STATUS HTCWaitTarget(HTC_HANDLE HTCHandle)
     HTC_SERVICE_CONNECT_RESP resp;
     HTC_READY_MSG *rdy_msg;
     A_UINT16 htc_rdy_msg_id;
+    A_UINT8 i = 0;
+    HTC_PACKET *pRxBundlePacket, *pTempBundlePacket;
 
     AR_DEBUG_PRINTF(ATH_DEBUG_TRC, ("HTCWaitTarget - Enter (target:0x%p) \n", HTCHandle));
     AR_DEBUG_PRINTF(ATH_DEBUG_ANY, ("+HWT\n"));
@@ -588,6 +592,20 @@ A_STATUS HTCWaitTarget(HTC_HANDLE HTCHandle)
             status = A_ECOMM;
             break;
         }
+
+        /* Allocate expected number of RX bundle buffer allocation */
+        pTempBundlePacket = NULL;
+        for (i = 0; i < MAX_HTC_RX_BUNDLE; i++) {
+            pRxBundlePacket = AllocateHTCBundleRxPacket(target);
+            if (pRxBundlePacket != NULL) {
+                pRxBundlePacket->ListLink.pNext = (DL_LIST *)pTempBundlePacket;
+            } else {
+                break;
+            }
+            pTempBundlePacket = pRxBundlePacket;
+        }
+        target->pBundleFreeRxList = pTempBundlePacket;
+
             /* done processing */
         target->CtrlResponseProcessing = FALSE;
 
-- 
cgit v1.2.3