Merge "wlan: Address memory corruption due to double free"
diff --git a/CORE/WDA/src/wlan_qct_wda.c b/CORE/WDA/src/wlan_qct_wda.c
index b1e534d..49d6f09 100644
--- a/CORE/WDA/src/wlan_qct_wda.c
+++ b/CORE/WDA/src/wlan_qct_wda.c
@@ -7998,18 +7998,65 @@
}
return CONVERT_WDI2VOS_STATUS(status) ;
}
+
+/*
+ * FUNCTION: WDA_ExitImpsRespCallback
+ * send Exit IMPS RSP back to PE
+ */
+void WDA_ExitImpsRespCallback(WDI_Status status, void* pUserData)
+{
+ tWDA_ReqParams *pWdaParams = (tWDA_ReqParams *)pUserData;
+ tWDA_CbContext *pWDA;
+
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO,
+ "<------ %s " ,__func__);
+
+ if (NULL == pWdaParams)
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "%s: pWdaParams received NULL", __func__);
+ VOS_ASSERT(0);
+ return;
+ }
+ pWDA = (tWDA_CbContext *)pWdaParams->pWdaContext;
+
+ vos_mem_free(pWdaParams->wdaWdiApiMsgParam);
+ vos_mem_free(pWdaParams);
+
+ WDA_SendMsg(pWDA, WDA_EXIT_IMPS_RSP, NULL , (status));
+ return;
+}
+
/*
* FUNCTION: WDA_ExitImpsReqCallback
- * send Exit IMPS RSP back to PE
*/
void WDA_ExitImpsReqCallback(WDI_Status status, void* pUserData)
{
- tWDA_CbContext *pWDA = (tWDA_CbContext *)pUserData ;
+ tWDA_ReqParams *pWdaParams = (tWDA_ReqParams *)pUserData;
VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO,
"<------ %s " ,__func__);
- WDA_SendMsg(pWDA, WDA_EXIT_IMPS_RSP, NULL , (status)) ;
- return ;
+ if(NULL == pWdaParams)
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "%s: pWdaParams received NULL", __func__);
+ VOS_ASSERT(0);
+ return;
+ }
+
+ if (IS_WDI_STATUS_FAILURE(status))
+ {
+ vos_mem_free(pWdaParams->wdaWdiApiMsgParam);
+ vos_mem_free(pWdaParams);
+ if (WDI_STATUS_DEV_INTERNAL_FAILURE == status)
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ FL("reload wlan driver"));
+ wpalWlanReload();
+ }
+ }
+ return;
}
+
/*
* FUNCTION: WDA_ProcessExitImpsReq
* Request to WDI to Exit IMPS power state.
@@ -8017,23 +8064,47 @@
VOS_STATUS WDA_ProcessExitImpsReq(tWDA_CbContext *pWDA)
{
WDI_Status status = WDI_STATUS_SUCCESS ;
+ tWDA_ReqParams *pWdaParams;
+ WDI_ExitImpsReqParamsType *wdiExitImpsReqParams;
+
VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO,
"------> %s " ,__func__);
- status = WDI_ExitImpsReq((WDI_ExitImpsRspCb)WDA_ExitImpsReqCallback, pWDA);
- if(IS_WDI_STATUS_FAILURE(status))
+ wdiExitImpsReqParams = (WDI_ExitImpsReqParamsType *)vos_mem_malloc(
+ sizeof(WDI_ExitImpsReqParamsType));
+ if (NULL == wdiExitImpsReqParams)
{
- if (WDI_STATUS_DEV_INTERNAL_FAILURE == status)
- {
- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
- FL("reload wlan driver"));
- wpalWlanReload();
- }
- else
- {
- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
- "Failure in Exit IMPS REQ WDI API, free all the memory " );
- WDA_SendMsg(pWDA, WDA_EXIT_IMPS_RSP, NULL , CONVERT_WDI2SIR_STATUS(status)) ;
- }
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "%s: VOS MEM Alloc Failure", __func__);
+ VOS_ASSERT(0);
+ return VOS_STATUS_E_NOMEM;
+ }
+ pWdaParams = (tWDA_ReqParams *)vos_mem_malloc(sizeof(tWDA_ReqParams));
+ if(NULL == pWdaParams)
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "%s: VOS MEM Alloc Failure", __func__);
+ VOS_ASSERT(0);
+ vos_mem_free(wdiExitImpsReqParams);
+ return VOS_STATUS_E_NOMEM;
+ }
+ wdiExitImpsReqParams->wdiReqStatusCB = WDA_ExitImpsReqCallback;
+ wdiExitImpsReqParams->pUserData = pWdaParams;
+
+ /* Store param pointer as passed in by caller */
+ /* store Params pass it to WDI */
+ pWdaParams->wdaWdiApiMsgParam = wdiExitImpsReqParams;
+ pWdaParams->pWdaContext = pWDA;
+ pWdaParams->wdaMsgParam = wdiExitImpsReqParams;
+ status = WDI_ExitImpsReq(wdiExitImpsReqParams,
+ (WDI_ExitImpsRspCb)WDA_ExitImpsRespCallback,
+ pWdaParams);
+ if (IS_WDI_STATUS_FAILURE(status))
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "Failure in Exit IMPS REQ WDI API, free all the memory " );
+ vos_mem_free(pWdaParams->wdaWdiApiMsgParam);
+ vos_mem_free(pWdaParams);
+ WDA_SendMsg(pWDA, WDA_EXIT_IMPS_RSP, NULL , CONVERT_WDI2SIR_STATUS(status)) ;
}
return CONVERT_WDI2VOS_STATUS(status) ;
}
diff --git a/CORE/WDI/CP/inc/wlan_qct_wdi.h b/CORE/WDI/CP/inc/wlan_qct_wdi.h
index a9cd910..1cd9fae 100644
--- a/CORE/WDI/CP/inc/wlan_qct_wdi.h
+++ b/CORE/WDI/CP/inc/wlan_qct_wdi.h
@@ -3801,6 +3801,20 @@
}WDI_EnterImpsReqParamsType;
/*---------------------------------------------------------------------------
+ WDI_ExitImpsReqParamsType
+ Exit IMPS parameters passed to WDI from WDA
+----------------------------------------------------------------------------*/
+typedef struct
+{
+ /*Request status callback offered by UMAC */
+ WDI_ReqStatusCb wdiReqStatusCB;
+ /*The user data passed in by UMAC, it will be sent back when the above
+ function pointer will be called */
+ void* pUserData;
+
+}WDI_ExitImpsReqParamsType;
+
+/*---------------------------------------------------------------------------
WDI_EnterBmpsReqParamsType
Enter BMPS parameters passed from WDI to WDA
---------------------------------------------------------------------------*/
@@ -9022,6 +9036,7 @@
WDI_Status
WDI_ExitImpsReq
(
+ WDI_ExitImpsReqParamsType *pwdiExitImpsReqParams,
WDI_ExitImpsRspCb wdiExitImpsRspCb,
void* pUserData
);
diff --git a/CORE/WDI/CP/src/wlan_qct_wdi.c b/CORE/WDI/CP/src/wlan_qct_wdi.c
index dc04d81..9f50dd8 100644
--- a/CORE/WDI/CP/src/wlan_qct_wdi.c
+++ b/CORE/WDI/CP/src/wlan_qct_wdi.c
@@ -3759,6 +3759,7 @@
WDI_Status
WDI_ExitImpsReq
(
+ WDI_ExitImpsReqParamsType *pwdiExitImpsReqParams,
WDI_ExitImpsRspCb wdiExitImpsRspCb,
void* pUserData
)
@@ -3781,8 +3782,8 @@
Fill in Event data and post to the Main FSM
------------------------------------------------------------------------*/
wdiEventData.wdiRequest = WDI_EXIT_IMPS_REQ;
- wdiEventData.pEventData = NULL;
- wdiEventData.uEventDataSize = 0;
+ wdiEventData.pEventData = pwdiExitImpsReqParams;
+ wdiEventData.uEventDataSize = sizeof(*pwdiExitImpsReqParams);
wdiEventData.pCBfnc = wdiExitImpsRspCb;
wdiEventData.pUserData = pUserData;
@@ -13797,13 +13798,16 @@
wpt_uint8* pSendBuffer = NULL;
wpt_uint16 usDataOffset = 0;
wpt_uint16 usSendSize = 0;
+ WDI_ExitImpsReqParamsType *pwdiExitImpsReqParams = NULL;
/*- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/*-------------------------------------------------------------------------
Sanity check
-------------------------------------------------------------------------*/
if (( NULL == pEventData ) ||
- ( NULL == (wdiExitImpsRspCb = (WDI_ExitImpsRspCb)pEventData->pCBfnc)))
+ ( NULL == (wdiExitImpsRspCb = (WDI_ExitImpsRspCb)pEventData->pCBfnc)) ||
+ (NULL == (pwdiExitImpsReqParams =
+ (WDI_ExitImpsReqParamsType*)pEventData->pEventData)))
{
WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN,
"%s: Invalid parameters", __func__);
@@ -13826,7 +13830,8 @@
WDI_ASSERT(0);
return WDI_STATUS_E_FAILURE;
}
-
+ pWDICtx->wdiReqStatusCB = pwdiExitImpsReqParams->wdiReqStatusCB;
+ pWDICtx->pReqStatusUserData = pwdiExitImpsReqParams->pUserData;
/*-------------------------------------------------------------------------
Send Get STA Request to HAL
-------------------------------------------------------------------------*/
@@ -22083,7 +22088,8 @@
WDI_getRespMsgString(pWDICtx->wdiExpectedResponse),
pWDICtx->wdiExpectedResponse);
- wdiStatus = WDI_STATUS_E_FAILURE;
+ wdiStatus = (ret == eWLAN_PAL_STATUS_E_FAILURE) ?
+ WDI_STATUS_DEV_INTERNAL_FAILURE : WDI_STATUS_E_FAILURE;
}
else
{
@@ -22116,8 +22122,10 @@
(wdiStatus) to WDI_STATUS_PENDING. This makes sure that WDA doesnt
end up repeating the functonality in the req callback for the
WDI_STATUS_E_FAILURE case*/
- if (wdiStatus == WDI_STATUS_E_FAILURE)
+ if (wdiStatus != WDI_STATUS_SUCCESS)
+ {
wdiStatus = WDI_STATUS_PENDING;
+ }
}
if ( wdiStatus == WDI_STATUS_SUCCESS )
@@ -22133,10 +22141,6 @@
{
/*Inform upper stack layers that a transport fatal error occurred*/
WDI_DetectedDeviceError(pWDICtx, WDI_ERR_TRANSPORT_FAILURE);
- if (eWLAN_PAL_STATUS_E_FAILURE == ret)
- {
- wdiStatus = WDI_STATUS_DEV_INTERNAL_FAILURE;
- }
}
return wdiStatus;