wlan: Address memory corruption due to double free
If MC thread fails to post any WDI message over bus then failure
status is sent to the caller through registered request callback
and WDI_STATUS_PENDING is returned to the actual request funcion
to avoid repeated functionality done in the request callback for
failure case. But the commit "Reload driver if EXIT IMPS REQ fails
due to invalid SMD port" will modify the wdiStatus which results
in double free, i.e both WDA request and WDA request status callback
functions endup in freeing the same memory.
To mitigate this issue, return WDI_STATUS_PENDING to the request
function if we already returned WDI_STATUS_DEV_INTERNAL_FAILURE
or WDI_STATUS_E_FAILURE status through registered request callback.
And also handle the logic to reload the wlan driver if WDI_EXIT_IMPS
REQ fails due to closed SMD port in request callback function.
Change-Id: I932e6684c4272332c2b14cc4896b7c00c86fa4cd
CRs-Fixed: 767711
diff --git a/CORE/WDA/src/wlan_qct_wda.c b/CORE/WDA/src/wlan_qct_wda.c
index b1e534d..49d6f09 100644
--- a/CORE/WDA/src/wlan_qct_wda.c
+++ b/CORE/WDA/src/wlan_qct_wda.c
@@ -7998,18 +7998,65 @@
}
return CONVERT_WDI2VOS_STATUS(status) ;
}
+
+/*
+ * FUNCTION: WDA_ExitImpsRespCallback
+ * send Exit IMPS RSP back to PE
+ */
+void WDA_ExitImpsRespCallback(WDI_Status status, void* pUserData)
+{
+ tWDA_ReqParams *pWdaParams = (tWDA_ReqParams *)pUserData;
+ tWDA_CbContext *pWDA;
+
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO,
+ "<------ %s " ,__func__);
+
+ if (NULL == pWdaParams)
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "%s: pWdaParams received NULL", __func__);
+ VOS_ASSERT(0);
+ return;
+ }
+ pWDA = (tWDA_CbContext *)pWdaParams->pWdaContext;
+
+ vos_mem_free(pWdaParams->wdaWdiApiMsgParam);
+ vos_mem_free(pWdaParams);
+
+ WDA_SendMsg(pWDA, WDA_EXIT_IMPS_RSP, NULL , (status));
+ return;
+}
+
/*
* FUNCTION: WDA_ExitImpsReqCallback
- * send Exit IMPS RSP back to PE
*/
void WDA_ExitImpsReqCallback(WDI_Status status, void* pUserData)
{
- tWDA_CbContext *pWDA = (tWDA_CbContext *)pUserData ;
+ tWDA_ReqParams *pWdaParams = (tWDA_ReqParams *)pUserData;
VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO,
"<------ %s " ,__func__);
- WDA_SendMsg(pWDA, WDA_EXIT_IMPS_RSP, NULL , (status)) ;
- return ;
+ if(NULL == pWdaParams)
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "%s: pWdaParams received NULL", __func__);
+ VOS_ASSERT(0);
+ return;
+ }
+
+ if (IS_WDI_STATUS_FAILURE(status))
+ {
+ vos_mem_free(pWdaParams->wdaWdiApiMsgParam);
+ vos_mem_free(pWdaParams);
+ if (WDI_STATUS_DEV_INTERNAL_FAILURE == status)
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ FL("reload wlan driver"));
+ wpalWlanReload();
+ }
+ }
+ return;
}
+
/*
* FUNCTION: WDA_ProcessExitImpsReq
* Request to WDI to Exit IMPS power state.
@@ -8017,23 +8064,47 @@
VOS_STATUS WDA_ProcessExitImpsReq(tWDA_CbContext *pWDA)
{
WDI_Status status = WDI_STATUS_SUCCESS ;
+ tWDA_ReqParams *pWdaParams;
+ WDI_ExitImpsReqParamsType *wdiExitImpsReqParams;
+
VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_INFO,
"------> %s " ,__func__);
- status = WDI_ExitImpsReq((WDI_ExitImpsRspCb)WDA_ExitImpsReqCallback, pWDA);
- if(IS_WDI_STATUS_FAILURE(status))
+ wdiExitImpsReqParams = (WDI_ExitImpsReqParamsType *)vos_mem_malloc(
+ sizeof(WDI_ExitImpsReqParamsType));
+ if (NULL == wdiExitImpsReqParams)
{
- if (WDI_STATUS_DEV_INTERNAL_FAILURE == status)
- {
- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
- FL("reload wlan driver"));
- wpalWlanReload();
- }
- else
- {
- VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
- "Failure in Exit IMPS REQ WDI API, free all the memory " );
- WDA_SendMsg(pWDA, WDA_EXIT_IMPS_RSP, NULL , CONVERT_WDI2SIR_STATUS(status)) ;
- }
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "%s: VOS MEM Alloc Failure", __func__);
+ VOS_ASSERT(0);
+ return VOS_STATUS_E_NOMEM;
+ }
+ pWdaParams = (tWDA_ReqParams *)vos_mem_malloc(sizeof(tWDA_ReqParams));
+ if(NULL == pWdaParams)
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "%s: VOS MEM Alloc Failure", __func__);
+ VOS_ASSERT(0);
+ vos_mem_free(wdiExitImpsReqParams);
+ return VOS_STATUS_E_NOMEM;
+ }
+ wdiExitImpsReqParams->wdiReqStatusCB = WDA_ExitImpsReqCallback;
+ wdiExitImpsReqParams->pUserData = pWdaParams;
+
+ /* Store param pointer as passed in by caller */
+ /* store Params pass it to WDI */
+ pWdaParams->wdaWdiApiMsgParam = wdiExitImpsReqParams;
+ pWdaParams->pWdaContext = pWDA;
+ pWdaParams->wdaMsgParam = wdiExitImpsReqParams;
+ status = WDI_ExitImpsReq(wdiExitImpsReqParams,
+ (WDI_ExitImpsRspCb)WDA_ExitImpsRespCallback,
+ pWdaParams);
+ if (IS_WDI_STATUS_FAILURE(status))
+ {
+ VOS_TRACE( VOS_MODULE_ID_WDA, VOS_TRACE_LEVEL_ERROR,
+ "Failure in Exit IMPS REQ WDI API, free all the memory " );
+ vos_mem_free(pWdaParams->wdaWdiApiMsgParam);
+ vos_mem_free(pWdaParams);
+ WDA_SendMsg(pWDA, WDA_EXIT_IMPS_RSP, NULL , CONVERT_WDI2SIR_STATUS(status)) ;
}
return CONVERT_WDI2VOS_STATUS(status) ;
}
diff --git a/CORE/WDI/CP/inc/wlan_qct_wdi.h b/CORE/WDI/CP/inc/wlan_qct_wdi.h
index a9cd910..1cd9fae 100644
--- a/CORE/WDI/CP/inc/wlan_qct_wdi.h
+++ b/CORE/WDI/CP/inc/wlan_qct_wdi.h
@@ -3801,6 +3801,20 @@
}WDI_EnterImpsReqParamsType;
/*---------------------------------------------------------------------------
+ WDI_ExitImpsReqParamsType
+ Exit IMPS parameters passed to WDI from WDA
+----------------------------------------------------------------------------*/
+typedef struct
+{
+ /*Request status callback offered by UMAC */
+ WDI_ReqStatusCb wdiReqStatusCB;
+ /*The user data passed in by UMAC, it will be sent back when the above
+ function pointer will be called */
+ void* pUserData;
+
+}WDI_ExitImpsReqParamsType;
+
+/*---------------------------------------------------------------------------
WDI_EnterBmpsReqParamsType
Enter BMPS parameters passed from WDI to WDA
---------------------------------------------------------------------------*/
@@ -9022,6 +9036,7 @@
WDI_Status
WDI_ExitImpsReq
(
+ WDI_ExitImpsReqParamsType *pwdiExitImpsReqParams,
WDI_ExitImpsRspCb wdiExitImpsRspCb,
void* pUserData
);
diff --git a/CORE/WDI/CP/src/wlan_qct_wdi.c b/CORE/WDI/CP/src/wlan_qct_wdi.c
index dc04d81..9f50dd8 100644
--- a/CORE/WDI/CP/src/wlan_qct_wdi.c
+++ b/CORE/WDI/CP/src/wlan_qct_wdi.c
@@ -3759,6 +3759,7 @@
WDI_Status
WDI_ExitImpsReq
(
+ WDI_ExitImpsReqParamsType *pwdiExitImpsReqParams,
WDI_ExitImpsRspCb wdiExitImpsRspCb,
void* pUserData
)
@@ -3781,8 +3782,8 @@
Fill in Event data and post to the Main FSM
------------------------------------------------------------------------*/
wdiEventData.wdiRequest = WDI_EXIT_IMPS_REQ;
- wdiEventData.pEventData = NULL;
- wdiEventData.uEventDataSize = 0;
+ wdiEventData.pEventData = pwdiExitImpsReqParams;
+ wdiEventData.uEventDataSize = sizeof(*pwdiExitImpsReqParams);
wdiEventData.pCBfnc = wdiExitImpsRspCb;
wdiEventData.pUserData = pUserData;
@@ -13797,13 +13798,16 @@
wpt_uint8* pSendBuffer = NULL;
wpt_uint16 usDataOffset = 0;
wpt_uint16 usSendSize = 0;
+ WDI_ExitImpsReqParamsType *pwdiExitImpsReqParams = NULL;
/*- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - */
/*-------------------------------------------------------------------------
Sanity check
-------------------------------------------------------------------------*/
if (( NULL == pEventData ) ||
- ( NULL == (wdiExitImpsRspCb = (WDI_ExitImpsRspCb)pEventData->pCBfnc)))
+ ( NULL == (wdiExitImpsRspCb = (WDI_ExitImpsRspCb)pEventData->pCBfnc)) ||
+ (NULL == (pwdiExitImpsReqParams =
+ (WDI_ExitImpsReqParamsType*)pEventData->pEventData)))
{
WPAL_TRACE( eWLAN_MODULE_DAL_CTRL, eWLAN_PAL_TRACE_LEVEL_WARN,
"%s: Invalid parameters", __func__);
@@ -13826,7 +13830,8 @@
WDI_ASSERT(0);
return WDI_STATUS_E_FAILURE;
}
-
+ pWDICtx->wdiReqStatusCB = pwdiExitImpsReqParams->wdiReqStatusCB;
+ pWDICtx->pReqStatusUserData = pwdiExitImpsReqParams->pUserData;
/*-------------------------------------------------------------------------
Send Get STA Request to HAL
-------------------------------------------------------------------------*/
@@ -22083,7 +22088,8 @@
WDI_getRespMsgString(pWDICtx->wdiExpectedResponse),
pWDICtx->wdiExpectedResponse);
- wdiStatus = WDI_STATUS_E_FAILURE;
+ wdiStatus = (ret == eWLAN_PAL_STATUS_E_FAILURE) ?
+ WDI_STATUS_DEV_INTERNAL_FAILURE : WDI_STATUS_E_FAILURE;
}
else
{
@@ -22116,8 +22122,10 @@
(wdiStatus) to WDI_STATUS_PENDING. This makes sure that WDA doesnt
end up repeating the functonality in the req callback for the
WDI_STATUS_E_FAILURE case*/
- if (wdiStatus == WDI_STATUS_E_FAILURE)
+ if (wdiStatus != WDI_STATUS_SUCCESS)
+ {
wdiStatus = WDI_STATUS_PENDING;
+ }
}
if ( wdiStatus == WDI_STATUS_SUCCESS )
@@ -22133,10 +22141,6 @@
{
/*Inform upper stack layers that a transport fatal error occurred*/
WDI_DetectedDeviceError(pWDICtx, WDI_ERR_TRANSPORT_FAILURE);
- if (eWLAN_PAL_STATUS_E_FAILURE == ret)
- {
- wdiStatus = WDI_STATUS_DEV_INTERNAL_FAILURE;
- }
}
return wdiStatus;