commit 0c325539a4acb9218957454f8a56275035b884d6
author Madan Mohan Koyyalamudi <c_mkoyya@qca.qualcomm.com> Mon Sep 24 13:24:42 2012 -0700
committer Jeff Johnson <jjohnson@qca.qualcomm.com> Fri Nov 30 13:12:21 2012 -0800
tree 27e26336c7542b8c1a763cf610c8b3a7629f4a10
parent 48e375a7696d40f707e31e43faa8f3a6e98402b6

Wlan: Fix for a double free and recover logic in DXE

DXE rx path frees a buffer which is already freed after a wrong recovery
logic trigger

Change-Id: I67003a2338ad16169e92a6d6131a8c83133a08c4
CR-Fixed: 400621

CORE/DXE/src/wlan_qct_dxe.c

diff --git a/CORE/DXE/src/wlan_qct_dxe.c b/CORE/DXE/src/wlan_qct_dxe.c
index 531b370..b63abb1 100644
--- a/CORE/DXE/src/wlan_qct_dxe.c
+++ b/CORE/DXE/src/wlan_qct_dxe.c
@@ -1638,6 +1638,7 @@
       /* Reap Rx frames */ 
       rx_reaped_buf[frameCount] = currentCtrlBlk->xfrFrame;
       frameCount++;
+      currentCtrlBlk->xfrFrame = NULL;
 
       /* Now try to refill the ring with empty Rx buffers to keep DXE busy */
       dxeRXFrameRefillRing(dxeCtxt,channelEntry);
@@ -1780,6 +1781,7 @@
             frameCount = dxeRXFrameRouteUpperLayer(dxeCtxt, channelEntry);
             HDXE_MSG(eWLAN_MODULE_DAL_DATA, eWLAN_PAL_TRACE_LEVEL_ERROR,
                      "re-sync routed %d frames to upper layer", (int)frameCount);
+            channelEntry->numFragmentCurrentChain = frameCount;
             frameCount = 0;
          }
          /* Successive Empty interrupt