Fixed not to free ringdump memory in cancel operation

[Analysis]
This is a concurrency issue when the framework calls HalStop operation during RingDump operation for Bugreport.
Context #1 - WifiLegacyHal::stop() => global_func_table_.wifi_cleanup() => wifi_cleanup() => RingDump::cancel() => free(mBuff);
Context #2 - RingDump::handleEvent(GOOGLE_FILE_DUMP_EVENT) => malloc mBuff => freeup(mBuff) => free(mBuff);

possible scenario - RingDump::handleEvent() on #2 => malloc mBuff on #2 => WifiLegacyHal::stop() on #1 => global_func_table_.wifi_cleanup() on #1 => wifi_cleanup() on #1 => RingDump::cancel() on #1=> free(mBuff) on #1 =>  freeup(mBuff) => free(mBuff) on #2;

[Reproduce]
Added sleep() in RingDump:handleEvent() to reproduce.
It will help to make concurrency case easily.

1. "lshal debug android.hardware.wifi@1.6::IWifi >> /dev/null"         # Trigger RingDump
2. During the sleep time, run "kill -9 $(pgrep wpa_supplicant)"        # It will trigger HAL stop operation

The crash signature is the same as the issue Google reported.

[Solution]
the mBuff should be manipulated in RingDump::handleEvent() and RingDump::handleResponse() only.
Need to avoid controlling mBuff in RingDump:cancel().

Bug: 254602785
Test: Passed the way to reproduce.

Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.com>
Change-Id: I206abaf2200d5182de2ff5f0d8850f703279a870

1 files changed, 0 insertions, 3 deletions

diff --git a/bcmdhd/wifi_hal/wifi_logger.cpp b/bcmdhd/wifi_hal/wifi_logger.cpp
index 36f4202..809f1ae 100755
--- a/bcmdhd/wifi_hal/wifi_logger.cpp
+++ b/bcmdhd/wifi_hal/wifi_logger.cpp
@@ -1684,9 +1684,6 @@ public:
                 ring_name[i] = NULL;
             }
         }
-        if (mBuff) {
-            free(mBuff);
-        }
 
         DUMP_INFO(("Stop Ring Dump Successfully Completed, mErrCode = %d\n", mErrCode));
         return WIFI_SUCCESS;