From b7992c3cd5fd10d9c0a91b966ecca9a64656fb7b Mon Sep 17 00:00:00 2001 From: Brian Gix Date: Mon, 22 Jun 2020 11:00:04 -0700 Subject: [PATCH] mesh: Fix memory leak when queuing OB pkts rapidly If a new packet for outbound delivery is queued during the last transmission of the only other packet being sent, the prior packet got forgotten and leaked. This fix correctly deletes the prior packet, but also makes sure it is given the proper oportunity for transmission. --- mesh/mesh-io-generic.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/mesh/mesh-io-generic.c b/mesh/mesh-io-generic.c index 7a4008bd9..86952516e 100644 --- a/mesh/mesh-io-generic.c +++ b/mesh/mesh-io-generic.c @@ -569,6 +569,9 @@ static void send_pkt(struct mesh_io_private *pvt, struct tx_pkt *tx, { struct bt_hci_cmd_le_set_adv_enable cmd; + if (pvt->tx && pvt->tx->delete) + l_free(pvt->tx); + pvt->tx = tx; pvt->interval = interval; @@ -583,7 +586,7 @@ static void send_pkt(struct mesh_io_private *pvt, struct tx_pkt *tx, set_send_adv_params, pvt, NULL); } -static void tx_timeout(struct l_timeout *timeout, void *user_data) +static void tx_to(struct l_timeout *timeout, void *user_data) { struct mesh_io_private *pvt = user_data; struct tx_pkt *tx; @@ -616,8 +619,9 @@ static void tx_timeout(struct l_timeout *timeout, void *user_data) send_pkt(pvt, tx, ms); if (count == 1) { - /* send_pkt will delete when done */ + /* Recalculate wakeup if we are responding to POLL */ tx = l_queue_peek_head(pvt->tx_pkts); + if (tx && tx->info.type == MESH_IO_TIMING_TYPE_POLL_RSP) { ms = instant_remaining_ms(tx->info.u.poll_rsp.instant + tx->info.u.poll_rsp.delay); @@ -629,8 +633,7 @@ static void tx_timeout(struct l_timeout *timeout, void *user_data) pvt->tx_timeout = timeout; l_timeout_modify_ms(timeout, ms); } else - pvt->tx_timeout = l_timeout_create_ms(ms, tx_timeout, - pvt, NULL); + pvt->tx_timeout = l_timeout_create_ms(ms, tx_to, pvt, NULL); } static void tx_worker(void *user_data) @@ -679,12 +682,11 @@ static void tx_worker(void *user_data) } if (!delay) - tx_timeout(pvt->tx_timeout, pvt); + tx_to(pvt->tx_timeout, pvt); else if (pvt->tx_timeout) l_timeout_modify_ms(pvt->tx_timeout, delay); else - pvt->tx_timeout = l_timeout_create_ms(delay, tx_timeout, - pvt, NULL); + pvt->tx_timeout = l_timeout_create_ms(delay, tx_to, pvt, NULL); } static bool send_tx(struct mesh_io *io, struct mesh_io_send_info *info, @@ -698,8 +700,6 @@ static bool send_tx(struct mesh_io *io, struct mesh_io_send_info *info, return false; tx = l_new(struct tx_pkt, 1); - if (!tx) - return false; memcpy(&tx->info, info, sizeof(tx->info)); memcpy(&tx->pkt, data, len); @@ -708,7 +708,11 @@ static bool send_tx(struct mesh_io *io, struct mesh_io_send_info *info, if (info->type == MESH_IO_TIMING_TYPE_POLL_RSP) l_queue_push_head(pvt->tx_pkts, tx); else { - sending = !l_queue_isempty(pvt->tx_pkts); + if (pvt->tx) + sending = true; + else + sending = !l_queue_isempty(pvt->tx_pkts); + l_queue_push_tail(pvt->tx_pkts, tx); } -- 2.47.3