Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3455eeae authored by Ananya Gupta's avatar Ananya Gupta Committed by Gerrit - the friendly Code Review server
Browse files

qcacmn: rx desc sanity for reo error entry 

Same cookie was provided in REO srng and REO exception
ring. As a result, NULL pointer dereference occurred in
dp_rx_reo_err_entry_process.
To fix this, adding nbuf paddr sanity check in
function dp_rx_reo_err_entry_process.

CRs-Fixed: 2892345
Change-Id: Ie359921d8a270a3428b8286792941e84b0c68425
parent 883d041d

dp/wifi3.0/dp_rx_err.c

+9 −0
Original line number Diff line number Diff line
@@ -557,6 +557,7 @@ dp_rx_reo_err_entry_process(struct dp_soc *soc, 
	qdf_nbuf_t head_nbuf = NULL;

	qdf_nbuf_t tail_nbuf = NULL;

	uint16_t msdu_processed = 0;

	bool ret;



	peer_id = DP_PEER_METADATA_PEER_ID_GET(

					mpdu_desc_info->peer_meta_data);
@@ -575,6 +576,14 @@ dp_rx_reo_err_entry_process(struct dp_soc *soc, 
		pdev = dp_get_pdev_for_lmac_id(soc, rx_desc->pool_id);



		nbuf = rx_desc->nbuf;

		ret = dp_rx_desc_paddr_sanity_check(rx_desc,

						    msdu_list.paddr[i]);

		if (!ret) {

			DP_STATS_INC(soc, rx.err.nbuf_sanity_fail, 1);

			rx_desc->in_err_state = 1;

			continue;

		}



		rx_desc_pool = &soc->rx_desc_buf[rx_desc->pool_id];

		dp_ipa_handle_rx_buf_smmu_mapping(soc, nbuf,

						  rx_desc_pool->buf_size,