samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix regression issue for ipa init failure

Browse Source 
When get length by HTT_WDI_IPA_OP_RESPONSE_RSP_LEN_GET,
the input msg_word needs to shift 4Bytes.
Failure length check will cause ipa uc event without processing.

Regression cause Iddf2df0fd65f5b33b54f1a608cdd34e400c0e03c.

Change-Id: I41a44ae26f84d974cbd3242f4454ec6068d7b68b
CRs-Fixed: 2206296
This commit is contained in:
Jingxiang Ge
2018-03-15 15:47:47 +08:00
committed by nshrivas
parent bf57c2c31e
commit 0b049a8a41
1 changed files with 6 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
core/dp/htt/htt_t2h.c
View File

@@ -512,10 +512,14 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
{ {
uint16_t len; uint16_t len;
int msg_len = qdf_nbuf_len(htt_t2h_msg); int msg_len = qdf_nbuf_len(htt_t2h_msg);
len = HTT_WDI_IPA_OP_RESPONSE_RSP_LEN_GET(*msg_word); len = HTT_WDI_IPA_OP_RESPONSE_RSP_LEN_GET(*(msg_word + 1));
if (sizeof(struct htt_wdi_ipa_op_response_t) + len > msg_len) { if (sizeof(struct htt_wdi_ipa_op_response_t) + len > msg_len) {
qdf_print("Invalid buffer length"); qdf_print("Invalid buffer length,"
"sizeof(struct htt_wdi_ipa_op_response_t) %lu"
"len %d, msg_len %d",
sizeof(struct htt_wdi_ipa_op_response_t),
len, msg_len);
WARN_ON(1); WARN_ON(1);
break; break;
} }