qcacmn: fix invalid accessing to rx_tlv_hdr due to scattered msdu

long length msdu is received and looks this msdu is spread across
multiple nbufs, there is no corresbonding logic for this case.
qdf_set_pkt_len will invoke pskb_expand_head to renew skb->head
buffer, but the rx_tlv_hdr is still pointed to original skb->data
buffer, invalid accessing will happen.
  As a WAR, drop this msdu related nbufs after dp_rx_sg_create is done.

Change-Id: Iceb09fd04e4d768325018a8ddd4261ab4f75991a
CRs-Fixed: 2597927
This commit is contained in:
Jinwei Chen
2020-01-14 13:52:06 +08:00
committed by nshrivas
parent f6485c72bb
commit 0b92469595
4 changed files with 53 additions and 22 deletions

View File

@@ -497,14 +497,13 @@ dp_rx_wbm_err_process(struct dp_intr *int_ctx, struct dp_soc *soc,
* dp_rx_sg_create() - create a frag_list for MSDUs which are spread across
* multiple nbufs.
* @nbuf: pointer to the first msdu of an amsdu.
* @rx_tlv_hdr: pointer to the start of RX TLV headers.
*
* This function implements the creation of RX frag_list for cases
* where an MSDU is spread across multiple nbufs.
*
* Return: returns the head nbuf which contains complete frag_list.
*/
qdf_nbuf_t dp_rx_sg_create(qdf_nbuf_t nbuf, uint8_t *rx_tlv_hdr);
qdf_nbuf_t dp_rx_sg_create(qdf_nbuf_t nbuf);
/*
* dp_rx_desc_pool_alloc() - create a pool of software rx_descs