From 19707a8b2f2b015e3d95ffb2ced07bc3ef69f3b0 Mon Sep 17 00:00:00 2001
From: Alok Kumar
Date: Wed, 25 Apr 2018 12:37:25 +0530
Subject: [PATCH] qcacld-3.0: Fix null pointer dereference in htt_t2h_lp_msg_handler

Apparently netbufs_ring is initialized only when reordering is not fully offloaded. When a message of type HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND is sent, the driver does not check if reordering is offloaded. Add a check, if reordering is offloaded, when a message of type HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND is sent.

Change-Id: I303b52182d97aa8185c23ccd99c37a97fb75a3d2
CRs-Fixed: 2213216
---
 core/dp/htt/htt_t2h.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/core/dp/htt/htt_t2h.c b/core/dp/htt/htt_t2h.c
index 3740f2b496..1bafeb882e 100644
--- a/core/dp/htt/htt_t2h.c
+++ b/core/dp/htt/htt_t2h.c
@@ -247,6 +247,13 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
 	{
 		uint16_t msdu_cnt;
+		if (!pdev->cfg.is_high_latency &&
+		    pdev->cfg.is_full_reorder_offload) {
+			qdf_print("HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND not ");
+			qdf_print("supported when full reorder offload is ");
+			qdf_print("enabled in the configuration.\n");
+			break;
+		}
 		msdu_cnt = HTT_RX_OFFLOAD_DELIVER_IND_MSDU_CNT_GET(*msg_word);
 		ol_rx_offload_deliver_ind_handler(pdev->txrx_pdev,