qcacmn: Set local rx_desc list head to NULL
The issue sceanrio is as follows: 1) Packets are received in the rx exception ring and the rx_descs processed are put into the pdev rx_desc freelist. 2) In the buffers replenish path, the above pdev rx_desc freelist, on nbuf allocation or map error, is moved to the soc rx_desc_pool freelist. The tail of the pdev rx_desc freelist is set to NULL but not the head. 3) On receiving packets in the rx exception ring post above, the new rx_desc are added to the pdev rx_desc freelist but since the head of the list was not NULL prior to this, the tail of the new list will have its next pointing to the previous stale rx_desc list which is already moved to the soc rx_desc_pool list. 4) In the replenish path, the buffers would be replenished till tail of the new list but the desc_list would point to the same aforementioned stale rx_desc list instead of NULL. So even though replenish is successful, the desc_list check to add the list back to soc rx_desc_pool freelist would be true. This would cause next pointer of the tail and in effect the nbuf pointer of the rx_desc pointed by tail to get updated. 5) On receiving the rx_desc mentioned in the previous step, nbuf sanity check fails since nbuf address is pointing to another rx_desc. Fix is to set the local_desc_list also to NULL in dp_rx_add_desc_list_to_free_list. Change-Id: I984a4c122592547492b9d9625a71c0a90142b442 CRs-Fixed: 2704771
This commit is contained in:
Yeshwanth Sriram Guntuka
committed by
nshrivas
nshrivas
부모
80a5429aa1
커밋
261d19bcb4
@@ -446,6 +446,7 @@ void dp_rx_add_desc_list_to_free_list(struct dp_soc *soc,
|
||||
rx_desc_pool->freelist = *local_desc_list;
|
||||
(*tail)->next = temp_list;
|
||||
*tail = NULL;
|
||||
*local_desc_list = NULL;
|
||||
|
||||
qdf_spin_unlock_bh(&rx_desc_pool->lock);
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user