qcacmn: fix RX desc is using but freed back to pool

Crash scenario: (1) frag data A is dropped and related RX desc A is replenished and reused, but pdev->free_list_tail is still pointed to RX desc A. (2) frag data B/C is coming, defrag fails then pdev->free_list_head will point to B-->C RX desc, but pdev->free_list_tail still point to A. (3) for defrag failing case, host only will replenish 1 RX buffer for current case, RX desc B is replenished, while C will be free back to RX desc pool. (4) dp_rx_add_desc_list_to_free_list will set RX desc A-->next = free_list, free_list point to C insted. (5) when step (1) RX desc A replenished buffer indicated to host by REO2Dst ring, RX desc A -->nbuf actually is pointed to another RX desc, invalid skb accessing will happen. Solution: a. reset tail pointer in dp_rx_add_desc_list_to_free_list at last. b. reset tail pointer same as head in dp_rx_add_to_free_desc_list if head->next is NULL. c. set correct rx_bufs number for replenish when dp_rx_defrag fails. Change-Id: Ib297baea3605a09dd7d85d1f5ceb95db48a2e1f1 CRs-Fixed: 2603676
2020-01-16 19:52:41 +08:00
commit 3222184e14
--- a/dp/wifi3.0/dp_rx_desc.c
+++ b/dp/wifi3.0/dp_rx_desc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2020 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -331,6 +331,7 @@ void dp_rx_add_desc_list_to_free_list(struct dp_soc *soc,
 	temp_list, *local_desc_list, *tail, (*tail)->next);
 	rx_desc_pool->freelist = *local_desc_list;
 	(*tail)->next = temp_list;
+	*tail = NULL;

 	qdf_spin_unlock_bh(&rx_desc_pool->lock);
 }