From 333ae2374e2bb3c2a1823f7e828829a4e0ddce37 Mon Sep 17 00:00:00 2001 From: Venkateswara Naralasetty Date: Fri, 15 Jul 2022 11:27:44 +0530 Subject: [PATCH] qcacmn: fix invalid rx desc pool access Only one rx desc pool is used for MCL for Rx data. Pool_id from the SW cookie is used to get the rx desc from the corresponding rx desc pool. Checking pool_id against MAX_RXDESC_POOLS may lead to kernel NULL pointer dereference Since, pool_id other than 0 is not valid for MCL. Fix this issue by checking pool_id against MAX_PDEV_CNT to get the rx desc from rx desc pool. Change-Id: Ib9b152ac2cfe2c16d388aca9e22440fbcdf7fe6c CRs-Fixed: 3244453 --- dp/wifi3.0/dp_rx.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dp/wifi3.0/dp_rx.h b/dp/wifi3.0/dp_rx.h index 52f66b5215..75548d8b05 100644 --- a/dp/wifi3.0/dp_rx.h +++ b/dp/wifi3.0/dp_rx.h @@ -545,7 +545,7 @@ struct dp_rx_desc *dp_get_rx_desc_from_cookie(struct dp_soc *soc, struct rx_desc_pool *rx_desc_pool; union dp_rx_desc_list_elem_t *rx_desc_elem; - if (qdf_unlikely(pool_id >= MAX_RXDESC_POOLS)) + if (qdf_unlikely(pool_id >= MAX_PDEV_CNT)) return NULL; rx_desc_pool = &pool[pool_id];