Accueil Explorer Aide
Connexion
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Parcourir la source

qcacld-3.0: Fix invalid tx_desc access

Wrong to pass parameter by value so caller doesn't get the real allocated
tx_desc. The fix is to let ol_tx_prepare_ll return the allocated tx_desc
or NULL if fail.

Change-Id: Ic3910e45c02290ebd74766aa8f88902044decaa6
CRs-Fixed: 2084824
Frank Liu il y a 7 ans
Parent
11c1928f86
commit
3717379f00
1 fichiers modifiés avec 15 ajouts et 9 suppressions
Vue séparée Afficher les stats Diff
  1. 15 9
      core/dp/txrx/ol_tx.c

+ 15 - 9
core/dp/txrx/ol_tx.c
Voir le fichier 

@@ -70,10 +70,12 @@ int ce_send_fast(struct CE_handle *copyeng, qdf_nbuf_t msdu,
 
  * succeeds, that guarantees that the target has room to accept
 
  * the new tx frame.
 
  */
 
-static inline qdf_nbuf_t ol_tx_prepare_ll(struct ol_tx_desc_t *tx_desc,
 
-			ol_txrx_vdev_handle vdev, qdf_nbuf_t msdu,
 
-			struct ol_txrx_msdu_info_t *msdu_info)
 
+static struct ol_tx_desc_t *
 
+ol_tx_prepare_ll(ol_txrx_vdev_handle vdev,
 
+		 qdf_nbuf_t msdu,
 
+		 struct ol_txrx_msdu_info_t *msdu_info)
 
 {
 
+	struct ol_tx_desc_t *tx_desc;
 
 	struct ol_txrx_pdev_t *pdev = vdev->pdev;
 
 
 	(msdu_info)->htt.info.frame_type = pdev->htt_pkt_type;
 
@@ -88,10 +90,10 @@ static inline qdf_nbuf_t ol_tx_prepare_ll(struct ol_tx_desc_t *tx_desc,
 
 					vdev, msdu_info, true);
 
 		TXRX_STATS_MSDU_LIST_INCR(
 
 				pdev, tx.dropped.host_reject, msdu);
 
-		return msdu; /* the list of unaccepted MSDUs */
 
+		return NULL;
 
 	}
 
 
-	return NULL;
 
+	return tx_desc;
 
 }
 
 
 #if defined(FEATURE_TSO)
 
@@ -421,7 +423,8 @@ qdf_nbuf_t ol_tx_ll(ol_txrx_vdev_handle vdev, qdf_nbuf_t msdu_list)
 
 
 			segments--;
 
 
-			if (ol_tx_prepare_ll(tx_desc, vdev, msdu, &msdu_info))
 
+			tx_desc = ol_tx_prepare_ll(vdev, msdu, &msdu_info);
 
+			if (!tx_desc)
 
 				return msdu;
 
 
 			/*
 
@@ -484,7 +487,8 @@ qdf_nbuf_t ol_tx_ll(ol_txrx_vdev_handle vdev, qdf_nbuf_t msdu_list)
 
 
 		msdu_info.htt.info.ext_tid = qdf_nbuf_get_tid(msdu);
 
 		msdu_info.peer = NULL;
 
-		if (ol_tx_prepare_ll(tx_desc, vdev, msdu, &msdu_info))
 
+		tx_desc = ol_tx_prepare_ll(vdev, msdu, &msdu_info);
 
+		if (!tx_desc)
 
 			return msdu;
 
 
 		TXRX_STATS_MSDU_INCR(vdev->pdev, tx.from_stack, msdu);
 
@@ -1296,7 +1300,8 @@ ol_tx_non_std_ll(struct ol_txrx_vdev_t *vdev,
 
 		msdu_info.peer = NULL;
 
 		msdu_info.tso_info.is_tso = 0;
 
 
-		if (ol_tx_prepare_ll(tx_desc, vdev, msdu, &msdu_info))
 
+		tx_desc = ol_tx_prepare_ll(vdev, msdu, &msdu_info);
 
+		if (!tx_desc)
 
 			return msdu;
 
 
 		/*
 
@@ -2022,7 +2027,8 @@ qdf_nbuf_t ol_tx_reinject(struct ol_txrx_vdev_t *vdev,
 
 	msdu_info.htt.action.tx_comp_req = 0;
 
 	msdu_info.tso_info.is_tso = 0;
 
 
-	if (ol_tx_prepare_ll(tx_desc, vdev, msdu, &msdu_info))
 
+	tx_desc = ol_tx_prepare_ll(vdev, msdu, &msdu_info);
 
+	if (!tx_desc)
 
 		return msdu;
 
 
 	HTT_TX_DESC_POSTPONED_SET(*((uint32_t *) (tx_desc->htt_tx_desc)), true);