From 3717379f00f314ee2c3a2e61c7ebcfc02ffbe6c3 Mon Sep 17 00:00:00 2001
From: Frank Liu
Date: Mon, 31 Jul 2017 17:55:06 +0800
Subject: [PATCH] qcacld-3.0: Fix invalid tx_desc access
Wrong to pass parameter by value so caller doesn't get the real allocated tx_desc. The fix is to let ol_tx_prepare_ll return the allocated tx_desc or NULL if fail.
Change-Id: Ic3910e45c02290ebd74766aa8f88902044decaa6
CRs-Fixed: 2084824
---
 core/dp/txrx/ol_tx.c | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/core/dp/txrx/ol_tx.c b/core/dp/txrx/ol_tx.c
index 4192c4dbb1..0ed5376d17 100644
--- a/core/dp/txrx/ol_tx.c
+++ b/core/dp/txrx/ol_tx.c
@@ -70,10 +70,12 @@ int ce_send_fast(struct CE_handle *copyeng, qdf_nbuf_t msdu,
 * succeeds, that guarantees that the target has room to accept
 * the new tx frame.
 */
-static inline qdf_nbuf_t ol_tx_prepare_ll(struct ol_tx_desc_t *tx_desc,
- ol_txrx_vdev_handle vdev, qdf_nbuf_t msdu,
- struct ol_txrx_msdu_info_t *msdu_info)
+static struct ol_tx_desc_t *
+ol_tx_prepare_ll(ol_txrx_vdev_handle vdev,
+ qdf_nbuf_t msdu,
+ struct ol_txrx_msdu_info_t *msdu_info)
 {
+ struct ol_tx_desc_t *tx_desc;
 struct ol_txrx_pdev_t *pdev = vdev->pdev;
 (msdu_info)->htt.info.frame_type = pdev->htt_pkt_type;
@@ -88,10 +90,10 @@ static inline qdf_nbuf_t ol_tx_prepare_ll(struct ol_tx_desc_t *tx_desc,
 vdev, msdu_info, true);
 TXRX_STATS_MSDU_LIST_INCR(
 pdev, tx.dropped.host_reject, msdu);
- return msdu; /* the list of unaccepted MSDUs */
+ return NULL;
 }
- return NULL;
+ return tx_desc;
 }
 #if defined(FEATURE_TSO)
@@ -421,7 +423,8 @@ qdf_nbuf_t ol_tx_ll(ol_txrx_vdev_handle vdev, qdf_nbuf_t msdu_list)
 segments--;
- if (ol_tx_prepare_ll(tx_desc, vdev, msdu, &msdu_info))
+ tx_desc = ol_tx_prepare_ll(vdev, msdu, &msdu_info);
+ if (!tx_desc)
 return msdu;
 /*
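Review bot: The comment block above ol_tx_prepare_ll (@@ -70; only its last three lines are inside the hunk) is left as it was although the return contract is reversed: the old function returned the rejected `msdu` on failure and NULL on success, the new one returns the descriptor on success and NULL on failure. That comment should state this, for example `* Return: the allocated tx descriptor, or NULL if the frame was rejected; the caller then returns msdu as unaccepted`, which also keeps what the deleted `/* the list of unaccepted MSDUs */` at @@ -88 recorded. The `inline` qualifier is dropped as well without a word in the description, so it is worth confirming that this is intended. The function body continues between the two hunks and is not fully visible here.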
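Review bot: In ol_tx_ll at @@ -421 the local `tx_desc` is declared outside the hunk, and the same holds for the callers at @@ -484, @@ -1296 and @@ -2022. If that declaration has no initialiser, the bug fixed here meant the pointer was used with whatever the stack held, for instance in `tx_desc->htt_tx_desc` in ol_tx_reinject. Declaring it as `struct ol_tx_desc_t *tx_desc = NULL;` in each caller would make any later regression of this kind fault on a NULL pointer instead of accessing memory through a stale value. If the kernel's `__must_check` is usable in this file, putting it on ol_tx_prepare_ll would additionally turn an ignored return value into a build warning.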
@@ -484,7 +487,8 @@ qdf_nbuf_t ol_tx_ll(ol_txrx_vdev_handle vdev, qdf_nbuf_t msdu_list)
 msdu_info.htt.info.ext_tid = qdf_nbuf_get_tid(msdu);
 msdu_info.peer = NULL;
- if (ol_tx_prepare_ll(tx_desc, vdev, msdu, &msdu_info))
+ tx_desc = ol_tx_prepare_ll(vdev, msdu, &msdu_info);
+ if (!tx_desc)
 return msdu;
 TXRX_STATS_MSDU_INCR(vdev->pdev, tx.from_stack, msdu);
@@ -1296,7 +1300,8 @@ ol_tx_non_std_ll(struct ol_txrx_vdev_t *vdev,
 msdu_info.peer = NULL;
 msdu_info.tso_info.is_tso = 0;
- if (ol_tx_prepare_ll(tx_desc, vdev, msdu, &msdu_info))
+ tx_desc = ol_tx_prepare_ll(vdev, msdu, &msdu_info);
+ if (!tx_desc)
 return msdu;
 /*
@@ -2022,7 +2027,8 @@ qdf_nbuf_t ol_tx_reinject(struct ol_txrx_vdev_t *vdev,
 msdu_info.htt.action.tx_comp_req = 0;
 msdu_info.tso_info.is_tso = 0;
- if (ol_tx_prepare_ll(tx_desc, vdev, msdu, &msdu_info))
+ tx_desc = ol_tx_prepare_ll(vdev, msdu, &msdu_info);
+ if (!tx_desc)
 return msdu;
 HTT_TX_DESC_POSTPONED_SET(*((uint32_t *) (tx_desc->htt_tx_desc)), true);