From 5adc058835e8ab9d71d08d2fd2351a9d38f1d0fd Mon Sep 17 00:00:00 2001
From: Orhan K AKYILDIZ <oka@codeaurora.org>
Date: Tue, 4 Apr 2017 19:10:26 -0700
Subject: [PATCH] qcacmn: Add boundary check on TSO segments

In the error-path execution stream where number of tso segments
in a tso_descriptor, there was an assumption that the number would
be > 0 (normal case is 2). When it is zero, a segment at a wrong
index (-1=> (4M-1)) was being unmapped, which was a bad access.
Add code to make sure that the index in question is in the range.
Need still to understand the reason why num_segs were smaller (0)
then expected (2).

Change-Id: I5d6e16f48f29c98cfb2191cf497f4203ea56a78f
CRs-Fixed: 2028808
---
 qdf/linux/src/qdf_nbuf.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/qdf/linux/src/qdf_nbuf.c b/qdf/linux/src/qdf_nbuf.c
index 3ea668f21e..3de7c0a971 100644
--- a/qdf/linux/src/qdf_nbuf.c
+++ b/qdf/linux/src/qdf_nbuf.c
@@ -1944,7 +1944,10 @@ void __qdf_nbuf_unmap_tso_segment(qdf_device_t osdev,
 			  struct qdf_tso_seg_elem_t *tso_seg,
 			  bool is_last_seg)
 {
-	uint32_t num_frags = tso_seg->seg.num_frags - 1;
+	uint32_t num_frags = 0;
+
+	if (tso_seg->seg.num_frags > 0)
+		num_frags = tso_seg->seg.num_frags - 1;
 
 	/*Num of frags in a tso seg cannot be less than 2 */
 	if (num_frags < 1) {