Kezdőlap Felfedezés Súgó
Bejelentkezés
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Másolás 0
Fájlok Problémák 0 Beolvasztási kérések 0 Wiki
Forráskód Böngészése

qcacld-3.0: Fix potential BUG_ON in the htt_rx_offload_msdu_pop_ll

qcacld-2.0 to qcacld-3.0 propagation

For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If set the msdu_cnt to a negative value,
or be greater than the number of current elements in the queue, the loop
will execute lots of times in ol_rx_offload_deliver_ind_handler, the
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
low latency solution.

Change the msdu_cnt type from signed to unsigned and add the validity
msdu_cnt checking will fix this issue.

Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461
Tiger Yu 7 éve
szülő
ab09ed083c
commit
6211cd7436
5 módosított fájl, 43 hozzáadás és 3 törlés
Osztott Nézet Diff Statisztika Mutatása
  1. 20 0
      core/dp/htt/htt_rx.c
  2. 1 1
      core/dp/htt/htt_t2h.c
  3. 9 0
      core/dp/ol/inc/ol_htt_rx_api.h
  4. 1 1
      core/dp/ol/inc/ol_txrx_htt_api.h
  5. 12 1
      core/dp/txrx/ol_rx.c

+ 20 - 0
core/dp/htt/htt_rx.c
Fájl Megtekintése 

@@ -1472,6 +1472,13 @@ htt_rx_frag_pop_hl(
 
 	return 0;
 
 }
 
 
+static inline int
 
+htt_rx_offload_msdu_cnt_hl(
 
+    htt_pdev_handle pdev)
 
+{
 
+    return 1;
 
+}
 
+
 
 static inline int
 
 htt_rx_offload_msdu_pop_hl(htt_pdev_handle pdev,
 
 			   qdf_nbuf_t offload_deliver_msg,
 
@@ -1518,6 +1525,13 @@ htt_rx_offload_msdu_pop_hl(htt_pdev_handle pdev,
 
 }
 
 #endif
 
 
+static inline int
 
+htt_rx_offload_msdu_cnt_ll(
 
+    htt_pdev_handle pdev)
 
+{
 
+    return htt_rx_ring_elems(pdev);
 
+}
 
+
 
 static int
 
 htt_rx_offload_msdu_pop_ll(htt_pdev_handle pdev,
 
 			   qdf_nbuf_t offload_deliver_msg,
 
@@ -2856,6 +2870,10 @@ int (*htt_rx_frag_pop)(htt_pdev_handle pdev,
 
 		       qdf_nbuf_t *head_msdu, qdf_nbuf_t *tail_msdu,
 
 		       uint32_t *msdu_count);
 
 
+int
 
+(*htt_rx_offload_msdu_cnt)(
 
+    htt_pdev_handle pdev);
 
+
 
 int
 
 (*htt_rx_offload_msdu_pop)(htt_pdev_handle pdev,
 
 			   qdf_nbuf_t offload_deliver_msg,
 
@@ -3525,6 +3543,7 @@ int htt_rx_attach(struct htt_pdev_t *pdev)
 
 	pdev->rx_ring.base_paddr = 0;
 
 	htt_rx_amsdu_pop = htt_rx_amsdu_pop_hl;
 
 	htt_rx_frag_pop = htt_rx_frag_pop_hl;
 
+	htt_rx_offload_msdu_cnt = htt_rx_offload_msdu_cnt_hl;
 
 	htt_rx_offload_msdu_pop = htt_rx_offload_msdu_pop_hl;
 
 	htt_rx_mpdu_desc_list_next = htt_rx_mpdu_desc_list_next_hl;
 
 	htt_rx_mpdu_desc_retry = htt_rx_mpdu_desc_retry_hl;
 
@@ -3670,6 +3689,7 @@ int htt_rx_attach(struct htt_pdev_t *pdev)
 
 	if (cds_get_conparam() == QDF_GLOBAL_MONITOR_MODE)
 
 		htt_rx_amsdu_pop = htt_rx_mon_amsdu_rx_in_order_pop_ll;
 
 
+	htt_rx_offload_msdu_cnt = htt_rx_offload_msdu_cnt_ll;
 
 	htt_rx_offload_msdu_pop = htt_rx_offload_msdu_pop_ll;
 
 	htt_rx_mpdu_desc_retry = htt_rx_mpdu_desc_retry_ll;
 
 	htt_rx_mpdu_desc_seq_num = htt_rx_mpdu_desc_seq_num_ll;

+ 1 - 1
core/dp/htt/htt_t2h.c
Fájl Megtekintése 

@@ -254,7 +254,7 @@ static void htt_t2h_lp_msg_handler(void *context, qdf_nbuf_t htt_t2h_msg,
 
 	}
 
 	case HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND:
 
 	{
 
-		int msdu_cnt;
 
+		uint16_t msdu_cnt;
 
 
 		msdu_cnt =
 
 			HTT_RX_OFFLOAD_DELIVER_IND_MSDU_CNT_GET(*msg_word);

+ 9 - 0
core/dp/ol/inc/ol_htt_rx_api.h
Fájl Megtekintése 

@@ -664,6 +664,15 @@ extern int
 
 		   qdf_nbuf_t *head_msdu, qdf_nbuf_t *tail_msdu,
 
 		   uint32_t *msdu_count);
 
 
+/**
 
+ * @brief Return the maximum number of available msdus currently
 
+ *
 
+ * @param pdev - the HTT instance the rx data was received on
 
+ */
 
+extern int
 
+(*htt_rx_offload_msdu_cnt)(
 
+    htt_pdev_handle pdev);
 
+
 
 /**
 
  * @brief Return a linked list of buffers holding one MSDU
 
  *  In some systems the buffers are delivered along with offload delivery

+ 1 - 1
core/dp/ol/inc/ol_txrx_htt_api.h
Fájl Megtekintése 

@@ -420,7 +420,7 @@ void ol_rx_frag_indication_handler(ol_txrx_pdev_handle pdev,
 
  */
 
 void
 
 ol_rx_offload_deliver_ind_handler(ol_txrx_pdev_handle pdev,
 
-				  qdf_nbuf_t msg, int msdu_cnt);
 
+				  qdf_nbuf_t msg, uint16_t msdu_cnt);
 
 
 /**
 
  * @brief Process a peer map message sent by the target.

+ 12 - 1
core/dp/txrx/ol_rx.c
Fájl Megtekintése 

@@ -920,7 +920,7 @@ ol_rx_inspect(struct ol_txrx_vdev_t *vdev,
 
 
 void
 
 ol_rx_offload_deliver_ind_handler(ol_txrx_pdev_handle pdev,
 
-				  qdf_nbuf_t msg, int msdu_cnt)
 
+				  qdf_nbuf_t msg, uint16_t msdu_cnt)
 
 {
 
 	int vdev_id, peer_id, tid;
 
 	qdf_nbuf_t head_buf, tail_buf, buf;
 
@@ -928,6 +928,17 @@ ol_rx_offload_deliver_ind_handler(ol_txrx_pdev_handle pdev,
 
 	uint8_t fw_desc;
 
 	htt_pdev_handle htt_pdev = pdev->htt_pdev;
 
 
+	if (msdu_cnt > htt_rx_offload_msdu_cnt(htt_pdev)) {
 
+		ol_txrx_err("%s: invalid msdu_cnt=%u\n",
 
+			__func__,
 
+			msdu_cnt);
 
+
 
+		if (pdev->cfg.is_high_latency)
 
+			htt_rx_desc_frame_free(htt_pdev, msg);
 
+
 
+		return;
 
+	}
 
+
 
 	while (msdu_cnt) {
 
 		if (!htt_rx_offload_msdu_pop(htt_pdev, msg, &vdev_id, &peer_id,
 
 					&tid, &fw_desc, &head_buf, &tail_buf)) {