qcacmn: fix dp_rx_defrag_add_last_frag peer tid array invalid access

In some case, HW will fill in unexpected peer_id into RX PKT TLV,
if this peer_id related peer is valid by coincidence, but actually
this peer won't do dp_peer_rx_init(like SAP Vdev self peer),
then invalid accessing to peer rx tid will happen.

do SW WAR that add checking about peer tid array, if not initialed,
free the rx nbuf.

Change-Id: Icf196b4f92eb341e1ace5128c681d24c41dff6cd
CRs-Fixed: 2468537

dp/wifi3.0/dp_rx_defrag.c

@@ -1702,7 +1702,7 @@ uint32_t dp_rx_frag_handle(struct dp_soc *soc, void *ring_desc,
 
 QDF_STATUS dp_rx_defrag_add_last_frag(struct dp_soc *soc,
 				      struct dp_peer *peer, uint16_t tid,
-		uint16_t rxseq, qdf_nbuf_t nbuf)
+				      uint16_t rxseq, qdf_nbuf_t nbuf)
 {
 	struct dp_rx_tid *rx_tid = &peer->rx_tid[tid];
 	struct dp_rx_reorder_array_elem *rx_reorder_array_elem;
@@ -1712,6 +1712,22 @@ QDF_STATUS dp_rx_defrag_add_last_frag(struct dp_soc *soc,
 
 	rx_reorder_array_elem = peer->rx_tid[tid].array;
 
+	/*
+	 * HW may fill in unexpected peer_id in RX PKT TLV,
+	 * if this peer_id related peer is valid by coincidence,
+	 * but actually this peer won't do dp_peer_rx_init(like SAP vdev
+	 * self peer), then invalid access to rx_reorder_array_elem happened.
+	 */
+	if (!rx_reorder_array_elem) {
+		dp_verbose_debug(
+			"peer id:%d mac:" QDF_MAC_ADDR_STR "drop rx frame!",
+			peer->peer_ids[0],
+			QDF_MAC_ADDR_ARRAY(peer->mac_addr.raw));
+		DP_STATS_INC(soc, rx.err.defrag_peer_uninit, 1);
+		qdf_nbuf_free(nbuf);
+		goto fail;
+	}
+
 	if (rx_reorder_array_elem->head &&
 	    rxseq != rx_tid->curr_seq_num) {
 		/* Drop stored fragments if out of sequence