qcacmn: rx desc sanity for reo error entry

Same cookie was provided in REO srng and REO exception
ring. As a result, NULL pointer dereference occurred in
dp_rx_reo_err_entry_process.
To fix this, adding nbuf paddr sanity check in
function dp_rx_reo_err_entry_process.

CRs-Fixed: 2892345
Change-Id: Ie359921d8a270a3428b8286792941e84b0c68425

dp/wifi3.0/dp_rx_err.c

@@ -539,6 +539,7 @@ dp_rx_reo_err_entry_process(struct dp_soc *soc,
 	qdf_nbuf_t head_nbuf = NULL;
 	qdf_nbuf_t tail_nbuf = NULL;
 	uint16_t msdu_processed = 0;
+	bool ret;
 
 	peer_id = DP_PEER_METADATA_PEER_ID_GET(
 					mpdu_desc_info->peer_meta_data);
@@ -557,6 +558,14 @@ more_msdu_link_desc:
 		pdev = dp_get_pdev_for_lmac_id(soc, rx_desc->pool_id);
 
 		nbuf = rx_desc->nbuf;
+		ret = dp_rx_desc_paddr_sanity_check(rx_desc,
+						    msdu_list.paddr[i]);
+		if (!ret) {
+			DP_STATS_INC(soc, rx.err.nbuf_sanity_fail, 1);
+			rx_desc->in_err_state = 1;
+			continue;
+		}
+
 		rx_desc_pool = &soc->rx_desc_buf[rx_desc->pool_id];
 		dp_ipa_handle_rx_buf_smmu_mapping(soc, nbuf,
 						  rx_desc_pool->buf_size,