qcacmn: Fix monitor status buffer double free issue

Currently in monitor mode for KIWI, interrupt for RXDMA2HOST is
enabled to process both monitor status srng and montior destination
srng, but low threshold interrupt for monitor status srng is also
enabled. so when available RX buffer in monitor status srng is less
then low threshold, it is possible that two kind of interrupt from
RXDMA2HOST ring and monitor status ring will call
dp_rx_mon_status_process_tlv() in different context and access to
mon_pdev->rx_status_q at the same time, this will lead to skb
double free issue.

solution:
(1) disable RXDMA2HOST srng interrupt in monitor mode.
(2) enable monitor status srng batch count interrupt for monitor
processing.

Change-Id: I1df8830cb7cc55468e5df5e49045c3d96f7c29a8
CRs-Fixed: 3245393

dp/wifi3.0/dp_main.c

@@ -2160,7 +2160,7 @@ static inline bool dp_skip_msi_cfg(struct dp_soc *soc, int ring_type)
 {
 	if (soc->cdp_soc.ol_ops->get_con_mode &&
 	    soc->cdp_soc.ol_ops->get_con_mode() == QDF_GLOBAL_MONITOR_MODE) {
-		if (ring_type == REO_DST)
+		if (ring_type == REO_DST || ring_type == RXDMA_DST)
 			return true;
 	} else if (ring_type == RXDMA_MONITOR_STATUS) {
 		return true;
@@ -2417,20 +2417,6 @@ dp_should_timer_irq_yield(struct dp_soc *soc, uint32_t work_done,
 
 qdf_export_symbol(dp_should_timer_irq_yield);
 
-#ifdef DP_CON_MON_MSI_ENABLED
-static int dp_process_rxdma_dst_ring(struct dp_soc *soc,
-				     struct dp_intr *int_ctx,
-				     int mac_for_pdev,
-				     int total_budget)
-{
-	if (dp_soc_get_con_mode(soc) == QDF_GLOBAL_MONITOR_MODE)
-		return dp_monitor_process(soc, int_ctx, mac_for_pdev,
-					  total_budget);
-	else
-		return dp_rxdma_err_process(int_ctx, soc, mac_for_pdev,
-					    total_budget);
-}
-#else
 static int dp_process_rxdma_dst_ring(struct dp_soc *soc,
 				     struct dp_intr *int_ctx,
 				     int mac_for_pdev,
@@ -2439,7 +2425,6 @@ static int dp_process_rxdma_dst_ring(struct dp_soc *soc,
 	return dp_rxdma_err_process(int_ctx, soc, mac_for_pdev,
 				    total_budget);
 }
-#endif
 
 /**
  * dp_process_lmac_rings() - Process LMAC rings

wlan_cfg/wlan_cfg.c

@@ -2183,11 +2183,28 @@ struct wlan_srng_cfg wlan_srng_rxdma_monitor_buf_cfg = {
 };
 
 /* RXDMA_MONITOR_STATUS ring configuration */
+#ifdef DP_CON_MON_MSI_ENABLED
+/*
+ * Configure batch count threshold as 1 to enable interrupt
+ * when HW updated TP (monitor status buffer DMA is done),
+ * then host could reap monitor status srng. timer threshold
+ * based interrupt is only used for low threshold interrupt which
+ * can not be used for monitor status buffer reaping directly
+ * unless configure low threshold value to a big value, perhaps
+ * (number of entries - 2).
+ */
+struct wlan_srng_cfg wlan_srng_rxdma_monitor_status_cfg = {
+	.timer_threshold = WLAN_CFG_INT_TIMER_THRESHOLD_RX,
+	.batch_count_threshold = 1,
+	.low_threshold = WLAN_CFG_RXDMA_MONITOR_STATUS_RING_SIZE >> 3,
+};
+#else
 struct wlan_srng_cfg wlan_srng_rxdma_monitor_status_cfg = {
 	.timer_threshold = WLAN_CFG_INT_TIMER_THRESHOLD_RX,
 	.batch_count_threshold = 0,
 	.low_threshold = WLAN_CFG_RXDMA_MONITOR_STATUS_RING_SIZE >> 3,
 };
+#endif
 
 /* TX_MONITOR_BUF ring configuration */
 struct wlan_srng_cfg wlan_srng_tx_monitor_buf_cfg = {