From dbf2ff57bcda5508c690a7870408be30601f3e49 Mon Sep 17 00:00:00 2001
From: Sravan Goud
Date: Fri, 7 Feb 2020 08:12:08 +0530
Subject: [PATCH] qcacmn: Do not process rxdma err decrypt frames

Do not process or drop rxdma error decrpt frames. In case of decrypt error the decryption is not proper and Rx OLE gets corrupted bytes. So accessing these can lead to invalid buffers.
Change-Id: Idb3f942facf08fc26bde0fd9826db28955ca01d5
CRs-Fixed: 2613068
---
 dp/wifi3.0/dp_rx.h | 18 ------------------
 dp/wifi3.0/dp_rx_err.c | 28 ++++++++++++++++++++++++----
 2 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/dp/wifi3.0/dp_rx.h b/dp/wifi3.0/dp_rx.h
index 365dc2e944..286989d5cc 100644
--- a/dp/wifi3.0/dp_rx.h
+++ b/dp/wifi3.0/dp_rx.h
@@ -1071,24 +1071,6 @@ static inline void dp_rx_desc_prep(struct dp_rx_desc *rx_desc, qdf_nbuf_t nbuf)
 }
 #endif /* RX_DESC_DEBUG_CHECK */
-#ifdef RXDMA_ERR_PKT_DROP
-/**
- * dp_rxdma_err_nbuf_drop(): Function to drop rxdma err frame
- * @nbuf: buffer pointer
- *
- * return: bool: true if RXDMA_ERR_PKT_DROP is enabled
- */
-static inline bool dp_rxdma_err_nbuf_drop(void)
-{
- return true;
-}
-#else
-static inline bool dp_rxdma_err_nbuf_drop(void)
-{
- return false;
-}
-#endif
-
 void dp_rx_process_rxdma_err(struct dp_soc *soc, qdf_nbuf_t nbuf, uint8_t *rx_tlv_hdr, struct dp_peer *peer, uint8_t err_code, uint8_t mac_id);
diff --git a/dp/wifi3.0/dp_rx_err.c b/dp/wifi3.0/dp_rx_err.c
index 01fd722151..1a3abb9506 100644
--- a/dp/wifi3.0/dp_rx_err.c
+++ b/dp/wifi3.0/dp_rx_err.c
@@ -951,10 +951,6 @@ dp_rx_process_rxdma_err(struct dp_soc *soc, qdf_nbuf_t nbuf,
 hal_rx_dump_pkt_tlvs(soc->hal_soc, rx_tlv_hdr, QDF_TRACE_LEVEL_INFO);
- if (dp_rxdma_err_nbuf_drop()) {
- qdf_nbuf_free(nbuf);
- return;
- }
 qdf_assert(0);
 }
@@ -1373,6 +1369,23 @@ done:
 return rx_bufs_used; /* Assume no scale factor for now */
 }
+#ifdef DROP_RXDMA_DECRYPT_ERR
+/**
+ * dp_handle_rxdma_decrypt_err() - Check if decrypt err frames can be handled
+ *
+ * Return: true if rxdma decrypt err frames are handled and false otheriwse
+ */
+static inline bool dp_handle_rxdma_decrypt_err(void)
+{
+ return false;
+}
+#else
+static inline bool dp_handle_rxdma_decrypt_err(void)
+{
+ return true;
+}
+#endif
+
 uint32_t dp_rx_wbm_err_process(struct dp_intr *int_ctx, struct dp_soc *soc, hal_ring_handle_t hal_ring_hdl, uint32_t quota)
@@ -1643,6 +1656,13 @@ done:
 continue;
 case HAL_RXDMA_ERR_DECRYPT:
+ if (!dp_handle_rxdma_decrypt_err()) {
+ if (peer)
+ DP_STATS_INC(peer,
+ rx.err.decrypt_err, 1);
+ break;
+ }
+
 pool_id = wbm_err_info.pool_id;
 err_code = wbm_err_info.rxdma_err_code;
 tlv_hdr = rx_tlv_hdr;
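Review bot: The safe behaviour is opt-in in `dp_handle_rxdma_decrypt_err()`: unless the build defines `DROP_RXDMA_DECRYPT_ERR`, the helper returns true and the `HAL_RXDMA_ERR_DECRYPT` case still assigns `tlv_hdr = rx_tlv_hdr` and continues into the existing processing (the call itself is outside the hunk), which is the access the commit message describes as leading to invalid buffers. If the TLV bytes cannot be trusted after a decrypt failure, dropping should be the default and processing the explicitly enabled exception. The kernel-doc should at least name the macro, for example `* Return: false when DROP_RXDMA_DECRYPT_ERR is defined (frames are counted and dropped), true otherwise`. The macro says "drop" while the helper says "handle" with the opposite sense, which makes the call site easy to misread.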
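Review bot: The new `break` in `case HAL_RXDMA_ERR_DECRYPT:` leaves the switch instead of using `continue` like the preceding case, so whatever follows the switch now runs on a frame whose Rx OLE bytes the commit message calls corrupted. That code is outside the hunk; please confirm it frees `nbuf`, releases any peer reference, and does not parse or dump `rx_tlv_hdr` for this frame. The drop is also counted only when `peer` is non-NULL, so decrypt failures without a peer go unrecorded unless a counter outside the hunk already covers them. A short comment above the check, such as `/* TLVs are unreliable after a decrypt error: count and drop, do not parse */`, would record why the frame is not processed.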