qcacld-3.0: Add sanity check for tx desc

qcacld-2.0 to qcacld-3.0 propagation

Add sanity check for tx desc to avoid crash if firmware report the invalid
msdu id to the host.

Change-Id: I5a339e81f3de882b5f7cc42b0628ea4738141c58
CRs-Fixed: 1071620

Kbuild

@@ -131,6 +131,11 @@ ifeq ($(KERNEL_BUILD), 0)
 		CONFIG_WLAN_FEATURE_11W := y
 	endif
 
+	#Flag to enable the tx desc sanity check
+	ifeq ($(CONFIG_ROME_IF),usb)
+		CONFIG_QCA_TXDESC_SANITY_CHECKS := y
+	endif
+
 	ifneq ($(CONFIG_MOBILE_ROUTER), y)
 		#Flag to enable NAN
 		CONFIG_QCACLD_FEATURE_NAN := y
@@ -1277,6 +1282,10 @@ ifeq ($(CONFIG_WLAN_FEATURE_11W),y)
 CDEFINES += -DWLAN_FEATURE_11W
 endif
 
+ifeq ($(CONFIG_QCA_TXDESC_SANITY_CHECKS), 1)
+CDEFINES += -DQCA_SUPPORT_TXDESC_SANITY_CHECKS
+endif
+
 ifeq ($(CONFIG_QCOM_LTE_COEX),y)
 CDEFINES += -DFEATURE_WLAN_CH_AVOID
 endif

core/dp/htt/htt_tx.c

@@ -90,10 +90,6 @@ do {                                                                           \
 
 /*--- setup / tear-down functions -------------------------------------------*/
 
-#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
-uint32_t *g_dbg_htt_desc_end_addr, *g_dbg_htt_desc_start_addr;
-#endif
-
 static qdf_dma_addr_t htt_tx_get_paddr(htt_pdev_handle pdev,
 				char *target_vaddr);
 

core/dp/txrx/ol_tx_desc.c

@@ -42,33 +42,20 @@
 #endif
 #include <ol_txrx.h>
 
-#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
-extern uint32_t *g_dbg_htt_desc_end_addr, *g_dbg_htt_desc_start_addr;
-#endif
-
 #ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
 static inline void ol_tx_desc_sanity_checks(struct ol_txrx_pdev_t *pdev,
 					struct ol_tx_desc_t *tx_desc)
 {
-	if (tx_desc->pkt_type != 0xff) {
+	if (tx_desc->pkt_type != ol_tx_frm_freed) {
 		TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
 				   "%s Potential tx_desc corruption pkt_type:0x%x pdev:0x%p",
 				   __func__, tx_desc->pkt_type, pdev);
 		qdf_assert(0);
 	}
-	if ((uint32_t *) tx_desc->htt_tx_desc <
-		    g_dbg_htt_desc_start_addr
-		    || (uint32_t *) tx_desc->htt_tx_desc >
-		    g_dbg_htt_desc_end_addr) {
-			TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
-				   "%s Potential htt_desc curruption:0x%p pdev:0x%p\n",
-				   __func__, tx_desc->htt_tx_desc, pdev);
-			qdf_assert(0);
-	}
 }
 static inline void ol_tx_desc_reset_pkt_type(struct ol_tx_desc_t *tx_desc)
 {
-	tx_desc->pkt_type = 0xff;
+	tx_desc->pkt_type = ol_tx_frm_freed;
 }
 #ifdef QCA_COMPUTE_TX_DELAY
 static inline void ol_tx_desc_compute_delay(struct ol_tx_desc_t *tx_desc)
@@ -693,7 +680,7 @@ void ol_tx_desc_frame_free_nonstd(struct ol_txrx_pdev_t *pdev,
 	qdf_nbuf_unmap(pdev->osdev, tx_desc->netbuf, QDF_DMA_TO_DEVICE);
 	/* check the frame type to see what kind of special steps are needed */
 	if ((tx_desc->pkt_type >= OL_TXRX_MGMT_TYPE_BASE) &&
-		   (tx_desc->pkt_type != 0xff)) {
+		   (tx_desc->pkt_type != ol_tx_frm_freed)) {
 		qdf_dma_addr_t frag_desc_paddr = 0;
 
 #if defined(HELIUMPLUS_PADDR64)

core/dp/txrx/ol_tx_desc.h

@@ -115,6 +115,40 @@ static inline struct ol_tx_desc_t *ol_tx_desc_find(
 		(tx_desc_id & pdev->tx_desc.offset_filter))))->tx_desc;
 }
 
+/**
+ * @brief Use a tx descriptor ID to find the corresponding desriptor object
+ *    and add sanity check.
+ *
+ * @param pdev - the data physical device sending the data
+ * @param tx_desc_id - the ID of the descriptor in question
+ * @return the descriptor object that has the specified ID,
+ *    if failure, will return NULL.
+ */
+
+#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
+static inline struct ol_tx_desc_t *
+ol_tx_desc_find_check(struct ol_txrx_pdev_t *pdev, u_int16_t tx_desc_id)
+{
+	struct ol_tx_desc_t *tx_desc;
+
+	tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
+
+	if (tx_desc->pkt_type == ol_tx_frm_freed) {
+		return NULL;
+	}
+
+	return tx_desc;
+}
+
+#else
+
+static inline struct ol_tx_desc_t *
+ol_tx_desc_find_check(struct ol_txrx_pdev_t *pdev, u_int16_t tx_desc_id)
+{
+	return ol_tx_desc_find(pdev, tx_desc_id);
+}
+#endif
+
 /**
  * @brief Free a list of tx descriptors and the tx frames they refer to.
  * @details

core/dp/txrx/ol_tx_send.c

@@ -588,7 +588,7 @@ ol_tx_completion_handler(ol_txrx_pdev_handle pdev,
 					    lcl_freelist, tx_desc_last, status);
 		}
 #ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
-		tx_desc->pkt_type = 0xff;
+		tx_desc->pkt_type = ol_tx_frm_freed;
 #ifdef QCA_COMPUTE_TX_DELAY
 		tx_desc->entry_timestamp_ticks = 0xffffffff;
 #endif
@@ -775,7 +775,15 @@ ol_tx_single_completion_handler(ol_txrx_pdev_handle pdev,
 	struct ol_tx_desc_t *tx_desc;
 	qdf_nbuf_t netbuf;
 
-	tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
+	tx_desc = ol_tx_desc_find_check(pdev, tx_desc_id);
+	if (tx_desc == NULL) {
+		TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+				"%s: invalid desc_id(%u), ignore it.\n",
+				__func__,
+				tx_desc_id);
+		return;
+	}
+
 	tx_desc->status = status;
 	netbuf = tx_desc->netbuf;
 
@@ -852,6 +860,13 @@ ol_tx_inspect_handler(ol_txrx_pdev_handle pdev,
 			ol_tx_msdu_complete(pdev, tx_desc, tx_descs, netbuf,
 					    lcl_freelist, tx_desc_last,
 					    htt_tx_status_ok);
+
+#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
+			tx_desc->pkt_type = ol_tx_frm_freed;
+#ifdef QCA_COMPUTE_TX_DELAY
+			tx_desc->entry_timestamp_ticks = 0xffffffff;
+#endif
+#endif
 		}
 	}
 

core/dp/txrx/ol_txrx_types.h

@@ -117,6 +117,7 @@ enum ol_tx_frm_type {
 	OL_TX_FRM_TSO,     /* TSO segment, with a modified IP header added */
 	OL_TX_FRM_AUDIO,   /* audio frames, with a custom LLC/SNAP hdr added */
 	OL_TX_FRM_NO_FREE, /* frame requires special tx completion callback */
+	ol_tx_frm_freed = 0xff, /* the tx desc is in free list */
 };
 
 #if defined(CONFIG_HL_SUPPORT) && defined(QCA_BAD_PEER_TX_FLOW_CL)