From eb82e858a6e555770f19ffbc76dee2691c2d55e9 Mon Sep 17 00:00:00 2001 From: Yeshwanth Sriram Guntuka Date: Mon, 29 Nov 2021 12:49:29 +0530 Subject: [PATCH] qcacmn: Avoid possible NULL pointer dereference of msdu_ext_desc tso_desc is assigned to msdu_ext_desc in dp_tx_prepare_desc for TSO packet even before msdu_ext_desc is configured which could result in NULL pointer dereference. Fix is to set the tso_desc and tso_num_desc in msdu_ext_desc post dp_tx_prepare_ext_desc. Change-Id: I62279c94ea7037b3f6a92644ae7eb6a5e63631f6 CRs-Fixed: 3083846 --- dp/wifi3.0/dp_tx.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/dp/wifi3.0/dp_tx.c b/dp/wifi3.0/dp_tx.c index e41cb722b3..f97b86069a 100644 --- a/dp/wifi3.0/dp_tx.c +++ b/dp/wifi3.0/dp_tx.c @@ -499,15 +499,16 @@ dp_tx_desc_release(struct dp_tx_desc_s *tx_desc, uint8_t desc_pool_id) dp_tx_outstanding_dec(pdev); - if (tx_desc->frm_type == dp_tx_frm_tso) - dp_tx_tso_desc_release(soc, tx_desc); + if (tx_desc->msdu_ext_desc) { + if (tx_desc->frm_type == dp_tx_frm_tso) + dp_tx_tso_desc_release(soc, tx_desc); + + if (tx_desc->flags & DP_TX_DESC_FLAG_ME) + dp_tx_me_free_buf(tx_desc->pdev, + tx_desc->msdu_ext_desc->me_buffer); - if (tx_desc->flags & DP_TX_DESC_FLAG_FRAG) dp_tx_ext_desc_free(soc, tx_desc->msdu_ext_desc, desc_pool_id); - - if (tx_desc->flags & DP_TX_DESC_FLAG_ME) - dp_tx_me_free_buf(tx_desc->pdev, tx_desc->msdu_ext_desc-> - me_buffer); + } if (tx_desc->flags & DP_TX_DESC_FLAG_TO_FW) qdf_atomic_dec(&soc->num_tx_exception); @@ -1202,9 +1203,6 @@ static struct dp_tx_desc_s *dp_tx_prepare_desc(struct dp_vdev *vdev, tx_desc->vdev_id = vdev->vdev_id; tx_desc->pdev = pdev; tx_desc->pkt_offset = 0; - tx_desc->msdu_ext_desc->tso_desc = msdu_info->u.tso_info.curr_seg; - tx_desc->msdu_ext_desc->tso_num_desc = msdu_info->u.tso_info. - tso_num_seg_list; dp_tx_trace_pkt(soc, nbuf, tx_desc->id, vdev->vdev_id); @@ -1227,6 +1225,9 @@ static struct dp_tx_desc_s *dp_tx_prepare_desc(struct dp_vdev *vdev, tx_desc->msdu_ext_desc = msdu_ext_desc; tx_desc->flags |= DP_TX_DESC_FLAG_FRAG; + msdu_ext_desc->tso_desc = msdu_info->u.tso_info.curr_seg; + msdu_ext_desc->tso_num_desc = msdu_info->u.tso_info.tso_num_seg_list; + tx_desc->dma_addr = msdu_ext_desc->paddr; if (msdu_ext_desc->flags & DP_TX_EXT_DESC_FLAG_METADATA_VALID)