samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Do not set pkt len to HTT_MAX_MSG_SIZE in PPDU ind handling

Browse Source 
Skbs allocated for CE1 ring are of size 2048 bytes. On
receiving PPDU stats HTT message, skb is pulled for 8
bytes corresponding to the HTC header length. As part of
dp_ppdu_stats_ind_handler, skb len is set to HTT_MAX_MSG_SIZE.
In the case where skb allocation is exactly of 2048 bytes,
including HTC header length, the aforementioned set_len
causes the skb to be expanded due to lack of tailroom.
This causes the skb data pointer to be changed which results
in invalid memory access.

Fix is to remove the qdf_nbuf_set_pktlen as skb len is
appropriately set by HTC layer.

Change-Id: Ied68c30456dc0e263ccfd03102962233a0e43d9f
CRs-Fixed: 2777516
This commit is contained in:
Yeshwanth Sriram Guntuka
2020-09-15 22:32:06 +05:30
committed by snandini
parent c8c0eee515
commit fcdcc1005f
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
dp/wifi3.0/dp_htt.c
View File

@@ -4286,7 +4286,7 @@ dp_ppdu_stats_ind_handler(struct htt_soc *soc,
u_int8_t pdev_id;
u_int8_t target_pdev_id;
bool free_buf;
qdf_nbuf_set_pktlen(htt_t2h_msg, HTT_T2H_MAX_MSG_SIZE);
target_pdev_id = HTT_T2H_PPDU_STATS_PDEV_ID_GET(*msg_word);
pdev_id = dp_get_host_pdev_id_for_target_pdev_id(soc->dp_soc,
target_pdev_id);