e4046fd3ac6dc867cbe5bc18cc2a24bb5c3921c6 - imx-board-wlan-src

commit	e4046fd3ac6dc867cbe5bc18cc2a24bb5c3921c6	[log] [tgz]
author	Tiger Yu <tfyu@codeaurora.org>	Fri Dec 08 15:41:29 2017 +0800
committer	Anjaneedevi Kapparapu <akappara@codeaurora.org>	Thu Feb 01 15:22:40 2018 +0530
tree	f4b432e2ef55ac9968f564badf5e68db2d39cb95
parent	6293898c0a32f9dcb6c67ddd9298048d10e19fc9 [diff]

qcacld-2.0: Fix potential BUG_ON in the htt_rx_offload_msdu_pop_ll

For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If set the msdu_cnt to a negative value,
or be greater than the number of current elements in the queue, the loop
will execute lots of times in ol_rx_offload_deliver_ind_handler, the
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
low latency solution.

Change the msdu_cnt type from signed to unsigned and add the validity
msdu_cnt checking will fix this issue.

Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461

CORE/CLD_TXRX/HTT/htt_rx.c[diff]
CORE/CLD_TXRX/HTT/htt_t2h.c[diff]
CORE/CLD_TXRX/TXRX/ol_rx.c[diff]
CORE/SERVICES/COMMON/ol_htt_rx_api.h[diff]
CORE/SERVICES/COMMON/ol_txrx_htt_api.h[diff]

5 files changed

tree: f4b432e2ef55ac9968f564badf5e68db2d39cb95

CORE/
firmware_bin/
wcnss/
Android.mk
Kbuild
Kconfig
Makefile