qcacld-3.0: Add sanity check for tx desc
qcacld-2.0 to qcacld-3.0 propagation
Add sanity check for tx desc to avoid crash if firmware report the invalid
msdu id to the host.
Change-Id: I5a339e81f3de882b5f7cc42b0628ea4738141c58
CRs-Fixed: 1071620
diff --git a/Kbuild b/Kbuild
index bb458b6..eda2e78 100644
--- a/Kbuild
+++ b/Kbuild
@@ -131,6 +131,11 @@
CONFIG_WLAN_FEATURE_11W := y
endif
+ #Flag to enable the tx desc sanity check
+ ifeq ($(CONFIG_ROME_IF),usb)
+ CONFIG_QCA_TXDESC_SANITY_CHECKS := y
+ endif
+
ifneq ($(CONFIG_MOBILE_ROUTER), y)
#Flag to enable NAN
CONFIG_QCACLD_FEATURE_NAN := y
@@ -1277,6 +1282,10 @@
CDEFINES += -DWLAN_FEATURE_11W
endif
+ifeq ($(CONFIG_QCA_TXDESC_SANITY_CHECKS), 1)
+CDEFINES += -DQCA_SUPPORT_TXDESC_SANITY_CHECKS
+endif
+
ifeq ($(CONFIG_QCOM_LTE_COEX),y)
CDEFINES += -DFEATURE_WLAN_CH_AVOID
endif
diff --git a/core/dp/htt/htt_tx.c b/core/dp/htt/htt_tx.c
index b647cec..62dae82 100644
--- a/core/dp/htt/htt_tx.c
+++ b/core/dp/htt/htt_tx.c
@@ -90,10 +90,6 @@
/*--- setup / tear-down functions -------------------------------------------*/
-#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
-uint32_t *g_dbg_htt_desc_end_addr, *g_dbg_htt_desc_start_addr;
-#endif
-
static qdf_dma_addr_t htt_tx_get_paddr(htt_pdev_handle pdev,
char *target_vaddr);
diff --git a/core/dp/txrx/ol_tx_desc.c b/core/dp/txrx/ol_tx_desc.c
index 8b5a220..af610fd 100644
--- a/core/dp/txrx/ol_tx_desc.c
+++ b/core/dp/txrx/ol_tx_desc.c
@@ -43,32 +43,19 @@
#include <ol_txrx.h>
#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
-extern uint32_t *g_dbg_htt_desc_end_addr, *g_dbg_htt_desc_start_addr;
-#endif
-
-#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
static inline void ol_tx_desc_sanity_checks(struct ol_txrx_pdev_t *pdev,
struct ol_tx_desc_t *tx_desc)
{
- if (tx_desc->pkt_type != 0xff) {
+ if (tx_desc->pkt_type != ol_tx_frm_freed) {
TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
"%s Potential tx_desc corruption pkt_type:0x%x pdev:0x%p",
__func__, tx_desc->pkt_type, pdev);
qdf_assert(0);
}
- if ((uint32_t *) tx_desc->htt_tx_desc <
- g_dbg_htt_desc_start_addr
- || (uint32_t *) tx_desc->htt_tx_desc >
- g_dbg_htt_desc_end_addr) {
- TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
- "%s Potential htt_desc curruption:0x%p pdev:0x%p\n",
- __func__, tx_desc->htt_tx_desc, pdev);
- qdf_assert(0);
- }
}
static inline void ol_tx_desc_reset_pkt_type(struct ol_tx_desc_t *tx_desc)
{
- tx_desc->pkt_type = 0xff;
+ tx_desc->pkt_type = ol_tx_frm_freed;
}
#ifdef QCA_COMPUTE_TX_DELAY
static inline void ol_tx_desc_compute_delay(struct ol_tx_desc_t *tx_desc)
@@ -693,7 +680,7 @@
qdf_nbuf_unmap(pdev->osdev, tx_desc->netbuf, QDF_DMA_TO_DEVICE);
/* check the frame type to see what kind of special steps are needed */
if ((tx_desc->pkt_type >= OL_TXRX_MGMT_TYPE_BASE) &&
- (tx_desc->pkt_type != 0xff)) {
+ (tx_desc->pkt_type != ol_tx_frm_freed)) {
qdf_dma_addr_t frag_desc_paddr = 0;
#if defined(HELIUMPLUS_PADDR64)
diff --git a/core/dp/txrx/ol_tx_desc.h b/core/dp/txrx/ol_tx_desc.h
index 9c56ebf..466510f 100644
--- a/core/dp/txrx/ol_tx_desc.h
+++ b/core/dp/txrx/ol_tx_desc.h
@@ -116,6 +116,40 @@
}
/**
+ * @brief Use a tx descriptor ID to find the corresponding desriptor object
+ * and add sanity check.
+ *
+ * @param pdev - the data physical device sending the data
+ * @param tx_desc_id - the ID of the descriptor in question
+ * @return the descriptor object that has the specified ID,
+ * if failure, will return NULL.
+ */
+
+#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
+static inline struct ol_tx_desc_t *
+ol_tx_desc_find_check(struct ol_txrx_pdev_t *pdev, u_int16_t tx_desc_id)
+{
+ struct ol_tx_desc_t *tx_desc;
+
+ tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
+
+ if (tx_desc->pkt_type == ol_tx_frm_freed) {
+ return NULL;
+ }
+
+ return tx_desc;
+}
+
+#else
+
+static inline struct ol_tx_desc_t *
+ol_tx_desc_find_check(struct ol_txrx_pdev_t *pdev, u_int16_t tx_desc_id)
+{
+ return ol_tx_desc_find(pdev, tx_desc_id);
+}
+#endif
+
+/**
* @brief Free a list of tx descriptors and the tx frames they refer to.
* @details
* Free a batch of "standard" tx descriptors and their tx frames.
diff --git a/core/dp/txrx/ol_tx_send.c b/core/dp/txrx/ol_tx_send.c
index b5f2759..2ca1a8d 100644
--- a/core/dp/txrx/ol_tx_send.c
+++ b/core/dp/txrx/ol_tx_send.c
@@ -588,7 +588,7 @@
lcl_freelist, tx_desc_last, status);
}
#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
- tx_desc->pkt_type = 0xff;
+ tx_desc->pkt_type = ol_tx_frm_freed;
#ifdef QCA_COMPUTE_TX_DELAY
tx_desc->entry_timestamp_ticks = 0xffffffff;
#endif
@@ -775,7 +775,15 @@
struct ol_tx_desc_t *tx_desc;
qdf_nbuf_t netbuf;
- tx_desc = ol_tx_desc_find(pdev, tx_desc_id);
+ tx_desc = ol_tx_desc_find_check(pdev, tx_desc_id);
+ if (tx_desc == NULL) {
+ TXRX_PRINT(TXRX_PRINT_LEVEL_ERR,
+ "%s: invalid desc_id(%u), ignore it.\n",
+ __func__,
+ tx_desc_id);
+ return;
+ }
+
tx_desc->status = status;
netbuf = tx_desc->netbuf;
@@ -852,6 +860,13 @@
ol_tx_msdu_complete(pdev, tx_desc, tx_descs, netbuf,
lcl_freelist, tx_desc_last,
htt_tx_status_ok);
+
+#ifdef QCA_SUPPORT_TXDESC_SANITY_CHECKS
+ tx_desc->pkt_type = ol_tx_frm_freed;
+#ifdef QCA_COMPUTE_TX_DELAY
+ tx_desc->entry_timestamp_ticks = 0xffffffff;
+#endif
+#endif
}
}
diff --git a/core/dp/txrx/ol_txrx_types.h b/core/dp/txrx/ol_txrx_types.h
index 50df88b..66f8a0f 100644
--- a/core/dp/txrx/ol_txrx_types.h
+++ b/core/dp/txrx/ol_txrx_types.h
@@ -117,6 +117,7 @@
OL_TX_FRM_TSO, /* TSO segment, with a modified IP header added */
OL_TX_FRM_AUDIO, /* audio frames, with a custom LLC/SNAP hdr added */
OL_TX_FRM_NO_FREE, /* frame requires special tx completion callback */
+ ol_tx_frm_freed = 0xff, /* the tx desc is in free list */
};
#if defined(CONFIG_HL_SUPPORT) && defined(QCA_BAD_PEER_TX_FLOW_CL)