Currently the variables "num_flows" and "len" are used directly from the
message without any validation, which causes a buffer over-write.
To address this issue, add a check for num_flows and len.
Change-Id: Iddf2df0fd65f5b33b54f1a608cdd34e400c0e03c
CRs-Fixed: 2148489
Currently there are type conversion issues for the variables compl_msg
and pool_numap_payload. This may cause a potential buffer over-read.
To address this issue, add a check for the structure size.
Change-Id: Id4804eeaf5e80a9045f1c057fa4cb9db15c1ab7d
CRs-Fixed: 2148306
Currently the variable "num_mpdu_ranges" comes from the message and is used
directly without any validation, which causes a buffer over-write.
To address this issue, add a check for a valid num_mpdu_ranges.
Change-Id: I3f340b913f3063b24c14644ea723a99690e89dcf
CRs-Fixed: 2146934
The count of the htt tx buffer pool should be a power of 2 for the fail case. For
the Rome platform, it does not unmap the nbuf when freeing the htt tx buffer pool.
Change-Id: I85a9a1d02bf403f1be7289b1a0a89f86ef25f763
CRs-Fixed: 2179770
Currently the variable "tid" comes from the message and is used directly
as an array size, which causes a buffer over-write.
To address this issue, add a check for the array size.
Change-Id: I9b9d028ddb9566938f93ff8155284876c1ef9c03
CRs-Fixed: 2146949
Optimize driver init time log from HIF layer to avoid any console
logging related side effect.
Change-Id: If4331eb857d52330dc270cc8ebf6b559daa9413b
CRs-Fixed: 2170144
Move module init/deinit and function entry/exit logs to DEBUG level,
and keep only minimum logs in kernel log buffer.
Change-Id: Ia9fe82934638683079d308acfc9e7014e1d1a0e3
CRs-Fixed: 2169416
Change some of info/warn log levels to debug log levels to
avoid excessive console logging during driver load.
Change-Id: I042a8f8f735fb2eb7c135c120cbc6644c46bcc31
CRs-Fixed: 2169378
Enable 64-bit htt rx addr tracking based on HTT_PADDR64
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
CRs-Fixed: 2166963
Change-Id: I47cfcb3f082bc969cd27630cfd96eb53b31cc40d
Presently, OFDM packets are assigned preamble type of
LONG_PREAMBLE when the type should be SHORT_PREAMBLE.
Assign the preamble type correctly.
Change-Id: Ie16936ba54cb8e1dfa5e96ccc52f3fc6693a5d48
CRs-Fixed: 2159511
Fix is to get correct 64-bit htt rx in order address
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
Change-Id: I479ed4a2dd5cee3427f9a3714cda4ed50afa271a
CRs-Fixed: 2161207
qcacld-2.0 to qcacld-3.0 propagation
For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If the msdu_cnt is set to a negative value,
or is greater than the number of current elements in the queue, the loop
will execute many times in ol_rx_offload_deliver_ind_handler, and
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
a low latency solution.
Changing the msdu_cnt type from signed to unsigned and adding validity
checking for msdu_cnt will fix this issue.
Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of peer_id when receiving the htt message of
HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware
to ensure the buffer overflow does not happen.
Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tid when receiving the htt message of
HTT_T2H_MSG_TYPE_RX_FLUSH & HTT_T2H_MSG_TYPE_RX_PN_IND from firmware
to ensure the buffer overflow does not happen.
Also correct the sequence number type from signed int to unsigned.
Change-Id: Ibff86e891c335bfe8c2f9db82410545036463ed3
CRs-Fixed: 2149399
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of num_msdus when receiving the htt message of
HTT_T2H_MSG_TYPE_TX_COMPL_IND or HTT_T2H_MSG_TYPE_TX_INSPECT_IND from
firmware to ensure the buffer overflow does not happen.
Change-Id: Ic6ce75f34c5e2705d174eda014350e6ef0391388
CRs-Fixed: 2146869
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of credits when receiving the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND or HTT_T2H_MSG_TYPE_TX_COMPL_IND
from firmware to ensure the integer overflow does not happen if these
messages are invoked many times.
Change-Id: I01386b88f1b677153f3e51e055b7fbac073cd6b3
CRs-Fixed: 2147127
The current tx & rx members of the skb->cb structure have a lot of common members
duplicated across CONFIG_WIN and CONFIG_MCL.
The common members are now moved out and new members are added as per the
requirement. Also the members are organized to avoid additional padding
and fit within the 48 byte boundary for both 32-bit & 64-bit platforms.
Change-Id: I27abc95d51127513cf2e7e9657a4ee84324b2cc9
CRs-Fixed: 2142792
Check the length of the data passed in the hw tx desc and
assert it is not zero-length.
This will then make it easy to debug on the host side.
Change-Id: I7d77ac5ee6f5a4992c4a91b9d5661d207732862f
CRs-Fixed: 2136638
htt_tx_mutex, NBUF_QUEUE_MUTEX and HTT credit_mutex should all be
initialized before the related message handlers are connected to
their corresponding services, or there will be race conditions
during WLAN driver initialization, which will cause
the Linux kernel to complain about bad magic of spin locks and
trigger a watchdog bite.
Change-Id: Id89185d811bcbed95732f142ed6fd611e0d6e2a4
CRs-Fixed: 2109674
1) The htt htc free packet list is accessed without being protected
by a lock when packets are being removed from it, which may
introduce a potential race condition during stability stress
tests. Protect the list with the htt tx mutex before any packets are freed
from it.
2) The same protection should be applied to the htt htc packet misc
list.
Change-Id: Ife075a24f119ccfff9b56ec6ce3bee5dd73c9dea
CRs-Fixed: 2137038
When CONFIG_HL_SUPPORT is defined, htt_rx_dbg_rxbuf_init is not called,
and rx_buff_list_lock is not initialized. rx_buff_list_lock should not
be destroyed if it is not initialized.
Do not call htt_rx_dbg_rxbuf_deinit when CONFIG_HL_SUPPORT is defined.
Change-Id: I9d64313efd5a9978b3fb953ac5d7ffb466abe010
CRs-Fixed: 2134345
Add a warning log at the critical code path of IPA session transition
for race condition detection.
Set INFO log level for enter/exit logs in the IPA session transition
code path.
Change-Id: I5089db5f53d13e5f78093171672ad86f7bd1cdc2
CRs-Fixed: 2124144
In case the host receives a paddr in a HTT_RX_IN_ORDER_IND_PADDR msg
from FW that is not found in the rx_hash, instead of forcing an
APPS crash, initiate a host-triggered recovery. If the feature
is not enabled, this would be equivalent to the old code.
Change-Id: Iaab5329c13d626c4b94c690f5537899eecf2637b
CRs-Fixed: 2084522
For WLAN FW-host interface file automation, we need to pull the WDI IPA
interface definition file, wdi_ipa.h, into the WLAN host driver.
This change is to match host driver MACRO names with wdi_ipa.h.
Re-enable the CONFIG_IPA_OFFLOAD flag in Kbuild.
Change-Id: I9cd0c3b942c0a7b5e98f589090ae51cc0acf67c2
CRs-Fixed: 2085741
Introduce a new parameter in the ini file for the maximum
number of MSDUs per HTT_RX_INORDERIND message.
This parameter is now sent over to the FW through the RFS
configuration message.
Change-Id: Id0057861bc172a36483804170274b202198b6824
CRs-Fixed: 2106760
Some data path code changes didn't consider the SDIO code path,
introducing some build errors for the SDIO driver. Fix them in one
submission to enable ACI.
Change-Id: I3d1b81c57a8ae854f18db3eccb546b7b552899b7
CRs-Fixed: 2033757
Add debug logs to capture htt rx_ring info during data stall
detection for FW_RX_REFILL failure reason.
Change-Id: I6733a37677ebccfef5096ac38858c4505e8665b6
CRs-Fixed: 2121686
Add net buff pop fail counter which helps to debug issues
related to scenario when RX ring fill count exceeds the fill
level.
Change-Id: I00f4a4e245e0732ef04518e4c1db95999edc6687
CRs-Fixed: 2106523
HTT_RX_HOST_LATENCY_WORST_LIKELY_MS was changed from 10 to 20
for Helium support. But 20 is aggressive for Rome and a traffic
hang is seen.
The fix is to define HTT_RX_HOST_LATENCY_WORST_LIKELY_MS as 10
for Rome support.
Change-Id: Iaaa86ed70d145ac9898300e9b678008781215617
CRs-Fixed: 2050912
Stats printing with excessive loops should not go to the console.
Avoids watch-dog bites.
Change-Id: I2ff67827d8bb975bc4ddbb4d70c88283e8ea231e
CRs-Fixed: 2088027
At IPA UC detach, after freeing the IPA TX resource TX comp
ring and TX CE index pointers, reset them to NULL.
Change-Id: If6a1b2857d14f5fff2f47e541156ce2c27fb33a3
CRs-Fixed: 2111959
When the system is under a low memory condition and skb allocation fails,
the RX ring msdu is not attached in the ring replenish logic and the ring refill retry
timer refills the ring debt at an interval of 50 ms.
If the refill retry fails to allocate the memory, the refill debt is not updated and
this results in a retry logic failure.
Update the refill debt when the retry allocation fails to allocate
the rx ring msdu.
Change-Id: I4d2230e4984e26b44db663e7e7f20c73ae90b0f0
Add logic to mark first wakeup packet even if offload bit is not set in
the htt rx indication message sent by fw.
Change-Id: Ide50dcfcf88ecd0c71b32b0e746742dc49d08567
CRs-Fixed: 2110627
Currently, in monitor mode, beacon frames are showing an incorrect phy
rate (0). This is because the values in the RX descriptor for
interpreting the legacy rates have changed in ihelium.
Make changes in host to interpret the new values into data rates correctly.
Change-Id: Ibf845666943fd718b657c0128758dabfb64a38ef
CRs-Fixed: 2082456
* Log EAPOL, ARP, DHCP, MGMT, ROAM Events, ICMP, Data packets,
TX-Completions by default.
* Set default verbosity as low (existing is high)
* Throttle ICMP and Data packets if threshold exceeds.
* Enable live mode by default. Added ini entry to disable
it and configure high throughput thresh - gDptraceConfig
* Log only SA and DA for proto packets (and not 32 bytes)
* Format prints to fit in 1 line.
CRs-Fixed: 2051134
Change-Id: Ia94732e49023950f458a7402650d4b8f5e1d5563
Pointer head_buf returned from the call to function
htt_rx_offload_paddr_msdu_pop_ll may be NULL and will be
dereferenced.
Change-Id: I6e1db520d525a42d59ebfb675325e37c4097ad71
CRs-Fixed: 2085696
The RX hash lock is not unlocked in case hash_table is
NULL, and the context returns immediately without
unlocking the rx hash lock.
Unlock the rx hash lock before returning from the context.
Change-Id: I4ec2c272ac92cf5c0e93c64e34ce96cafe5cc11c
CRs-Fixed: 2104297
When the DUT connects to a specific AP, it receives a frame whose
SA is its own MAC and whose MIC failure flag is set at the same time.
This will cause disconnection from the AP because of the MIC failure.
To fix this unexpected disconnection issue, do not check for MIC
failure if the discard flag is set by fw.
Change-Id: I9029da9d329679bf0fd61be234690c764cceb57c
CRs-Fixed: 2090575
In the case of low memory allocation failures, the system should be able to
continue functioning after the connect_service failure.
Change-Id: Icd054d541aa95dbf4099426cf73f3dfe6c2c4565
CRs-Fixed: 2097391
During target attach procedure, there are a number of messages sent
to the FW. Some of these sends did not check return codes. Add
return code checks and treat the codes accordingly.
Change-Id: Ib515e040b6c7e2ecc23d2d422bb359e83342fcfa
CRs-Fixed: 2064904
When replenishing Rx buffers, the driver updates the address of the
buffer and the index of the rx buffer in the rx ring to the firmware.
Make sure the alloc index write is reflected in memory before
FW polls the remote ring write index, as the compiler can reorder
the instructions based on optimizations.
Disable compile-time reordering by adding a write memory barrier.
Change-Id: Icb37598e6c36b4a128b1bcd91bfb9d643bf083e2
CRs-Fixed: 2084210
The target_delta and bus_delta are combined with target_tx_credit
to fulfil the credit function of the host.
A global lock is needed to ensure reentrancy.
Change-Id: I71c006ccfe05b442706283490cd7bba4cc8a6f5f
CRs-Fixed: 964530
When HTT is attached, the driver allocates a DMA buffer to record each RX ring
entry, with element size target_paddr_t, which is the bus size and may be
different from the kernel's physical address size.
In htt_rx_detach, however, the size of qdf_dma_addr_t is used for the buffer free.
If the kernel is built as 64-bit and the bus size is the default 32-bit,
it will crash when freeing.
Use the same element size to avoid it.
CRs-Fixed: 2087592
Change-Id: Iabe95f92ea82b736213a8b81453163229b2a3a3b
warning: implicit conversion from enumeration type
'qdf_nbuf_l4_rx_cksum_result_t' to different enumeration
type 'qdf_nbuf_l4_rx_cksum_type_t
Change-Id: If2b7ee179fa260c14cde450cc72272c41a9f4adb
CRs-Fixed: 2055487
Rx hash deinit sets hash_table to NULL; at the same time
there can be an active tasklet context accessing the rx hash list.
Prevent rx hash list access after rx hash deinit and set the netbuf
to NULL once the netbuf is popped out of the list.
Change-Id: I4e30dd69ece33c3cc768842274d5307c0bf29a37
CRs-Fixed: 2049121
The function is not present as inline in the non-debug build, which will
cause a compilation error.
Fix the issue by having an empty inline function in the header file.
Some counters need to be defined outside of DEBUG_RX_RING_BUFFER.
Change-Id: I755616aa55c2f38bca017137e91cc469de7fbdcf
CRs-Fixed: 2004927