Currently variable "tid" is from message, which is used directly
as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9b9d028ddb9566938f93ff8155284876c1ef9c03
CRs-Fixed: 2146949
Currently variable "tx_desc_id" is from message and it
is used without check.This may cause buffer over-write.
To address this issue add check for valid "tx_desc_id"
Change-Id: Ifcdbf60ce1e0f81be77308185ab51b59746c21af
CRs-Fixed: 2146878
Currently variable "tid" is from message, which is used
directly as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9fae424d19ce5e886d385071863cbfca9633dd84
CRs-Fixed: 2148184
When calling ol_txrx_flush_rx_frames from rx thread, it is possible
that rx thread is scheduled out, if peer detach happens from MC thread,
after return back to rx thread, the peer may have been deleted which
causes panic.
Add ref_cnt to protect peer info and move delete peer_info_lock/
bufq_lock when finally delete peer rather than in the beginning
of ol_txrx_peer_detach.
Change-Id: I24a85de4551f93c379da59eb21a388e8eaf5f1d2
CRs-Fixed: 2164432
Check for the validity of group_id when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND from firmware to ensure the buffer
overflow does not happen.
Change-Id: I17ac9f37a1450f32fb080c3b22f6317b6238068c
CRs-Fixed: 2148610
1) Local peer ID freeing is currently done before peer ref count
decreasing and peer releasing, which imposes a potential race
condition, in which the same local peer ID map will be accessed
before the peer object is fully released.
Fix the issue by relocating the local peer ID freeing to the
point where the peer object is to be freed.
2) Add changes to the return value description of function
ol_txrx_peer_release_ref
Change-Id: Id7722bd54afd6110b91634ca7f1632cade766704
CRs-Fixed: 2155759
Historically, OL peers were forcibly destroyed during pdev detach. This
logic was mistakenly removed as part of another change. This led to peer
leaks during Sub-System Restart (SSR). Restore the peer delete logic to
close peer leaks during SSR.
Change-Id: I72d980750a2f97e6717f720a63f4a651f7615aee
CRs-Fixed: 2167237
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tx_desc_id when received the htt message of
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND from firmware to ensure the buffer
overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2164705
With the existing implementation of TAILQ_FOREACH_REVERSE
in ol_txrx_remove_peers_for_vdev() function, host traverses
the list, stores the peer in the var, releases the lock and
later temp var is getting deleted as part of peer unmap and
host end up in accessing the stale peer entry.
To avoid this, host should check the peer delete in progress
first before assigning it to the temp var.
Change-Id: I5b9a401ae062efc6d2fbe608b25424a27c9d9f94
CRs-Fixed: 2159446
Since struct sps_iovc is obsolete in the latest kernel,
use a local macro instead of sizeof() . It should be
updated with the correct IPA size macro once it is
avaiable in the latest kernel.
CRs-Fixed: 2160658
Change-Id: Ifc2926d5182c96e07de6b4ddd50156764b7ad51e
In case of Monitor mode, headroom of skb, which originally
contains rx_desc data, is overwritten by radio tap header.
Host pulls skb data by radio tap header and the same skb is
passed on to packet log function which expects payload to
point to skb-> data and end up in wrong access.
Moreover, pktlog is meant to log rx_desc information which is
already overwritten by radio header and hence pkt logging is
of no use in this case.
CRs-Fixed: 2159130
Change-Id: Id19c0371a0ed31c70ada788fc2b396a8b1eac1f1
The existing peer API cdp_peer_find_by_add does not maintain any peer
references. So a peer which is returned by the API may get deleted in a
different context. This may lead to access to a already deleted memory.
Fix the issue by introducing new APIs "peer_get_ref" and
"peer_release_ref" which make sure the peer is valid until it is
"released" (peer_release_ref is called).
Change-Id: I60175ee1d67f01e3ee4b48cb655d1728d29d08f4
CRs-Fixed: 2139801
qcacld-2.0 to qcacld-3.0 propagation
For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If set the msdu_cnt to a negative value,
or be greater than the number of current elements in the queue, the loop
will execute lots of times in ol_rx_offload_deliver_ind_handler, the
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
low latency solution.
Change the msdu_cnt type from signed to unsigned and add the validity
msdu_cnt checking will fix this issue.
Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tid when received the htt message of
HTT_T2H_MSG_TYPE_RX_FLUSH & HTT_T2H_MSG_TYPE_RX_PN_IND from firmware
to ensure the buffer overflow does not happen.
And correct the sequence number type from signed int to unsigned.
Change-Id: Ibff86e891c335bfe8c2f9db82410545036463ed3
CRs-Fixed: 2149399
Save peer_ids[] array during cleanup and print it later, after
releasing peer_map_unmap_lock. It avoids usage of multiple QDF_TRACE()
calls inside critical region.
CRs-Fixed: 2027795
Change-Id: I77474f75d0889604e30ba637a04d39fddcaf754c
Add support for periodic stats for data packets to be displayed in
wlan driver logs.
Change-Id: Iee6759ae75657ae93e94ea1bb1343f2ea489c087
CRs-Fixed: 2120047
With current implementation in case of an SSR/PDR threads that are
waiting on events will only get purged after the wait timeout has
occurred, increasing the recovery time for the driver. Utilize new
APIs that maintain a list of events. In case of an SSR/PDR
forcefully set these events.
Change-Id: I83b4f576a65f8da5762288ac8dfccdef7d05d82a
CRs-Fixed: 2045156
When define MEMORY_DEBUG macro for debugging memory issue,
even in normal case it still will report double free for ipa
i2w SKB.
Fix is to add ipa i2w SKB to internal tracking table.
Change-Id: I27b0afc79e8c39c99a73ec9a65a348ebf85960b6
CRs-Fixed: 2145344
To abstract kernel header inclusion, create new QDF APIs for all IPA
APIs and redirect all IPA API calls through QDF interfaces.
Change-Id: I7bff975ad7cb32fc128320c124633594471e0a1f
CRs-Fixed: 2098903
Add wlan_objmgr_peer_debug_log() calls in WMA, ol_txrx for
tracking of peer create/delete/map/unmap events and related roaming
events. These calls, added in lnx.1.1 driver in different change lists,
are consolidated in this change.
Add wlan_roam_debug_dump_table() call to the functions that perform
recovery after detecting peer deletion error.
CRs-Fixed: 2130256
Change-Id: Ia3bb6a01b2f62889fe542a02ca42ffab5a8a76aa
Add "static" before some functions which only be used in 1 file to
resolve compilation error.
Change-Id: Id1b1101c3bb04910ad1e3639887f74e44d5b7c36
CRs-Fixed: 2010227
Currently there is no support for management MGMT TXRX
component over HTT endpoint and supports only over WMI.
As a result for platforms which does not support MGMT
over WMI will break other components which uses MGMT TXRX
component to send mgmt packets. In this change support MGMT
TXRX component over HTT.
Change-Id: I414269abb5a5c616cc890dab450a7782e6829d0e
CRs-Fixed: 2128213
Packet log ops are protected against load-unload and SSR, but not
against module stop. Take care to add check for module stop.
Also takecare to NULLing of wdi_event_list and NULL check before accessing.
Change-Id: I20d49ff587719fc14f60a53e86092383de6ef5b8
CRs-Fixed: 2082135
It has been observed that prints are adding significant overhead
to the period a lock is being held. Move the prints outside of lock.
Change-Id: Ifc84b562bc294ae2348f6d152b2852c21c963762
CRs-Fixed: 2040486
Fix NAPI and flow pool info logging levels. NAPI stats are showing up in
kmsg, when they should not. flow pool stats are simply not showing up
since debug levels are disabled for TXRX module.
Change-Id: I5fa3ca24cf3c31c2cf5183ccf9044eb085153da7
CRs-Fixed: 2127633
There is a gap for the NON_QOS queue setting in the SDIO WLAN TX
scheduler, which will cause certification test case fails.
Change the setting same as qcacld2.0.
CRs-Fixed: 2123022
Change-Id: Iedfa048ec9c3d293b05903ce4f2eba4ef07c020e
Some data path code change didn't consider SDIO code path, so
introducing some build error for SDIO driver. Fix them in one
submission to enable ACI
Change-Id: I3d1b81c57a8ae854f18db3eccb546b7b552899b7
CRs-Fixed: 2033757
Currently during peer initialization (ol_txrx_peer_attach), we are
initializing peer refcount to 2. This is done to prevent peer
deletion, in case some logic tries to delete a peer when the host has
not received peer map events.
The above logic fails to address the condition when there is roaming
failure, followed by peer deletion from userpace. In this case, host
tries to create a peer and initializes refcount to 2. However, since
roaming fails, firmware does not send out peer map events. In the
meanwhile, the framework tries to delete the existing peer. This
deletion following the peer creation and absence of peer map leads to an
incorrect peer refcount even after deletion and hence this peer does not
get deleted.
Initialize peer with refcount of 2 but 1 instead. In case a map or
unmap arrives after peer deletion, the existing logic will
try to find a peer in the peer hash bins or peer_id_obj_map and will
not find the peer.
Change-Id: Ia3ba6842122dba49281d7bd00303cbe7685ef91c
CRs-Fixed: 2087373
Add debug logs to capture htt rx_ring info during data stall
detection for FW_RX_REFILL failure reason.
Change-Id: I6733a37677ebccfef5096ac38858c4505e8665b6
CRs-Fixed: 2121686
Add ini param 'gtsf_ptp_options' to control
PTP options, it's a bitmap:
bit0 - PTP_OPT_RX(0x1)
set this bit to enable RX time stamping
bit1 - PTP_OPT_TX(0x2)
set this bit to enable TX time stamping
bit2 - PTP_OPT_RAW(0x4)
set this bit to use raw time as timestamp
bit3 - TSF_DBG_FS(0x8)
set this bit to add device attriubte 'tsf' for iface
The default value of gtsf_ptp_options is 0xf
Propagated from qcacld-2.0.
Change-Id: Ie53d503bdd2e85790502583a238ee138f4bcf6c6
CRs-Fixed: 2079466
Add support to post data stall event to sys message queue
to handle it in data detection module and finally post
diag event to QXDM. Add support to send NUD failure
diag event.
CRs-Fixed: 2086176
Change-Id: I72ba36d4c2f6ef2eb495ad1586f74af0f3c69254
Add data stall detection module in hdd which handles data
stall reported by host or fw and take necessary recovery
steps based on the data stall type.
Change-Id: Idf6c43f55d1bc115a0c06b4c6ef766ff3ed09bee
CRs-Fixed: 2090643
Add Vendor Event to get the driver hang reason indicating to the
user space that the driver has detected an internal failure.
This event carries the information indicating the reason that triggered
this detection.
Change-Id: I3934f2a18c796ed3b53175dcbe7efd7f4d1409b9
CRs-fixed: 2098498
Currently ol_rx_data_cb() calls cds_get_global_context() but then
doesn't do anything with the context other than verify it is not
NULL. Since the context itself is unused, remove the unnecessary call
to cds_get_global_context().
Change-Id: I42a0aa1adba5ba25a95cf22523153356e3976b47
CRs-Fixed: 2115512
ARP/NS/NA packets will not get chance to be transmitted if
netif queues are paused due to low tx descriptor availability.
Send ARP/NS/NA packets from HI PRIO queue so that it can be transmitted
in noisy environment.
Change-Id: Ibb414463d1471c19d5db99e12517c77b02564318
CRs-Fixed: 2081348
Clear the tx desc ref_cnt in ol_tx_desc_free_common as
ol_tx_desc_free independently get called from some places
during failure cases.
Change-Id: I705061558a0419785091e0e1d0605e317e479188
CRs-Fixed: 2071116
Make the following changes to fix the issue:
- Wrap TSO seg unmap code inside a spinlock
- Add TSO descriptor DUP detection logic before unmapping TSO segs
- De-initialize TSO seg freepool after in-use Tx descriptors have been
de-inited
Change-Id: I63b100879b302e4919c2952143509e76c14b36ec
CRs-Fixed: 2018317
Stats printing with excessive loops should not go to the console.
Avoids watch-dog bites.
Change-Id: I2ff67827d8bb975bc4ddbb4d70c88283e8ea231e
CRs-Fixed: 2088027
qcacld-2.0 to qcacld-3.0 propagation
The txrx_fw_stats cmd will allocate a req object before sending the cmd
to the firmware, this memory is only freed when get response from firmware.
The memory leak will appear if the firmware doesn't response in time before
the driver unloading.
This fix will add a pending queue to trace this req object in the pdev.
when pdev is detaching, it will clean up this queue to avoid memory leak.
Change-Id: I35f6216d35befbab978bba161252b305488bd34c
CRs-Fixed: 2116408
Recovery is triggered if rx hash table look up fails due to invalid
physical address. Since netbuf is not found in this case and null
netbuf is de-referenced after recovery is completed and this leads
to null pointer exception.
Exit gracefully if netbuf pop fails from rx hash table.
Change-Id: I66b3d1cf9aa05da235212923a551e58d86153e55
CRs-Fixed: 2094521
