Count of htt tx buffer pool should be a power of 2 for the fail case. For
Rome platform, it does not unmap nbuf when freeing the htt tx buffer pool.
Change-Id: I85a9a1d02bf403f1be7289b1a0a89f86ef25f763
CRs-Fixed: 2179770
In ol_txrx_peer_release_ref, it is possible that this function is
scheduled out just after unlocking peer_ref_mutex; an unmap event will
then come to decrease ref_cnt and free the peer object, and when
ol_txrx_peer_release_ref is scheduled back and accesses peer info,
it will cause a use-after-free.
Get peer info under the protection of peer_ref_mutex.
Change-Id: Ic442f53e0993a931c4411d9dbc85f04d6a85dc46
CRs-Fixed: 2180584
When getting vdev by sta_id, peer could be deleted after retrieved,
so garbage vdev is returned.
To protect peer info, increase ref_cnt and delete peer when the ref
count is 0.
Change-Id: I850d38166d7c16d7f5e580baf3e0d17db22583f8
CRs-Fixed: 2171619
There is a very rare race condition between
ol_txrx_peer_find_by_local_id_inc_ref (running in OL RX
thread context) and ol_txrx_peer_detach (running in MC
thread context) where the MC thread first got a chance and cleared
the peer->valid flag before the OL RX thread could increment the
ref count, and this led to the OL RX thread getting a peer without
any ref count, which was freed later while the OL RX thread was
still using it.
Change:
1. Set peer to NULL if peer valid check fails in
   ol_txrx_peer_find_by_local_id_inc_ref
2. Release peer ref cnt for error case in ol_rx_data_cb
Change-Id: Id21350933386464e5814babcb078d9719572af86
CRs-Fixed: 2176704
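The lookup-side rule from the change above, as an added example that is not the driver's code: the valid check and the ref-count increment happen under one lock hold, and a failed check returns NULL instead of an unreferenced pointer. The struct, table size, spin flag and function names are simplified, hypothetical stand-ins.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#define MAX_LOCAL_ID 4                            /* hypothetical table size */
struct peer { int ref_cnt; bool valid; int local_id; };  /* simplified stand-in */
static struct peer *peer_table[MAX_LOCAL_ID];     /* local_id -> peer map */
static atomic_flag ref_lock = ATOMIC_FLAG_INIT;   /* stands in for the ref mutex */
static int peers_freed;                           /* demo instrumentation */

static void lock(void)   { while (atomic_flag_test_and_set(&ref_lock)) { } }
static void unlock(void) { atomic_flag_clear(&ref_lock); }
/* Caller passes an id below MAX_LOCAL_ID; attach holds the first reference. */
static struct peer *peer_attach(int local_id)
{
    struct peer *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->ref_cnt = 1; p->valid = true; p->local_id = local_id;
    lock(); peer_table[local_id] = p; unlock();
    return p;
}
/* Drop one reference; unpublish and free only when the count reaches 0. */
static int peer_release_ref(struct peer *p)
{
    lock();
    int left = --p->ref_cnt;
    if (left == 0) peer_table[p->local_id] = NULL;
    unlock();
    if (left == 0) { free(p); peers_freed++; }
    return left;
}
/* Validity check and increment happen under a single lock hold. */
static struct peer *peer_find_inc_ref(int local_id)
{
    if (local_id < 0 || local_id >= MAX_LOCAL_ID) return NULL;
    lock();
    struct peer *p = peer_table[local_id];
    if (p && p->valid) p->ref_cnt++;
    else p = NULL;          /* change 1: no reference taken, so return NULL */
    unlock();
    return p;
}
static int peer_detach(struct peer *p)   /* clear valid, drop the attach ref */
{ lock(); p->valid = false; unlock(); return peer_release_ref(p); }
int main(void)
{
    struct peer *p = peer_attach(1), *rx = peer_find_inc_ref(1);
    if (!p || !rx) return 1;
    peer_detach(p);                       /* rx still holds a reference */
    if (peer_find_inc_ref(1)) return 1;   /* late lookup must fail */
    return peer_release_ref(rx);          /* 0: last ref frees the peer */
}
```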
Currently variable "tid" is from message, which is used directly
as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9b9d028ddb9566938f93ff8155284876c1ef9c03
CRs-Fixed: 2146949
Currently variable "tx_desc_id" is from message and it
is used without check. This may cause buffer over-write.
To address this issue add check for valid "tx_desc_id".
Change-Id: Ifcdbf60ce1e0f81be77308185ab51b59746c21af
CRs-Fixed: 2146878
Currently variable "tid" is from message, which is used
directly as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9fae424d19ce5e886d385071863cbfca9633dd84
CRs-Fixed: 2148184
Optimize driver init time log from HIF layer to avoid any console
logging related side effect.
Change-Id: If4331eb857d52330dc270cc8ebf6b559daa9413b
CRs-Fixed: 2170144
When calling ol_txrx_flush_rx_frames from rx thread, it is possible
that rx thread is scheduled out; if peer detach happens from MC thread,
after returning to rx thread, the peer may have been deleted, which
causes a panic.
Add ref_cnt to protect peer info and move the deletion of peer_info_lock/
bufq_lock to when the peer is finally deleted rather than at the beginning
of ol_txrx_peer_detach.
Change-Id: I24a85de4551f93c379da59eb21a388e8eaf5f1d2
CRs-Fixed: 2164432
Check for the validity of group_id when receiving the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND from firmware to ensure the buffer
overflow does not happen.
Change-Id: I17ac9f37a1450f32fb080c3b22f6317b6238068c
CRs-Fixed: 2148610
Move module init/deinit and function entry/exit logs to DEBUG level,
and keep only minimum logs in kernel log buffer.
Change-Id: Ia9fe82934638683079d308acfc9e7014e1d1a0e3
CRs-Fixed: 2169416
Change some of info/warn log levels to debug log levels to
avoid excessive console logging during driver load.
Change-Id: I042a8f8f735fb2eb7c135c120cbc6644c46bcc31
CRs-Fixed: 2169378
Enable 64-bit htt rx addr tracking based on HTT_PADDR64
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
CRs-Fixed: 2166963
Change-Id: I47cfcb3f082bc969cd27630cfd96eb53b31cc40d
1) Local peer ID freeing is currently done before peer ref count
decreasing and peer releasing, which imposes a potential race
condition, in which the same local peer ID map will be accessed
before the peer object is fully released.
Fix the issue by relocating the local peer ID freeing to the
point where the peer object is to be freed.
2) Add changes to the return value description of function
ol_txrx_peer_release_ref
Change-Id: Id7722bd54afd6110b91634ca7f1632cade766704
CRs-Fixed: 2155759
Historically, OL peers were forcibly destroyed during pdev detach. This
logic was mistakenly removed as part of another change. This led to peer
leaks during Sub-System Restart (SSR). Restore the peer delete logic to
close peer leaks during SSR.
Change-Id: I72d980750a2f97e6717f720a63f4a651f7615aee
CRs-Fixed: 2167237
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tx_desc_id when receiving the htt message of
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND from firmware to ensure the buffer
overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2164705
With the existing implementation of TAILQ_FOREACH_REVERSE
in ol_txrx_remove_peers_for_vdev() function, host traverses
the list, stores the peer in the var, releases the lock and
later temp var is getting deleted as part of peer unmap and
host ends up accessing the stale peer entry.
To avoid this, host should check the peer delete in progress
first before assigning it to the temp var.
Change-Id: I5b9a401ae062efc6d2fbe608b25424a27c9d9f94
CRs-Fixed: 2159446
Presently, OFDM packets are assigned preamble type of
LONG_PREAMBLE when the type should be SHORT_PREAMBLE.
Assign the preamble type correctly.
Change-Id: Ie16936ba54cb8e1dfa5e96ccc52f3fc6693a5d48
CRs-Fixed: 2159511
Since struct sps_iovc is obsolete in the latest kernel,
use a local macro instead of sizeof(). It should be
updated with the correct IPA size macro once it is
available in the latest kernel.
CRs-Fixed: 2160658
Change-Id: Ifc2926d5182c96e07de6b4ddd50156764b7ad51e
Fix is to get correct 64-bit htt rx in order address
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
Change-Id: I479ed4a2dd5cee3427f9a3714cda4ed50afa271a
CRs-Fixed: 2161207
In case of Monitor mode, headroom of skb, which originally
contains rx_desc data, is overwritten by radio tap header.
Host pulls skb data by radio tap header and the same skb is
passed on to packet log function which expects payload to
point to skb->data and ends up in wrong access.
Moreover, pktlog is meant to log rx_desc information which is
already overwritten by radio header and hence pkt logging is
of no use in this case.
CRs-Fixed: 2159130
Change-Id: Id19c0371a0ed31c70ada788fc2b396a8b1eac1f1
The existing peer API cdp_peer_find_by_add does not maintain any peer
references. So a peer which is returned by the API may get deleted in a
different context. This may lead to access to an already deleted memory.
Fix the issue by introducing new APIs "peer_get_ref" and
"peer_release_ref" which make sure the peer is valid until it is
"released" (peer_release_ref is called).
Change-Id: I60175ee1d67f01e3ee4b48cb655d1728d29d08f4
CRs-Fixed: 2139801
qcacld-2.0 to qcacld-3.0 propagation
For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If the msdu_cnt is set to a negative value,
or is greater than the number of current elements in the queue, the loop
will execute lots of times in ol_rx_offload_deliver_ind_handler, and the
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
low latency solution.
Changing the msdu_cnt type from signed to unsigned and adding msdu_cnt
validity checking will fix this issue.
Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461
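An added example of the msdu_cnt check described above, not the driver's code: the count is read as an unsigned value and compared with the number of queued buffers before any pop. The 4-byte message layout, ring structure and function names are constructed for illustration and are not the real HTT format.

```c
#include <stddef.h>
#include <stdint.h>
#define RXQ_CAP 8   /* hypothetical rx ring capacity */

struct rx_queue { uint32_t bufs[RXQ_CAP]; unsigned head, fill; };

/* Constructed layout (assumption, not the real HTT format):
 * byte 0 = message type, bytes 2-3 = msdu_cnt, little endian. */
static uint16_t msg_msdu_cnt(const uint8_t *msg)
{
    return (uint16_t)(msg[2] | (msg[3] << 8));
}

/* The same two bytes read through a signed type, as before the fix. */
static int msg_msdu_cnt_signed(const uint8_t *msg)
{
    return (int16_t)msg_msdu_cnt(msg);
}

static int rxq_pop(struct rx_queue *q, uint32_t *out)
{
    if (q->fill == 0)
        return -1;                 /* popping an empty ring is the fatal case */
    *out = q->bufs[q->head];
    q->head = (q->head + 1) % RXQ_CAP;
    q->fill--;
    return 0;
}

/* Returns the number of buffers delivered, or -1 if the message is rejected. */
static int offload_deliver(struct rx_queue *q, const uint8_t *msg, size_t len)
{
    uint16_t msdu_cnt;
    uint32_t buf;
    int delivered = 0;
    if (len < 4)
        return -1;
    msdu_cnt = msg_msdu_cnt(msg);  /* unsigned: cannot go negative */
    if (msdu_cnt > q->fill)
        return -1;                 /* more than is queued: drop, pop nothing */
    while (msdu_cnt--) {
        if (rxq_pop(q, &buf) != 0)
            return -1;
        delivered++;
    }
    return delivered;
}
int main(void)
{
    struct rx_queue q = { {1, 2, 3}, 0, 3 };
    const uint8_t bad[4] = { 0, 0, 0xff, 0xff };   /* constructed message */
    return offload_deliver(&q, bad, sizeof(bad)) == -1 ? 0 : 1;
}
```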
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of peer_id when receiving the htt message of
HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware
to ensure the buffer overflow does not happen.
Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tid when receiving the htt message of
HTT_T2H_MSG_TYPE_RX_FLUSH & HTT_T2H_MSG_TYPE_RX_PN_IND from firmware
to ensure the buffer overflow does not happen.
And correct the sequence number type from signed int to unsigned.
Change-Id: Ibff86e891c335bfe8c2f9db82410545036463ed3
CRs-Fixed: 2149399
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of num_msdus when receiving the htt message of
HTT_T2H_MSG_TYPE_TX_COMPL_IND or HTT_T2H_MSG_TYPE_TX_INSPECT_IND from
firmware to ensure the buffer overflow does not happen.
Change-Id: Ic6ce75f34c5e2705d174eda014350e6ef0391388
CRs-Fixed: 2146869
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of credits when receiving the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND or HTT_T2H_MSG_TYPE_TX_COMPL_IND
from firmware to ensure the integer overflow does not happen if these
messages are invoked many times.
Change-Id: I01386b88f1b677153f3e51e055b7fbac073cd6b3
CRs-Fixed: 2147127
Save peer_ids[] array during cleanup and print it later, after
releasing peer_map_unmap_lock. It avoids usage of multiple QDF_TRACE()
calls inside critical region.
CRs-Fixed: 2027795
Change-Id: I77474f75d0889604e30ba637a04d39fddcaf754c
Add support for periodic stats for data packets to be displayed in
wlan driver logs.
Change-Id: Iee6759ae75657ae93e94ea1bb1343f2ea489c087
CRs-Fixed: 2120047
The current tx & rx members of skb->cb structure have a lot of common members
duplicated across CONFIG_WIN and CONFIG_MCL.
The common members are now moved out and new members are added as per the
requirement. Also the members are organized to avoid additional padding
and fit within the 48 byte boundary for both 32bit & 64 bit platforms.
Change-Id: I27abc95d51127513cf2e7e9657a4ee84324b2cc9
CRs-Fixed: 2142792
With the current implementation, in case of an SSR/PDR, threads that are
waiting on events will only get purged after the wait timeout has
occurred, increasing the recovery time for the driver. Utilize new
APIs that maintain a list of events. In case of an SSR/PDR,
forcefully set these events.
Change-Id: I83b4f576a65f8da5762288ac8dfccdef7d05d82a
CRs-Fixed: 2045156
Check length of the data passed in the hw tx desc and
assert it is not zero-length.
This will make it then easy to debug it on host side.
Change-Id: I7d77ac5ee6f5a4992c4a91b9d5661d207732862f
CRs-Fixed: 2136638
When the MEMORY_DEBUG macro is defined for debugging memory issues,
even in the normal case it will still report a double free for the ipa
i2w SKB.
Fix is to add ipa i2w SKB to internal tracking table.
Change-Id: I27b0afc79e8c39c99a73ec9a65a348ebf85960b6
CRs-Fixed: 2145344
htt_tx_mutex, NBUF_QUEUE_MUTEX and HTT credit_mutex should all be
initialized before the related message handlers are connected to
their corresponding services, or there will be race conditions
happening during WLAN driver initialization which will cause
the Linux kernel to complain about bad magic of spin locks and
trigger a watch dog bite.
Change-Id: Id89185d811bcbed95732f142ed6fd611e0d6e2a4
CRs-Fixed: 2109674
To abstract kernel header inclusion, create new QDF APIs for all IPA
APIs and redirect all IPA API calls through QDF interfaces.
Change-Id: I7bff975ad7cb32fc128320c124633594471e0a1f
CRs-Fixed: 2098903
1) The htt htc free packet list is accessed without being protected
by a lock when packets are being removed from it, which may
introduce a potential race condition during stability stress
test. Protect the list by htt tx mutex before any packets are freed
from it.
2) The same protection should be done to the htt htc packet misc
list.
Change-Id: Ife075a24f119ccfff9b56ec6ce3bee5dd73c9dea
CRs-Fixed: 2137038
When CONFIG_HL_SUPPORT is defined, htt_rx_dbg_rxbuf_init is not called,
and rx_buff_list_lock is not initialized. rx_buff_list_lock should not
be destroyed if it is not initialized.
Do not call htt_rx_dbg_rxbuf_deinit when CONFIG_HL_SUPPORT is defined.
Change-Id: I9d64313efd5a9978b3fb953ac5d7ffb466abe010
CRs-Fixed: 2134345
Add wlan_objmgr_peer_debug_log() calls in WMA, ol_txrx for
tracking of peer create/delete/map/unmap events and related roaming
events. These calls, added in lnx.1.1 driver in different change lists,
are consolidated in this change.
Add wlan_roam_debug_dump_table() call to the functions that perform
recovery after detecting peer deletion error.
CRs-Fixed: 2130256
Change-Id: Ia3bb6a01b2f62889fe542a02ca42ffab5a8a76aa
Add "static" before some functions which are only used in 1 file to
resolve compilation error.
Change-Id: Id1b1101c3bb04910ad1e3639887f74e44d5b7c36
CRs-Fixed: 2010227
Add warning log at the critical code path of IPA session transition
for the race condition detection.
Set INFO log level to enter/exit logs for IPA session transition
code path.
Change-Id: I5089db5f53d13e5f78093171672ad86f7bd1cdc2
CRs-Fixed: 2124144