Packetlog initialization is failing as txrx_get_pldev API is missing,
which returns paketlog object from the given pdev.
Add txrx_get_pldev API to get packet log object for the given pdev.
Change-Id: I2219a5c0964e76637ff8dbef92661b98cd22fb28
CRs-Fixed: 2189211
Size allocate with sizeof(target_paddr_t) which is following DMA
device, but free with sizeof(qdf_nbuf_t) which is a pointer following
system. Maybe not same size on some platform.
Fix it by using same type when allocate/free.
Change-Id: Iadcb68b05ca5798f38c4341323b9fd1e32f5d693
CRs-Fixed: 2189671
STA peer can be cleared from peer detach and HDD. If the
peer is cleared by peer detach, then return success to
HDD request.
Change-Id: I7aa564e7f2a1c9ce336ae96679d93a6e11703c37
CRs-Fixed: 2181163
The TX buffers in the vdev->ll_pause pending queue, which haven't mapped
the physical address.
Adding nbuf physical address checking to avoid the mis-matching unmap
especially when the MEMORY_DEBUG is enabled.
Change-Id: I6b0fcd1c7d07ca358d07b9931dea321ee8c6169a
CRs-Fixed: 2183678
Remove panic after peer_delete timeout and fail corresponding peer
operation. Peer reference count can be taken by kworker thread which
may get pre-empted by other higher priority threads or stuck, leading
to delay in releasing reference. This delay cannot be completely
removed, hence rather than panic after timeout, enhance logging and
fail corresponding peer operation.
Change-Id: I42c379c0cf91d29d293c3c53c3a378421aef07f9
CRs-Fixed: 2181097
Currently variable "num_flows" and "len" is used directly, from
message, without any validation which causes buffer over-write.
To address this issue add check for the num_flows and len
Change-Id: Iddf2df0fd65f5b33b54f1a608cdd34e400c0e03c
CRs-Fixed: 2148489
Currently type conversion issues are for variables compl_msg
and pool_numap_payload. This may cause potential buffer over-read.
To address this issue add check for structure size.
Change-Id: Id4804eeaf5e80a9045f1c057fa4cb9db15c1ab7d
CRs-Fixed: 2148306
Currently variable "num_mpdu_ranges" is from message, which is used
directly without any validation which causes buffer over-write.
To address this issue add check for the valid num_mpdu_ranges
Change-Id: I3f340b913f3063b24c14644ea723a99690e89dcf
CRs-Fixed: 2146934
Count of htt tx buffer pool should be power of 2 for fail case. For
Rome platform, it does not unmap nbuf when free htt tx buffer pool.
Change-Id: I85a9a1d02bf403f1be7289b1a0a89f86ef25f763
CRs-Fixed: 2179770
In ol_txrx_peer_release_ref, it is possible that this function is
scheduled out when just unlock peer_ref_mutex, unmap event will
come to decrease ref_cnt and free peer object, when
ol_txrx_peer_release_ref is scheduled back and access peer info,
it will cause use-after-free.
Get peer info in the protection of peer_ref_mutex.
Change-Id: Ic442f53e0993a931c4411d9dbc85f04d6a85dc46
CRs-Fixed: 2180584
When getting vdev by sta_id, peer could be deleted after retrieved,
so garbage vdev is returned.
To protect peer info, increase ref_cnt and delete peer when the ref
count is 0.
Change-Id: I850d38166d7c16d7f5e580baf3e0d17db22583f8
CRs-Fixed: 2171619
There is a very rare race condition between
ol_txrx_peer_find_by_local_id_inc_ref(running in OL RX
thread context) and ol_txrx_peer_detach(running in MC
thread context) where MC thread 1st got chance and cleared
the peer->valid flag before OL RX thread can increment the
ref count and this led to OL RX thread got a peer without
any ref count which was freed later while OL RX thread was
still using it.
Change:
1 Set peer to NULL if peer valid check fails in
ol_txrx_peer_find_by_local_id_inc_ref
2 release peer ref cnt for error case in ol_rx_data_cb
Change-Id: Id21350933386464e5814babcb078d9719572af86
CRs-Fixed: 2176704
Currently variable "tid" is from message, which is used directly
as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9b9d028ddb9566938f93ff8155284876c1ef9c03
CRs-Fixed: 2146949
Currently variable "tx_desc_id" is from message and it
is used without check.This may cause buffer over-write.
To address this issue add check for valid "tx_desc_id"
Change-Id: Ifcdbf60ce1e0f81be77308185ab51b59746c21af
CRs-Fixed: 2146878
Currently variable "tid" is from message, which is used
directly as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9fae424d19ce5e886d385071863cbfca9633dd84
CRs-Fixed: 2148184
Optimize driver init time log from HIF layer to avoid any console
logging related side effect.
Change-Id: If4331eb857d52330dc270cc8ebf6b559daa9413b
CRs-Fixed: 2170144
When calling ol_txrx_flush_rx_frames from rx thread, it is possible
that rx thread is scheduled out, if peer detach happens from MC thread,
after return back to rx thread, the peer may have been deleted which
causes panic.
Add ref_cnt to protect peer info and move delete peer_info_lock/
bufq_lock when finally delete peer rather than in the beginning
of ol_txrx_peer_detach.
Change-Id: I24a85de4551f93c379da59eb21a388e8eaf5f1d2
CRs-Fixed: 2164432
Check for the validity of group_id when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND from firmware to ensure the buffer
overflow does not happen.
Change-Id: I17ac9f37a1450f32fb080c3b22f6317b6238068c
CRs-Fixed: 2148610
Move module init/deinit and function entry/exit logs to DEBUG level,
and keep only minimum logs in kernel log buffer.
Change-Id: Ia9fe82934638683079d308acfc9e7014e1d1a0e3
CRs-Fixed: 2169416
Change some of info/warn log levels to debug log levels to
avoid excessive console logging during driver load.
Change-Id: I042a8f8f735fb2eb7c135c120cbc6644c46bcc31
CRs-Fixed: 2169378
Enable 64-bit htt rx addr tracking based on HTT_PADDR64
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
CRs-Fixed: 2166963
Change-Id: I47cfcb3f082bc969cd27630cfd96eb53b31cc40d
1) Local peer ID freeing is currently done before peer ref count
decreasing and peer releasing, which imposes a potential race
condition, in which the same local peer ID map will be accessed
before the peer object is fully released.
Fix the issue by relocating the local peer ID freeing to the
point where the peer object is to be freed.
2) Add changes to the return value description of function
ol_txrx_peer_release_ref
Change-Id: Id7722bd54afd6110b91634ca7f1632cade766704
CRs-Fixed: 2155759
Historically, OL peers were forcibly destroyed during pdev detach. This
logic was mistakenly removed as part of another change. This led to peer
leaks during Sub-System Restart (SSR). Restore the peer delete logic to
close peer leaks during SSR.
Change-Id: I72d980750a2f97e6717f720a63f4a651f7615aee
CRs-Fixed: 2167237
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tx_desc_id when received the htt message of
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND from firmware to ensure the buffer
overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2164705
With the existing implementation of TAILQ_FOREACH_REVERSE
in ol_txrx_remove_peers_for_vdev() function, host traverses
the list, stores the peer in the var, releases the lock and
later temp var is getting deleted as part of peer unmap and
host end up in accessing the stale peer entry.
To avoid this, host should check the peer delete in progress
first before assigning it to the temp var.
Change-Id: I5b9a401ae062efc6d2fbe608b25424a27c9d9f94
CRs-Fixed: 2159446
Presently, OFDM packets are assigned preamble type of
LONG_PREAMBLE when the type should be SHORT_PREAMBLE.
Assign the preamble type correctly.
Change-Id: Ie16936ba54cb8e1dfa5e96ccc52f3fc6693a5d48
CRs-Fixed: 2159511
Since struct sps_iovc is obsolete in the latest kernel,
use a local macro instead of sizeof() . It should be
updated with the correct IPA size macro once it is
avaiable in the latest kernel.
CRs-Fixed: 2160658
Change-Id: Ifc2926d5182c96e07de6b4ddd50156764b7ad51e
Fix is to get correct 64-bit htt rx in order address
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
Change-Id: I479ed4a2dd5cee3427f9a3714cda4ed50afa271a
CRs-Fixed: 2161207
In case of Monitor mode, headroom of skb, which originally
contains rx_desc data, is overwritten by radio tap header.
Host pulls skb data by radio tap header and the same skb is
passed on to packet log function which expects payload to
point to skb-> data and end up in wrong access.
Moreover, pktlog is meant to log rx_desc information which is
already overwritten by radio header and hence pkt logging is
of no use in this case.
CRs-Fixed: 2159130
Change-Id: Id19c0371a0ed31c70ada788fc2b396a8b1eac1f1
The existing peer API cdp_peer_find_by_add does not maintain any peer
references. So a peer which is returned by the API may get deleted in a
different context. This may lead to access to a already deleted memory.
Fix the issue by introducing new APIs "peer_get_ref" and
"peer_release_ref" which make sure the peer is valid until it is
"released" (peer_release_ref is called).
Change-Id: I60175ee1d67f01e3ee4b48cb655d1728d29d08f4
CRs-Fixed: 2139801
qcacld-2.0 to qcacld-3.0 propagation
For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If set the msdu_cnt to a negative value,
or be greater than the number of current elements in the queue, the loop
will execute lots of times in ol_rx_offload_deliver_ind_handler, the
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
low latency solution.
Change the msdu_cnt type from signed to unsigned and add the validity
msdu_cnt checking will fix this issue.
Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of peer_id when received the htt message of
HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware
to ensure the buffer overflow does not happen.
Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tid when received the htt message of
HTT_T2H_MSG_TYPE_RX_FLUSH & HTT_T2H_MSG_TYPE_RX_PN_IND from firmware
to ensure the buffer overflow does not happen.
And correct the sequence number type from signed int to unsigned.
Change-Id: Ibff86e891c335bfe8c2f9db82410545036463ed3
CRs-Fixed: 2149399
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of num_msdus when received the htt message of
HTT_T2H_MSG_TYPE_TX_COMPL_IND or HTT_T2H_MSG_TYPE_TX_INSPECT_IND from
firmware to ensure the buffer overflow does not happen.
Change-Id: Ic6ce75f34c5e2705d174eda014350e6ef0391388
CRs-Fixed: 2146869
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of credits when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND or HTT_T2H_MSG_TYPE_TX_COMPL_IND
from firmware to ensure the integer overflow does not happen if these
messages invoked many times.
Change-Id: I01386b88f1b677153f3e51e055b7fbac073cd6b3
CRs-Fixed: 2147127
Save peer_ids[] array during cleanup and print it later, after
releasing peer_map_unmap_lock. It avoids usage of multiple QDF_TRACE()
calls inside critical region.
CRs-Fixed: 2027795
Change-Id: I77474f75d0889604e30ba637a04d39fddcaf754c
Add support for periodic stats for data packets to be displayed in
wlan driver logs.
Change-Id: Iee6759ae75657ae93e94ea1bb1343f2ea489c087
CRs-Fixed: 2120047
The current tx & rx member of skb->cb structure has lot of common members
duplicated across CONFIG_WIN and CONFIG_MCL.
The common members are now moved out and new members are added as per the
requirement. Also the members are organized to avoid additional padding
and fit within the 48 byte boundary for both 32bit & 64 bit platforms.
Change-Id: I27abc95d51127513cf2e7e9657a4ee84324b2cc9
CRs-Fixed: 2142792
With current implementation in case of an SSR/PDR threads that are
waiting on events will only get purged after the wait timeout has
occurred, increasing the recovery time for the driver. Utilize new
APIs that maintain a list of events. In case of an SSR/PDR
forcefully set these events.
Change-Id: I83b4f576a65f8da5762288ac8dfccdef7d05d82a
CRs-Fixed: 2045156
Check length of the data passed in the hw tx desc and
assert it is not zero-length.
This will make it then easy to debug it on host side.
Change-Id: I7d77ac5ee6f5a4992c4a91b9d5661d207732862f
CRs-Fixed: 2136638
When define MEMORY_DEBUG macro for debugging memory issue,
even in normal case it still will report double free for ipa
i2w SKB.
Fix is to add ipa i2w SKB to internal tracking table.
Change-Id: I27b0afc79e8c39c99a73ec9a65a348ebf85960b6
CRs-Fixed: 2145344
htt_tx_mutex, NBUF_QUEUE_MUTEX and HTT credit_mutex should all be
initialized before the related message handlers are connected to
their corresponding services, or there will be racing conditions
happening during WLAN driver initialization which will cause
the Linux kernel complaining for bad magic of spin locks and
triggers watch dog bite.
Change-Id: Id89185d811bcbed95732f142ed6fd611e0d6e2a4
CRs-Fixed: 2109674
To abstract kernel header inclusion, create new QDF APIs for all IPA
APIs and redirect all IPA API calls through QDF interfaces.
Change-Id: I7bff975ad7cb32fc128320c124633594471e0a1f
CRs-Fixed: 2098903
