Currently %p is used in ol_txrx_peer_release_ref function in
ol_txrx.c which violates security guidelines
To address this issue change %p to %pK.
Change-Id: I06fd9eb260d1c53e4de235b710cd0ea05125b976
CRs-Fixed: 2170905
When debug traffic stall issues, target credit number is also one
key point to trace beside status of TX queues. So add such info
in TX_QUEUE_STATS.
Change-Id: I2615545c1e041af920a4d0d6d0a8e3990768b762
CRs-Fixed: 2060945
Currently data in "pl_tgt_hdr" is used directly from firmware without
any length check which may cause buffer over-read.
To address this issue add length check before accessing data offset
Change-Id: Ic2930fdf7168b79a8522be282b0e1cd19214742a
CRs-Fixed: 2148631
Track connectivity stats for data rx packets through a
callback function hdd_tx_rx_collect_connectivity_stats_info().
Change-Id: I045ba694495876273691373a9d0a8995d4aa9c34
CRs-Fixed: 2161889
Extend to collect connectivity check stats other
than ARP such as DNS, TCP SYN/SYN-ACK/ACK, and Ipv4.
Add extra attributes in existing vendor command(set/reset
and get NUD debug stats) for above connectvitiy stats.
CRs-Fixed: 2161889
Change-Id: I037c4ec29b181a0b3117ae2abbc7a2229b373ac2
In htt_rx_ring_fill_n, when debt_served is non-zero,
mem_map_table is being updated for extra buffers even
though memory to store mem_info has not been allocated
for those buffers. As a result of this overflow, memory
corruption is happening.
Fix overflowing of mem_map_table array in htt_rx_ring_fill_n.
Change-Id: I3ff96f57baf07799fd69d7ba196e44e7819f58dc
CRS-Fixed: 2103792
Update WLAN-IPA WDI-2 datapath buffer sharing for SMMU Stage 1
translation support. When SMMU Stage 1 translation is enabled
DMA APIs return IO virtual address(IOVA) instead of physical
address. This IOVA need to mapped to physical address by IPA
module before accessing them
Change-Id: I969ad020d5b423c785539f346286b212ea5830a1
CRS-Fixed: 2072960
When get length by HTT_WDI_IPA_OP_RESPONSE_RSP_LEN_GET,
the input msg_word needs to shift 4Bytes.
Failure length check will cause ipa uc event without processing.
Regression cause Iddf2df0fd65f5b33b54f1a608cdd34e400c0e03c.
Change-Id: I41a44ae26f84d974cbd3242f4454ec6068d7b68b
CRs-Fixed: 2206296
The packets in the vdev ll_pause queue hasn't been doing the qdf_nbuf_map,
or they might be mapped by other module like ipa. So do not unmap in the
ol_txrx_vdev_detach to avoid the mis-match operation.
Change-Id: I498c09152be95464bc6343f2a48d63e13d621a82
CRs-Fixed: 2198903
One of the arrays defined in data-path's API is not initialized
and this API assumes that subsequent loop will fill up the array to
correct default value. This assumption is wrong.
Intialize the array "save_peer_id_ref_cnt" in API
"ol_txrx_peer_remove_obj_map_entries" to default value "0" to avoid
any issue.
CRs-Fixed: 2196084
Change-Id: If0080708662fc44e6583823717798a9f505ec1d0
In MCC tx path, skb is owned by IPA driver, where IPA driver provides
wlan driver directly DMA mapped address. Doing dma unmap of the skb
will lead to skb dma map check failure.
Fix is to skip dma unmap for IPA owned skb and let IPA driver handle
dma unmap.
Change-Id: Ib38ca949ba915785e460c05172b70088a3564b1c
CRs-Fixed: 2189889
Change to collect arp packet stats along with
existing hdd stats to debug arp packet related
issues.
Change-Id: Idce70799bd3698dc8a8ecd8cfc8ef7d9bf1f5764
CRs-Fixed: 2019787
Packetlog initialization is failing as txrx_get_pldev API is missing,
which returns paketlog object from the given pdev.
Add txrx_get_pldev API to get packet log object for the given pdev.
Change-Id: I2219a5c0964e76637ff8dbef92661b98cd22fb28
CRs-Fixed: 2189211
Size allocate with sizeof(target_paddr_t) which is following DMA
device, but free with sizeof(qdf_nbuf_t) which is a pointer following
system. Maybe not same size on some platform.
Fix it by using same type when allocate/free.
Change-Id: Iadcb68b05ca5798f38c4341323b9fd1e32f5d693
CRs-Fixed: 2189671
STA peer can be cleared from peer detach and HDD. If the
peer is cleared by peer detach, then return success to
HDD request.
Change-Id: I7aa564e7f2a1c9ce336ae96679d93a6e11703c37
CRs-Fixed: 2181163
The TX buffers in the vdev->ll_pause pending queue, which haven't mapped
the physical address.
Adding nbuf physical address checking to avoid the mis-matching unmap
especially when the MEMORY_DEBUG is enabled.
Change-Id: I6b0fcd1c7d07ca358d07b9931dea321ee8c6169a
CRs-Fixed: 2183678
Remove panic after peer_delete timeout and fail corresponding peer
operation. Peer reference count can be taken by kworker thread which
may get pre-empted by other higher priority threads or stuck, leading
to delay in releasing reference. This delay cannot be completely
removed, hence rather than panic after timeout, enhance logging and
fail corresponding peer operation.
Change-Id: I42c379c0cf91d29d293c3c53c3a378421aef07f9
CRs-Fixed: 2181097
Currently variable "num_flows" and "len" is used directly, from
message, without any validation which causes buffer over-write.
To address this issue add check for the num_flows and len
Change-Id: Iddf2df0fd65f5b33b54f1a608cdd34e400c0e03c
CRs-Fixed: 2148489
Currently type conversion issues are for variables compl_msg
and pool_numap_payload. This may cause potential buffer over-read.
To address this issue add check for structure size.
Change-Id: Id4804eeaf5e80a9045f1c057fa4cb9db15c1ab7d
CRs-Fixed: 2148306
Currently variable "num_mpdu_ranges" is from message, which is used
directly without any validation which causes buffer over-write.
To address this issue add check for the valid num_mpdu_ranges
Change-Id: I3f340b913f3063b24c14644ea723a99690e89dcf
CRs-Fixed: 2146934
Count of htt tx buffer pool should be power of 2 for fail case. For
Rome platform, it does not unmap nbuf when free htt tx buffer pool.
Change-Id: I85a9a1d02bf403f1be7289b1a0a89f86ef25f763
CRs-Fixed: 2179770
In ol_txrx_peer_release_ref, it is possible that this function is
scheduled out when just unlock peer_ref_mutex, unmap event will
come to decrease ref_cnt and free peer object, when
ol_txrx_peer_release_ref is scheduled back and access peer info,
it will cause use-after-free.
Get peer info in the protection of peer_ref_mutex.
Change-Id: Ic442f53e0993a931c4411d9dbc85f04d6a85dc46
CRs-Fixed: 2180584
When getting vdev by sta_id, peer could be deleted after retrieved,
so garbage vdev is returned.
To protect peer info, increase ref_cnt and delete peer when the ref
count is 0.
Change-Id: I850d38166d7c16d7f5e580baf3e0d17db22583f8
CRs-Fixed: 2171619
There is a very rare race condition between
ol_txrx_peer_find_by_local_id_inc_ref(running in OL RX
thread context) and ol_txrx_peer_detach(running in MC
thread context) where MC thread 1st got chance and cleared
the peer->valid flag before OL RX thread can increment the
ref count and this led to OL RX thread got a peer without
any ref count which was freed later while OL RX thread was
still using it.
Change:
1 Set peer to NULL if peer valid check fails in
ol_txrx_peer_find_by_local_id_inc_ref
2 release peer ref cnt for error case in ol_rx_data_cb
Change-Id: Id21350933386464e5814babcb078d9719572af86
CRs-Fixed: 2176704
Currently variable "tid" is from message, which is used directly
as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9b9d028ddb9566938f93ff8155284876c1ef9c03
CRs-Fixed: 2146949
Currently variable "tx_desc_id" is from message and it
is used without check.This may cause buffer over-write.
To address this issue add check for valid "tx_desc_id"
Change-Id: Ifcdbf60ce1e0f81be77308185ab51b59746c21af
CRs-Fixed: 2146878
Currently variable "tid" is from message, which is used
directly as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9fae424d19ce5e886d385071863cbfca9633dd84
CRs-Fixed: 2148184
Optimize driver init time log from HIF layer to avoid any console
logging related side effect.
Change-Id: If4331eb857d52330dc270cc8ebf6b559daa9413b
CRs-Fixed: 2170144
When calling ol_txrx_flush_rx_frames from rx thread, it is possible
that rx thread is scheduled out, if peer detach happens from MC thread,
after return back to rx thread, the peer may have been deleted which
causes panic.
Add ref_cnt to protect peer info and move delete peer_info_lock/
bufq_lock when finally delete peer rather than in the beginning
of ol_txrx_peer_detach.
Change-Id: I24a85de4551f93c379da59eb21a388e8eaf5f1d2
CRs-Fixed: 2164432
Check for the validity of group_id when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND from firmware to ensure the buffer
overflow does not happen.
Change-Id: I17ac9f37a1450f32fb080c3b22f6317b6238068c
CRs-Fixed: 2148610
Move module init/deinit and function entry/exit logs to DEBUG level,
and keep only minimum logs in kernel log buffer.
Change-Id: Ia9fe82934638683079d308acfc9e7014e1d1a0e3
CRs-Fixed: 2169416
Change some of info/warn log levels to debug log levels to
avoid excessive console logging during driver load.
Change-Id: I042a8f8f735fb2eb7c135c120cbc6644c46bcc31
CRs-Fixed: 2169378
Enable 64-bit htt rx addr tracking based on HTT_PADDR64
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
CRs-Fixed: 2166963
Change-Id: I47cfcb3f082bc969cd27630cfd96eb53b31cc40d
1) Local peer ID freeing is currently done before peer ref count
decreasing and peer releasing, which imposes a potential race
condition, in which the same local peer ID map will be accessed
before the peer object is fully released.
Fix the issue by relocating the local peer ID freeing to the
point where the peer object is to be freed.
2) Add changes to the return value description of function
ol_txrx_peer_release_ref
Change-Id: Id7722bd54afd6110b91634ca7f1632cade766704
CRs-Fixed: 2155759
Historically, OL peers were forcibly destroyed during pdev detach. This
logic was mistakenly removed as part of another change. This led to peer
leaks during Sub-System Restart (SSR). Restore the peer delete logic to
close peer leaks during SSR.
Change-Id: I72d980750a2f97e6717f720a63f4a651f7615aee
CRs-Fixed: 2167237
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tx_desc_id when received the htt message of
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND from firmware to ensure the buffer
overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2164705
With the existing implementation of TAILQ_FOREACH_REVERSE
in ol_txrx_remove_peers_for_vdev() function, host traverses
the list, stores the peer in the var, releases the lock and
later temp var is getting deleted as part of peer unmap and
host end up in accessing the stale peer entry.
To avoid this, host should check the peer delete in progress
first before assigning it to the temp var.
Change-Id: I5b9a401ae062efc6d2fbe608b25424a27c9d9f94
CRs-Fixed: 2159446
Presently, OFDM packets are assigned preamble type of
LONG_PREAMBLE when the type should be SHORT_PREAMBLE.
Assign the preamble type correctly.
Change-Id: Ie16936ba54cb8e1dfa5e96ccc52f3fc6693a5d48
CRs-Fixed: 2159511
Since struct sps_iovc is obsolete in the latest kernel,
use a local macro instead of sizeof() . It should be
updated with the correct IPA size macro once it is
avaiable in the latest kernel.
CRs-Fixed: 2160658
Change-Id: Ifc2926d5182c96e07de6b4ddd50156764b7ad51e
