In monitor mode, the current implementation
uses the preamble type, vht_sig_a_1 and vht_sig_a_1
values associated with each mpdu, instead of reusing
the values from the first mpdu, to calculate data rates.
This is causing incorrect rates to be recorded in monitor mode logs.
Reuse preamble type, vht_sig_a_1 and vht_sig_a_1 of first
mpdu till the last mpdu is reached.
Change-Id: Ia6e5c1b3b0cc8d8b27f16cdfbd469fdba5c4a8f2
CRs-Fixed: 2276766
Separate out HL and LL Rx Data Path in different files
to compile out features cleanly
Change-Id: Ifc0e2d7e740142f0115d1fcd53db2936f7a30979
CRs-Fixed: 2287351
The kernel address is used as cookie to keep track
of stats request. This address can be disclosed to
target leading to a security vulnerability.
Implement a FW stats descriptor pool, and use a
descriptor ID to keep track of stats requests,
instead of the kernel address, to prevent
kernel address leak.
Change-Id: Ib49150da899c0b9314f614868a90867f4aa92d3d
CRs-Fixed: 2246110
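
Added example (not code from the driver or from this commit): a minimal sketch of the descriptor-pool idea described in the commit message above, where only a small pool index is sent to the target and the echoed value is validated before use. The names stats_pool, stats_desc_alloc, stats_desc_complete, demo_req and the pool size are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define STATS_POOL_SIZE  8      /* hypothetical pool size */
#define STATS_ID_INVALID 0xFF   /* returned when the pool is exhausted */

struct stats_desc {
    void   *req;     /* host-side request context; never leaves the host */
    uint8_t in_use;
};

static struct stats_desc stats_pool[STATS_POOL_SIZE];
static int demo_req;            /* constructed stand-in for a stats request */

/* Reserve a descriptor for req; the returned ID is the only cookie sent out. */
uint8_t stats_desc_alloc(void *req)
{
    for (uint8_t id = 0; id < STATS_POOL_SIZE; id++) {
        if (!stats_pool[id].in_use) {
            stats_pool[id].in_use = 1;
            stats_pool[id].req = req;
            return id;
        }
    }
    return STATS_ID_INVALID;
}

/*
 * Resolve a cookie echoed back by the target. The value is untrusted:
 * range-check it, confirm the slot is outstanding, then release the slot
 * so a replayed cookie resolves to nothing.
 */
void *stats_desc_complete(uint64_t cookie)
{
    if (cookie >= STATS_POOL_SIZE)
        return NULL;
    struct stats_desc *d = &stats_pool[cookie];
    if (!d->in_use)
        return NULL;
    void *req = d->req;
    d->in_use = 0;
    d->req = NULL;
    return req;
}

int main(void)
{
    uint8_t id = stats_desc_alloc(&demo_req);
    return stats_desc_complete(id) == &demo_req ? 0 : 1;
}
```
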
1) Genoa FW by default enables HI_ACS_FLAGS_SDIO_REDUCE_TX_COMPL_SET.
When this flag is enabled, credits are reported through
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND and not through
HTT_T2H_MSG_TYPE_TX_COMPL_IND.
However when TSF and PTP features are enabled we need to get TX
Completions from FW.
Since credits can also be updated through TX Completions
we need to disable updation of credits through TX Completion for Genoa.
2) Enable flag : cfg_ctx->tx_free_at_download to free ol tx descriptors at
download.
Change-Id: I176dc8391ded9fc57f8be2b465effd8ae84eda49
CRs-fixed: 2268757
Add support for HTT_T2H_MSG_TYPE_FLOW_POOL_RESIZE
command from firmware to resize flow pool and call appropriate
function to handle it.
Change-Id: I7d2ca6ed459383ec5c456b15a71290264d5d2408
CRs-Fixed: 2261265
IPA SMMU mapping for RX buffers is needed only when IPA offload
and IPA pipes are enabled. Currently in STA only case where IPA
is not enabled SMMU map/unmap is done for RX buffers. So enable
SMMU mapping only when IPA pipes are enabled.
Change-Id: I88db2cc8606bdf4586644a7ffccd0415f85c8241
CRs-Fixed: 2213795
Introducing integer overflow checks in htt_t2h_tx_ppdu_log_print()
contained use of %p which violates security guidelines.
Change %p to %pK.
Change-Id: I9e886e9b065ea6902aeedc3d9c25aac76a07d6de
CRs-Fixed: 2252217
Currently in htt_t2h_msg_handler_fast, msg_len, which is in number of
bytes, is directly compared with pdev->rx_mpdu_range_offset_words,
which is in number of words. Thus their comparison becomes invalid.
In htt_t2h_msg_handler, in addition to similar issue as above, the
checks for message offset validations do not consider integer overflows
occurring.
In htt_t2h_msg_handler_fast, the check condition involving
pdev_rx_mpdu_range_offset_words were corrected to work with bytes,
and in htt_t2h_msg_handler checks for integer overflow were also
added.
Change-Id: I9ec7d30cc24d288ddcabd3bb30674a2ca21f2251
CRs-Fixed: 2248069
Currently, the message types HTT_T2H_MSG_TYPE_RX_ADDBA and
HTT_T2H_MSG_TYPE_RX_DELBA are not supported as firmware is
no longer sending these messages to host.
Clean up the unreachable code for HTT_T2H_MSG_TYPE_RX_ADDBA
and HTT_T2H_MSG_TYPE_RX_DELBA message types.
Change-Id: I7a32fb53fec00e0507ef32d29494968188c98bfd
CRs-Fixed: 2226328
Currently SMMU mem map table allocation size is very high and may
lead to allocation failure if system memory is fragmented or in low
memory cases. Do not allocate SMMU mem table buffer; instead, update
for each rx nbuff.
Change-Id: Ib48199387abc942980cef1ef57a00e44c729e95f
CRs-Fixed: 2238629
mpdu_bytes_array_len, mpdu_msdus_array_len, and msdu_bytes_array_len
are used to calculate the record size, as well as used as
buffer offset, without any verification. This can cause multiple
overflows and underflows leading to OOB reads.
Add checks for each arithmetic operation with these variables.
Change-Id: Ib6ec6ac6932eb8c541bc2357d45d3feaf39fdb7d
CRs-Fixed: 2226125
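
Added example (not code from the driver or from these commits): the checks described above for htt_t2h_msg_handler/htt_t2h_msg_handler_fast (CRs-Fixed: 2248069) and for the length fields used as record size and buffer offset (CRs-Fixed: 2226125), reduced to one routine that converts words to bytes and rejects any arithmetic that would wrap. All function names and the 32-bit field widths are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

#define WORD_BYTES 4u

/* Overflow-checked 32-bit helpers: return false instead of wrapping. */
static bool mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (b != 0 && a > UINT32_MAX / b)
        return false;
    *out = a * b;
    return true;
}

static bool add_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a > UINT32_MAX - b)
        return false;
    *out = a + b;
    return true;
}

/* Flawed pattern: an offset in words compared directly with a length in bytes. */
bool offset_ok_mixed_units(uint32_t msg_len_bytes, uint32_t offset_words)
{
    return offset_words <= msg_len_bytes;
}

/* Checked pattern: everything in bytes, every product and sum verified. */
bool records_fit(uint32_t msg_len_bytes, uint32_t offset_words,
                 uint32_t num_records, uint32_t record_bytes)
{
    uint32_t offset_bytes, payload_bytes, end_bytes;

    if (!mul_u32(offset_words, WORD_BYTES, &offset_bytes) ||
        !mul_u32(num_records, record_bytes, &payload_bytes) ||
        !add_u32(offset_bytes, payload_bytes, &end_bytes))
        return false;
    return end_bytes <= msg_len_bytes;
}

int main(void)
{
    /* Constructed: 64-byte message, offset field of 20 words (80 bytes). */
    return (offset_ok_mixed_units(64, 20) && !records_fit(64, 20, 0, 4)) ? 0 : 1;
}
```
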
Address the following issues in the core/dp folder:
CHECK: 'accomodate' may be misspelled - perhaps 'accommodate'?
CHECK: 'acess' may be misspelled - perhaps 'access'?
CHECK: 'bahavior' may be misspelled - perhaps 'behavior'?
CHECK: 'catagory' may be misspelled - perhaps 'category'?
CHECK: 'continous' may be misspelled - perhaps 'continuous'?
CHECK: 'controler' may be misspelled - perhaps 'controller'?
CHECK: 'curently' may be misspelled - perhaps 'currently'?
CHECK: 'defintion' may be misspelled - perhaps 'definition'?
CHECK: 'Defintions' may be misspelled - perhaps 'Definitions'?
CHECK: 'desriptor' may be misspelled - perhaps 'descriptor'?
CHECK: 'extention' may be misspelled - perhaps 'extension'?
CHECK: 'informations' may be misspelled - perhaps 'information'?
CHECK: 'lenght' may be misspelled - perhaps 'length'?
CHECK: 'managment' may be misspelled - perhaps 'management'?
CHECK: 'messsage' may be misspelled - perhaps 'message'?
CHECK: 'neccessary' may be misspelled - perhaps 'necessary'?
CHECK: 'recieved' may be misspelled - perhaps 'received'?
CHECK: 'Recieve' may be misspelled - perhaps 'Receive'?
Change-Id: Ib8c1b94b5bb3bb5798e41dbb4c1461be80fd1398
CRs-Fixed: 2241941
Currently, "channel_freq" is declared as uint16_t. But
htt_get_channel_freq returns "int" which is assigned to
"channel_freq". So, channel_freq != -1 is always true
regardless of the values of its operands.
Declare "channel_freq" as int and add the check if
channel_freq is positive.
Change-Id: I13ae35c1bee3cdf293227e320ede8d8cd2e968fe
CRs-Fixed: 2233556
Apparently netbufs_ring is initialized only when reordering is not fully
offloaded. When a message of type HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND
is sent, the driver does not check if reordering is offloaded.
Add a check, if reordering is offloaded, when a message of type
HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND is sent.
Change-Id: I303b52182d97aa8185c23ccd99c37a97fb75a3d2
CRs-Fixed: 2213216
To avoid out-of-bounds access of mem_map_table from htt_rx_hash_deinit,
allocate mem_map_table size the same as maximum number of hash
entries, which is RX_NUM_HASH_BUCKETS * RX_ENTRIES_SIZE.
Change-Id: If25f97b47350196ceb2e8c60e7d5430a1484a01d
CRs-Fixed: 2214158
Add GRO support and make it configurable through INI(GROEnable).
GRO and LRO are mutually exclusive. Only one of them can be enabled.
And disable GRO during the following conditions:
1) Low TPUT scenario
2) Concurrency cases
3) For Rx packets when Peer is not connected
Change-Id: I15535827a03953231670d4138235c4876b16e045
CRs-Fixed: 2098772
Currently variable "num_mpdu_ranges" is from message, which is used
directly without any validation which causes buffer over-write.
To avoid buffer over-write add check for the valid num_mpdu_ranges.
Change-Id: I54e138d4bd63cbe7a0ae4faf0fe9d8e59ca92c71
CRs-Fixed: 2213655
Some of the platforms deliver the msdu with skb head and skb data
pointing to the same address; in such cases do skb pull to create room
for radiotap hdr and let qdf_nbuf_update_radiotap() API handle creating
room for radiotap header.
Note: When skb head and skb data pointers point to the same
address, it indicates that radiotap size is already considered in
headroom.
CRs-Fixed: 2230412
Change-Id: Ide49544873554ae38a49af1511fd5bafd0d25102
While handling a multi-segment TSO packet, there is a race condition
where, if tx complete arrives fast enough, the un-sent TSO segments
may be lost forever and a previously sent segment would be attempted
to be sent over.
Fix the race condition. Don't use the segment after send to go to the
next one.
Change-Id: I4abd9d26f50c749141925894a8845cf82df4d222
CRs-Fixed: 2168778
Several packets are sent to firmware in htt_htc_attach_all(), back to
back. However, if one of the latter packets fails to send for some
reason, the previous packets are not flushed. This leads to a number of
leaks under error conditions.
If a packet fails to send in htt_htc_attach_all(), flush the endpoint
before returning failure to the upper layers.
Change-Id: If9b33a645f7bcc77442e18566525ae57b544f1a0
CRs-Fixed: 2219137
Currently data in "pl_tgt_hdr" is used directly from firmware without
any length check which may cause buffer over-read.
To address this issue add length check before accessing data offset.
Change-Id: Ic2930fdf7168b79a8522be282b0e1cd19214742a
CRs-Fixed: 2148631
In htt_rx_ring_fill_n, when debt_served is non-zero,
mem_map_table is being updated for extra buffers even
though memory to store mem_info has not been allocated
for those buffers. As a result of this overflow, memory
corruption is happening.
Fix overflowing of mem_map_table array in htt_rx_ring_fill_n.
Change-Id: I3ff96f57baf07799fd69d7ba196e44e7819f58dc
CRS-Fixed: 2103792
Update WLAN-IPA WDI-2 datapath buffer sharing for SMMU Stage 1
translation support. When SMMU Stage 1 translation is enabled
DMA APIs return IO virtual address (IOVA) instead of physical
address. This IOVA needs to be mapped to physical address by IPA
module before accessing them.
Change-Id: I969ad020d5b423c785539f346286b212ea5830a1
CRS-Fixed: 2072960
When getting length by HTT_WDI_IPA_OP_RESPONSE_RSP_LEN_GET,
the input msg_word needs to shift 4 bytes.
Failure length check will cause ipa uc event without processing.
Regression cause Iddf2df0fd65f5b33b54f1a608cdd34e400c0e03c.
Change-Id: I41a44ae26f84d974cbd3242f4454ec6068d7b68b
CRs-Fixed: 2206296
Size is allocated with sizeof(target_paddr_t), which follows the DMA
device, but freed with sizeof(qdf_nbuf_t), which is a pointer following
the system. These may not be the same size on some platforms.
Fix it by using the same type when allocating/freeing.
Change-Id: Iadcb68b05ca5798f38c4341323b9fd1e32f5d693
CRs-Fixed: 2189671
Currently variables "num_flows" and "len" are used directly, from
message, without any validation which causes buffer over-write.
To address this issue add check for the num_flows and len.
Change-Id: Iddf2df0fd65f5b33b54f1a608cdd34e400c0e03c
CRs-Fixed: 2148489
Currently there are type conversion issues for variables compl_msg
and pool_numap_payload. This may cause potential buffer over-read.
To address this issue add check for structure size.
Change-Id: Id4804eeaf5e80a9045f1c057fa4cb9db15c1ab7d
CRs-Fixed: 2148306
Currently variable "num_mpdu_ranges" is from message, which is used
directly without any validation which causes buffer over-write.
To address this issue add check for the valid num_mpdu_ranges.
Change-Id: I3f340b913f3063b24c14644ea723a99690e89dcf
CRs-Fixed: 2146934
Count of htt tx buffer pool should be a power of 2 for fail case. For
Rome platform, it does not unmap nbuf when freeing htt tx buffer pool.
Change-Id: I85a9a1d02bf403f1be7289b1a0a89f86ef25f763
CRs-Fixed: 2179770
Currently variable "tid" is from message, which is used directly
as array size which causes buffer over-write.
To address this issue add check for the array size.
Change-Id: I9b9d028ddb9566938f93ff8155284876c1ef9c03
CRs-Fixed: 2146949
Optimize driver init time log from HIF layer to avoid any console
logging related side effect.
Change-Id: If4331eb857d52330dc270cc8ebf6b559daa9413b
CRs-Fixed: 2170144
Move module init/deinit and function entry/exit logs to DEBUG level,
and keep only minimum logs in kernel log buffer.
Change-Id: Ia9fe82934638683079d308acfc9e7014e1d1a0e3
CRs-Fixed: 2169416
Change some of info/warn log levels to debug log levels to
avoid excessive console logging during driver load.
Change-Id: I042a8f8f735fb2eb7c135c120cbc6644c46bcc31
CRs-Fixed: 2169378
Enable 64-bit htt rx addr tracking based on HTT_PADDR64
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
CRs-Fixed: 2166963
Change-Id: I47cfcb3f082bc969cd27630cfd96eb53b31cc40d