Propagation from qcacld-3.0 to qcacld-2.0
There are currently three issues which can result in a buffer overread
when processing PNO vendor commands:
1) __wlan_hdd_cfg80211_set_passpoint_list() specifies the wrong policy
when invoking nla_parse().
2) hdd_extscan_passpoint_fill_network_list() does not specify a policy
when invoking nla_parse().
3) __wlan_hdd_cfg80211_set_epno_list() specifies a policy but not all
of the attributes that are parsed are present in the policy.
To prevent buffer overread:
1) Update __wlan_hdd_cfg80211_set_passpoint_list() and
hdd_extscan_passpoint_fill_network_list() to use the policy
wlan_hdd_pno_config_policy.
2) Update wlan_hdd_pno_config_policy to contain all the fixed-length
attributes needed by __wlan_hdd_cfg80211_set_passpoint_list(),
hdd_extscan_passpoint_fill_network_list(), and
__wlan_hdd_cfg80211_set_epno_list().
Bug: 36817548
Bug: 36815952
Change-Id: I4a20e77ce87967ae78323b83a2aa9085fed2647f
CRs-Fixed: 2058447
Signed-off-by: Ecco Park <eccopark@google.com>
Buffer overflow in ConvertQosMapsetFrame function
when num_dscp_exceptions value is less than 16.
Fix is to return from function if num_dscp_exceptions
is less than 16.
Change-Id: I2fcce60b7fe5e988348cee786e9a4d493d9512fe
CRs-Fixed: 2061544
Bug: 36895857
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently the QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR nla_policy specifies
a type of NLA_STRING, but the underlying implementation expects a
NUL-terminated string. Update the policy to correctly use a type of
NLA_NUL_STRING with the len updated to remove the allocation needed
for the terminating NUL.
Bug: 37687303
Change-Id: Ic73241511ab73ae63fd7c1a8d6422da91931919c
CRs-Fixed: 2061688
Currently there are multiple cfg80211 vendor commands where MAC
address attributes are defined in a nla_policy table with a type of
NLA_UNSPEC but without a minimum length. Add the proper minimum length
to avoid buffer overread.
Bug: 37713609
Change-Id: I11ff2bd813dc4e6784a7cdee66a0c10ca0e69fcf
CRs-Fixed: 2061251
Signed-off-by: Ecco Park <eccopark@google.com>
Currently attributes are not validated in __wlan_hdd_cfg80211_do_acs,
which can lead to a buffer overread.
To resolve this issue, define an nla_policy and validate the
attributes.
Bug: 37720349
CRs-Fixed: 2058448
Change-Id: Ic1bd5abbef09407f925625b709f10cf9cb7c3d7f
Signed-off-by: Ecco Park <eccopark@google.com>
Currently QCA_WLAN_VENDOR_ATTR_CONFIG_FINE_TIME_MEASUREMENT is not
properly represented in the wlan_hdd_wifi_config_policy table, so add
a proper initializer.
Bug: 37721426
Change-Id: I95ba66337c30cae67b23c9942b9360522ad60df0
CRs-Fixed: 2061241
Signed-off-by: Ecco Park <eccopark@google.com>
Athdiag procfs entry does not have an address sanity check, which
results in invalid ioread32/iowrite32 if an address outside the PCIE BAR
is used.
Fix this by allowing addresses within the PCIE BAR range.
Change-Id: I8365eacca7ccc4f489b7d0bda6c998384d0fec7b
CRs-Fixed: 2062012
Bug: 62058746
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Restrict the pktlog buffer size to a minimum of 1MB and maximum
of 16MB using pktlogconf tool or through sysctl command.
Bug: 62085265
CRs-Fixed: 2064785
Change-Id: I2951de86de083b610bb114ff4b9ddcb51c4c3042
Signed-off-by: Ecco Park <eccopark@google.com>
There is a possibility to read uninitialized memory within the api
__wlan_hdd_cfg80211_testmode.
To resolve this issue, initialize buffer hb_params with zero.
Bug: 62456806
Change-Id: Ia8061610a8c35aa7290177c0dcd2c5c36d9fcb35
CRs-Fixed: 2061755
Signed-off-by: Ecco Park <eccopark@google.com>
Add changes to drop assoc request and return error if RSNIE or
WPAIE parsing fails during parsing of assoc request.
Bug: 63868020
CRs-Fixed: 2046578
Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77
Signed-off-by: Ecco Park <eccopark@google.com>
qcacld-3.0 to qcacld-2.0 propagation
Currently there is no nl policy defined for vendor sub command
QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in
buffer overread error.
To resolve this, add nl policy.
Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b
CRs-Fixed: 2058452
Bug: 37712167
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Length of the MAC address is not checked, which may cause an out-of-bounds
read issue.
To resolve this, add a check for MAC address length.
CRs-Fixed: 2051433
Change-Id: I58454b84c28b157cef35984d612a9bc6fdd9ec56
Bug: 36815555
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
While RTT ranging happens, userspace application initiates FTM
request via host to FW. After sending the FTM request, host
might go to sleep mode sometimes so FW will not be able to send
the OEM response event resulting in poor ranging results.
This change registers OEM response event as WOW wakeable so FW
wakes up host whenever it receives OEM response which helps OEM
response to reach userspace application on time for better
ranging results.
Bug: 37948902
Change-Id: I71b77cfa09c5039b487e9a93490837a084314fb3
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
commit cb4855b49deb1acce27706ad9509d63c4fe8e988 upstream.
We fixed this to use free_netdev() instead of kfree() but unfortunately
free_netdev() doesn't accept NULL pointers. Smatch complains about
this, it's not something I discovered through testing.
Fixes: 3030d40b5036 ('staging: vt6655: use free_netdev instead of kfree')
Fixes: 0a438d5b38 ('staging: vt6656: use free_netdev instead of kfree')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[wt: only vt6656 was converted to free_netdev in 3.10]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit b321a38d2407c7e425c54bc09be909a34e49f740 upstream.
The oversampling ratio is controlled using the oversampling pins,
OS [2:0] with OS2 being the MSB control bit, and OS0 the LSB control
bit.
The gpio connected to the OS2 pin is not being set correctly, only OS0
and OS1 pins are being set. Fix the typo to allow proper control of the
oversampling pins.
Signed-off-by: Eva Rachel Retuya <eraretuya@gmail.com>
Fixes: b9618c0 ("staging: IIO: ADC: New driver for AD7606/AD7606-6/AD7606-4")
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
extn capabilities can be controlled by the user, and a value greater
than the max supported value can be sent. This results in a stack
overflow in the change station command.
Add a check to validate the extn capability param given by the user,
and if it exceeds the max supported value, set it to the max supported
value.
CRs-Fixed: 2044820
Change-Id: I531799dd06c41069e85ad969de6182363dbf9f05
Bug: 36817798
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Incorrect validation of
QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE
results in assigning an unchecked user-controlled value.
This can lead to buffer overflow.
Validate
QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_LOST_AP_SAMPLE_SIZE.
CRs-Fixed: 2045470
Change-Id: I7c33b6d78054672e9effbe9100c29e5604c250c6
Bug: 36818198
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
After SSR has triggered, BPF and llstats are not working
because callbacks are NULL. Initialization of BPF and
llstats callbacks is done during WLAN startup, but
when SSR is triggered the HDD context is invalidated.
Hence the fix is to initialize the callbacks during re-init also.
Change-Id: I0b7571c66e90a84a80b675a433a7a752c82865d3
CRs-Fixed: 1107505
Bug: 37741956
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Merge 'android-msm-bullhead-3.10-nyc-mr2' into
'android-msm-bullhead-3.10'
July 2017.1
Bug: 38137577
Change-Id: Id2935b141bbaa52d6ec63648551ac5dec3e21487
The cache maintenance routines in ashmem were causing
several security issues. Since they are not being used
anymore by any drivers, it is well to remove them entirely.
Bug: 34126808
Bug: 34173755
Bug: 34203176
CRs-Fixed: 1107034, 2001129, 2007786
Change-Id: I955e33d90b888d58db5cf6bb490905283374425b
Signed-off-by: Sudarshan Rajagopalan <sudaraja@codeaurora.org>
Signed-off-by: Dennis Cagle <d-cagle@codeaurora.org>
There can be a race condition if two different threads use the
pkt log buffer at the same time. This issue can lead to Use-After-Free
of the packet log buffer.
To address this issue, protect the pktlog buffer access using spinlock.
Bug: 35468665
Change-Id: I8098bb78a8e2462e109cee3407683c669f151fd5
CRs-Fixed: 2021363
In hdd_set_rx_filter API the multicastAddr array is being accessed beyond
its size.
Add a boundary check for multicastAddr.
CRs-Fixed: 1104565
Bug: 38182308
Change-Id: I8e1543a8f42ac40c04d2c6a17e69718d13cbd706
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
oem data request len size should be 4 bytes instead of
1 byte. Add changes to correct the len size in the oem data structure across the
layers.
Increase maximum size of oem data request from 280 to 500. This
change set also removes the following unused macros in UMAC:
- OEM_DATA_REQ_SIZE
- OEM_DATA_RSP_SIZE
Bug: 37948902
Change-Id: I44f1aaf8af0b7f14ea356186d1aa40b9c31cba88
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
When IE whitelisting is enabled, only probe requests from INFRA STA
during scan should contain selective IEs, but in the current code,
probe requests of P2P scans are also containing selective IEs, which is
a bug.
To fix this, invoke IE whitelisting only for INFRA STA.
Change-Id: Icd2984013b3f29714b1e852389110ef2257be94b
Bug: 37214129
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
If there is a mismatch in channel number present in BD and
Beacon/probe response, corresponding BSSID entry is not added in
scan cache. This can result in reconnection failure. If the entry
is not present then add this entry even in case of mismatch.
Bug: 36494510
Change-Id: Id8c45ff88731288144fe39f5da56748f403dfdb7
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
In oemData_SendMBOemDataReq(), messageLen of struct 'tSirOemDataReq'
is updated with more memory than allocated to the structure.
Fix is to update messageLen with size of struct.
Bug: 34203184
Change-Id: Ib60fd07543f630985fe29427809d822275bbb8e0
CRs-Fixed: 1069175
As part of the dual driver support radio id is enabled in the wlan
driver. Adjust the firmware log nl structure to include the radio id.
The radio id is always zero. All the other dual driver changes
are not included into this branch.
Change-Id: I7b28440780b20c5a0b4248f93a7a95ad3faf0b6f
Bug: 32775496
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The binder allocator assumes that the thread that
called binder_open will never die for the lifetime of
that proc. That thread is normally the group_leader,
however it may not be. Use the group_leader instead
of current.
Bug: 35707103
Test: Created test case to open with temporary thread
Change-Id: Id693f74b3591f3524a8c6e9508e70f3e5a80c588
Signed-off-by: Todd Kjos <tkjos@google.com>
binder_fd_array_object starts with a 4-byte header,
followed by a few fields that are 8 bytes when
ANDROID_BINDER_IPC_32BIT=N.
This can cause alignment issues in a 64-bit kernel
with a 32-bit userspace, as on x86_32 an 8-byte primitive
may be aligned to a 4-byte address. Pad with a __u32
to fix this.
Change-Id: I4374ed2cc3ccd3c6a1474cb7209b53ebfd91077b
Signed-off-by: Martijn Coenen <maco@android.com>
Memory should be allocated to radar_event only when radar phy
event needs to be sent to WMA layer.
Add changes to fix memory leak.
CRs-Fixed: 1065466
Bug: 34514463
Change-Id: Ia3e93ddd47913956c27487472b6a70eb68d63fd9
Signed-off-by: Ecco Park <eccopark@google.com>
Operation classes supported can be controlled by the user, and more than
the max supported operations can be sent. This results
in a stack overflow in the change station command.
Add a check to validate the operations supported param given by the user,
and if it exceeds the max supported value, set it to the max supported
value.
CRs-Fixed: 2002052
Change-Id: Idd3a35e38b091546a17d7ec6329f19429e5c289c
Bug: 32094986
Two threads accessing the procfs entry might end up in race condition and
lead to use-after-free for hdd_ctx->driver_dump_mem.
Hence, acquire a lock to protect hdd_ctx.
Change-Id: If871f4ceadf650978e16b4a336f688a0dae1c494
CRs-Fixed: 2005832
Bug: 34327795
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In oemData_SendMBOemDataReq(), messageLen of struct 'tSirOemDataReq'
is updated with more memory than allocated to the structure.
Fix is to update messageLen with size of struct.
Change-Id: Ib60fd07543f630985fe29427809d822275bbb8e0
CRs-Fixed: 1069175
Bug: 35893040
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
BTC code is only used for WCN chipset where BT COEX module was running
on host. While for Rome solution, BT COEX module is moved down to FW.
Remove it to reduce driver size.
Change-Id: I0548dd704a2a2b6bd36d01e3e3f4963b8c19d02b
CRs-Fixed: 1058780
Bug: 32775496
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently user space communication functions [cnss diag, PTT socket app]
in the host driver use netlink user sockets, which is a security concern from
Linux Android SE policies.
Add support to use the netlink family cld80211, which uses generic
netlink sockets.
Change-Id: I4ea49ac6d7c9381212c93567fdc40f90e04dfba4
CRs-Fixed: 1112784
Bug: 32775496
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
SPI_MIN_DMA can cause a request for greater than the number
of bytes needed to complete a packet. Limit the number of bytes
copied into the rx buffer by the rx buffer length.
Bug: 35804737
Change-Id: Ibb02272fa549879f716519f541bff656104f8a1c
Signed-off-by: Ben Fennema <fennema@google.com>
Signed-off-by: Siqi Lin <siqilin@google.com>
In the disconnected state, an invalid argument is passed to memset during
probe req ie whitelisting in sched scan start, due to which a
buffer overflow can happen.
To fix this, add a check for connection state and pass the valid argument
to memset.
Change-Id: I5e52a16081156722f460bf061a052b31bf76170f
CRs-Fixed: 1105131
Bug: 35436707
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In the probe request IE white listing feature, memory allocated for vendor
OUIs during init is not de-allocated during de-init, which is causing a
memory leak.
To fix this, de-allocate memory for vendor OUIs in de-init.
Change-Id: Ia60002a56565604856b69e38c7bb72057cab5d4c
CRs-Fixed: 1107927
Bug: 35436707
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In the current implementation, the probe req ie whitelisting feature is
also enabled in connected state, due to which probe reqs in the corresponding
state are including selective IEs only.
To avoid this, disable the IE whitelisting feature in connected state.
Change-Id: I52c78d40e8b97d89ff7cf63ef0bd6025e019a0db
CRs-Fixed: 1101697
Bug: 35436707
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add support to include only selective IEs in probe requests in
order to improve user's privacy.
Change-Id: Ib874af7ec2f5453282ffe0e8fc2e50934460b745
CRs-Fixed: 1086582
Bug: 35436707
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
WIPHY_VENDOR_CMD_NEED_RUNNING flag is not required for these
vendor sub-commands.
Hence, remove WIPHY_VENDOR_CMD_NEED_RUNNING flag from
wlan_hdd_cfg80211_extscan_get_capabilities and
wlan_hdd_cfg80211_get_bus_size
Change-Id: I2df673f2b38759c7c4973db19d535fba1e8ddd97
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
BUG: 35113704
This separates the kref for ion handles into two components.
Userspace requests through the ioctl will hold at most one
reference to the internally used kref. All additional requests
will increment a separate counter, and the original reference is
only put once that counter hits 0. This protects the kernel from
a poorly behaving userspace.
Bug: 34276203
Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0
Signed-off-by: Daniel Rosenberg <drosen@google.com>
ATH diag procfs read is copying read_buffer to user space
unconditionally, causing kernel heap information leak of
uninitialized read_buffer if hif diag read fails.
Do not copy buffer to user space if diag read fails to
avoid information leak to user space.
Change-Id: I5e07cad4f90e5e9b3c461268b8fa3635c3128b9f
CRs-Fixed: 1104731
Bug: 32074353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently in WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
is user-controllable and never validated, yet it is used as the length
for a memory copy. This enables user-space applications to corrupt
heap memory and potentially crash the kernel.
Fix is to validate the WPARSNIes length against its max before using it as the
length for a memory copy.
Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648
Bug: 32086742
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In the function wma_enable_arp_ns_offload(), the len variable is
defined as signed 32 bit, whereas wmi_buf_alloc() takes unsigned
16 bit as input; also there is no limit on the input of
num_ns_offload_count.
Fix is to define the len variable in wma_enable_arp_ns_offload()
as unsigned 32 bit. The length input for wmi_buf_alloc() is also
extended and re-defined as unsigned 32 bit. Add limit check before
using num_ns_offload_count.
Change-Id: I5063df9551074e964eef67abeb8afcf104e50808
CRs-Fixed: 1103099
Bug: 32658595
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
commit 34eee70a7b82b09dbda4cb453e0e21d460dae226 upstream.
The ad5933_i2c_read function returns an error code to indicate
whether it could read data or not. However ad5933_work() ignores
this return code and just accesses the data unconditionally,
which gets detected by gcc as a possible bug:
drivers/staging/iio/impedance-analyzer/ad5933.c: In function 'ad5933_work':
drivers/staging/iio/impedance-analyzer/ad5933.c:649:16: warning: 'status' may be used uninitialized in this function [-Wmaybe-uninitialized]
This adds minimal error handling so we only evaluate the
data if it was correctly read.
Link: https://patchwork.kernel.org/patch/8110281/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
In __wlan_hdd_cfg80211_testmode API no checks are in place that
ensure that buflen is smaller than or equal to the size of the stack
variable hb_params. Hence, the vos_mem_copy() call can overflow
stack memory.
Add a buf len check to avoid stack overflow.
CRs-Fixed: 1105085
Bug: 33979145
Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 31992382
Test: See bug for poc
Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782
'wrqu->data.length' holds the total length of the IE data buffer.
Add a check to make sure the number of remaining bytes to be read is
greater than or equal to the IE length.
Also, advance the buffer pointer to point to the next element only
if a next element is present.
Change-Id: Ic60f3e0650f365955dab4099eb8740e9789e00cc
CRs-Fixed: 1100132
Bug: 32073794
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
To reduce no. of error logs in smeTraceDump(), change the log level
from LOGE to LOG1.
Change-Id: I1fb81226f90e90d6a5d3870d5b585c7df22db755
CRs-Fixed: 1032026
Bug: 31240601
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Memory should be allocated to radar_event only when radar phy
event needs to be sent to WMA layer.
Add changes to fix memory leak.
CRs-Fixed: 1065466
Change-Id: Ia3e93ddd47913956c27487472b6a70eb68d63fd9
Bug: 33007108
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The wlan driver supports the following vendor command:
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST
This command supplies a "number of APs" attribute as well as a list of
per-AP attributes. However there is no validation that the number of
APs provided won't overflow the destination buffer. In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.
To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
expected number of APs
* Only process the actual number of supplied APs if it is less than
the expected number of APs.
Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5
CRs-Fixed: 1095770
Bug: 33252788
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The wlan driver supports the following vendor command:
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE
This command supplies a "number of APs" attribute as well as a list of
per-AP attributes. However there is no validation that the number of
APs provided won't overflow the destination buffer. In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.
To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
expected number of APs
* Only process the actual number of supplied APs if it is less than
the expected number of APs.
Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77
CRs-Fixed: 1095009
Bug: 32872662
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
Bug: 32402310 32402604 32871330
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing a passpoint vendor command the "num
networks" attribute is limit checked and if it exceeds a MAX value
then the command is rejected. Otherwise this value is used to
calculate the size of the buffer allocated to hold the internal
representation of the request. However later when the network
attributes are parsed there is no check to make sure the number of
networks processed does not exceed the "num networks" used to allocate
memory, and as a result a buffer overflow can occur. Address this
issue by aborting the network parsing once "num networks" records have
been parsed.
Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6
CRs-Fixed: 1092059
Bug: 32450647
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing the "set passpoint list" vendor command the
"number of networks" parameter is not limit checked. This value is
subsequently used to calculate the size of a buffer. Add a limit check
to ensure that an appropriately sized buffer is always allocated.
Change-Id: Ibc2346b8a62898fc47e2d1efe457c57c08b0cada
CRs-Fixed: 1091940
Bug: 32879283
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing an EXTSCAN vendor command the "num buckets"
attribute is limit checked and if it exceeds a MAX value then a
warning message is issued. But beyond that the "num buckets" attribute
is not used. Instead when the buckets are actually parsed the number
of buckets is calculated dynamically based upon the number of
attributes present in the request. Unfortunately when the bucket
attributes are parsed there is no check to make sure the number of
buckets processed does not exceed the MAX value, and as a result a
buffer overflow can occur. Address this issue by aborting the bucket
parsing once the expected number of records have been parsed.
Change-Id: Ic260dd65dc99118afbb8042d102acb5b26d1e123
CRs-Fixed: 1087797
Bug: 32451104
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing an EPNO vendor command the "num networks"
attribute is limit checked and if it exceeds a MAX value then it is
reset to that MAX value. This value is then used to calculate the size
of the buffer allocated to hold the internal representation of the
request. However later when the network attributes are parsed there is
no check to make sure the number of networks processed does not exceed
the (possibly modified) "num networks" used to allocate memory, and as
a result a buffer overflow can occur. Address this issue by aborting
the network parsing once "num networks" records have been parsed.
Change-Id: I6e5f321d23471d082bb000ad0422ea9baa76577a
CRs-Fixed: 1087807
Bug: 32451171
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
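The hotlist, significant-change and roam commits above, and the passpoint and EPNO commits that follow them, all describe the same defensive pattern: bound the announced count by the destination array, never consume more nested entries than announced, and let later code walk only what was actually parsed. The following is an added example modelling that pattern; it is not code from the qcacld driver, and its attribute ids, MAX_BSSIDS, struct layouts and sample MAC addresses are constructed for illustration.

```c
/* Added example, not code from the qcacld-2.0 commits above: a self-contained
 * model of the "announced count vs. supplied entries" checks they describe.
 * The attribute ids, MAX_BSSIDS and struct layouts are constructed here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_BSSIDS      8   /* constructed; stands in for the driver's maximum */
#define ETH_ALEN        6
#define ATTR_NUM_BSSIDS 1   /* constructed attribute ids, not the QCA_* values */
#define ATTR_BSSID      2

/* One netlink-style attribute: type, payload length, payload. */
struct attr { uint16_t type; uint16_t len; const uint8_t *data; };

struct bssid_req {           /* driver-internal representation being filled */
    uint32_t num_expected, num_parsed;
    uint8_t  bssid[MAX_BSSIDS][ETH_ALEN];
};

enum {
    REQ_OK = 0, REQ_ERR_NO_COUNT = -1,
    REQ_ERR_TOO_MANY_EXPECTED = -2,  /* announced count would overflow bssid[] */
    REQ_ERR_TOO_MANY_ACTUAL   = -3,  /* more entries supplied than announced */
    REQ_ERR_BAD_ENTRY         = -4   /* entry is not exactly ETH_ALEN bytes */
};

/* `top` holds the top-level attributes, `list` the nested per-BSSID entries.
 * Every write into out->bssid[] is bounded by checks 1 and 2 below. */
int parse_bssid_request(const struct attr *top, size_t ntop,
                        const struct attr *list, size_t nlist,
                        struct bssid_req *out)
{
    const struct attr *num = NULL;
    memset(out, 0, sizeof(*out));

    for (size_t i = 0; i < ntop; i++)
        if (top[i].type == ATTR_NUM_BSSIDS && top[i].len == sizeof(uint32_t))
            num = &top[i];
    if (!num)
        return REQ_ERR_NO_COUNT;
    memcpy(&out->num_expected, num->data, sizeof(uint32_t));

    /* Check 1: the announced count must fit the destination array. */
    if (out->num_expected > MAX_BSSIDS)
        return REQ_ERR_TOO_MANY_EXPECTED;

    for (size_t i = 0; i < nlist; i++) {
        if (list[i].type != ATTR_BSSID)
            continue;
        /* Check 2: never consume more entries than announced. The passpoint and
         * EPNO commits stop parsing here instead of failing; either way nothing
         * is written past num_expected. */
        if (out->num_parsed >= out->num_expected)
            return REQ_ERR_TOO_MANY_ACTUAL;
        /* Fixed-length check, the job a MAC address .len does in an nla_policy. */
        if (list[i].len != ETH_ALEN)
            return REQ_ERR_BAD_ENTRY;
        memcpy(out->bssid[out->num_parsed], list[i].data, ETH_ALEN);
        out->num_parsed++;
    }
    /* Check 3: if fewer entries arrived than announced, consumers must walk
     * bssid[] with num_parsed, not num_expected. */
    return REQ_OK;
}

/* Constructed request announcing `announced` BSSIDs and supplying `supplied`
 * entries (capped at POOL) with made-up locally administered MAC addresses. */
#define POOL 16
static int run_case(uint32_t announced, size_t supplied, struct bssid_req *out)
{
    static uint8_t macs[POOL][ETH_ALEN];
    struct attr list[POOL];
    struct attr top[1] = { { ATTR_NUM_BSSIDS, sizeof(uint32_t),
                             (const uint8_t *)&announced } };
    if (supplied > POOL)
        supplied = POOL;
    for (size_t i = 0; i < supplied; i++) {
        for (int b = 0; b < ETH_ALEN; b++)
            macs[i][b] = (uint8_t)(0x02 + 16 * i + b);
        list[i].type = ATTR_BSSID;
        list[i].len  = ETH_ALEN;
        list[i].data = macs[i];
    }
    return parse_bssid_request(top, 1, list, supplied, out);
}

int case_result(uint32_t announced, size_t supplied)     /* returns a REQ_* code */
{
    struct bssid_req r;
    return run_case(announced, supplied, &r);
}

uint32_t case_parsed(uint32_t announced, size_t supplied) /* entries actually copied */
{
    struct bssid_req r;
    run_case(announced, supplied, &r);
    return r.num_parsed;
}
```

case_result(2, 5) returns REQ_ERR_TOO_MANY_ACTUAL after copying exactly two entries, and case_result(9, 0) is rejected before any entry is touched, which is the behaviour the three-step fix in these commits is meant to guarantee.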
Currently there is a single wlan_hdd_extscan_config_policy which
contains entries for both EXTSCAN and PNO attributes. However the
EXTSCAN and PNO attributes have separate and overlapping
assignments. Therefore one policy cannot be used by both types of
commands. In addition, when parsing nested PNO attributes the policy
is not used, and hence no checking is performed on the nested
data. This can result in a buffer overflow.
To address these issues introduce a new policy for PNO vendor
commands, and use that policy both when parsing the initial command
and when parsing the nested attributes.
Change-Id: I92c8fc7ca1c44971502ea68b5486a2b3ae941cc5
CRs-Fixed: 1087209
Bug: 32454494
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If a user happens to call ION_IOC_FREE during an
ION_IOC_ALLOC on the just allocated id, and the
copy_to_user fails, the cleanup code will attempt
to free an already freed handle.
This adds a wrapper for ion_alloc that adds an
ion_handle_get to avoid this.
Bug: 31568617
Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed
Signed-off-by: Daniel Rosenberg <drosen@google.com>
(cherry picked from commit 60f893c76b1aaa446624c46363bfc51ca75e8d87)
prima to qcacld-2.0 propagation.
Validate the ssid length before accessing the ssid;
if the length exceeds the max ssid length then return.
CRs-Fixed: 1059205
Bug: 32506333
Change-Id: I96c366cd9f136f43b5f212d22b1032ee8e126e5b
Signed-off-by: Ecco Park <eccopark@google.com>
hdd_ocb_config_new() takes four "length" parameters, currently defined
to be of type 'int'. Since these are summed to calculate the size of a
dynamic memory allocation they must be non-negative so change them to
'uint32_t'.
Change-Id: Ie66bbb7c69aba92d9d846cb90628110b3bea8f74
CRs-Fixed: 1079596
Bug: 31750554
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
From kernel 3.19-rc4, the size of struct station_info is around 600 bytes,
so the stack frame size of a routine using this struct will easily
exceed 1024 bytes, the default value of the stack frame size.
So use heap memory for this struct instead.
CRs-Fixed: 1050323
Bug: 32506396
Change-Id: I64835329dc2e46ae33c12585f92c6a75401cfc5c
Signed-off-by: Ecco Park <eccopark@google.com>
To keep the driver consistent, and until we have
fine-grained locking in place.
Change-Id: Ia75b61bb5635b3b299402d276d1edc3053c48d2a
Signed-off-by: Martijn Coenen <maco@android.com>
This patch introduces a new binder_fd_array object,
that allows us to support one or more file descriptors
embedded in a buffer that is scatter-gathered.
Change-Id: Id9a15ce4ee06138ecb1c3adb4fdccbe5c749767f
Signed-off-by: Martijn Coenen <maco@google.com>
Previously all data passed over binder needed
to be serialized, with the exception of Binder
objects and file descriptors.
This patch adds support for scatter-gathering raw
memory buffers into a binder transaction, avoiding
the need to first serialize them into a Parcel.
To remain backwards compatible with existing
binder clients, it introduces two new command
ioctls for this purpose - BC_TRANSACTION_SG and
BC_REPLY_SG. These commands may only be used with
the new binder_transaction_data_sg structure,
which adds a field for the total size of the
buffers we are scatter-gathering.
Because memory buffers may contain pointers to
other buffers, we allow callers to specify
a parent buffer and an offset into it, to indicate
this is a location pointing to the buffer that
we are fixing up. The kernel will then take care
of fixing up the pointer to that buffer as well.
Change-Id: I0bd78a441a698b058dd4b4071e3ab7116216dbe2
Signed-off-by: Martijn Coenen <maco@google.com>
The binder_buffer allocator currently only allocates
space for the data and offsets buffers of a Parcel.
This change allows for requesting an additional chunk
of data in the buffer, which can for example be used
to hold additional meta-data about the transaction
(eg a security context).
Change-Id: I3595b4212975f31303cfcd0b9ae4bbc41624a52d
Signed-off-by: Martijn Coenen <maco@google.com>
Moved handling of fixup for binder objects,
handles and file descriptors into separate
functions.
Change-Id: If0f67016d951a1ee16da0654163f911edc61ac0d
Signed-off-by: Martijn Coenen <maco@google.com>
Add a new module parameter 'devices', that can be
used to specify the names of the binder device
nodes we want to populate in /dev.
Each device node has its own context manager, and
is therefore logically separated from all the other
device nodes.
The config option CONFIG_ANDROID_BINDER_DEVICES can
be used to set the default value of the parameter.
This approach was favored over using IPC namespaces,
mostly because we require a single process to be a
part of multiple binder contexts, which seemed harder
to achieve with namespaces.
Change-Id: I3d8531c44e82ef7db4d8b9fa0c1761d4ec282e3d
Signed-off-by: Martijn Coenen <maco@google.com>
Move the context manager state into a separate
struct context, and allow for each process to have
its own context associated with it.
Change-Id: I6a9dfacb7b73a29760e367ff0b4e0ee21f2d0380
Signed-off-by: Martijn Coenen <maco@google.com>
flat_binder_object is used for both handling
binder objects and file descriptors, even though
the two are mostly independent. Since we'll
have more fixup objects in binder in the future,
instead of extending flat_binder_object again,
split out file descriptors to their own object
while retaining backwards compatibility to
existing user-space clients. All binder objects
just share a header.
Change-Id: I6bb3c5d2bc20eababd07df0a72617cb444b6db0e
Signed-off-by: Martijn Coenen <maco@google.com>
commit 80e162ee9b31d77d851b10f8c5299132be1e120f upstream.
`daqboard2000_find_boardinfo()` is supposed to check if the
DaqBoard/2000 series model is supported, based on the PCI subvendor and
subdevice ID. The current code is wrong as it is comparing the PCI
device's subdevice ID to an expected, fixed value for the subvendor ID.
It should be comparing the PCI device's subvendor ID to this fixed
value. Correct it.
Fixes: 7e8401b23e ("staging: comedi: daqboard2000: add back
subsystem_device check")
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: <stable@vger.kernel.org> # 3.7+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.
A handle has ref count of 1 and two tasks on different
cpus calls ION_IOC_FREE simultaneously.
          cpu 0                                   cpu 1
   -------------------------------------------------------
   ion_handle_get_by_id()
   (ref == 2)
                                          ion_handle_get_by_id()
                                          (ref == 3)
   ion_free()
   (ref == 2)
   ion_handle_put()
   (ref == 1)
                                          ion_free()
                                          (ref == 0 so ion_handle_destroy() is
                                          called and the handle is freed.)
                                          ion_handle_put() is called and it
                                          decreases the slub's next free pointer
The problem is detected as an unaligned access in the
spin lock functions since it uses load exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer. (kmalloc returns a pointer like
ffffc0745b4580aa). And it causes lots of other
hard-to-debug problems.
This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.
To fix this problem the client->lock mutex is extended
to protect all the code that uses the handle.
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7)
bug: 31568617
Change-Id: I4ea2be0cad3305c4e196126a02e2ab7108ef0976
TDLS teardown event sent by firmware is not processed whenever
host is in WOW mode which will lead to failure of TDLS
teardown.
Fix is to handle this event in WOW mode.
Change-Id: I3649bfdf4381f49483a3ffe2c80d5339b52a3764
CRs-Fixed: 1009456
Bug: 31681053
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Before configuring to firmware, validate multicast
filter count does not exceed the max allowed value.
Change-Id: I1bcb1c820a5154109565a8c283bf5131a3b90855
CRs-Fixed: 1059974
Bug: 31037507
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
As the current WMI interface needs both the ARP and NS configuration
in a single command, to support active offload the host needs to
cache the ARP/NS at the wma layer so the host can fill the other
request and configure the complete request (ARP+NS) down to
firmware.
Change-Id: Ie0a57d216379817ff0ae48f4f582c9108e8ecca1
CRs-Fixed: 1059739
Bug: 30989414
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In case of PMF connection pmfcomeback timer is initialized
for the old session and not for new FT session and thus
gives warning while stopping the timer when FT session is
deleted.
Fix this issue by initializing PMF timer for FT session.
Change-Id: I7ef1db436c39a824aeb199e51d28a011d527f7bd
CRs-Fixed: 1050380
Bug: 31358630
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently pmfComebackTimer is not initialized during roaming. This
can lead to error in peDeleteSession when driver tries to destroy
pmfComebackTimer. Fix this by initializing pmfComebackTimer during
roaming. Also, handle status eSIR_MAC_TRY_AGAIN_LATER as failure
during roaming.
Change-Id: Ic9c4e996c4078d09ef7cd9b3b073105d94eb53fb
CRs-Fixed: 1037640
Bug: 30017324 31358630
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
lowmemorykiller was not taking into account unevictable pages when
deciding what level to kill. If significant amounts of memory were
pinned, this caused lowmemorykiller to effectively stop at a much higher
level than it should.
bug 31255977
Change-Id: I763ecbfef8c56d65bb8f6147ae810692bd81b6e2
Do not hold the spinlock for packet trace dumping and
dump the trace only for connection related errors.
Change-Id: Ia33137fc924f8a860cf9ae281b8167fe3832c5b4
CRs-Fixed: 1053314
Bug: 30784832
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently driver flushes driver and firmware logs irrespective of ring id.
Host should flush the logs only for driver ring id.
Add changes to fix the same issue.
Change-Id: I50cfde1baaf18c1a3992f956182b49044ccc4b1d
CRs-Fixed: 1053219
Bug: 30784832
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add API to find IPV6 mcast packet to use it in wma_wow_wake_up_stats
func. This is required to know if there is a IPV6 mcast packet embedded
in a link layer unicast packet.
Change-Id: Ic2af69032262237b8751019817ae181913346818
CRs-Fixed: 1049254
Bug: 30138831
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Correct the update of various wow wakeup counts.
Change wow_icmpv6_uc_bc_count to wow_icmpv6_count
as there is no broadcast in case of ipv6.
Change-Id: Iceaf1226edbf909ca3881e049c33f7d121860ef2
CRs-Fixed: 1049254
Bug: 30138831
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Presently in updating wma_wow_wake_up_stats, icmpv4 and icmpv6
counts are increased just by checking ICMP protocol offset byte
and ICMPV6 protocol offset byte without checking for whether it
is a IPV4 or IPV6 packet. So it is possible that for ICMPV6 packet,
the IPV4 protocol offset byte is equal to ICMP protocol or for some
ICMP packet, the IPV6 protocol byte is equal to ICMPV6 protocol and
thus both the icmpv4 and icmpv6 counts will get increased for that
packet.
Add ipv4 and ipv6 packet checks as well in addition to the present checks
to avoid wrong increment in the counts.
Change-Id: I2d6e5d095d2f4b2dd474b9338bfc830b04bfa533
CRs-fixed: 1048651
Bug: 30138831
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
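The classification mistake this commit describes, as an added example that is not qcacld code: the old logic tested the IPv4 protocol byte and the IPv6 next-header byte on every frame, so a frame whose other-header byte happened to match was counted twice. The fixed logic decides by EtherType first and reads only the field that exists in that header. The frame offsets, the two constructed sample frames and the helper names here are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN          14
#define ETHERTYPE_IPV4       0x0800
#define ETHERTYPE_IPV6       0x86DD
#define IPV4_PROTO_OFFSET    (ETH_HDR_LEN + 9)  /* IPv4 'protocol' byte    */
#define IPV6_NEXTHDR_OFFSET  (ETH_HDR_LEN + 6)  /* IPv6 'next header' byte */
#define PROTO_ICMP           1
#define PROTO_ICMPV6         58
#define IPV4_MIN_FRAME       (ETH_HDR_LEN + 20)
#define IPV6_MIN_FRAME       (ETH_HDR_LEN + 40)

struct wow_stats {
    unsigned icmpv4;
    unsigned icmpv6;
};

static uint16_t ether_type(const uint8_t *frame)
{
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* Pre-fix logic as the commit describes it: both offset bytes are tested
 * without first establishing whether the frame is IPv4 or IPv6. */
void wow_count_unchecked(const uint8_t *frame, size_t len, struct wow_stats *s)
{
    if (len > IPV4_PROTO_OFFSET && frame[IPV4_PROTO_OFFSET] == PROTO_ICMP)
        s->icmpv4++;
    if (len > IPV6_NEXTHDR_OFFSET && frame[IPV6_NEXTHDR_OFFSET] == PROTO_ICMPV6)
        s->icmpv6++;
}

/* Fixed logic: decide by EtherType, then read only the field that exists in
 * that header, after checking the frame is long enough to contain it. */
void wow_count_checked(const uint8_t *frame, size_t len, struct wow_stats *s)
{
    if (len < ETH_HDR_LEN)
        return;
    switch (ether_type(frame)) {
    case ETHERTYPE_IPV4:
        if (len >= IPV4_MIN_FRAME && frame[IPV4_PROTO_OFFSET] == PROTO_ICMP)
            s->icmpv4++;
        break;
    case ETHERTYPE_IPV6:
        if (len >= IPV6_MIN_FRAME && frame[IPV6_NEXTHDR_OFFSET] == PROTO_ICMPV6)
            s->icmpv6++;
        break;
    default:
        break;
    }
}

/* Constructed sample frames (not captures). Each is chosen so that the byte
 * the *other* protocol's check reads happens to match as well. */
static size_t build_frame(uint8_t *buf, int ipv6)
{
    memset(buf, 0, 80);
    if (ipv6) {
        buf[12] = 0x86; buf[13] = 0xDD;              /* EtherType IPv6 */
        buf[ETH_HDR_LEN + 0] = 0x60;                 /* version 6 */
        buf[ETH_HDR_LEN + 5] = 8;                    /* payload length 8 */
        buf[IPV6_NEXTHDR_OFFSET] = PROTO_ICMPV6;     /* next header ICMPv6 */
        buf[ETH_HDR_LEN + 7] = 255;                  /* hop limit */
        /* source 2001:db8::1 -> IPv6 header byte 9 (frame offset 23, which is
         * IPV4_PROTO_OFFSET) is 0x01 == PROTO_ICMP */
        buf[ETH_HDR_LEN + 8] = 0x20; buf[ETH_HDR_LEN + 9] = 0x01;
        buf[ETH_HDR_LEN + 10] = 0x0d; buf[ETH_HDR_LEN + 11] = 0xb8;
        buf[ETH_HDR_LEN + 23] = 0x01;
        buf[IPV6_MIN_FRAME] = 128;                   /* ICMPv6 echo request */
        return IPV6_MIN_FRAME + 8;
    }
    buf[12] = 0x08; buf[13] = 0x00;                  /* EtherType IPv4 */
    buf[ETH_HDR_LEN + 0] = 0x45;                     /* IPv4, IHL 5 */
    buf[ETH_HDR_LEN + 3] = 28;                       /* total length 28 */
    /* flags/fragment-offset high byte 0x3A (MF set, non-zero offset): frame
     * offset 20, which is IPV6_NEXTHDR_OFFSET, reads as 58 == PROTO_ICMPV6 */
    buf[ETH_HDR_LEN + 6] = 0x3A;
    buf[ETH_HDR_LEN + 8] = 64;                       /* TTL */
    buf[IPV4_PROTO_OFFSET] = PROTO_ICMP;             /* protocol ICMP */
    buf[IPV4_MIN_FRAME] = 8;                         /* ICMP echo request */
    return IPV4_MIN_FRAME + 8;
}

/* Run one counter over one constructed frame; returns icmpv4<<8 | icmpv6. */
unsigned count_frame(int checked, int ipv6_frame)
{
    uint8_t frame[80];
    struct wow_stats s = { 0, 0 };
    size_t len = build_frame(frame, ipv6_frame);

    if (checked)
        wow_count_checked(frame, len, &s);
    else
        wow_count_unchecked(frame, len, &s);
    return (s.icmpv4 << 8) | s.icmpv6;
}

int main(void)
{
    printf("IPv6/ICMPv6 frame: unchecked=%04x checked=%04x\n",
           count_frame(0, 1), count_frame(1, 1));
    printf("IPv4/ICMP frame:   unchecked=%04x checked=%04x\n",
           count_frame(0, 0), count_frame(1, 0));
    return 0;
}
```

Both constructed frames are counted as ICMP and ICMPv6 by the unchecked routine; the checked routine attributes each to exactly one counter and also refuses to read past the end of a truncated frame.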
WLAN host driver accesses the inet6_dev address list without acquiring
the read lock; if the kernel network stack deletes the address while
the driver is accessing the list, it can lead to the driver referencing
an already freed address.
Hence, the fix is to take the read lock before accessing the address list.
Change-Id: I934e9f2039f3ab8540e439b9e8a87efced98807c
CRs-Fixed: 1048897
Bug: 30557396
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
1. Optimize the spinlock usage in suspend callback by keeping
target wakeup sequence outside the spinlock such that
spinlock is not held for longer time.
2. Remove duplicate target sleep call as anyway bus suspend callback
puts target into sleep before returning.
Change-Id: I08c3d1a72e0b6d3aadd590222130e33ee3db02b2
CRs-Fixed: 1048112
Bug: 30293222
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when the firmware sends WOW_REASON_RA_MATCH event,
only wow_ipv6_mcast_ra_stats is incremented. Since it is a ipv6 multicast
RA packet which is waking up the APPS, we also need to increment
wow_ipv6_mcast_wake_up_count to report the correct statistics.
Change-Id: I7b5181ec1c8548ff9e7d4d56a59ac3814040c187
CRs-Fixed: 1047268
Bug: 30138831
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Presently when the active mode offload is enabled, only disable request
from the upper layer are sent to the firmware. Enable the nsoffload
request is dropped.
Changes are made to adhere the request of enable/disable nsoffload
when the active mode is enabled.
Change-Id: I5d14f3a4b33e961c0b66678258b5ed0fc007b47f
CRs-Fixed: 1043855
Bug: 30252489
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Dump more info for WOW wakeup packet:
1) ether_type
2) proto_type in case of IPV4 and IPV6 packets
3) src port and dst port in case of TCP/UDP
Change-Id: I1578aa5322af50f0ae43248c48a2f754ea081970
CRs-Fixed: 1043939
Bug: 30253865
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Propagation from qcacld-3.0 to qcacld-2.0.
- Add INI item to enable/disable active mode offload
- By default enable active mode offload as it helps to save more
power in static display usecase (APPS stand alone power collapse)
- If active mode offload is enabled then all applicable data
offload/filtering is enabled immediately once config is available
in WLAN driver and FW caches it across suspend/resume
- If active mode offload is disabled then all applicable data
offload/filtering is enabled during cfg80211 suspend and disabled
during cfg80211 resume.
Change-Id: Ib0207cee6a1812a81354f638e6bf55441d52c6e1
CRs-Fixed: 880416
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The issue is when host re-enables QPower after resume, it is setting
WMI_STA_PS_ENABLE_QPOWER to 1 (which is for QPower = 2) always and never
WMI_STA_PS_ENABLE_QPOWER to 2 (which is for QPower = 5).
This means one suspend/resume is enough to disable QPower = 5 and
change to QPower = 2.
Fix this by removing the hardcoded value of 1 and use qpower_config instead.
Change-Id: I553c1691d5d7e98c2db8c9e56e2ba68ae27af506
CRs-Fixed: 1040737
Bug: 30092816
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
To find optimal rx wakelock duration, change hard coded wakelock
to configurable parameter.
Added new ini item.
rx_wakelock_timeout, default 0, max 100msec.
If duration is 0msec, wakelock will not be called.
Do not take wakelock for Rx multicast/broadcast packets.
Change-Id: I7e91d32bc9cddc1a507b84ce68e90319360d1df2
CRs-Fixed: 1040730
Bug: 29404209
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If BSS is present in kernel and driver scan cache, supplicant
tries to connect to the BSS multiple times even if the BSS is
unreachable. Due to multiple failures to connect, supplicant
disables the network.
To avoid this, remove the BSS from scan cache:
- If connect fails due to BSS unreachable i.e. probe
resp/auth/assoc timeout and scan for ssid failure.
- If disconnect is due to Link lost.
Change-Id: I3263dd02691000d83d4aef61c75b72d78c28f582
CRs-Fixed: 1039104
Bug: 30008590
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Some WMI Commands can be sent in Runtime PM context and MC thread context.
Packets coming via MC Thread Context can be tagged as Runtime PM packets
when runtime pm is in progress.
Packets should be tagged in the same caller context to avoid any race
condition. Being stability issue, addressing this issue by not tagging
any non-wow commands as runtime pm after wow suspend. This will ensure
all the non-wow packets coming after wow_suspend flag is set as non
runtime pm packets and will trigger a runtime resume.
CRs-Fixed: 1037430
Change-Id: I03528a395e1d88ca2c5aaeca27fa505c3426f778
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
It doesn't set tag HTC_TX_PACKET_TAG_AUTO_PM when attempting to suspend
and set vdev suspend dtim, which causes the host to wake up frequently.
Change-Id: Iba32c715694e64ce7d941f198990b25b9c87240d
CRs-Fixed: 1003313
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation
From Kernel-3.18 onwards pending scan request is handled
as part of NETDEV_DOWN event, by invoking the cfg80211_scan_done
callback which frees the scan request structure. To support this,
driver will not invoke scan_done_callback if interface is down.
In case, if interface down and up are called back to back there
is a chance that kernel frees scan request as part of NETDEV_DOWN
and after which before driver triggers scan_done_callback if
interface is made up, driver scan_done_callback is through its
execution and accesses the freed scan request results in kernel
panic.
To mitigate this, don't return from hdd_stop until scan request
is aborted. Though this fix is to avoid kernel panic due to 3.18
kernel specific changes, it is acceptable across all the kernel
versions.
Change-Id: Iba8bd7a32fac33e8a0c3eea293aad682a1105397
CRs-Fixed: 977264
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Due to commit Id574e1309db8d8b01b4765e27b3638bb92c3d5a0,
Host stops memory tracking before the trace-buffer gets freed.
Later host tries to free the trace_buffer but the memory list
is empty, hence vos_bug is raised in SLUB enabled build.
As a part of fix, Free trace-buffer before vos_mem_exit
and free trace_buffer in insmod failure case.
Change-Id: I75ef52a7dc286d8bea012b1e2b8ccf57343a3575
CRs-Fixed: 1036271
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In the hdd_wlan_startup function correct the error conditions in case of
any initialization failure; there is a crash instance where the nl socket is
initialized but not released by the driver in case of vos_open failure.
Release the nl socket during the load failure and also correct the other
error conditions.
Change-Id: I5eb63b42de0f2327b391427dd5b43235103ed06b
CRs-Fixed: 1033220
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently, Host frees the packet trace buffer in the beginning
of hdd_driver_exit. But the same freed packet trace buffer is used
during the Hdd disconnect handler in MCThread context.
As a part of this fix, Host frees the packet trace buffer at the end
of hdd_driver_exit, which ensures all threads are stopped at that
moment. Apart from it, add a few sanity checks and error logs.
Change-Id: Id574e1309db8d8b01b4765e27b3638bb92c3d5a0
CRs-Fixed: 1028095
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Source and destination mac address are swapped in logs.
Fix this to print in correct order
Change-Id: Ifc6e14031ce1427247093e185ee16510ed3168da
CRs-Fixed: 1029923
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
vos_pkt_trace_buf_update() is not available in case
QCA_PKT_PROTO_TRACE is not defined.
Add dummy definition for hdd_dhcp_pkt_trace_buf_update() api to
correct this.
CRs-Fixed: 1029971
Change-Id: Id49390b21185c57878d1bf08d5db07230a0abd54
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Free proto trace buffer after disconnection, as proto
trace buffer is getting freed prior to disconnection
from AP and resulting in invalid access.
Change-Id: Ief7ded29ea04be547d355f96e817aee776422142
CRs-Fixed: 1028262
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
When number of link MC addresses configured are more than the
maximum firmware MC address list size, host sets the firmware's
MC filters up to the max and skips the rest. As a result
firmware drops the MC packets for the addresses whose MC filter
is not set.
To fix this clear the firmware MC filters when the number of kernel
MC addresses list is greater than the firmware's MC filter list size.
When no filters are configured firmware allows all the MC frames
to the host.
Change-Id: I6d8e8b2f5a646b914a7568ceae593b45b58f84d0
CRs-Fixed: 1025279
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently the size of the ethernet MC address list that host communicates
to firmware is 10. Whenever a new IPv6 address is configured HDD deletes
the previously set MC address filter list at HOST and firmware and again
configures the MC address list. When the number of addresses configured
reaches more than 10 then HDD erases the previously set filters and returns
from there. Hence the registered multicast address list is not set in the
firmware and due to this firmware when NS offload disabled won't wake up
the host for the incoming NS packets.
In this change increase the ethernet MC address list size to the firmware
supported size and configure up to the max size, skipping the rest when
number of addresses are greater than the max.
Change-Id: Ie911f083ef99dbd84f9b500ff27c43bbdf06d6c6
CRs-Fixed: 997943
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
To relate logcat messages and driver logs in bugreport both should
have same time format.
Add changes to print local time while printing proto trace buffer.
Change-Id: Ib3210394ba4b43045edfcdbcf0a63da5c2ecd458
CRs-Fixed: 1025909
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add a capability in service bitmask to indicate that fw also supports
this feature of marking first packet after wow wakeup to maintain backward
compatibility.
Change-Id: I3d41f5425e3a170c046941a439d17e06df0c6bef
CRs-Fixed: 1021382
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Fix union in WMI_MAC_PHY_CAPABILITIES
WMI changes to control transmit power for beacon frames
Change-Id: I4acd731ec8850766d4d47715ff78b813281d0b6a
CRs-Fixed: 865207
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Merge WMI_VDEV_VOW_ENABLED flag
Add a new config to set preferable audio during WLAN connection
Change-Id: I86ed461a5d3d6d7f48e5ce2eb9370771a619d667
CRs-Fixed: 865207
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add place holder enums for new feature under development.
Change-Id: I3af426b0120e46e56bc0e2ff2831a471016d30e1
CRs-Fixed: 865207
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
NAN Data Path WMI changes DATA END and CONFIRM messages
Change-Id: I6edaff37931db83d057e1ddb1e9952e2b0dc87aa
CRs-Fixed: 865207
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently host sends only clear AC stats mask to firmware during
disconnection hence PEER stats have large random garbage values.
As a part of this fix, host ensures it sends the clear all PEER stats
mask to firmware.
Change-Id: I804735d8e85769b04a33008c3b9b72029d0c4368
CRs-Fixed: 1019043
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
1. Fix argument type mismatch with format specifier in sscanf used by
hdd_hex_string_to_u16_array.
2. Fix bitwise operation on different size by typecasting.
Change-Id: Iccec386d8d88d69ccc4eacd2031d5664ed948acc
CRs-Fixed: 1018489
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation.
Due to pre-emption there is a probability that the tdls context
is accessed in wlan_hdd_tdls_check_power_save_prohibited after it is
released. This will result in kernel panic.
To Fix: protect tdls context with mutex lock before accessing
Change-Id: I33369320de5b0aadae661d7d27fbc5ba18e9e409
CRs-Fixed: 990645
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The QCSAP_IOCTL_VERSION IOCTL is registered with a maximum GET
buffer length of QCSAP_MAX_SC_IE = 256 bytes. But while filling
buffer, Host allows filling up to WE_MAX_STR_LEN which may lead to
buffer overflow.
As a part of this fix, Host ensures to register with maximum
WE_MAX_STR_LEN buffer length.
Change-Id: I5ba0268e978c7ddadabc96a4eba18140ff7db3c6
CRs-Fixed: 1001142
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently, in FTM and EEPING mode pkt trace is not initialized
but during driver unload, pkt trace deinit is called which leads
to crash.
Change the code to avoid calling pkt trace close in case of
FTM and EEPING mode.
Change-Id: I7c6faa8594a5168d78c1fbba7b8f968411093e0f
CRs-Fixed: 1023524
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Dump information such as source MAC address, destination
MAC address, sequence number, packet type, subtype and other
important information for the first mgmt. packet after WOW wakeup.
Change-Id: I4f39d93e8aeb243ec3df5cc1a916aec0a1aa4819
CRs-Fixed: 1019037
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Dump information such as source MAC address, destination
MAC address, sequence number, packet type, subtype and other
important information for the first data packet after WOW wakeup.
Change-Id: I3c83991f56be34412f3f10adf58bd991ecb536ca
CRs-Fixed: 1019037
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add APIs to get DHCP, EAPOL, ARP, ICMP, ICMPV6, TCP
and UDP packets type and subtype from the netbuf.
Change-Id: I8837ad1b976744eeb0e7f0a836eded3a5d34124b
CRs-Fixed: 1019037
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Return type of adf_dp_get_proto_bitmap function is
incorrectly handled when DP trace macro is not defined.
Change-Id: I7a8bc74f5cbb2124dec36fd922679b05ba1c58d1
CRs-Fixed: 1008087
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Whenever queues are paused by fw and the driver goes in runtime suspend
mode, it is a kind of deadlock condition as for HOST to receive unpause
event from fw, it has to come out of WOW mode but fw does not wake up
HOST for unpause event.
Add logic to do runtime pm resume when vdev tx ll queues are paused
by fw and the driver is in runtime suspend mode and then a tx packet
comes to txrx layer from networking stack. Also, add logic to prevent
the driver from going in runtime suspend mode if the tx ll queues are
paused by fw and all the queues are not empty.
Change-Id: Ie9a0c88cb76e4bfebcce16f5e250612330dae893
CRs-Fixed: 1018401
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Driver Upper layers are not aware of runtime pm state. We have seen
cases where upper layers want the driver to be runtime active.
One such case is, during MCC, Firmware sends pause event to host,
and driver is runtime suspended.
Host got a DHCP or ARP packet, which gets queued in the tx layer,
as the vdev queues are paused.
Firmware doesn't have wakeup capability for un pause events so
driver doesn't unpause the queues, which results in a data stall.
The fix is to do runtime resume so driver can receive unpause events
and allow data packets to flow through.
Hence provide an API to do runtime resume when needed.
CRs-Fixed: 1018401
Change-Id: Ie0d080ff1a8f6c05677af6f575fb93a62f13a0c6
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently ICMP counter is incremented only for IPV4 multicast packets.
But ICMP count includes total unicast/multicast/broadcast ICMP packets.
Add changes to update ICMP counter for unicast/multicast/broadcast
ICMP packets.
Change-Id: I00f9fb0c8231fd69f6c108ced8028eb19315006e
CRs-Fixed: 1020079
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If ll stats provided by FW has more than one peer then
Driver is allocating memory for all the peers but copying stats
for only first peer before sending it to upper layer.
Fix the issue to copy stats for all the peers.
Change-Id: I91b14377acfed6ccdde4315c4796ef1adbfd18c3
CRs-Fixed: 1018539
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation
Out of bound access is reported by kernel address
sanitizer (KASAN) tool.
=================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x28/0x54 at addr
ffffffc03f9b1f94
Read of size 1024 by task WifiLogger_app/662
=================================================================
page dumped because: kasan: bad access detected
-----------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e98084>] dump_stack+0x74/0xfc
[<ffffffc0002f2fac>] print_trailer+0x150/0x164
[<ffffffc0002f3374>] object_err+0x38/0x4c
[<ffffffc0002f88ac>] kasan_report+0x34c/0x504
[<ffffffc0002f7b74>] __asan_loadN+0x20/0x14c
[<ffffffc0002f8078>] memcpy+0x24/0x54
[<ffffffbffc3958ec>] vos_mem_copy+0x68/0x7c [wlan]
[<ffffffbffc307648>] wlan_logging_proc_sock_rx_msg+0x39c/0x3f0 [wlan]
[<ffffffbffc3042f0>] nl_srv_rcv+0x1c0/0x218 [wlan]
[<ffffffc001a28b20>] netlink_unicast+0x3b0/0x4c0
[<ffffffc001a2975c>] netlink_sendmsg+0xa2c/0xb30
[<ffffffc00196b658>] sock_sendmsg+0x1d4/0x22c
[<ffffffc001970278>] SyS_sendto+0x194/0x224
================================================================
There is possibility of out of bound memory access, if user sends
a netlink packet with message length greater than skb data_len.
Don't process netlink packet if message length is greater than
skb data_len.
Change-Id: Ice6492aa191da0af3fe4fc9b58dfddcb2a59d6d0
CRs-Fixed: 975923
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
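The length check this commit adds, as an added example that is not the prima/qcacld code: the receive path must not trust the sender-supplied nlmsg_len beyond what the socket buffer actually holds, otherwise the copy reads past the end of the skb data, which is the slab-out-of-bounds read in the KASAN report above. The struct below mirrors the field layout of struct nlmsghdr; the function names, the driver-side buffer size and the constructed messages are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same field layout as struct nlmsghdr in <linux/netlink.h>. */
struct nl_hdr {
    uint32_t nlmsg_len;    /* header + payload length, as claimed by the sender */
    uint16_t nlmsg_type;
    uint16_t nlmsg_flags;
    uint32_t nlmsg_seq;
    uint32_t nlmsg_pid;
};

#define NL_HDR_LEN  (sizeof(struct nl_hdr))
#define DST_BUF_LEN 1024   /* size of the driver-side copy target (assumed) */

enum nl_rx_status {
    NL_RX_TOO_SHORT     = -1,   /* skb shorter than one header             */
    NL_RX_LEN_MISMATCH  = -2,   /* nlmsg_len inconsistent with skb data_len */
    NL_RX_DST_TOO_SMALL = -3    /* payload would not fit the driver buffer  */
};

/* Receive path with the check the commit describes. Returns the number of
 * payload bytes copied into dst, or a negative nl_rx_status. The old code
 * trusted nlmsg_len and copied that many bytes out of a shorter skb. */
int nl_rx_msg(const uint8_t *skb_data, size_t skb_data_len,
              uint8_t *dst, size_t dst_len)
{
    struct nl_hdr hdr;
    size_t payload_len;

    if (skb_data_len < NL_HDR_LEN)
        return NL_RX_TOO_SHORT;
    memcpy(&hdr, skb_data, NL_HDR_LEN);       /* no unaligned access */
    if (hdr.nlmsg_len < NL_HDR_LEN || hdr.nlmsg_len > skb_data_len)
        return NL_RX_LEN_MISMATCH;            /* the added check */
    payload_len = hdr.nlmsg_len - NL_HDR_LEN;
    if (payload_len > dst_len)
        return NL_RX_DST_TOO_SMALL;
    memcpy(dst, skb_data + NL_HDR_LEN, payload_len);
    return (int)payload_len;
}

/* Build a constructed netlink message carrying `payload`, with nlmsg_len set
 * to `claimed_len` (the sender's claim, which may be wrong). Returns the
 * number of bytes actually placed in buf, i.e. the skb data_len. */
size_t build_nl_msg(uint8_t *buf, size_t cap, uint32_t claimed_len,
                    const char *payload)
{
    struct nl_hdr hdr = { 0 };
    size_t plen = strlen(payload);

    if (cap < NL_HDR_LEN + plen)
        return 0;
    hdr.nlmsg_len = claimed_len;
    hdr.nlmsg_type = 0x10;    /* arbitrary type for the example */
    memcpy(buf, &hdr, NL_HDR_LEN);
    memcpy(buf + NL_HDR_LEN, payload, plen);
    return NL_HDR_LEN + plen;
}

/* Well-formed sender: nlmsg_len matches what was actually sent. */
int demo_honest(void)
{
    uint8_t skb[64], dst[DST_BUF_LEN];
    size_t n = build_nl_msg(skb, sizeof skb, (uint32_t)(NL_HDR_LEN + 5), "hello");
    return nl_rx_msg(skb, n, dst, sizeof dst);
}

/* Malformed sender: claims 1024 bytes of payload but sends only 5. Without
 * the check, the copy would read 1024 payload bytes from a 21-byte buffer. */
int demo_overclaimed(void)
{
    uint8_t skb[64], dst[DST_BUF_LEN];
    size_t n = build_nl_msg(skb, sizeof skb, (uint32_t)(NL_HDR_LEN + 1024), "hello");
    return nl_rx_msg(skb, n, dst, sizeof dst);
}

/* Malformed sender: nlmsg_len smaller than the header itself, which would
 * otherwise wrap the payload length computation. */
int demo_undersized(void)
{
    uint8_t skb[64], dst[DST_BUF_LEN];
    size_t n = build_nl_msg(skb, sizeof skb, 4, "hello");
    return nl_rx_msg(skb, n, dst, sizeof dst);
}

int main(void)
{
    printf("honest: %d, overclaimed: %d, undersized: %d\n",
           demo_honest(), demo_overclaimed(), demo_undersized());
    return 0;
}
```

The check bounds nlmsg_len on both sides: it must be at least one header long (so the payload length cannot underflow) and at most the skb's data length (so the copy cannot read past the buffer); the separate destination-size check keeps a legitimate but large payload from overflowing the driver's own buffer.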
prima to qcacld-2.0 propagation
Out of bound access is reported by kernel address
sanitizer (KASan) tool.
=================================================================
BUG: KASAN: slab-out-of-bounds in csrScanSmeScanResponse+0x148/0x35c
[wlan] at addr ffffffc01745b208
Read of size 4 by task VosMCThread/32563
=================================================================
BUG kmalloc-128 (Tainted: P B W O ): kasan: bad access detected
----------------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e992fc>] dump_stack+0x74/0xfc
[<ffffffc0002f3094>] print_trailer+0x150/0x164
[<ffffffc0002f345c>] object_err+0x38/0x4c
[<ffffffc0002f8994>] kasan_report+0x34c/0x504
[<ffffffc0002f8ba0>] __asan_report_load4_noabort+0x14/0x20
[<ffffffbffc2adea8>] csrScanSmeScanResponse+0x144/0x35c [wlan]
[<ffffffbffc2ae1b0>] csrScanningStateMsgProcessor+0xf0/0x6e4 [wlan]
[<ffffffbffc2b6e10>] csrMsgProcessor+0x1f8/0x2c8 [wlan]
[<ffffffbffc252ff0>] sme_ProcessMsg+0x1024/0x115c [wlan]
[<ffffffbffc3a29d0>] VosMCThread+0x798/0x950 [wlan]
[<ffffffc0000f1f24>] kthread+0x22c/0x240
=================================================================
Improper type-casting of a buffer leads to out of bound access
of a buffer which may result in kernel panic.
To mitigate this issue typecast a buffer as per the caller function.
Change-Id: I7861ead27dff6b8dd45fbeafae8cf4c6f1ca4523
CRs-Fixed: 972671
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
There is a potential deadlock scenario with a spin lock between
a tasklet and a thread context. Fix it by using spin_lock_bh
because that will disable bottom halves on that CPU and thus
prevent a deadlock that could otherwise occur if the process
context code took the lock and then a software IRQ was run which
attempted to acquire the same lock.
Change-Id: I5f83cb7cecd7227e0ea9c9db001bb0420bf09c94
CRs-Fixed: 1014766
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
There is potential memory leakage in limStaSendAddBss().
pAddBssParams should be released if it fails to look
up a STA state node in the hash table.
In limAddSta(), there is another potential memory leakage
if it fails to find an IBSS peer.
Change-Id: I28ecb1f5a449e3d471798185fd30ec38563b34de
CRs-Fixed: 1002063
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In wma_dfs_indicate_radar, radar_event buffer should be
released in the failure case.
Change-Id: I7857bcf29958be054749affbf5df18485c2c7238
CRs-Fixed: 1002063
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Store the skb data in DP trace records when packet moves across data
path layers. DP trace determines which packet needs to be stored based
on the proto type, verbosity etc.
Change-Id: I369ad95949ffbc2bc629d0cc3f3d6479249cdd6a
CRs-Fixed: 988801
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The DP TRACE framework allows various events in the data path to be
recorded and retrieves the recent records whenever necessary.
Change-Id: I716469468c1dce2a401aad60caf729aac4c3a963
CRs-Fixed: 988801
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Dump the count of packets that are currently present in each
data path layer. These stats can be used in case of data stall.
Change-Id: Ia6a9683908c1571edaaa7d7a6339a8e205b9c859
CRs-Fixed: 988801
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
FW sends NACK for WOW command to indicate Host to abort ongoing
suspend. Host prevents suspend by holding a wakelock for 1sec.
The wakelock prevents APPS suspend, but doesn't have impact on
Runtime PM. Hence Skip Holding Wakelock when NACK is received
in Runtime PM.
And Log the runtime stats when link resume fails.
Change-Id: I6d9385565c6d06a082e226d5211c733d124bd3a7
CRs-Fixed: 1053252
Bug: 31062353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently, vos_trigger_recovery does not support silent recovery
instead host sends WMI_FORCE_FW_HANG_CMDID and waits for timeout.
In cases where wmi cmd cannot be sent to firmware, host needs
silent recovery.
As a part of this fix, Parameterize the vos_trigger_recovery
function for silent recovery.
Change-Id: I9bb631f7346a267a10348037c49606af43c6be4f
CRs-Fixed: 1053303
Bug: 31062353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Some Fatal events require SSR to be triggered after bug report is
completed. The API used to trigger SSR is vos_trigger_recovery(),
but vos_wlanRestart() is used in this case.
To fix this use vos_trigger_recovery() API to initiate SSR on
fatal events.
Change-Id: I29d45f69a9c0e4eb528d017cb54c151366513d67
CRs-Fixed: 1049133
Bug: 31062353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
PCIe link training failure will not be indicated to cnss client driver
as a link down indication.
In System/Runtime PM resume callbacks, client driver will access the target
registers, which results in L2 errors.
Fix it by ensuring the PCIe link resume training is completed by reading
config space device-id.
Change-Id: I8be902330215cf3c8cb0700e6f0da5b69e274c96
CRs-Fixed: 1052965
Bug: 31062353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Do not probe MC thread when it is suspended during cfg80211
suspend and increase thread stuck detection threshold to
avoid reporting false alarm.
Change-Id: Ia93289eaf89538818a8e1264dfcf3306d682bd9b
CRs-Fixed: 1047257
Bug: 30407099
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add recovery logic when wmi command buffer reaches its threshold.
This recovery logic collects ramdump and triggers SSR to recover
from bad state.
Change-Id: I0f04bcc0573eafb303ae1af434dbc60eb753e9e1
CRs-Fixed: 1037713
Bug: 29242387
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add error log to print channel number and frequency in
wlan_hdd_cfg80211_inform_bss_frame() if it fails to retrieve the
channel.
CRs-Fixed: 1010559
Change-Id: I8fe77db17ffa40ea07206a3701c02f02564ea8fd
Bug: 25862282
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>