In probe request IE white listing feature, memory allocated for vendor
OUIs during init are not de-allocated during de-init which is causing
memory leak.
To fix this, de-allocate memory for vendor OUIs in de-init.
Change-Id: Ia60002a56565604856b69e38c7bb72057cab5d4c
CRs-Fixed: 1107927
Bug: 35436707
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In the current implementation, probe req ie whitelisting feature is
also enabled in connected state due to which, probe reqs in corresponding
state are including selective IEs only.
To avoid this, disable IE whitelisting feature in connected state.
Change-Id: I52c78d40e8b97d89ff7cf63ef0bd6025e019a0db
CRs-Fixed: 1101697
Bug: 35436707
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add support to include only selective IEs in probe requests in
order to improve user's privacy.
Change-Id: Ib874af7ec2f5453282ffe0e8fc2e50934460b745
CRs-Fixed: 1086582
Bug: 35436707
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
WIPHY_VENDOR_CMD_NEED_RUNNING flag is not required for these
vendor sub-commands.
Hence, remove WIPHY_VENDOR_CMD_NEED_RUNNING flag from
wlan_hdd_cfg80211_extscan_get_capabilities and
wlan_hdd_cfg80211_get_bus_size
Change-Id: I2df673f2b38759c7c4973db19d535fba1e8ddd97
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
BUG: 35113704
This separates the kref for ion handles into two components.
Userspace requests through the ioctl will hold at most one
reference to the internally used kref. All additional requests
will increment a separate counter, and the original reference is
only put once that counter hits 0. This protects the kernel from
a poorly behaving userspace.
Bug: 34276203
Change-Id: Ibc36bc4405788ed0fea7337b541cad3be2b934c0
Signed-off-by: Daniel Rosenberg <drosen@google.com>
ATH diag procfs read is copying read_buffer to user space
unconditionally, causing kernel heap information leak of
uninitialized read_buffer if hif diag read fails.
Do not copy buffer to user space if diag read fails to
avoid information leak to user space.
Change-Id: I5e07cad4f90e5e9b3c461268b8fa3635c3128b9f
CRs-Fixed: 1104731
Bug: 32074353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently in WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
is user-controllable and is never validated, yet it is used as the length
for a memory copy. This enables user-space applications to corrupt
heap memory and potentially crash the kernel.
Fix is to validate the WPARSNIes length to its max before use as the
length for a memory copy.
Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648
Bug: 32086742
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In the function wma_enable_arp_ns_offload(), the len variable is
defined as signed 32 bit, whereas wmi_buf_alloc() takes unsigned
16 bit as input. Also, there is no limit on the input of
num_ns_offload_count.
Fix is to define the len variable in wma_enable_arp_ns_offload()
as unsigned 32 bit. The length input for wmi_buf_alloc() is also
extended and re-defined as unsigned 32 bit. Add limit check before
using num_ns_offload_count.
Change-Id: I5063df9551074e964eef67abeb8afcf104e50808
CRs-Fixed: 1103099
Bug: 32658595
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
commit 34eee70a7b82b09dbda4cb453e0e21d460dae226 upstream.
The ad5933_i2c_read function returns an error code to indicate
whether it could read data or not. However ad5933_work() ignores
this return code and just accesses the data unconditionally,
which gets detected by gcc as a possible bug:
drivers/staging/iio/impedance-analyzer/ad5933.c: In function 'ad5933_work':
drivers/staging/iio/impedance-analyzer/ad5933.c:649:16: warning: 'status' may be used uninitialized in this function [-Wmaybe-uninitialized]
This adds minimal error handling so we only evaluate the
data if it was correctly read.
Link: https://patchwork.kernel.org/patch/8110281/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
In __wlan_hdd_cfg80211_testmode API no checks are in place that
ensure that buflen is smaller than or equal to the size of the stack
variable hb_params. Hence, the vos_mem_copy() call can overflow
stack memory.
Add buf len check to avoid stack overflow.
CRs-Fixed: 1105085
Bug: 33979145
Change-Id: I6af6a74cc38ebce3337120adcf7e9595f22d3d8c
Userspace can cause the kref to handles to increment
arbitrarily high. Ensure it does not overflow.
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Bug: 31992382
Test: See bug for poc
Change-Id: I6bff1df385742b1d836d43180dc87fadcea80782
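
The split reference scheme described in the two ion kref commit messages above (one internal kref, a separate counter for ioctl requests, and an overflow guard on that counter), as an added example. This is a single-threaded userspace model, not the driver's code; the struct, field and function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Model of a handle. A real driver would update these under a lock. */
struct handle {
    unsigned int kref;            /* internal references (kernel code paths) */
    unsigned int user_ref_count;  /* references requested through the ioctl */
    int destroyed;                /* set when the last kref is dropped */
};

static void kref_get(struct handle *h) { h->kref++; }

static void kref_put(struct handle *h)
{
    if (h->kref > 0 && --h->kref == 0)
        h->destroyed = 1;
}

/* ioctl-side get: only the first user reference pins the internal kref. */
int user_get(struct handle *h)
{
    if (h->user_ref_count == UINT_MAX)
        return -1;                 /* refuse to wrap the user counter */
    if (h->user_ref_count++ == 0)
        kref_get(h);
    return 0;
}

/* ioctl-side put: userspace can only drop what it took through user_get. */
int user_put(struct handle *h)
{
    if (h->user_ref_count == 0)
        return -1;                 /* nothing held by userspace: reject */
    if (--h->user_ref_count == 0)
        kref_put(h);               /* the single pinned kref is released */
    return 0;
}

/* Before: every ioctl free maps straight onto the one kref. */
int naive_extra_free_destroys(void)
{
    struct handle h = { .kref = 1 };  /* kernel path holds one reference */

    kref_get(&h);   /* userspace alloc: kref == 2 */
    kref_put(&h);   /* userspace free:  kref == 1 */
    kref_put(&h);   /* extra free drops the kernel's own reference */
    return h.destroyed;
}

/* After: extra frees are rejected and the kernel's reference survives.
 * Returns the number of rejected frees, or -1 if the handle was destroyed. */
int split_extra_free_destroys(void)
{
    struct handle h = { .kref = 1 };  /* kernel path holds one reference */
    int rejected = 0;

    user_get(&h);                 /* kref == 2, user_ref_count == 1 */
    user_get(&h);                 /* kref == 2, user_ref_count == 2 */
    user_put(&h);                 /* user_ref_count == 1 */
    user_put(&h);                 /* user_ref_count == 0, kref == 1 */
    rejected += user_put(&h) < 0; /* extra free */
    rejected += user_put(&h) < 0; /* extra free */
    return h.destroyed ? -1 : rejected;
}

/* The user counter saturates instead of wrapping back to zero. */
int overflow_rejected(void)
{
    struct handle h = { .kref = 2, .user_ref_count = UINT_MAX };

    return user_get(&h) == -1 && h.user_ref_count == UINT_MAX && h.kref == 2;
}

int main(void)
{
    printf("naive: destroyed=%d\n", naive_extra_free_destroys());
    printf("split: rejected extra frees=%d\n", split_extra_free_destroys());
    printf("overflow rejected=%d\n", overflow_rejected());
    return 0;
}
```
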
'wrqu->data.length' holds the total number of IE data buffer.
Add a check to make sure the number of remaining data to be read is
greater than or equal to IE length.
Also, advance the buffer pointer to point to the next element only
if next element is present.
Change-Id: Ic60f3e0650f365955dab4099eb8740e9789e00cc
CRs-Fixed: 1100132
Bug: 32073794
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
To reduce no. of error logs in smeTraceDump(), change the log level
from LOGE to LOG1.
Change-Id: I1fb81226f90e90d6a5d3870d5b585c7df22db755
CRs-Fixed: 1032026
Bug: 31240601
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Memory should be allocated to radar_event only when radar phy
event needs to be sent to WMA layer.
Add changes to fix memory leak.
CRs-Fixed: 1065466
Change-Id: Ia3e93ddd47913956c27487472b6a70eb68d63fd9
Bug: 33007108
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The wlan driver supports the following vendor command:
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST
This command supplies a "number of APs" attribute as well as a list of
per-AP attributes. However there is no validation that the number of
APs provided won't overflow the destination buffer. In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.
To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
expected number of APs
* Only process the actual number of supplied APs if it is less than
the expected number of APs.
Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5
CRs-Fixed: 1095770
Bug: 33252788
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The wlan driver supports the following vendor command:
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE
This command supplies a "number of APs" attribute as well as a list of
per-AP attributes. However there is no validation that the number of
APs provided won't overflow the destination buffer. In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.
To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
expected number of APs
* Only process the actual number of supplied APs if it is less than
the expected number of APs.
Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77
CRs-Fixed: 1095009
Bug: 32872662
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
Bug: 32402310 32402604 32871330
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing a passpoint vendor command the "num
networks" attribute is limit checked and if it exceeds a MAX value
then the command is rejected. Otherwise this value is used to
calculate the size of the buffer allocated to hold the internal
representation of the request. However later when the network
attributes are parsed there is no check to make sure the number of
networks processed does not exceed the "num networks" used to allocate
memory, and as a result a buffer overflow can occur. Address this
issue by aborting the network parsing once "num networks" records have
been parsed.
Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6
CRs-Fixed: 1092059
Bug: 32450647
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing the "set passpoint list" vendor command the
"number of networks" parameter is not limit checked. This value is
subsequently used to calculate the size of a buffer. Add a limit check
to ensure that an appropriately sized buffer is always allocated.
Change-Id: Ibc2346b8a62898fc47e2d1efe457c57c08b0cada
CRs-Fixed: 1091940
Bug: 32879283
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing an EXTSCAN vendor command the "num buckets"
attribute is limit checked and if it exceeds a MAX value then a
warning message is issued. But beyond that the "num buckets" attribute
is not used. Instead when the buckets are actually parsed the number
of buckets is calculated dynamically based upon the number of
attributes present in the request. Unfortunately when the bucket
attributes are parsed there is no check to make sure the number of
buckets processed does not exceed the MAX value, and as a result a
buffer overflow can occur. Address this issue by aborting the bucket
parsing once the expected number of records have been parsed.
Change-Id: Ic260dd65dc99118afbb8042d102acb5b26d1e123
CRs-Fixed: 1087797
Bug: 32451104
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when processing an EPNO vendor command the "num networks"
attribute is limit checked and if it exceeds a MAX value then it is
reset to that MAX value. This value is then used to calculate the size
of the buffer allocated to hold the internal representation of the
request. However later when the network attributes are parsed there is
no check to make sure the number of networks processed does not exceed
the (possibly modified) "num networks" used to allocate memory, and as
a result a buffer overflow can occur. Address this issue by aborting
the network parsing once "num networks" records have been parsed.
Change-Id: I6e5f321d23471d082bb000ad0422ea9baa76577a
CRs-Fixed: 1087807
Bug: 32451171
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
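
The three count checks that the hotlist, significant-change, roam, passpoint and EPNO commit messages above describe, as an added example rather than the driver's code. It assumes a constructed fixed-size record format in place of nested netlink attributes, an assumed maximum of 4 entries, and hypothetical names throughout; it rejects a request that supplies more records than declared.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_APS     4   /* assumed maximum, stands in for the driver's limit */
#define BSSID_LEN   6
#define AP_REC_LEN  8   /* constructed record: 6-byte BSSID + low + high RSSI */

struct ap_entry { uint8_t bssid[BSSID_LEN]; int8_t low; int8_t high; };

struct hotlist_req {
    uint32_t num_ap;              /* number of entries actually filled in */
    struct ap_entry ap[MAX_APS];  /* destination buffer */
};

enum { PARSE_OK = 0, ERR_DECLARED_TOO_LARGE = -1,
       ERR_MORE_THAN_DECLARED = -2, ERR_TRUNCATED = -3 };

/* declared: the "number of APs" attribute; buf/len: the per-AP records. */
int parse_hotlist(uint32_t declared, const uint8_t *buf, size_t len,
                  struct hotlist_req *req)
{
    size_t off = 0;
    uint32_t i = 0;

    memset(req, 0, sizeof(*req));

    /* Check 1: the expected count must fit the destination buffer. */
    if (declared > MAX_APS)
        return ERR_DECLARED_TOO_LARGE;

    while (off < len) {
        /* Check 2: never accept more records than were declared. */
        if (i == declared)
            return ERR_MORE_THAN_DECLARED;
        /* A partial trailing record is malformed input, not a short list. */
        if (len - off < AP_REC_LEN)
            return ERR_TRUNCATED;

        memcpy(req->ap[i].bssid, buf + off, BSSID_LEN);
        req->ap[i].low  = (int8_t)buf[off + BSSID_LEN];
        req->ap[i].high = (int8_t)buf[off + BSSID_LEN + 1];
        off += AP_REC_LEN;
        i++;
    }

    /* Check 3: record what was actually supplied, which may be fewer
     * than declared, so later code never reads unfilled entries. */
    req->num_ap = i;
    return PARSE_OK;
}

/* Builds `supplied` constructed records, drops `trim` trailing bytes and
 * parses them. Returns the parsed count, or a negative error code. */
int parse_constructed(uint32_t declared, unsigned supplied, size_t trim)
{
    uint8_t buf[8 * AP_REC_LEN] = { 0 };
    struct hotlist_req req;
    size_t len;
    unsigned n;
    int rc;

    if (supplied > 8)
        supplied = 8;
    for (n = 0; n < supplied; n++) {
        uint8_t *rec = buf + n * AP_REC_LEN;

        memset(rec, 0xA0 + n, BSSID_LEN);   /* constructed BSSID */
        rec[BSSID_LEN]     = (uint8_t)-90;  /* constructed low RSSI */
        rec[BSSID_LEN + 1] = (uint8_t)-40;  /* constructed high RSSI */
    }
    len = (size_t)supplied * AP_REC_LEN;
    if (trim > len)
        trim = len;

    rc = parse_hotlist(declared, buf, len - trim, &req);
    return rc == PARSE_OK ? (int)req.num_ap : rc;
}

int main(void)
{
    printf("declared 3, supplied 3 -> %d\n", parse_constructed(3, 3, 0));
    printf("declared 4, supplied 2 -> %d\n", parse_constructed(4, 2, 0));
    printf("declared 2, supplied 3 -> %d\n", parse_constructed(2, 3, 0));
    printf("declared 5, supplied 1 -> %d\n", parse_constructed(5, 1, 0));
    return 0;
}
```
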
Currently there is a single wlan_hdd_extscan_config_policy which
contains entries for both EXTSCAN and PNO attributes. However the
EXTSCAN and PNO attributes have separate and overlapping
assignments. Therefore one policy cannot be used by both types of
commands. In addition, when parsing nested PNO attributes the policy
is not used, and hence no checking is performed on the nested
data. This can result in a buffer overflow.
To address these issues introduce a new policy for PNO vendor
commands, and use that policy both when parsing the initial command
and when parsing the nested attributes.
Change-Id: I92c8fc7ca1c44971502ea68b5486a2b3ae941cc5
CRs-Fixed: 1087209
Bug: 32454494
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If a user happens to call ION_IOC_FREE during an
ION_IOC_ALLOC on the just allocated id, and the
copy_to_user fails, the cleanup code will attempt
to free an already freed handle.
This adds a wrapper for ion_alloc that adds an
ion_handle_get to avoid this.
Bug: 31568617
Change-Id: I476e5bd5372b5178a213f1fea143d270cf9361ed
Signed-off-by: Daniel Rosenberg <drosen@google.com>
(cherry picked from commit 60f893c76b1aaa446624c46363bfc51ca75e8d87)
prima to qcacld-2.0 propagation.
Validate ssid length before accessing the ssid
if the length exceeds max ssid length then return.
CRs-Fixed: 1059205
Bug: 32506333
Change-Id: I96c366cd9f136f43b5f212d22b1032ee8e126e5b
Signed-off-by: Ecco Park <eccopark@google.com>
hdd_ocb_config_new() takes four "length" parameters, currently defined
to be of type 'int'. Since these are summed to calculate the size of a
dynamic memory allocation they must be non-negative so change them to
'uint32_t'.
Change-Id: Ie66bbb7c69aba92d9d846cb90628110b3bea8f74
CRs-Fixed: 1079596
Bug: 31750554
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
From kernel 3.19-rc4, the size of struct station_info is around 600 bytes,
so the stack frame size of routines that use this struct will easily
exceed 1024 bytes, the default value of stack frame size.
So use heap memory for this struct instead.
CRs-Fixed: 1050323
Bug: 32506396
Change-Id: I64835329dc2e46ae33c12585f92c6a75401cfc5c
Signed-off-by: Ecco Park <eccopark@google.com>
To keep the driver consistent, and until we have
fine-grained locking in place.
Change-Id: Ia75b61bb5635b3b299402d276d1edc3053c48d2a
Signed-off-by: Martijn Coenen <maco@android.com>
This patch introduces a new binder_fd_array object,
that allows us to support one or more file descriptors
embedded in a buffer that is scatter-gathered.
Change-Id: Id9a15ce4ee06138ecb1c3adb4fdccbe5c749767f
Signed-off-by: Martijn Coenen <maco@google.com>
Previously all data passed over binder needed
to be serialized, with the exception of Binder
objects and file descriptors.
This patch adds support for scatter-gathering raw
memory buffers into a binder transaction, avoiding
the need to first serialize them into a Parcel.
To remain backwards compatible with existing
binder clients, it introduces two new command
ioctls for this purpose - BC_TRANSACTION_SG and
BC_REPLY_SG. These commands may only be used with
the new binder_transaction_data_sg structure,
which adds a field for the total size of the
buffers we are scatter-gathering.
Because memory buffers may contain pointers to
other buffers, we allow callers to specify
a parent buffer and an offset into it, to indicate
this is a location pointing to the buffer that
we are fixing up. The kernel will then take care
of fixing up the pointer to that buffer as well.
Change-Id: I0bd78a441a698b058dd4b4071e3ab7116216dbe2
Signed-off-by: Martijn Coenen <maco@google.com>
The binder_buffer allocator currently only allocates
space for the data and offsets buffers of a Parcel.
This change allows for requesting an additional chunk
of data in the buffer, which can for example be used
to hold additional meta-data about the transaction
(eg a security context).
Change-Id: I3595b4212975f31303cfcd0b9ae4bbc41624a52d
Signed-off-by: Martijn Coenen <maco@google.com>
Moved handling of fixup for binder objects,
handles and file descriptors into separate
functions.
Change-Id: If0f67016d951a1ee16da0654163f911edc61ac0d
Signed-off-by: Martijn Coenen <maco@google.com>
Add a new module parameter 'devices', that can be
used to specify the names of the binder device
nodes we want to populate in /dev.
Each device node has its own context manager, and
is therefore logically separated from all the other
device nodes.
The config option CONFIG_ANDROID_BINDER_DEVICES can
be used to set the default value of the parameter.
This approach was favored over using IPC namespaces,
mostly because we require a single process to be a
part of multiple binder contexts, which seemed harder
to achieve with namespaces.
Change-Id: I3d8531c44e82ef7db4d8b9fa0c1761d4ec282e3d
Signed-off-by: Martijn Coenen <maco@google.com>
Move the context manager state into a separate
struct context, and allow for each process to have
its own context associated with it.
Change-Id: I6a9dfacb7b73a29760e367ff0b4e0ee21f2d0380
Signed-off-by: Martijn Coenen <maco@google.com>
flat_binder_object is used for both handling
binder objects and file descriptors, even though
the two are mostly independent. Since we'll
have more fixup objects in binder in the future,
instead of extending flat_binder_object again,
split out file descriptors to their own object
while retaining backwards compatibility to
existing user-space clients. All binder objects
just share a header.
Change-Id: I6bb3c5d2bc20eababd07df0a72617cb444b6db0e
Signed-off-by: Martijn Coenen <maco@google.com>
commit 80e162ee9b31d77d851b10f8c5299132be1e120f upstream.
`daqboard2000_find_boardinfo()` is supposed to check if the
DaqBoard/2000 series model is supported, based on the PCI subvendor and
subdevice ID. The current code is wrong as it is comparing the PCI
device's subdevice ID to an expected, fixed value for the subvendor ID.
It should be comparing the PCI device's subvendor ID to this fixed
value. Correct it.
Fixes: 7e8401b23e ("staging: comedi: daqboard2000: add back
subsystem_device check")
Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
Cc: <stable@vger.kernel.org> # 3.7+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
There is a use-after-free problem in the ion driver.
This is caused by a race condition in the ion_ioctl()
function.
A handle has ref count of 1 and two tasks on different
cpus call ION_IOC_FREE simultaneously.
cpu 0                                   cpu 1
-------------------------------------------------------
ion_handle_get_by_id()
(ref == 2)
                            ion_handle_get_by_id()
                            (ref == 3)
ion_free()
(ref == 2)
ion_handle_put()
(ref == 1)
                            ion_free()
                            (ref == 0 so ion_handle_destroy() is
                            called
                            and the handle is freed.)
                            ion_handle_put() is called and it
                            decreases the slub's next free pointer
The problem is detected as an unaligned access in the
spin lock functions since it uses load exclusive
instruction. In some cases it corrupts the slub's
free pointer which causes a mis-aligned access to the
next free pointer. (kmalloc returns a pointer like
ffffc0745b4580aa.) And it causes lots of other
hard-to-debug problems.
This symptom is caused since the first member in the
ion_handle structure is the reference count and the
ion driver decrements the reference after it has been
freed.
To fix this problem client->lock mutex is extended
to protect all the code that uses the handle.
Signed-off-by: Eun Taik Lee <eun.taik.lee@samsung.com>
Reviewed-by: Laura Abbott <labbott@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 9590232bb4f4cc824f3425a6e1349afbe6d6d2b7)
bug: 31568617
Change-Id: I4ea2be0cad3305c4e196126a02e2ab7108ef0976
TDLS teardown event sent by firmware is not processed whenever
host is in WOW mode which will lead to failure of TDLS
teardown.
Fix is to handle this event in WOW mode.
Change-Id: I3649bfdf4381f49483a3ffe2c80d5339b52a3764
CRs-Fixed: 1009456
Bug: 31681053
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Before configuring to firmware, validate multicast
filter count does not exceed the max allowed value.
Change-Id: I1bcb1c820a5154109565a8c283bf5131a3b90855
CRs-Fixed: 1059974
Bug: 31037507
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The current WMI interface needs both the ARP/NS configuration
in a single command. To support active offload, the host needs to
cache the ARP/NS at the wma layer so the host can fill in the other
request and configure the complete request (ARP+NS) down to
firmware.
Change-Id: Ie0a57d216379817ff0ae48f4f582c9108e8ecca1
CRs-Fixed: 1059739
Bug: 30989414
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In case of PMF connection pmfcomeback timer is initialized
for the old session and not for new FT session and thus
gives warning while stopping the timer when FT session is
deleted.
Fix this issue by initializing PMF timer for FT session.
Change-Id: I7ef1db436c39a824aeb199e51d28a011d527f7bd
CRs-Fixed: 1050380
Bug: 31358630
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently pmfComebackTimer is not initialized during roaming. This
can lead to error in peDeleteSession when driver tries to destroy
pmfComebackTimer. Fix this by initializing pmfComebackTimer during
roaming. Also, handle status eSIR_MAC_TRY_AGAIN_LATER as failure
during roaming.
Change-Id: Ic9c4e996c4078d09ef7cd9b3b073105d94eb53fb
CRs-Fixed: 1037640
Bug: 30017324 31358630
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
lowmemorykiller was not taking into account unevictable pages when
deciding what level to kill. If significant amounts of memory were
pinned, this caused lowmemorykiller to effectively stop at a much higher
level than it should.
bug 31255977
Change-Id: I763ecbfef8c56d65bb8f6147ae810692bd81b6e2
Do not hold the spinlock for packet trace dumping and
dump the trace only for connection related errors.
Change-Id: Ia33137fc924f8a860cf9ae281b8167fe3832c5b4
CRs-Fixed: 1053314
Bug: 30784832
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently driver flushes driver and firmware logs irrespective of ring id.
Host should flush the logs only for driver ring id.
Add changes to fix the same issue.
Change-Id: I50cfde1baaf18c1a3992f956182b49044ccc4b1d
CRs-Fixed: 1053219
Bug: 30784832
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add API to find IPV6 mcast packet to use it in wma_wow_wake_up_stats
func. This is required to know if there is a IPV6 mcast packet embedded
in a link layer unicast packet.
Change-Id: Ic2af69032262237b8751019817ae181913346818
CRs-Fixed: 1049254
Bug: 30138831
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Correct the updation of various wow wakeup counts.
Change wow_icmpv6_uc_bc_count to wow_icmpv6_count
as there is no broadcast in case of ipv6.
Change-Id: Iceaf1226edbf909ca3881e049c33f7d121860ef2
CRs-Fixed: 1049254
Bug: 30138831
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Presently in updating wma_wow_wake_up_stats, icmpv4 and icmpv6
counts are increased just by checking ICMP protocol offset byte
and ICMPV6 protocol offset byte without checking for whether it
is an IPV4 or IPV6 packet. So it is possible that for ICMPV6 packet,
the IPV4 protocol offset byte is equal to ICMP protocol or for some
ICMP packet, the IPV6 protocol byte is equal to ICMPV6 protocol and
thus both the icmpv4 and icmpv6 counts will get increased for that
packet.
Add ipv4 and ipv6 packet checks as well in addition to the present checks
to avoid wrong increment in the counts.
Change-Id: I2d6e5d095d2f4b2dd474b9338bfc830b04bfa533
CRs-fixed: 1048651
Bug: 30138831
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
WLAN host driver access the inet6_dev address list without acquiring
the read lock, if the kernel network stack deletes the address while
driver is accessing the list, it can lead to referencing already
freed address by the driver.
Hence, fix is to take the read lock before accessing the address list
Change-Id: I934e9f2039f3ab8540e439b9e8a87efced98807c
CRs-Fixed: 1048897
Bug: 30557396
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
1. Optimize the spinlock usage in suspend callback by keeping
target wakeup sequence outside the spinlock such that
spinlock is not held for longer time.
2. Remove duplicate target sleep call as anyway bus suspend callback
puts target into sleep before returning.
Change-Id: I08c3d1a72e0b6d3aadd590222130e33ee3db02b2
CRs-Fixed: 1048112
Bug: 30293222
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when the firmware sends WOW_REASON_RA_MATCH event,
only wow_ipv6_mcast_ra_stats is incremented. Since it is a ipv6 multicast
RA packet which is waking up the APPS, we also need to increment
wow_ipv6_mcast_wake_up_count to report the correct statistics.
Change-Id: I7b5181ec1c8548ff9e7d4d56a59ac3814040c187
CRs-Fixed: 1047268
Bug: 30138831
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Presently when the active mode offload is enabled, only disable request
from the upper layer are sent to the firmware. Enable the nsoffload
request is dropped.
Changes are made to adhere the request of enable/disable nsoffload
when the active mode is enabled.
Change-Id: I5d14f3a4b33e961c0b66678258b5ed0fc007b47f
CRs-Fixed: 1043855
Bug: 30252489
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Dump more info for WOW wakeup packet:
1) ether_type
2) proto_type in case of IPV4 and IPV6 packets
3) src port and dst port in case of TCP/UDP
Change-Id: I1578aa5322af50f0ae43248c48a2f754ea081970
CRs-Fixed: 1043939
Bug: 30253865
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Propagation from qcacld-3.0 to qcacld-2.0.
- Add INI item to enable/disable active mode offload
- By default enable active mode offload as it helps to save more
power in static display usecase(APPS stand alone power collapse)
- If active mode offload is enabled then all applicable data
offload/filtering is enabled immediately once config is available
in WLAN driver and FW caches it across suspend/resume
- If active mode offload is disabled then all applicable data
offload/filtering is enabled during cfg80211 suspend and disabled
during cfg80211 resume.
Change-Id: Ib0207cee6a1812a81354f638e6bf55441d52c6e1
CRs-Fixed: 880416
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The issue is when host re-enables QPower after resume, it is setting
WMI_STA_PS_ENABLE_QPOWER to 1 (which is for QPower = 2) always and never
WMI_STA_PS_ENABLE_QPOWER to 2 (which is for QPower = 5).
This means one suspend/resume is enough to disable QPower = 5 and
change to QPower = 2.
Fix this by removing the hardcoded value of 1 and use qpower_config instead.
Change-Id: I553c1691d5d7e98c2db8c9e56e2ba68ae27af506
CRs-Fixed: 1040737
Bug: 30092816
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
To find optimal rx wakelock duration, change hard coded wakelock
to configurable parameter.
Added new ini item.
rx_wakelock_timeout, default 0, max 100msec.
If duration is 0msec, wakelock will not be called.
Do not take wakelock for Rx multicast/broadcast packets.
Change-Id: I7e91d32bc9cddc1a507b84ce68e90319360d1df2
CRs-Fixed: 1040730
Bug: 29404209
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If BSS is present in kernel and driver scan cache, supplicant
tries to connect to the BSS multiple times even if the BSS is
unreachable. Due to multiple failures to connect, supplicant
disables the network.
To avoid this, remove the BSS from scan cache:
- If connect fails due to BSS unreachable i.e. probe
resp/auth/assoc timeout and scan for ssid failure.
- If disconnect is due to Link lost.
Change-Id: I3263dd02691000d83d4aef61c75b72d78c28f582
CRs-Fixed: 1039104
Bug: 30008590
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Some WMI Commands can be sent in Runtime PM context and MC thread context.
Packets coming via MC Thread Context can be tagged as Runtime PM packets
when runtime pm in progress.
Packets should be tagged in the same caller context to avoid any race
condition. Being stability issue, addressing this issue by not tagging
any non-wow commands as runtime pm after wow suspend. This will ensure
all the non-wow packets coming after wow_suspend flag is set as non
runtime pm packets and will trigger a runtime resume.
CRs-Fixed: 1037430
Change-Id: I03528a395e1d88ca2c5aaeca27fa505c3426f778
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
It doesn't set tag HTC_TX_PACKET_TAG_AUTO_PM when attempting to suspend
and set vdev suspend dtim, which causes the host to wake up frequently.
Change-Id: Iba32c715694e64ce7d941f198990b25b9c87240d
CRs-Fixed: 1003313
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation
From Kernel-3.18 onwards pending scan request is handled
as part of NETDEV_DOWN event, by invoking the cfg80211_scan_done
callback which frees the scan request structure. To support this,
driver will not invoke scan_done_callback if interface is down.
In case, if interface down and up are called back to back there
is a chance that kernel frees scan request as part of NETDEV_DOWN
and after which before driver triggers scan_done_callback if
interface is made up, driver scan_done_callback is through its
execution and accesses the freed scan request results in kernel
panic.
To mitigate this, don't return from hdd_stop until scan request
is aborted. Though this fix is to avoid kernel panic due to 3.18
kernel specific changes, it is acceptable across all the kernel
versions.
Change-Id: Iba8bd7a32fac33e8a0c3eea293aad682a1105397
CRs-Fixed: 977264
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Due to commit Id574e1309db8d8b01b4765e27b3638bb92c3d5a0,
Host stops memory tracking before trace-buffer gets freed.
Later host tries to free the trace_buffer but memory list
is empty, hence vos_bug is raised in SLUB enabled build.
As a part of fix, free trace-buffer before vos_mem_exit
and free trace_buffer in insmod failure case.
Change-Id: I75ef52a7dc286d8bea012b1e2b8ccf57343a3575
CRs-Fixed: 1036271
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In the hdd_wlan_startup function correct the error conditions in case of
any initialization failure; there is a crash instance wherein the nl socket is
initialized but not released by the driver in case of vos_open failure.
Release the nl socket during the load failure and also correct the other
error conditions.
Change-Id: I5eb63b42de0f2327b391427dd5b43235103ed06b
CRs-Fixed: 1033220
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently, Host frees the packet trace buffer in the beginning
of hdd_driver_exit. But the same freed packet trace buffer is used
during Hdd disconnect handler in MCThread context.
As a part of this fix, Host frees packet trace buffer in the end
of hdd_driver_exit, which ensures all threads are stopped at that
moment. Apart from it, add few sanity checks and error logs.
Change-Id: Id574e1309db8d8b01b4765e27b3638bb92c3d5a0
CRs-Fixed: 1028095
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Source and destination mac address are swapped in logs.
Fix this to print in correct order
Change-Id: Ifc6e14031ce1427247093e185ee16510ed3168da
CRs-Fixed: 1029923
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
vos_pkt_trace_buf_update() is not available in case
QCA_PKT_PROTO_TRACE is not defined.
Add dummy definition for hdd_dhcp_pkt_trace_buf_update() api to
correct this.
CRs-Fixed: 1029971
Change-Id: Id49390b21185c57878d1bf08d5db07230a0abd54
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Free proto trace buffer after disconnection, as proto
trace buffer is getting freed prior disconnection
from AP and resulting in invalid access.
Change-Id: Ief7ded29ea04be547d355f96e817aee776422142
CRs-Fixed: 1028262
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
When number of link MC addresses configured are more than the
maximum firmware MC address list size, host sets the firmware's
MC filters up to the max and skipping the rest. As a result
firmware drops the MC packets for the addresses whose MC filter
is not set.
To fix this clear the firmware MC filters when the number of kernel
MC addresses list is greater than the firmware's MC filter list size.
When no filters are configured firmware allows all the MC frames
to the host.
Change-Id: I6d8e8b2f5a646b914a7568ceae593b45b58f84d0
CRs-Fixed: 1025279
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently the size of the ethernet MC address list that host communicate
to firmware is 10. Whenever a new IPv6 address is configured HDD deletes
the previously set MC address filter list at HOST and firmware and again
configures the MC address list. When the number of addresses configured
reaches more than 10 then HDD erases the previously set filters and return
from there. Hence the registered multicast address list is not set in the
firmware and due to this firmware when NS offload disabled won't wake up
the host for the incoming NS packets.
In this change increase the ethernet MC address list size to the firmware
supported size and configure up to the max size, skipping the rest when
number of addresses are greater than the max.
Change-Id: Ie911f083ef99dbd84f9b500ff27c43bbdf06d6c6
CRs-Fixed: 997943
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
To relate logcat messages and driver logs in bugreport both should
have same time format.
Add changes to print local time while printing proto trace buffer.
Change-Id: Ib3210394ba4b43045edfcdbcf0a63da5c2ecd458
CRs-Fixed: 1025909
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add a capability in service bitmask to indicate that fw also supports
this feature of marking first packet after wow wakeup to maintain backward
compatibility.
Change-Id: I3d41f5425e3a170c046941a439d17e06df0c6bef
CRs-Fixed: 1021382
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Fix union in WMI_MAC_PHY_CAPABILITIES
WMI changes to control transmit power for beacon frames
Change-Id: I4acd731ec8850766d4d47715ff78b813281d0b6a
CRs-Fixed: 865207
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Merge WMI_VDEV_VOW_ENABLED flag
Add a new config to set preferable audio during WLAN connection
Change-Id: I86ed461a5d3d6d7f48e5ce2eb9370771a619d667
CRs-Fixed: 865207
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add place holder enums for new feature under development.
Change-Id: I3af426b0120e46e56bc0e2ff2831a471016d30e1
CRs-Fixed: 865207
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
NAN Data Path WMI changes DATA END and CONFIRM messages
Change-Id: I6edaff37931db83d057e1ddb1e9952e2b0dc87aa
CRs-Fixed: 865207
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently host sends only clear AC stats mask to firmware during
disconnection hence PEER stats have large random garbage values.
As a part of this fix, host ensure to send clear all PEER stats
mask to firmware.
Change-Id: I804735d8e85769b04a33008c3b9b72029d0c4368
CRs-Fixed: 1019043
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
1.Fix argument type mismatch with format specifier in sscanf used by
hdd_hex_string_to_u16_array.
2.Fix bitwise operation on different size by typecasting.
Change-Id: Iccec386d8d88d69ccc4eacd2031d5664ed948acc
CRs-Fixed: 1018489
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation.
Due to pre-emption there could be probability that tdls context
is accessed in wlan_hdd_tdls_check_power_save_prohibited after its
released. This will result in kernel panic.
To Fix: protect tdls context with mutex lock before accessing
Change-Id: I33369320de5b0aadae661d7d27fbc5ba18e9e409
CRs-Fixed: 990645
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The QCSAP_IOCTL_VERSION IOCTL is registered with a maximum GET
buffer length of QCSAP_MAX_SC_IE = 256 bytes. But while filling
buffer, Host allows to fill till WE_MAX_STR_LEN which may lead to
buffer overflow.
As a part of this fix, Host ensure to register with maximum
WE_MAX_STR_LEN buffer length.
Change-Id: I5ba0268e978c7ddadabc96a4eba18140ff7db3c6
CRs-Fixed: 1001142
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently, in FTM and EEPING mode pkt trace is not initialized
but during driver unload, pkt trace deinit is called which leads
to crash.
Change the code to avoid calling pkt trace close in case of
FTM and EEPING mode.
Change-Id: I7c6faa8594a5168d78c1fbba7b8f968411093e0f
CRs-Fixed: 1023524
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Dump information such as source MAC address, destination
MAC address, sequence number, packet type, subtype and other
important information for the first mgmt. packet after WOW wakeup.
Change-Id: I4f39d93e8aeb243ec3df5cc1a916aec0a1aa4819
CRs-Fixed: 1019037
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Dump information such as source MAC address, destination
MAC address, sequence number, packet type, subtype and other
important information for the first data packet after WOW wakeup.
Change-Id: I3c83991f56be34412f3f10adf58bd991ecb536ca
CRs-Fixed: 1019037
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add APIs to get DHCP, EAPOL, ARP, ICMP, ICMPV6, TCP
and UDP packets type and subtype from the netbuf.
Change-Id: I8837ad1b976744eeb0e7f0a836eded3a5d34124b
CRs-Fixed: 1019037
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Return type of adf_dp_get_proto_bitmap function is
incorrectly handled when DP trace macro is not defined.
Change-Id: I7a8bc74f5cbb2124dec36fd922679b05ba1c58d1
CRs-Fixed: 1008087
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Whenever queues are paused by fw and the driver goes in runtime suspend
mode, it is a kind of deadlock condition as for HOST to receive unpause
event from fw, it has to come out of WOW mode but fw does not wakeup the
HOST for unpause event.
Add logic to do runtime pm resume when vdev tx ll queues are paused
by fw and the driver is in runtime suspend mode and then a tx packet
comes to txrx layer from networking stack. Also, add logic to prevent
the driver from going in runtime suspend mode if the tx ll queues are
paused by fw and all the queues are not empty.
Change-Id: Ie9a0c88cb76e4bfebcce16f5e250612330dae893
CRs-Fixed: 1018401
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Driver Upper layers are not aware of runtime pm state. We have seen
cases, where upper layers want to do driver to be runtime active.
One such case is, during MCC, Firmware sends pause event to host,
and driver is runtime suspended.
Host got a DHCP or ARP packet, which gets queued in the tx layer,
as the vdev queues are paused.
Firmware doesn't have wakeup capability for un pause events so
driver doesn't unpause the queues, which results in a data stall.
The fix is to do runtime resume so driver can receive unpause events
and allow data packets to flow through.
Hence provide an API to do runtime resume when needed.
CRs-Fixed: 1018401
Change-Id: Ie0d080ff1a8f6c05677af6f575fb93a62f13a0c6
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently ICMP counter is incremented only for IPV4 multicast packets.
But ICMP count includes total unicast/multicast/broadcast ICMP packets.
Add changes to update ICMP counter for unicast/multicast/broadcast
ICMP packets.
Change-Id: I00f9fb0c8231fd69f6c108ced8028eb19315006e
CRs-Fixed: 1020079
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If ll stats provided by FW has more than one peer then
Driver is allocating memory for all the peers but copying stats
for only first peer before sending it to upper layer.
Fix the issue to copy stats for all the peers.
Change-Id: I91b14377acfed6ccdde4315c4796ef1adbfd18c3
CRs-Fixed: 1018539
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation
Out of bound access is reported by kernel address
sanitizer (KASAN) tool.
=================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x28/0x54 at addr
ffffffc03f9b1f94
Read of size 1024 by task WifiLogger_app/662
=================================================================
page dumped because: kasan: bad access detected
-----------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e98084>] dump_stack+0x74/0xfc
[<ffffffc0002f2fac>] print_trailer+0x150/0x164
[<ffffffc0002f3374>] object_err+0x38/0x4c
[<ffffffc0002f88ac>] kasan_report+0x34c/0x504
[<ffffffc0002f7b74>] __asan_loadN+0x20/0x14c
[<ffffffc0002f8078>] memcpy+0x24/0x54
[<ffffffbffc3958ec>] vos_mem_copy+0x68/0x7c [wlan]
[<ffffffbffc307648>] wlan_logging_proc_sock_rx_msg+0x39c/0x3f0 [wlan]
[<ffffffbffc3042f0>] nl_srv_rcv+0x1c0/0x218 [wlan]
[<ffffffc001a28b20>] netlink_unicast+0x3b0/0x4c0
[<ffffffc001a2975c>] netlink_sendmsg+0xa2c/0xb30
[<ffffffc00196b658>] sock_sendmsg+0x1d4/0x22c
[<ffffffc001970278>] SyS_sendto+0x194/0x224
================================================================
There is possibility of out of bound memory access, if user sends
a netlink packet with message length greater than skb data_len.
Don't process netlink packet if message length is greater than
skb data_len.
Change-Id: Ice6492aa191da0af3fe4fc9b58dfddcb2a59d6d0
CRs-Fixed: 975923
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
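The length check described in the commit message above, as an added user-space example (not the driver's code): a sender-declared payload length is compared with the bytes actually received before any copy. The header layout, error codes and all `demo_*` names are hypothetical, and the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical message header for this example; not the driver's structure. */
struct demo_msg_hdr {
    uint16_t type;
    uint16_t length;            /* payload length claimed by the sender */
};

#define DEMO_ERR_SHORT   (-1)   /* not enough data for a header */
#define DEMO_ERR_LENGTH  (-2)   /* claimed length exceeds the data received */
#define DEMO_ERR_NOSPACE (-3)   /* payload does not fit the destination */

/*
 * data/data_len model the received buffer and its data length.
 * Returns the number of payload bytes copied, or a negative error.
 */
int demo_copy_payload(const uint8_t *data, size_t data_len,
                      uint8_t *dst, size_t dst_cap)
{
    struct demo_msg_hdr hdr;

    if (data == NULL || dst == NULL || data_len < sizeof(hdr))
        return DEMO_ERR_SHORT;
    memcpy(&hdr, data, sizeof(hdr));    /* copy out, no unaligned access */

    /* Reject before copying: the sender controls hdr.length. */
    if ((size_t)hdr.length > data_len - sizeof(hdr))
        return DEMO_ERR_LENGTH;
    if ((size_t)hdr.length > dst_cap)
        return DEMO_ERR_NOSPACE;

    memcpy(dst, data + sizeof(hdr), hdr.length);
    return (int)hdr.length;
}

/* Constructed input: header claiming `claimed` bytes, then `actual` bytes. */
static size_t demo_build(uint8_t *buf, uint16_t claimed, size_t actual)
{
    struct demo_msg_hdr hdr = { 1, claimed };

    memcpy(buf, &hdr, sizeof(hdr));
    memset(buf + sizeof(hdr), 0xAB, actual);
    return sizeof(hdr) + actual;
}

/* Claimed length matches what was received: payload is copied. */
int demo_run_valid(void)
{
    uint8_t rx[64], out[32];
    size_t n = demo_build(rx, 16, 16);

    return demo_copy_payload(rx, n, out, sizeof(out));
}

/* Claims 1024 bytes but carries 16: an unchecked copy would over-read. */
int demo_run_oversized_claim(void)
{
    uint8_t rx[64], out[2048];
    size_t n = demo_build(rx, 1024, 16);

    return demo_copy_payload(rx, n, out, sizeof(out));
}

/* Fewer bytes than a header: nothing can be trusted, not even the length. */
int demo_run_truncated_header(void)
{
    uint8_t rx[2] = { 0, 0 }, out[8];

    return demo_copy_payload(rx, sizeof(rx), out, sizeof(out));
}

/* Length is consistent with the input but larger than the destination. */
int demo_run_small_dst(void)
{
    uint8_t rx[64], out[8];
    size_t n = demo_build(rx, 16, 16);

    return demo_copy_payload(rx, n, out, sizeof(out));
}

int main(void)
{
    printf("valid=%d oversized=%d truncated=%d small_dst=%d\n",
           demo_run_valid(), demo_run_oversized_claim(),
           demo_run_truncated_header(), demo_run_small_dst());
    return 0;
}
```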
prima to qcacld-2.0 propagation
Out of bound access is reported by kernel address
sanitizer (KASan) tool.
=================================================================
BUG: KASAN: slab-out-of-bounds in csrScanSmeScanResponse+0x148/0x35c
[wlan] at addr ffffffc01745b208
Read of size 4 by task VosMCThread/32563
=================================================================
BUG kmalloc-128 (Tainted: P B W O ): kasan: bad access detected
----------------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e992fc>] dump_stack+0x74/0xfc
[<ffffffc0002f3094>] print_trailer+0x150/0x164
[<ffffffc0002f345c>] object_err+0x38/0x4c
[<ffffffc0002f8994>] kasan_report+0x34c/0x504
[<ffffffc0002f8ba0>] __asan_report_load4_noabort+0x14/0x20
[<ffffffbffc2adea8>] csrScanSmeScanResponse+0x144/0x35c [wlan]
[<ffffffbffc2ae1b0>] csrScanningStateMsgProcessor+0xf0/0x6e4 [wlan]
[<ffffffbffc2b6e10>] csrMsgProcessor+0x1f8/0x2c8 [wlan]
[<ffffffbffc252ff0>] sme_ProcessMsg+0x1024/0x115c [wlan]
[<ffffffbffc3a29d0>] VosMCThread+0x798/0x950 [wlan]
[<ffffffc0000f1f24>] kthread+0x22c/0x240
=================================================================
Improper type-casting of a buffer leads to out of bound access
of a buffer which may result in kernel panic.
To mitigate this issue typecast a buffer as per the caller function.
Change-Id: I7861ead27dff6b8dd45fbeafae8cf4c6f1ca4523
CRs-Fixed: 972671
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
There is a potential deadlock scenario with a spin lock between
a tasklet and a thread context. Fix it by using spin_lock_bh
because that will disable bottom halves on that CPU and thus
prevent a dead lock that could otherwise occur if the process
context code took the lock and then a software IRQ was run which
attempt to acquire the same lock.
Change-Id: I5f83cb7cecd7227e0ea9c9db001bb0420bf09c94
CRs-Fixed: 1014766
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
There is potential memory leakage in limStaSendAddBss().
pAddBssParams should be released once failed to look
up a STA state node in hash table.
In limAddSta(), there is another potential memory leakage
once failed to find a IBSS peer.
Change-Id: I28ecb1f5a449e3d471798185fd30ec38563b34de
CRs-Fixed: 1002063
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In wma_dfs_indicate_radar, radar_event buffer should be
released in the failure case.
Change-Id: I7857bcf29958be054749affbf5df18485c2c7238
CRs-Fixed: 1002063
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Store the skb data in DP trace records when packet moves across data
path layers. DP trace determines which packet needs to be stored based
on the proto type, verbosity etc.
Change-Id: I369ad95949ffbc2bc629d0cc3f3d6479249cdd6a
CRs-Fixed: 988801
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The DP TRACE framework allows various events in the data path to be
recorded and retrieves the recent records whenever necessary.
Change-Id: I716469468c1dce2a401aad60caf729aac4c3a963
CRs-Fixed: 988801
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Dump the count of packets that are currently present in each
data path layer. These stats can be used in case of data stall.
Change-Id: Ia6a9683908c1571edaaa7d7a6339a8e205b9c859
CRs-Fixed: 988801
Bug: 31438853
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
FW sends NACK for WOW command to indicate Host to abort on going
suspend. Host prevents suspend by holding a wakelock for 1sec.
The wakelock prevents APPS suspend, but doesn't have impact on
Runtime PM. Hence Skip Holding Wakelock when NACK is received
in Runtime PM.
And Log the runtime stats when link resume fails.
Change-Id: I6d9385565c6d06a082e226d5211c733d124bd3a7
CRs-Fixed: 1053252
Bug: 31062353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently, vos_trigger_recovery does not support silent recovery
instead host send WMI_FORCE_FW_HANG_CMDID and wait for timeout.
In cases where wmi cmd cannot be sent to firmware, host needs
silent recovery.
As a part of this fix, Parameterize the vos_trigger_recovery
function for silent recovery.
Change-Id: I9bb631f7346a267a10348037c49606af43c6be4f
CRs-Fixed: 1053303
Bug: 31062353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Some Fatal events requires SSR to be triggered after bug report is
completed. The API used to trigger SSR is vos_trigger_recovery(),
but vos_wlanRestart() is used in this case.
To fix this use vos_trigger_recovery() API to initiate SSR on
fatal events.
Change-Id: I29d45f69a9c0e4eb528d017cb54c151366513d67
CRs-Fixed: 1049133
Bug: 31062353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
PCIe link training failure will not be indicated to cnss client driver
as a link down indication.
In System/Runtime PM resume callbacks, client driver will access the target
registers results in L2 errors.
Fix it by ensuring the PCIe link resume training is completed by reading
config space device-id.
Change-Id: I8be902330215cf3c8cb0700e6f0da5b69e274c96
CRs-Fixed: 1052965
Bug: 31062353
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Do not probe MC thread when its suspended during cfg80211
suspend and increase thread stuck detection threshold to
avoid reporting false alarm.
Change-Id: Ia93289eaf89538818a8e1264dfcf3306d682bd9b
CRs-Fixed: 1047257
Bug: 30407099
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add recovery logic when wmi command buffer reaches its threshold.
This recovery logic collects ramdump and trigger SSR to recover
from bad state.
Change-Id: I0f04bcc0573eafb303ae1af434dbc60eb753e9e1
CRs-Fixed: 1037713
Bug: 29242387
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add error log to print channel number and frequency in
wlan_hdd_cfg80211_inform_bss_frame() if it fails to retrieve the
channel.
CRs-Fixed: 1010559
Change-Id: I8fe77db17ffa40ea07206a3701c02f02564ea8fd
Bug: 25862282
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
STA is not processing the disassociate frame with invalid reason
code from AP, it's dropping the frame and hence STA is not disconnecting
from the AP.
Fix is to disassociate even if it receives invalid reason code.
Change-Id: Icebc46062b1ea4b7f5affa171f760123dbb9fcb7
CRs-Fixed: 1015244
Bug: 30507021
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If firmware crashed during the runtime suspend and SSR
triggered. The SSR is doing the runtime resume and if
resume process failed its triggering the VOS_BUG.
Ignore the VOS_BUG if SSR is already in progress to
avoid unnecessary device crash.
Change-Id: I482117ec5be02a34cd290e8495a3a7f99be4c57e
CRs-Fixed: 1038254
Bug: 29986876
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
APPS crash due to invalid access of device pointer during self recovery
as the Ramdump Global Pointer is not initialized.
Initialize Ramdump Global pointer before scheduling work for self recovery.
Change-Id: I856e591415f6237eb126151048fb6a822bab1812
CRs-Fixed: 1033917
Bug: 28912263
Bug: 29941999
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
commit ef3149eb3ddb7f9125e11c90f8330e371b55cffd upstream.
sca3000_read_ctrl_reg() returns a negative number on failure, check for
this instead of zero.
Signed-off-by: Luis de Bethencourt <luisbg@osg.samsung.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Prevent using a binder_ref with only weak references where a strong
reference is required.
BUG: 30445380
Change-Id: I66c15b066808f28bd27bfe50fd0e03ff45a09fca
Signed-off-by: Arve Hjønnevåg <arve@android.com>
This ioctl gets called during the start of SAP/hostapd with wext
interface and which is obsolete, currently using nl80211 interface
for the same
Remove the code related to setwpaie ioctl
Bug: 29915601
CRs-Fixed: 1000913
Change-Id: Ia45860d7143639aa62d02afe8c08e283e20ba27a
iw_set_priv is obsolete, now hdd_ioctl handles the
driver commands.
Remove the code related to iw_set_priv ioctl
CRs-Fixed: 1048052
Change-Id: Ic64a45aab2d23669d6d1219f6d2d8a465d34ac10
Bug: 29982678
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
The format specifier %p can leak kernel addresses
while not valuing the kptr_restrict system settings.
Use %pK instead of %p, which also evaluates whether
kptr_restrict is set.
Bug: 30148243
Change-Id: Ib1adf14e9620ad7b1bd3e962001c852610210d46
Signed-off-by: Divya Ponnusamy <pdivya@codeaurora.org>
Validate the ashmem memory entry against f_op pointer
rather than comparing its name with path of the dentry.
This is to avoid any invalid access to ashmem area in cases
where someone deliberately set the dentry name to /ashmem.
Bug: 30652312
Change-Id: I74e50cd244f68cb13009cf2355e528485f4de34b
Signed-off-by: Sunil Khatri <sunilkh@codeaurora.org>
Commit f1e7f0a724f6 ("android: binder: Disable preemption while holding
the global binder lock.") re-enabled preemption around most of the sites
where calls to potentially sleeping functions were made, but missed
__alloc_fd(), which can sleep if the fdtable needs to be resized.
Re-enable preemption around __alloc_fd() as well as __fd_install() which
can now sleep in upstream kernels as of commit 8a81252b774b ("fs/file.c:
don't acquire files->file_lock in fd_install()").
BUG=chrome-os-partner:44012
TEST=Build and boot on Smaug.
Change-Id: I9819c4b95876f697e75b1b84810b6c520d9c33ec
Signed-off-by: Andrew Bresticker <abrestic@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/308582
Reviewed-by: Stephen Barber <smbarber@chromium.org>
Reviewed-by: Riley Andrews <riandrews@google.com>
In current driver, WE_UNIT_TEST_CMD has below problem.
- apps_arg[1] can have zero value and can lead to
buffer overread
Change the code to handle the number of args if user has
given zero.
CRs-Fixed: 1029540
Change-Id: Idc8e1d77d9623daeb98d0c4b7ad8a8d6cfa9c2d2
Bug: 29941999
Bug: 29944562
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If firmware crashed during the runtime suspend and SSR
triggered. The SSR is doing the runtime resume and if
resume process failed its triggering the VOS_BUG.
Ignore the VOS_BUG if SSR is already in progress to
avoid unnecessary device crash.
CRs-Fixed: 1038254
Change-Id: Id7f2e8b16767cd4b03671e34d999ef14e7a1c6ce
Bug: 29986876
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
APPS crash due to invalid access of device pointer during self recovery
as the Ramdump Global Pointer is not initialized.
Initialize Ramdump Global pointer before scheduling work for self recovery.
Change-Id: Icc606743da144958bc936f5ee22393dc135731bf
CRs-Fixed: 1033917
Bug: 28912263
Bug: 29941999
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Fix WMI command path Tx failure case as current WMI command path
frees the packet with dummy completion when hif fails to send the
packet down.
Fix it by putting back wmi cmd to endpoint Tx queue for retry.
Change-Id: Ic7753b1961c005dfee5ac2c43d4df6c2d598a4f5
CRs-Fixed: 1013264
Bug: 29242387
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
When STA process Neighbor report from AP, session_id is declared
as one byte variable and it's overwritten with four bytes value
in csrRoamGetSessionIdFromBSSID. This is observed on enabling stack
protection in kernel config(CONFIG_CC_STACKPROTECTOR).
Fix is to declare session_id as four bytes variable.
Change-Id: Ieda0d13e2ccbe11dc9e56ad653430aa39306c707
CRs-Fixed: 1025272
Bug: 29194700
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
commit b348d7dddb6c4fbfc810b7a0626e8ec9e29f7cbb upstream.
Fix potential out-of-bounds write to urb->transfer_buffer
usbip handles network communication directly in the kernel. When receiving a
packet from its peer, usbip code parses headers according to protocol. As
part of this parsing urb->actual_length is filled. Since the input for
urb->actual_length comes from the network, it should be treated as untrusted.
Any entity controlling the network may put any value in the input and the
preallocated urb->transfer_buffer may not be large enough to hold the data.
Thus, the malicious entity is able to write arbitrary data to kernel memory.
Signed-off-by: Ignat Korchagin <ignat.korchagin@gmail.com>
Cc: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
During roaming the connected AP's operating channel is used instead of
preauth channel to fetch the band, based on which the data rate is set.
Due to this incorrect data rate is set.
To address this, use the preauth channel during roaming to fetch the band
and set the data rate accordingly.
CRs-Fixed: 1017943
Change-Id: Ia3bf13c1a93a156eba8461bcdcf3490b9f49c2a2
Bug: 28983161
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
FW can enter into suspend mode even if the BMPS is not enabled.
Hence power save check is not required in suspend request.
Change-Id: Ic2b774cea10516ea0b23141922ba1e16aa33f395
CRs-Fixed: 974918
Bug: 28912263
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
During allocation of memory for program field of bpf_set_offload,
return value of vos_mem_malloc has to be checked for NULL to avoid
NULL pointer exception
Change-Id: Ib7a3da08ee73a3ec09e21baf6da08d489649725f
CRs-Fixed: 1015601
Bug: 28836052
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
If ieee80211w=2 or pmf=2 is an explicit configuration in the
supplicant configuration MFPEnabled is set and driver assume it
as a PMF required connection, even if AP is in open security
mode.
Now when disconnect is received from supplicant driver sends a
protected deauth and assert is observed as firmware do not have
any valid key.
To fix this if ieee80211w=2 or pmf=2 is an explicit configuration
in the supplicant configuration but peer AP is non-PMF drop the
connection request.
Change-Id: I40faf63df4e95b367d66e9b51ff165759989a1d1
CRs-Fixed: 1011976
Bug: 28388202
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In hdd_wlan_re_init(), SSR timer is deleted and isLogpInProgress is set to FALSE
but between these two there are NL socket related calls which can sleep
under low memory conditions (or etc) because of which timer is deleted but
isLogpInProgress is not reset to FALSE. This can potentially fail the
south-bound requests for a brief amount of time.
Hence it is always better to delete the SSR timer only after
isLogpInProgress is reset to FALSE.
Change-Id: I699438ff3e0c2f7b81e0bbf81be6f514841e194b
CRs-Fixed: 1017011
Bug: 28836050
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation
In SME, if command posting fails then memory allocated for
command is not freed.
Free the memory if SME fails to post command.
Change-Id: I281ef5eb9492fe75d639b2bef7ed588aacee8e74
CRs-Fixed: 974567
Bug: 28831798
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Calculate and add wlan phy mode for each channel in OEM channel
info response.
Also send ANI_MSG_PEER_STATUS_IND indication for STA mode when
STA gets connected.
Change-Id: I91363e90698cabda72028135eb7fe9adeb1fbc86
CRs-Fixed: 1007004
Bug: 28834961
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
We recently change the logic for loading and unload driver for mode
change (CL5999313).
However, with this code, in case of getting loading driver request
with same mode, we unload driver and return -INVAL.
for the scenario where we turn off tethering, we got loading request
for STA mode two times
At second request, we unload driver and return error.
Eventually, we failed to turn on WLAN automatically.
As a fix, we just return success in case of same mode request.
Bug: 28740503
Change-Id: I787db8eae0cf9c9a47a5dc06a3adbc2f31837711
Kernel throws warnings on the invocation of schedule_work() before the
work is initialized.
To mitigate this issue, initialize the work before it is scheduled.
Change-Id: Ia73f3fb186ba0818162d8263a72187a71c2f4a07
CRs-Fixed: 1010964
Bug: 28405264
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
When Wifi is turned off, then hdd_stop is called
which leads to unload of driver. But before hdd_stop
is called, user has turned on wifi and
fwpath_change_handler is called before hdd_stop which
leads to unload twice and leading to crash.
To avoid this problem,
1) Synchronize the kickstart_driver call to keep
wlan_hdd_inited updated.
2) Store the fwpath string locally and check the last mode
with the current mode in fwpath_change_handler.
- If load request comes and driver is already
loaded with no change in fwpath string, then unload the
driver and return failure.
- If load request comes and driver is already loaded with change
in fwpath string then unload and load the driver again.
Change-Id: I2b22a0280e6a408def30244d5cd8ac306425b0bb
CRs-Fixed: 1012569
Bug: 28402915
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
There is a possibility of buffer overflow while processing
GET_CFG IOCTL to retrieve ini parameters from a global array,
because of invalid if condition.
Resolve buffer overflow issue by correcting if condition.
Change-Id: I7168d51dbea8b76f2d59fca6998ee01d29f8864f
CRs-Fixed: 1000853
Bug: 28673278
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation.
Currently driver block wpa_supplicant context for response
for 5 / 5 seconds for LL stats and firmware memory dump
feature respectively. But in M framework watch dog will
be triggered after 1 second because driver is holding
the context longer, which lead to wd thread starvation.
As a part of this fix, block time is reduced to 800 msec
respectively in both cases.
Change-Id: I558a7e40242d04d7a909a819cbdcdd46d0e894cf
CRs-Fixed: 951119
Bug: 28605342
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Currently when an addTs is buffered for processing in SME
and a delTs for the corresponding addTs is issued, the delTs
is getting dropped since the addTs has not yet been processed.
Fix this by buffering the delTs command if a corresponding flow
is not found.
Change-Id: I71c3e15f9ddf19378325f806be2f3b25d1353e47
CRs-Fixed: 1008956
Bug: 28605829
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
In linkspeed ioctl handler, mac address array is allocated a
size of MAC_ADDRESS_STR_LEN, which is 18 bytes taking account of null
terminator '\0'. But in code, a null terminator is being manually added
at index MAC_ADDRESS_STR_LEN. This would overflow the buffer and hence
null terminator should be added at MAC_ADDRESS_STR_LEN - 1.
Change-Id: Ie1f437b8240908857e88a072ad1a1ab287499625
CRs-Fixed: 1000861
Bug: 28606501
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add TPC IE by default in probe requests of STA scans as this is
required for VE cert.
Change-Id: I19b20a7e8325c566e2e58fdc686260790ac8de85
CRs-Fixed: 1006608
Bug: 28606500
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation.
Currently MAX_CHANNEL to scan is 45 which should be 46.
Making MAX_CHANNEL as 46.
Change-Id: Ie22962a5928dd676f46f7540383e4d661eee27ac
CRs-Fixed: 951742
Bug: 28605823
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
prima to qcacld-2.0 propagation.
When assoc fails, send protocol reason code instead of generic
reason code. Customers complain that it just reports generic
reason for WPA2 AP and causes UI mismatch.
Change-Id: I1d3ae47abf5bdb67c4c43fc77e4764334905a749
CRs-Fixed: 970759
Bug: 28606513
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Host should not send the ipa_enable_disable cmd to firmware
during driver unload.
As a part of this fix, Host discards ipa enable/disable
commands during driver unload.
CRs-Fixed: 994677
Change-Id: I7db6a8a979b00f040758b6450296b2c768d14361
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
use_protection in erp IE was not reset after legacy AP goes away
which was leading to reduced throughput issue.
Fix is to reset protection bit and update the FW once legacy AP
goes away.
CRs-Fixed: 1006601
Change-Id: Ibcda25afdd41d4f6f870648aa04e0655caf4bcc7
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Currently driver reports max MCS index 9 for VHT20, but cfg80211
doesn't support such case, which leads to link speed null returned
to upper-layer.
Update the driver to report max MCS index 8 for VHT20.
CRs-Fixed: 1005141
Change-Id: I45b7ae9674f73bd8c82256dd035b10418d09b0a4
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
As per current implementation WOW wake up stats are not updated
when host wakes up with wake reason WOW_REASON_BPF_ALLOW.
Add changes to update wow wake up stats when host wakes up
with reason WOW_REASON_BPF_ALLOW.
CRs-Fixed: 1006606
Change-Id: I83729e4b6f7315245b3a0c96ee9fcb0d135afecf
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Enable FORCE_LEGACY_PCI_INTERRUPTS flag in Kbuild to make sure that in
every case legacy interrupts are enabled as MSI interrupts are not supported
in driver.
CRs-Fixed: 997768
Change-Id: Ib961f2f55d05f672bc8abb54614a07abec93c40b
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Add changes to enable packet tracing for debug build and pack
CB structure in sk_buff since it was crossing designated size of
CB.
CRs-Fixed: 993295
Change-Id: Ifa2e13109212dfc6b371fc7ba928720efdf7209b
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
qcacld-3.0 to qcacld-2.0 propagation
Remove the 4.9 GHZ channels from the driver stack.
4.9 GHZ channels are not being used for any country,
so remove them.
CRs-Fixed: 1001658
Change-Id: I646922b74f4e979de232580060dcdf3c4af77a0c
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
As per current implementation 11P channels are added to 5G band
as part of driver initialization if FEATURE_STATICALLY_ADD_11P_CHANNELS
is not defined. Kernel has enabled 11P channels due to which it gives
11p channels as part of scan command. This increases the scan time.
Add changes to remove 11P channels from the received channel list
during scan command.
CRs-Fixed: 1003326
Change-Id: Ic382786ad111f78f007bc65cb0870ff81d12ca61
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Check the return value of snprintf during STA info collection to identify
any insufficient buffer condition.
Change-Id: I6eb5d605d5230df16e27c03c65b151e1cea8f7d8
CRs-Fixed: 1005996
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Check the return value of snprintf during stats collection to
avoid any possible underflow.
Change-Id: Ib37b51e2252cd938ac6369f2562a44ab8f79a4da
CRs-Fixed: 1005994
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Replace 'scnprintf' with 'snprintf' to know the number of bytes that were
attempted to be copied while calculating the AP stats. This is needed to
know if the supplied buffer was long enough or not. Since 'scnprintf'
returns only the number of characters written into the buffer, it is not
helpful here and hence replacing it with 'snprintf' which returns the
number of bytes attempted to copy. snprintf's return value doesn't
include the terminating null byte.
Change-Id: I6364f2d16d96967f31389413f48ccccc66abdefa
CRs-Fixed: 997777
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
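The return-value difference that the three snprintf commit messages above depend on, as an added userspace C example (not the driver's code). `scn_printf` is a stand-in written here for the kernel's `scnprintf`; the record format and the function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for kernel scnprintf(): returns characters actually stored
 * (excluding the NUL), never the length the format wanted. */
static int scn_printf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (size == 0 || n < 0)
        return 0;
    return (size_t)n < size ? n : (int)(size - 1);
}

/* Append 15-byte records; returns bytes used, or -1 if a record did not fit. */
static int collect_checked(char *buf, size_t size, int records)
{
    size_t len = 0;

    if (size == 0)
        return -1;
    for (int i = 0; i < records; i++) {
        int n = snprintf(buf + len, size - len, "sta%d: rssi=-%d\n", i, 40 + i);
        /* Without this check len could pass size and size - len would wrap. */
        if (n < 0 || (size_t)n >= size - len) {
            buf[len] = '\0';   /* drop the partial record */
            return -1;
        }
        len += (size_t)n;
    }
    return (int)len;
}

/* Same loop with the scnprintf stand-in: truncation is silent. */
static int collect_scn(char *buf, size_t size, int records)
{
    size_t len = 0;

    for (int i = 0; i < records; i++)
        len += (size_t)scn_printf(buf + len, size - len,
                                  "sta%d: rssi=-%d\n", i, 40 + i);
    return (int)len;
}
```

With a 32-byte buffer and three records, `collect_checked` reports the shortfall while `collect_scn` returns a plausible length with a cut-off last record.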
In wlan_hdd_add_tx_ptrn, there is a potential memory
leakage once request_id==MAX_ID.
CRs-Fixed: 1002063
Change-Id: I3d08face7cad317bfa730e81f09f5a5af7c90077
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
prima to qcacld-2.0 propagation
Framework may initiate LL stat ops while roaming is
in middle, which in turn block the call or wait for
timeout hence introducing roaming delay.
This delay can be overcome by avoiding LL stat ops
if it is triggered in between the roaming.
Change-Id: Ic4af0acd25a4eaa3fddf0a4621f3e71ab275b77e
CRs-Fixed: 881429
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
In some cases wmi_buf_alloc is used to allocate memory, while
adf_os_mem_free(vos_mem_free) is used to free the memory.
vos_mem_free checks if memory is present in vosMemList to detect
double free.
Now as wmi_buf_alloc does not add the allocated memory to
vosMemList, vos_mem_free assumes it to be a double free case and causes
kernel panic.
Use proper corresponding API to free memory.
CRs-Fixed: 1004079
Change-Id: I44935b51bf9ff5d5b8ad09d47158b2e15c2a13ad
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Fix incorrect freeing of memory for internally generated oem data
response. For internal oem data response, response length will be
zero and oem_data_rsp will not be allocated any memory. Add a check
to not free that memory for internal data response and also assign
that pointer to NULL in the sender.
Change-Id: I2784b5f6f60988223baf82df025f98083575fd87
CRs-Fixed: 1004248
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Due to race between user triggered disconnect and OTA disconnect,
On receiving OTA disconnect PE sends DISCONNECT_IND to SME and
waits for confirmation from SME. By the time if SME already received
disconnect from user it will give PE DEAUTH_REQ instead of DIASSOC_CNF
message. Upon receiving this PE will do the clean up and will send
DEAUTH_RSP message. SME will also process DISASSOC_IND and will send
eSmeCommandWmStatusChange. But this will be in pending queue as user
triggered deauth is in progress as a SME active command. If this is processed
after user initiated disconnect command, HDD will get two disconnects which
cause mess up of eConnectionState_Disconnecting/eConnectionState_NotConnected
states in hdd disconnect handler.
Fix is to remove pending eSmeCommandWmStatusChange command after
DEAUTH_RSP from SME.
CRs-Fixed: 1003374
Change-Id: I9f8f2c987855523ae9622d53eef2fad3d90d7222
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
During Runtime Suspend, if Crash Shutdown triggered because of other
subsystems, ensure to do runtime resume before accessing PCIe Link
to avoid Link Errors.
CRs-Fixed: 1004540
Change-Id: Ib06930c003afe23349b07142f4fafd92b7405450
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
prima to qcacld-2.0 propagation
In case of static driver, upon wifi turn off module exit
doesn't happen. Module exit helps in cleanup of static memory.
If driver is loaded statically, at the time of driver unload,
wiphy flags are not cleared because of static memory.
Fix it by removing channel type as static.
CRs-Fixed: 944530
Change-Id: Ibbd69eaaaf2f436d7f5f02efe63821b941f88b2f
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
MCS9 rates in HT20 are basically supported only when rx LDPC
is enabled. Currently rx LDPC is not enabled by default,
so FW is not enabling MCS9 rates for HT20.
To address this, enable gTxLdpcEnable=3 by default.
CRs-Fixed: 1000623
Change-Id: I88ad6e684813c2db610758ace4618a651f8988dc
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
WMM access category stats of old BSS getting added to stats of new BSS
on network switch.
To mitigate this issue, clear WMM access category stats on disconnect.
CRs-Fixed: 999832
Change-Id: I87ced6f4240509e92ed880acbd1632f6d865a761
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Before write to array member of pSpectInfoParams
in sapSelectChannel, we need to check the memory
access range to avoid the write overflow of the
memory.
CRs-Fixed: 998557
Change-Id: I7e8eec622835ca644e65cc81a17a69fb2a2c53ff
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
If host issues extscan get cache results, while gscan is not in
progress then buckets_scanned mask comes as zero. To handle this
issue now firmware sends the buckets_scanned mask as part of
wmi_extscan_rssi_info instead of fixed_param.
CRs-Fixed: 1001733
Bug: 27902360
Change-Id: I2b0f720c59bfe33ee15b54266a12bb42b3e2ec95
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Add WMI interface changes to send buckets_scanned bitmask per each scan
cache entry that is sent when WMI_EXTSCAN_GET_CACHED_RESULTS_CMDID.
CRs-Fixed: 865207
Change-Id: I9931bb6c896ca4685c76f86d5ec2888f3e06ff1c
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Fix incorrect buffer handling in OEM response handlers.
This change set will fix,
1. Add appropriate check on the response length before malloc.
2. Add correct check for malloc failure.
3. Copy correct number of bytes into response buffer.
CRs-Fixed: 1001118
Change-Id: I3e4d4e630900a45ed2e6ea2bcbd6949026a34322
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Add data length information in oem data response messages. Currently
maximum response size is passed to upper layers.
CRs-Fixed: 1001118
Change-Id: I2ae999361bb34dad96d055e774102d94c0b3d9a6
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Check if the spectrum management, short preamble, immediate block ack
are supported by BSS before sending Reassoc request in roaming and
reset the corresponding capability info bits in Reassoc request if the
respective BSS does not support it
CRs-Fixed: 1002770
Change-Id: I60b9d2948c1f95ba9af0e894adeb97ff980c3c93
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Host waits for response from firmware during suspend & resume.
Consider a case during wait for response if SSR happens
then host has old WMA handle. So after time out host
should ensure it has latest WMA handle. If caller has
old handler then they should return gracefully.
Change-Id: I17b9ee9e66cb8e7aef6b6f7e1e028ce639fca59d
CRs-Fixed: 1000615
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Currently TXQ of DEFAULT_MGMT packet is using TID
HTT_TX_EXT_TID_MGMT when we inserted into Scheduler, so use
same TID when we flush it.
Change-Id: I9bf0d0c9e3756ef7bcffa8bbedc8e411b1cf5843
CRs-Fixed: 1000968
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
pr_debug() should not appear by default in kernel log (kmsg).
DEBUG is a kernel macro, since host driver is using the same name macro,
pr_debug log statements are appearing in kmsg.
Fix this by moving the code under DEBUG to WLAN_DEBUG and
remove DEBUG macro from Kbuild.
Change-Id: Ibe26ff23e201554eae126f9d657986b950ec679a
CRs-Fixed: 1003261
Bug: 27924477
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>
Currently, firmware sends static 64 number of tx power level stats.
This is not scalable, hence add the support to send variable number
of tx power level stats.
Change is, firmware sends a separate WMI event with tx power level stats
indicating the total/num tx power levels and offset in the event
followed by the TLV. Host driver radio stats event processing is complete
only after receiving the tx power level stats.
CRs-Fixed: 992365
Change-Id: I2bf006ad776f995634cebe171a27c3d9a36cae70
Signed-off-by: Subhani Shaik <subhanis@codeaurora.org>