samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix buffer overflow in process_tx_info and process_rx_info

Browse Source 
Currently data in "pl_tgt_hdr" is used directly from firmware without
any length check which may cause buffer over-read.

To address this issue add length check before accessing data offset

Change-Id: Ic2930fdf7168b79a8522be282b0e1cd19214742a
CRs-Fixed: 2191170
This commit is contained in:
jitiphil
2018-02-16 19:18:25 +05:30
committed by nshrivas
parent 974da2640a
commit 0081d767f1
3 changed files with 505 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
utils/pktlog/include/pktlog_ac.h
View File

@@ -1,5 +1,5 @@
/*
* Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
* Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -146,7 +146,7 @@ int pktlog_disable(struct hif_opaque_softc *scn);
int pktlogmod_init(void *context);
void pktlogmod_exit(void *context);
int pktlog_htc_attach(void);
void pktlog_process_fw_msg(uint32_t *msg_word);
void pktlog_process_fw_msg(uint32_t *msg_word, uint32_t msg_len);
void lit_pktlog_callback(void *context, enum WDI_EVENT event, void *log_data,
u_int16_t peer_id, uint32_t status);
@@ -192,7 +192,7 @@ static inline int pktlog_htc_attach(void)
{
return 0;
}
static inline void pktlog_process_fw_msg(uint32_t *msg_word)
static inline void pktlog_process_fw_msg(uint32_t *msg_word, uint32_t msg_len)
{ }
#endif /* REMOVE_PKT_LOG */
#endif /* _PKTLOG_AC_H_ */

21
utils/pktlog/pktlog_ac.c
View File

@@ -865,18 +865,21 @@ int pktlog_clearbuff(struct hif_opaque_softc *scn, bool clear_buff)
*
* Return: None
*/
void pktlog_process_fw_msg(uint32_t *buff)
void pktlog_process_fw_msg(uint32_t *buff, uint32_t len)
{
uint32_t *pl_hdr;
uint32_t log_type;
struct cdp_pdev *pdev = get_txrx_context();
struct ol_fw_data pl_fw_data;
if (!pdev) {
qdf_print("%s: txrx_pdev is NULL", __func__);
return;
}
pl_hdr = buff;
pl_fw_data.data = pl_hdr;
pl_fw_data.len = len;
log_type =
(*(pl_hdr + 1) & ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
@@ -887,19 +890,19 @@ void pktlog_process_fw_msg(uint32_t *buff)
|| (log_type == PKTLOG_TYPE_TX_FRM_HDR)
|| (log_type == PKTLOG_TYPE_TX_VIRT_ADDR))
wdi_event_handler(WDI_EVENT_TX_STATUS,
pdev, pl_hdr);
pdev, &pl_fw_data);
else if (log_type == PKTLOG_TYPE_RC_FIND)
wdi_event_handler(WDI_EVENT_RATE_FIND,
pdev, pl_hdr);
pdev, &pl_fw_data);
else if (log_type == PKTLOG_TYPE_RC_UPDATE)
wdi_event_handler(WDI_EVENT_RATE_UPDATE,
pdev, pl_hdr);
pdev, &pl_fw_data);
else if (log_type == PKTLOG_TYPE_RX_STAT)
wdi_event_handler(WDI_EVENT_RX_DESC,
pdev, pl_hdr);
pdev, &pl_fw_data);
else if (log_type == PKTLOG_TYPE_SW_EVENT)
wdi_event_handler(WDI_EVENT_SW_EVENT,
pdev, pl_hdr);
pdev, &pl_fw_data);
}
#if defined(QCA_WIFI_3_0_ADRASTEA)
@@ -926,6 +929,7 @@ static void pktlog_t2h_msg_handler(void *context, HTC_PACKET *pkt)
struct pktlog_dev_t *pdev = (struct pktlog_dev_t *)context;
qdf_nbuf_t pktlog_t2h_msg = (qdf_nbuf_t) pkt->pPktContext;
uint32_t *msg_word;
uint32_t msg_len;
/* check for sanity of the packet, have seen corrupted pkts */
if (pktlog_nbuf_check_sanity(pktlog_t2h_msg)) {
@@ -948,7 +952,8 @@ static void pktlog_t2h_msg_handler(void *context, HTC_PACKET *pkt)
qdf_assert((((unsigned long)qdf_nbuf_data(pktlog_t2h_msg)) & 0x3) == 0);
msg_word = (uint32_t *) qdf_nbuf_data(pktlog_t2h_msg);
pktlog_process_fw_msg(msg_word);
msg_len = qdf_nbuf_len(pktlog_t2h_msg);
pktlog_process_fw_msg(msg_word, msg_len);
qdf_nbuf_free(pktlog_t2h_msg);
}

540
utils/pktlog/pktlog_internal.c
View File

@@ -362,6 +362,8 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
struct ath_pktlog_hdr pl_hdr;
struct ath_pktlog_info *pl_info;
uint32_t *pl_tgt_hdr;
struct ol_fw_data *fw_data;
uint32_t len;
if (!txrx_pdev) {
printk("Invalid pdev in %s\n", __func__);
@@ -371,7 +373,26 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
qdf_assert(pl_dev);
qdf_assert(data);
pl_tgt_hdr = (uint32_t *) data;
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MAC_ID_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *)fw_data->data;
/*
* Makes the short words (16 bits) portable b/w little endian
* and big endian
@@ -396,6 +417,11 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
*(pl_tgt_hdr + ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET);
pl_info = pl_dev->pl_info;
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
if (pl_hdr.log_type == PKTLOG_TYPE_TX_CTRL) {
size_t log_size = sizeof(frm_hdr) + pl_hdr.size;
void *txdesc_hdr_ctl = (void *)
@@ -405,7 +431,7 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
qdf_mem_copy(txdesc_hdr_ctl, &frm_hdr, sizeof(frm_hdr));
qdf_mem_copy((char *)txdesc_hdr_ctl + sizeof(frm_hdr),
((void *)data +
((void *)fw_data->data +
sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
pl_hdr.size = log_size;
@@ -422,7 +448,8 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
log_size, &pl_hdr);
qdf_assert(txstat_log.ds_status);
qdf_mem_copy(txstat_log.ds_status,
((void *)data + sizeof(struct ath_pktlog_hdr)),
((void *)fw_data->data +
sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
/* TODO: MCL specific API */
cds_pkt_stats_to_logger_thread(&pl_hdr, NULL,
@@ -442,6 +469,8 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
struct ath_pktlog_hdr pl_hdr;
struct ath_pktlog_info *pl_info;
uint32_t *pl_tgt_hdr;
struct ol_fw_data *fw_data;
uint32_t len;
if (!txrx_pdev) {
qdf_print("Invalid pdev in %s\n", __func__);
@@ -451,7 +480,24 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
qdf_assert(pl_dev);
qdf_assert(data);
pl_tgt_hdr = (uint32_t *) data;
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *)fw_data->data;
/*
* Makes the short words (16 bits) portable b/w little endian
* and big endian
@@ -473,12 +519,12 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
if (pl_hdr.log_type == PKTLOG_TYPE_TX_FRM_HDR) {
/* Valid only for the TX CTL */
process_ieee_hdr(data + sizeof(pl_hdr));
process_ieee_hdr(fw_data->data + sizeof(pl_hdr));
}
if (pl_hdr.log_type == PKTLOG_TYPE_TX_VIRT_ADDR) {
A_UINT32 desc_id = (A_UINT32)
*((A_UINT32 *) (data + sizeof(pl_hdr)));
A_UINT32 desc_id = (A_UINT32) *((A_UINT32 *)(fw_data->data +
sizeof(pl_hdr)));
A_UINT32 vdev_id = desc_id;
/* if the pkt log msg is for the bcn frame the vdev id
@@ -532,8 +578,14 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
pl_hdr.size = (pl_hdr.size > sizeof(txctl_log.priv.txdesc_ctl))
? sizeof(txctl_log.priv.txdesc_ctl) :
pl_hdr.size;
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
qdf_mem_copy((void *)&txctl_log.priv.txdesc_ctl,
((void *)data + sizeof(struct ath_pktlog_hdr)),
((void *)fw_data->data +
sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
qdf_assert(txctl_log.txdesc_hdr_ctl);
qdf_mem_copy(txctl_log.txdesc_hdr_ctl, &txctl_log.priv,
@@ -552,7 +604,8 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
pktlog_getbuf(pl_dev, pl_info, log_size, &pl_hdr);
qdf_assert(txstat_log.ds_status);
qdf_mem_copy(txstat_log.ds_status,
((void *)data + sizeof(struct ath_pktlog_hdr)),
((void *)fw_data->data +
sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
cds_pkt_stats_to_logger_thread(&pl_hdr, NULL,
@@ -567,12 +620,14 @@ A_STATUS process_tx_info(struct cdp_pdev *txrx_pdev, void *data)
log_size = sizeof(pl_msdu_info.priv);
if (pl_dev->mt_pktlog_enabled == false)
fill_ieee80211_hdr_data(txrx_pdev, &pl_msdu_info, data);
fill_ieee80211_hdr_data(txrx_pdev,
&pl_msdu_info, fw_data->data);
pl_msdu_info.ath_msdu_info = pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
qdf_mem_copy((void *)&pl_msdu_info.priv.msdu_id_info,
((void *)data + sizeof(struct ath_pktlog_hdr)),
((void *)fw_data->data +
sizeof(struct ath_pktlog_hdr)),
sizeof(pl_msdu_info.priv.msdu_id_info));
qdf_mem_copy(pl_msdu_info.ath_msdu_info, &pl_msdu_info.priv,
sizeof(pl_msdu_info.priv));
@@ -643,6 +698,7 @@ A_STATUS process_rx_info_remote(void *pdev, void *data)
return A_OK;
}
#ifdef HELIUMPLUS
A_STATUS process_rx_info(void *pdev, void *data)
{
struct pktlog_dev_t *pl_dev = get_pktlog_handle();
@@ -651,19 +707,41 @@ A_STATUS process_rx_info(void *pdev, void *data)
struct ath_pktlog_hdr pl_hdr;
size_t log_size;
uint32_t *pl_tgt_hdr;
struct ol_fw_data *fw_data;
uint32_t len;
if (!pdev) {
printk("Invalid pdev in %s", __func__);
return A_ERROR;
}
pl_dev = ((struct ol_txrx_pdev_t *)pdev)->pl_dev;
if (!pl_dev) {
printk("Invalid pl_dev in %s", __func__);
return A_ERROR;
}
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MAC_ID_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_info = pl_dev->pl_info;
pl_tgt_hdr = (uint32_t *) data;
pl_tgt_hdr = (uint32_t *)fw_data->data;
qdf_mem_set(&pl_hdr, sizeof(pl_hdr), 0);
pl_hdr.flags = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_FLAGS_OFFSET) &
@@ -672,7 +750,6 @@ A_STATUS process_rx_info(void *pdev, void *data)
pl_hdr.missed_cnt = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MISSED_CNT_OFFSET) &
ATH_PKTLOG_HDR_MISSED_CNT_MASK) >>
ATH_PKTLOG_HDR_MISSED_CNT_SHIFT;
#ifdef HELIUMPLUS
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
@@ -680,32 +757,106 @@ A_STATUS process_rx_info(void *pdev, void *data)
ATH_PKTLOG_HDR_MAC_ID_MASK) >>
ATH_PKTLOG_HDR_MAC_ID_SHIFT;
pl_hdr.flags |= PKTLOG_HDR_SIZE_16;
#else
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
#endif
pl_hdr.size = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_SIZE_OFFSET) &
ATH_PKTLOG_HDR_SIZE_MASK) >> ATH_PKTLOG_HDR_SIZE_SHIFT;
pl_hdr.timestamp = *(pl_tgt_hdr + ATH_PKTLOG_HDR_TIMESTAMP_OFFSET);
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
log_size = pl_hdr.size;
rxstat_log.rx_desc = (void *)pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
qdf_mem_copy(rxstat_log.rx_desc,
(void *)data + sizeof(struct ath_pktlog_hdr), pl_hdr.size);
(void *)fw_data->data + sizeof(struct ath_pktlog_hdr),
pl_hdr.size);
cds_pkt_stats_to_logger_thread(&pl_hdr, NULL, rxstat_log.rx_desc);
return A_OK;
}
#else
A_STATUS process_rx_info(void *pdev, void *data)
{
struct pktlog_dev_t *pl_dev = get_pktlog_handle();
struct ath_pktlog_info *pl_info;
struct ath_pktlog_rx_info rxstat_log;
struct ath_pktlog_hdr pl_hdr;
size_t log_size;
uint32_t *pl_tgt_hdr;
struct ol_fw_data *fw_data;
uint32_t len;
if (!pdev) {
printk("Invalid pdev in %s", __func__);
return A_ERROR;
}
pl_dev = ((struct ol_txrx_pdev_t *)pdev)->pl_dev;
if (!pl_dev) {
printk("Invalid pl_dev in %s", __func__);
return A_ERROR;
}
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_info = pl_dev->pl_info;
pl_tgt_hdr = (uint32_t *)fw_data->data;
qdf_mem_set(&pl_hdr, sizeof(pl_hdr), 0);
pl_hdr.flags = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_FLAGS_OFFSET) &
ATH_PKTLOG_HDR_FLAGS_MASK) >>
ATH_PKTLOG_HDR_FLAGS_SHIFT;
pl_hdr.missed_cnt = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MISSED_CNT_OFFSET) &
ATH_PKTLOG_HDR_MISSED_CNT_MASK) >>
ATH_PKTLOG_HDR_MISSED_CNT_SHIFT;
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
pl_hdr.size = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_SIZE_OFFSET) &
ATH_PKTLOG_HDR_SIZE_MASK) >> ATH_PKTLOG_HDR_SIZE_SHIFT;
pl_hdr.timestamp = *(pl_tgt_hdr + ATH_PKTLOG_HDR_TIMESTAMP_OFFSET);
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
log_size = pl_hdr.size;
rxstat_log.rx_desc = (void *)pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
qdf_mem_copy(rxstat_log.rx_desc,
(void *)fw_data->data + sizeof(struct ath_pktlog_hdr),
pl_hdr.size);
cds_pkt_stats_to_logger_thread(&pl_hdr, NULL, rxstat_log.rx_desc);
return A_OK;
}
#endif
#ifdef HELIUMPLUS
A_STATUS process_rate_find(void *pdev, void *data)
{
struct pktlog_dev_t *pl_dev = get_pktlog_handle();
struct ath_pktlog_hdr pl_hdr;
struct ath_pktlog_info *pl_info;
size_t log_size;
uint32_t len;
struct ol_fw_data *fw_data;
/*
* Will be uncommented when the rate control find
@@ -720,7 +871,26 @@ A_STATUS process_rate_find(void *pdev, void *data)
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *) data;
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MAC_ID_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *)fw_data->data;
/*
* Makes the short words (16 bits) portable b/w little endian
* and big endian
@@ -733,7 +903,6 @@ A_STATUS process_rate_find(void *pdev, void *data)
pl_hdr.missed_cnt = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MISSED_CNT_OFFSET) &
ATH_PKTLOG_HDR_MISSED_CNT_MASK) >>
ATH_PKTLOG_HDR_MISSED_CNT_SHIFT;
#ifdef HELIUMPLUS
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
@@ -741,13 +910,6 @@ A_STATUS process_rate_find(void *pdev, void *data)
ATH_PKTLOG_HDR_MAC_ID_MASK) >>
ATH_PKTLOG_HDR_MAC_ID_SHIFT;
pl_hdr.flags |= PKTLOG_HDR_SIZE_16;
#else
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
#endif
pl_hdr.size = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_SIZE_OFFSET) &
ATH_PKTLOG_HDR_SIZE_MASK) >> ATH_PKTLOG_HDR_SIZE_SHIFT;
pl_hdr.timestamp = *(pl_tgt_hdr + ATH_PKTLOG_HDR_TIMESTAMP_OFFSET);
@@ -756,20 +918,104 @@ A_STATUS process_rate_find(void *pdev, void *data)
rcf_log.rcFind = (void *)pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
qdf_mem_copy(rcf_log.rcFind,
((char *)data + sizeof(struct ath_pktlog_hdr)),
((char *)fw_data->data + sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
cds_pkt_stats_to_logger_thread(&pl_hdr, NULL, rcf_log.rcFind);
return A_OK;
}
#else
A_STATUS process_rate_find(void *pdev, void *data)
{
struct pktlog_dev_t *pl_dev = get_pktlog_handle();
struct ath_pktlog_hdr pl_hdr;
struct ath_pktlog_info *pl_info;
size_t log_size;
uint32_t len;
struct ol_fw_data *fw_data;
/*
* Will be uncommented when the rate control find
* for pktlog is implemented in the firmware.
* Currently derived from the TX PPDU status
*/
struct ath_pktlog_rc_find rcf_log;
uint32_t *pl_tgt_hdr;
if (!pdev || !data || !pl_dev) {
qdf_print("%s: Invalid handle", __func__);
return A_ERROR;
}
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *)fw_data->data;
/*
* Makes the short words (16 bits) portable b/w little endian
* and big endian
*/
qdf_mem_set(&pl_hdr, sizeof(pl_hdr), 0);
pl_hdr.flags = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_FLAGS_OFFSET) &
ATH_PKTLOG_HDR_FLAGS_MASK) >>
ATH_PKTLOG_HDR_FLAGS_SHIFT;
pl_hdr.missed_cnt = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MISSED_CNT_OFFSET) &
ATH_PKTLOG_HDR_MISSED_CNT_MASK) >>
ATH_PKTLOG_HDR_MISSED_CNT_SHIFT;
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
pl_hdr.size = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_SIZE_OFFSET) &
ATH_PKTLOG_HDR_SIZE_MASK) >> ATH_PKTLOG_HDR_SIZE_SHIFT;
pl_hdr.timestamp = *(pl_tgt_hdr + ATH_PKTLOG_HDR_TIMESTAMP_OFFSET);
pl_info = pl_dev->pl_info;
log_size = pl_hdr.size;
rcf_log.rcFind = (void *)pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
qdf_mem_copy(rcf_log.rcFind,
((char *)fw_data->data + sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
cds_pkt_stats_to_logger_thread(&pl_hdr, NULL, rcf_log.rcFind);
return A_OK;
}
#endif
#ifdef HELIUMPLUS
A_STATUS process_sw_event(void *pdev, void *data)
{
struct pktlog_dev_t *pl_dev = get_pktlog_handle();
struct ath_pktlog_hdr pl_hdr;
struct ath_pktlog_info *pl_info;
size_t log_size;
uint32_t len;
struct ol_fw_data *fw_data;
/*
* Will be uncommented when the rate control find
@@ -792,8 +1038,26 @@ A_STATUS process_sw_event(void *pdev, void *data)
return A_ERROR;
}
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MAC_ID_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *) data;
pl_tgt_hdr = (uint32_t *)fw_data->data;
/*
* Makes the short words (16 bits) portable b/w little endian
* and big endian
@@ -804,40 +1068,115 @@ A_STATUS process_sw_event(void *pdev, void *data)
pl_hdr.missed_cnt = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MISSED_CNT_OFFSET) &
ATH_PKTLOG_HDR_MISSED_CNT_MASK) >>
ATH_PKTLOG_HDR_MISSED_CNT_SHIFT;
#ifdef HELIUMPLUS
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
pl_hdr.macId = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MAC_ID_OFFSET) &
ATH_PKTLOG_HDR_MAC_ID_MASK) >>
ATH_PKTLOG_HDR_MAC_ID_SHIFT;
#else
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
#endif
pl_hdr.size = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_SIZE_OFFSET) &
ATH_PKTLOG_HDR_SIZE_MASK) >> ATH_PKTLOG_HDR_SIZE_SHIFT;
pl_hdr.timestamp = *(pl_tgt_hdr + ATH_PKTLOG_HDR_TIMESTAMP_OFFSET);
#ifdef HELIUMPLUS
pl_hdr.type_specific_data =
*(pl_tgt_hdr + ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET);
#endif
pl_info = pl_dev->pl_info;
log_size = pl_hdr.size;
sw_event.sw_event = (void *)pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
qdf_mem_copy(sw_event.sw_event,
((char *)data + sizeof(struct ath_pktlog_hdr)),
((char *)fw_data->data + sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
return A_OK;
}
#else
A_STATUS process_sw_event(void *pdev, void *data)
{
struct pktlog_dev_t *pl_dev = get_pktlog_handle();
struct ath_pktlog_hdr pl_hdr;
struct ath_pktlog_info *pl_info;
size_t log_size;
uint32_t len;
struct ol_fw_data *fw_data;
/*
* Will be uncommented when the rate control find
* for pktlog is implemented in the firmware.
* Currently derived from the TX PPDU status
*/
struct ath_pktlog_sw_event sw_event;
uint32_t *pl_tgt_hdr;
if (!pdev) {
qdf_print("Invalid pdev in %s\n", __func__);
return A_ERROR;
}
if (!data) {
qdf_print("Invalid data in %s\n", __func__);
return A_ERROR;
}
if (!pl_dev) {
qdf_print("Invalid pl_dev in %s", __func__);
return A_ERROR;
}
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *)fw_data->data;
/*
* Makes the short words (16 bits) portable b/w little endian
* and big endian
*/
pl_hdr.flags = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_FLAGS_OFFSET) &
ATH_PKTLOG_HDR_FLAGS_MASK) >>
ATH_PKTLOG_HDR_FLAGS_SHIFT;
pl_hdr.missed_cnt = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MISSED_CNT_OFFSET) &
ATH_PKTLOG_HDR_MISSED_CNT_MASK) >>
ATH_PKTLOG_HDR_MISSED_CNT_SHIFT;
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
pl_hdr.size = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_SIZE_OFFSET) &
ATH_PKTLOG_HDR_SIZE_MASK) >> ATH_PKTLOG_HDR_SIZE_SHIFT;
pl_hdr.timestamp = *(pl_tgt_hdr + ATH_PKTLOG_HDR_TIMESTAMP_OFFSET);
pl_info = pl_dev->pl_info;
log_size = pl_hdr.size;
sw_event.sw_event = (void *)pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
qdf_mem_copy(sw_event.sw_event,
((char *)fw_data->data + sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
return A_OK;
}
#endif
#ifdef HELIUMPLUS
A_STATUS process_rate_update(void *pdev, void *data)
{
struct pktlog_dev_t *pl_dev = get_pktlog_handle();
@@ -846,13 +1185,34 @@ A_STATUS process_rate_update(void *pdev, void *data)
struct ath_pktlog_info *pl_info;
struct ath_pktlog_rc_update rcu_log;
uint32_t *pl_tgt_hdr;
struct ol_fw_data *fw_data;
uint32_t len;
if (!pdev || !data || !pl_dev) {
qdf_print("%s: Invalid handle", __func__);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *) data;
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MAC_ID_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *)fw_data->data;
/*
* Makes the short words (16 bits) portable b/w little endian
* and big endian
@@ -864,7 +1224,6 @@ A_STATUS process_rate_update(void *pdev, void *data)
pl_hdr.missed_cnt = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MISSED_CNT_OFFSET) &
ATH_PKTLOG_HDR_MISSED_CNT_MASK) >>
ATH_PKTLOG_HDR_MISSED_CNT_SHIFT;
#ifdef HELIUMPLUS
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
@@ -872,12 +1231,6 @@ A_STATUS process_rate_update(void *pdev, void *data)
ATH_PKTLOG_HDR_MAC_ID_MASK) >>
ATH_PKTLOG_HDR_MAC_ID_SHIFT;
pl_hdr.flags |= PKTLOG_HDR_SIZE_16;
#else
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
#endif
pl_hdr.size = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_SIZE_OFFSET) &
ATH_PKTLOG_HDR_SIZE_MASK) >> ATH_PKTLOG_HDR_SIZE_SHIFT;
pl_hdr.timestamp = *(pl_tgt_hdr + ATH_PKTLOG_HDR_TIMESTAMP_OFFSET);
@@ -891,12 +1244,93 @@ A_STATUS process_rate_update(void *pdev, void *data)
*/
rcu_log.txRateCtrl = (void *)pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
qdf_mem_copy(rcu_log.txRateCtrl,
((char *)data + sizeof(struct ath_pktlog_hdr)),
((char *)fw_data->data +
sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
cds_pkt_stats_to_logger_thread(&pl_hdr, NULL, rcu_log.txRateCtrl);
return A_OK;
}
#else
A_STATUS process_rate_update(void *pdev, void *data)
{
struct pktlog_dev_t *pl_dev = get_pktlog_handle();
struct ath_pktlog_hdr pl_hdr;
size_t log_size;
struct ath_pktlog_info *pl_info;
struct ath_pktlog_rc_update rcu_log;
uint32_t *pl_tgt_hdr;
struct ol_fw_data *fw_data;
uint32_t len;
if (!pdev || !data || !pl_dev) {
qdf_print("%s: Invalid handle", __func__);
return A_ERROR;
}
fw_data = (struct ol_fw_data *)data;
len = fw_data->len;
if (len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_FLAGS_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_MISSED_CNT_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_LOG_TYPE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_SIZE_OFFSET + 1)) ||
len < (sizeof(uint32_t) *
(ATH_PKTLOG_HDR_TYPE_SPECIFIC_DATA_OFFSET + 1))) {
qdf_print("Invalid msdu len in %s\n", __func__);
qdf_assert(0);
return A_ERROR;
}
pl_tgt_hdr = (uint32_t *)fw_data->data;
/*
* Makes the short words (16 bits) portable b/w little endian
* and big endian
*/
qdf_mem_set(&pl_hdr, sizeof(pl_hdr), 0);
pl_hdr.flags = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_FLAGS_OFFSET) &
ATH_PKTLOG_HDR_FLAGS_MASK) >>
ATH_PKTLOG_HDR_FLAGS_SHIFT;
pl_hdr.missed_cnt = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_MISSED_CNT_OFFSET) &
ATH_PKTLOG_HDR_MISSED_CNT_MASK) >>
ATH_PKTLOG_HDR_MISSED_CNT_SHIFT;
pl_hdr.log_type = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_LOG_TYPE_OFFSET) &
ATH_PKTLOG_HDR_LOG_TYPE_MASK) >>
ATH_PKTLOG_HDR_LOG_TYPE_SHIFT;
pl_hdr.size = (*(pl_tgt_hdr + ATH_PKTLOG_HDR_SIZE_OFFSET) &
ATH_PKTLOG_HDR_SIZE_MASK) >> ATH_PKTLOG_HDR_SIZE_SHIFT;
pl_hdr.timestamp = *(pl_tgt_hdr + ATH_PKTLOG_HDR_TIMESTAMP_OFFSET);
log_size = pl_hdr.size;
pl_info = pl_dev->pl_info;
/*
* Will be uncommented when the rate control update
* for pktlog is implemented in the firmware.
* Currently derived from the TX PPDU status
*/
rcu_log.txRateCtrl = (void *)pktlog_getbuf(pl_dev, pl_info,
log_size, &pl_hdr);
if (sizeof(struct ath_pktlog_hdr) + pl_hdr.size > len) {
qdf_assert(0);
return A_ERROR;
}
qdf_mem_copy(rcu_log.txRateCtrl,
((char *)fw_data->data +
sizeof(struct ath_pktlog_hdr)),
pl_hdr.size);
cds_pkt_stats_to_logger_thread(&pl_hdr, NULL, rcu_log.txRateCtrl);
return A_OK;
}
#endif
#ifdef QCA_WIFI_QCA6290
int process_rx_desc_remote(void *pdev, void *data)
{