Phy_id value in reg_process_master_chan_list comes directly from firmware.
Therefore, check for OOB value for phy_id.
Change-Id: I0b634e2630c4d6e5d4a15a86953e7a0ed3df6f47
CRs-Fixed: 2327711
In extract_reg_11d_new_country_event_tlv(), the
reg_11d_country_event->new_alpha2 buffer from the original WMI
message is copied into reg_11d_country->alpha2. This will only copy
REG_ALPHA2_LEN bytes into a buffer that is REG_ALPHA2_LEN + 1 bytes.
Then the reg_11d_country->alpha2 buffer is printed as a string.
Because the original reg_11d_new_country structure in
tgt_reg_11d_new_cc_handler() was allocated on the stack and
not initialized, there is no guarantee that the buffer is
NULL terminated. Due to this the WMI_LOGD() call will result in
an OOB issue when printing the buffer.
Change-Id: I20b0044974438d95e4c09f843db2a7f369c9b85d
CRs-Fixed: 2327718
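
The failure mode this commit message describes, as an added example (not code from the driver or the commit): copying REG_ALPHA2_LEN bytes into a garbage-filled REG_ALPHA2_LEN + 1 byte buffer leaves no terminator, and writing one explicitly is one way to make the later string print safe. The struct and function names, the value 2 for REG_ALPHA2_LEN, and the 0xAA fill standing in for uninitialized stack memory are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define REG_ALPHA2_LEN 2   /* assumed value; the page only names the macro */

/* Hypothetical stand-ins for the WMI event and the host-side structure. */
struct fw_11d_event { unsigned char new_alpha2[4]; };
struct host_11d_country { char alpha2[REG_ALPHA2_LEN + 1]; };

/* Pattern described in the message: copy the country bytes and nothing
 * else, so alpha2[REG_ALPHA2_LEN] keeps whatever the stack held. */
static void extract_unterminated(const struct fw_11d_event *ev,
                                 struct host_11d_country *out)
{
    memcpy(out->alpha2, ev->new_alpha2, REG_ALPHA2_LEN);
}

/* Hardened: same copy plus an explicit terminator, so the result is a
 * valid C string however the caller allocated 'out'. */
static void extract_terminated(const struct fw_11d_event *ev,
                               struct host_11d_country *out)
{
    memcpy(out->alpha2, ev->new_alpha2, REG_ALPHA2_LEN);
    out->alpha2[REG_ALPHA2_LEN] = '\0';
}

/* Returns 1 if a NUL lies inside the buffer, i.e. "%s" stays in bounds. */
static int is_terminated(const struct host_11d_country *c)
{
    return memchr(c->alpha2, '\0', sizeof(c->alpha2)) != NULL;
}

/* Runs one extractor on a struct pre-filled with 0xAA (constructed
 * stand-in for an uninitialized stack allocation). */
static int run_case(int hardened)
{
    struct fw_11d_event ev = { { 'U', 'S', 0xAA, 0xAA } };  /* constructed */
    struct host_11d_country c;

    memset(&c, 0xAA, sizeof(c));
    if (hardened)
        extract_terminated(&ev, &c);
    else
        extract_unterminated(&ev, &c);
    return is_terminated(&c);
}

int main(void) { return !(run_case(0) == 0 && run_case(1) == 1); }
```
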
The default log level for Object Manager is set to QDF_TRACE_LEVEL_FATAL.
However the prints in the leak detection APIs of the objects
are printing with log level QDF_TRACE_LEVEL_ERROR.
So to be able to dump the logs in case of leaks detected
for any pobjects, we are changing the log level to
QDF_TRACE_LEVEL_FATAL in the leak detection APIs.
Change-Id: I203865390b910176686b5096fa951879c513d7b8
CRs-Fixed: 2331074
Tx descriptors that belong to a particular vdev are released in
vdev detach path. Since DP soc is not detached yet, interrupts
are not disabled, so it is possible that host gets completions
for same tx descriptor and it tries to process it again.
Add a check for vdev in tx completion path to avoid duplicate
processing of tx descriptors.
Change-Id: I5a62ef4d981dbfd0a5ca7483acf4270145d016be
In rx defrag reo inject frame, when the next hop and cached tail pointer
become equal, the src ring next entry desc returned will be NULL. There
is no NULL check and the NULL pointer is dereferenced. In this change,
add a NULL check and return an error status when the next entry desc is
NULL.
Change-Id: I79ca6ba6e6501f03c0c5d188780745b6931102fe
CRs-Fixed: 2318701
In noisy environments with monitor mode enabled, RXDMA2SW
ring is getting filled with bursts of dummy indications,
which were added as part of a WAR to handle RXDMA issue
with error indications received in monitor path. These
indications won't consume any real buffers, but are causing
ring full assertion failure due to smaller ring size.
This change increases max ring size, and the actual ring
size comes from ini file.
Change-Id: Icb7f08ab0757cb5b6ac7c1aee8e04f200ed4a1bd
In the call to QDF_TRACE_HEX_DUMP in extract_ndp_confirm_tlv(),
the buffer event->ndp_cfg is dereferenced an additional time,
and then the length number of bytes is read in hex_dump_to_buffer,
resulting in an OOB read.
As WMI logging is already enabled, remove the hex dump.
Change-Id: I6a866e87dd80f3e41cf3c699ff4846416d309cf3
CRs-Fixed: 2326012
Make policy_mgr_set_pcl_for_existing_combo a public API.
Move policy_mgr_pdev_set_pcl to the policy manager internal header file.
Change-Id: I6ef45fb34c4bc4bc0c07cad6f546a777922fde9d
CRs-Fixed: 2331254
Compiler throws no previous prototype build error for cpuhp
on UP system.
Fix is to add static inline for UP build.
Change-Id: Ib867a19ac526b44766a8cbb1838e7e5b2b18b4b1
CRs-Fixed: 2328927
1. Address out of bounds array access while
populating mcs rates.
2. Use cdp_sec_type enum in place of htt_sec_type
for common code.
Change-Id: I0ae1e0acaf7422e73dc26befc9f066f3f424ec6b
CRs-Fixed: 2327153
Add the basic infra for legacy DP CFG items and the APIs to be used from
other components.
Change-Id: Iec1718f0a93fcb91061892b96ae6ae88174df9ee
CRs-Fixed: 2328481
* Move dfs DA files to a DA specific directory.
The new DA specific directory will be under a new git root.
* DA:- Direct Attach.
Change-Id: I413d736d60a071374baf45ca6b13c793ab8dcbfd
CRs-Fixed: 2305115
* Move spectral DA files to a DA specific directory.
The new DA specific directory will be under a new git root.
* DA:- Direct Attach
Change-Id: Ifd1325bd822015a894ff2a67ed4b53dae24e4a28
In addition to the other nbuf history events, track allocation failures.
This allows root causing issues due to nbuf exhaustion.
Change-Id: Ia0bbc6f12d26e32fcdb4cf7d0efef328417436ce
CRs-Fixed: 2329461
When second segment bangradar is issued, the primary channels are
added to NOL. During preCAC, when a bangradar or real radar is injected in
the second segment, no channels are added to NOL.
dfs_seg_id is updated by enhanced bangradar even when the command is not
issued. During preCAC, the second segment frequency stored in current
channel is invalid and it is stored in dfs itself.
Correct the condition for enhanced bangradar command. Update dfs_seg_id and
radar found segment id. Move the portion of code that update radar_found
parameters when enhanced bangradar command is issued. This portion checks
for radar found segment id that would not have been updated yet. Use proper
second segment frequency to add to NOL during preCAC.
Change-Id: I5e1f1004b45bc30b5da7bfa174a5c03bdea4fa71
CRs-Fixed: 2303458
So far, only HE_TRIG packet type parsing is supported for TB-PPDU
(OFDMA UL) frames, which is not enough for plugfest tests. Add all
radiotap dissecting from HE Data 1 to HE Data 6.
CRs-Fixed: 2316408
Change-Id: I49d91d4981291827b20f325d459fd1e60f3cc271
Add a helper function for txrx_stats
to display all the statistics
supported for Lithium based products.
Change-Id: Ieb2d088274dfcc8e9ffc6ac34638404f0d4b2eba
CRs-Fixed: 2327066
hif_runtime_p_put was mistakenly added at two places on the
TX completion path due to a merge issue. Revert the additional call at
dp_tx_comp_handler.
Change-Id: I26a0a9188a490d60e050adbd7ba04e88e213c0b9
CRs-Fixed: 2329466
In dp_get_vdev_from_soc_vdev_id_wifi3 add vdev list lock
while traversing through pdev->vdev_list
Change-Id: I24652a7a65247625b3a6da092476287bf8560e1b
CRs-fixed: 2323655
DA based port learning is not required for HKv2 as
this issue is fixed in HKv2 Hardware
CRs-Fixed: 2329920
Change-Id: If006ce8fe5eb5d7e26ba4d30fd1d9cd43d5da480
Fix out of bound array access for operating_channel[] in
__policy_mgr_check_sta_ap_concurrent_ch_intf.
Change-Id: I3945d2fd5b1e3d02a9e827ba4a907b48b4170fd2
CRs-Fixed: 2329332
Add validation code to make sure wifi_pos_send_rsp
function pointer is not null.
Change-Id: I6761f5065b1a49855afac2691523c41bcf383b2b
CRs-Fixed: 2329346
Add new qdf API: qdf_is_recovering and
qdf_register_recovering_state_query_callback.
Client driver will register the state query callback
to common driver to report the recovering state.
Regulatory skips the chanlist update event during SSR
to keep the current regulatory setting.
Change-Id: I58e503cce162a0351d566148c1897a5012889c62
CRs-Fixed: 2321820
Write a datapath function to compute total PER value and corresponding CDP
interface to get the calculated value.
Change-Id: I1c7feaf48c55689817b83185a4e6d4b8622e51c0
CRs-Fixed: 2308044
Add function to return a pointer pointing to Mobility Domain IE
of a scan entry.
Change-Id: I61254bfc3de117a2d7cfb187665ac228c9ea383e
CRs-Fixed: 2311319
Add Gen3 Spectral host WAR to remove NULL FFT bins for report mode (1)
in which only summary of metrics for each completed FFT + spectral
scan summary report are to be provided. This would be required on some
Gen3 chipsets (starting with IPQ8074) under the following
circumstances: In report mode 1, HW reports a length corresponding to
all bins, and provides bins with value 0. This is because the
subsystem arranging for the FFT information does not arrange for DMA
of FFT bin values (as expected), but cannot arrange for a smaller
length to be reported by HW. In these circumstances, the host driver
would have to disregard the NULL bins and report a bin count of 0 to
higher layers.
Change-Id: If5fb72805dc80ada0ab617b4b1c2cc9ea497bcf8
CRs-Fixed: 2300251
Bufp and buf_len are populated in extract_comb_phyerr_tlv
without validating the buf_len which can cause possible
out of bound access in dfs_phyerr_event_handler.
Fix is to validate the buf_len against num_bufp in param_tlvs.
Change-Id: I95e18d7600f8419f31e768fcc18c3024fe37b7db
CRs-Fixed: 2321371
While handling WMI_GTK_OFFLOAD_STATUS_EVENTID, QDF_BUG()
can occur in pmo_tgt_gtk_rsp_evt->pmo_psoc_get_vdev if
vdev_id is out of range, as the value comes directly from
WLAN FW and can be outside the trust boundary.
Add a sanity check for the vdev id once the parameter is received
from WLAN FW.
Change-Id: I335df52fece39c1a51a556ba4678bd43f470673a
CRs-Fixed: 2321523
With the HKv1 WAR to handle DBDC backhaul SON cases, an AST
entry for the same mac can exist on different radios. Added
CDP APIs to support the same.
Change-Id: I374b8af3fe5e34f62eeb5b09819e331fdeda602a
We are adding AST entry to ast_table from
dp_rx_mcast_echo_check in STA mode as in STA mode
we will not get the peer map event.
Find the AST entry from the peer ast list to get the ast entry
added in host for that particular peer, as in QWRAP
mode there can exist multiple peers with the same mac address
and corresponding AST entries will be added.
Change-Id: Ia75f88c03c4d0eba0edbebf8e8f40d41396543d5
CRs-fixed: 2307540
Add host WMI support for EAPOL minrate resource configuration.
Through the use of the global.ini configuration parameters
eapol_minrate_set and eapol_minrate_ac_set, the user can set EAPOL
frames to be sent in minimum rate in tunnel mode. In addition to
this, the user can also select between the 4 ACs (BE, BK, VI, VO)
to send the EAPOL frames.
The changes are reflected in the target resource config which
is sent to the firmware.
Change-Id: Ib9a264b64305bf43708c3c2af3ff254b6cc28477
CRs-Fixed: 2298020
Because of a HW issue we no longer get the MAC address in
the MEC event notifier. As a WAR we will now read the
source MAC address from the nbuf data instead of the status word.
CRs-Fixed: 2324772
Change-Id: Iab8dc346b9a2108e4cb107fb61d242700a084223
Update WMI_NDL_SCHEDULE_UPDATE_EVENTID handling for possible out
of bounds read when fixed_params->num_channels is greater than
TLV length of NDL channel list or NSS list and
fixed_params->num_ndp_instances is greater than TLV length of NDP
Instance list.
Change-Id: Idbd74e30868597c9787095372516b7d7dd12481b
CRs-fixed: 2327673
Update handling of WMI_NDP_CONFIRM_EVENTID for possible out of
bounds read when fixed_params->num_ndp_channels is greater than
TLV length of NDP channel list or NSS list.
Change-Id: I3bf429a47c46edbb464cf8447f227f7baa74fbe3
CRs-fixed: 2325849
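
The check that the NDL schedule update and NDP confirm fixes above call for, which has the same shape as the earlier buf_len against num_bufp validation, as an added example (not the driver's code): a count taken from firmware-written fixed params is accepted only if the TLV actually received holds that many elements. All struct, field and function names other than num_channels are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

#define MAX_CHANNELS 8   /* hypothetical host-side capacity */

/* Hypothetical shape of a parsed event: a fixed-params header written by
 * firmware plus an array whose element count the TLV parser derived from
 * the TLV length actually present in the message. */
struct fixed_params { uint32_t num_channels; };
struct parsed_event {
    const struct fixed_params *fixed;
    const uint32_t *channel_list;   /* TLV payload */
    uint32_t num_channel_list;      /* elements really in the TLV */
};

/* Copies the channels into 'out'. Returns the count copied, or -1 when the
 * firmware-claimed count exceeds the TLV length or the host capacity. */
static int extract_channels(const struct parsed_event *ev,
                            uint32_t out[MAX_CHANNELS])
{
    uint32_t n, i;

    if (!ev || !ev->fixed || !ev->channel_list)
        return -1;
    n = ev->fixed->num_channels;
    if (n > ev->num_channel_list || n > MAX_CHANNELS)
        return -1;      /* claimed count is not backed by received data */
    for (i = 0; i < n; i++)
        out[i] = ev->channel_list[i];
    return (int)n;
}

/* Constructed sample: three channels received, firmware claims 'claimed'. */
static int run_sample(uint32_t claimed)
{
    static const uint32_t chans[3] = { 2412, 2437, 5180 };
    struct fixed_params fp = { claimed };
    struct parsed_event ev = { &fp, chans, 3 };
    uint32_t out[MAX_CHANNELS];

    return extract_channels(&ev, out);
}

int main(void) { return !(run_sample(3) == 3 && run_sample(4) == -1); }
```
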
NDP ids copied from NDP instance id array for NDP
end request does not use nla_data to copy the ids
resulting in incorrect data getting copied.
Fix is to use nla_data for NDP instance id array to
copy the ids.
Change-Id: I74795367a5c5a57f42cb1a67ece9cebfeb259b71
CRs-Fixed: 2328245
In macro TAILQ_FOREACH_SAFE, var and tvar point to current head and the
next element respectively. If we unlock the spinlock inside the for loop
and then lock it again, there is a chance (race) that the next element is
pointed to by another thread of execution and both of them may try to
remove the same element at the same time. This may lead to panic.
Instead of using TAILQ_FOREACH_SAFE macro remove the element from the list
one by one using a while loop from the head of the list. Do not lock the
entire while loop, instead lock only during the removal of element from the
list.
This is required because we want to wait for the dfs_remove_from_nol timer
to complete. But the wait should not be done from inside the lock because
the same lock is used by the dfs_remove_from_nol timer.
Change-Id: If820dbb1789b7fcfc33c133b3f90968377bfbf3c
CRs-Fixed: 2322831
In preparation for QDF timer tracking, return QDF_STATUS from
qdf_timer_init(). This allows callers to handle the eventual possibility
of a QDF timer init failure.
Change-Id: I9da4643610099d32b002bda9218af26247a4edc6
CRs-Fixed: 2327724