Race condition is observed as dp_ipa_rx_intrabss_fwd is
accessing da_peer after releasing the ref count of the peer
while that peer is deleted parallelly.
To fix this, da_peer and sa_peer are only assigned if the
peers are found in the vdev.
Change-Id: Ib03835a509d656eb11946c075b820555b04934f8
CRs-Fixed: 2723448
Ths issue scenario is that valid peer is fetched from
peer_id in dp_rx_process and peer ref count is released
prior to invoking dp_rx_deliver_to_stack. In parallel,
the peer is freed in a different context. This results in
use after free within dp_rx_check_delivery_to_stack since
stale peer is dereferenced to update stats.
Fix is to decrement peer ref cnt after dp_rx_deliver_to_stack
Change-Id: I145247f7795f926faba66c05927fdae0599f0cad
CRs-Fixed: 2720396
Currently, mcopy mode delivers first msdu per-ppdu to upper layer,
add support for Extended mcopy mode to deliver first
msdu per-MPDU.
Change-Id: I8f3f7fb023e9d9140d0be31520d34103a3505ebb
CRs-Fixed: 2701514
Move the srng history to hif context.
Process the monitor ring only for the lmac
corresponding to the configured monitor channel.
Add the timer and srng history for monitor mode.
Change-Id: I4e5e49ad5e657b55bfafbb40ef5f59496277cb40
CRs-Fixed: 2690530
Adding support for enabling ini config to remap reo destination rings
for HK v1, HK v2, maple and pine platforms.
Change-Id: Id9d304521f32497e3acd845ddd2973b96b641516
Current dp_tx_desc structure size is 136 bytes,
re-arranged the fields to fit in exactly 128 bytes to
align with number of descriptor per page and page offset
bit maps
Also add a compilation assert on tx desc size
Change-Id: Ifcb18a9da637cb71c0427b56ad4054d2206ddfbb
The DMA Map/Unmap was restricted to buffer size in rx process.
But the Unmap API was not changed when free nbuf in rx desc,
apply the new unmap API.
Change-Id: Id10d746776aa9e41ef3425e166ba0207851358d6
CRs-Fixed: 2716690
Fix static analysis issue of rx_refill_buf_ring buffer overflow.
rx_refill_buf_ring length is different for WIN/MCL. For MCL length is 1,
WIN is 3. So rx_refill_buf_ring should always use index pdev->lmac_id to
replenish rx buffer for different MACs under MCL.
Change-Id: I00af069c09c01a81ae4aa54bad5beb79dc6fcff5
CRs-Fixed: 2703683
Race Condition is observed as tx_comp_handler is
accessing vdev pointer while its getting freed up
parallelly.
To fix this, peer value is checked before accessing vdev.
If peer is null, vdev is not accessed and the function is
returned.
Change-Id: I05c93c54e2dbb3f40c5c053591d2d66c6143f656
CRs-Fixed: 2708390
Currently there is a single INI item tcp_udp_checksumoffload to enable
or disable this feature for all the adapters. In some cases, we want to
be able to enable this feature selectively for NAN mode.
Add nan_tcp_udp_checksumoffload ini item to enable or disable checksum
offload feature specifically for NAN mode. If
nan_tcp_udp_checksumoffload is 'true' and tcp_udp_checksumoffload is
false, hardware checksum offload will be enabled only for the NAN
adapter and not for other adapters.
CRs-Fixed: 2693638
Change-Id: I6e255ce68ddc7b01ebdefe4e5e8d2c985388fefe
The issue sceanrio is as follows:
1) Packets are received in the rx exception ring and the
rx_descs processed are put into the pdev rx_desc freelist.
2) In the buffers replenish path, the above pdev rx_desc
freelist, on nbuf allocation or map error, is moved to the
soc rx_desc_pool freelist. The tail of the pdev rx_desc
freelist is set to NULL but not the head.
3) On receiving packets in the rx exception ring post above,
the new rx_desc are added to the pdev rx_desc freelist but
since the head of the list was not NULL prior to this, the
tail of the new list will have its next pointing to the
previous stale rx_desc list which is already moved to the soc
rx_desc_pool list.
4) In the replenish path, the buffers would be replenished
till tail of the new list but the desc_list would point
to the same aforementioned stale rx_desc list instead of NULL.
So even though replenish is successful, the desc_list check to
add the list back to soc rx_desc_pool freelist would be true.
This would cause next pointer of the tail and in effect the nbuf
pointer of the rx_desc pointed by tail to get updated.
5) On receiving the rx_desc mentioned in the previous step, nbuf
sanity check fails since nbuf address is pointing to another
rx_desc.
Fix is to set the local_desc_list also to NULL in
dp_rx_add_desc_list_to_free_list.
Change-Id: I984a4c122592547492b9d9625a71c0a90142b442
CRs-Fixed: 2704771
Add logs in driver to log current memory footprint
in init functions. Add wlan_mem_stats to sysfs node
in both perf and defconfig builds.
The stats are included under MCL feature
DCONFIG_WLAN_SYSFS_MEM_STATS.
Change-Id: I79c6d418a5762cddf52ab3bc0b0c93993fa7fd84
CRs-Fixed: 2635192
Update connectivity related tx_host_fw_sent and
tx_ack_count stats on tx completion.
Change-Id: Id0143d934379d8831c58160aa357817c05fcbc71
CRs-Fixed: 2657703
Peer ref count incremented in dp_request_rx_hw_stats
is not decremented back in case of error scenarios
resulting in possible ref leak and failure in peer
deletion.
Fix is to invoke dp_peer_unref_delete for error
scenarios in dp_request_rx_hw_stats error.
Change-Id: I81ecf60a97ff5c804445fd713ed779c478df8521
CRs-Fixed: 2706596
The DMA Map/UnMap was restricted to buffer size in rx process.
But the Map/UnMap API was not changed in rx error process, apply
this change in the rx error data path. So that there will be no
paging request error when rx data error happen.
Change-Id: I690e902ef5c05f216b2eb87de977fd0b45ecadab
CRs-Fixed: 2702369
In monitor mode buffer replenish ring is accessed without
getting initialized for configuring low threshold value.
Add check to avoid uninitialized srng pointer access.
Change-Id: If5dc98d4c1db939ef762749392ec42d46a4ae1f3
CRs-Fixed: 2704586
Configure low threshold for monitor ring only when monitor
vap is created. This is needed to avoid spurious low threshold
interrupts on monitor ring since the low threshold condition always
evaluates to true.
Change-Id: I452c0ada84e0a4f18e410c865d8a6a7f50329aef
In DP while handling ppdu stats, we call qdf_nbuf_put_tail
and proceed with updating the nbuf data whithout a check on
the return status of qdf_nbuf_put_tail.
If the qdf_nbuf_put_tail API failed, would free the nbuf
and subsequent updates to the nbuf would result in use
after free, which is resulting in memory corruption.
Add check to verify the return status of qdf_nbuf_put_tail
and proceed accordingly.
Also while updating the ppdu stats, ensure the num of users
of ppdu is checked against the max number of users defined.
CRs-Fixed: 2678258
Change-Id: I00b661fdb342d31563506f93abd63673af8ede55
Configure the client as isolated peer if part of isolation
list while creating/associating the node or adding the peer
to the isolation list.
Do not forward the packets to and from clients in isolation
list instead accelerate to upper stack.
CRs-Fixed: 2689868
Change-Id: I67fd4dee0fb76c993746cdd66c70c241d407239a
The packet tx complete status from wlan fw define in htt_tx_status
doesn't match with packet trace feature used in qdf_dp_tx_rx_status,
Meanwhile A_STATUS also doesn't convert to correct qdf_dp_tx_rx_status,
so add two according APIs to fix it
Change-Id: Ic250175dd270632f40af14ad9499ddcafbb3033b
Set OL_TXRX_NUM_LOCAL_PEER_IDS to WLAN_MAX_CLIENTS_ALLOWED
if WLAN_MAX_CLIENTS_ALLOWED is defined.
Change-Id: Ifb5c6ab15e791f92aa8503537e624195cf3fad6d
CRs-Fixed: 2694492
Due to changes in datapath init/deinit path, mon_lock spinlock was not
getting created. Create mon_lock spinlock during
dp_rx_pdev_mon_cmn_desc_pool_init.
Add null check to validate rx_tlv_header before calling
hal_rx_mpdu_start_tlv_tag_valid.
Change-Id: I41c781de29f2c8c05ec1bfa90f9c8f742f2539bf
CRs-Fixed: 2693687
In lithium a peer will have only single peer_id hence remove
peer_ids array from dp_peer structure
Change-Id: Ib98270b7fd98f1199b862e4608f990687914b7cc
dp_srng_setup was split into dp_srng_alloc and
dp_srng_init as part of lithium DP init and de
init improvements but the debug prints remain
unchanged
Rectify mistakes in debug prints accordingly
to match dp_srng_alloc or dp_srng_init
CRs-Fixed: 2696952
Change-Id: If6c41ffe80006852f9ac308ce65ceee69736fcb9
Currently computation of Rx rate depends on SU MCS
and SU NSS for SU PPDU. For SU PPDU, incorrect SU NSS leads to
incorrect computation of Rx rate.
To fix this, use respective PPDU information(MCS and NSS) and
calculate Rx rate based on proper SU NSS.
Change-Id: I754a7ecd57ec02d33f211937b7ffd025278d1e05
CRs-Fixed: 2668760
For AC based TX flow control, when try to do TX desc pool
reattach, currently even if TX desc pool avail_desc count
> BE_BK start threshold, it still mark pool status as
FLOW_POOL_ACTIVE_PAUSED.
Set correct pool status to FLOW_POOL_ACTIVE_UNPAUSED.
Change-Id: I6b675ffd71a2233ac23efbd6df2c235313f59cba
CRs-Fixed: 2687728
Make the monitor ring low threshold to half of that of
MON_BUF_MIN_ENTRIES. This is needed so that spurious interrupts
because of reaching low threshold is avoided.
Change-Id: Idfc5dda2e96ad69bf35c3ab4f5cf81931104504e
Currently when the last tx descriptor in any descriptor
pool is freed, it will also free that particular tx
descriptor pool. But before freeing the tx descriptor
pool, the pool is not marked as inactive.
Due to this, the next time when the tx descriptor pool
is tried to be allocated, since its not inactive, the same
pool is reattached, but without any memory allocated.
Deinitialize the tx desc pool before freeing it, to make
sure that the tx descriptor pool status is marked as
inactive when the decriptor pool memory is freed.
Change-Id: I52d792d115d215561c72f203abef6d327d126c01
CRs-Fixed: 2680397
Tx desc flow pool for the vdev is not deleted as part
of disconnection due to tx_desc pending to be processed
in tx comp ring. Hdd_stop is triggered immediately after
this causing dp vdev detach. In parallel, the tx desc
from the tx comp ring is processed, wherein stale vdev
address is derefernced to get dp soc causing page fault.
Fix is to reset tx desc by setting the vdev to NULL as
part of dp_tx_delete_flow_pool and also reset count to
zero in dp_tx_comp_handler before ring desc process loop.
Change-Id: I66f718668ba84f89106d09e624d9593f89479e55
CRs-Fixed: 2683874
In dp_vdev_detach_wifi3(), the vdev_id_map[vdev_id] set to
null is happened before dp_rx_vdev_detach(). but the call back
done by dp_rx_vdev_detach still need to get the vdev pointer by
vdev_id, it will return NULL by current logic.
Move vdev_id_map[vdev_id] null setting after dp_rx_vdev_detach().
Change-Id: Ibaf506cfef83d68a21033e67395c37f53aeb4489
CRs-Fixed: 2681712
FISA RX aggregation is not necessary for non-regular RX delivery
as it requires extra FISA flush and also may impact regular
dp_rx_process() RX FISA aggregation.
Add exception frame flag for non-regular RX delivery, so that
FISA path can identify this frame and bypass FISA RX.
Change-Id: Ic06cb72b516221754b124a673ab6c4f392947897
CRs-Fixed: 2680255
Add debug info support for rx descriptors to log
the caller func name and timestamp in replenish
and free scenario.
Change-Id: I1d9b855d14f705094f241bae653f33a94d0e39b7
CRs-Fixed: 2677288
Added support to configure TSO and REO descriptors as part
of new datapath init-deint enhancement for ipq5018 target.
Change-Id: Ic6878dafa99cb09d6e45cf2d69de76cac0fe35c1
Soc level exception descriptors limit is sent from FW in WMI service
ready TLV. Using that to check for exception packets limit
Change-Id: I99d20ecbb6a5bfd61b5a8a205775d34749eae880
In dp_peer_teardown avoid setting the delete in progress
flag only for AP bss peer
For STA bss peer as CP always allocated new peer for peer_create
set delete in progress in teardown
Change-Id: Id769678895a0953e731ce040399af7bddd4c373d
With the init/de-init FR we set the minimum buffers
needed in monitor buffer ring to be 8, because the low
threshold by FW is set to 32 the MPDU TLVs are not DMA'd
to monitor status ring, this resulted in NAC feature
regressed. hence changing it from 8 to 64
Change-Id: Id39dce59686b7416bdc6156798ff7f948dff8da6
CRs-Fixed: 2683633
Move the ppdu_user_desc assignments in all tx capture
before peer checks. FW sends the peer_id which is not
valid in host, so this check is needed to not
miss the sequence number in this scenario.
Change-Id: I24305ae8f8f1964157ca61b8687fe72e76cde5ca
CRs-Fixed: 2626247
In case of driver unload, there can be a race condition
since the timer for processing monitor status ring can run
in parallel to the unload time wow ack response handler,
which is also flushing all the monitor status ring entries.
To avoid this race condition, stop the monitor reap timer
as a part of target suspend, and process all the outstanding
entries in the montior status ring.
This will make sure that the monitor status ring is
processed from only one context at any given time.
Change-Id: If61327c73fdddc414b3957b69ae986f2a26bb803
CRs-Fixed: 2677812
