The current limits of DP RX packet drop thresholds are huge.
In scenarios where the processing of RX packets is slow, a huge
number of packets will be held in memory and could eventually
lead to out-of-memory issues. Reduce the thresholds to address
the problem.
Change-Id: I76a2622fb30cda615aeb27fcc9c8e548ffec3e51
CRs-Fixed: 2941885
In wifipos component, channel info array is allocated for MAX_CHANNELS(255)
and passed to the regulatory module which uses NUM_CHANNELS to fill the
channels. NUM_CHANNELS can be more than 255. This may lead to an array out
of boundary access.
Use NUM_CHANNELS in wifipos component to allocate channel info array.
Also, add a boundary check on the number of channels received from the
regulatory component.
Change-Id: I5b7a7a4767d8bbb259c5631cf744e57ee3e1effb
CRs-Fixed: 2938879
There is a timing race condition between RTPM suspend flow and
DP TX flow. When TX is queued during RTPM suspend flow, TX
ring update may be delayed. Add a force TX HP flush when RTPM
is rejected due to TX pending frame. This can help to improve
TX pending frames delay when race condition happens.
Change-Id: I6f60f2902dfda630f81528dcf978da6644d18ba7
CRs-Fixed: 2942744
In wlan suspend and resume cases it is seen that group
irqs are getting disabled multiple times without getting
enabled which is causing irqs to be disabled permanently.
Track for unbalanced disabling/enabling group irqs which
helps to root cause the issue.
Change-Id: Ic1ef637c317f04b3299f17f19208df11ece3c013
CRs-Fixed: 2939809
Scan manager currently has two flags - scan_f_2ghz and scan_f_5ghz
for the requestor to specify which channel bands to scan.
Currently, these flags are not utilized by the scan manager to
control the channels selected as part of the scan request channel
list. As a result, specifying a particular band will not
limit the scan manager to scan only the mentioned band - instead
scanning all supported channels.
Add a check to use these flags to avoid channels from bands
which are not selected.
Change-Id: I86e17184b5bb67cbf951eee5d43a8f80a93718d6
CRs-Fixed: 2934215
Add QCA vendor interface for userspace to get information of usable
channels for different interface types from the driver/firmware.
Change-Id: Ice662b9f14e95f32f853637e73bccd686678f278
CRs-Fixed: 2939047
This is about CFR feature, set max ta ra entries to 4 for QCA6490 and
QCA6750 based on HW design.
Change-Id: Ief62ac394e3991a896d9bb954289e63ac105e74e
CRs-Fixed: 2939149
Use qdf_assert_always instead of qdf_assert when the rx_desc
returned by dp_rx_cookie_2_va_mon_status is NULL, to capture the real
problem here, since qdf_assert does not do anything.
Change-Id: I480917ecaf30f9faa4fdcda93c09a59e972a7e1c
CRs-Fixed: 2944083
New regdomain of MKKN added channel 144 to JP.
Add 144 (5720 MHz) to JP outdoor frequency.
Change-Id: Ic50dd3aeb4e192672b71c7173b9fd4b4072b0e0a
CRs-fixed: 2943076
HTC buffer is freed in enqueue failure case. Then it is requeued to
htt_htc_pkt_misclist also. In deinit flow, misclist entry should be
cleared, so buffer double free is hit in this stage. Make a change
to not requeue this frame to misclist.
Change-Id: I0211c4b548d7df7176ee72a83e21f8fcf7fa464c
CRs-Fixed: 2942972
For some concurrency scenarios, there is a need to have each session
operate in independent power modes. To achieve this, add a second
current channel list to store info for the secondary power mode.
Also add the APIs to read from the secondary channel list.
Change-Id: Ib1bd712645de05786ea6d4bbfe6163c385bdfeaa
CRs-fixed: 2944483
On a partial offload chipset, when radar is detected on a DFS channel,
the host dfs wait timer (timeout of 200ms) is started, but there is a
delay in sending the avg_params to the FW. This delay happens for approx
330ms due to some high priority interrupt; due to this, the thread that
sends the avg_params to the FW seems to be suspended.
Host timer expiry is seen, and due to this there is a new target channel
chosen and multivdev restart is sent to the FW (the vdev is in restart
progress state). At this moment, the FW spoof timer (timeout is 300ms)
gets expired and a status code of 1 (indicating spoof failure) is sent
in the host dfs status WMI event. Due to this, the DFS channels are
blocked and the channel list is rebuilt with only non-DFS channels.
A non-DFS channel is chosen as the target channel. Since the vdev SM is
currently in restart progress state, when radar event is posted to the
vdev SM, assert is triggered and this leads to a crash.
The timeout value of the host timer is 200ms and the FW timer is 300ms.
The Host timer should be greater than the FW timer.
Therefore, increase the Host status timeout value from 200ms to 350ms.
Change-Id: I86858377fd5041922f232a1ac3d5ab781c7a63c1
CRs-Fixed: 2936809
CVE-2020-26145
Broadcast and multicast frames should never be fragmented. Several devices
process broadcasted fragments as normal unfragmented frames. Moreover, some
devices accept plaintext fragmented broadcast or multicast frames in
protected Wi-Fi networks. An adversary can abuse this to inject packets
by encapsulating them in a fragmented plaintext broadcast frame. Even
unicast packets can be encapsulated in broadcast Wi-Fi frames and hence
be injected.
Change-Id: I3181a05e177cf9374a14edb748bc5001d058e0f3
CRs-Fixed: 2893212
Drop non-EAPOL frames from unauthorized peer in security mode.
Enabling this feature by default with this change.
Change-Id: I9878b37088149e34f456a38a9c0f722e4c5ee49a
CRs-Fixed: 2943789
Provide multiple combinations to configure the msi interrupts
of DP and CE based on the number of MSIs available in the platform.
Number of MSIs used for CE and DP can be changed by modifying the
MSI assignment table in platform driver. Best possible mask for that
MSI is automatically chosen based on predetermined settings.
Change-Id: I02b44fb033631d69d97f2d8d2d3f698541d37aad
In some RX backpressure cases, we see the HW accessing REO
queue descriptors of a deleted peer (after the queue descriptors
are unmapped/freed); this is leading to SMMU faults. There are
cases where the HW is accessing the stale REO queue descriptors
~12 seconds after the queue descriptors were freed.
In order to avoid the problem, HW team has suggested to defer
unmapping/free of REO Queue descriptors. Add the logic for the
same.
Change-Id: I5b1fb966dc75b963ccc9d22c40272c8d1d8d6026
CRs-Fixed: 2939223
It's a regression of change: qcacmn: Fix smmu fault for tx buffer unmapped.
Only 1 tx buffer is smmu mapped for IPA with it.
During STA-SAP tethering, when IPA accesses the 2nd tx buffer, an smmu fault
happens.
Remove qdf_assert_always since it already exists in
__dp_ipa_handle_buf_smmu_mapping.
Change-Id: Ife8ed17d85a8bcfc507c312001af4b905c9b3a27
CRs-Fixed: 2937435
Modify check to ensure packet number is consecutive for
fragments and drop the fragments if the check fails.
Change-Id: I2ca0ef6211594ba35aae894e6a385d3d5778bff6
CRs-Fixed: 2874369
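
The consecutive packet number check described in the commit message above, as an added example that is not code from qcacmn. It assumes CCMP-protected fragments, whose 8-byte header carries the 48-bit PN in bytes 0, 1, 4, 5, 6 and 7; all function names and sample PNs are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CCMP_HDR_LEN 8              /* PN0 PN1 rsvd keyid PN2 PN3 PN4 PN5 */
#define PN_MAX 0xFFFFFFFFFFFFULL    /* the PN is 48 bits wide */
static const int pn_pos[6] = {0, 1, 4, 5, 6, 7};   /* PN0 (LSB) .. PN5 */

/* Extract the 48-bit packet number from one CCMP header. */
static uint64_t ccmp_pn(const uint8_t *h)
{
    uint64_t pn = 0;
    for (int i = 5; i >= 0; i--)
        pn = pn << 8 | h[pn_pos[i]];
    return pn;
}

/* hdrs holds n CCMP headers in fragment-number order, 8 bytes each.
 * True only if every fragment carries the previous fragment's PN + 1. */
bool frags_pn_consecutive(const uint8_t *hdrs, size_t n)
{
    if (n == 0)
        return false;
    uint64_t prev = ccmp_pn(hdrs);
    for (size_t i = 1; i < n; i++) {
        uint64_t cur = ccmp_pn(hdrs + i * CCMP_HDR_LEN);
        if (prev == PN_MAX || cur != prev + 1)
            return false;           /* gap, repeat, reorder or PN wrap: drop */
        prev = cur;
    }
    return true;
}

/* Build constructed headers (key ID 0, ExtIV set) from up to 16 PNs and check. */
bool check_pns(const uint64_t *pns, size_t n)
{
    uint8_t hdrs[16 * CCMP_HDR_LEN] = {0};
    if (n > 16)
        return false;
    for (size_t i = 0; i < n; i++) {
        hdrs[i * CCMP_HDR_LEN + 3] = 0x20;
        for (int b = 0; b < 6; b++)
            hdrs[i * CCMP_HDR_LEN + pn_pos[b]] = (uint8_t)(pns[i] >> (8 * b));
    }
    return frags_pn_consecutive(hdrs, n);
}

int main(void)
{
    uint64_t ok[] = {0x1000, 0x1001, 0x1002}, bad[] = {0x1000, 0x1001, 0x2000};
    printf("in-order: %d, gap: %d\n", check_pns(ok, 3), check_pns(bad, 3));
    return 0;
}
```
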
Register dp_peer_flush_frags API in dp peer ops
for flushing fragments for a particular peer.
Change-Id: Ia179d3160bdc306ec965c465134042c66a0c40a6
CRs-Fixed: 2874366
For security cert TC, RSNIE length can be 1 but if the beacon is
dropped, old entry will remain in scan cache and cause cert TC
failure as connection with old entry with valid RSN IE will pass.
So instead of dropping the frame, do not store the RSN pointer so
that old entry is overwritten.
Change-Id: I2fe4d2dd2352be6850f7a18a2ec829733ded7ee8
CRs-Fixed: 2944120
Some of the targets require more QDF nbuf history
size, so making the size configurable keeping
default same.
Change-Id: Ic4ac43a1eacb1e58c0a05b794349525d614d7fc8
CRs-Fixed: 2929968
Firmware generates wmi Rx diag events every few milliseconds,
and processing the same in system shared work queue may lead to
work queue lock-up detection. Hence, move Rx diag event processing
to dedicated work queue.
Change-Id: I10cdde317794e35bc6d10677ab76ea24a66e1880
CRs-Fixed: 2941409
Add new ini's for assoc active and passive dwell time
for 6g. These will be applied if STA is connected.
Change-Id: I680fbd3038968ecf6ff9920fff982456135bfd77
CRs-Fixed: 2941359
Even though HP/TP updates are posted writes at CPU level, they
are getting blocked until soc comes out of retention, which is hogging
CPU.
To avoid this, if EP is in low power state, update HP/TP writes from
delayed work context. In delayed work, vote for EP awake, wait till it
comes out of low power state, and then proceed to HP/TP update.
Change-Id: I61d5795f58f25f850b5a9ad4d30e3181dba23713
CRs-Fixed: 2913495
In monitor mode, when the channel is set to any 2G band channel
the mac_id passed to dp_mon_process API is 1. As part of
dp_rx_buffers_replenish, refill history is logged and the
mac_id is used to index into the history array. The array is
of size 1 and OOB access would happen when ring_num which
is the mac_id, passed in is 1.
Fix is to pass the pdev->lmac_id instead to
dp_rx_refill_ring_record_entry and add ring_num sanity check.
Change-Id: Id824ec8b01e7923ad74771d5f34a25f5fccb65f3
CRs-Fixed: 2939544
For every channel change, a print is displayed onto console.
Reduce log level to suppress print.
CRs-Fixed: 2921656
Change-Id: Ib300ecc17c09412aa6502cc45ec1c4b7da3b54ce
In cm_update_scan_db_on_connect_success, the current candidate is
always retrieved from connect req even when the resp is for reassoc;
this can lead to invalid pointer access.
Fix this by getting current candidate from roam command for reassoc
resp.
Change-Id: I99afc49abd7581cf43279654a5fe1e67e2448bd0
CRs-Fixed: 2941836
In some of the targets modulo operator assembly API's
are not defined causing compilation error.
To avoid this use qdf based API's for modulo operations.
Change-Id: Ibc69b69aa38cadff5daa8dee8b65ceaacfe997b7
CRs-Fixed: 2940281
When obss scan is enabled, FW will trigger scan periodically by
a timer. If a scan was triggered, FW needs to access host memory
for data transfer. Occasionally, suspend may happen during one
scan, then FW is unable to access host memory and fw will crash.
So disable the obss scan before suspend.
Change-Id: Ie507da929a3701473cb57888e96e702e34d4c95a
CRs-Fixed: 2927239
Allow object manager logging in console only for WIN as
it's a critical print. For MCC, this print will not be
logged to avoid console lock and excessive logging.
Change-Id: I09b6dc80486cfa727c130f3fe205f504a46dd0c0
CRs-Fixed: 2938507
In perf builds, add a ksize check and call qdf_mem_prealloc_put()
only when size is greater than 4K to avoid lookup overhead.
Change-Id: If01a7cbeaf1ee7f514f16296340169a937dafa78
CRs-Fixed: 2936464
Logs are printed inside a spinlock which was held for
losing more than 2 seconds.
To fix this, reducing log level so it is not printed
in the console and instead in driver logs.
Change-Id: Ib510ddc1b5bff63db012b45ffa0280eedc356cc6
CRs-Fixed: 2938590
If MBSSID ie contains only header and no payload
then current logic can cause OOB read.
Added validation check for length of IE before
accessing MBSSID IE payload.
Change-Id: Id8b34e5f516f1a1c85bc7d93d9128cad29393e9d
CRs-Fixed: 2838631
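
A length-checked parse of a Multiple BSSID element, illustrating the header-only case from the commit message above; this is an added example, not code from qcacmn. It assumes the IEEE 802.11 layout (element ID 71, length, one MaxBSSID Indicator byte, then ID/length/data subelements); the function name, the strict trailing-byte policy and the sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EID_MBSSID 71   /* Multiple BSSID element ID */
#define IE_HDR_LEN 2    /* element ID + length */

/* Constructed sample elements (not captured from a real beacon). */
const uint8_t mb_header_only[] = {71, 0};
const uint8_t mb_minimal[]     = {71, 1, 3};
const uint8_t mb_one_sub[]     = {71, 6, 2, 0, 3, 0xAA, 0xBB, 0xCC};
const uint8_t mb_sub_overrun[] = {71, 4, 2, 0, 9, 0xAA};
const uint8_t mb_len_overrun[] = {71, 10, 1};

/* Validate one element in buf[0..buf_len). Returns the number of
 * well-formed subelements and stores the MaxBSSID Indicator in *max_ind,
 * or returns -1 without reading any payload if the element is malformed. */
int mbssid_parse(const uint8_t *buf, size_t buf_len, uint8_t *max_ind)
{
    if (buf_len < IE_HDR_LEN || buf[0] != EID_MBSSID)
        return -1;
    size_t ie_len = buf[1];
    if (ie_len > buf_len - IE_HDR_LEN)
        return -1;                  /* length field runs past the frame */
    if (ie_len < 1)
        return -1;                  /* header only: no indicator byte to read */

    const uint8_t *p = buf + IE_HDR_LEN, *end = p + ie_len;
    int count = 0;
    *max_ind = *p++;
    while (end - p >= 2) {          /* subelement: ID, length, data */
        size_t sub_len = p[1];
        if (sub_len > (size_t)(end - p) - 2)
            return -1;              /* subelement runs past the element */
        p += 2 + sub_len;
        count++;
    }
    return p == end ? count : -1;   /* strict: reject a stray trailing byte */
}

int main(void)
{
    uint8_t m = 0;
    printf("header-only: %d\n", mbssid_parse(mb_header_only, sizeof mb_header_only, &m));
    printf("one subelement: %d\n", mbssid_parse(mb_one_sub, sizeof mb_one_sub, &m));
    return 0;
}
```
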
hal_get_entrysize_from_srng returns the entry size
in dwords but the caller expects in bytes. This results
in insufficient data to be recorded for CE event.
Fix is to left shift the entry size by two bits in
hal_get_entrysize_from_srng so that the entry size
value returned is in bytes.
Change-Id: If532da7abe5ce9c293969f0052455085f18b1926
CRs-Fixed: 2935196