There is a timing race condition between RTPM suspend flow and
DP TX flow. When TX is queued during RTPM suspend flow. TX
ring update may be delayed. Add a force TX HP flush when RTPM
is rejected due to TX pending frame. This can help to improve
TX pending frames delay when race condition happens.
Change-Id: I6f60f2902dfda630f81528dcf978da6644d18ba7
CRs-Fixed: 2942744
Use the qdf_assert_always instead of qdf_assert when rx_desc is NULL
getting by dp_rx_cookie_2_va_mon_status to capture real problem here
since the qdf_assert does not do anything.
Change-Id: I480917ecaf30f9faa4fdcda93c09a59e972a7e1c
CRs-Fixed: 2944083
HTC buffer is freed in enqueue failure case. Then it is requeued to
htt_htc_pkt_misclist also. In deinit flow, misclist entry should be
cleared, so buffer double free is hit in this stage. Make a change
to not requeue this frame to misclist.
Change-Id: I0211c4b548d7df7176ee72a83e21f8fcf7fa464c
CRs-Fixed: 2942972
CVE-2020-26145
Broadcast and multicast frames should never be fragmented. Several devices
process broadcasted fragments as normal unfragmented frames. Moreover, some
devices accept plaintext fragmented broadcast or multicast frames in
protected Wi-Fi networks. An adversary can abuse this to inject packets
by encapsulating them in a fragmented plaintext broadcast frame. Even
unicast packets can be encapsulated in broadcast Wi-Fi frames and hence
be injected.
Change-Id: I3181a05e177cf9374a14edb748bc5001d058e0f3
CRs-Fixed: 2893212
Drop non-EAPOL frames from unauthorized peer in security mode.
Enabling this feature by default with this change.
Change-Id: I9878b37088149e34f456a38a9c0f722e4c5ee49a
CRs-Fixed: 2943789
Provide multiple combinations to configure the msi interrupts
of DP and CE based on the number of MSIs available in the platform.
Number of MSIs used for CE and DP can be changed by modifying the
MSI assignment table in platform driver. Best possible mask for that
MSI is automatically chosen based on predetermined settings.
Change-Id: I02b44fb033631d69d97f2d8d2d3f698541d37aad
In some RX backpressure cases, we see the HW accessing REO
queue descriptors of a deleted peer(after the queue descriptors
are unmapped/freed), this is leading to SMMU faults. There are
cases where the HW is accessing the stale REO queue descriptors
after ~12seconds after the queue descriptors were freed.
In order to avoid the problem, HW team has suggested to defer
unmapping/free of REO Queue descriptors. Add the logic for the
same.
Change-Id: I5b1fb966dc75b963ccc9d22c40272c8d1d8d6026
CRs-Fixed: 2939223
It's regression of change: qcacmn: Fix smmu fault for tx buffer unmapped.
Only 1 tx buffer is smmu mapped for IPA with it.
During STA-SAP tethering, when IPA access 2nd tx buffer, smmu fault
happens.
Remove qdf_assert_always since it already exists in
__dp_ipa_handle_buf_smmu_mapping.
Change-Id: Ife8ed17d85a8bcfc507c312001af4b905c9b3a27
CRs-Fixed: 2937435
Modify check to ensure packet number is consecutive for
fragments and drop the fragments if the check fails.
Change-Id: I2ca0ef6211594ba35aae894e6a385d3d5778bff6
CRs-Fixed: 2874369
Register dp_peer_flush_frags API in dp peer ops
for flushing fragments for a particular peer.
Change-Id: Ia179d3160bdc306ec965c465134042c66a0c40a6
CRs-Fixed: 2874366
In monitor mode, when the channel is set to any 2G band channel
the mac_id passed to dp_mon_process API is 1. As part of
dp_rx_buffers_replenish, refill history is logged and the
mac_id is used to index into the history array. The array is
of size 1 and OOB access would happen when ring_num which
is the mac_id, passed in is 1.
Fix is to pass the pdev->lmac_id instead to
dp_rx_refill_ring_record_entry and add ring_num sanity check.
Change-Id: Id824ec8b01e7923ad74771d5f34a25f5fccb65f3
CRs-Fixed: 2939544
For every channel change, a print is displayed onto console.
reduce log level to suppress print.
CRs-Fixed: 2921656
Change-Id: Ib300ecc17c09412aa6502cc45ec1c4b7da3b54ce
In some of the targets modulo operator assembly API's
are not defined causing compilation error.
To avoid this use qdf based API's for modulo operations.
Change-Id: Ibc69b69aa38cadff5daa8dee8b65ceaacfe997b7
CRs-Fixed: 2940281
Logs are printed inside a spinlock which was held for
losing more than 2 seconds.
To fix this, reducing log level so it is not printed
in the console and instead in driver logs.
Change-Id: Ib510ddc1b5bff63db012b45ffa0280eedc356cc6
CRs-Fixed: 2938590
Add the history support to log Tx descriptors programmed
in Tx and completion HW rings.
Change-Id: I60954c93e2595e7dad1251c459eed8afc761e917
CRs-Fixed: 2924614
Depreciated IPA APIs are currently getting compiled.
To fix this, adding linux kernel version check
Change-Id: I2288db34c09d60047c67a5df9081de08a6c2f62b
CRs-Fixed: 2927413
Fisa packet history is around 6KB for each sw fisa
flow entry and this is part of the dp_fisa_rx_sw_ft
structure. The total size of the SW FT as a result is
around 830KB and the higher order memory allocation via
kzalloc for this could fail in low/fragmented memory
scenarios.
Fix is to allocate memory for FISA pkt history separately
and attach it to the SW FT entry.
Change-Id: I7296d7269c1b86ec38ea1668e8a0893335bbdb6f
CRs-Fixed: 2936353
When enhanced stats are enabled/disabled, dp_mon_filter_update () API
sets/resets MON_BUF ring filters also, this is leading to connection issues
traffic stall on Rx side
Set/Reset MON_BUF ring filters when monitor mode is enabled
Change-Id: I0de7be81465b11224b95c0918b4e8c8e339e3802
add ssn_updates_count to dp_soc_stats rx err stats.
Also add bar fail count on rx tid update during
bar handling.
Change-Id: Ic9a963c8d29ace2087e63cba56bc0d7e40907e1a
CRs-Fixed: 2918806
When nbuf is freed via dp_rx_buffer_pool_nbuf_free, the
nbuf is enqueued to emerg_nbuf_q always even in the case
where the emerg_nbuf_q is not initialized. This will result
in NULL pointer dereference when any nbuf is enqueued to
emerg_nbuf_q.
Fix is to add initialization check before adding the nbuf
to emerg_nbuf_q and free the nbuf if emerg_nbuf_q is not
initialized.
Change-Id: I075b3b93203eec21d44ea3967b5f46d59c291a14
CRs-Fixed: 2934593
Add support for Rx refill ring history, maintain records of refill info
during RXDMA ring replenish.
Change-Id: I034014eacfc510ec6f416fca601fa864326de9c2
CRs-Fixed: 2930005
Currently, excess logging is causing a crash when enqueuing
of Tx MSDU descriptor to HW failed.
Rate limiting the log messages to avoid the crash.
Change-Id: Ibb230ce03c23518b6f7feda61a49bf155c7ddc69
CRs-Fixed: 2933002
Same WDI subscribe event can be added multiple times to event list
since this is triggered by user control this will result to undefined
behaviour during events handling.
To avoid this add check to detect duplicate entry before adding
to list and reset list elements once removed from list.
Change-Id: Iaf23927f8439d4ac503776b915a8fe8cb6abfec5
CRs-Fixed: 2931068
It is possible to hit spinlock vdev->peer_list_lock recursion if
running SSR case, the call stack is as following:
dp_vdev_flush_peers
dp_vdev_iterate_peer
qdf_spin_lock_bh(&vdev->peer_list_lock); -> first time lock
dp_peer_delete
dp_peer_delete_wifi3
dp_peer_vdev_list_remove
qdf_spin_lock_bh(&vdev->peer_list_lock) ->
lock again in same thread.
Replace it with dp_vdev_iterate_peer_lock_safe.
Change-Id: I40fe492d43b376b404b855a7e86aa2cd66ba1d22
CRs-Fixed: 2926284
The status of the IPA SMMU MAP/UNMAP operation is stored in the
result field of the mem info structure that is passed to the
IPA driver. Currently, this field is not checked for MAP/UNMAP
failures; when IPA HW accesses such a buffer for which
mapping is not correctly setup, it will lead to SMMU faults.
Check the result and assert(on failures) to avoid such issues.
Also, check if the physical address passed to the IPA driver is
non zero value.
Change-Id: Iec0702bdf4a07ea37e1213a33dc970028da654df
CRs-Fixed: 2928744
The dp_tx_da_search_override API wrongly returns DA based
address lookup instead of SA based for station mode when
FEATURE_WDS build flag is enabled.
Fix dp_tx_da_search_override API to return SA based
address lookup for station mode.
CRs-Fixed: 2924299
Change-Id: Ibb0c2a6df5f73fd5a361900036316375fc29dbbd
Currently a set of IPA2TCL and WBM2IPA rings is used for
IPA TX data path. Issue is when wlan is configured as
SAP-SAP DBS mode, slow 2G traffic will consume much more
TX resources and thus 5G traffic will have starvation,
which leads to severe degradation of DBS KPI.
Therefore separate IPA2TCL (SW2TCL2) and WBM2IPA (WBM2SW4)
rings are added to support alternative IPA TX pipe for 2G
traffic.
Change-Id: I4b648d0bcacbcde0b9b0a824516c1f06e3b0c7ad
CRs-Fixed: 2750079
Currently before suspending the device, we are draining
out the TX/RX SRNGs. The HP/TP updates which are done as
part of this will be posted writes(there won't be any link
levelccompletions for write transactions), there are chances
that we might end up updating HP/TP after the device enters
low power mode leading to system crashes.
In order to avoid this scenario, do a dummy read before
device is suspended; this will ensure all pendings writes are
flushed before read returns.
CRs-Fixed: 2919459
Change-Id: I5ab77f91fe14c506444bdea1587acfb34224fc69
a call to osif_proxy_arp need to be invoked inside UMAC_SUPPORT_PROXY_ARP
as it was protected under build macro UMAC_SUPPORT_PROXY_ARP.
Change-Id: I6e165a328ac65fb659cb9fbc3a0ce39fcbb6744b
When nbuf map-unmap debug is enabled and monitor vap is created on
Pine, then double nbuf unmap error is reported.
This is because in case of Pine, first monitor destination ring is
processed, then first buffer from monitor status ring is processed
to check for ppdu_id difference and then finally monitor status ring
is processed where the same buffer is unmapped again and thus resulting
in the issue.
Add fix to resolve the same.
Change-Id: Ic20b2ead8ef345c4ff568242544d5f69e83fcfdf
Check the return status of the IPA api that creates or
releases the smmu mappings of the tx/rx buffers. If the
api returns a failure then assert.
Change-Id: I755765c7c35c901341279eefbc8087d0dce0494c
CRs-Fixed: 2898353
Currently dp_lro_hash_setup is being done in dp_vdev_attach_wifi3 when
pdev->vdev_count==1. However, this counter is not getting decremented and
may overflow on repeated VDEV attach/detach calls. This may result in
LRO keys being programmed again.
Use a PDEV flag to determine whether to configure LRO or not. Fix
pdev->vdev_count by decrementing it during VDEV detach.
Change-Id: I03cba0d95c30831fbe8047828f7bb2cf4a869213
CRs-Fixed: 2906871
Add iwpriv option 34 to dump the reo rx h/w descs
in DDR for debugging. This cmd will first send cache
flush cmd to REO for all rx tids and invalidate the h/w
cache. Henceforth ensuring that the reo status tlvs and
the DDR values are in sync.
iwpriv wlan0 txrx_stats 34 0
Add fix to ensure bar frame with 2k jump err code is
processed correctly using the REO error code instead of the
REO push reason.
Change-Id: Ia05be668343f3a5d4b3262b8d6a367a50875add5
CRs-Fixed: 2895965
Add sanity checking before removing the ase from soc AST hash table to
avoid potential stability issue if ase is not found in the table.
Change-Id: I97b756cd5bdb052b0ce797cca5d96c6bac8f844e
CRs-fixed: 2912024
When a msdu scattered across multiple nbufs is received
in REO2SW ring and the remaining nbufs are not yet
available in the ring, loop in dp_rx_process is exited
without resetting the invalid bit in the ring desc cookie.
This will result in an incorrect assertion failure when
the same entry is processed the next time.
Fix is to reset the invalid bit in ring desc cookie
when the loop is exited in the above msdu scattered
scenario.
Change-Id: Ie5cfa1fb8ea1db4b7a0a4837545ecbfdfbb8719a
CRs-Fixed: 2916296
MSDU with len 1654 is received in the REO2SW ring and
the total len of the pkt would be 1654 + 392 (pkt tlvs)
+ 2 (l2 hdr padding) = 2048bytes. The nbuf len sanity
checks for strictly less than 2048 bytes which results
in the assertion failure.
Fix is to add the equal case when validating the
nbuf len.
Change-Id: I7e5d1df10339c8d7908a12001c2322028965a8fe
CRs-Fixed: 2916351
Buffers replenished post processing entries in the
REO2TCL ring do not have ipa smmu mappings created
when RX_PREALLOC_BUFFER_POOL feature is disabled.
This will result in SMMU fault when IPA HW accesses
such replenished buffers.
Fix is to create IPA SMMU mapping for replenished buffers
when RX_PREALLOC_BUFFER_POOL feature is disabled as well.
Change-Id: I0fe611a1279b91a3e45bc269348e05de9015d596
CRs-Fixed: 2915686
