Add support to check if IPA and WLAN share a common dma pool
and based on that take decision to map the rx buffers or not
in IPA use case scenarios
Change-Id: I5d684db1cffc9f04b962cf7bdf0305b7d5e1df23
CRs-Fixed: 3878739
During cnss unload or error quit, cnss_dms_deinit() is called to
perform dms client deinit. When dms server quits, modem also sends event
to cnss to schedule dms client restart with dms_del_server(). The two
processes are asynchronous so qmi_handle_release() may be entered
twice and cause qmi->sock to be used after free.
To avoid this race condition, call cnss_cancel_dms_work() before
cnss_dms_deinit() to guarantee the two processes do not run concurrently.
Change-Id: I291c1d0bdead190549dcbbb2c4b7aa65a68196d7
CRs-Fixed: 3875961
Check if clk is enabled before disabling it to avoid
warning log during adsp SSR.
Change-Id: I916af6f9efacfe3d08e0b05dcc0c6023944369d2
Signed-off-by: sarath varma ganapathiraju <quic_ganavarm@quicinc.com>
Reduce the OUI length to 2 bytes for vendor IE to include
just the OUI and the type and omit the body as it is not
mandatory.
CRs-Fixed: 3842063
Change-Id: I42f1b2d6c57da82f859b9917a1e5229273f75263
This change enables the uidle feature support for milos target.
Change-Id: I3f8633b623d69467010639b48e47a2455f64c55b
Signed-off-by: Akash Gajjar <quic_agajjar@quicinc.com>
This change reverts the hard-coded downgrade of non-ML
APs to 11ax from I9471c5b211f9480877c9c2475eaef93071b82734.
Instead, do not send ML-probe or ML IE in assoc request, if
the AP does not support MLO. This keeps the connection as
11be.
Also, cleanup the unused variables in bss description and
keep it 4-bytes aligned.
Change-Id: I1aa681ecce04615f88d563c07d9c7e2ef10c1b92
CRs-Fixed: 3857042
In the api cm_roam_mgmt_frame_event(), the received frame info
is differentiated between legacy and MLO AP on the basis of whether
the current vdev is a ML vdev or not. This results in undesired
logging of result during MLO to legacy AP roam failure case as
the vdev is still the ML vdev as it is maintaining the current
connection with the ML AP while the frame info data received
from FW is for legacy AP.
Add a band check when processing the roam frame info data
received from the FW as band info in roam frame data follows
the following format:
1. 0: if the FW tried to roam to a legacy AP
2. When tried to an MLO AP, it will represent the link it forms
   association on. The format is as follows:
   * BIT 0: When it is associated on 2 GHz link
   * BIT 1: When it is associated on 5 GHz link
   * BIT 2: When it is associated on 6 GHz link
Change-Id: I7854ef368776ba11d4cdc8aca28ac86c8c2f4efa
CRs-Fixed: 3866223
Currently, host driver updates the corresponding
info(6 GHz band disable/enable) to regulatory when the DRIVER
cmd SET_FCC_CHANNEL is received. It also updates the complete
RSO_CONFIG to firmware as band has changed. Firmware roaming
state machine gets restarted as all RSO params got updated.
But there is no need to update the complete RSO config as only
band has changed. This can avoid firmware roaming restart.
So, send only CHAN_LIST to fw when SET_FCC_CHANNEL command is
received.
Change-Id: I209ba1f50ec1e08767ab7384cc266864d412f523
CRs-Fixed: 3871985
This change helps to get valid csid id in case
of any IFE is disabled and accessing csid hw caps
with the help of csid id.
CRs-Fixed: 3863667
Change-Id: I57ff8acaaf15b347a69883a54937376843fcd848
Signed-off-by: Gaurav Jindal <quic_gjindal@quicinc.com>
Signed-off-by: Karthik Dillibabu <quic_kard@quicinc.com>
Previously, context user dumps lacked sufficient checks, risking
buffer overflows. Added length checks for dump headers to ensure
enough buffer space before copying header and exact data from
all kinds of request lists.
CRs-Fixed: 3846871
Change-Id: I02d01af54c9985e5642c31b979c0590494fd5775
Signed-off-by: Atiya Kailany <quic_akailany@quicinc.com>
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
No check for cpu buffer offset, which may lead to out of cpu buffer
map. No check for cmd buffer index, which may lead to out of bound
or negative index. Adding check for cpu buffer map offset and
adding check for cmd buffer index.
CRs-Fixed: 3864084
Change-Id: I39494b0a9f323cb5569d37a0c033b2eaf8fbd32c
Signed-off-by: jinguiw <quic_jinguiw@quicinc.com>
sizeof(struct cam_isp_context_dump_header) only accounted for once
instead of num_entries times for minimum offset needed when dumping
event record of isp context.
CRs-Fixed: 3865205
Change-Id: I6db25ba2dc4022c2582493aadc4875f9bf9ddb62
Signed-off-by: Li Sha Lim <quic_lishlim@quicinc.com>
There are only limitations for CAM_BUF_IN and CAM_BUF_OUT in
config validation, but there will be CAM_BUF_IN_OUT type also.
In process io config, both CAM_BUF_OUT and CAM_BUF_IN_OUT types
are in out_map_entries. No limitation for CAM_BUF_IN_OUT will
lead to out of bound for out_map_entries. This change adds check
for num of io config need in out_map_entries to avoid
out of bound risk.
CRs-Fixed: 3857308
Change-Id: I69163a4264d226d617cbe4f37ba1deb4e6434e31
Signed-off-by: jinguiw <quic_jinguiw@quicinc.com>
This change adds extra checking for frame_info_idx to
avoid accessing invalid items in the array.
CRs-Fixed: 3863925
Change-Id: I9f2350aa7d3da35108d26e50ed5198255fc4237a
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
Each call to cam_common_user_dump_helper consumes
sizeof(struct cam_isp_context_dump_header) in memory.
Currently, this check is not accounted before each call
to common user dump is made in this function. This change fixes it.
CRs-Fixed: 3864098
Change-Id: I66cab5055b085660fb15ff25707fa4ae97403740
Signed-off-by: Li Sha Lim <quic_lishlim@quicinc.com>
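
The two dump-header fixes above (header size counted once instead of num_entries times, and the space check missing before each helper call) come down to the sizing rule sketched below. This is an added example, not code from the driver: struct dump_header, its layout, the function names and the sample buffers are all hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical header layout; the driver's real header struct is not shown on the page. */
struct dump_header { char tag[16]; uint64_t word_size; uint32_t num_words; };
/* Constructed sample data for the demonstration. */
static uint8_t sample_buf[512];
static const uint8_t sample_payload[8] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Flawed sizing: one header is counted for the whole dump. */
static size_t min_len_flawed(size_t n, size_t payload_len)
{
    return sizeof(struct dump_header) + n * payload_len;
}

/* Corrected sizing: every entry costs header + payload. Returns 0 on overflow. */
static size_t min_len_fixed(size_t n, size_t payload_len)
{
    size_t per_entry = sizeof(struct dump_header) + payload_len;
    if (per_entry < payload_len || (n && per_entry > SIZE_MAX / n))
        return 0;
    return n * per_entry;
}

/* Writes n header+payload records at offset; returns bytes written or -1. */
static long dump_entries(uint8_t *buf, size_t buf_len, size_t offset,
                         size_t n, const uint8_t *payload, uint32_t payload_len)
{
    size_t need = min_len_fixed(n, payload_len), start = offset;

    if (offset > buf_len || (n && !need) || buf_len - offset < need)
        return -1;
    for (size_t i = 0; i < n; i++) {
        struct dump_header hdr = { .tag = "EVT", .word_size = 1, .num_words = payload_len };
        /* Re-check before each record, so the loop stays safe on its own. */
        if (buf_len - offset < sizeof(hdr) + payload_len)
            return -1;
        memcpy(buf + offset, &hdr, sizeof(hdr));
        memcpy(buf + offset + sizeof(hdr), payload, payload_len);
        offset += sizeof(hdr) + payload_len;
    }
    return (long)(offset - start);
}

int main(void)
{
    return dump_entries(sample_buf, sizeof(sample_buf), 0, 4, sample_payload, 8) > 0 ? 0 : 1;
}
```

A buffer sized with min_len_flawed() is rejected by dump_entries() instead of being overrun.
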
The cam_mem_cpu_put_buf function called immediately after
cam_jpeg_add_command_buffers can cause UAF. To avoid this,
get the in_out param reference in jpeg enc bottom half
and update the out size param.
CRs-Fixed: 3848801
Change-Id: Ib484ad388f0dd356a481a7fede40b9898f713c63
Signed-off-by: Nirmal Abraham <quic_c_nabrah@quicinc.com>
scenario:
(1) P2P GO interface is getting down, dp_intf is deleted.
(2) dp_vdev has not been freed as it's waiting peer_unmap
for self bss peer.
(3) once host received peer_unmap, bss peer get freed and
trigger dp_vdev deleting, the callback vdev->vdev_del_notify
will try to access dp_link->dp_intf->dp_ctx, invalid dp_intf
is used.
Get dp_ctx by dp_get_context() as dp_intf might be invalid already
when dp_vdev deleting happen.
Change-Id: I8c36b124d11f7fd8acaeb066e08865092ad02ab2
CRs-Fixed: 3866027
fastrpc file free returns if session context is NULL. PM QOS request
memory free doesn't happen before this return, which leads to memory
leak. Do memory cleanup to handle this scenario.
Change-Id: I819ba74a7a0b3e2974df552fad8aca55a892df87
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
External researcher found UAF in qcedev_smmu.c on an error condition in
qcedev_check_and_map_buffer. When an error occurs, we free binfo, but it
is still kept in the registeredbufs list. The fix removes it from the
list before freeing binfo.
Change-Id: I0327e456bd46106b12c36a5a21305407aae428dd
Signed-off-by: Daniel Perez-Zoghbi <quic_dperezzo@quicinc.com>
In DP simulation mode, DP link clock's parent is driven
by usb pll clock, in case usb is disconnected during
DP simulation, those registers driven by DP link clock
cannot be accessed any more. In that case, put xo clock as
DP link clock's parent to keep the registers driven by
link clock still accessible.
Change-Id: I2bbe6b92052284c7825f80348818d00557312a10
Signed-off-by: Yu Wu <quic_zwy@quicinc.com>
When allocating context to copy the compat invoke call arguments data,
it incorrectly treats compat invoke call arguments as kernel memory,
leading to exceptions. The fix is to recognize them as userspace pointers.
Change-Id: I336b33156498103d3c3591768be98e0c105dda89
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
Since PCIE Genoa has separate wlan fw patch for
mission mode(amss.bin) and ftm mode(genoaftm.bin),
but cnss2 platform driver always tries to load amss.bin,
which is not feasible. So add this new interface for
cnss2 to get correct driver mode and update the fw
patch name.
Change-Id: I00ef2586dbbf3f732026a0487d240950ccc0a0af
CRs-Fixed: 3864574