Currently, the compat ioctl call distinguishes itself using a global
flag. If a user sends a compat ioctl call followed by a normal ioctl
call, it may result in using a user passed address as a kernel address
in the fastrpc driver. To address this issue, consider localizing the
compat flag for the ioctl call.
Change-Id: Ie8fc724424534102736b8c0bc594720547ab6ff6
Signed-off-by: rnallago <quic_rnallago@quicinc.com>
If a user makes the ioctl call for the fastrpc_internal_mmap with the
global map flag, fd, and va corresponding to some map already present
in the process-specific list, then this map present in the process-
specific list could be added to the global list. Because global maps
are also searched in the process-specific list. If a map gets removed
from the global list and another concurrent thread is using the same
map for a process-specific use case, it could lead to a use-after-free.
Avoid searching the global map in the process-specific list.
Change-Id: I59c820eb984945d39cd6e4b163307ea43ee4d2f4
Signed-off-by: Abhishek Singh <quic_abhishes@quicinc.com>
Post link switch the order of VDEV to link info in OSIF
changes and for the next connection, need to restore the
order. This restore currently happens when there is set
MAC address update before every connect, but however if
set MAC address is not received then the unrestored order
of VDEV will be used during connect which can be undesirable
in certain cases.
To avoid going ahead with connection with unrestored VDEV
mapping, make sure this is reset to proper order via
notifying HDD once assoc VDEV connect request becomes active.
Change-Id: Id3ba542820f7c2bc9c721a49735738df00b6e5d5
CRs-Fixed: 3827913
Remove SP_DBG_CNTL register programming from gen8 as
per latest recommendation.
Change-Id: I8a0892589608d570d6757146abc7fdbf3b68a929
Signed-off-by: Kamal Agrawal <quic_kamaagra@quicinc.com>
This change fixes a potential OOB access issue due to
culprit checking.
CRs-Fixed: 3851339
Change-Id: I5a8b8977f815376eeb41a4a227df6e307c7bd99d
Signed-off-by: Haochen Yang <quic_haocyang@quicinc.com>
If MLO peer attach fails for MLO VDEV, handle the failure and
remove the object manager peer and continue for next candidate
in case of initial connection.
Change-Id: Iba374f9b930db07bde84cea1cb18d36a0960c5b7
CRs-Fixed: 3844761
Sending deauth on one of the links in MLO connection will result
in removing anchor link in FW and driver shall silently remove the
next link without initiating another deauth. For this reason the
status of MLO peer is set to DISCONN_INITIATED on sending first
deauth frame so that subsequent links do not send again.
The MLO peer context holds the list of all object manager peers for
that MLD connection and failure to add to the context shall result
in termination of connection. Currently the failures are not handled
and the object manager peer is not having any MLO peer context and
this results in sending deauth frame on both the links.
Handle the error of peer create and MLO peer attach on roaming
to abort the roam sync.
Change-Id: I4d5a766b673b36edb44d19065237aa35ff7d5f1d
CRs-Fixed: 3837890
We currently wait for the completion of previous ASYNC command
transfers on a controller before initiating a new command transfer
on that controller. However, in the case of split DSI usage, the
controllers can encounter issues if a unicast command transfer
occurs before the previous broadcast is complete on both controllers.
To prevent this issue, it’s required to flush the CMD DMA of both
controllers before initiating the unicast command transfer following
a previous broadcast.
Change-Id: If2830bea81e32ab26d3b91754bcdf047c3cba483
Signed-off-by: Srihitha Tangudu <quic_tangudu@quicinc.com>
Enable synx init, import and release api calls on the
fence fd received from IPA C2 and pass synx object handle
to uC. Also it includes fixes related to validation params
and data handling.
Change-Id: Ifa43dfdb9f2b0069e7ccb276e1c44ec2ce0e8c4f
Signed-off-by: Jagadeesh Ponduru <quic_jponduru@quicinc.com>
Fix compilation failures caused by type mismatch
between format and argument.
Fix some kernel-doc errors.
Change-Id: Id55c19eff1dd62102feffac1785b5fe825555fde
CRs-Fixed: 3805434
Below errors are observed with LTS 6.6.17:
htc_recv.c:49:4: error: 'snprintf' will always be truncated; specified \
size is 2, but format string expands to at least 5
[-Werror,-Wfortify-source].
htc_recv.c:58:3: error: 'snprintf' will always be truncated; specified \
size is 2, but format string expands to at least 5
[-Werror,-Wfortify-source].
Here, the compilation error is because the 2nd argument to snprintf is
using sizeof(byteOffset) which evaluates to 2 and the size of the buffer
we are writing to is 10 and when the format string content expands to
at least 5 characters, only 2 characters are written to the output string.
Fix is to use size of the buffer we are writing to as the
snprintf 2nd argument.
CRs-Fixed: 3763920
Change-Id: I156260d26df643cd68b2e5d7fb7bf5d95f8026b2
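
The snprintf bound mistake described in the message above, as an added example (not code from htc_recv.c). The `"%04x:"` format and all function names are assumptions; only the sizes 2 and 10 come from the message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OFFSET_BUF_LEN 10   /* destination buffer size given in the message */

/* Assumed format: the message only says it expands to at least 5 chars. */
static int format_offset(char *out, size_t bound, uint16_t byte_offset)
{
    return snprintf(out, bound, "%04x:", (unsigned int)byte_offset);
}

/* Before: the bound is sizeof the 2-byte integer, not of the buffer. */
int format_offset_before(char out[OFFSET_BUF_LEN], uint16_t byte_offset)
{
    memset(out, 0, OFFSET_BUF_LEN);
    return format_offset(out, sizeof(byte_offset), byte_offset);
}

/* After: the bound is the size of the buffer being written. */
int format_offset_after(char out[OFFSET_BUF_LEN], uint16_t byte_offset)
{
    memset(out, 0, OFFSET_BUF_LEN);
    return format_offset(out, OFFSET_BUF_LEN, byte_offset);
}

/* snprintf returns the length it needed; >= bound means output was cut. */
int was_truncated(int ret, size_t bound)
{
    return ret < 0 || (size_t)ret >= bound;
}

int main(void)
{
    char buf[OFFSET_BUF_LEN];
    int ret = format_offset_before(buf, 0x1a2b);   /* constructed value */

    printf("before: \"%s\" (needed %d)\n", buf, ret);
    ret = format_offset_after(buf, 0x1a2b);
    printf("after:  \"%s\" (needed %d)\n", buf, ret);
    return 0;
}
```

Checking the return value with `was_truncated()` catches the same mistake at run time on toolchains that do not enable `-Wfortify-source`.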
Add APIs and callbacks to OSIF from CNX manager to notify
on assoc VDEV connect request becomes active in serialization.
Change-Id: Ica59c25199e0f09fc86b7311ae16d22f66af3b0c
CRs-Fixed: 3835003
After increased wmi len, bcn frames go to roam sync event instead of roam
sync frame event, add scan entry logic of roam sync frame event handler is
missed in roam sync event handler, if old scan entry for roamed bssid aged
out, roam sync fails for no scan entry found.
To fix it, add scan entry logic in roam sync event handler too.
Change-Id: Ifb2d3323256b42a094a2871279353273275fbddf
CRs-Fixed: 3848978
Sometimes wlan driver loading comes very early, icnss2
driver is not ready at that point and returns '-ENODEV',
which results in wlan failure.
To fix it, icnss2 returns '-EAGAIN' in such case to
trigger the retry mechanism in wlan driver.
Change-Id: Ia9f955622d052842ecd1fe1a752fd20d1e98804c
CRs-Fixed: 3851180
It's possible that the 'rproc name' doesn't contain
'wpss' when 'rproc_restart_level_notifier()' gets called,
there are two issues in such case:
1. The fixed length 'ICNSS_RPROC_LEN(100)' for strnstr()
is too long for some cases, which may lead to
'slab-out-of-bounds' issue in strnstr().
To fix it, pass strlen of the rproc name instead.
2. It returns without freeing memory for the event data
and results in memory leak.
To fix it, allocate memory for the event only when
the notification is for 'wpss'.
Change-Id: Icf48f2f9cb8b8fcb4b766971169dd6dbeba9839d
CRs-Fixed: 3848536
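
Why a fixed search length over-reads a short name, as an added example (not the icnss2 driver's code). It assumes a length-bounded search that trusts `len` and does not stop at a NUL in the haystack; `bounded_search`, `search_reach`, `is_wpss` and the sample names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

#define ICNSS_RPROC_LEN 100  /* fixed length quoted in the commit message */

/* Length-bounded search that trusts `len` and does not stop at a NUL in
 * s1. *last gets the highest offset of s1 that a comparison may touch
 * (-1 if no comparison was made). */
static const char *bounded_search(const char *s1, const char *s2,
                                  size_t len, long *last)
{
    size_t l2 = strlen(s2), off = 0;

    *last = -1;
    if (l2 == 0)
        return s1;
    for (; len >= l2; len--, off++) {
        *last = (long)(off + l2 - 1);
        if (memcmp(s1 + off, s2, l2) == 0)
            return s1 + off;
    }
    return NULL;
}

/* Copies `name` into a zero-filled 100-byte arena so this demo never
 * actually reads out of bounds, then reports how far a search bounded
 * by `len` reaches into the arena. */
long search_reach(const char *name, size_t len)
{
    char arena[ICNSS_RPROC_LEN] = {0};
    long last;

    strncpy(arena, name, sizeof(arena) - 1);
    bounded_search(arena, "wpss", len, &last);
    return last;
}

/* Form described in the message: bound the search by strlen(name). */
int is_wpss(const char *name)
{
    long last;

    return bounded_search(name, "wpss", strlen(name), &last) != NULL;
}
```

For a constructed 4-character name held in a 5-byte allocation, `search_reach(name, ICNSS_RPROC_LEN)` reports offset 99 while `search_reach(name, strlen(name))` reports offset 3, which is the gap a slab-out-of-bounds report flags.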
Policy manager restricts three active home channels on same MAC and
if any two links of ML-STA falls under same MAC, then policy manager
sends force inactive num set to one which link bitmap of those two
links. FW will ensure to not make both the links active at the same time.
In such cases when another VDEV comes up via concurrency on the same
MAC but with different frequency then, it will result in two active
VDEVs on same MAC. Now if FW decides to exchange the ML-STA links
which are sent in force inactive num via vdev repurpose, then
policy manager rejects this request and it sees the upcoming link
will be in MCC with existing two frequencies (one from ML-STA and
another from concurrency) while actually the ML-STA link will
eventually become standby if vdev repurpose is allowed.
For this reason, skip checking allow concurrency if the target
link in VDEV repurpose is part of dynamic inactive bitmap.
Change-Id: Ia7b1f798925c3ae02aceba68584dc02e44f2a514
CRs-Fixed: 3840955
F/W increased WMI event max length per CE2 config to satisfy increasing
mlo frame length in roam sync event, host checked frame len with old max
length wrongly, so roam sync failed.
To fix it, remove unnecessary frame len with old max length as
roam_sync_frame handler, frame len is checked with tlv len already.
CRs-Fixed: 3844499
Change-Id: I75394ffa6704b4556701ed060e4345a56906dc1b
As of now swr slave path disable only
when no usecase running, that is incorrect.
When stop the usecase itself disable the swr slave path and
set the clk for inactive bank.
Change-Id: I35bc693dc65028ba8ad04f59d47a1101c7bb470c
Signed-off-by: Yuhui Zhao <quic_yuhuzhao@quicinc.com>
Print sgl entries to aid debugging if sgl validation fails
due to mismatch of assigned and expected resources entry.
Change-Id: I63c7ad3a716d3fa37c886f29fa0ac7af6f960aaf
Signed-off-by: Akash Gajjar <quic_agajjar@quicinc.com>
Currently if STA + LPC is running and new interface is brought up
in case of monitor_mode_concurrency ini enable case only LPC
is terminated. If monitor_mode_concurrency ini is disabled LPC
will not be terminated and LPC will continue to run in concurrency
scenario.
To fix the issue remove check for monitor_mode_concurrency and delete
LPC interface directly in concurrency scenarios.
CRs-Fixed: 3849400
Change-Id: Ie0d7f6f942b973e5fc7944430cf5aaa9b0bdf538
Current condition to verify that num_links lies in range, is always false.
This change adds fix to condition, while checking num_links range to avoid OOB access.
CRs-Fixed: 3830586
Change-Id: I6e69cd373c6d15d2133fc6a286b4dde23234a6b3
Signed-off-by: Yash Upadhyay <quic_yupadhya@quicinc.com>
Recalculate VPSS line buffer macro to accommodate all
corner cases in VPSS operation.
HFI review done with ccb id 3508147.
Change-Id: If43ad34165a4206b6c9d19993dd4194f7ba597ea
Signed-off-by: Megha Byahatti <quic_mbyahatt@quicinc.com>
Currently, different error codes are returned if remote subsystem
is not up when client tries to open dynamic PD. Need to unify them
to -ECONNREFUSED.
Change-Id: Iee6925724a29a4ab265c50f68baa267150b4058d
Signed-off-by: Minghao Xue <quic_mingxue@quicinc.com>
This enables wakeup capable if gpio is defined in dtsi.
Change-Id: Ie1c82b9321861e12226d4f903daa8bce1d0bc21a
Signed-off-by: Balakrishna Godavarthi <quic_bgodavar@quicinc.com>
Signed-off-by: Adesh Mohanrao Pathare <quic_adesmoha@quicinc.com>
Possible OOB Access array 'endpoint' of size '9' while calling
'log_packet_info' in below APIs:
get_htc_send_packets_credit_based()
get_htc_send_packets()
INT_MAX may be used to access array 'hif_ext_group->os_irq' of
size 16 in function hif_ipci_irq_set_affinity_hint().
Fix is to add index range check before accessing those arrays.
Change-Id: Iab40fe816d8dfcf1ffbf05987b11378ef0fe2572
CRs-Fixed: 3779968