From 224f4b6a8e0bc21854434e2d83cdcc5daf33af04 Mon Sep 17 00:00:00 2001 From: Rajeev Kumar Date: Wed, 5 Feb 2014 10:19:20 -0800 Subject: qcacld: Fix of kernel panic in LIM MLM response handler In limProcessSwitchChannelJoinReq() adding null pointer check for pLimJoinReq and also making sure pointer is valid before freeing it. Change-Id: I3cf3dc9299bf9a31ece9e1b126ade2994ea0faad CRs-fixed: 611685
---
 CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c b/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
index 489b96689ab1..4cff521738f2 100644
--- a/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
@@ -3611,7 +3611,8 @@ static void limProcessSwitchChannelJoinReq(tpAniSirGlobal pMac, tpPESession pses
 goto error;
 }
- if ( (NULL == psessionEntry ) || (NULL == psessionEntry->pLimMlmJoinReq) )
+ if ( (NULL == psessionEntry ) || (NULL == psessionEntry->pLimMlmJoinReq) ||
+ (NULL == psessionEntry->pLimJoinReq) )
 {
 PELOGE(limLog(pMac, LOGE, FL("invalid pointer!!"));)
 goto error;
@@ -3674,8 +3675,16 @@ static void limProcessSwitchChannelJoinReq(tpAniSirGlobal pMac, tpPESession pses
 error:
 if(NULL != psessionEntry)
 {
- vos_mem_free(psessionEntry->pLimMlmJoinReq);
- psessionEntry->pLimMlmJoinReq = NULL;
+ if (psessionEntry->pLimMlmJoinReq)
+ {
+ vos_mem_free(psessionEntry->pLimMlmJoinReq);
+ psessionEntry->pLimMlmJoinReq = NULL;
+ }
+ if (psessionEntry->pLimJoinReq)
+ {
+ vos_mem_free(psessionEntry->pLimJoinReq);
+ psessionEntry->pLimJoinReq = NULL;
+ }
 mlmJoinCnf.sessionId = psessionEntry->peSessionId;
 }
 else
--
cgit v1.2.3
From c1b2e112a71dac28d3eb35cfd49318b30706f9d8 Mon Sep 17 00:00:00 2001
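Review bot: The widened guard in the first hunk now rejects three different NULL pointers but still logs the single message `invalid pointer!!`, so a crash-triage log cannot tell whether the session, pLimMlmJoinReq or pLimJoinReq was missing. A comment above the check would document why the third pointer matters, for example `/* pLimJoinReq is used further down this handler; bail out if it was already released */`, and naming the failing field in the log text would make field reports actionable. The body of limProcessSwitchChannelJoinReq() starts and ends outside the hunk, so where pLimJoinReq is dereferenced is inferred from the commit message rather than visible here.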
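Review bot: The `error:` path in the second hunk now frees psessionEntry->pLimJoinReq as well, which makes this handler an owner of a buffer that, judging by its name, is allocated by the join-request path rather than by MLM. Clearing the field after vos_mem_free() only protects code that re-reads the pointer from the session; anything that cached the pointer before this handler ran would still hold a dangling reference. An ownership comment on the block would make the contract explicit, e.g. `/* Join failed: both request buffers are released here and cleared so later session cleanup does not free them again */`. The code that consumes mlmJoinCnf after this block is outside the hunk, so whether it still expects pLimJoinReq to be valid should be confirmed.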
From: Rajeev Kumar Date: Tue, 4 Feb 2014 16:32:07 -0800 Subject: qcacld: Fix of double free panic for P2P message In CLD SLUB debug build double free is considered as panic so whenever a pointer which is not allocated using VOS API is freed using VOS API SLUB debug driver treats it as a double free and calls panic. Using vos_mem_malloc to allocate message for SIR_HAL_P2P_NOA_ATTR_IND in WMA which is later freed in PE using vos_mem_free(). Change-Id: Id97c453b2676b4fe81f12e7067c961e854592745 CRs-Fixed: 611488
---
 CORE/SERVICES/WMA/wma.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 6cfd67315154..64da3364afec 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -1348,15 +1348,14 @@ static void wma_update_noa(struct beacon_info *beacon,
 static void wma_update_probe_resp_noa(tp_wma_handle wma_handle, struct p2p_sub_element_noa *noa_ie)
 {
- tSirP2PNoaAttr *noa_attr = (tSirP2PNoaAttr *) adf_os_mem_alloc(
- NULL, sizeof(tSirP2PNoaAttr));
+ tSirP2PNoaAttr *noa_attr = (tSirP2PNoaAttr *) vos_mem_malloc(sizeof(tSirP2PNoaAttr));
 WMA_LOGD("Received update NoA event");
 if (!noa_attr) {
 WMA_LOGE("Failed to allocate memory for tSirP2PNoaAttr");
 return;
 }
- adf_os_mem_set(noa_attr, 0, sizeof(tSirP2PNoaAttr));
+ vos_mem_zero(noa_attr, sizeof(tSirP2PNoaAttr));
 noa_attr->index = noa_ie->index;
 noa_attr->oppPsFlag = noa_ie->oppPS;
--
cgit v1.2.3
From 000a3c1ae7dea5e88f2d75c88746287a6d2c7aec Mon Sep 17 00:00:00 2001 From: Deepak Dhamdhere Date: Wed, 5 Feb 2014 12:57:20 -0800 Subject: qcacld: Populate bssid field after roaming ADD_BSS WDA_ADD_BSS_REQ is completed asynchronously in case of roaming reassociation through different code path. Interface bssid needs to be updated in that path too. Change-Id: I83d0b293ebf86a7a62387e311566aa33d4fad173 CRs-Fixed: 610379
---
 CORE/SERVICES/WMA/wma.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
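Review bot: Allocating noa_attr with vos_mem_malloc() in wma_update_probe_resp_noa() fixes the pairing only for the path where PE frees the message; the rest of the function lies outside the hunk, and any failure path there that still releases noa_attr with `adf_os_mem_free()` would now be the mismatched free that the SLUB debug build reports. The allocator/free pairing is an implicit cross-module contract, so it is worth stating at the allocation, e.g. `/* Freed by PE with vos_mem_free() when it handles SIR_HAL_P2P_NOA_ATTR_IND; must be allocated with vos_mem_malloc() */`. As a style point, `vos_mem_malloc(sizeof(*noa_attr))` without the cast keeps the size tied to the variable's type.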
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 64da3364afec..bc769fcd449e 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -551,7 +551,7 @@ static int wma_vdev_start_resp_handler(void *handle, u_int8_t *cmd_param_info,
 return -EINVAL;
 }
 vos_timer_stop(&req_msg->event_timeout);
- iface = &wma->interfaces[resp_event->vdev_id];
+ iface = &wma->interfaces[resp_event->vdev_id];
 if (req_msg->msg_type == WDA_CHNL_SWITCH_REQ) {
 tpSwitchChannelParams params = (tpSwitchChannelParams) req_msg->user_data;
@@ -578,6 +578,7 @@ static int wma_vdev_start_resp_handler(void *handle, u_int8_t *cmd_param_info,
 wma_send_msg(wma, WDA_SWITCH_CHANNEL_RSP, (void *)params, 0);
 } else if (req_msg->msg_type == WDA_ADD_BSS_REQ) {
 tpAddBssParams bssParams = (tpAddBssParams) req_msg->user_data;
+ vos_mem_copy(iface->bssid, bssParams->bssId, ETH_ALEN);
 wma_vdev_start_rsp(wma, bssParams, resp_event);
 }
 vos_timer_destroy(&req_msg->event_timeout);
--
cgit v1.2.3
From 561223a55a5db52ea6a2142f307b7e06d9542e54 Mon Sep 17 00:00:00 2001 From: Rajeev Kumar Date: Wed, 5 Feb 2014 16:04:14 -0800 Subject: qcacld: Fix of kernel panic caused by dangling pMac pointer Fixing the race condition between driver unload worker thread and over the air ack completion worker thread scheduled by WMA Change-Id: I41c9ad6e4ae49597ba8cc954b170d7744ebb950e CRs-Fixed: 611973
---
 CORE/SERVICES/WMA/wma.c | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index bc769fcd449e..a661cdf8ef44 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
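Review bot: The added `vos_mem_copy(iface->bssid, bssParams->bssId, ETH_ALEN);` in the second hunk writes through `iface`, which the first hunk shows is taken from `&wma->interfaces[resp_event->vdev_id]` with an index carried in the firmware response event. No range check on vdev_id is visible in either hunk; if none exists earlier in wma_vdev_start_resp_handler() (its start is outside the hunks), a bad index now results in an out-of-bounds write of ETH_ALEN bytes. Validate before indexing, e.g. `if (resp_event->vdev_id >= <number of entries in wma->interfaces>) return -EINVAL;`, and check `bssParams` for NULL before the copy, since it comes straight from `req_msg->user_data`.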
@@ -12688,11 +12688,18 @@ static int wma_process_receive_filter_clear_filter_req(tp_wma_handle wma_handle,
 static void wma_data_tx_ack_work_handler(struct work_struct *ack_work)
 {
- struct wma_tx_ack_work_ctx *work = container_of(ack_work,
- struct wma_tx_ack_work_ctx, ack_cmp_work);
- tp_wma_handle wma_handle = work->wma_handle;
- pWDAAckFnTxComp ack_cb =
- wma_handle->umac_data_ota_ack_cb;
+ struct wma_tx_ack_work_ctx *work;
+ tp_wma_handle wma_handle;
+ pWDAAckFnTxComp ack_cb;
+
+ if (vos_is_load_unload_in_progress(VOS_MODULE_ID_WDA, NULL)) {
+ WMA_LOGE("%s: Driver load/unload in progress", __func__);
+ return;
+ }
+
+ work = container_of(ack_work, struct wma_tx_ack_work_ctx, ack_cmp_work);
+ wma_handle = work->wma_handle;
+ ack_cb = wma_handle->umac_data_ota_ack_cb;
 WMA_LOGD("Data Tx Ack Cb Status %d", work->status);
@@ -14575,19 +14582,28 @@ static int wma_scan_event_callback(WMA_HANDLE handle, u_int8_t *data,
 static void wma_mgmt_tx_ack_work_handler(struct work_struct *ack_work)
 {
- struct wma_tx_ack_work_ctx *work = container_of(ack_work,
- struct wma_tx_ack_work_ctx, ack_cmp_work);
- pWDAAckFnTxComp ack_cb =
- work->wma_handle->umac_ota_ack_cb[work->sub_type];
+ struct wma_tx_ack_work_ctx *work;
+ tp_wma_handle wma_handle;
+ pWDAAckFnTxComp ack_cb;
+
+ if (vos_is_load_unload_in_progress(VOS_MODULE_ID_WDA, NULL)) {
+ WMA_LOGE("%s: Driver load/unload in progress", __func__);
+ return;
+ }
+
+ work = container_of(ack_work, struct wma_tx_ack_work_ctx, ack_cmp_work);
+ wma_handle = work->wma_handle;
+ ack_cb = wma_handle->umac_ota_ack_cb[work->sub_type];
 WMA_LOGD("Tx Ack Cb SubType %d Status %d", work->sub_type, work->status);
 /* Call the Ack Cb registered by UMAC */
- ack_cb((tpAniSirGlobal)(work->wma_handle->mac_context),
+ ack_cb((tpAniSirGlobal)(wma_handle->mac_context),
 work->status ? 0 : 1);
 adf_os_mem_free(work);
+ wma_handle->ack_work_ctx = NULL;
 }
 /**
--
cgit v1.2.3
From 4f5f1cece81eb68145d0b01c03548d4cf560ff18 Mon Sep 17 00:00:00 2001
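Review bot: The `vos_is_load_unload_in_progress()` test at the top of wma_data_tx_ack_work_handler(), and the identical one in wma_mgmt_tx_ack_work_handler() in the next hunk, narrows the race but does not close it: unload can begin right after the check returns false, and the handler then dereferences `work->wma_handle` and calls `ack_cb` with `mac_context` exactly as before. The early `return` also skips `adf_os_mem_free(work)`, so unless the unload path releases the context through `ack_work_ctx` the work item is leaked on that path. A more robust fix is for the unload path to wait for the work item with `cancel_work_sync()` on `ack_cmp_work` before the WMA handle and MAC context are torn down; that code is outside this diff, so whether it already does so cannot be confirmed here. The data handler's body continues past the end of its hunk.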
From: Leo Chang Date: Wed, 5 Feb 2014 18:13:38 -0800 Subject: wlan: CLD crash wiht too many log fix STA registration into TL SHIM module happen with MC thread. TX push frame into TL SHIM module happen with SFT IRQ context. Whatever reason, if STA registration is delayed, SFT IRQ will preempt MC thread. Then SFT IRQ push frame will print MSG and drop frame. When drop packet, too many log printed with error level. Then system crash happen with do timeout. Delayed STA registration may happen time to time. Drop packet with this situation is not critical error. Lower log level is needed. Change-Id: Ibe4ab8a3be36d827866ada145506a190362392e0 CRs-fixed: 612064
---
 CORE/CLD_TXRX/TLSHIM/tl_shim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CORE/CLD_TXRX/TLSHIM/tl_shim.c b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
index fcd2955aaf84..ef00f2d6fe26 100644
--- a/CORE/CLD_TXRX/TLSHIM/tl_shim.c
+++ b/CORE/CLD_TXRX/TLSHIM/tl_shim.c
@@ -915,7 +915,7 @@ adf_nbuf_t WLANTL_SendSTA_DataFrame(void *vos_ctx, u_int8_t sta_id,
 }
 if (!tl_shim->sta_info[sta_id].registered) {
- TLSHIM_LOGE("Staion is not yet registered for data service");
+ TLSHIM_LOGW("Staion is not yet registered for data service");
 return skb;
 }
--
cgit v1.2.3
From a4c31946dea5fc50b8bae7247089b4ba330156c7 Mon Sep 17 00:00:00 2001 From: Rakesh Sunki Date: Wed, 5 Feb 2014 19:49:23 -0800 Subject: qcacld: Reduce the frequency of DFS kernel logging Change the frequency of dfs invalid phyerror logging to avoid flushing the kernel logs in a very noisy environment. Change-Id: Ic04bb6764ae825a5a2cf5c06fe3eaf59b9463ac6 CRs-Fixed: 612183
---
 CORE/SERVICES/DFS/src/dfs_phyerr_tlv.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)
diff --git a/CORE/SERVICES/DFS/src/dfs_phyerr_tlv.c b/CORE/SERVICES/DFS/src/dfs_phyerr_tlv.c
index 7458461c1cfd..09203a357999 100644
--- a/CORE/SERVICES/DFS/src/dfs_phyerr_tlv.c
+++ b/CORE/SERVICES/DFS/src/dfs_phyerr_tlv.c
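Review bot: Switching the unregistered-station message to `TLSHIM_LOGW` still emits one log line per dropped frame from the transmit path, so the flood described in the commit message comes back whenever warning-level output is enabled. Rate limiting the message addresses the cause rather than the level, e.g. `if (printk_ratelimit()) TLSHIM_LOGW("Staion is not yet registered for data service");`, with a comment such as `/* Registration can lag the first TX frames; drop quietly, this is not an error */`. The rest of WLANTL_SendSTA_DataFrame() is outside the hunk.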
@@ -595,6 +595,7 @@ dfs_process_phyerr_bb_tlv(struct ath_dfs *dfs, void *buf, u_int16_t datalen,
 {
 struct rx_radar_status rs;
 struct rx_search_fft_report rsfr;
+ static int invalid_phyerr_count = 0;
 OS_MEMZERO(&rs, sizeof(rs));
@@ -605,14 +606,25 @@ dfs_process_phyerr_bb_tlv(struct ath_dfs *dfs, void *buf, u_int16_t datalen,
 */
 rs.rssi = rssi;
 rs.raw_tsf = rs_tstamp;
-
 /*
 * Try parsing the TLV set.
 */
 if (! tlv_parse_frame(dfs, &rs, &rsfr, buf, datalen, rssi)){
- VOS_TRACE(VOS_MODULE_ID_SAP, VOS_TRACE_LEVEL_ERROR, "%s[%d]:DFS tlv parse frame FAILED",
- __func__,__LINE__);
- return (0);
+ invalid_phyerr_count++;
+ /*
+ * Print only at every 2 power times
+ * to avoid flushing of the kernel
+ * logs, since the frequency of
+ * invalid phyerrors is very high
+ * in noisy environments.
+ */
+ if ( !(invalid_phyerr_count & 0xFF) )
+ {
+ VOS_TRACE(VOS_MODULE_ID_SAP, VOS_TRACE_LEVEL_DEBUG,
+ "%s[%d]:DFS-tlv parse failed invalid phyerror count = %d",
+ __func__,__LINE__, invalid_phyerr_count);
+ }
+ return (0);
 }
 /* For debugging, print what we have parsed */
 radar_summary_print(dfs, &rs);
--
cgit v1.2.3
From 5acabcff3611784218cb8e9a901ba423e15db180 Mon Sep 17 00:00:00 2001 From: Prakash Dhavali Date: Thu, 6 Feb 2014 15:04:36 -0800 Subject: qcacld: Release 1.0.0.30 Caf Staging qcacld: Release 1.0.0.30 Caf Staging Change-Id: Idb20070e2011e55356d5253dbd83a3204d694e8c
---
 CORE/MAC/inc/qwlan_version.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/CORE/MAC/inc/qwlan_version.h b/CORE/MAC/inc/qwlan_version.h
index 9029ab40fb51..cdf522fde2e2 100644
--- a/CORE/MAC/inc/qwlan_version.h
+++ b/CORE/MAC/inc/qwlan_version.h
@@ -42,9 +42,9 @@ BRIEF DESCRIPTION:
 #define QWLAN_VERSION_MINOR 0
 #define QWLAN_VERSION_PATCH 0
 #define QWLAN_VERSION_EXTRA ""
-#define QWLAN_VERSION_BUILD 29
+#define QWLAN_VERSION_BUILD 30
-#define QWLAN_VERSIONSTR "1.0.0.29"
+#define QWLAN_VERSIONSTR "1.0.0.30"
 #ifdef QCA_WIFI_2_0
--
cgit v1.2.3
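Review bot: `invalid_phyerr_count` in dfs_process_phyerr_bb_tlv() is a function-local `static int` that is incremented on every failed parse with no bound, so in the noisy environment the commit describes it will eventually overflow a signed int, which is undefined behaviour in C. Being static, it is also shared by every `struct ath_dfs` instance and updated without locking if this function can run concurrently; that cannot be determined from the hunks. Declaring it unsigned, `static u_int32_t invalid_phyerr_count;` with `%u` in the trace, makes the wrap well defined and keeps the `& 0xFF` test valid, and a counter stored per dfs instance would keep the reported number meaningful per radio. The added comment says "every 2 power times" while the code logs every 256th failure; `/* Log only every 256th invalid phyerror to avoid flooding the kernel log */` would match the code.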