summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2023-05-05qcacmn: Fix out-of-bounds of src_freqandroid-u-qpr1-beta-1_r0.6android-u-beta-5_r0.6android-u-beta-5.3_r0.6android-u-beta-5.2_r0.2android-u-beta-4_r0.6android-14.0.0_r0.47android-14.0.0_r0.12android-14.0.0_r0.1android-msm-redbull-4.19-u-beta5.3android-msm-redbull-4.19-u-beta5.2android-msm-redbull-4.19-u-beta5android-msm-redbull-4.19-u-beta4android-msm-redbull-4.19-android14-releaseandroid-msm-redbull-4.19-android14-qpr1-betaandroid-msm-redbull-4.19-android14Hsiu-Chang Chen
When handling WMI_ROAM_SCAN_STATS_EVENTID, the number of channels scanned for each roam trigger is fetched from wmi_roam_scan_info TLV (wmi_roam_scan_info->roam_scan_channel_count), The total number of channels for all the roam triggers is fetched from param_buf->num_roam_scan_chan_info. chan_idx is the index used to fetch the current channel info TLV to be read. So if wmi_roam_scan_info->roam_scan_channel_count provided by firmware exceeds the total param_buf->num_roam_scan_chan_info starting from given chan_idx then OOB access of event buffer can happen. To avoid this, validate the sum of the current chan_idx and src_data->roam_scan_channel_count against evt_buf->num_roam_scan_chan_info. Bug: 280447263 Test: Regression Test Change-Id: Ied94464d1f12690cf8832962b94595c2e00c33f8 CRs-Fixed: 3357714 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2022-12-25Merge android-msm-pixel-4.19-tm-qpr2 into android-msm-pixel-4.19android-u-preview-2_r0.1android-u-beta-3_r0.1android-u-beta-2_r0.1android-u-beta-2.1_r0.1android-u-beta-1_r0.2android-msm-redbull-4.19-u-preview-2android-msm-redbull-4.19-u-beta3android-msm-redbull-4.19-u-beta2android-msm-redbull-4.19-u-beta1PixelBot AutoMerger
SBMerger: 478053055 Change-Id: I30e8e19b3c5bf0f8b074c1ee90c85d667f5cd0f4 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2022-12-13qcacmn: Add a tid check for RX to avoid of OOB accessandroid-t-qpr3-beta-3_r0.2android-t-qpr3-beta-3.1_r0.2android-t-qpr3-beta-2_r0.2android-t-qpr3-beta-1_r0.2android-t-qpr2-beta-3_r0.2android-t-qpr2-beta-3.2_r0.3android-13.0.0_r0.81android-13.0.0_r0.72android-13.0.0_r0.67android-13.0.0_r0.62android-13.0.0_r0.122android-13.0.0_r0.111android-13.0.0_r0.102android-msm-redbull-4.19-t-qpr3-beta-3android-msm-redbull-4.19-t-qpr3-beta-2android-msm-redbull-4.19-t-qpr2-beta-3.2android-msm-redbull-4.19-android13-qpr3-beta1android-msm-redbull-4.19-android13-qpr3android-msm-redbull-4.19-android13-qpr2-betaandroid-msm-redbull-4.19-android13-qpr2Hsiu-Chang Chen
Tid in RX frame header may be larger than MAX TID allowed value, this will lead a out of boundary array access and lead to kernel crash at last. Change is aimed to do a TID check and discard such frame when necessary. Bug: 261470732 Test: Regression Test Change-Id: I11f312668a5a42d690c058550f22b0f36f952104 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> CRs-Fixed: 3264581
2022-01-16Merge android-msm-barbet-4.19-sc-qpr3 into android-msm-pixel-4.19android-u-preview-1_r0.1android-t-qpr2-beta-2_r0.2android-t-qpr2-beta-1_r0.3android-t-qpr1-beta-3_r0.1android-t-qpr1-beta-2_r0.3android-t-qpr1-beta-1_r0.2android-t-preview-2_r0.3android-t-beta-4_r0.3android-t-beta-3_r0.3android-t-beta-3.3_r0.3android-t-beta-3.2_r0.3android-t-beta-2_r0.3android-t-beta-1_r0.3android-13.0.0_r0.57android-13.0.0_r0.52android-13.0.0_r0.47android-13.0.0_r0.42android-13.0.0_r0.3android-13.0.0_r0.18android-13.0.0_r0.13android-msm-redbull-4.19-u-preview-1android-msm-redbull-4.19-t-qpr2-beta-1android-msm-redbull-4.19-t-qpr1-beta-2android-msm-redbull-4.19-t-preview-2android-msm-redbull-4.19-t-beta-4android-msm-redbull-4.19-t-beta-3android-msm-redbull-4.19-t-beta-2android-msm-redbull-4.19-t-beta-1android-msm-redbull-4.19-android13-qpr1-beta-3android-msm-redbull-4.19-android13-qpr1-betaandroid-msm-redbull-4.19-android13-qpr1android-msm-redbull-4.19-android13PixelBot AutoMerger
SBMerger: 410055097 Change-Id: I9f1307e0e17fc2a4b9368860af7f7d8494a723ac Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2022-01-16Merge android-msm-barbet-4.19-sc-v2 into android-msm-barbet-4.19-sc-qpr3android-s-qpr3-beta-3_r0.4android-s-qpr3-beta-2_r0.4android-s-qpr3-beta-1_r0.4android-12.1.0_r0.34android-12.1.0_r0.27android-msm-barbet-4.19-s-qpr3-beta-3android-msm-barbet-4.19-s-qpr3-beta-2android-msm-barbet-4.19-android12-qpr3PixelBot AutoMerger
SBMerger: 410055097 Change-Id: Idd8c7a1d289c2453f54572711c907347910e845e Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2022-01-09Merge android-msm-barbet-4.19-sc-qpr1 into android-msm-barbet-4.19-sc-v2android-s-v2-beta-3_r0.5android-12.1.0_r0.5android-12.1.0_r0.21android-12.1.0_r0.15android-msm-barbet-4.19-s-v2-beta-3android-msm-barbet-4.19-android12LPixelBot AutoMerger
SBMerger: 410055097 Change-Id: I68d7a72dae21b00816af2f2adf0a9d5dc8285673 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-12-12Merge android-msm-pixel-4.19-sc-v2 into android-msm-pixel-4.19PixelBot AutoMerger
SBMerger: 410055097 Change-Id: I5f5df6feeeff63e0c49d88597f925b2134fe32a8 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-12-12Merge android-msm-pixel-4.19-sc-qpr1 into android-msm-pixel-4.19-sc-v2android-s-v2-beta-3_r0.4android-s-qpr3-beta-3_r0.3android-s-qpr3-beta-2_r0.3android-s-qpr3-beta-1_r0.3android-12.1.0_r0.4android-12.1.0_r0.33android-12.1.0_r0.26android-12.1.0_r0.20android-12.1.0_r0.14android-msm-redbull-4.19-s-v2-beta-3android-msm-redbull-4.19-s-qpr3-beta-3android-msm-redbull-4.19-s-qpr3-beta-2android-msm-redbull-4.19-android12Landroid-msm-redbull-4.19-android12-qpr3PixelBot AutoMerger
SBMerger: 410055097 Change-Id: Ic93d1889ace993d5992a6a73e0990283614474ff Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-11-24Merge branch 'android-msm-barbet-4.19-sc-security' into ↵android-12.0.0_r0.41android-12.0.0_r0.35android-msm-barbet-4.19-android12-qpr1Eva Huang
android-msm-barbet-4.19-sc-qpr1 Jan 2022.1 Bug: 204278602 Change-Id: I3dad163c435883d099cdff4810b0ed2074fe7859
2021-11-24Merge branch 'android-msm-pixel-4.19-sc-security' into ↵android-12.0.0_r0.40android-12.0.0_r0.34android-msm-redbull-4.19-android12-qpr1Eva Huang
android-msm-pixel-4.19-sc-qpr1 Jan 2022.1 Bug: 204278602 Change-Id: Id846fa21d4982f0fad8954436c58af7ba5647575
2021-11-23qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handlerabhinav kumar
API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for the event with WMI_OEM_RESPONSE_EVENTID. Host receives "rsp->dma_len" from fw. The integer overflow occurs if "oem_rsp->dma_len" is big enough while calculating the total length of the Oem Data response buffer. Fix is to add a sanity check for rsp->dma_len to avoid integer overflow. Bug: 203032261 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Idfbd358f62534eae0147f03505ced5728877a269 CRs-Fixed: 3001191
2021-11-23qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handlerabhinav kumar
API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for the event with WMI_OEM_RESPONSE_EVENTID. Host receives "rsp->dma_len" from fw. The integer overflow occurs if "oem_rsp->dma_len" is big enough while calculating the total length of the Oem Data response buffer. Fix is to add a sanity check for rsp->dma_len to avoid integer overflow. Bug: 203032261 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Idfbd358f62534eae0147f03505ced5728877a269 CRs-Fixed: 3001191
2021-11-22qcacmn: Validate the buffer length in fips event handlerandroid-s-v2-beta-2_r0.5android-msm-barbet-4.19-android12-v2-beta-2Surya Prakash Sivaraj
In the WMI_PDEV_FIPS_EVENTID event handling, add a length check to validate if the buffer length sent by the firmware in fixed params is less than or equal to the actual buffer length before processing the data. Bug: 206300486 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: I7a952d3e3a2f66060451263b72118a52aa89dd06 CRs-Fixed: 3009887
2021-11-22qcacmn: Validate the buffer length in fips event handlerandroid-s-v2-beta-2_r0.4android-msm-redbull-4.19-android12-v2-beta-2Surya Prakash Sivaraj
In the WMI_PDEV_FIPS_EVENTID event handling, add a length check to validate if the buffer length sent by the firmware in fixed params is less than or equal to the actual buffer length before processing the data. Bug: 206300486 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: I7a952d3e3a2f66060451263b72118a52aa89dd06 CRs-Fixed: 3009887
2021-11-15qcacmn: Possible OOB read in process_fw_diag_event_dataabhinav kumar
API "fw_diag_data_event_handler" is the handler of an event WMI_DIAG_DATA_CONTAINER_EVENTID comes from FW. Arguments of this handler function come from FW. If num_data may be less than size of(struct wlan_diag_data), possible OOB while extracting event data. Fix is to add a sanity check for num_data to avoid the OOB read. Bug: 204909067 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Ia2eb62dbaa154936bdb4ea34065657d441f12810 CRs-Fixed: 3001178
2021-11-15qcacmn: Fix OOB read issue in SSID ieJyoti Kumari
During beacon or probe response, if channel is dfs && frame type is MGMT_SUBTYPE_BEACON, it would call "util_scan_add_hidden_ssid" to deal with the packet. If the ie id matches with SSID then OOB read may occur in ie_len as it is validated with upper bound of ie_ssid. Validate the ie length first. If it is more than 0 then copy memory to SSID which are equivalent to ie length. Bug: 204905738 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Ib5e2ab7f6f3337d4c3e5c240e3133d8f276be50a CRs-Fixed: 3007473
2021-11-15qcacmn: Validate the buffer length in rx mgmt handlerSurya Prakash Sivaraj
In the WMI_MGMT_RX_EVENTID event handling, add a length check to validate if the buffer length sent by the firmware is less than or equal to the actual buffer length. Bug: 204012850 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023 CRs-Fixed: 3001331
2021-11-15qcacmn: Fix possible OOB in wmi_extract_dbr_buf_release_entrysheenam monga
Currently in function wmi_extract_dbr_buf_release_entry, num_buf_release_entry & num_meta_data_entry are copied to direct_buf_rx_rsp structure without any validation which may cause out of bound issue if num_buf_release_entry or num_meta_data_entries provided in fixed param becomes greater than actual number of entries. Fix is to validate num_entries and num_meta_data before populating param->num_buf_release_entry and param->num_meta_data_entry. Bug: 202032183 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: I18050fd4f90f8815d7eceb5f715fdbaa09130d3a CRs-Fixed: 3000875
2021-11-15qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handlerabhinav kumar
API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for the event with WMI_OEM_RESPONSE_EVENTID. Host receives "rsp->dma_len" from fw. The integer overflow occurs if "oem_rsp->dma_len" is big enough while calculating the total length of the Oem Data response buffer. Fix is to add a sanity check for rsp->dma_len to avoid integer overflow. Bug: 203032261 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Idfbd358f62534eae0147f03505ced5728877a269 CRs-Fixed: 3001191
2021-11-15qcacmn: Possible OOB read in process_fw_diag_event_dataabhinav kumar
API "fw_diag_data_event_handler" is the handler of an event WMI_DIAG_DATA_CONTAINER_EVENTID comes from FW. Arguments of this handler function come from FW. If num_data may be less than size of(struct wlan_diag_data), possible OOB while extracting event data. Fix is to add a sanity check for num_data to avoid the OOB read. Bug: 204909067 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Ia2eb62dbaa154936bdb4ea34065657d441f12810 CRs-Fixed: 3001178
2021-11-15qcacmn: Fix OOB read issue in SSID ieJyoti Kumari
During beacon or probe response, if channel is dfs && frame type is MGMT_SUBTYPE_BEACON, it would call "util_scan_add_hidden_ssid" to deal with the packet. If the ie id matches with SSID then OOB read may occur in ie_len as it is validated with upper bound of ie_ssid. Validate the ie length first. If it is more than 0 then copy memory to SSID which are equivalent to ie length. Bug: 204905738 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Ib5e2ab7f6f3337d4c3e5c240e3133d8f276be50a CRs-Fixed: 3007473
2021-11-15qcacmn: Validate the buffer length in rx mgmt handlerSurya Prakash Sivaraj
In the WMI_MGMT_RX_EVENTID event handling, add a length check to validate if the buffer length sent by the firmware is less than or equal to the actual buffer length. Bug: 204012850 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023 CRs-Fixed: 3001331
2021-11-15qcacmn: Fix possible OOB in wmi_extract_dbr_buf_release_entrysheenam monga
Currently in function wmi_extract_dbr_buf_release_entry, num_buf_release_entry & num_meta_data_entry are copied to direct_buf_rx_rsp structure without any validation which may cause out of bound issue if num_buf_release_entry or num_meta_data_entries provided in fixed param becomes greater than actual number of entries. Fix is to validate num_entries and num_meta_data before populating param->num_buf_release_entry and param->num_meta_data_entry. Bug: 202032183 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: I18050fd4f90f8815d7eceb5f715fdbaa09130d3a CRs-Fixed: 3000875
2021-11-15qcacmn: Possible Integer overflow in wifi_pos_oem_rsp_handlerabhinav kumar
API "target_if_wifi_pos_oem_rsp_ev_handler" is the handler for the event with WMI_OEM_RESPONSE_EVENTID. Host receives "rsp->dma_len" from fw. The integer overflow occurs if "oem_rsp->dma_len" is big enough while calculating the total length of the Oem Data response buffer. Fix is to add a sanity check for rsp->dma_len to avoid integer overflow. Bug: 203032261 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Idfbd358f62534eae0147f03505ced5728877a269 CRs-Fixed: 3001191
2021-09-22Merge android-msm-pixel-4.19-sc-qpr1 into android-msm-pixel-4.19android-t-preview-1_r0.3android-msm-redbull-4.19-t-preview-1Lucas Wei
SBMerger: 379283923 Change-Id: I261e9f4421a0dde9225bf3fb90ec271e72b96c8b Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> Signed-off-by: Lucas Wei <lucaswei@google.com>
2021-09-19Merge android-msm-barbet-4.19-sc-qpr1 into android-msm-pixel-4.19PixelBot AutoMerger
SBMerger: 379283923 Change-Id: I71b016da81e84b9a413e398ea629e7568133fd5a Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-09-10qcacmn: Replace WMI_LOGI() with wmi_* appropriate log levelandroid-s-v2-beta-1_r0.4android-12.0.0_r0.24android-msm-redbull--s-v2-beta-1Srinivas Girigowda
Replace WMI_LOGI() with wmi_* appropriate log level. Bug: 199223496 Test: Basic function test Change-Id: I7b0c32a2aefc5eb300348edbc6a60e7ad0401439 CRs-Fixed: 2892422 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-09-10qcacmn: Replace WMI_LOGI() with wmi_* appropriate log levelandroid-s-v2-beta-1_r0.5android-12.0.0_r0.25android-msm-barbet-4.19-s-v2-beta-1Srinivas Girigowda
Replace WMI_LOGI() with wmi_* appropriate log level. Bug: 199223496 Test: Basic function test Change-Id: I7b0c32a2aefc5eb300348edbc6a60e7ad0401439 CRs-Fixed: 2892422 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-08-02Merge 'android-msm-barbet-4.19' into android-msm-pixel-4.19Lucas Wei
Bug: 194667419 Signed-off-by: Lucas Wei <lucaswei@google.com> Change-Id: I18b176b089c3988047a6cb2ffb90c4cedf23d322
2021-07-25Merge android-msm-barbet-4.19-sc into android-msm-barbet-4.19PixelBot AutoMerger
SBMerger: 379283923 Change-Id: I9fd640e63114b71bb6331e0ae3ae7140de857eab Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-07-25Merge android-msm-pixel-4.19-sc into android-msm-pixel-4.19PixelBot AutoMerger
SBMerger: 379283923 Change-Id: Iddca3c7bbc4bfc5d04c7ec923863324766ae6c69 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-07-15qcacmn: Register API to flush frags in dp peer opsandroid-s-beta-5_r0.6android-12.0.0_r0.7android-12.0.0_r0.15android-msm-barbet-4.19-s-beta-5android-msm-barbet-4.19-android12Yeshwanth Sriram Guntuka
Register dp_peer_flush_frags API in dp peer ops for flushing fragments for a particular peer. Bug: 175626671 Test: Regression test Change-Id: Ia179d3160bdc306ec965c465134042c66a0c40a6 CRs-Fixed: 2874366 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-07-15qcacmn: Register API to flush frags in dp peer opsandroid-s-beta-5_r0.5android-12.0.0_r0.6android-12.0.0_r0.14android-msm-redbull-4.19-s-beta-5android-msm-redbull-4.19-android12Yeshwanth Sriram Guntuka
Register dp_peer_flush_frags API in dp peer ops for flushing fragments for a particular peer. Bug: 175626671 Test: Regression test Change-Id: Ia179d3160bdc306ec965c465134042c66a0c40a6 CRs-Fixed: 2874366 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-07-04Merge android-msm-barbet-4.19-sc into android-msm-barbet-4.19PixelBot AutoMerger
SBMerger: 379283923 Change-Id: I15896ea7f766b46ac1897d3c6dba051f48b8a6a5 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-07-04Merge android-msm-barbet-4.19-rvc into android-msm-barbet-4.19-scPixelBot AutoMerger
SBMerger: 379283923 Change-Id: I17c5df63edbb43bd9f8fe8b71d1aaf838a115965 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-07-04Merge android-msm-pixel-4.19-sc into android-msm-pixel-4.19PixelBot AutoMerger
SBMerger: 379283923 Change-Id: If5d400924f40a1bb3b5935cd81c0ef19161c4ed9 Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-07-04Merge android-msm-pixel-4.19-rvc-qpr3 into android-msm-pixel-4.19-scandroid-s-beta-4_r0.5android-msm-redbull-4.19-s-beta-4PixelBot AutoMerger
SBMerger: 379283923 Change-Id: If8d1436d95d20e3930a05dd61b1bf7b7da486a5b Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-07-01qcacmn: handle IPA buffer smmu map/unmap correctlyJinwei Chen
Handle ipa buffer smmu map/unmap with below changes, (1) Do IPA smmu unmap for RX buffer received from REO exception/WBM RX release/REO DST/RXDMA DST ring. (2) Align IPA smmu map length to qdf_nbuf_map_nytes_single() with fixed length. Bug: 190403734 Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69 CRs-Fixed: 2728644 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-07-01qcacmn: handle IPA buffer smmu map/unmap correctlyJinwei Chen
Handle ipa buffer smmu map/unmap with below changes, (1) Do IPA smmu unmap for RX buffer received from REO exception/WBM RX release/REO DST/RXDMA DST ring. (2) Align IPA smmu map length to qdf_nbuf_map_nytes_single() with fixed length. Bug: 190403734 Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69 CRs-Fixed: 2728644 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-06-30qcacmn: handle IPA buffer smmu map/unmap correctlyandroid-11.0.0_r0.116android-11.0.0_r0.106android-msm-barbet-4.19-android11-d2Jinwei Chen
Handle ipa buffer smmu map/unmap with below changes, (1) Do IPA smmu unmap for RX buffer received from REO exception/WBM RX release/REO DST/RXDMA DST ring. (2) Align IPA smmu map length to qdf_nbuf_map_nytes_single() with fixed length. Bug: 190403734 Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69 CRs-Fixed: 2728644 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> (cherry picked from commit bc3b0905f268c6cf64268be944ac2a28d75fa8a4)
2021-06-30Merge branch 'android-msm-pixel-4.19-rvc-security' into ↵android-11.0.0_r0.115android-11.0.0_r0.105android-msm-redbull-4.19-android11-qpr3Eva Huang
android-msm-pixel-4.19-rvc-qpr3 Sep 2021.1 Bug: 192411697 Change-Id: I189118f0e3889120068f48c5dde4f8e337a3e2a2
2021-06-26qcacmn: handle IPA buffer smmu map/unmap correctlyJinwei Chen
Handle ipa buffer smmu map/unmap with below changes, (1) Do IPA smmu unmap for RX buffer received from REO exception/WBM RX release/REO DST/RXDMA DST ring. (2) Align IPA smmu map length to qdf_nbuf_map_nytes_single() with fixed length. Bug: 190403734 Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69 CRs-Fixed: 2728644 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-06-26qcacmn: handle IPA buffer smmu map/unmap correctlyJinwei Chen
Handle ipa buffer smmu map/unmap with below changes, (1) Do IPA smmu unmap for RX buffer received from REO exception/WBM RX release/REO DST/RXDMA DST ring. (2) Align IPA smmu map length to qdf_nbuf_map_nytes_single() with fixed length. Bug: 190403734 Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69 CRs-Fixed: 2728644 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-06-27qcacmn: handle IPA buffer smmu map/unmap correctlyJinwei Chen
Handle ipa buffer smmu map/unmap with below changes, (1) Do IPA smmu unmap for RX buffer received from REO exception/WBM RX release/REO DST/RXDMA DST ring. (2) Align IPA smmu map length to qdf_nbuf_map_nytes_single() with fixed length. Bug: 190403734 Change-Id: I1ed46b31ed31f5b7e4e2484d519bc85d35ce1e69 CRs-Fixed: 2728644 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
2021-06-13Merge android-msm-barbet-4.19-rvc into android-msm-barbet-4.19PixelBot AutoMerger
SBMerger: 351186807 Change-Id: I88a68b1b365198831291b8b4fb9bad174558d62f Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-06-07Merge remote-tracking branch 'android-msm-barbet-4.19-rvc-security' into ↵achigoliu
android-msm-barbet-4.19-rvc Aug 2021.1 Bug: 189715888 Bug: 189715042 Change-Id: I63eedce965f031c99291a594f7a3f1e876f0ce80
2021-06-06Merge android-msm-pixel-4.19-rvc-qpr3 into android-msm-pixel-4.19android-s-beta-3_r0.5android-msm-redbull-4.19-s-beta-3PixelBot AutoMerger
SBMerger: 351186807 Change-Id: I923e3f5d28dc0ad507aec3686e8d2c4ce2fd096d Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
2021-06-03Merge branch 'android-msm-pixel-4.19-rvc-security' into ↵android-11.0.0_r0.100Eva Huang
android-msm-pixel-4.19-rvc-qpr3 Aug 2021.1 Bug: 189715888 Change-Id: I7e2510f0b1d97ea72ae908563e2044f7ddcc1f69
2021-06-03qcacmn: Avoid checking extcaps byte if equal to IE lenAditya Sathish
Reading extcaps from the scan entry currently checks if the byte to be accessed is less than the length of the IE. Following this, it will attempt to access the extcap IE using the requested byte as the index. Avoid accessing the extcap IE if the byte is greater than one less than the ie_len (since indexing starts from zero). Bug: 184561362 CRs-Fixed: 2856212 Change-Id: Ie357edcd6095570c05871af657381c287e92504e Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> (cherry picked from commit cfd42be7efa8b409ec4614fc41659475ef6e04f4)
2021-06-02qcacmn: Fix NULL pointer access for mac address loggingRakesh Pillai
The mac address is tried to be logged from a NULL bss data pointer, which leads to unwanted behavior. Remove the logging of mac address from the NULL bss data pointer. Bug: 182471523 Test: Regression Test Change-Id: I83a9e8b1dac0bd4983bf074863987d39187f9db9 CRs-Fixed: 2761731 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-08 04:22:50 +0000