Age | Commit message (Collapse) | Author |
|
OOB read/write possible in get_svc_hash() since it convert character until the string meets null terminated
Added null terminated character before calling it.
Bug: 261857862
Test: Checked with lldb
Change-Id: Id998c69ca1dccbd3108c2e78f065521cdac45135
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
|
|
service_specific_info_len sets as serviceSpecificInfo.size()
In case of the len equals sizeof(service_specific_info), OOB write possible.
Bug: 261857623
Test: tested with poc program
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
Change-Id: Ifdaaf475555fd4c9836758d2e804fcee4f822a89
|
|
len could be sizeof(pub_term_event.nan_reason) and null terminated string could be overwritten. It may cause oob read.
Added null terminated string to reason after memcpy
Bug: 258535606
Test: build done
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
Change-Id: I4d13b4e69a751352ebba4d370f7dbdeafa7d4787
|
|
Exceeds the maximum registered cmd count.
"WifiHAL : Failed to add command 2: 0xb400007181ce01d0 at 64, reached max limit 64"
[Analysis]
11-04 20:49:53.142 875 875 V WifiHAL : registering command 0 - (LogHandler, set by framework)
11-04 20:49:53.142 875 875 V WifiHAL : registering command 2 - (FILE_DUMP_REQUEST_ID)
11-04 20:49:58.104 875 875 V WifiHAL : un-registering command 0 - (LogHandler, set by framework)
the cmd(FILE_DUMP_REQUEST_ID) is not un-registered and it causes to exceed the maximum cmd count.
[Reproduce the issue]
It is reproduced when enable/disable logging around 64 times on the Pixel Logger app.
[Solution]
Fixed to un-register the cmd(FILE_DUMP_REQUEST_ID) when wifi_reset_log_handler is called.
Bug:256994683
Test: passed reproduction test
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
Change-Id: I472262817c3fb76c848ec0531e0f7a60c26ec762
|
|
|
|
|
|
[Analysis]
This is a concurrency issue when the framework calls HalStop operation during RingDump operation for Bugreport.
Context #1 - WifiLegacyHal::stop() => global_func_table_.wifi_cleanup() => wifi_cleanup() => RingDump::cancel() => free(mBuff);
Context #2 - RingDump::handleEvent(GOOGLE_FILE_DUMP_EVENT) => malloc mBuff => freeup(mBuff) => free(mBuff);
possible scenario - RingDump::handleEvent() on #2 => malloc mBuff on #2 => WifiLegacyHal::stop() on #1 => global_func_table_.wifi_cleanup() on #1 => wifi_cleanup() on #1 => RingDump::cancel() on #1=> free(mBuff) on #1 => freeup(mBuff) => free(mBuff) on #2;
[Reproduce]
Added sleep() in RingDump:handleEvent() to reproduce.
It will help to make concurrency case easily.
1. "lshal debug android.hardware.wifi@1.6::IWifi >> /dev/null" # Trigger RingDump
2. During the sleep time, run "kill -9 $(pgrep wpa_supplicant)" # It will trigger HAL stop operation
The crash signature is the same as the issue Google reported.
[Solution]
the mBuff should be manipulated in RingDump::handleEvent() and RingDump::handleResponse() only.
Need to avoid controlling mBuff in RingDump:cancel().
Bug: 254602785
Test: Passed the way to reproduce.
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.com>
Change-Id: I206abaf2200d5182de2ff5f0d8850f703279a870
|
|
Issue:
Continuous "WifiHAL : Failed to add command 253272: 0xb400007edaf95de0 at 64, reached max limit 64" error has occurred while running the multiple AP RTT
Analysis:
When vendor hal is sent with the range_request, each request is registered as cmd and there is a max limit to register the cmd which is 64.
In this error case, because of below 2 reasons, register_cmd max limit can be hit.
1. Missing the corresponding RTT event, upon which cmd is unregistered.
2. Missing the cancel range request, as part of the range_cancel request, unregistering the cmd need to be there, which is missing.
Need to check why rtt event event is getting missed and need to make sure of the canceling the cmd when range_cancel is receieved.
Fix:
Adding the missing unregister_cmd call and more logs.
Bug: 250396851
Test: RTT comms test done. No regressions observed.
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.com>
Change-Id: I049d7d00151c0b3fbf0de721cd18d8185f1bfddc
|
|
Create and delete the NDIs using the kernel defined
wl_cfg80211_ops api instead of vendor api to remove the dependency on the rtnl lock
Test: Verified Wifi-Aware ACTS
Bug:226984257
Signed-off-by: Ajay Davanageri <ajay.davanageri@broadcom.com>
Change-Id: Iedc58caaab1c91f94a3a148a43e130e24f9a1bdc
|
|
Currently, an event has only a log entry. it is not efficient.
As a simple idea, It can be optimized that multiple log entries can be packed into an event.
Bug: 233102491
Test: SVT test cycle
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.com>
Change-Id: Id833be2e6bc8acc5980d42feca6429a1bd5e71f3
Merged-In: Id833be2e6bc8acc5980d42feca6429a1bd5e71f3
|
|
If NAN is disabled in the kernel, then the NAN mac control will be NULL
which can lead to a NPE during nan_disable_request(). Make sure to check
mac_prim for NULL before dereferencing it.
Bug: 226984257
Change-Id: I535fbae186eee2f62a01376b439629bd51b76460
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/18964908
Change-Id: I1ac4605e9edc5086d887743dc37ee847049a4a3f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Multiple hal daemon crash issues which occured by memcpy with invalid address are reported.
#00 pc 000000000004edcc /apex/com.android.runtime/lib64/bionic/libc.so (__memcpy+284) (BuildId: f4bbb65957cf1dbe210e337f4656bdbc)
#01 pc 00000000000388f8 /vendor/lib64/libwifi-hal.so (GetLinkStatsCommand::handleResponse(WifiEvent&)+1016) (BuildId: 17e0eae73546034631ce75e7dc274029)
#02 pc 0000000000026260 /vendor/lib64/libwifi-hal.so (WifiCommand::response_handler(nl_msg*, void*)+160) (BuildId: 17e0eae73546034631ce75e7dc274029)
In some cases, this call flow can be proccessed even this code is deprecated.
so, we can remove this code to avoid hal daemon crash issue
Bug: 235782242
Test: halutil -stats
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.com>
Change-Id: Ibc316e5087b8ed5ea0eac5311c103ff722ab4ef0
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/18910392
Change-Id: I0bdbca50e13ff9a08e632161923a060062e5eaee
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
In case of pre-init failure, HAL damon can be crashes by CHECK macro if the subsequent process is performed.
It should be returned error code and induce retry.
Bug: 235041267
Test: Basic function works fine
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.com>
Change-Id: I2f33e0ebb9d1f8717284965ac1581c28443c7c2e
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/18728846
Change-Id: If252a2a8b44d06ae2b6c218ca3ae5bb07155c510
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
According to the log, it seems different who calls interface deletion.
- Typically, interface deletion is preceded by WPKTRT->LegacyHAL->WifiHAL before hal stop.
- In issue case, interface deletion performed by wifi_cleanup()->wifi_virtual_interface_delete.
100% not sure, hal seems to be stuck if the interface is deleted after hal stopping.
Typically, the interface is deleted before wifi_cleanup().
So, fixed to precede interface deletion before hal stopping to avoid hal stuck if virtual interface is left in wifi_cleanup context.
It looks reasonable. And added more logs to debug later.
Bug: 234098317
Test: Basic function works fine.
Signed-off-by: Damon Kim <taekhun.kim@broadcom.com>
Change-Id: I611ee110f02933d0513eeabd70e84edc949439d1
|
|
18ce00799c
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/18219321
Change-Id: Ic7d6a680531a73f6fee1440e076c9b7176af9cd5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
|
|
Bug: 215193418
Test: Verified using the halutil cli
Signed-off-by: Ajay Davanageri <ajay.davanageri@broadcom.com>
Change-Id: I488a9630eaa04e72031b7919b9bc8e18bcfa83b8
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/18230585
Change-Id: Iad938be05c7585c259bc53cf1ff19744e54b6a47
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/18230585
Change-Id: If207ecd6a641a41d8f2b97b196630e641b9f456f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Extend supporting table
Bug: 231662351
Bug: 231661700
Test: files can be loaded correctly
Change-Id: Ib339b0c7d4b5a1e1b2bb34da22755dd14100a08e
|
|
GOOGLE_FILE_DUMP_EVENT" into tm-dev am: 79464da5e6 am: 7be3e13264
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/17887004
Change-Id: I9a6e2f9e34b3ba6fae48be333d7c5ed2e7eba7ec
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
GOOGLE_FILE_DUMP_EVENT" into tm-dev am: 79464da5e6
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/17887004
Change-Id: I8e422c583520a0975343de0427fa923701d16789
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
GOOGLE_FILE_DUMP_EVENT" into tm-dev
|
|
e5bd58b920
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/17899764
Change-Id: I8efba271cacd7928e6d15ba7a47d48651e73375c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/17899764
Change-Id: Ia0e44df272dcd189ee8c1231088ab14beb5af0d6
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Local pthread_mutex_lock in handleResponse() is not required,
as all the vendor hal apis from legacy Hal are protected with the GlobalLock .
bug:228092853
Test: Verified on oriole platform
Signed-off-by: Ajay Davanageri <ajay.davanageri@broadcom.com>
Change-Id: I77df86dd3f794c4e260af60d979ff81c7074ef9e
|
|
When DHD sends GOOGLE_FILE_DUMP_EVENT, PKTID logs are included as well.
In order to dump them properly, some attributes for PKTID logs have been added.
Bug: 229551181
Test: verified on device and PKDID dump can be find in debug dump.
Signed-off-by: Ajay Davanageri <ajay.davanageri@broadcom.com>
Change-Id: I4a49db204dac945bb352911f79963d0673333889
|
|
pre-emption am: 46e29fefb5 am: 39bb9bc7a8
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/17325853
Change-Id: I9646800e82096468c4fc60ce38f624945dd0e4c3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
pre-emption am: 46e29fefb5
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/17325853
Change-Id: I41fa72c651f152d45532efb271c93f6be7b63294
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
|
|
Bug: 206614765
Test: Have CHRE interact with APIs and validate NAN session starts
Test: Use halutil commands to verify no crash happens
Signed-off-by: naveen.cprg <naveen.cprg@broadcom.com>
Change-Id: Ie181c0e666365cc5630b2461f2c13fa609698610
|
|
Bug: 217699915
Test: Verified build in hikey960
Test: Basic function works fine on C10
Signed-off-by: Ajay Davanageri <ajay.davanageri@broadcom.com>
Change-Id: I296ff7dc075fde574b5ec1356fd79f99117ef52a
|
|
|
|
When dhd_mem_dump() ocrrus, DHD sends bulky data to HAL through netlink socket for debugging.
This sometimes overruns the socket buffer and drops important events.
To avoid this, replace socket event-based communication with memcpy-based(copy_to_user) for vulky data
BUG: 205673231
Test: sanity test passed
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
Change-Id: I3e324ae528752069943cbfaca08c98cf90edddf7
|
|
Bug: 219106895
Test: Verified ACTS on oriole platform
Signed-off-by: Ajay Davanageri <ajay.davanageri@broadcom.com>
Change-Id: Ibd74ea10e51c0438f0f24cfad8eb7527fbd365f4
(cherry picked from commit b9d7856f62d9daf1c0326964e044efb4f7ee9c32)
Merged-In: Ibd74ea10e51c0438f0f24cfad8eb7527fbd365f4
|
|
10ea65c0a1 -s ours am: 01303706e3 -s ours
am skip reason: Merged-In I3f481ff3c48d84971d4a499648e688eaed4637fe with SHA-1 d7cf82ba13 is already in history
Original change: https://android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/2013321
Change-Id: I5c8568942d585385ddab683ddca604852702d843
|
|
-s ours am: e66e53338a -s ours
am skip reason: Merged-In I3f481ff3c48d84971d4a499648e688eaed4637fe with SHA-1 d7cf82ba13 is already in history
Original change: https://android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/2013321
Change-Id: I96b1b2014bb5be0587dce6ba66168eb04f2778ca
|
|
10ea65c0a1 -s ours
am skip reason: Merged-In I3f481ff3c48d84971d4a499648e688eaed4637fe with SHA-1 d7cf82ba13 is already in history
Original change: https://android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/2013321
Change-Id: I0500ecf53bebb13a6bcf328a0409828d6fd45cfe
|
|
-s ours
am skip reason: Merged-In I3f481ff3c48d84971d4a499648e688eaed4637fe with SHA-1 d7cf82ba13 is already in history
Original change: https://android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/2013321
Change-Id: I570ce1275576f75339e5b5a3f2e2b86ecbb45d8b
|
|
am skip reason: Merged-In I3f481ff3c48d84971d4a499648e688eaed4637fe with SHA-1 d7cf82ba13 is already in history
Original change: https://android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/2013321
Change-Id: If5209314fb32cf52cf8bef39a23d2a86e60700a2
|
|
am skip reason: Merged-In I3f481ff3c48d84971d4a499648e688eaed4637fe with SHA-1 d7cf82ba13 is already in history
Original change: https://android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/2013321
Change-Id: Ia46f68adf6195f84a7b691075903f56b99aef133
|
|
|
|
Bug: 208877624
Test: Verified on hikey960 using the halutil cli halutil -getSupportedRadioMatrix
Signed-off-by: Ajay <ajay.davanageri@broadcom.com>
Change-Id: I191c6553a03eef8e93a45f8854c97468da7cf75a
|
|
Bug: 222710654
Merged-In: I3f481ff3c48d84971d4a499648e688eaed4637fe
Change-Id: I0ddd898504dad331d78be86320559d99cc4c4f3a
|
|
d7cf82ba13 -s ours am: 6cf75bc4c5 -s ours
am skip reason: Merged-In Icf4354c4eee74cac3ebedcaba1116320e750b2a3 with SHA-1 c835c0483b is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/16844480
Change-Id: Ia4a9835bdad3afeb5ad7d775545c4a0dee2bba4a
|
|
d7cf82ba13 -s ours
am skip reason: Merged-In Icf4354c4eee74cac3ebedcaba1116320e750b2a3 with SHA-1 c835c0483b is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/hardware/broadcom/wlan/+/16844480
Change-Id: I9c7195ece36a822f6cc5cb9f1596132bd053b17f
|
|
Added enable instant mode and config checks before processing it
down to the driver.
Bug: 216658673
Test: Verified ACTS on oriole platform
Test: sanity test passed
Signed-off-by: Ajay Davanageri <ajay.davanageri@broadcom.com>
Change-Id: I8d8310145ee4052b1851be85eb45acc678ca4092
|
|
Bug: 214455710
Merged-In: Icf4354c4eee74cac3ebedcaba1116320e750b2a3
Change-Id: I3f481ff3c48d84971d4a499648e688eaed4637fe
|