Currently fix_param->vdev_id, recevied from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.
Add sanity check to make sure vdev_id is less than max_bssid before
using it.
Change-Id: I92743589e0333449c39e148b37d200cac2cdb817
CRs-Fixed: 2119434
Add sanity check for num_hw_modes and num_phy in wma_populate_soc_caps()
for WMI_SERVICE_READY_EXT_EVENTID.
Change-Id: I023d737449283f9ac092d278bde016b208b2c891
CRs-Fixed: 2119887
1) Currently all the parameter to decide best candidate are chosen
as by default.
Add INI support for those parameters to change values on basis
of performance.
2) At the time of calculating best candidate score, rssi consider
bucket size, good rssi, bad rssi, good rssi percentage from total
rssi percentage, bad rssi percentage from total percentage.
Configure these all params from ini.
Change-Id: I808a40486473fcbb161c12fbd369b3b846beb8c2
CRs-Fixed: 2121735
In function wma_unified_link_iface_stats_event_handler, num_ac is received
from the firmware and is used in the loop to populate values into results.
However the memory for results is allocated only for WIFI_AC_MAX and a
buffer overflow will occur of num_ac is greater than WIFI_AC_MAX.
Add checks to make sure num_ac is not greater than WIFI_AC_MAX and
num_offload_stats is not greater than WMI_OFFLOAD_STATS_TYPE_MAX.
Change-Id: Ife8b1d19aa853f85f4fad82d5791e49a8c892ca4
CRs-Fixed: 2114756
Assert added as part of I2689873c2c5e63c83e5059563662c0c69dc659fc
in wma_get_ll_stats_ext_buf is not required as it causes a stack
trace exposing further security issues.
Remove the assert in wma_get_ll_stats_ext_buf
Change-Id: I92a5eb1b287e61c7f2cc9d6dba92446719c3c6b2
CRs-Fixed: 2115112
Propagation from qcacld-2.0 to qcacld-3.0
Add diag event for wow packet counters stats.
The event EVENT_WLAN_POWERSAVE_WOW_STATS will be used to
inform the wow stats packet counters.
Change-Id: I9d1760aa6b790544b9879e7ef18d4f5359e0e245
CRs-Fixed: 1087714
STA is roaming to 2G AP even though 5G
only is configured through ini.
Set weightage of the 2G social channels
to zero so that firmware will not roam
to 2G channels.
Change-Id: I7dea8413618265e0f1fe353da4b858583c1921af
CRs-Fixed: 2117614
Add 1 second wake lock for 4 way handshake to avoid APPS
power collapse in middle of eapol exchange which can delay
the association process.
Change-Id: Ife73dc00aa05b5a80d0a90afd18468bd033ebdd9
CRs-Fixed: 2118533
On vdev response timer expire, memory allocated for vdev request
will be freed in the timer handler(wma_vdev_resp_timer). But there
can be a race condition where wlan shutdown is invoked at the same
time, where host tried to cleanup unhandled vdev requests by calling
same timer handler.
To mitigate this issue don't free the memory if vdev request is not
found(as other thread freed memory by this time)
Change-Id: Iea214f0ed3acb9600b5a3b84b5740c1b496719d9
CRs-Fixed: 2049673
The current driver strategy is to converge on unified APIs, and the
unified WMI struct flashing_req_params conveys the same information as
typedef tSirLedFlashingReq, therefore replace tSirLedFlashingReq with
struct flashing_req_params.
Change-Id: I4ef75ee3bff7c83dbf8197bba0802569282a414f
CRs-Fixed: 2121335
Update ini param g_auto_detect_power_failure_mode to incorporate below
values,
0 - Don't register wow wakeup event and FW crashes on power failure
1 - Register wow wakeup event and FW sends failure event to host on
power failure
2 - Don't register wow wakeup event and FW silently rejuvenate on
power failure
3 - Don't register wow wakeup event and the auto power failure detect
feature is disabled in FW.
Change-Id: I8a704954ecbacadbc035c1523fa41a18b6300f66
CRs-Fixed: 2087144
Make sure num_vdev_mac_entries which is coming from firmware within
MAX_VDEV_SUPPORTED to avoid any buffer overflow or OOB read.
Change-Id: I92793a6bcfd46b288c3f496a6f6cc9b372f60c48
CRs-Fixed: 2119432
Current driver forming a unit test command within HDD layer and uses
message passing method to deliver it to WMA layer which
requires HDD layer to have a knowledge of how to form a unit test command.
User SME API to send params to WMA layer and let WMA form a unit test
command and send it directly to FW through WMI layer instead of HDD
forming and passing it down.
CRs-Fixed: 2118725
Change-Id: Id1838939813e6cd2d52cee8720a1f4e0ca34329b
Current doesn't perform boundary check on num_vdev_mac_entries param
which coming from firmware. Without boundary check, driver may be
exposed to buffer overflow.
Check against the boundary limit before using it.
CRs-Fixed: 2119430
Change-Id: I502926a7f783acc7b73a3fbbbd70386a099b48b3
Currently if_id used in the for loop is incremented based on vdev_map != 0
and vdev_map is a uint_32, received from FW, and is right shifted by one bit
for each iteration. This could result in if_id going upto max of 31 and cause
OOB read.
Add sanity check to make sure if_id is less than max_bssid.
Change-Id: I7e0c4e9a26cb67f41e35c60c2756d7ad02cf43ea
CRs-Fixed: 2119443
Add sanity check for vdev id in wma_roam_event_callback() to prevent
out of bound access of memory in wma_roam_better_ap_handler().
Change-Id: If3cf06a8eca767201fdd8b056bee6d773938a2a6
CRs-Fixed: 2119400
Add support in wma_flush_complete_evt_handler to capture
data stall event from Firmware and post the message to
sys queue.
CRs-Fixed: 2086176
Change-Id: I4e819b1ae711b3867fa46ff638d4bfd2054519ed
Host should keep the wake lock from the time it sends
WMI_PDEV_SET_MAC_CONFIG_CMDID to FW till it receives the
WMI_PDEV_SET_MAC_CONFIG_RESP_EVENTID. This will avoid any fatal
crash condition.
Change-Id: Id16a1957b38acee6cf45c123ea9dbab25aae9b39
CRs-Fixed: 2070779
Add Vendor Event to get the driver hang reason indicating to the
user space that the driver has detected an internal failure.
This event carries the information indicating the reason that triggered
this detection.
Change-Id: I3934f2a18c796ed3b53175dcbe7efd7f4d1409b9
CRs-fixed: 2098498
After deriving the vdev_id from the vdev map in
wma_beacon_swba_handler check for the validity
of the vdev_id
Change-Id: Ifc4577d8a00f447e2bcfa4e01fce5ac2dbe96a4d
CRs-Fixed: 2120751
There are currently two ways to get vdev stats from firmware. As such,
the redundant pe_stats_req is being removed. Migrate existing consumers
to stats_request_params instead.
Change-Id: I3426b43a6202bb59ceef13cf8d4528700c7f3983
CRs-Fixed: 2120637
Currently in wma_unified_link_peer_stats_event_handler, the check to validate
if peer_stats->num_rates is less than WMA_SVC_MSG_MAX_SIZE is done only for
the first member of the peer_stats array. This can lead to integer overflow
as num_rates is calculated as sum of peer_stats->num_rates for each of the
peer_stats in the array.
Add code changes to loop and calculate total_num_rates for all the peer_stats
and then validate total_num_rates with WMA_SVC_MSG_MAX_SIZE.
Change-Id: Ic934934a990bd55fce70a0eaffa2812bc34b0ddd
CRs-Fixed: 2113758
Check vdev_id against wma->max_bssid in wma_mcc_vdev_tx_pause_evt_handler to
avoid bufer overflow.
Change-Id: Ie47a0ed2f7f27f13a01e1b2cb365fae66b41b1df
CRs-Fixed: 2120677
Implementation to change BmissFinalBcnt dynamically.
User can set totalBcnt using the new command
QCA_WLAN_VENDOR_ATTR_CONFIG_TOTAL_BMISS_CNT.
BmissFirstBcnt will retain its default value or from ini.
BmissFinalBcnt will be configured as (totalBcnt - BmissFirstBcnt).
Change-Id: Ie3c3895d48248d349400e755f07edc807e335b44
CRs-Fixed: 2081906
During host invoked roaming, set WMI_ROAM_INVOKE_FLAG_NO_NULL_FRAME_TO_AP
flag so that FW will not send NULL data frame while doing transition to
same bssid.
CRs-Fixed: 2046964
Change-Id: I043c3d2431e4da5af36fb710bd36a520550abbd3
Change-id Iafd5666179d079c7bcc950277092cef3046356bf was added to remove
antenna sharing support from SAP and STA case but customer needs those
changes for SAP case only.
So bringing back changes for STA case.
CRs-Fixed: 2117829
Change-Id: I79f7c5ae1fd642f0b26170f066a5409638cdd873
In the function wma_roam_synch_event_handler, vdev_id is received from
the fw and is used to access member of the array wma->interfaces without
validating the max of the vdev_id received from the fw
Add check to make sure vdev_id is less than max_bssid before using it
Change-Id: I3b940e183ab66680891cb7351af4537b50afce1d
CRs-Fixed: 2114187
Add sanity check to ensure num_failure_info from FW does not cause
integer overflow while calculating alloc_len, as alloc_len is in
turn used to malloc which can lead to less than required memory
allocated in case of integer overflow of alloc_len
Change-Id: Iea93e879196e9cd43856a7dcc9204d2304f76c78
CRs-Fixed: 2114789
While DUT is in SAP or GO mode, due to LTE antenna sharing mechanism,
DUT is associating in 2x1 chains to HT clients.
As per new requirement, remove dependency of number of chains on antenna
sharing. If HT client supports 2 chains, and due to DBS/LTE antenna
sharing SAP/GO drops down a chain then rate adaptation at peer takes
care of dropping down chains at peer side
Change-Id: Iafd5666179d079c7bcc950277092cef3046356bf
CRs-Fixed: 2108484
Check multiple variables received from firmware used to calculate
buf_len to make sure that it does not exceed the max msg size, as
this buf_len is in turn used in malloc and can lead to less than
required memory allocated in case of integer overflow of buf_len
Change-Id: I2689873c2c5e63c83e5059563662c0c69dc659fc
CRs-Fixed: 2115112
Check for the validity of the number of channels passed in the
radio stats event received from firmware to ensure an integer
overflow does not happen.
Change-Id: Idf5738a40139aafad4de422965dc4ff3d0e53a32
CRs-Fixed: 2114426
Check for the num_peers received from firmware and ensure an
integer overflow does not happen in wma_peer_info_event_handler.
Change-Id: I08cc98fc425d9905d0ca090cd42b73227e594772
CRs-Fixed: 2115366
Check for the maximum allowed data that can be written into
the buffer utf_event_info.data in the function
wma_process_utf_event.
Change-Id: I9ee37470b7a3e7016941f871d3cf73eb12718758
CRs-Fixed: 2115375
Check for the upper bounds for number of NOA descriptors
received in the P2P NOA event.
Change-Id: Id7ecf064f2c25f378f76d795902713da8520507f
CRs-Fixed: 2113072
Clear up the tdls legacy functions which handle add/delete
tdls peer, tdls mgmt frame process and tdls_oper callback.
Change-Id: I8ba344ce5593df44bd15527e2ff68e872b6d23b8
CRs-Fixed: 2105075
wma_get_caps_for_phyidx_hwmode() does not check legacy chips like Rome,
which leads to wrong HT/VHT caps being populated.
Fix is to check legacy chips in wma_get_caps_for_phyidx_hwmode() and
populate HT/VHT caps accordingly including RX LDPC capability.
Change-Id: I496191636f0f21ef3399c24fbfb43a562ca2debc
CRs-Fixed: 2061889
Currently HDD sends a FW memory dump request to firmware without
checking support for this feature. This can lead to a crash as firmware
doesn't send the command response if feature is not supported.
Add a check in HDD so that the request is only sent when FW memory dump
capability is advertised by the firmware.
Change-Id: I73b980f50910e13aa5f2d2434f07b6f985dd5010
CRs-fixed: 1090806
When AP is in 11b-only mode then for a TDLS peer, in the peer_assoc
command to FW, pass phymode as per capability of the TDLS peer.
Change-Id: If1a84b35c2e755aad8b6b67536cbbcc49d378fda
CRs-Fixed: 2093277
Add support to send rate information for mgmt frames.
Currently default rates are used by target for the mgmt frames before
association. If the AP does not support the default rates (1 Mbps for
2.4G and 6Mbps for 5G), STA would still send AUTH, ASSOC frames with
the default rates. Add support to send the minimum rate supported by
the AP as part of the MGMT Tx WMI command.
Change-Id: I38d832818bbbd5fe3dec5660bd01dd08798bf0be
CRs-Fixed: 2085006
Current method for calculating LISTEN INTERVAL are static
configuration a.ka. ini based. Now OEM / USER want to take
control of setting LISTEN INTERVAL as per their applications
need. Once if USER configure the LISTEN INTERVAL value using
vendor command then host should avoid changing the LI value
during each suspend/resume. User LI value will be override
configuration. Once USER will Disable the LI using vendor
command then host can fallback to current default method.
Change-Id: Ia9b412b073c059df0cdff7bcda8198f7581e796d
CRs-Fixed: 2040298
Update driver for the latest reg domain info according to
Regdomain_23 and Regdomain_24 excel sheets.
Change-Id: I6b259be20de650886a16c32b69f8ed82b96dbcd8
CRs-Fixed: 2112485
iface->del_staself_req is used to check if del sta self was defered
and if it is set vdev detatch is called. iface->del_staself_req is
also set in case del sta self was not defered and thus del sta self
resp may get called twice, assuming it was differed and this result
in double free of del_sta_session_req.
To fix this added a bool to check if the del sta self was defered.
Change-Id: If4c2bc2a5bb6b8761f4130119a96602055d45b77
CRs-Fixed: 2116888
When kernel panic happen, if WiFi FW is still active,
it may cause NOC errors/memory corruption, to avoid
this, inject a fw crash first.
Propagated from qcacld-2.0
Change-Id: I97a696a02dfd73aaca212ef1bca9f3597df1e382
CRs-Fixed: 2052332
Set the limit off-channel command parameters and conc_system_pref
according to active tos indication from application.
CRs-Fixed: 2066088
Change-Id: I896999adb59aa468daf33364c708d95ef3062018
Driver is updating WMI_CHAN_FLAG_PASSIVE flag for DFS channels
while sending 'WMI_SCAN_CHAN_LIST_CMDID' command to firmware.
Driver should also update the WMI_CHAN_FLAG_DFS flag for
DFS channels. Otherwise functionality like skipping DFS channels
as part of scan request may not work.
CRs-Fixed: 2103636
Change-Id: Ia146eaad93deab778d5ce7a8647f5c0ba7068ead
Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_form_rx_packet.
Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes. Also add upper bound check for
frame_len in lim_process_auth_frame function.
Change-Id: I7ab454045e2f6d278351dcabde6da556f9f741e0
CRs-Fixed: 2093392
