The host will update the rx nss after it gets the
rx nss info from the operating mode notification
IE. Currently, it does not check the num rf chains
of the dut. It causes the difference between
software and hardware.
Change-Id: I5d6852f8e2928cc99fc88ccface3bc4abe97f273
CRs-Fixed: 2280003
During peer removal, call cdp_peer_teardown to
make sure all the peer AST entries are removed.
This also marks the peer->delete_in_progress flag.
Change-Id: Ibe4a0244cadc2b8073e4e71a925a615447d00933
CRs-Fixed: 2287663
In the function csr_queue_sme_command, we memset the memory for
the roam command to 0 in case of failure and release the memory
to the global command pool. But in csr_roam_issue_connect,
csr_release_command_roam is called again in case of failure,
and this can lead to memset of memory to 0 that is released to
global command pool.
Remove the redundant csr_release_command_roam in the function
csr_roam_issue_connect and the call to csr_reinit_preauth_cmd in
csr_roam_enqueue_preauth.
Change-Id: Ifab3551dd3b2dbb2d135b5488f7b09f422648abb
CRs-Fixed: 2280904
We are transitioning the usage of LL stats response event
to request manager framework.
Change-Id: Ice8b3d53beb47b345ed569f2b4bf790e9f5ce506
CRs-Fixed: 2274933
Add per module logging macros without function/line info
to avoid adding function/line info where it is not required.
Change-Id: Id808fef623b82cec38fc31071ef384f3ff0c92da
CRs-Fixed: 2278874
The command eSmeCommandDelStaSession issues vdev delete to
firmware. As this command eSmeCommandDelStaSession is not
serialized, this may issue delete vdev before the peers for the
vdev are deleted, resulting in fw assert. Serialization should
be brought in for this command, so that first eSmeCommandRoam
command will do vdev_stop-->remove_peer-->vdev_down and then
eSmeCommandDelStaSession will be processed which will send vdev
delete.
Post the command eSmeCommandDelStaSession to the serialization
module and WMA_DEL_STA_SELF_REQ will be posted from the sme
eSmeCommandDelStaSession handler.
Change-Id: I60fcbf622b961162c647db3638b5e019c5231971
CRs-Fixed: 2270982
If 11w is enabled, mmie should be included in broadcast
multicast rmf; the length check needs to consider it to avoid
buffer overflow.
CRs-Fixed: 2270117
Change-Id: I6c2ebe18fb5b6e4246ba6d28c1dbc55175279e30
In the function wma_roam_synch_frame_event_handler, memory is
allocated for iface->roam_synch_frame_ind.bcn_probe_rsp,
iface->roam_synch_frame_ind.bcn_reassoc_req,
iface->roam_synch_frame_ind.bcn_reassoc_rsp when the wmi event
WMI_ROAM_SYNCH_FRAME_EVENT is received. This event is followed
by a WMI_ROAM_SYNCH_EVENT from the firmware where the host
copies the bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp to
the structure roam_synch_ind_ptr and frees the allocated memory.
In this flow memory leak can happen in following cases:
1. Firmware sends a cascade of multiple WMI_ROAM_SYNCH_FRAME_EVENT
and the host allocates bcn_reassoc_req, bcn_reassoc_rsp and
bcn_probe_rsp without freeing the previous instance.
2. Firmware sends WMI_ROAM_SYNCH_FRAME_EVENT with either
bcn_reassoc_req or bcn_reassoc_req or bcn_probe_rsp NULL or all
the three are NULL.
3. Firmware sends WMI_ROAM_SYNCH_FRAME_EVENT having
bcn_reassoc_req bcn_reassoc_req and bcn_probe_rsp. Then it sends
the WMI_ROAM_SYNCH_EVENT with non zero bcn_reassoc_req_len or
bcn_reassoc_rsp_len or bcn_probe_rsp length.
4. Host doesn't free the allocated memory in
wma_roam_synch_frame_event_handler during failure cases.
Check if received iface->roam_synch_frame_ind has non NULL
bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp and free the
same before allocating new memory. Also free the allocated
bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp in failure
return cases.
Change-Id: I2b76769d09fd61929f7837cb8661d778cd2f881a
CRs-Fixed: 2282413
There are multiple places where a tHalStopType parameter is passed but
unused. This is a historical artifact, so remove all instances of it.
Change-Id: Iebcbbac580495a376b7456b3a2901f33c2474f83
CRs-Fixed: 2283460
For a full explanation of the problem and phased solution refer to
"qcacmn: Clean up the extscan unified WMI (phase 1)", Change-Id
I11800361b572331cfada00fb7d518c314df20b43, in the qca-wifi-host-cmn
project.
For phase 2 (this change):
Replace all references of the badly named identifiers with references
to the properly named substitutes. Note that this phase may touch
multiple repos and may involve a number of separate changes.
Change-Id: I4b14045b7294103f4fa03a7f964be33ed4ac6cc6
CRs-Fixed: 2282841
The task formerly done by wma_get_buf_extscan_change_monitor_cmd() is
now done in the common WMI project and this function is no longer
used, so remove it.
Change-Id: I4a42bda3c3b790bcd0c21abcda94a4f4aa49d8ff
CRs-Fixed: 2281906
The task formerly done by wma_get_buf_extscan_start_cmd() is now done
in the common WMI project and this function is no longer used, so
remove it.
Change-Id: I840c6a5f83c6cdc479e6746f36a29c2a7970c964
CRs-Fixed: 2281900
1) Use correct typecast in function wma_process_fw_event_mc_thread_ctx
2) Change log level to debug and refine logs in
wma_process_fw_event_handler
CRs-Fixed: 2281191
Change-Id: I4e67143d028867b193e42ec51f6f7562287eba82
When the beacon is updated, the host passes the gSchBeaconFrameBegin
param to WMA to copy the beacon to WMI and pass the value to
firmware. gSchBeaconFrameBegin is global, so if we receive a new
beacon update in LIM before the WMA processes the old beacon
update, the values in the global gSchBeaconFrameBegin are
updated as per the new beacon. So if there is a change in beacon
length, the first WMA msg copies the wrong beacon data and sends
this corrupt data to firmware.
To fix this, instead of passing the global gSchBeaconFrameBegin,
fill the beacon data in the beacon update req itself.
Change-Id: I6d196784470d9a2aeeaba76e12577f9f65012bac
CRs-Fixed: 2272448
The API wma_is_service_enable is a wrapper on the converged
wmi_service_enabled API for services and extended services. The checks
used in the API are not updated for the converged service enum.
Replace wma_is_service_enable with wmi_service_enabled as there is no
need to have a wrapper
Change-Id: I4fe3601f7e1a031290e139f9ef55f845965b7b2e
CRs-Fixed: 2276471
The WMI ready event from firmware currently uses an event queue, but is
being moved to a simple event instead. Update WMA to account for this
change.
See: I08b4f088874b7c63e20b129f14dbac01851496e5
Change-Id: I5242cc0e839b59db990fb918e8029b8f68385de6
CRs-Fixed: 2275468
The P2P LO Callback currently specifies a void pointer for the event
payload. In the case of this API the event payload is always a struct
sir_p2p_lo_event so update the API to explicitly use this type. In
addition, currently the callback is not using the registered
user-supplied context, so update the callback to correctly use the
user-supplied context.
Change-Id: I566facea3c92b377823c1b3e38f99c84bc65e9d4
CRs-Fixed: 2278587
Qca6574 doesn't use phy_err_mask0 to indicate a spectral
scan phyerr, so spectral_phyerr_event_handler will never
be called. So add some logic to extract the correct phyerr
code to obtain the spectral scan results.
Change-Id: Ib1ec1aa98f25827dfe6ab549ff96a5d4139ad106
CRs-Fixed: 2252379
Add setter and getter function of timestamp for management frames
for the peer based on peer's mac address.
Change-Id: Iab0862eda2392bd516c8ba0b913441b8e0d4c493
CRs-Fixed: 2264667
In wma_unified_link_iface_stats_event_handler, FW stats is cast into
some host data structure via memory copy. It could be dangerous since
there could be some mismatch between host and FW data structures.
Update it with field-by-field assignment.
Change-Id: If90c6062551c8769d948b3267dfa323fba310a78
CRs-Fixed: 2274034
Validate SAR2 response event handle and pass the valid
pointer for result extraction
Change-Id: I91982c411c77494662f6d00de6078622a3d548ae
CRs-Fixed: 2259373
Firmware reports HW mode ID during HW mode change,
use Policy mgr API to get HW mode Info.
Change-Id: I01c7e346a5c2292490705690bc8261b41d0a8127
CRs-Fixed: 2256189
At DP peer creation update UMAC peer objmgr handle to the
DP peer structure. Also update the DP peer handle to the UMAC
peer objmgr handle.
Change-Id: I9983fe9626eae9d2ad6e3b2a6fde9183f5bf6356
CRs-Fixed: 2259804
Currently the EXT Scan Callback API specifies a void pointer for the
context parameter. It is fine for an API to use a void pointer for a
data structure that is opaque or a binary blob, but in this case an
HDD handle is always passed, so explicitly reference that type. This
will allow the compiler to verify that the correct type of parameter
is being passed.
Change-Id: I50c16e1259149147537984242f9bd03b3af15d0b
CRs-Fixed: 2277275
It is fine for an API to use a void pointer for a data structure that
is opaque or a binary blob, but it is not ok to do so when the type of
the data must be known and agreed upon by both the caller and the
callee. In the case of the link layer stats callback the API
definition uses a void pointer for both the context parameter and the
response parameter, but an HDD handle is always passed as the context
and a tSirLLStatsResults struct is always passed as the response, so
explicitly reference those types. This will allow the compiler to
verify that the correct types of parameters are being passed.
Change-Id: Iba181bbc97331f8fdde1cdf5c81a80efef014839
CRs-Fixed: 2276494
As part of DP-CP interaction convergence register common
converged target if ops for DP control ops.
Change-Id: Ifbe5d20e32262782016c3b0c20a7d2e149a071c3
CRs-fixed: 2273037
In order to help facilitate the move to per-level logging, add new
logging macros to WMA.
Change-Id: Ie5fa0074f6ace527a84dcc82b332607473615d7c
CRs-Fixed: 2275464
For self STA object manager peer is not created.
To transmit some frames before association object manager
peer is required in wlan_mgmt_txrx_mgmt_frame_tx.
So, create self STA obj manager peer as part of vdev attach.
CRs-Fixed: 2276106
Change-Id: If34e039e1bbadcafabd1f86579c7d639256c9267
There are two instances where peer ref counting leak has been observed
1) When DUT-STA is connected to AP1 and if it tries to roam to AP2 or
to same AP1 then as part of roam sync indication, it needs to delete
the old peer and create the new peer. Deletion of old peer is
happening through force delete operation which is No-OP for some of
the platforms. In such cases, do normal peer delete operation, so
that peer ref count can be deleted properly.
CRs-Fixed: 2270761
Change-Id: Ibcad72943258e531e29498961d3d7e692fd05b36
BSS Desc pointer will be NULL when starting SAP, in function
csr_roam_issue_start_bss(). And it is causing a NULL pointer
dereference when getting the BSS channel number from BSS Desc.
Get channel number from csr_roamstart_bssparams instead.
CRs-Fixed: 2272749
Change-Id: Idf4eeb21f1298db03a030af72bf9f0a530ba3e68
It gets a NULL pointer to txrx vdev when the Rome platform transmits a
mgmt frame in cdp_mgmt_send_ext, and then the DUT breaks since it
accesses the NULL pointer.
So, add protection before calling cdp_mgmt_send_ext.
Change-Id: Ia51a8183bf89115a4f0f3520b80186daa379602d
CRs-Fixed: 2265687
Add Genoa specific default target configurations for
offload configs, max tx pattern config and max sta
vdev config
Change-Id: Id682b1103d87021e207de335721805515db6a932
CRs-Fixed: 2258999
Add support for SRD channels in ETSI regulatory domain
1) Add SRD channels only if DSRC feature is disabled.
2) Add user configuration to enable/disable these channels
in master mode PCL/ACS. Default is disabled.
3) Allow these channels in ACS/PCL only if the INI is set.
Change-Id: Ibd79dc95e9911ce3a0fd101f4716d9bbb8b75466
CRs-Fixed: 2264786
There are multiple issues with wmi_unified_nat_keepalive_enable():
1) WMA global functions should have a wma_ prefix.
2) The function prototype indicates it should return int status, and
the one caller, wma_add_sta_req_sta_mode(), is expecting that, but
it actually returns QDF_STATUS.
3) The function is a very thin wrapper that calls the unified WMI API
wmi_unified_nat_keepalive_en_cmd() and hence adds no real value.
Rather than address these issues, just remove the function and update
wma_add_sta_req_sta_mode() to directly call the unified WMI API
wmi_unified_nat_keepalive_en_cmd().
Change-Id: I13a4140ba6343240bde51704af2921c001f66a21
CRs-Fixed: 2271552
In function wma_extscan_change_results_event_handler(), numResults
in dest_chglist is assigned as total_entries in the event, but the
memory allocated to dest_chglist is based on the numap variable,
which may cause out of buffer read in extscan indication callback
function wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind().
Also tSirWifiSignificantChange array parsing in both the functions
is not efficient which may lead to accessing unallocated memory.
To address out of buffer read, assign numap to numResults in
dest_chglist and to address accessing of unallocated memory,
parse tSirWifiSignificantChange array with efficient logic.
Change-Id: Ia0c287147e80e17de84fe6b1cb83c8e3c29a1fa0
CRs-Fixed: 2253396
Add CDP API to set RX MIC key in datapath.
Required to perform RX demic of fragmented packets.
Change-Id: I3c05da62ff20f8551cdc5780ce2f7b8d23c73a37
CRs-Fixed: 2217884
Fix checkpatch issue introduced by change "qcacld-3.0:
separate HE caps per band", use new mac_handle_t instead
of tHalHandle in sme_update_tgt_he_cap param and fix
indent issue.
Change-Id: I91e11fd38ac72266b4afcf42d71340975127f559
CRs-Fixed: 2268400
If wmi_ready is not set, we can infer that WMI_READY_EVENTID has not
been fully processed yet. Completion of WMI_READY_EVENTID is necessary
for any follow-on messages to be processed properly, since it builds
infrastructure on host. Therefore, serialize the follow-on message with
WMI_READY_EVENT if wmi_ready is not set yet.
CRs-Fixed: 2267180
Change-Id: I2e5df318f8e40a9487502a49539252c9fde9892b
While processing the WMA_ROAM_OFFLOAD_SYNCH_IND event, the
driver takes nearly 150 to 200 msec just to write fatal,
error and info messages to the kmsg log buffer. Also, to get
tx power, supplicant runs another thread while roaming. These
cause more latency (300ms) to send the WMA_ROAM_OFFLOAD_SYNCH_CNF
message to fw. To decrease roam latency, the driver should
write only the necessary error messages to the kmsg buffer.
The fix is to change irrelevant fatal, error and info message
types to debug and add a check in __wlan_hdd_cfg80211_get_txpower
to reject the request to get Tx power while roaming is in progress;
otherwise the driver will process this and will increase the roaming
latency.
Change-Id: I6c31637f21991b5b29c1e2dd2c2935ae7d4fc3d0
CRs-Fixed: 2251824
Currently if disconnect is triggered from the supplicant, RSO Stop
is sent with reason REASON_ROAM_STOP_ALL and this sends roam_scan_mode
as 0 to the FW.
However, if disconnect is triggered from the LIM/FW, the RSO Stop
is sent with reason REASON_DISCONNECTED and leads to roam_scan_mode
being sent as 4 which does not disable RSO in the FW.
In STA+STA scenario where vdev0 receives a disconnect from LIM,
RSO is not stopped for vdev0, however driver goes ahead to enable
RSO for vdev1, which leads to FW assert.
Send roam_scan_mode as 0 for RSO Stop command with REASON_DISCONNECTED
also.
Change-Id: Id2147653ecbd91e033f42382aa00a717d280f6e6
CRs-Fixed: 2266778
Currently fw_peer_count for HO failure is done in wma_roam_ho_fail_handler
which can lead to improper reset of the fw_peer_count if a HDD triggered
disassoc is in progress for the same peer leading to fw_peer_count going
to -1.
Reset the fw_peer_count for HO failure case in wma_delete_bss_ho_fail
API as this is called from the CSR/LIM for handling HO failure as
part of CSR disconnect.
Change-Id: I1526757b085086ca51eef9b9cca0ea757ed20b61
CRs-Fixed: 2266337
While processing get_station cfg operation, HDD is using Nss
value, which gets updated during association, to calculate data
rate. So, there is a possibility of driver to report invalid
MCS index to upper layer if association happens with Nss 2 and
when data transmission is happening at Nss 1 rate.
On receiving GET STATS response, calculate Nss value based upon
the current data rate received from firmware, and pass it to HDD,
so that HDD can use the same Nss value to report valid MCS index
to the upper layer.
Change-Id: I62f029d53149a4747f619027ce69ce65fb280b8d
CRs-Fixed: 2250993
In wma_is_ccmp_pn_replay_attack peer is used without taking the ref
count and thus this can lead to peer used after free.
Fix this by taking ref of peer before using the peer in
wma_is_ccmp_pn_replay_attack and release ref once access is done.
Change-Id: Iaa5936a1c7f6f8667a68fcb646eaec4cb3aa5469
CRs-Fixed: 2264434