The hal param to sme_get_status_for_candidate() is incorrectly typed
to be a pointer to a tHalHandle when it should just be a tHalHandle,
so fix it.
Change-Id: I8799c334de58e196c1fcef2889fef4d9931b91f4
CRs-Fixed: 2255549
Currently csr_get_parsed_bss_description_ies() takes a tHalHandle
context param. However CSR is an internal module, and hence it should
be using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: Id10bc9165f942b75ee1bd0e2e9b046ea484976e7
CRs-Fixed: 2255547
Currently csr_parse_bss_description_ies() takes a tHalHandle context
param. However CSR is an internal module, and hence it should be
using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: Iabb093ac924340b0a6bfa5185d0b9d5fcc440c91
CRs-Fixed: 2255547
Currently csr_rates_is_dot11_rate_supported() takes a tHalHandle
context param. However CSR is an internal module, and hence it should
be using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: I9349e152b4818862f7ac406f7a8f96d78c4c1782
CRs-Fixed: 2255547
Currently csr_is_security_match() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: Ibaf8273ad45a7019d19f8793e2bfc35032221c8d
CRs-Fixed: 2255547
Currently csr_retrieve_wapi_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I0dca1d6b64e3ef3698439277d05611d7051926c2
CRs-Fixed: 2255547
Currently csr_retrieve_rsn_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: Ie410ef70ed38c569f1203f59a4fc8ce4ee30400d
CRs-Fixed: 2255547
Currently csr_is_ssid_equal() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I3db1f07166f90de28c8ac8a6fb31480578b04caa
CRs-Fixed: 2255547
Currently csr_retrieve_wpa_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: Ia2a7bb81a1bf4254ad5f557bcc77d71d36495bb8
CRs-Fixed: 2255547
Currently csr_construct_wpa_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: Id690878208d1e5ca97adfce94a61629a8788ede2
CRs-Fixed: 2255547
Currently csr_construct_rsn_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I812709f7c149788d04151ac0b2bf2d79527131b4
CRs-Fixed: 2255547
Currently csr_get11h_power_constraint() takes a tHalHandle context
param. However CSR is an internal module, and hence it should be
using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: Ic7f622b8633726a03ace11951c6e53b7e0936beb
CRs-Fixed: 2255547
Currently csr_get_rts_thresh() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I94d370739cd616b17eea922825417d5e9ab4bd3d
CRs-Fixed: 2255547
Currently csr_get_frag_thresh() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I69ae6f07dd12cf79659c5e4c461fba1c7fa8ff46
CRs-Fixed: 2255547
Currently csr_get_qo_s_from_bss_desc() takes a tHalHandle context
param. However CSR is an internal module, and hence it should be using
the "real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API. In addition change "qo_s" to
"qos" to fix the typo in the name.
Change-Id: Ib5f53d55737138c708d47e79a68a2b1344dff5d2
CRs-Fixed: 2255547
Currently csr_roam_issue_ft_preauth_req() takes a tHalHandle context
param. However CSR is an internal module, and hence it should be using
the "real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I7d521ba558a64c87af72a6ce2d27eae93d1a633d
CRs-Fixed: 2255547
Currently csr_roam_ft_pre_auth_rsp_processor() takes a tHalHandle
context param. However CSR is an internal module, and hence it should
be using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: If8ca89e68cd0f38a65a68e1702ab3a43b130a277
CRs-Fixed: 2255547
Function csrValidateCountryString() no longer exists, but there is
still an obsolete prototype for it, so remove it.
Change-Id: I40869b7160cbc3e64b785e44711237455f2e02b0
CRs-Fixed: 2255482
Currently hdd_handle_t is defined as a void pointer. This is
convenient from an information hiding point of view since that means a
non-HDD component cannot dereference an HDD handle to access HDD
private data. However this is not convenient from a defect prevention
point of view since the C standard allows any other pointer type to be
freely and silently converted to and from a void pointer, and hence
the compiler is unable to detect when an HDD handle is used in a
context where a different pointer type is expected.
An example of one such defect was addressed by Change-Id
I2bbf1bf4a7975e5cb44066b6a3b1a98e82df9fad (qcacld-3.0: Fix bad param
passed during QoS Map conversion).
To help prevent this kind of defect change the definition of
hdd_handle_t to be a pointer to an opaque struct.
Change-Id: I6e885f84c0554bbe5c8582474fddb65ab6a0fdac
CRs-Fixed: 2254907
In sir_convert_qos_map_configure_frame2_struct() a HDD Handle is being
passed as the first parameter to convert_qos_mapset_frame() which is
expecting a pMac. Change the call to pass the pMac.
Change-Id: I2bbf1bf4a7975e5cb44066b6a3b1a98e82df9fad
CRs-Fixed: 2254955
While processing FILS EAP TLVs present in FILS wrapped data in Auth Frame,
the tlv->length from the frame is used as the length to copy the buffer
into the FILS auth info without validating if the received buffer
length is at least greater than the length value in the TLV buffer.
This would lead to OOB read if the TLV length present in the frame is
greater than the actual data_len of the FILS wrapped data.
Add sanity check to return error if tlv->length is greater than wrapped
data_len + 2 with 2 bytes for the TLV header.
Change-Id: Ibe1183c8e318ceb75db6278c935786322a029d5c
CRs-Fixed: 2245944
Currently driver marks cache type as static when it sends valid
channel list to firmware to use for roaming. When cache type is
static, driver will not add WMI_ROAM_SCAN_MODE_RSSI_CHANGE in
wma_process_roaming_config.
Roam scan may not trigger upon RSSI change when mode does not
have WMI_ROAM_SCAN_MODE_RSSI_CHANGE and may have issues related
to roaming.
Mark channel list as dynamic based on newly added ini
"force_rssi_trigger" for valid channel list as well.
With this new ini , customers can tune the behaviour of
roaming scan in firmware based on RSSI trigger or periodic.
Change-Id: I04123cb954408fd510d41d2b6ba96144be0945f9
CRs-fixed: 2240544
If SAP comes up in 2.4Ghz channel in HT/VHT 20/40Mhz and channel
switch comes for a 5Ghz channel, SAP gets started in HT/VHT 20/40
Mhz only while it should connect in VHT80Mhz or HT40Mhz depending
on whether the initial connection is in HT or VHT.
Change the bw to 80Mhz if initial connection is in VHT and to 40Mhz
if initial connection is in HT if channel switch comes for a 5Ghz
channel.
Change-Id: I709dd35575866b7ec9fddcfb94078f114a78d1a2
CRs-Fixed: 2226979
Add support for Last Beacon Report indication sub element and
Beacon Report Frame Body Fragment ID sub element to the beacon report IE
of Radio Measurement Frame.
Change-Id: I07facc245ca96b375779b30f61fc7659f1aa679d
CRs-Fixed: 2254248
Currently PE session ID is filled in eWNI_SME_DISCONNECT_DONE_IND
__lim_process_sme_disassoc_cnf but this command is expected to fill
SME session ID instead.
Send SME session ID instead of PE session ID for
eWNI_SME_DISCONNECT_DONE_IND in __lim_process_sme_disassoc_cnf function.
Change-Id: I50f7ec31eea265d04a94d9717415227bde09bdb5
CRs-Fixed: 2246024
Currently in htt_t2h_msg_handler_fast, msg_len, which is in number of
bytes, is directly compared with pdev->rx_mpdu_range_offset_words,
which is in number of words. Thus their comparison becomes invalid.
In htt_t2h_msg_handler, in addition to similar issue as above, the
checks for message offset validations do not consider integer overflows
occurring.
In htt_t2h_msg_handler_fast, the check condition involving
pdev_rx_mpdu_range_offset_words were corrected to work with bytes,
and in htt_t2h_msg_handler checks for integer overflow were also
added.
Change-Id: I9ec7d30cc24d288ddcabd3bb30674a2ca21f2251
CRs-Fixed: 2248069
In the function wma_mgmt_rx_process, wbuf is the allocated skb
which houses the incoming management frame. An extra 100 bytes
buffer is allocated in wbuf->data to avoid OOB access when
additional headers are present in addition to ieee80211_frame.
This additional buffer is uninitialized and can cause potential
OOB for the management frames of length
sizeof(struct ieee80211_frame) and have no IE or any data.
Initialize the allocated extra bytes so that OOB is prevented.
Change-Id: I44047b0c6f3a731c741c5e0217f3bd0cdd8ed4dc
CRs-Fixed: 2249815
Currently in function csr_roam_issue_connect, if queue sme command
fail, the scan result will be purged by csr_release_command_roam(), but
some caller will also purge it again if don't return success status,
like csr_roam_connect().
Make csr_roam_issue_connect() to consume hBSSList always, and remove
double purging code in the callers.
Change-Id: If226ff300771ccbf1dcbfb2a82fb02498c334cdc
CRs-Fixed: 2237948
In the PI wma_tx_packet, host assigns downld_comp_required
to true/false according to tx_frm_download_comp_cb,
is_high_latency, tx_frm_ota_comp_cb, all the three
conditions to be true. Also the host checks
tx_frm_download_comp_cb, and assigns tx_frm_index
according to downld_comp_required, but in the else
case when tx_frm_download_comp_cb is false, the check
of downld_comp_required is void, as the downld_comp_required
cannot be true if prior tx_frm_download_comp_cb is false,
so the code in the else part which checks tx_frm_download_comp_cb
and assigns tx_frm_index is dead, and in any case cannot be
executed.
Fix is to remove the check of downld_comp_required in
the else case.
Change-Id: If1a376099234d541d508f18cee075dd0f1603294
CRs-Fixed: 2233558
WMI_SERVICE_READY_EXT_EVENT isn't supported in Rome F/W, service
ready ext timer shouldn't be started. Ext service bitmap is
passed to host by F/W event: WMI_SERVICE_AVAILABLE_EVENT.
Change-Id: Id8058c2e58c5771ef27482d3e4076869e560acf1
CRs-Fixed: 2251523
The same code is executed regardless of the conditioal
logic, so remove the redundant conditional block.
Change-Id: I46688f9e7b159a77dd3a2fa977e98237abe1777a
CRs-Fixed: 2232937
Currently, BTM offload config from the ini is sent to the FW as part
of the RSO start for the vdev which has roaming enabled. In case
of STA+STA concurrency, when roaming is enabled for second STA,
BTM config is sent for the second STA vdev leading the FW to assert
as the FW already has BTM offload enabled for the previous STA
session and supports only one vdev with BTM offload enabled at a time.
Send BTM offload config with flags as disabled as part of RSO Stop
so that the FW de-inits the BTM offload on the current connected vdev
before it inits BTM offload config on the new vdev for the second STA.
Change-Id: I7af499b0f7c77b5d52e6c74b09c28c845bdfcd9a
CRs-Fixed: 2251994
When add_bss is done for a STA vdev, the rmfEnabled flag is set
on the wma_txrx_node based on the PE session config. However this flag
is not reset during del_bss which leads to DPP public action frames
sent from supplicant with no session established to be considered
as rmf enabled (due to previous connected rmf session) and adding
additional bytes in the header. This leads to the DPP frame of
incorrect length to be transmitted and the other DPP STA receiving the
frame drops it.
Reset the rmfEnabled flag in wma_vdev_stop_resp_handler if set
previously for the VDEV.
Change-Id: I6ffb1f3efbfc8455768f54155a2abcc8ccf13fe6
CRs-Fixed: 2236476
During peer deletion, ol_txrx_is_peer_eligible_for_deletion() is
called to check if peer is eligible for deletion. Inside function,
vdev is dereferenced to extract pdev but due to race conditon peer
may get freed from the list and this may lead to NULL pointer
derefencing of vdev.
Avoid dereferencing of vdev and pass pdev itself as an argument to
ol_txrx_is_peer_eligible_for_deletion()
Change-Id: I743e2e2c83c3e07e5d5ec4fde7fc3b098766ca96
CRs-Fixed: 2252243
Peer get deleted during ol_txrx_peer_detach_force_delete when
WMA_ROAM_OFFLOAD_SYNCH_IND is received. As peer deletion is
happening in different context and ol_rx_send_pktlog_event is
accessing the peer in different context, a possible race condition
has occurred which leads to NULL pointer dereferencing of peer.
Ignore the peer deletion during ol_txrx_peer_detach_force_delete and
delete it during ol_rx_peer_unmap_handler.
Change-Id: Icf252612081a41f94db6df4684348f2962b2da9d
CRs-Fixed: 2238214
