In csr_roam_joined_state_msg_processor, roam_info->tx_stbc is
assigned twice because of a typo.
Assign roam_info->rx_stbc as the value of
pUpperLayerAssocCnf->rx_stbc.
Change-Id: Ic90f6b486a50dcc3aca8cb7171a137a34319914d
CRs-Fixed: 2460716
A VHT beamformee shall indicate the maximum number of space-time
streams it can receive in a VHT NDP in the Beamformee STS
Capability subfield of the VHT Capabilities Information field of
the VHT Capabilities element. The SAP is advertising STS value
as 8 in both 2G and 5G band. This may cause IOT issues.
Fix the default value of beamformee STS capability value as
default value 3 for SAP.
Change-Id: I026eabeea941a33f1ffab6e498e6de90e182320e
CRs-Fixed: 2448390
The linux coding style forbids use of typedef unless clearly
some rules are met. The tSirBssDescription doesn't match any of
those criteria, so replace it with underlying structure
bss_description.
Change-Id: I36ad517325117cf04d499c7c472ca6ef5921a85d
CRs-Fixed: 2459769
The Linux Coding Style doesn't allow mixed-case names so rename
eSirBssType in struct pe_session to be in compliance.
Change-Id: Iafe6649a130c77064180c67fb1385d2d7a763370
CRs-Fixed: 2459767
The Linux Coding Style enumerates a few special cases where
typedefs are useful, but stresses "NEVER EVER use a typedef
unless you can clearly match one of those rules." The
tSirMacStatusCodes typedef does not meet any of those criteria,
so replace it properly named enum.
Change-Id: I4712acc4898a60ce78e7a6e71d2e91f5b1929c97
CRs-Fixed: 2459765
In hdd_vdev_destroy, if policy_mgr_check_and_stop_opportunistic_timer
decides to move to single mac mode and while sending the HW mode change
the target goes down, this leads to timeout of the HW mode change req in
WMA layer which is 2 sec and in serialization its 4 sec, but
policy_mgr_check_and_stop_opportunistic_timer timeout in 1 sec and proceed
to sme_close_session and wait for it to complete.
sme_close_session queue WLAN_SER_CMD_DEL_STA_SESSION to serialization but
it remains in pending queue, behind HW mode change req.
Now due to SSR the wait event for sme_close_session is set and thus
hdd_vdev_destroy logically deletes the vdev.
Now on WMA timeout the HW mode change try to remove the request from
serialization which it fails to remove as it fails to get ref for vdev
with vdev being logically deleted.
Thus WLAN_SER_CMD_DEL_STA_SESSION is not processed and is flushed in
hdd_wlan_shutdown.
Thus as SSR WLAN_SER_CMD_DEL_STA_SESSION is flushed from serialization
queue, the wma_vdev_detach() is not called for that vdev and thus the
peer attached to the vdev are not deleted and wma vdev ref is also not
released, this lead vdev/peer ref leak.
To fix this update the wait timeout in
policy_mgr_check_and_stop_opportunistic_timer with proper value higher
than the serialization timeout for the HW mode change request. ALso
set the wait event in policy_mgr_pdev_set_hw_mode_cb in failure cases
as well to avoid timeout in case of hw mode change failures.
Also release pending peer and vdef refs in wma_wmi_service_close.
Change-Id: I5ddf8263b0dbf889be506332a67f5e18c1bfb111
CRs-Fixed: 2458034
Userspace request driver to report details of each beacon
received whose bssid is same as currently connected BSS's
mac address. The driver encapsulates the details of these
beacons as an asynchronous event within vendor command:
QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING with operation
type QCA_WLAN_VENDOR_BEACON_REPORTING_OP_STOP until
userspace requests to stop sending beacons.
When driver gets stop indication from userspace, it does
the following things:
1. De-register all callback which is registered while handling
start indication
2. Add beacon filter and send it to fw
If driver is in WOW mode and WMI_ADD_BCN_FILTER_CMDID is
NOT configured, fw wakeup HOST and sends connected AP beacon.
Fw should not wakeup host if host is in wow mode. In order
to support this, configure WOW_BEACON_EVENT for STA and P2P.
Change-Id: Ie7c768fa957d02e1361e1ecb95435ba3f06034b0
CRs-Fixed: 2431360
In roaming scenario when there is no hw_mode change is required, roam
failure is sent to CSR which is causing move VDEV from INIT state to
EV_DOWN. In this case, wma_target_req buffer expected instead of
scheduler_msg. As the wrong buffer is passed, it is causing a
system instability.
Fix is not to send reassoc failure for LFR2 when there is
no change in hw_mode required and go ahead with connect.
Change-Id: I7cc7b0ee1407e04c47177838fc069db5b90353d7
CRs-Fixed: 2451178
Currently, host sends 11k offload command to FW as part of RSO Start
and 11k offload disables to FW during RSO Stop. In case of STA+STA
concurrency, Host sends vdev_stop before 11k_deconfig for
currently enabled STA results to assert in FW.
In order to configure 11k for second STA without assertion, Driver
should de-config 11k for currently enabled STA before vdev stop/delete.
Fix is to configure 11k while start roaming and de-configure 11k
while stop roaming irrespective of the reason for roaming STOP.
Change-Id: I0915d8a0141194c331eb59ba0f2dfa9c8995628a
CRs-Fixed: 2449431
With feature flag for LFR2 disabled, there is compilation
failure in the wlan host driver.
Fix the compilation issues.
Change-Id: Ic21ccd0b313c6690c72a6546eba30c1ecb306cb0
CRs-Fixed: 2453298
Currently, there is no information for roam reason
in hdd.
Fix, Handle roam reason recived from csr, print roam
reason and add roam reason in roam auth event.
Change-Id: Ib9188cb443fa81307fe23d73cce09f7c23bc7a41
CRs-Fixed: 2425910
Cleanup sme_scan_flush_result and csr_scan_flush_result to
use ucfg_scan_flush_results API to flush scan results.
Change-Id: If4ee6c56662d8b214c3b15325a5aef83c449d7c0
CRs-Fixed: 2450775
If firmware starts off-channel scan, driver does not
receive beacons. In this case driver should send a
pause event to userspace.
Change-Id: I90ba5c586656486df110778b73b236e5877f8684
CRs-Fixed: 2431359
Once driver gets QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING vendor
command with an attribute for start, firmware sends all
beacons to host for the connected peer. Host extract required info
(SSID, BSSID, Channel number, Beacon Interval, Timestamp, System
timestamp) from incoming beacon for connected AP and sends it to
userspace. Userspace needs this data for WIPS.
Change-Id: I9d6dd068a076bda79881043946be3133ee87fe84
CRs-Fixed: 2431354
Add new vendor cmd : QCA_NL80211_VENDOR_SUBCMD_BEACON_REPORTING.
This subcommand is used to implement asynchronous beacon
reporting feature. Userspace can request driver/firmware to
report details of each beacon received whose bssid is same as
currently connected BSS's mac address. The driver will encapsulate
the details of these beacons as an asynchronous event within this
command id until userspace requests to stop sending beacons.
Change-Id: I9a32fe5431767b077983c7db90a2f825709f368c
CRs-Fixed: 2431351
In hdd_deregister_cb, wlan_hdd_cfg80211_stats_ext_callback should
be deregistered instead of registered.
Change-Id: Ib7051aeb4579e2573b1b1845601aee07f596bcbc
CRs-Fixed: 2449023
Currently the driver flushes all the scan results during
ACS request, and then scans the specific channels as
mentioned in the request, which leads to a scan again
for the STA interface as no scan results are available.
Fix is to have a timestamp, and get only the latest scan
results, instead of the scan database flush.
Change-Id: Icc343fcca77fb7074071ca1d467947ef70fd1930
CRs-Fixed: 2446490
Currently the driver does not sends the assoc req and assoc
response frame exchanged with the AP if the connection attempt
fails with the peer.
The connection failure can be because of n number of reasons,
OCE assoc reject be one of them.
The supplicant requires these IEs to reject the connection
attempt with the AP with which the connect attempt failed
for t number of seconds, which is mentioned by the AP.
Fix is to send the assoc req, and assoc response IEs to
the driver.
Change-Id: I9c1f7063105912a8005f9e8399640d028b15eec7
CRs-Fixed: 2445709
No channel is included for RRM scan on receiving beacon
report request with operating class 0 as there is no
channel list in the global operating class table.
Fix is to include all the valid channels for RRM scan when
operating class in beacon report request is 0.
Change-Id: I49aedbeabf14cdd709c6965a1f5af05cc7a68a76
CRs-Fixed: 2444737
Disable OCE in STA vdev if any sta gets associated to SAP/GO.
This will improve the scan results in STA interface.
Without this fix firmware will do probe request deferral for 15ms
out of 28 ms , so 15ms is gone and rest is not sufficient dwell
time to get all AP probe responses.
Change-Id: Ie6f79c86025c53360c792c740a963ed8a1d9b936
CRs-Fixed: 2443190
Adaptive 11r feature that enables the AP to support FT-AKM
without configuring the FT-AKM in the network. The AP will
advertise non-FT akm with a vendor specific IE having Adaptive
11r bit set to 1 in the IE data. The AP also advertises the
MDE in beacon/probe response.
The STA should check the adaptive 11r capability if the AP
advertises MDE in beacon/probe and adaptive 11r capability in
vendor specific IE. If adaptive 11r capability is found,
STA can advertise the FT equivalent of the non-FT AKM and
connect with 11r protocol.
Before sending probe request to the AP, the host driver
intersects the csr_roam_profile akm with the akms advertised
by the AP in the function csr_construct_rsn_ie(). Based on
the intersection, RSN IE is constructed and this RSN IE will
be sent over the association request frame. Add changes to
fill FT-PSK akm selector if AP advertises PSK akm(00:0f:ac,4).
If the AP advertises 802.1X akm, fill FT-802.1x akm(00:0f:ac,3).
If the session is adaptive 11r connection, then copy the
adaptive_11r flag to pe_session while sending join request.
Populate the adaptive 11r vendor specific IE into association
request frame.
Change-Id: Iae6ea37787e96fd7cffca32fc4d9a33eb5772f26
CRs-Fixed: 2441337
Adaptive 11r feature that enables the AP to support FT-AKM
without configuring the FT-AKM in the network. The AP will
advertise non-FT akm with a vendor specific IE having Adaptive
11r bit set to 1 in the IE data. The AP also advertises the
MDE in beacon/probe response.
The STA should check the adaptive 11r capability if the AP
advertises MDE in beacon/probe and adaptive 11r capability in
vendor specific IE. If adaptive 11r capability is found,
STA should advertise the FT equivalent of the non-FT AKM.
Introdue a compile time flag WLAN_ADAPTIVE_11R_ENABLED to
enable/disable adaptive 11r support.
If the AP is adaptive 11r capable, set the is_adaptive_11r_ap
flag in bss descrtiptor. This flag will be sent in join request
and populated to pe_session. Also mark the CSR session as
adaptive 11r session based on this flag.
Add changes to check for the adaptive 11r service capability
advertised by firmware. If the host driver connects to adaptive
11r AP, enable RSO only if the firmware advertises adaptive
11r capability, else RSO should be disabled.
If the connection is adaptive 11r connection and if the adaptive
11r ini is enabled, set the adaptive_11r flag in
wmi_roam_11r_offload_tlv_param sent over the wmi command
WMI_ROAM_SCAN_MODE to the firmware. This will enable firmware to
filter the adaptive 11r AP from roam scan results.
Change-Id: If27a2393e3f4bb68942f5ebcec0135f57627f16b
CRs-Fixed: 2437988
Use updated cp stats component to get peer rssi and tx rate,
rx rate for big data logging as legacy infrastructure is
deprecated.
Additionally add support for RX multicast broadcast packets from FW.
Change-Id: Idcab4a022a4e7e34bd15878f95ad8248ca3aa9dd
CRs-fixed: 2428582
Currently in the case of concurrent sessions running,
the driver updates the active dwell time for the scan
request to the default value, overwriting the already
filled active dwell time which the DUT got from the
AP as part of RRM request, which results in violation
of protocol.
Fix is to not update the concurrency params if the scan
request is of type RRM.
Change-Id: I09ebfbee0d282391be17aed7eaf56e3c53c2a5e2
CRs-Fixed: 2438535
With current design, firmware sends the kck, kek and replay
counters as part of wmi_key_material tlv over the
WMI_ROAM_SYNCH_EVENTID event. But the maximum supported kck key
length in wmi_key_material was 16 bytes. But for FT Suite-B
(akm 00:0f:ac:13), the kck_bits is 24 bytes long and cannot be
sent over wmi_key_material. So firmware sends kck, kek and
replay counter values over the new tlv wmi_key_material_ext.
Host driver copies the kck key with fixed 16 byte length to the
upper layers. Introduce kck_length parameter in csr_roam_info
and roam_offload_synch_ind structures and copy kck based on this
length.
Also fix maximum number of AKM suites supported to 5, as some
certification test cases advertise 5 akms.
Change-Id: Iab050e3e3f7efead8070a02094998d15f7ffcbd0
CRs-Fixed: 2400770
On failure in processing beacon report request in
sme_rrm_process_beacon_report_req_ind, xmit ind is
not sent to PE. This will result in all subsequent
beacon report requests to fail as current request
in PE is not freed. Beacon report request is received
with country code US-O and operating class 12. In this
scenario, third byte in country code is overwritten to
global_op_class which causes no channel to be populated
for scan as there is no operating class 12 in global op
class.
Fix is to send xmit ind to PE on failure in processing
beacon report req in SME for cleanup and not overwrite
the third byte in country code if value exceeds global
op value.
Change-Id: Ie07dbb1f45803cf93b45df2173f0ad064a194cb3
CRs-Fixed: 2439827
Add gTxAggSwRetry for tx aggregation case, and
Add gTxNonAggSwRetry for non tx aggregation case.
Change-Id: I92265fb4e279eaf63c45f0134f997df02bca8737
CRs-Fixed: 2436305
Currently, the function csr_save_tx_power_to_cfg does not
update the max_tx_power_24/5 length before it copies the
max_tx_power_24/5 data. Then the channel and tx power info
is not complete.
Change-Id: I99e4def6678b68e192f421d03ca7768b341dfbab
CRs-Fixed: 2437214
Connection is initiated with AP1, roaming to AP2 and then
roaming back to AP1.In this scenario, after assoc is done
to AP1 firmware has the pmk for AP1. Now firmware roams to
AP2 and sends roam sync indication with status as connected
and 1x is now offloaded to supplicant. Now even before 1x is
complete driver enables RSO for AP2 , due to this firmware
receives same PMK as that of AP1. Firmware flushes AP1 entry
because AP2 also has same PMK. After 1x , supplicant issues
new PMK which is sent to firmware and firmware updates this
for AP2 . Now when firmware tries to roam to AP1 and it dosent
have pmk for AP1 and it results in full EAP HS.
Change-Id: Id1a0b227cf7be12efa23f63c0abac6d3419469d5
CRs-Fixed: 2432114
For SHA384 based 11r AKMs below:
FT-FILS-SHA384, FT-SUITEB-SHA384, the FT MIC length is 24. But
the host driver has MIC length hardcoded as 16, so only first
16 bytes of MIC is copied into MIC field and the rest 8 bytes are
copied into R1KH-ID. This results in R1KH-ID and R0KH-ID parse
failure. Due to this, the host driver sends R0KH-ID as 0 to the
firmware in the R0KH-ID. So the next roaming fails in the
firmware.
For SHA384 based AKMs, add changes to reparse the association/
reassociation response FT element. Introduce new FTIE structure
with MIC defined as array of 24 bytes. With this, the R0KH-ID
and R1KH-ID will be populated correctly in to the assoc response
structure and ultimately RSO command will carry the right R0KH-ID
to firmware.
Change-Id: I5aa50145fcd3ba91b1c92d4817b7f0e4fc216e3f
CRs-Fixed: 2430828
Currently when an RRM scan is issued for beacon report request from the
connected AP, we use the current scan country code to get the op class
table for the country.
However, the AP can specify which table to use in the country IE's 3rd
byte of the country field which is not parsed and stored in the scan
country code.
For RRM Scan for beacon report request, use the 3rd byte to get the table
number from the connected AP's beacon and if no table number is present,
then use the op class table based on the country code.
Change-Id: I0911ac908d1c71676f7c1450ab260eaa732ddcb9
CRs-Fixed: 2435942
After DUT STA connected, search connected ssid from scan cache,
get each channel and put into roam scan channel map. To make sure
current home channel is always included and don't set full
channel as channel map, add home channel into roam scan channel
map directly.
Change-Id: Ifb25562259a9b7f35849b39d8e0d238e754d4f96
CRs-Fixed: 2436200
Add new ini to configure various roam trigger parameters:
1. "minimum_btm_candidate_score"
Consider the AP as roam candidate only if its score is greater
than minimum_btm_candidate_score. This value will be sent over
the WMI_BTM_OFFLOAD_CONFIG command.
2. "roam_scan_inactivity_time"
Device inactivity monitoring time in milliseconds for which
the device is considered to be inactive with data packets
count is less than configured roam_inactive_count.
3. "roam_inactive_data_packet_count"
Maximum allowed data packets count during
roam_scan_inactivity_time.
4. "roam_scan_period_after_inactivity"
Roam scan period in ms after device was in inactive state.
5. "btm_roam_score_delta"
Roam scan delta value for btm triggered roam scan. This value
will be sent to firmware over the WMI_ROAM_AP_PROFILE wmi
command.
6. "idle_roam_score_delta"
Roam scan delta value for Idle roam scan trigger reason. This
value will be sent to firmware over the WMI_ROAM_AP_PROFILE
wmi commnd in the roam_score_delta_param_list tlv.
7. "disconnect_roam_trigger_min_rssi"
Candidate minimum rssi value for disconnect roam trigger. This
value will be sent to firmware over the WMI_ROAM_AP_PROFILE
wmi commnd in the roam_score_min_rssi_param_list tlv.
8. "beacon_miss_roam_min_rssi"
Candidate minimum rssi value for BTM triggered roam. This
value will be sent to firmware over the WMI_ROAM_AP_PROFILE
wmi commnd in the roam_score_min_rssi_param_list tlv.
9. "bss_load_trigger_5g_rssi_threshold"
If connected AP is in 5GHz band, then consider bss load roam
triggered only if load % > bss_load_threshold && connected AP
rssi is worse than bss_load_trigger_5g_rssi_threshold.
10. "bss_load_trigger_2g_rssi_threshold"
If connected AP is in 2GHz band, then consider bss load roam
triggered only if load % > bss_load_threshold && connected AP
rssi is worse than bss_load_trigger_2g_rssi_threshold.
Change-Id: Ib026251a8ec403f4376a16a91ff1b5d969336816
CRs-Fixed: 2434922
Roam channel map is got by searching current ssid in scan db,
if hidden ssid, probe resp has ssid, but beacon usually has
NULL ssid.
Use new scan structure in csr_init_occupied_channels_list
Change-Id: I9758cb30b83a7c0c3d221b7178ffb607f0911593
CRs-Fixed: 2432223
If csr_is_security_match() call csr_validate_any_default(), it passed
NULL pointers of some input parameters, check these pointers before
de-reference it.
Change-Id: I2cbd9f680c8a90919599db3af5b522ccb760892d
CRs-Fixed: 2423713
Add policy manager support to avoid simultaneous connections on
STA plus STA concurrent interfaces when
WMI_SERVICE_STA_PLUS_STA_SUPPORT is not set.
Change-Id: I73e65c56a98908128d56af2f4fba8ced5210fff1
CRs-Fixed: 2427828
Unicast probe requests are sent to AP even though
beacons or probe responses from AP contain MBO IE
with assoc disallowed bit set. In another scenario
where AP rejects association with retry delay of 60
secs, unicast probe requests are being sent to AP
as part of scan for ssid during connection within
the retry delay.
Fix is to reject connection when assoc disallowed
bit is set in MBO IE and also not trigger scan for
ssid when get_scan_results fails due to rssi reject.
Change-Id: I855cf397ff7e3869fb1eceeddc1db5d109790465
CRs-Fixed: 2433740
Add support for new wmi command WMI_ROAM_DEAUTH_CONFIG_CMDID
to send disconnect roam trigger parameters and the
new wmi command WMI_ROAM_IDLE_CONFIG_CMDID is used to send the
idle roam trigger parameters. Fill the parameters from csr to
roam request and send it as part of RSO start command to
firmware.
Fill the corresponding parameters in
csr_update_roam_scan_offload_request(). This will be sent to wmi
and the params will be copied to the wmi command buffer.
Change-Id: I3d863a3ec8c5608d47e600c760d7b3406703a953
CRs-Fixed: 2431490
Currently, lim_process_sme_disassoc_cnf,
lim_process_sme_disassoc_req, lim_process_sme_deauth_req and
sme_qos_request_reassoc does not do null validation for session
which can lead to null pointer derefrence.
Add null pointer check for session in lim_process_sme_disassoc_req,
lim_process_sme_deauth_req,lim_process_sme_disassoc_cnf and
sme_qos_request_reassoc before usage and send failure to sme.
Change-Id: I0efe4e98a8dd26767309ed1e6b668a6267a4b770
CRs-Fixed: 2423887
During LFR3 driver post the message to add the scan entry in
scheduler to scan module and continue with roaming and send roam
event to CFG layer. Also it set the new AP' scan entry in scan
module as associated, to avoid age out of the entry.
Now as the message posted to scan module will get schedule after
roaming is complete, if new AP's entry is not present in CFG scan
cache the roam indication to CFG may fail. Also if it's not present
in the driver cache the new AP's entry may AGE out and channel will
not be added in occupied list, used for roaming.
Thus update the scan entry in scan module and CFG in same context.
Change-Id: I2c5f165b43d48a0b0b54fdf08a0e53b31fac07aa
CRs-Fixed: 2435410
In SAP if a peer is disconnecting, so CSR roamstate is set to
eCSR_ROAMING_STATE_JOINING. Now if at the same time another peer
is trying to connect, eWNI_SME_UPPER_LAYER_ASSOC_CNF will be dropped
in eCSR_ROAMING_STATE_JOINING state.
Fix this by processing eWNI_SME_UPPER_LAYER_ASSOC_CNF in
eCSR_ROAMING_STATE_JOINING state.
Change-Id: I7d4347013eca494e537aaeb4468814238cb3fca6
CRs-Fixed: 2430840
Validate cfgLength to the upper bound before using it in copy
inside csr_get_cfg_max_tx_power()/lim_get_dot11d_transmit_power.
Change-Id: Ibcc1f145db9b902a29a0332553323d0a3ac6b2ff
CRs-Fixed: 2423707
If the FW doesn't send the ext service ready event, and
thus the host does not get the max chainmask that both
the macs can support, the host still updates the ini
with the minimum of the host, and FW config, which can
lead to functional issues in connection, and scan.
Fix is to honour the setting only if the FW sends a non
zero positive chainmask for both macs.
Change-Id: I2a321923a2f995cca20cef3980acb1bf41ca0db0
CRs-Fixed: 2429584
Pointer 'req' is dereference before null check which can lead
to null pointer dereference.
Pointer 'body' is never null check after allocation of memory.
qdf_mem_malloc can return null and when pointer 'body' is
dereference, it can lead to null pointer dereference.
Change-Id: I62f26341079d4849c56f7d35d0b7c64df6b49f3b
CRs-Fixed: 2424010
