Currently event->vdev_id, received from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.
Add sanity check to make sure vdev_id is less than max_bssid before
using it.
Change-Id: I9fd97e430532c597a6c4b4e42b5dfaddba628ffb
CRs-Fixed: 2119442
The functionality that handles tAniIbssRouteTable is no longer
present, so remove the associated function prototype and data
structures.
Change-Id: I80eebe7494bf60b46165e0bd1eea04ce0f23c44b
CRs-Fixed: 2352149
Remove the duplicate channel info in vdev_start_params and
its sub structure channel, so that implementations
can use the channel sub structure directly.
Change-Id: Ib1c4e47639f6a4883b944200c3649dc54bb2c59a
CRs-Fixed: 2350648
In wma_remove_peer_on_add_bss_failure, wma is returned from
cds_get_context(). This is not validated for null before being
passed to wma_remove_peer where dereference can occur.
Validate wma against null before passing it to wma_remove_peer.
Change-Id: Ia0323d88a719b6f6bfae058ddf499650a5c078a7
CRs-Fixed: 2350512
In High Latency interfaces, do not wait for download complete when
management over wmi service is enabled.
Change-Id: I7e1e175fdf5b4c836c504a7a816be4f98d4451a0
CRs-Fixed: 2341451
Fill the cmn nss chains structure from the mlme
nss chain params structure and send to fw
Change-Id: I573b0df20be31af536107f0585e7fa825dc2b6b3
CRs-Fixed: 2349823
Define two different mlme priv obj structures
based upon the flag CONFIG_VDEV_SM, for the
support of dynamic nss, chains update.
Change-Id: I00f39eb82973da86233ddfc8bdcc94b6ca8a439a
CRs-Fixed: 2349200
Add prefix NSS_CHAINS to band info to remove duplicate band
info in driver, and minor code cleanup.
Change-Id: I3a8446af6b6c272cfcb19583540e2384f64e3a1a
CRs-Fixed: 2347624
Accept the command to change the dynamic params like nss
and chains only when the vdev is in connected state for
STA/P2P-CLI, and in start state in case of SAP/P2P-GO.
Change-Id: Id4d2e3c4ac6745e25c7005af0b3c95e3e1db4533
CRs-Fixed: 2347488
For fw to store the dynamic config, the host needs to send
the vdev params to fw before vdev start.
Send the vdev ini params to the fw before vdev start.
Change-Id: I83a93481bae8452eb47f9a14d1978e8d8dd02f03
CRs-Fixed: 2347498
In case PEER sends BW as 80MHz in OPmode IE in 2.4GHz, driver doesn't check
the SAP session BW and allows this BW in PEER assoc command to firmware.
Fix this by limiting the PEER BW to less than or equal to SAP session
BW.
Change-Id: Icf9e53fec32d30e5620e51b8664b0e92ba2b26d6
CRs-Fixed: 2346537
If the wma_remove_peer fails, the caller can still proceed to
start vdev hold request timer for WMA_DELETE_STA_REQ. The Host
driver does not stop the timer and this results in page fault
when the timer is expired.
Check the return status of wma_remove_peer and send failure
to the caller of wma_remove_peer.
Change-Id: I63d0dfefb183cf1a88b1f7abb2686b2dfdc6bd79
CRs-Fixed: 2348248
Quiet timers and TX control API are no longer used and are dummy APIs
which are dropped in WMA layer. Thus remove this unused code.
Change-Id: I77617df14093806f19c0d587e953f63ae86f8ffe
CRs-Fixed: 2348271
Support Rate control and rate control update events
for pktlog by enabling the events in
WMI_PDEV_PKTLOG_ENABLE_CMDID message.
Change-Id: I9281fcd7c632ba19a84a6eb2c0dff49a172fd70d
CRs-Fixed: 2340635
As part of tdls peer assoc request, WMI_SERVICE_PEER_ASSOC_CONF is
checked and a timer of 6 sec is started. But, in case of any failure
for peer assoc in host, this is not stopped and waited for timer to
expire and sends the response with failure status.
Stop the peer assoc confirm timer and send the add sta response with
failure status in case of any failure in host.
Change-Id: If6ba6aa1297afaea1fd86bf406dcbb6e4e461d25
CRs-Fixed: 2345086
Replace QDF_BUG(0) with a call to cds_trigger_recovery() in
wma_remove_peer(), as it is a possible scenario for NDI
since the NDI vdev is managed by FW.
Change-Id: Ief8a37c732a1feebe3a78f2f03da791712398d43
CRs-Fixed: 2346252
It doesn't update wma_handle->num_dbs_hw_modes after event
WMI_SERVICE_READY_EXT_EVENTID comes and re-allocate hw_mode_list,
which will potentially cause OOB read of hw_mode_list.
Change-Id: I8e4aa13120bfe185fba3e0000cf289406b6bcfce
CRs-Fixed: 2336889
The primary data structure used within the protocol stack is currently
named sAniSirGlobal. This naming is problematic for two reasons.
First, the "Ani" and "Sir" are archaic references that should be
replaced throughout the driver. Second, camelCase is frowned upon by
the Linux coding style. In order to address these issues, rename
sAniSirGlobal to mac_context.
Change-Id: Ibaaeb5296e42a24c66d4adf4f720d32a9ae41888
CRs-Fixed: 2345128
This fixes below build error.
format '%lu' expects argument of type 'long unsigned int',
but argument 6 has type 'unsigned int' [-Werror=format=]
Change-Id: I54b2e171ab5c7799af3e23a5d1fd8d4cb3034983
CRs-Fixed: 2344741
Add the following HT Caps related INI/CFG items to MLME component.
gShortPreamble, CFG_HT_AMPDU_PARAMS, CFG_EXT_HT_CAP_INFO,
CFG_HT_INFO_FIELD, gEnableAMPDUPS and gMaxAmsduNum.
Change-Id: I019961016a2f0e39c7c62066c04788d3bd3d37e7
CRs-Fixed: 2318579
In function wma_send_bcn_buf_ll, bcn info is filled from
wma handle by mapping the vdev id. For valid vdev id also wma_handle
could have NULL beacon info. So, check for NULL pointer before
accessing the bcn pointer.
Change-Id: I660c8231801eb28962edc364a139e7980febb71e
CRs-Fixed: 2336946
When SSR is in progress, when trying to remove self peer, if
wma_remove_peer() is failed then wma_vdev_detach() doesn't send del sta
response and wma_self_peer_remove() can still proceed to start vdev
hold request timer. This can lead to skip of vdev reference count
release by wma acquired during vdev attach.
To address this, release vdev reference count when self peer remove is
failed and when del self sta request is timed-out.
Change-Id: I2703261a848983b10798cb8ec74d1cec5a393ce5
CRs-Fixed: 2342453
Currently Napier FW WAPI TX/RX initial PN logic is fit for WIN
host, modify MCL host to align with WIN so that WAPI can work.
Change-Id: I0b49a25e75d1e9c4856daf8648d6561486005ba9
CRs-Fixed: 2323152
In error cases of set hw mode, set dual config etc are not handled
in all scenarios and thus the active cmd is not removed in this case
resulting in active cmd timeout.
Fix this by handling and sending failure resp for all the error
scenarios.
Change-Id: I21151798f58bf9816458430d96c7fd1d5f0ee07f
CRs-Fixed: 2341816
Some target which support sending mgmt frame based on htt would DMA
write this PMF tx frame buffer, it may cause smmu check permission
fault, set a flag to do special DMA map.
Change-Id: I3686be211374d2c316726fa3248dedce87c3faed
CRs-Fixed: 2332329
Remove legacy cfg items definitions and related macros for the
converged CFG items.
Change-Id: I12944f50d68dafe989417dda777f29a6233c97a4
CRs-Fixed: 2340856
In wma_vdev_resp_timer(), while handling WMA_DELETE_BSS_REQ if
wma_crash_on_fw_timeout() is true, SSR is triggered, but timer
event_timeout isn't destroyed, wma_target_req, and user_data
isn't freed, resulting in timer and mem leak.
Change-Id: Ic47af43de671d195c6addd0360b96305af15d9bf
CRs-Fixed: 2337211
Currently if ADD_BSS_REQ vdev_start request times out, the
wma_vdev_resp_timer notifies this as ADD_BSS_RSP with failure status
to the upper layer and the SAP FSM moves from STARTING to DISCONNECTED
state. After this the WMA_DEL_STA_SELF_REQ is sent to the FW which does
a VDEV delete. However in cases where the ADD_BSS_REQ has been sent to the
FW but the response has not been received, the FW has the VDEV in started
state and asserts if a VDEV delete is sent without sending a vdev stop.
Send VDEV stop to the FW in case ADD_BSS_REQ times out in
wma_vdev_resp_timer.
Change-Id: Ib2b95d38cb7fd36b02a738a73dbc1f8102d2169e
CRs-Fixed: 2323293
Wireless application needs to tune parameters per AC based.
Such as VI/VO queue use the different re-transmission attempts
while other queue keeps the default value. It helps to improve
the video/audio performance in noisy environment. This change
adds the ability to config re-transmission attempts of non
aggregation QOS packets.
Change-Id: I95404302463275803e3feff3038f04c900b14705
CRs-Fixed: 2323555
Update NSS command is removed once driver receives the tx completion
event for the beacon. If SAP is in CAC wait state driver will not
get the tx completion for the beacon and the update NSS will timeout
after 30 sec and the serialization cmds queues will get stuck.
To avoid this remove the update NSS command from active queue as
soon as beacon is sent to firmware.
Change-Id: I6f5b6bce91bdfacd4621020f313be25f74696b9d
CRs-Fixed: 2332302
To keep names of PMO ucfg APIs consistent, change some of them from
"pmo_ucfg_xxx" to "ucfg_pmo_xxx".
Change-Id: I77165be8c5c408c3f91f84a477c15be1c6ea15e8
CRs-Fixed: 2334109
Make the following updates to the extscan stop scan logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
Change-Id: Ie4a693b4a91d728a075cffad3ee368b22d9c5b2a
CRs-Fixed: 2335647
Make the following updates to the extscan start scan logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
3) Address a multitude of checkpatch issues
Change-Id: I68dc988fafb7e14b2b80d1007adf614ddff284e2
CRs-Fixed: 2335045
LFR2 uses ft reassoc, whose process is different from general
connect.
1. ft reassoc, normal reassoc and assoc, all of 3 need deliver
event WLAN_VDEV_SM_EV_START to SM, but need different handler.
2. ft reassoc send vdev start when add bss, not switch channel.
Change-Id: Ieefbcf0a28867be3c8a86d9a912143857c54fe06
CRs-Fixed: 2334194
In wma_self_peer_remove, sta_self_wmi_rsp is allocated and sent as
params to wma_fill_hold_req for WMA_DELETE_STA_REQ. However, if
wma_fill_hold_req fails and returns NULL, the memory allocated for
sta_self_wmi_rsp is not freed leading to memory leak.
Free sta_self_wmi_rsp in the error handling case for wma_fill_hold_req
in wma_self_peer_remove.
Change-Id: I8df840b39284e00a8c8be114c0fec13c3c199fc6
CRs-Fixed: 2334580
Make the following updates to the passpoint set/reset logic:
1) Exclusively use the Unified WMI data structures.
2) Refactor the vendor command processing to improve code
maintainability.
Change-Id: I39945b2cec90c3f34c81e5ca525842f1af9340f7
CRs-Fixed: 2334234
Protocol stack is supposed to be HLOS-agnostic, but there is some use of
Linux fixed-width types u8, u16, and u32. These should be replaced with
C99 fixed-width types uint8_t, uint16_t, and uint32_t so that they will
correctly be HLOS-agnostic and work on non-Linux targets.
CRs-Fixed: 2326407
Change-Id: I8f9099a0170e4f94a54cdd6cc6c2e321a29af717
Featurize MCL only WMI APIs by compiling them as a separate source.
It enables profiles/configs to selectively compile the WMI APIs
based on whether the feature is required or not.
Featurize WMI APIs and TLVs that are specific to MCL -
- DSRC
- NAN
- P2P
- PMO
- roaming
- concurrency
- STA
- Generic MCL specific WMI (STA)
Change-Id: I3b005b8f60491c7d27cf221b7505116e1b9c1a38
CRs-Fixed: 2333916
During hdd wlan reinit VDEV delete command is not sent to firmware
since cds_driver_recovery is True and it is set to False at later stage.
To fix this, remove recovery check in wma_vdev_detach to send WMI command
to FW as WMI is active during reinit phase.
Change-Id: I94b7437edbf0c5bccbc469ce01940b14b46258fb
CRs-Fixed: 2333475
Make the following updates to the extscan set epno logic:
1) Exclusively use the Unified WMI data structures.
2) Refactor the vendor command processing to improve code
maintainability.
Change-Id: I8179fd9b9acced01956232f113d656e0137231b5
CRs-Fixed: 2333537
While handling the WMI_HOST_SWBA_EVENTID WMI FW event, driver invokes
corresponding wma handler wma_beacon_swba_handler. The event argument
comes directly from the FW. Towards the end of the function,
wma_beacon_swba_handler invokes wma_send_bcn_buf_ll and passes the
original TLV structure, param_buf, as an argument. wma_send_bcn_buf_ll
pulls tim_info and p2p_noa_info from the param_buf structure. These
structures can be optionally defined in the message with zero length
resulting in them being NULL pointers. Later, throughout the function
they are then dereferenced without ever checking if they are in fact NULL.
Fix is to make sure in wma_send_bcn_buf_ll, param_buf->tim_info and
param_buf->p2p_noa_info are dereferenced only after NULL check.
Change-Id: Ic27b59dd35f74413e9a978627047855e655b9ed1
CRs-Fixed: 2331956
Check if rs_results->total_num_tx_power_levels is allocated, before
checking the OOB in wma_unified_radio_tx_power_level_stats_event_handler
for new fixed_param->total_num_tx_power_levels
Change-Id: I3e3caf295fad568ecc8e294e6224356ea8a84da6
CRs-Fixed: 2333042
When vdev restart response is received for channel switch during
CSA, we set the phy mode in firmware and then send vdev up. But
even if the restart request has failed host sends vdev up. This
is wrong as firmware expects vdev up only after vdev start is
successful.
If vdev restart is rejected don't send vdev up to firmware.
Instead send WMA_SWITCH_CHANNEL_RSP with failure status.
Change-Id: I1f1ba860abeb0d25e90fd9b9977f02153aca81af
CRs-Fixed: 2331485
Below APIs log failure with caller information,
so no need for logs at caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I5d7d49811d71f83ecafccd9f936af323073b32c6
CRs-Fixed: 2327098
PLD FW down uevent is asynchronous which races against all critical
driver transition events like probe, remove, shutdown, reinit and
hence move wmi_stop to wma shutdown notifier callback such that it's
protected against all critical driver transition events.
Change-Id: I91046efeab8bc13b9f5c37d5a4d02b66c63e35a9
CRs-Fixed: 2330980
Add bound check for new fixed_param->total_num_tx_power_levels
with its old value of rs_results->total_num_tx_power_levels in
wma_unified_radio_tx_power_level_stats_event_handler.
rs_results->tx_time_per_power_level is allocated only once
if it has not been already allocated. This allocation is saved
into the global wma_handle structure.
If multiple invocations of this handler occur then a buffer
overflow can occur in the following scenario:
1. First message is used to allocate rs_results->tx_time_per_power_level
with a small, but valid size.
2. Second message skips allocation of rs_results->tx_time_per_power_level
since it was done with the first message. This message specifies a larger
valid value and causes the qdf_mem_copy() to overflow.
Change-Id: Ib9c7d3bd667e2ffc1408cd7356be35985331e028
CRs-Fixed: 2327688
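
The two tx power level commits above (CRs-Fixed 2333042 and 2327688) describe an allocate-once buffer whose size must bound every later firmware event, with the comparison applied only once the buffer exists. The following is an added example, not code from the driver: the structs, `handle_event`, `MAX_LEVELS` and the sample events are hypothetical stand-ins that model that check.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_LEVELS 256u  /* assumed sanity cap, not a driver constant */

struct radio_stats {     /* hypothetical stand-in for the cached rs_results */
    uint32_t total_num_tx_power_levels;  /* size the buffer was allocated with */
    uint32_t *tx_time_per_power_level;   /* allocated once, reused afterwards */
};
struct fw_event {        /* hypothetical model of the firmware-supplied fields */
    uint32_t total_num_tx_power_levels, power_level_offset, num_tx_power_levels;
    const uint32_t *values;
};

/* Returns 0 if the chunk was copied, -1 if the event was rejected. */
int handle_event(struct radio_stats *rs, const struct fw_event *ev)
{
    uint32_t total = ev->total_num_tx_power_levels;
    uint32_t off = ev->power_level_offset, n = ev->num_tx_power_levels;
    if (total == 0 || total > MAX_LEVELS)
        return -1;
    if (off > total || n > total - off)  /* chunk must fit the claimed total */
        return -1;
    if (rs->tx_time_per_power_level) {
        /* Already allocated: bound by the size recorded at allocation. */
        if (total > rs->total_num_tx_power_levels)
            return -1;
    } else {
        /* First event: nothing to compare against, allocate and record. */
        rs->tx_time_per_power_level = calloc(total, sizeof(uint32_t));
        if (!rs->tx_time_per_power_level)
            return -1;
        rs->total_num_tx_power_levels = total;
    }
    memcpy(rs->tx_time_per_power_level + off, ev->values, n * sizeof(uint32_t));
    return 0;
}

/* Replays three constructed events; bit i is set if event i was accepted. */
unsigned replay_constructed_events(void)
{
    static const uint32_t v[64] = { 7, 7, 7, 7 };  /* constructed sample data */
    struct radio_stats rs = { 0, NULL };
    struct fw_event ev[3] = { { 4, 0, 4, v }, { 64, 4, 60, v }, { 4, 2, 2, v } };
    unsigned accepted = 0;
    for (unsigned i = 0; i < 3; i++)
        accepted |= (unsigned)(handle_event(&rs, &ev[i]) == 0) << i;
    free(rs.tx_time_per_power_level);
    return accepted;
}
```

The second constructed event claims 64 levels against a 4-entry buffer and is rejected; without the comparison against the recorded size, its copy would write 60 entries past the allocation.
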
When interface change timer expires, wma_wmi_service_close() is
called from hdd_iface_change_callback()->hdd_wlan_stop_modules()
->cds_close(). wmi_handle is made null here. At the same time,
if there is a modem reboot, host will receive early
indication from FW. Due to this, icnss driver sent
ICNSS_UEVENT_FW_DOWN event to host and it calls wmi_stop() again
from icnss_call_driver_uevent()->pld_snoc_uevent()->
wlan_hdd_pld_uevent() -> wlan_hdd_set_the_pld_uevent()->
wma_wmi_stop() -> wmi_stop(). As wmi_handle which was marked
null during wlan stop modules, this causes potential NULL
pointer dereference.
Flush iface_idle_work before wma_wmi_stop and add NULL check
before accessing wmi_handle.
Change-Id: I1bfa8ab7329040c0b5ba989c0d7de7bf7228dd35
CRs-Fixed: 2328575