Commit Graph

1099 Commits

Author SHA1 Message Date
Pragaspathi Thilagaraj
fda1af6bef qcacld-3.0: Fix OOB write in wma_passpoint_match_event_handler
In the function wma_passpoint_match_event_handler, fixed param event data
from firmware is filled in the destination buffer and indication is sent
to upper layers. The buffer allocation is done for the size
(wmi_passpoint_event_hdr*) + event->ie_length + event->anqp_length. The
maximum firmware event message size is WMI_SVC_MSG_MAX_SIZE. If either,
ie_length and anqp_length combined is greater than WMI_SVC_MSG_MAX_SIZE or
either of the two exceeds WMI_SVC_MSG_MAX_SIZE, an OOB write will occur in
wma_passpoint_match_event_handler.

Add check to ensure either of the values ie_length or anqp_length or
(ie_length + anqp_length) doesn't exceed the WMI_SVC_MAX_SIZE. Return
failure if it exceeds.

Change-Id: I21f473ca0b99ebb8488f2cca3c0774817ea97c3a
CRs-Fixed: 2201190
2018-03-13 23:18:00 -07:00
Arif Hussain
d54b62c7ca qcacld-3.0: Add dfs phyerr processing
Add dfs phy error processing code.

Change-Id: I756df1052bc563d312112a7c2250f2b34224eae9
CRs-Fixed: 2203434
2018-03-13 21:01:08 -07:00
Jeff Johnson
582a3382c3 qcacld-3.0: Remove obsolete use of DPU signatures
In a previous version of the driver both unicast and broadcast DPU
signatures were used to synchronize the data plane with the control
plane. However the current version of the driver does not use this
synchronization mechanism, so remove propagation of the DPU signatures
from the UMAC. This is part of the plan to completely remove these
signatures from throughout the driver.

Change-Id: I6a1808d0905bb0c4550b16cf2b2157a529caa9e9
CRs-Fixed: 2200997
2018-03-13 07:34:56 -07:00
Kiran Kumar Lokere
9f881ae660 qcacld-3.0: Send WMI custom aggr size cmd for ampdu config
Send custom aggregation size WMI command for user ampdu
configuration

Change-Id: If2157745fa51764595d496604e6f33f2768c35f7
CRs-Fixed: 2201874
2018-03-12 15:57:31 -07:00
Kiran Kumar Lokere
3324f63c57 qcacld-3.0: Add support to set no ack policy for ac
Add support to configure no ack policy for WMM access category.

Change-Id: Idf87507b78cdaf0ac8fdfc975e4fcbe0957423fa
CRs-Fixed: 2198241
2018-03-09 00:10:33 -08:00
Kiran Kumar Lokere
bc87bec984 qcacld-3.0: Add support to send ADDBA with user config
Add support to send ADDBA request with user configured buffer
size and tid and ADDBA response with user configured buffer
size.

Change-Id: I2a1dfedadeb68a1cfca9a6eba8e7775d0bb51d1a
CRs-Fixed: 2193872
2018-03-08 22:06:01 -08:00
Naveen Rawat
d24c116d75 qcacld-3.0: Program phymode before channel width for CSA handling
In CSA handling after vdev restarts, program peer_phymode before peer_ch_wd
to firmware, since firmware cannot handle higher channel width than current
peer_phymode.

Change-Id: I12ce1a6e6c0af758e1ecc9c1d272320e5e800983
CRs-Fixed: 2201944
2018-03-08 18:46:51 -08:00
Rachit Kankane
b103562c27 qcacld-3.0: Add HTC Credit History Feature flag
Add compilation flag to compile out HTC credit History
feature cleanly from the cld-3.2 driver binary.

Change-Id: I5f5e73e430d282c99d3077fb82ed1cb8eb79715a
CRs-Fixed: 2190545
2018-03-08 18:46:38 -08:00
Krunal Soni
40c5e4425a qcacld-3.0: Self peer req is not handled properly causes P2P failure
1) When wma_self_peer_remove() API returns failure, driver triggers
recovery without checking if driver unload is in progress which may
cause driver to go in bad state.

2) when wma_self_peer_remove() API returns success, driver releases the
memory accidentally as part of I14895b0d3a19b3aaea2299311cc021ea14408f1e

Fix 1st condition by checking if driver unload is in progress. If driver
is unloading then just release the memory and return failure. If driver
is not unloading then just trigger SSR recovery, so FW can recover
silently.

Fix 2nd condition by checking the return status and release the memory
upon failure status code.

CRs-Fixed: 2197657
Change-Id: Ia08dbdac66d8641d22f6a82c29ab1a5b99309214
2018-03-06 23:45:09 -08:00
Krunal Soni
1b5debddcc qcacld-3.0: Release memory when del self sta req fails in WMA layer
The memory leak is detected in API csr_process_del_sta_session_command()
for the memory allocation of del_sta_self_req.

SME sends this message from WMA for further processing.
When WMA_DEL_STA_SELF_REQ is processed, wma_self_peer_remove() will be
called for p2p device. If wma_self_peer_remove() API is failed due to
some reason then memory needs to be freed up which is allocated through
csr_process_del_sta_session_command() API which is missing.

For any failure case, release the message memory allocated by SME either
by releasing directly in WMA when response is not required or by sending
failure response which in turn releases the memory when response is
required.

CRs-Fixed: 2192935
Change-Id: I14895b0d3a19b3aaea2299311cc021ea14408f1e
2018-03-06 23:45:06 -08:00
Dustin Brown
0b703ef927 qcacld-3.0: Remove maxWoWFilters and related
Recent changes in Power Management and Offload (PMO) have removed the
need for a configurable maximum number of WoW filters. Remove the
following relevant fields:

 * maxWoWFilters
 * CFG_MAX_WOW_FILTERS_MAX
 * WMA_STA_WOW_DEFAULT_PTRN_MAX
 * max_wow_filters
 * ol_ini_info

Change-Id: I99cc74731d6373258dc65473a8342bda0ab2786b
CRs-Fixed: 2199452
2018-03-05 23:33:27 -08:00
Dustin Brown
b9987afb2c qcacld-3.0: Update firmware filter config (part 1)
In order to conserve firmware memory when various filtering features are
not in use, update the target configuration provided to firmware based
on the intersection of various filtering features and host
configuration.

Part 1
	num_wow_filters = ARP/NS offload enabled ? 2 : 5
	bpf_instruction_size - BPF enabled ? 0 (auto) : 0xffffffff

Part 2 (pending firmware support)
	pkt_filter_num = Packet Filter enabled ? 12 : 0 (disabled)

Change-Id: Ic6624ff04598b53d8321e4864618b12b9702780f
CRs-Fixed: 2196997
2018-03-05 21:43:46 -08:00
Arif Hussain
d15902ccd5 qcacld-3.0: Fix possible null pointer de-references in SME and WMA
Add null check to avoid null pointer de-references.

Change-Id: I8a93f269467bbb0dec5610ae158c4f5dc9658a12
CRs-Fixed: 2196080
2018-03-05 20:48:45 -08:00
Dustin Brown
06259e5d96 qcacld-3.0: Add ucfg_pmo_psoc_set_caps()
Provide PMO-specific device capabilities to PMO. This allows PMO to do
intersections between configuration and device capabilities.

Change-Id: If0a199f9be466d16cef900a29b14b73a2a4e52d0
CRs-Fixed: 2197828
2018-03-05 20:48:43 -08:00
Abhinav Kumar
cc86496435 qcacld-3.0: Handle error case in wma_extscan_cached_results_event_handler
Currently, driver calls wma_group_num_bss_to_scan_id API from
wma_extscan_cached_results_event_handler to group bss to scan id
table. Without checking return status of wma_group_num_bss_to_scan_id,
HDD callback is called which can lead to NULL pointer de-reference issue
in wlan_hdd_cfg80211_extscan_cached_results_ind if malloc for
t_scan_id_grp->ap fails in wma_group_num_bss_to_scan_id.

Add check for return status of "wma_group_num_bss_to_scan_id" in
wma_extscan_cached_results_event_handler before invoking HDD callback

Change-Id: I457f39404436c54feb4b555f8101895d3c1ae5d7
CRs-Fixed: 2188297
2018-03-05 13:22:31 -08:00
Min Liu
22202b703a qcacld-3.0: Peer is not deleted when delete VDEV
Failure can be observed when waiting for peer deletion
before sending WMI command. Peer deletion in VDEV stop
timeout handler also need to be handled in the scheduler
queues.

Change the logic to wait for peer delete completion
before sending message to scheduler queue to delete VDEV.

Change-Id: I78d3070a73c85d212bc33c346b3e60edf3c016f8
CRs-Fixed: 2187430
2018-03-05 07:16:41 -08:00
Abhishek Singh
1d1d3e3970 qcacld-3.0: Stop the vdev rsp timer as soon as vdev req is removed
In wma_vdev_delete_handler() once vdev req is removed from the
vdev_resp_queue the vdev rsp timer is stopped and freed after
releasing the wake lock and vdev detach callback.

So before vdev rsp timer is stopped it may get expired and
post msg in MC thread. Now once this timer msg is processed it
access the already freed memory.

To fix it stop vdev rsp timer first before releasing the wake
lock and vdev detach callback.

Change-Id: Iface6d1faaa9f801d0da7a70d548eafbd082dc48
CRs-Fixed: 2196338
2018-03-02 16:52:31 -08:00
gaurank kathpalia
85f8a61cf9 qcacld-3.0: Periodically update host time stamp to firmware for sync
qcacld-2.0 to qcacld-3.0 propagation

Send host timestamp to firmware, so that firmware can print the
logs timestamp in sync with host.

Change-Id: I1d4d223aa1c8e207941ab659f69b72a855e3a604
CRs-Fixed: 2193976
2018-02-28 23:35:44 -08:00
Kiran Kumar Lokere
0923ad8015 qcacld-3.0: Fix capability parsing in service ready event
Check the total supported mac and phy count for capability
parsing in service ready extension event.

Change-Id: Ibde9040e5adf97d53645f714e5e8981dd1a9d22a
CRs-Fixed: 2194602
2018-02-28 23:35:40 -08:00
Nirav Shah
eb017befbd qcacld-3.0: Add support for QCA9379 on x86 platform
Add support for QCA9379 chip on x86 platform for
USB and SDIO attach.

Change-Id: I2de81794cd16521097ffa6956a18b4b0fe981d36
CRs-Fixed: 2196757
2018-02-28 05:29:39 -08:00
Padma, Santhosh Kumar
9668240906 qcacld-3.0: Add support for GMAC offload
Add check for GMAC offload capability wmi_service_gmac_offload_support.
If firmware supports GMAC offload, trim MMIE when driver receives
PMF frame. Otherwise, driver calculates MIC and trims MMIE.

Also, add support for suiteB auth types during roaming in
e_csr_auth_type_to_rsn_authmode.

Change-Id: Id44f44a41297ca3e462d14905f5986f904a639fd
CRs-Fixed: 2185819
2018-02-28 01:29:51 -08:00
Venkata Sharath Chandra Manchala
2996517bbc qcacld-3.0: Enable pktlog for Helium
Add Support to enable pktlog through INI
for helium based devices.

Change-Id: I0acfcf1db8c007c5e2ce81fcb1775fd1b7a50570
CRs-Fixed: 2185210
2018-02-28 00:31:24 -08:00
Krunal Soni
a5388a25f7 qcacld-3.0: Add vdev restart when changing channel in monitor mode
While changing the channel, driver needs to add vdev restart instead
of channel switch.

Change-Id: I2d5a40aee2108feda5da5e41c6d18aab6c3a30bc
CRs-Fixed: 2182014
2018-02-27 22:17:09 -08:00
Varun Reddy Yeturu
bc1bea0956 qcacld-3.0: Send ROAM_STOP if roam synch failed
Send a ROAM_STOP command to firmware with an explicit
reason code for the failure so that it is not blocked
in WMA before sending it to firmware.

Change-Id: I4d7e2e525c145ca0e990dcef85948285e2186c63
CRs-Fixed: 2182671
2018-02-27 22:17:04 -08:00
Abhishek Singh
221cf99fdf qcacld-3.0: Cleanup unused scan code
Cleanup the unused legacy scan code.

Change-Id: Ia664f815759142e7f4ad8e648a469c63ddd003f5
CRs-Fixed: 2193917
2018-02-22 07:25:52 -08:00
Vignesh Viswanathan
08ad8a0a34 qcacld-3.0: Add vdev_id sanity check in wma_vdev_stop_resp_handler
In function wma_vdev_stop_resp_handler, resp_event->vdev_id is
received from the FW and is used to access the interfaces array in
wma_handle. This could lead to OOB read/write if the vdev_id
received from the FW is greater than or equal to max_bssid.

Add check to return failure if resp_event->vdev_id is greater than
or equal to max_bssid in wma_vdev_stop_resp_handler

Change-Id: I1af5312e6c45db3b9ba03fbf45de3d3c2a7fab20
CRs-Fixed: 2185477
2018-02-21 15:24:18 -08:00
Naveen Rawat
368858c54f qcacld-3.0: Switch order of phymode and ch_width
As part of csa or opmode IE handling program phymode param after
ch_width since firmware expects channel width to be programmed
before phymode.

Change-Id: I46e3a5e1ce94fa53e27f821e70c29e209e591865
CRs-Fixed: 2186030
2018-02-16 19:46:25 -08:00
Krunal Soni
1fd496d4f2 qcacld-3.0: Send certain DTIM params when LI offload is enabled
It is decided to centralize the logic of programming LI based on
modulated/dynamic DTIM in FW to address the concerns with LFR3.0 in WoW
mode. In order to make it work, following steps need to be performed.

1) If listen interval offload bit is enabled in service ready extension
   then,

   a) Driver needs to send "gEnableModulatedDTIM", "gMaxLIModulatedDTIM"
      and "gEnableDynamicDTIM" params' value to FW via VDEV PARAM upon
      each successful association.

   b) Driver should not program LI during suspend()/resume()

2) If listen interval offload bit is disabled in service ready extension
   then don't trigger above changes.

Change-Id: I6f94c95bd83e5846d7290d5dc752b14da5951a76
CRs-Fixed: 2187597
2018-02-14 13:02:13 -08:00
Abhinav Kumar
f9989586a6 qcacld-3.0: Scan cleanup in lim and csr
Cleanup the unused scan legacy code in lim and csr

Change-Id: Ibea328196a9453ebaae887aa4068e78c47296762
CRs-Fixed: 2184924
2018-02-14 04:02:17 -08:00
Kiran Kumar Lokere
f7662e5fed qcacld-3.0: Validate opmode update req before sending to FW
Check the current vdev supported bandwidth values against peer
opmode update value and if the peer opmode value is greater than
current supported value then do not send the opmode update request
to FW.

Change-Id: I8f360d769b5aafb90061a6a9d18f1f8062e3534e
CRs-Fixed: 2174050
2018-02-13 18:28:42 -08:00
Kiran Kumar Lokere
13dedacbdc qcacld-3.0: Update HE STBC cap and support to configure it
Update the HE STBC capability per latest spec and add support
to configure it using INI configuration and ioctl.

Change-Id: I4ecc7b600671c132c1f3968a10fb652a4311f484
CRs-Fixed: 2181114
2018-02-13 17:24:04 -08:00
Rajeev Kumar
0b071179d4 qcacld-3.0: Add vdev id sanity check in wma stats event handlers
Stats events are sent by WLAN FW based on over the air frame reception
and may contain incorrect vdev id hence sanitize vdev id received from
FW in stats events before accessing interface array based on it.

Change-Id: I4ecc73fc27285c98c0ea8cebc27955213cd68399
CRs-Fixed: 2186953
2018-02-13 15:22:07 -08:00
Kiran Kumar Lokere
6d3a30dd48 qcacld-3.0: Update DTIM value in WMA for modulated DTIM
Update DTIM value in WMA interface for modulated DTIM
calculation

Change-Id: I090cb2f33427202edb4e4272e6ac79686fec9cf8
CRs-Fixed: 2171810
2018-02-13 15:22:04 -08:00
Zhu Jianmin
a2f8e8dbe1 qcacld-3.0: wait tx complete before vdev stop
Before VDEV_STOP is initiated by host, sometimes there are
outstanding mgmt tx pkts left in FW.  need wait all tx
complete,  or peer vdev ref count keep held. In P2P GO/SAP mode,
no wait since wma->interfaces[session_id].delay_before_vdev_stop
is 0, ini relative cfg isn't passed to wma at all.

Change-Id: I1c3d137bb08624e30cc220e0fa0e31e6d6fc8a9d
CRs-Fixed: 2184096
2018-02-13 09:33:52 -08:00
Kiran Kumar Lokere
05a0658af1 qcacld-3.0: Validate CSA WBW IE before processing channel switch
Check new channel width and center frequency segments in CSA
wider BW IE before processing the channel switch and if CSA IE
has invalid data for any of these parameters then do not do the
channel switch with wider BW.
Also check for self capability for BW that is supported by device
before processing wider BW channel switch. If AP advertises the new
channel width with valid data that is greater than self capability
BW value then limit the channel switch BW to self capability.

Change-Id: I1d567e5cdc6347b56b513ea002b5a3978cb447e9
CRs-Fixed: 2182054
2018-02-12 19:52:21 -08:00
Arif Hussain
05fb4870a3 qcacld-3.0: Add bss color collision detection support
Add support for bss color collision detection.

Change-Id: Idd616ca902469f5dc446d35e63fce7fe7eb0d327
CRs-Fixed: 2130127
2018-02-11 23:20:42 -08:00
Arunk Khandavalli
4b44ef4e00 qcacld-3.0: update tgt services from converged structures
Update the services information from the target psoc info structure.

CRs-Fixed: 2178933
Change-Id: I7137ff604d680fe6eb5ff6486b59879bf52ebc91
2018-02-09 06:24:23 -08:00
Min Liu
a9df1ff921 qcacld-3.0: Fix FW assert when delete VDEV
FW assert is observed when deleting VDEV due to there are peers
not deleted.

Add check for peer number in FW before sending delete VDEV
command to avoid such issue.

Change-Id: I4cc5d4c63faf3dc8f7b9d0702f92b54b298802cb
CRs-Fixed: 2163770
2018-02-09 01:51:13 -08:00
Abhishek Singh
c87bb049d8 qcacld-3.0: Move wma_get_buf_start_scan_cmd logic to common code
Move wma_get_buf_start_scan_cmd logic to common code in
ucfg_scan_update_params.

Change-Id: Iaee8ab5b7f0c20867bf37db7509b1c1fab23579d
CRs-Fixed: 2180959
2018-02-08 23:34:34 -08:00
Arunk Khandavalli
10af728966 qcacld-3.0: use common specific mode caps
As part of convergence the mode capabilities
are extracted and saved in the target info structure.
Update the hardware mode list and pcl from the converged
structures.

CRs-Fixed: 2179003
Change-Id: I3cfc28533448c312913db3bead5d5322386f3f74
2018-02-08 07:55:38 -08:00
Himanshu Agarwal
88b16a48d0 qcacld-3.0: Register wmi_tlv_attach() through wmi_tlv_init()
Register wmi_tlv_attach() through wmi_tlv_init() for WMI
modularization.

Change-Id: I4c21fd5ddd6e58dcebfbf1b484b418c537e23e58
CRs-Fixed: 2184817
2018-02-08 06:58:25 -08:00
bings
6b41366494 qcacld-3.0: Update target type to target_type of psoc_info->info
Target type should be passed to target_type of psoc_info->info in
wma_open.

Change-Id: I657b54c6c64c40f0a0bff2cbd6c75cddc4edc921
CRs-Fixed: 2184833
2018-02-07 19:23:55 -08:00
Yeshwanth Sriram Guntuka
d18c7a27a7 qcacld-3.0: Populate correct HT MCS index in station stats
HT MCS index returned by wma_get_mcs_idx function is
between 0 and 7 for both nss equal to 1 and 2. This
results in incorrect HT MCS index for nss 2 case
populated in station stats on using iw station dump
command.

Fix is to set the correct HT MCS index based on nss.

Change-Id: Id4ac51b56bc44e90ea0e7570b387450af83ee8f5
CRs-Fixed: 2182050
2018-02-07 07:55:34 -08:00
Vignesh Viswanathan
fb9d07522e qcacld-3.0: Send 11k offload params as part of RSO to WMA
Currently 11k offload params is sent directly as a message from CSR to WMA
leading to timing issues where 11k offload params are sent to the FW
before RSO start is sent.

Send the 11k offload params as part of the RSO request from CSR to WMA
and handle the request to send the 11k offload WMA command to FW.

Change-Id: Icff7146171cdf325f3a7e5a067652669ec0270ff
CRs-Fixed: 2183161
2018-02-07 04:00:22 -08:00
Arunk Khandavalli
2462f461ab qcacld-3.0: Remove redundant wma_handle values
Update the max frag entry, ht, vht, rf chains from the converged
target psoc capabilities information and remove redundant wma_handle.

CRs-Fixed: 2178922
Change-Id: I6bfe734bac85905b0d6837bffb37d286cff2a4ff
2018-02-07 03:07:37 -08:00
Arunk Khandavalli
aaf6b14da0 qcacld-3.0: Use converged wmi service bit map
Use the converged wmi service bitmap from the
target psoc info instead extracting the same from
the ready event.

CRs-Fixed: 2178812
Change-Id: I00d61aa3cbb2a90459d4363e2ca04e297cc74187
2018-02-07 03:07:32 -08:00
Arunk Khandavalli
80a61351fb qcacld-3.0: Extract phy_capability from target psoc
As part of converged init deinit architecture, all the target
capabilities are saved as part of target_psoc_info, use the same
to update.

CRs-Fixed: 2178726
Change-Id: Iad1d0224e0fdfe1140d1600e17f3e585142eaf63
2018-02-07 02:15:12 -08:00
Will Huang
9323e8559b qcacld-3.0: Add msg.flush_callback for wma_send_msg_by_priority
If wma_send_msg with msg_type WMA_SET_LINK_STATE_RSP, tpLinkStateParams
params has a member callbackArg which is malloc from heap. If this
message is flushed when driver unload, because no msg.flush_callback is
supplied, the flush just free msg->bodyptr and callbackArg got leak.

Fix it by supplying a flush_callback as wma_discard_fw_event, and minor
change to avoid NULL pointer access.

Change-Id: Ie979a1e83cbd7c87e5bbb08382ae2af3230a13db
CRs-Fixed: 2181458
2018-02-07 02:15:08 -08:00
Vignesh Viswanathan
1f6e08faea qcacld-3.0: Add sanity check for vdev_id in wma_wow_wakeup_host_event
Currently wake_info->vdev_id, received from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.

Add sanity check to make sure vdev_id is less than max_bssid before
using it.

Change-Id: I66be7d15f370d0204e25c3d0ea60c0c9f5912005
CRs-Fixed: 2121059
2018-02-07 00:03:44 -08:00
Himanshu Agarwal
ceb9faa305 qcacld-3.0: Remove dependency on WMA layer for green AP component
Remove dependency on WMA layer for green AP component by registering
green AP events through target_if layer.

Change-Id: Ic4ea8df1928db632b8e31f0a873b74c6aff4505d
CRs-Fixed: 2167028
2018-02-06 17:32:55 -08:00