Check for stats ext info data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and stats_ext_info
size from max allowed size when validating stats ext
info data length.
Change-Id: I34e35a0aab396af3d93a0f61e0ab6a2da09f22ab
CRs-Fixed: 2227263
In the API sir_validate_and_rectify_ies, the driver rectifies
the RSN IE, if the AP hasnt filled the RSN capabilities in the
beacon/probe response, but has filled the length of IE as extra
2 bytes meant for the RSN capabilities.The driver tries to repair
these kind of frames and fills the last 2 bytes of RSN IE with
default RSN capabilities, to prevent the failure of unpacking
the IEs in unpack-core. But, the driver may write these default
RSN capabilities into some other allocated memory, because the
allocated memory is only the frame length, which would result
in OOB write.
Fix is to allocate some reserve bytes in the frame
for these type of issues.
Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2232542
In function wma_form_rx_packet, mpdu_data_len is calculated as
(buf_len - mpdu_hdr_len). If the value of buf_len is less than
mpdu_hdr_len, then a integer underflow would occur while calculating
mpdu_data_len.
Add sanity check to return invalid if buf_len is less than mpdu_hdr_len.
Change-Id: I4522eadb65f6cd8b210ba071a91e53008eec042c
CRs-Fixed: 2230318
For LFR2.0 roaming policy, firmware will indicate roam event with
WMI_ROAM_REASON_SUITABLE_AP reason even ROAM_SCAN_OFFLOAD_STOP cmd
set with WMI_ROAM_SCAN_MODE_ROAMOFFLOAD, it doesn't obey LFR2.0
roaming policy design. Root cause is firmware only disable roam
scan with ROAM_SCAN_OFFLOAD_STOP cmd which must set scan mode with
WMI_ROAM_SCAN_MODE_NONE.
Fix is to always set scan mode with WMI_ROAM_SCAN_MODE_NONE for
LFR2.0 when host send ROAM_SCAN_OFFLOAD_STOP cmd.
Change-Id: Id5e8325f2767023daacd3dbd4104ce768de3857d
CRs-Fixed: 2228315
Association request initiated by the host contains
the RSN capabilities which contains both the flags
of PMF, i.e PMF required and PMF capable. The DUT
may connect to a non PMF AP or only a PMF capable AP,
if the DUT is PMK capable and not PMF required,
but connection to a non PMF AP isnt allowed
if the DUT is configured as PMF required.
In the Association request, the DUT advertises its
RSN capabilities, and accrding to them, the connection
(PMF/non PMF) happens. But these capabilities arent
sent to the firmware, so while roaming, the DUT may
connect to a non-PMF AP, as in the re-assoc request
the DUT would still advertise PMF-REQUIRED as false,
which would be violation of protocol.
Fix is to send these RSN capabilities to the
firmware as part of roam scan offload params,
to have firmware save the configuration, and
send the RE-assoc request with PMF required as
true, if the DUT supports PMF required.
Change-Id: Iff58f7ba3b2fee7a834bd625225bbb3d62f33557
CRs-Fixed: 2234977
Vdev ref count is incremented in wma_state_info_dump
and not decremented before return. This results in
vdev not deleted physically as part of wlan0 hdd_stop.
On hdd_open, a new vdev is created for wlan0 with same
mac addr as the previous wlan0 vdev. In scan, API to
get vdev by mac addr will return NULL since the first
wlan0 vdev is not physically deleted and not removed from
vdev list.
Fix is to decrement vdev ref count in wma_state_info_dump.
Change-Id: I67c90a721643f5bb7c6e212846f6d398055a6672
CRs-Fixed: 2233997
Remove duplicate structs wmi_dual_mac_config and sir_dual_mac_config
and use policy_mgr_dual_mac_config.
Change-Id: I6da6539f519ec46ee274ba3f3ae042e5fd9c25d2
CRs-Fixed: 2190993
Use get_wmi_unified_hdl_from_psoc instead of GET_WMI_HDL_FROM_PSOC due
to incompatible return types.
Solve renaming dependencies with common side changes.
Change-Id: Ie84641327d64876877c7d26b63d632c79770a88c
CRs-Fixed: 2203055
Presently, fw_crash_timeout is disabled as a result of which if
timeout happens for any VDEV related WMI command and device goes
in bad state, no assert or recovery is getting triggered. Due to
this, device crashes at some later point of time at some random
location making debugging difficult.
Enable fw_crash_timeout and trigger recovery if recovery is enabled
otherwise assert.
Change-Id: I9e9e51cba8086bd181be28884c490f0bd77663a8
CRs-Fixed: 2229101
Replace typos "sucess" and "sucessful" with correct spellings
"success" and "successful"
Change-Id: I30746cbab4533da9b052261fa9bb87214188138b
CRs-Fixed: 2237724
wlan_objmgr_get_vdev_by_macaddr_from_psoc and wlan_objmgr_get_peer
API's definitions have been changed to include pdev_id as an
argument.
Modify the callers of these APIs to include pdev_id as argument.
Change-Id: I3d0de6a0bc1dfefbe1b3cad51ec23f703baaf3ad
CRs-Fixed: 2210728
wma_is_service_enabled can't get valid service bitmap if call in
hdd_update_pmo_config, use psoc_ctx->caps.unified_wow instead to check
pattern id per vdev and legacy d0 wow capability.
Change-Id: If7bf316f482c49253fc4b95b94e172727b27ffd1
CRs-Fixed: 2225847
In the API wma_process_pdev_hw_mode_trans_ind
the host doesnt check the upper limit of
num_vdev_mac_entries received from the firmware,
and fills the same to the host structure
hw_mode_trans_ind, which may cause OOB write.
Fix is to check for the max vdev supported in the
same API and return if the condition is false.
Change-Id: I54a9e12f777b87b49057d6c97c06ab71b9ad1d77
CRs-Fixed: 2221965
In the function wma_set_epno_network_list,
req->networks[i].ssid.ssId is copied into the destination
params->networks[i].ssid.mac_ssid. But the ssid length is not
considered while copying and WMI_MAC_MAX_SSID_LENGTH is used as
the length for copying. This might result in possible buffer
overread if the ssid length is not WMI_MAC_MAX_SSID_LENGTH.
Similar issue is seen in wma_pno_start also.
Use pno->aNetworks[i].ssId.length as the size to mem copy the
ssid to the destination ssid buffer.
Change-Id: Id3f579da97e398663b7d583f5f46d4671eabeae3
CRs-Fixed: 2233682
cdp_get_pn_info() would output wild pointers and cause NULL
pointer reference in wma_is_ccmp_pn_replay_attack().
Add pointer check in wma_is_ccmp_pn_replay_attack().
CRs-Fixed: 2232554
Change-Id: Ic2e5487468aaced91d6567005bbe66a7c065f088
Log reason code while flushing logging events to precisely know
the reason of failure.
Change-Id: Ibe26563780f165e85490c54c2b4f83d959a3587f
CRs-Fixed: 2235138
Move chanmode_to_chanwidth API to qcacmn since it will be used by ndp
schedule update event.
Change-Id: I13d00c0b818eb0da434c8a5372b2ab7b6693f22a
CRs-Fixed: 2216803
Add GRO support and make it configurable through INI(GROEnable).
GRO and LRO are mutually exclusive. Only one of them can be enabled.
And disable GRO during following conditions
1) Low TPUT scenario
2) Concurrency cases
3) For Rx packets when Peer is not connected
Change-Id: I15535827a03953231670d4138235c4876b16e045
CRs-Fixed: 2098772
In wma_fill_roam_synch_buffer, fils_info is received from the FW
as part of roam synch event and contains kek_len and pmk_len. These
lengths are used to copy the kek and pmk from the FW buffer to the
roam_synch_ind_ptr respectively.
If the kek_len exceeds the SIR_KEK_KEY_LEN_FILS or pmk_len exceeds
the SIR_PMK_LEN value, a buffer overwrite would occur during
memcpy.
Add sanity check to return error if kek_len exceeds SIR_KEK_KEY_LEN_FILS
or if pmk_len exceeds SIR_PMK_LEN.
Change-Id: I8035c54cb4cbd5b4065646377f7d1d2824f9c436
CRs-Fixed: 2226386
In function wma_get_arp_stats_handler avoid un-initialized
access to arp rsp_stats by initializing it to 0s.
Change-Id: I95c41f89740bff276ed5c6736b4ad9da3ef6ce87
CRs-Fixed: 2232401
CCMP and GCMP both have different lengths of their MIC part. MIC
length for CCMP is 8 bytes whereas it is 16 bytes for GCMP. When
encryption type is GCMP/GCMP-256, sending packets with CCMP MIC
length causes fw to drop the GCMP encrypted management packets
leading to connection issues.
Send GCMP encrypted frames with GCMP MIC length.
Change-Id: Ia83fa6ffde880fe69e5e4c3e3c3ce9c62ad8fa3c
CRs-Fixed: 2203224
If any WMA request is queued in wma hold req/vdev resp queue after fw
has crashed and sent the corresponding uevent to HOST, request will
timeout and if at the same time, SSR is also going on, it may lead to
various issues and crashes.
Check whether target is ready or not before queuing any request
in wma hold req/vdev resp queue.
Change-Id: I358841566f858e115b3b04f12f4d8b70b75d1dfc
CRs-Fixed: 2226497
Log the reg-domain parameters when sending command
WMI_PDEV_SET_REGDOMAIN_CMDID to FW.
Change-Id: I9cc9437b9b9be9a1f7c58ca08a7d6456f9bdebcf
CRs-Fixed: 2229604
Video/audio wireless application needs to tune parameters
per AC based. Config the number of TX sw retry per AC via
driver INI configuration file. It helps to improve the
video/audio performance in noisy environment.
Change-Id: Icffb5174b265b6453021b0d0a8ad3e12b695847a
CRs-Fixed: 2212954
The routine wma_roam_synch_event_handler sends roam indication to the
upper layers. It uses the vdev_id of the synch event to pass the roaming
indication for the vdev session. If the vdevid exceeds the max_bssid
supported, then OOB write occurs in wma_roam_synch_event_handler.
Add check to validate vdev doesnot exceed the maximum bssid configured.
Add check to ensure vdev doesnot exceed max_bssid and return error if
violated.
Change-Id: Ief8b5070fd6cbb375900e2816524dbd946c5238d
CRs-Fixed: 2206569
Video/audio wireless application needs to tune parameters
per AC based. Configure A-MPDU subframe parameter per
AC via driver ini configuration file.
Change-Id: Id63be7aacf6465edee08f7a2f4c8a119f9bd6346
CRs-Fixed: 2212932
In the function wma_vdev_start_resp_handler when we recieve a
vdev start response event, we copy the req_msg->user_data to the
object hidden_ssid_restart of the structure
tpHalHiddenSsidVdevRestart. If hidden_ssid_restart_in_progress
flag is set for the corresponding vdev_id, then we post that
message to the PE and free the hidden_ssid_restart. If this
req_msg->user_data is used again if req_msg->msg_type is
WMA_CHNL_SWITCH_REQ , then a possible Use-After-Free will occur
in wma_vdev_start_resp_handler.
When a channel switch request has occured, there will not be a
hidden ssid restart event in progress. So add check to validate
if the req_msg->msg_type == WMA_HIDDEN_SSID_VDEV_RESTART.
Change-Id: Ie3195b23ff136fbfd38fcd4d32e993d4cb016316
CRs-Fixed: 2216751
Post the LFR2 Candidate found indication to low priority scan queue
instead of SME queue to maintain order with beacon/probe frames
from Scan queue.
Change-Id: I5e8a6247a7d5200371d776bce3436104a5ba2df2
CRs-Fixed: 2226234
Add support to process MU EDCA param set in assoc response
frames and send the params to FW.
Change-Id: Ia492d1212b3c357647a89e4f98d3cfdc7ff7bbac
CRs-Fixed: 2220227
Currently there is no provision to decide delay between two roam
scans in firmware. With these new ini's, driver wants to expose
control to decide delay between roam scans:
Add ini "min_delay_btw_scans" to set minimum duration allowed between
two consecutive roam scans. Fw should not allow roam scan if duration
between two consecutive roam scan is less than min_delay_btw_scan.
Add ini "roam_trigger_reason_bitmask" to set default value of
bit-mask containing roam_trigger_reasons for which
min_delay_btw_scans constraints should be apply.
Change-Id: I2af9d5dc8e6919eeb90251d3d744e3f07705e776
CRs-Fixed: 2221779
Fix condition checked before programming user's requested chainmask to
firwmare. Get current firmware advertised phy cap for non-dbs phymode
and check if it supports all chains for tx/rx 2g and 5g.
Change-Id: I3fcef315f478403955ce400b3ba6d138a8006a01
CRs-Fixed: 2202544
Add new ini item "enable_ftopen" to enable/disable FT open
feature. There is no ini currently to disable only FT open.
Change-Id: I18280d9de77857b15698eb233ba4ec71089beb06
CRs-Fixed: 2214766
The routine wma_unified_debug_print_event_handler logs the data from debug
print event handler. The param event data from firmware is copied to a
destination buffer .If the maximum size of the data exceeds or equals
BIG_ENDIAN_MAX_DEBUG_BUF for big endian hosts then possible OOB write will
occur in wma_unified_debug_print_event_handler. For other hosts, OOB read
could occur if datalen exceeds maximum firmware message size
WMI_SVC_MAX_SIZE.
Add check to validate datalen doesnot exceed the maximum firmware msg size
WMI_SVC_MAX_SIZE. Return failure if it exceeds.
Add check to ensure datalen doesnot exceed or equal the maximum buffer
length value for big endian hosts BIG_ENDIAN_MAX_DEBUG_BUF.
Add null termination at the end of the data recieved from the firmware.
Change-Id: Ibb662cb8e17ef8be8b7591308c422a78b71e331a
CRs-Fixed: 2222533
When SSR is in progress, WMI commands for peer and vdev deletion
will not be sent to FW. Do not wait for peer deletion for it will
always lead to timeout since peer delete command will not be sent.
And the check is not needed since vdev delete command will not be
sent, either.
Change-Id: Ib6f921a7c7ff09bf30ed19b443a30542db2b51a3
CRs-Fixed: 2217366
The SoftAP VSTA feature was introduced to overcome a limitation in a
prior version of WLAN hardware. Since the WLAN hardware supported by
this driver does not have this limitation, remove the feature code.
Change-Id: I1f2fe31b294fb7b2da1fa8619b3380412c5d872e
CRs-Fixed: 2224817
As many as 5 vdevs can be created, which is defined by MAX_SME_SESSIONS.
But flow control pools are only valid for active TxRx capable vdevs.
Which is 3 active vdev starts. So attach flow pool creation to vdev_start
instead of vdev_attach.
Change-Id: I137676ba618aa3a6684c7d17ef7d9263c4df6efe
CRs-Fixed: 2179220
Add new ini item "ho_delay_for_rx" to set delay Hand-off
period. For LFR 3.0 roaming scenario, once roam candidate
is found, firmware waits for minimum this much duration
to receive pending rx frames from current BSS before
switching to new channel for handoff to new AP.
Change-Id: Ided9a81e9402259f5df6b42926b3fa336b6bb4d0
CRs-Fixed: 2221748
WMI cmds should be blocked, before calling HTC stop
to avoid the race condition in the system
Change-Id: I677c55cd96ea6af973595eec1e759641fbea109a
CRs-Fixed: 2193653
The change for the CR 2211133 caused compilation issue in LE
branches. This reverts commit with
change Id-I45943ae76d8fcf7b53e1f064c462d01cd6d00dcf
Change-Id: I069f1a4ae8ad320f5a073ee072dd772e05c5fc5d
CRs-Fixed: 2222536
