Replace typos "sucess" and "sucessful" with correct spellings
"success" and "successful"
Change-Id: I30746cbab4533da9b052261fa9bb87214188138b
CRs-Fixed: 2237724
wlan_objmgr_get_vdev_by_macaddr_from_psoc and wlan_objmgr_get_peer
API's definitions have been changed to include pdev_id as an
Modify the callers of these APIs to include pdev_id as argument.
Change-Id: I3d0de6a0bc1dfefbe1b3cad51ec23f703baaf3ad
CRs-Fixed: 2210728
wma_is_service_enabled can't get valid service bitmap if called in
hdd_update_pmo_config, use psoc_ctx->caps.unified_wow instead to check
pattern id per vdev and legacy d0 wow capability.
Change-Id: If7bf316f482c49253fc4b95b94e172727b27ffd1
CRs-Fixed: 2225847
In the API wma_process_pdev_hw_mode_trans_ind
the host doesn't check the upper limit of
num_vdev_mac_entries received from the firmware,
and fills the same to the host structure
hw_mode_trans_ind, which may cause OOB write.
Fix is to check for the max vdev supported in the
same API and return if the condition is false.
Change-Id: I54a9e12f777b87b49057d6c97c06ab71b9ad1d77
CRs-Fixed: 2221965
In the function wma_set_epno_network_list,
req->networks[i].ssid.ssId is copied into the destination
params->networks[i].ssid.mac_ssid. But the ssid length is not
considered while copying and WMI_MAC_MAX_SSID_LENGTH is used as
the length for copying. This might result in possible buffer
overread if the ssid length is not WMI_MAC_MAX_SSID_LENGTH.
Similar issue is seen in wma_pno_start also.
Use pno->aNetworks[i].ssId.length as the size to mem copy the
ssid to the destination ssid buffer.
Change-Id: Id3f579da97e398663b7d583f5f46d4671eabeae3
CRs-Fixed: 2233682
cdp_get_pn_info() would output wild pointers and cause NULL
pointer reference in wma_is_ccmp_pn_replay_attack().
Add pointer check in wma_is_ccmp_pn_replay_attack().
CRs-Fixed: 2232554
Change-Id: Ic2e5487468aaced91d6567005bbe66a7c065f088
Log reason code while flushing logging events to precisely know
the reason of failure.
Change-Id: Ibe26563780f165e85490c54c2b4f83d959a3587f
CRs-Fixed: 2235138
Move chanmode_to_chanwidth API to qcacmn since it will be used by ndp
schedule update event.
Change-Id: I13d00c0b818eb0da434c8a5372b2ab7b6693f22a
CRs-Fixed: 2216803
Add GRO support and make it configurable through INI(GROEnable).
GRO and LRO are mutually exclusive. Only one of them can be enabled.
And disable GRO during following conditions
1) Low TPUT scenario
2) Concurrency cases
3) For Rx packets when Peer is not connected
Change-Id: I15535827a03953231670d4138235c4876b16e045
CRs-Fixed: 2098772
In wma_fill_roam_synch_buffer, fils_info is received from the FW
as part of roam synch event and contains kek_len and pmk_len. These
lengths are used to copy the kek and pmk from the FW buffer to the
roam_synch_ind_ptr respectively.
If the kek_len exceeds the SIR_KEK_KEY_LEN_FILS or pmk_len exceeds
the SIR_PMK_LEN value, a buffer overwrite would occur during
Add sanity check to return error if kek_len exceeds SIR_KEK_KEY_LEN_FILS
or if pmk_len exceeds SIR_PMK_LEN.
Change-Id: I8035c54cb4cbd5b4065646377f7d1d2824f9c436
CRs-Fixed: 2226386
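
The length validation described in the commit message above, as an added example in C. This is not the driver's code: the event layout, `struct roam_synch_ind`, `fill_fils_info` and the numeric values given to the two limits are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed values for this example; the driver defines its own. */
#define SIR_KEK_KEY_LEN_FILS 64
#define SIR_PMK_LEN 48

/* Hypothetical destination, standing in for roam_synch_ind_ptr. */
struct roam_synch_ind {
    uint8_t kek[SIR_KEK_KEY_LEN_FILS];
    uint32_t kek_len;
    uint8_t pmk[SIR_PMK_LEN];
    uint32_t pmk_len;
};

/* Constructed event layout: kek_len (LE32), pmk_len (LE32), kek, pmk. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 if a firmware-supplied length is out of range. */
int fill_fils_info(struct roam_synch_ind *dst, const uint8_t *evt, size_t evt_len)
{
    uint32_t kek_len, pmk_len;

    if (!dst || !evt || evt_len < 8)
        return -1;
    kek_len = rd_le32(evt);
    pmk_len = rd_le32(evt + 4);

    /* The sanity check from the commit: reject before any copy happens. */
    if (kek_len > SIR_KEK_KEY_LEN_FILS || pmk_len > SIR_PMK_LEN)
        return -1;
    /* Extra check: the event must actually carry that many bytes. */
    if ((size_t)kek_len + pmk_len > evt_len - 8)
        return -1;

    memcpy(dst->kek, evt + 8, kek_len);
    dst->kek_len = kek_len;
    memcpy(dst->pmk, evt + 8 + kek_len, pmk_len);
    dst->pmk_len = pmk_len;
    return 0;
}
```

The second check goes beyond what the commit message states: it guards the read side, so a length that fits the destination but exceeds the received event is also rejected.
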
In function wma_get_arp_stats_handler avoid un-initialized
access to arp rsp_stats by initializing it to 0s.
Change-Id: I95c41f89740bff276ed5c6736b4ad9da3ef6ce87
CRs-Fixed: 2232401
CCMP and GCMP both have different lengths of their MIC part. MIC
length for CCMP is 8 bytes whereas it is 16 bytes for GCMP. When
encryption type is GCMP/GCMP-256, sending packets with CCMP MIC
length causes fw to drop the GCMP encrypted management packets
leading to connection issues.
Send GCMP encrypted frames with GCMP MIC length.
Change-Id: Ia83fa6ffde880fe69e5e4c3e3c3ce9c62ad8fa3c
CRs-Fixed: 2203224
If any WMA request is queued in wma hold req/vdev resp queue after fw
has crashed and sent the corresponding uevent to HOST, request will
timeout and if at the same time, SSR is also going on, it may lead to
various issues and crashes.
Check whether target is ready or not before queuing any request
in wma hold req/vdev resp queue.
Change-Id: I358841566f858e115b3b04f12f4d8b70b75d1dfc
CRs-Fixed: 2226497
Log the reg-domain parameters when sending command
Change-Id: I9cc9437b9b9be9a1f7c58ca08a7d6456f9bdebcf
CRs-Fixed: 2229604
Video/audio wireless application needs to tune parameters
per AC based. Config the number of TX sw retry per AC via
driver INI configuration file. It helps to improve the
video/audio performance in noisy environment.
Change-Id: Icffb5174b265b6453021b0d0a8ad3e12b695847a
CRs-Fixed: 2212954
The routine wma_roam_synch_event_handler sends roam indication to the
upper layers. It uses the vdev_id of the synch event to pass the roaming
indication for the vdev session. If the vdevid exceeds the max_bssid
supported, then OOB write occurs in wma_roam_synch_event_handler.
Add check to validate vdev does not exceed the maximum bssid configured.
Add check to ensure vdev does not exceed max_bssid and return error if
Change-Id: Ief8b5070fd6cbb375900e2816524dbd946c5238d
CRs-Fixed: 2206569
Video/audio wireless application needs to tune parameters
per AC based. Configure A-MPDU subframe parameter per
AC via driver ini configuration file.
Change-Id: Id63be7aacf6465edee08f7a2f4c8a119f9bd6346
CRs-Fixed: 2212932
In the function wma_vdev_start_resp_handler when we receive a
vdev start response event, we copy the req_msg->user_data to the
object hidden_ssid_restart of the structure
tpHalHiddenSsidVdevRestart. If hidden_ssid_restart_in_progress
flag is set for the corresponding vdev_id, then we post that
message to the PE and free the hidden_ssid_restart. If this
req_msg->user_data is used again if req_msg->msg_type is
WMA_CHNL_SWITCH_REQ, then a possible Use-After-Free will occur
in wma_vdev_start_resp_handler.
When a channel switch request has occurred, there will not be a
hidden ssid restart event in progress. So add check to validate
if the req_msg->msg_type == WMA_HIDDEN_SSID_VDEV_RESTART.
Change-Id: Ie3195b23ff136fbfd38fcd4d32e993d4cb016316
CRs-Fixed: 2216751
Post the LFR2 Candidate found indication to low priority scan queue
instead of SME queue to maintain order with beacon/probe frames
from Scan queue.
Change-Id: I5e8a6247a7d5200371d776bce3436104a5ba2df2
CRs-Fixed: 2226234
Add support to process MU EDCA param set in assoc response
frames and send the params to FW.
Change-Id: Ia492d1212b3c357647a89e4f98d3cfdc7ff7bbac
CRs-Fixed: 2220227
Currently there is no provision to decide delay between two roam
scans in firmware. With these new ini's, driver wants to expose
control to decide delay between roam scans:
Add ini "min_delay_btw_scans" to set minimum duration allowed between
two consecutive roam scans. Fw should not allow roam scan if duration
between two consecutive roam scan is less than min_delay_btw_scan.
Add ini "roam_trigger_reason_bitmask" to set default value of
bit-mask containing roam_trigger_reasons for which
min_delay_btw_scans constraints should be applied.
Change-Id: I2af9d5dc8e6919eeb90251d3d744e3f07705e776
CRs-Fixed: 2221779
Fix condition checked before programming user's requested chainmask to
firmware. Get current firmware advertised phy cap for non-dbs phymode
and check if it supports all chains for tx/rx 2g and 5g.
Change-Id: I3fcef315f478403955ce400b3ba6d138a8006a01
CRs-Fixed: 2202544
Add new ini item "enable_ftopen" to enable/disable FT open
feature. There is no ini currently to disable only FT open.
Change-Id: I18280d9de77857b15698eb233ba4ec71089beb06
CRs-Fixed: 2214766
The routine wma_unified_debug_print_event_handler logs the data from debug
print event handler. The param event data from firmware is copied to a
destination buffer. If the maximum size of the data exceeds or equals
BIG_ENDIAN_MAX_DEBUG_BUF for big endian hosts then possible OOB write will
occur in wma_unified_debug_print_event_handler. For other hosts, OOB read
could occur if datalen exceeds maximum firmware message size.
Add check to validate datalen does not exceed the maximum firmware msg size
WMI_SVC_MAX_SIZE. Return failure if it exceeds.
Add check to ensure datalen does not exceed or equal the maximum buffer
length value for big endian hosts BIG_ENDIAN_MAX_DEBUG_BUF.
Add null termination at the end of the data received from the firmware.
Change-Id: Ibb662cb8e17ef8be8b7591308c422a78b71e331a
CRs-Fixed: 2222533
When SSR is in progress, WMI commands for peer and vdev deletion
will not be sent to FW. Do not wait for peer deletion for it will
always lead to timeout since peer delete command will not be sent.
And the check is not needed since vdev delete command will not be
sent, either.
Change-Id: Ib6f921a7c7ff09bf30ed19b443a30542db2b51a3
CRs-Fixed: 2217366
The SoftAP VSTA feature was introduced to overcome a limitation in a
prior version of WLAN hardware. Since the WLAN hardware supported by
this driver does not have this limitation, remove the feature code.
Change-Id: I1f2fe31b294fb7b2da1fa8619b3380412c5d872e
CRs-Fixed: 2224817
As many as 5 vdevs can be created, which is defined by MAX_SME_SESSIONS.
But flow control pools are only valid for active TxRx capable vdevs.
Which is 3 active vdev starts. So attach flow pool creation to vdev_start
instead of vdev_attach.
Change-Id: I137676ba618aa3a6684c7d17ef7d9263c4df6efe
CRs-Fixed: 2179220
Add new ini item "ho_delay_for_rx" to set delay Hand-off
period. For LFR 3.0 roaming scenario, once roam candidate
is found, firmware waits for minimum this much duration
to receive pending rx frames from current BSS before
switching to new channel for handoff to new AP.
Change-Id: Ided9a81e9402259f5df6b42926b3fa336b6bb4d0
CRs-Fixed: 2221748
WMI cmds should be blocked, before calling HTC stop
to avoid the race condition in the system
Change-Id: I677c55cd96ea6af973595eec1e759641fbea109a
CRs-Fixed: 2193653
The change for the CR 2211133 caused compilation issue in LE
branches. This reverts commit with
change Id-I45943ae76d8fcf7b53e1f064c462d01cd6d00dcf
Change-Id: I069f1a4ae8ad320f5a073ee072dd772e05c5fc5d
CRs-Fixed: 2222536
The driver contains considerable debris from the obsolete WOWL
messaging, so clean it up.
Change-Id: I432f7fc1567b0aa31a7be758c05f2213340baed0
CRs-Fixed: 2223859
The function wma_del_tdls_sta is used to process delete sta
request from UMAC in TDLS. peerStateParams is a pointer to the
structure tTdlsPeerStateParams. The memory allocated for
peerStateParams is freed in the call to the function
wma_update_tdls_peer_state(). When peerStateParams is used to
access vdev_id again after free, then a use after free case will
Retrieve the vdev_id value from the del_sta structure that is
passed into wma_del_tdls_sta initially.
Change-Id: Iad7edf87058bfc20aadc0e72d474b1c330790512
CRs-Fixed: 2216242
qcacld-2.0 to qcacld-3.0 propagation
Discard the original wmi interface:
replace with the new one:
to support chain value along with corresponding antenna info.
Change-Id: Ie9ea9d160e1ac1e2e65de422c85989159fb5a556
CRs-Fixed: 2005820
Currently Kbuild unconditionally sets -DHAL_SELF_STA_PER_BSS=1. There
is only one place where this macro is referenced, and it actually
requires that the macro be set for the driver to work. Since this
logic isn't really conditional, remove the conditional compilation.
Change-Id: I09a03339df086146b81b3012fb281e166fccd5da
CRs-Fixed: 2221852
Currently a set of ANI_COMPILER_TYPE macros are checked against, but
other than that they serve no purpose. As part of ongoing Kbuild
cleanup remove these obsolete macros.
Change-Id: Ia112d7d5ae8d12eae46144b53addc8ad54393bba
CRs-Fixed: 2220285
The routine wma_extscan_change_results_event_handler sends the ext scan
results to upper layers. This contains the bssid info, rssi values of
different APs that are scanned. If the num_rssi_samples is negative or
greater than UINT32_MAX, then an OOB write could happen.
Add check to ensure rssi_num is not negative or exceeds UINT32_MAX.
Also make sure the numap value is not negative.
Change-Id: If82c4fd1193c45d38bd4495c187a406deb25acad
CRs-Fixed: 2205957
The routine wma_unified_debug_print_event_handler logs the data from debug
print event handler. The param event data from firmware is copied to a
destination buffer. If the maximum size of the data exceeds or equals
BIG_ENDIAN_MAX_DEBUG_BUF for big endian hosts then possible OOB write will
occur in wma_unified_debug_print_event_handler. For other hosts, OOB read
could occur if datalen exceeds maximum firmware message size.
Add check to validate datalen does not exceed the maximum firmware msg size
WMI_SVC_MAX_SIZE. Return failure if it exceeds.
Add check to ensure datalen does not exceed or equal the maximum buffer
length value for big endian hosts BIG_ENDIAN_MAX_DEBUG_BUF.
Invoke strlcpy instead of memcpy to ensure the string is null terminated
before printed.
Change-Id: I45943ae76d8fcf7b53e1f064c462d01cd6d00dcf
CRs-Fixed: 2211133
PDR recovery is taking longer time because vdev
delete is waiting for peer delete completion.
Modified vdev delete handler to get the status
of firmware. If firmware state is detected as down
then vdev delete handler will not wait for peer delete
Change-Id: I1014df239a1abecaccbe5097769a10c625597e12
CRs-Fixed: 2207795
Change htt_sec_type to cdp_sec_type since the CDP API expects a
cdp_sec_type as its argument. Required for compilation using LLVM.
Change-Id: I8dbf59dd80bd0fce221a23544c69764508377ae0
CRs-Fixed: 2216859
In function wlansap_channel_change_request validate channel requested
before processing the request.
Change-Id: I1cc8c978b15fe6ee043ce6bf712a109994dce50b
CRs-Fixed: 2212078
Currently wma_update_hdd_cfg() has unconditional code to check for
firmware support of the WMI_SERVICE_EGAP service and to register an
event handler when it is present. However this code doesn't build
correctly when the Green AP feature is disabled in the build.
Therefore featurize the Green AP service event handling.
Change-Id: Ic5f8fcc960c4b1b6ebc3b9b78acd84f583c24b9f
CRs-Fixed: 2216245
Use the wmi enum type in function wma_get_rcpi_req instead of
Change-Id: I5b506059ad8b0f4cd65c24e20df6306a47249fdb
CRs-Fixed: 2216015