When vdev restart response is received for channel switch during
CSA, we set the phy mode in firmware and then send vdev up. But
even if the restart request has failed, the host sends vdev up. This
is wrong as firmware expects vdev up only after vdev start is
successful.
If vdev restart is rejected, don't send vdev up to firmware.
Instead send WMA_SWITCH_CHANNEL_RSP with failure status.
Change-Id: I1f1ba860abeb0d25e90fd9b9977f02153aca81af
CRs-Fixed: 2331485
The below APIs log failure with caller information,
so no logs are needed at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I5d7d49811d71f83ecafccd9f936af323073b32c6
CRs-Fixed: 2327098
PLD FW down uevent is asynchronous, which races against all critical
driver transition events like probe, remove, shutdown, reinit, and
hence move wmi_stop to the wma shutdown notifier callback such that it is
protected against all critical driver transition events.
Change-Id: I91046efeab8bc13b9f5c37d5a4d02b66c63e35a9
CRs-Fixed: 2330980
Add bound check for new fixed_param->total_num_tx_power_levels
with its old value of rs_results->total_num_tx_power_levels in
wma_unified_radio_tx_power_level_stats_event_handler.
rs_results->tx_time_per_power_level is allocated only once,
if it has not already been allocated. This allocation is saved
into the global wma_handle structure.
If multiple invocations of this handler occur then a buffer
overflow can occur in the following scenario:
1. First message is used to allocate rs_results->tx_time_per_power_level
with a small, but valid size.
2. Second message skips allocation of rs_results->tx_time_per_power_level
since it was done with the first message. This message specifies a larger
valid value and causes the qdf_mem_copy() to overflow.
Change-Id: Ib9c7d3bd667e2ffc1408cd7356be35985331e028
CRs-Fixed: 2327688
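An added example in C (not the driver's own code) of the once-only allocation and the bound check this message describes; struct radio_results and struct tx_power_event are hypothetical mirrors of rs_results and the fixed_param fields, and the three events are constructed:

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical mirrors: rs stands for the rs_results kept in the global
 * wma_handle, ev for the fixed_param fields the handler reads. */
struct radio_results {
	uint32_t total_num_tx_power_levels;
	uint32_t *tx_time_per_power_level;   /* allocated once, then reused */
};
struct tx_power_event {
	uint32_t total_num_tx_power_levels;   /* array size the FW claims */
	uint32_t power_level_offset;          /* first index this event writes */
	uint32_t num_tx_power_levels;         /* entries carried in this event */
	const uint32_t *tx_time_per_power_level;
};
/* Returns 0 when the event was applied, -1 when it was rejected. */
int handle_tx_power_level_stats(struct radio_results *rs,
				const struct tx_power_event *ev)
{
	if (!rs->tx_time_per_power_level) {
		rs->tx_time_per_power_level = calloc(ev->total_num_tx_power_levels, sizeof(uint32_t));
		if (!rs->tx_time_per_power_level)
			return -1;
		rs->total_num_tx_power_levels = ev->total_num_tx_power_levels;
	} else if (ev->total_num_tx_power_levels > rs->total_num_tx_power_levels)
		return -1;   /* the bound check: never grow past the first allocation */
	/* Bound the copy window against the recorded size (written overflow-safe). */
	if (ev->power_level_offset > rs->total_num_tx_power_levels ||
	    ev->num_tx_power_levels > rs->total_num_tx_power_levels - ev->power_level_offset)
		return -1;
	memcpy(rs->tx_time_per_power_level + ev->power_level_offset,
	       ev->tx_time_per_power_level, ev->num_tx_power_levels * sizeof(uint32_t));
	return 0;
}

/* Constructed scenario: a small first event, a second claiming a larger
 * total, a third whose window overruns. Returns how many were rejected. */
int tx_power_scenario(void)
{
	static const uint32_t first[2] = { 10, 20 }, second[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	struct radio_results rs = { 0, NULL };
	struct tx_power_event ev1 = { 2, 0, 2, first }, ev2 = { 8, 0, 8, second },
			      ev3 = { 2, 1, 2, first };
	int rejected = (handle_tx_power_level_stats(&rs, &ev1) != 0) +
		       (handle_tx_power_level_stats(&rs, &ev2) != 0) +
		       (handle_tx_power_level_stats(&rs, &ev3) != 0);
	free(rs.tx_time_per_power_level);
	return rejected;   /* 2 */
}
```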
When interface change timer expires, wma_wmi_service_close() is
called from hdd_iface_change_callback()->hdd_wlan_stop_modules()
->cds_close(). wmi_handle is made null here. At the same time,
if there is a modem reboot, host will receive early
indication from FW. Due to this, icnss driver sent
ICNSS_UEVENT_FW_DOWN event to host and it calls wmi_stop() again
from icnss_call_driver_uevent()->pld_snoc_uevent()->
wlan_hdd_pld_uevent() -> wlan_hdd_set_the_pld_uevent()->
wma_wmi_stop() -> wmi_stop(). As wmi_handle was marked
null during wlan stop modules, this causes a potential NULL
pointer dereference.
Flush iface_idle_work before wma_wmi_stop and add NULL check
before accessing wmi_handle.
Change-Id: I1bfa8ab7329040c0b5ba989c0d7de7bf7228dd35
CRs-Fixed: 2328575
Add sanity check for vdev_id in wma_lost_link_info_handler
against wma_handle->max_bssid.
Change-Id: I1f469b25ac88deb4d5bbaf754c0ea441e6cb04de
CRs-Fixed: 2325718
Make the following updates to the extscan get capabilities logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
Change-Id: I9e57c86a3da0924af01d82d626b61c28f7d520bf
CRs-Fixed: 2330211
Remove the QDF_BUG() from sanity check of pdev_id passed with
pdev_hw_mode_trans_ind event from FW.
Change-Id: I91bb697993e129bf3f8ff62900e21f85dbe85efc
CRs-Fixed: 2328603
Make the following updates to the extscan get cached results logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
Change-Id: I4144aa4cdb9c6d3ddaae30eedaec3096abf95857
CRs-Fixed: 2329405
pmac->sme.get_chain_rssi_cb is never checked if a
WMI_PDEV_DIV_RSSI_ANTID_EVENTID message is sent at any time
by the user.
pmac->sme.get_chain_rssi_cb cannot be appropriately
registered and can result in a NULL pointer dereference.
Change-Id: I64783a0e2d054b45678f126b42de20470d3264d3
CRs-Fixed: 2324128
Don't account for the length field size while comparing against the max
beacon size.
The current driver starts from (ptr + 4 bytes) and then tries to copy
512 bytes from that point, which copies an extra 4 bytes
beyond the array's boundary.
Instead copy only 508 bytes if the driver starts copying from
(ptr + 4 bytes).
 ptr
 ^
 |
 |
 +---------------+--------------------------------+
 |               |                                |
 |    Length     |       Max Beacon payload       |
 |               |                                |
 +---------------+--------------------------------+
 |<-- 4 bytes -->|<-------- 508 bytes ----------->|
 |<-------------- 512 bytes --------------------->|
CRs-Fixed: 2327052
Change-Id: I2646986ec424f7da31107ad01f673588734eaa52
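An added example in C (not the driver's own code) of the 508-byte cap from the diagram: the read starts at ptr+4 and can no longer run 4 bytes past the 512-byte array. The function names, the host-byte-order length field and the sample buffer are assumptions constructed for this example:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BCN_LEN_FIELD   4                                  /* length field at ptr */
#define BCN_ARRAY_SIZE  512                                /* whole array, as drawn */
#define BCN_MAX_PAYLOAD (BCN_ARRAY_SIZE - BCN_LEN_FIELD)   /* 508 bytes */

/* Bytes that may be copied from ptr+4: min(length, 508), never 512. */
size_t bcn_payload_limit(uint32_t length_field)
{
	return length_field < BCN_MAX_PAYLOAD ? length_field : BCN_MAX_PAYLOAD;
}

/*
 * Copy the beacon payload that follows the 4-byte length field out of the
 * fixed 512-byte array. Returns the number of bytes copied, or -1 if dst
 * cannot hold them. The read starts at bcn+4 and stops at bcn+512 at the
 * latest, which is the bound the old 512-byte copy length overran by 4.
 */
long bcn_copy_payload(uint8_t *dst, size_t dst_len,
		      const uint8_t bcn[BCN_ARRAY_SIZE])
{
	uint32_t length_field;
	size_t n;

	if (!dst || !bcn)
		return -1;
	memcpy(&length_field, bcn, sizeof(length_field));   /* host byte order assumed */
	n = bcn_payload_limit(length_field);
	if (n > dst_len)
		return -1;
	memcpy(dst, bcn + BCN_LEN_FIELD, n);
	return (long)n;
}

/* Constructed scenario: the length field claims 512 bytes, the value that
 * used to drive a 512-byte copy from ptr+4. Returns the bytes copied. */
long bcn_copy_scenario(void)
{
	static uint8_t bcn[BCN_ARRAY_SIZE];
	static uint8_t out[BCN_ARRAY_SIZE];
	uint32_t length_field = BCN_ARRAY_SIZE;

	memcpy(bcn, &length_field, sizeof(length_field));
	memset(bcn + BCN_LEN_FIELD, 0xAB, BCN_MAX_PAYLOAD);
	return bcn_copy_payload(out, sizeof(out), bcn);   /* 508 */
}
```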
Currently the wmi_roam_synch_frame_event_id is sent from the FW before
the roam_synch event if the size of the beacon/probe, reassoc request
and reassoc response frames exceeds the max WMA message size.
In such scenarios, the FW sends two wmi_roam_synch_frame_event_id events
with the first event containing beacon/probe and reassoc response frames
and the second event with reassoc request frame.
However, the driver is dropping the first event with beacon/probe and reassoc
response frame as the reassoc request is not present in that event.
This is expected in the first frame and the driver should handle each
frame independently in the wma_roam_synch_frame_event_handler.
Remove the check for beacon/probe and reassoc request frame while
handling reassoc response frame in wma_roam_synch_frame_event_handler.
Change-Id: Ic66dd7f93da0de32715cf36be520128d2a1efc8e
CRs-Fixed: 2325217
Create and send user configurable ini for max number of roam preauth
retries and roam preauth no-ack timeout to the firmware.
Change-Id: I66808b33f421f56cd7c007cdde1db19c8e7ca5f9
CRs-Fixed: 2279049
Since refined PMO configures based on the converged cfg component, apply
PMO configurations and remove related legacy code.
Change-Id: I2cdf18c1000d8cc923c80c00bf530b2b0c60563e
CRs-Fixed: 2322185
Remove the legacy definitions that are related to the WEP
cfg.
Move them to the mlme component.
Change-Id: Ibcec8adf15123d12ad7c2eb6ed770b44a093673a
CRs-Fixed: 2324046
In wma_ibss_peer_info_event_handler, the driver has an upper
bound check on num_peers and not a lower bound check.
The num_peers should be a positive value.
Since there is no check to see if num_peers is set to 0,
this check can underflow and result in multiple OOB writes
once the loop has incremented more than 32 times.
Fix is to check whether num_peers is a positive value,
and return if that is not true.
Change-Id: I599151cc6720ed931142ad6a519add6957fea467
CRs-Fixed: 2324139
When peer creation fails in wma_create_peer, vdev delete is sent
to the fw and then eWNI_SME_ADD_STA_SELF_RSP is sent to sme.
Here three error cases need to be handled:
1. The vdev deletion has happened, but the cdp_detach_peer is
not done. So the data path peer remains. Also the vdev_active
flag that was set after vdev creation was not unset.
2. The eWNI_SME_ADD_STA_SELF_RSP msg handler
csr_process_add_sta_session_rsp invokes csr_roam_session_opened
which signals HDD that vdev is created successfully and hdd
calls hdd_vdev_ready and vdev related parameter set commands are
sent to FW for the deleted vdev.
3. Vdev delete is not sent for objmgr peer creation failure in
case of VDEV_TYPE_STA and release vdev object ref count.
Add cdp_vdev_detach() calls during error case and set the
vdev_active flag to false. Handle releasing vdev object ref
count in all needed error case flows.
Propagate the error in wma_vdev_attach() through
csr_roam_session_opened() to HDD and abort the vdev create.
Change-Id: Iec97122d011098fae7ae2a59864fbe8ca8a0980e
CRs-Fixed: 2322212
While handling the WMI_VDEV_START_RESP_EVENTID WMI FW event a reachable
QDF_BUG() can occur, because the message coming from outside is not
reliable.
Change-Id: I9a142152a5d65e8fa25590eac1bc63279a1de4ba
CRs-Fixed: 2321490
When wma_create_peer is called, the driver checks for
cds_is_target_ready, and the macro CDS_DRIVER_STATE_FW_READY is
unset during the wlan_hdd_pld_uevent. This results in a race
condition where wma_peer_create fails due to
cds_is_target_ready() failure and wma_vdev_delete is sent from
wma_vdev_attach. wmi_stopinprogress is set when firmware is
down. But this is set only after a small delay and the vdev
commands reach the fw, which results in a race condition.
Remove the cds_is_target_ready() call from wma_create_peer.
Place the call to wma_wmi_stop() to set the wmi_stopinprogress
flag immediately after the wlan_hdd_pld_uevent is received.
Change-Id: Iea53931771afd93ffaeabf704bbaffcf2460284f
CRs-Fixed: 2320538
Currently PHY mode is not getting updated and it is being set as
0, which is resulting in an invalid channel setting to FW
for LOWI.
To address this issue update the PHY mode correctly.
Change-Id: I1f650268e2ba1814a435994d558b4b68030eb8c1
CRs-Fixed: 2318551
Restrict the band of PCL to the connected band if
intra band roaming is enabled
Change-Id: I78e9a29d7f8eb226e899e944e4d2980629c52a01
CRs-Fixed: 2302607
In wma_extscan_find_unique_scan_ids() the TLV structures
for param_buf are pulled from the WMI message.
wma_extscan_find_unique_scan_ids parses the data (param_buf)
which is obtained from the firmware.
This parsing logic of rssi_list does not consider the
size of the list and thus results in an OOB access.
Fix is to loop over num_rssi_list and not the number of entries.
Change-Id: Icf79b59a17b66ac858222b79589641787022572d
CRs-Fixed: 2316805
Add CFG items of RTT and PMF as generic items based
on converged cfg component.
Change-Id: Ic95d1e7b052259149704d9faf65ebe5f51536fdf
CRs-Fixed: 2313281
wma_mgmt_nbuf_unmap_cb uses the wma handle to check if the wmi service
capability for mgmt is supported. If the wma handle is freed before the
callback is invoked, it returns without doing the unmap of the nbuf.
Instead of the wma handle, use the psoc object handle, which has the
information about wmi service capability support.
Change-Id: Icbdeb155be0fb5d056dd876faa2bd73f78cd9db7
CRs-Fixed: 2317785
As a part of the cfg80211_get_station command, the driver sends TX stats
(tx rate, MCS index, NSS and flags). Currently there is no support to
send similar RX stats.
Add support to send RX stats to the framework.
Change-Id: Ic66596d118ad1395706db7638da1b4fdef7dc2d5
CRs-Fixed: 2303306
In the wma_unified_radio_tx_mem_free() function, the results buffer array may be
dereferenced with a large index value, which may result in OOB memory access.
Fix the same by correctly incrementing the pointer to the results buffer.
Change-Id: I57a26dba9db32758c7d7fd51b99d3364a8020a9d
CRs-Fixed: 2308644
This change removes legacy APIs that modify the vdev state machine and
adds use of the new API to get vdev state.
Change-Id: I48aa3744dafc6d13a43a14e48de821c7dadf3a37
CRs-Fixed: 2314730
Since refined mlme sta configures based on the converged cfg component,
apply mlme sta configurations and remove related legacy code.
Change-Id: Ia5989a29378bf33e3c9550a0ae26338aeb966592
CRs-Fixed: 2312079
In a slub debug enabled build, processing is slowed down, and hence
increase the FW response timeout values by a factor of 2.
Change-Id: I979269a9b4f6bc03f97452b3d7f7416fd418f336
CRs-Fixed: 2315934