Currently there is no way to find out PD Restart indication,
so platform driver has added an API to differentiate PD Restart
from SSR. Using this API in shutdown notify handler, sending
message to IPA to do required cleanup.
Change-Id: I9d07c6fc573b6db1c7d0c1b7c99f325e22fe81cd
CRs-Fixed: 2436036
When the ready event is received from the firmware, hdd callback
is called to create the pdev and update the capabilities. If
there is any error the error is not propagated back to hdd
which can result in accessing invalid memory.
Propagate the status correctly from hdd to wma to resolve this issue.
This will result in the probe failure until the resources are available
or reference leaks are fixed.
Change-Id: I97ec062893216e25e285d95d6bfb5cf3e91a4005
CRs-Fixed: 2426612
Generate PMK-R0 and PMK-R1NAME for FT-FILS connection and send it
over assoc request frame.
According to 802.11-2016 standard:
PMK-R0 is derived as:
  R0-Key-Data = KDF-Hash-Length(XXKey, "FT-R0", SSIDlength ||
                                SSID || MDID || R0KHlength ||
                                R0KH-ID || S0KH-ID)
  PMK-R0 = L(R0-Key-Data, 0, Q)
  PMKR0Name = Truncate-128(SHA-256("FT-R0N" || PMK-R0Name-Salt))
PMK-R1 is derived as:
  PMK-R1 = KDF-Hash-Length(PMK-R0, "FT-R1", R1KH-ID || S1KH-ID)
PMK-R1Name is derived as:
  PMKR1Name = Truncate-128(SHA-256("FT-R1N" || PMKR0Name ||
                                   R1KH-ID || S1KH-ID))
Call qdf_get_hash() function to generate a sha-256 or sha-384
hash. Use qdf_get_hash() with hmac(sha-256) or hmac(sha-384)
to generate hmac_hash.
Set PMKID count as 1 in RSN IE and copy the PMKR1-name
generated to the PMKID list. This PMKR1 should be the only
entry in PMKID list in assoc request frame sent by the driver
during FT-FILS initial mobility domain FILS connection.
Change-Id: Ic634aebbe42a58b92f871cf3258c62f7541d161a
CRs-Fixed: 2414719
With current design, firmware sends the kck, kek and replay
counters as part of wmi_key_material tlv over the
WMI_ROAM_SYNCH_EVENTID event. But the maximum supported kck key
length in wmi_key_material was 16 bytes. But for FT Suite-B
(akm 00:0f:ac:13), the kck_bits is 24 bytes long and cannot be
sent over wmi_key_material. So firmware sends kck, kek and
replay counter values over the new tlv wmi_key_material_ext.
Host driver copies the kck key with fixed 16 byte length to the
upper layers. Introduce kck_length parameter in csr_roam_info
and roam_offload_synch_ind structures and copy kck based on this
length.
Also fix maximum number of AKM suites supported to 5, as some
certification test cases advertise 5 akms.
Change-Id: Iab050e3e3f7efead8070a02094998d15f7ffcbd0
CRs-Fixed: 2400770
On failure in processing beacon report request in
sme_rrm_process_beacon_report_req_ind, xmit ind is
not sent to PE. This will result in all subsequent
beacon report requests to fail as current request
in PE is not freed. Beacon report request is received
with country code US-O and operating class 12. In this
scenario, third byte in country code is overwritten to
global_op_class which causes no channel to be populated
for scan as there is no operating class 12 in global op
class.
Fix is to send xmit ind to PE on failure in processing
beacon report req in SME for cleanup and not overwrite
the third byte in country code if value exceeds global
op value.
Change-Id: Ie07dbb1f45803cf93b45df2173f0ad064a194cb3
CRs-Fixed: 2439827
Propagation from qcacld-2.0 to qcacld-3.0
For the sap role, .get_station would invoke
wlan_hdd_get_station_remote() or wlan_hdd_get_sap_stats(), depending on
the "gSapGetPeerInfo" ini setting. Also fix the logic that determines
whether sap get peer info is enabled or not by target capability.
CRs-Fixed: 2427627
Change-Id: I3162950a6a7202d55b64ff9c60a26971d3a31555
In some parse APIs the duplicate IE detection logic is not present
and thus duplicate IE will be processed again.
Fix by adding logic in missed API to parse IEs.
Change-Id: I0ad5decf41e72783c211fca2ca56d796b08a1003
CRs-Fixed: 2441001
Peer is created but not setup in LFR3 roaming case,
then peer->rx_tid[tid].array is not initialized with a valid
value before using, which causes null pointer dereference in
dp_rx_defrag_cleanup() when cleaning up peer.
Change-Id: Ia8fd7773041511f3865d8ba26f4844d9b33bcec0
CRs-Fixed: 2436112
Add gTxAggSwRetry for tx aggregation case, and
Add gTxNonAggSwRetry for non tx aggregation case.
Change-Id: I92265fb4e279eaf63c45f0134f997df02bca8737
CRs-Fixed: 2436305
Currently, the function csr_save_tx_power_to_cfg does not
update the max_tx_power_24/5 length before it copies the
max_tx_power_24/5 data. Then the channel and tx power info
is not complete.
Change-Id: I99e4def6678b68e192f421d03ca7768b341dfbab
CRs-Fixed: 2437214
Connection is initiated with AP1, roaming to AP2 and then
roaming back to AP1. In this scenario, after assoc is done
to AP1 firmware has the pmk for AP1. Now firmware roams to
AP2 and sends roam sync indication with status as connected
and 1x is now offloaded to supplicant. Now even before 1x is
complete driver enables RSO for AP2, due to this firmware
receives same PMK as that of AP1. Firmware flushes AP1 entry
because AP2 also has same PMK. After 1x, supplicant issues
new PMK which is sent to firmware and firmware updates this
for AP2. Now when firmware tries to roam to AP1, it doesn't
have pmk for AP1 and it results in full EAP HS.
Change-Id: Id1a0b227cf7be12efa23f63c0abac6d3419469d5
CRs-Fixed: 2432114
In case of no scan result, ACS logic should select one channel based on
any of the below conditions (as per mentioned order):
1. First valid channel from PCL
2. First safe channel from safe_channels
3. ACS start channel
Change-Id: Ife1d7a0a963b7773b92c091ed7cc976fcda25347
CRs-Fixed: 2430935
For SHA384 based 11r AKMs below:
FT-FILS-SHA384, FT-SUITEB-SHA384, the FT MIC length is 24. But
the host driver has MIC length hardcoded as 16, so only first
16 bytes of MIC is copied into MIC field and the rest 8 bytes are
copied into R1KH-ID. This results in R1KH-ID and R0KH-ID parse
failure. Due to this, the host driver sends R0KH-ID as 0 to the
firmware in the R0KH-ID. So the next roaming fails in the
firmware.
For SHA384 based AKMs, add changes to reparse the association/
reassociation response FT element. Introduce new FTIE structure
with MIC defined as array of 24 bytes. With this, the R0KH-ID
and R1KH-ID will be populated correctly in to the assoc response
structure and ultimately RSO command will carry the right R0KH-ID
to firmware.
Change-Id: I5aa50145fcd3ba91b1c92d4817b7f0e4fc216e3f
CRs-Fixed: 2430828
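
The MIC-length dependency described in the commit message above, as an added example (not code from the driver): a minimal FTE body parser that takes the MIC length as a parameter, run over one constructed element carrying a 24-byte MIC. Function and struct names are hypothetical; subelement IDs 1 (R1KH-ID) and 3 (R0KH-ID) follow the 802.11 FTE layout.

```c
#include <stdint.h>
#include <string.h>

#define FT_MIC_LEN_DEFAULT 16  /* length the commit says was hardcoded */
#define FT_MIC_LEN_SHA384  24  /* FT-FILS-SHA384, FT-SUITEB-SHA384 */
#define FT_NONCE_LEN       32  /* ANonce and SNonce */
#define FT_SUB_R1KH_ID      1  /* FTE subelement IDs */
#define FT_SUB_R0KH_ID      3

struct ft_ids { uint8_t r1kh[6]; int has_r1kh; uint8_t r0kh[48]; size_t r0kh_len; };

/* Parse an FTE body (after element ID/length). 0 on success, -1 if malformed. */
int ftie_parse(const uint8_t *p, size_t len, size_t mic_len, struct ft_ids *out)
{
    size_t pos = 2 + mic_len + 2 * FT_NONCE_LEN; /* MIC control, MIC, nonces */
    memset(out, 0, sizeof(*out));
    if (len < pos) return -1;
    while (pos < len) {
        if (len - pos < 2) return -1;            /* truncated subelement header */
        uint8_t id = p[pos], slen = p[pos + 1];
        pos += 2;
        if (slen > len - pos) return -1;         /* subelement overruns the IE */
        if (id == FT_SUB_R1KH_ID && slen == 6) {
            memcpy(out->r1kh, p + pos, 6);
            out->has_r1kh = 1;
        } else if (id == FT_SUB_R0KH_ID && slen >= 1 && slen <= 48) {
            memcpy(out->r0kh, p + pos, slen);
            out->r0kh_len = slen;
        }
        pos += slen;
    }
    return 0;
}

/* Constructed sample: 24-byte-MIC FTE body, then R1KH-ID and R0KH-ID "r0kh". */
size_t build_sample_fte(uint8_t *b)
{
    size_t n = 2 + FT_MIC_LEN_SHA384 + 2 * FT_NONCE_LEN;
    memset(b, 0x5C, n);                          /* filler for the fixed fields */
    b[n++] = FT_SUB_R1KH_ID; b[n++] = 6; memcpy(b + n, "\x02\x00\x00\x00\x00\x01", 6); n += 6;
    b[n++] = FT_SUB_R0KH_ID; b[n++] = 4; memcpy(b + n, "r0kh", 4); n += 4;
    return n;
}

int main(void)
{
    uint8_t b[128]; struct ft_ids ids; size_t n = build_sample_fte(b);
    return !(ftie_parse(b, n, FT_MIC_LEN_SHA384, &ids) == 0 &&
             ftie_parse(b, n, FT_MIC_LEN_DEFAULT, &ids) == -1); /* 0 = as expected */
}
```

With the 16-byte assumption the subelement walk starts inside the SNonce, so neither key-holder ID is recovered from the same bytes.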
In TSO case, if eit header is less than 64 bytes in length,
it will result in unauthorized access to memory that has not
been dma mapped.
For TSO path, adjust the pkt download length before the call
to ce_send_fast(), so that the excess delta is taken into
account and handled.
Change-Id: I049f40afb87c66ad5544da583db27d066fe12453
CRs-Fixed: 2439186
Set MCC quota is mainly for miracast p2p interface when
STA+CLI or STA+GO. Change the condition checking to consider
the other (SAP) existing but not start, to avoid set quota
failure.
Change-Id: I2acfd2bf86991d884c40657dfdd027a235df1270
CRs-Fixed: 2439269
Currently rxmpdu count and fcs count is not getting
populated in station info, add support to populate rx mpdu count
and fcs count in station info and send to user space with
get_station command.
Change-Id: I5ae3c4c1e5647ad0b4777440ce0a1226ba4f373e
CRs-fixed: 2438671
In hdd_apf_read_memory_cb, context buffer length is checked
against sum of packet offset and event length, packet offset
and event length are extracted from FW response and can lead
to integer overflow, which will allow to pass the length check
and eventually will lead to buffer overwrite when event data is
copied to context buffer.
To avoid this issue, validate the event length against the
available length in the context buffer, which can be obtained
by getting difference of packet offset from the context buffer
length.
Change-Id: I53798e56403f1c550f0a762645ccd67a1dc8500d
CRs-fixed: 2436502
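
The length check described in the commit message above, as an added example (not code from the driver): the summed check next to the subtraction-based check, evaluated on constructed firmware values whose 32-bit sum wraps. All function and parameter names are hypothetical, and the guard for an offset beyond the buffer is an added assumption the commit message does not spell out.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check as the commit describes the original: pkt_offset + evt_len can wrap. */
bool apf_len_ok_original(uint32_t buf_len, uint32_t pkt_offset, uint32_t evt_len)
{
    return (uint32_t)(pkt_offset + evt_len) <= buf_len;
}

/* Check as the commit describes the fix: compare evt_len with the space
 * left in the context buffer after pkt_offset. */
bool apf_len_ok_fixed(uint32_t buf_len, uint32_t pkt_offset, uint32_t evt_len)
{
    if (pkt_offset > buf_len)   /* added guard: keeps the subtraction from wrapping */
        return false;
    return evt_len <= buf_len - pkt_offset;
}

/* Copy event data into the context buffer only when the fixed check passes. */
int apf_copy_event(uint8_t *ctx_buf, uint32_t buf_len, uint32_t pkt_offset,
                   const uint8_t *evt, uint32_t evt_len)
{
    if (!apf_len_ok_fixed(buf_len, pkt_offset, evt_len))
        return -1;
    memcpy(ctx_buf + pkt_offset, evt, evt_len);
    return 0;
}

int main(void)
{
    /* Constructed values: 64-byte context buffer, sum wraps to 0x10. */
    uint32_t buf_len = 64, off = 0xFFFFFFF0u, len = 0x20u;

    printf("original accepts: %d\n", apf_len_ok_original(buf_len, off, len));
    printf("fixed accepts:    %d\n", apf_len_ok_fixed(buf_len, off, len));
    return 0;
}
```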
Check for validity of vdev obtained from the CDP
cdp_get_vdev_from_vdev_id API.
Change-Id: Ie7fb99a0e08135bd3f2cc6b63070a4bd72df943a
CRs-Fixed: 2434583
Currently when an RRM scan is issued for beacon report request from the
connected AP, we use the current scan country code to get the op class
table for the country.
However, the AP can specify which table to use in the country IE's 3rd
byte of the country field which is not parsed and stored in the scan
country code.
For RRM Scan for beacon report request, use the 3rd byte to get the table
number from the connected AP's beacon and if no table number is present,
then use the op class table based on the country code.
Change-Id: I0911ac908d1c71676f7c1450ab260eaa732ddcb9
CRs-Fixed: 2435942
After DUT STA connected, search connected ssid from scan cache,
get each channel and put into roam scan channel map. To make sure
current home channel is always included and don't set full
channel as channel map, add home channel into roam scan channel
map directly.
Change-Id: Ifb25562259a9b7f35849b39d8e0d238e754d4f96
CRs-Fixed: 2436200
When SAP works in ACS mode, it needs to restart with a safe channel
if current channel is unsafe. Sometimes no channel is selected from
pcl channels. SAP can't just pick up one safe channel because the
channel may be DFS channel while SAP may disable DFS master capability.
SAP should select one valid channel for LTE COEX.
Change-Id: I303165f82b5c2a8d06447df4ba23fdcba5b1083c
CRs-Fixed: 2415007
With FT-FILS akm, initial mobility domain fils connection
requires FTIE in the assoc request frame. FTIE is copied from
auth response frame received from the AP and stored in fils_info.
Add frame parser changes to populate the FT-IE into the
association request frame.
Send this FTIE in the association request appended after MDIE.
Change-Id: I9087ff9f36b52f3ef08b03cba826bdc42834a9f8
CRs-Fixed: 2414678
FT-FILS initial mobility domain association requires FTIE in the
association request frame sent to the AP. FTIE has the R0-KH and
R1-KH ID that is needed to derive the FILS-FT key.
Host driver should save the FTIE received from the AP in the
authentication response frame and send it without any
modification to the AP in association request frame.
Change-ID: I047538e13b37e10c2cebad4959fc796af5d16df6
CRs-Fixed: 2414662
Expectation of user is fcc constraint should be applied when user input
is zero and should be cleared when input is negative value. But current
driver behavior is out of sync.
To address this, invert the user-input before invoking regulatory
component api ucfg_reg_set_fcc_constraint(). Also ensure reduced
tx power is effective in calculating maximum tx power while connecting
to access-point.
Change-Id: I73485685b70b805107a52080c64efde30e807dc3
CRs-Fixed: 2429993
Add new ini to configure various roam trigger parameters:
1. "minimum_btm_candidate_score"
Consider the AP as roam candidate only if its score is greater
than minimum_btm_candidate_score. This value will be sent over
the WMI_BTM_OFFLOAD_CONFIG command.
2. "roam_scan_inactivity_time"
Device inactivity monitoring time in milliseconds for which
the device is considered to be inactive with data packets
count is less than configured roam_inactive_count.
3. "roam_inactive_data_packet_count"
Maximum allowed data packets count during
roam_scan_inactivity_time.
4. "roam_scan_period_after_inactivity"
Roam scan period in ms after device was in inactive state.
5. "btm_roam_score_delta"
Roam scan delta value for btm triggered roam scan. This value
will be sent to firmware over the WMI_ROAM_AP_PROFILE wmi
command.
6. "idle_roam_score_delta"
Roam scan delta value for Idle roam scan trigger reason. This
value will be sent to firmware over the WMI_ROAM_AP_PROFILE
wmi command in the roam_score_delta_param_list tlv.
7. "disconnect_roam_trigger_min_rssi"
Candidate minimum rssi value for disconnect roam trigger. This
value will be sent to firmware over the WMI_ROAM_AP_PROFILE
wmi command in the roam_score_min_rssi_param_list tlv.
8. "beacon_miss_roam_min_rssi"
Candidate minimum rssi value for BTM triggered roam. This
value will be sent to firmware over the WMI_ROAM_AP_PROFILE
wmi command in the roam_score_min_rssi_param_list tlv.
9. "bss_load_trigger_5g_rssi_threshold"
If connected AP is in 5GHz band, then consider bss load roam
triggered only if load % > bss_load_threshold && connected AP
rssi is worse than bss_load_trigger_5g_rssi_threshold.
10. "bss_load_trigger_2g_rssi_threshold"
If connected AP is in 2GHz band, then consider bss load roam
triggered only if load % > bss_load_threshold && connected AP
rssi is worse than bss_load_trigger_2g_rssi_threshold.
Change-Id: Ib026251a8ec403f4376a16a91ff1b5d969336816
CRs-Fixed: 2434922
After SSR, SAR configuration is lost.
Since SSR is hidden from userland, VENDOR_SUBCMD_SET_SAR_LIMITS
to configure SAR shall not come again from userspace after SSR.
To restore SAR configuration, save this in hdd context when the vendor
command comes and restore after re-init.
Change-Id: I083fb72a9fad35af1a84bcc9d8d59976485b9fa3
CRs-Fixed: 2427382
1. The original mgmt send path changed by converged p2p component, now
wma_tx_packet() will not invoke when sending station mode action
frames, it invokes p2p_mgmt_tx() instead. But for tx buffers of PMF
frames sending to some target require to do bi-direction dma map to
pass smmu sanity check, which is missed in p2p_mgmt_tx() path.
2. The offchan flag passed to wlan_hdd_mgmt_tx() is not always accurate.
There have been cases where the flag is set even though the operation is
taking place on the home channel, and blindly following the flag leads
to an unnecessary ROC.
Fix it by adding QDF_NBUF_CB_TX_DMA_BI_MAP to new p2p mgmt tx path and
bring back home channel check to override the offchan flag if
necessary.
Change-Id: I9589157e57e95d0c61a432f87a07630c4b77f757
CRs-Fixed: 2423341