Commit Graph

10565 Commits

Author SHA1 Message Date
Padma, Santhosh Kumar
86747ece8c qcacld-3.0: Avoid VDEV start for new interface when roaming in progress
Currently driver allows start_bss on SAP interface even when roaming is
in progress on STA interface. This leads to two simultaneous vdev starts
in FW which causes the FW to assert.

Add changes to reject the start_bss request for SAP if roaming is in
progress on any STA interface.
Also, when a connect for STA or start_bss for SAP is received and
roaming is not in progress for any STA interface, stop roaming on all
STA interfaces by sending WMI_ROAM_SCAN_MODE_NONE to FW. Also after
association or start_bss completion, enable roaming again on connected
STA interface.

Change-Id: I3baaffeef3b350e6527660cbac4b79fa4d9f83f0
CRs-Fixed: 2221337
2018-06-14 20:55:38 -07:00
Dundi Raviteja
ab08adcec0 qcacld-3.0: OOB access may occur due to total numChannels exceeds max value
Out of Buffer access may occur in wmi_get_buf_extscan_start_cmd()
function if user provided inputs are different for below parameters
which are assigned in hdd_extscan_start_fill_bucket_channel_spec()
function

1. QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_NUM_CHANNEL_SPECS
2. QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC

To address this issue return failure status if numChannels is not
equal to the total number of channel entries.

Change-Id: I60d74161dc3752bd7f609af3910d7c86a99488ec
CRs-Fixed: 2255189
2018-06-14 20:55:35 -07:00
nshrivas
11767e756a Release 5.2.0.82V
Release 5.2.0.82V

Change-Id: I8b96bba604d9d7b65dbf2068396bb5a9059d7bd1
CRs-Fixed: 774533
2018-06-14 18:35:20 -07:00
Himanshu Agarwal
3697f94539 qcacld-3.0: Pass correct channel in ch_in_pcl()
Presently, wrong channel is passed in ch_in_pcl() as a result of which
PCL discount is applied on wrong channel resulting in wrong ACS weight
calculation.

Pass correct channel in ch_in_pcl().

Change-Id: Id87c0afe501d7217ae6b170656bf6d2fab89b5b7
CRs-Fixed: 2257182
2018-06-14 18:35:19 -07:00
Himanshu Agarwal
57b7ee356f qcacld-3.0: Copy ch_width irrespective of gvendor_acs_support value
When gvendor_acs_support=1, ch_width provided by hostapd is not getting
copied to sap_cfg. As a result, ch_width is 0 (20MHz) irrespective of
whatever provided by hostapd causing issues.

Copy ch_width irrespective of gvendor_acs_support value.

Change-Id: I7013eb7ee3610790194916078640d633747de15e
CRs-Fixed: 2247771
2018-06-14 18:35:16 -07:00
Naveen Rawat
b2fcd477cd qcacld-3.0: Remove obsolete member variables of tAniSirLim
Remove obsolete member variables of tAniSirLim and functions
using them.

Change-Id: I98c1caac415ca90a1101b64e49b0909b46d42616
CRs-Fixed: 2257774
2018-06-14 18:35:13 -07:00
nshrivas
bddb828dff Release 5.2.0.82U
Release 5.2.0.82U

Change-Id: I8e8a97a7a5a974f2e9f39cc82bb825bf8afe0305
CRs-Fixed: 774533
2018-06-14 16:22:30 -07:00
Mahesh Kumar Kalikot Veetil
a2da8bfe39 Revert "qcacld-3.0: Fix empty beacon report issue in 802.11k"
This reverts the change I48227166d722496afd2d9dd7aca1ae78d44c8833
because it is referring to the API csr_is_duplicate_bss_description()
which is deprecated and not defined.

Change-Id: I0f133eed437754f20547a1450090df09a6e0f2ba
2018-06-14 16:22:29 -07:00
nshrivas
95965e0d1b Release 5.2.0.82T
Release 5.2.0.82T

Change-Id: I5f303a831ebeb37f03e3d20f55bf774cb58f2f0c
CRs-Fixed: 774533
2018-06-14 13:04:42 -07:00
Mahesh Kumar Kalikot Veetil
4442754a40 qcacld-3.0: Fix a possible information leak
The function hdd_validate_adapter() can expose kernel address space
with a bad adapter pointer. Fix this by removing unwanted information
from the error print.

Change-Id: I65caab9d710e031992661efdf6f8c72d0c7bf82c
CRs-Fixed: 2235225
2018-06-14 13:04:42 -07:00
nshrivas
1d19bf4c0d Release 5.2.0.82S
Release 5.2.0.82S

Change-Id: I1548832cfb8ab44420a12b13ba49f590b10ffa40
CRs-Fixed: 774533
2018-06-14 11:46:58 -07:00
Dundi Raviteja
b189b74843 qcacld-3.0: Enable support to send packet fate stats
WIFI_LOGGER_PACKET_FATE_SUPPORTED bit in logging features
indicates the support to packet fate stats. Set the bit to indicate
the packet fate stats support to user space.

Change-Id: Ie286b3bf994fc75a987a42a329dd159db978ebe6
CRs-Fixed: 2233537
2018-06-14 11:46:57 -07:00
Zhu Jianmin
9952304979 qcacld-3.0: Fix peer use after free in ol_txrx_clear_peer
When DUT P2P Go/SAP deauth ref STA, in race condition, scheduler
thread may try to clear peer data and drop pending rx packets
after peer freed in peer unmap handler in soft irq context,
use after free issue will happen.

Error log:
BUG: spinlock bad magic on CPU#1, scheduler_threa/28550
Unable to handle kernel paging request at virtual address
6b6b6b6b6b715b

Stackframe:
do_raw_spin_lock+0x34/0x154
_raw_spin_lock_bh+0x24/0x30
ol_txrx_clear_peer_internal+0x68/0xb0 [wlan]
ol_txrx_clear_peer+0x78/0xa0 [wlan]
hdd_softap_deregister_sta+0xd0/0x200 [wlan]
hdd_hostapd_sap_event_cb+0xca8/0x20b8 [wlan]

Change-Id: Ib8d133528f5ff22125218861206d241f96eaf0da
CRs-Fixed: 2247334
2018-06-14 11:46:54 -07:00
nshrivas
385f8d61b9 Release 5.2.0.82R
Release 5.2.0.82R

Change-Id: I0d0f919d7135afae1ac9d8420e0c285c1c062b1d
CRs-Fixed: 774533
2018-06-14 02:56:37 -07:00
tinlin
3801bc7a18 qcacld-3.0: Fix empty beacon report issue in 802.11k
Propagation from cld2.0 to cld3.0.

While connected AP requires DUT to do radio
measurement for itself in passive scan mode,
DUT sends empty beacon report.

In passive scan, sta only listens for beacons.
Connected AP beacon is offloaded to firmware, and
Firmware discards it except that special
IE exists in the beacon. Connected AP beacon will
not be sent to host. Hence, timer of connected BSS
is not updated in scan result lists
and cannot meet "scan timer > RRM_scan_timer".
Fix the issue by adding connected
BSS judging condition.

Change-Id: I48227166d722496afd2d9dd7aca1ae78d44c8833
CRs-Fixed: 2239559
2018-06-14 02:56:37 -07:00
Nirav Shah
46fc6301ea qcacld-3.0: Featurize Tx throttle feature
Featurize Tx throttle feature.

Change-Id: Ie97749367b8c4e7af7fe0bee68b15be5946fdd67
CRs-Fixed: 2257918
2018-06-14 02:56:34 -07:00
Nirav Shah
c4aa1abac2 qcacld-3.0: Separate out different flow control implementation
Separate out QCA_LL_LEGACY_TX_FLOW_CONTROL
and QCA_LL_TX_FLOW_CONTROL_V2 flow control implementation
in different files to compile out features cleanly.

Change-Id: I5d6ddf9ea61b409b25d242852ed1f0102e94ad88
CRs-Fixed: 2228902
2018-06-14 02:56:32 -07:00
Vignesh Viswanathan
5f37b21cb6 qcacld-3.0: Check for minimum frame_len for action frames
In lim_process_action_frame and lim_process_action_frame_no_session,
the Rx frame pointer is directly cast to the action frame header
to find the Action frame category and action ID without validating
the minimum length of the frame. If the frame len is less than the
action frame header len, then OOB read would occur.

Check if frame_len is less than the size of action frame header len
and return if true.

Change-ID: Idf8ca7eeacdf57171d2850fe6317784911830aac
CRs-Fixed: 2253243
2018-06-14 02:56:29 -07:00
gaurank kathpalia
4d0bf7df70 qcacld-3.0: Fix OOB read in lim_process_deauth_frame
In the API lim_process_deauth_frame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in an OOB read.

Fix is to have a min length check of 16 bits for the
reason code before accessing it.

Change-Id: I7e7a435ba049356c13fb10240f4abb9bf6219af4
CRs-Fixed: 2249768
2018-06-14 02:56:26 -07:00
Vignesh Viswanathan
8777d3b250 qcacld-3.0: Send CSA/ECSA Switch count offset in Beacon Template to FW
During a channel switch, host sends the beacon template to the FW.
Currently the CSA/ECSA Channel Switch count offset fields in the
WMI_BCN_TMPL_CMDID fixed params are not filled from the host.

Add changes to calculate the CSA/ECSA Switch count offset from
start of the beacon template data and fill it in the fixed
params field for WMI_BCN_TMPL_CMDID.

Change-Id: Icb568f59346972784c4aceef9b42c8543adaa889
CRs-Fixed: 2246600
2018-06-14 02:56:24 -07:00
Abhishek Singh
8874df976e qcacld-3.0: Fix logic to drop duplicate deauth/disassoc frames
In wma_is_pkt_drop_candidate the frame received time is updated
even when the frame was dropped and thus the received time of
the frame keeps on increasing. Thus the condition to check if
frame is allowed after WMA_MGMT_FRAME_DETECT_DOS_TIMER ms always
fails if driver continuously keeps on getting the frames.

This can lead to dropping of valid deauth/disassoc frames in case
if RMF is enabled and some rogue peer keeps on sending rogue
deauth/disassoc frames and thus even if peer sends valid deauth
peer will not get disconnected.

To fix this update the rcvd time stamp only when the frame is
allowed, as this timestamp should be used to block the duplicate
frames for WMA_MGMT_FRAME_DETECT_DOS_TIMER ms.

Change-Id: I4f480e21369b585d78f240c5f4f062d010d889a8
CRs-Fixed: 2256679
2018-06-14 02:56:21 -07:00
Jeff Johnson
8edcded27a qcacld-3.0: Replace enum eSirRetStatus with tSirRetStatus
The protocol stack has some lingering uses of the legacy status
enumeration eSirStatus (typedefed as tSirRetStatus). There is a desire
to transition all of these to QDF_STATUS. As a first step of this
transition replace all usage of enum eSirRetStatus with tSirRetStatus.
This will eventually allow a global replace of tSirRetStatus with
QDF_STATUS.

Change-Id: I84a748f75117af99890725e64fc32a6392d262d5
CRs-Fixed: 2258411
2018-06-14 02:56:18 -07:00
Abhinav Kumar
7b40021398 qcacld-3.0: Possible buff overflow in sir_convert_assoc_resp_frame2_struct
After parsing of Re/Association Response frame,
sir_convert_assoc_resp_frame2_struct populates association response
structure sSirAssocRsp. In case if FEATURE_WLAN_ESE is enabled,
the host runs a loop to memcopy for all WMM TSPEC info from the parsed
buffer to association response structure.
Currently, while copying parsed data to sSirAssocRsp,
sir_convert_assoc_resp_frame2_struct is passing (sizeof(tDot11fIEWMMTSPEC)
* ar->num_WMMTSPEC)) as length argument to qdf_mem_copy to copy individual
TSPECInfo, which could result in buffer overflow, as size of per
TSPECInfo is only sizeof(tDot11fIEWMMTSPEC).

Pass correct length to qdf_mem_copy while copying TSPECInfo.

Change-Id: I9c74e3bbd387fda736a715625260d95c67f03ecc
CRs-Fixed: 2254946
2018-06-14 02:56:16 -07:00
Pragaspathi Thilagaraj
be3b5fad69 qcacld-3.0: Fix uninitialized variable in cds_is_gmac_mmie_valid
In the function cds_is_gmac_mmie_valid, there is uninitialized
use of mic array elements that are passed into the function
qdf_crypto_aes_gmac which causes error report in Coverity.

Initialize mic array before it is passed to qdf_crypto_aes_gmac.

Change-Id: I8650cc18d32f297f659ffaac0a514e183823f042
CRs-Fixed: 2233863
2018-06-14 02:56:13 -07:00
Rajeev Kumar Sirasanagandla
cf88e3afef qcacld-3.0: Avoid buffer over-read in vendor scan
While processing QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN,
scan randomization attributes: SCAN_MAC and SCAN_MAC_MASK are not
validated using nla_policy for a minimum length check of
MAC_ADDR_SIZE (6 bytes) which can result in buffer over-read.

To address this, add nla_policy for randomization attributes.

Change-Id: I872e221b951809ca1e5c60b867be52b9fa738ddd
CRs-Fixed: 2232745
2018-06-14 02:56:10 -07:00
Abhinav Kumar
8556167054 qcacld-3.0: Add diag events for debugging
Currently there are no diag events to inform user space about
used AKM Suite, requested pairwise cipher, group cipher, and
group key management in assoc request and algo num used in auth
req.

Add such diag events which can be useful in automation.

Change-Id: I210773ded47a84a3d06390271401e53cbda83089
CRs-Fixed: 2203232
2018-06-14 02:56:07 -07:00
Kiran Kumar Lokere
0508af99df qcacld-3.0: Send regulatory sync event for self managed reg
Add support to send regulatory sync event to user space for self
managed regulatory when regulatory info is updated.

Change-Id: Iacecb6f3e6a65c615d3a013509770463bdafe616
CRs-Fixed: 2242697
2018-06-14 02:56:04 -07:00
nshrivas
80c98da8d5 Release 5.2.0.82Q
Release 5.2.0.82Q

Change-Id: If07b03de48eff76d6fbb56fbbbe6bc712b8aa7ba
CRs-Fixed: 774533
2018-06-13 22:27:02 -07:00
Nachiket Kukade
37b4e6dfbe qcacld-3.0: Add support for getting dtim and beacon interval
Add support for getting vdev dtim and beacon interval from
mlme in PMO.

Change-Id: I97c117eec290f6b9452b98629bf6b3ee10c38ce6
CRs-Fixed: 2252713
2018-06-13 22:27:01 -07:00
Mukul Sharma
4474604869 qcacld-3.0: Add support for getting cfg integer from PMO
Add support for getting cfg integer from PMO. Register callbacks
during pe_open/close so that PMO can query CFG int values for
calculating parameters like listen interval etc.

Change-Id: I52d165586576e547e175ba276e6b7225db5b27e0
CRs-Fixed: 2252661
2018-06-13 22:26:58 -07:00
gaurank kathpalia
e4a628f2d6 qcacld-3.0: Free channel-list memory from Sap_context
The driver allocates memory to channel list in the API
sap_get_channel_list, and stores the pointer to channel
list in sap_context, and frees the memory allocated for
the same in scan request callback.
But it may happen that before the callback, stop adapter
calls wlansap_context_put and frees the memory allocated
to sap context, without the mem free of channel list, which
results in a mem leak.

Fix is to add a NULL check to sap context and free the memory
allocated to the sap context channel list in
sap_cleanup_channel_list.

Change-Id: I7030ca8325ae4c968db654bf14062e332f409b87
CRs-Fixed: 2254767
2018-06-13 22:26:54 -07:00
nshrivas
2e28af52fc Release 5.2.0.82P
Release 5.2.0.82P

Change-Id: I71d2b4a1b575b773a5115ce5e5e81fa01bd7f5dd
CRs-Fixed: 774533
2018-06-13 21:00:44 -07:00
Sravan Kumar Kairam
d431e5b50e qcacld-3.0: Remove logging of peer info after peer delete
Currently after dp peer delete peer info is logged which leads
to invalid pointer access. Do not log the peer info after it is
deleted.

Change-Id: If4c2d9af7e3f2b29e3e034eec08fa68fd329257b
CRs-Fixed: 2259026
2018-06-13 21:00:44 -07:00
Dustin Brown
a6246dd4e5 qcacld-3.0: Check vdevs in hdd_check_for_leaks
Before checking for other kinds of resources leaks, check to ensure all
objmgr vdevs have been properly freed.

Change-Id: Ie30daf22834ceb4a8ce19fbd1d4c9b231d3b70d4
CRs-Fixed: 2255511
2018-06-13 21:00:41 -07:00
Kabilan Kannan
3618a75273 qcacld-3.0: Fix synchronization problem in wma remove peer
Peer removal happens in MC thread context and the corresponding
unmap events are processed in soft IRQ context. But both the events
are not synchronized correctly and causes race condition
in the system.
Apply reference count for the peer to avoid this
problem.

Change-Id: If1ca656a4dc0325032069af926697784cdec9b2d
CRs-Fixed: 2183468
2018-06-13 21:00:38 -07:00
nshrivas
fe356310a9 Release 5.2.0.82O
Release 5.2.0.82O

Change-Id: Ibe69286158f2babfb62565cd62673f2050623fda
CRs-Fixed: 774533
2018-06-13 19:41:14 -07:00
jiad
ad913c784e qcacld-3.0: Fix WLAN IPA clk scaling enablement
With IPA WDI unified API, IPA PM is used instead of IPA RM
for power/resource management. When checking if IPA clk
scaling is enabled or not, HDD_IPA_RM_ENABLE_MASK is thus
not applicable for WDI unified API.

Change-Id: Ie18c2ba6168a06a3bf03f6a5754ffef98113ce30
CRs-Fixed: 2256015
2018-06-13 19:41:13 -07:00
jiad
f9771185c2 qcacld-3.0: Fix WLAN IPA perf profile initialization
With IPA WDI unified API, IPA PM is initialized after WLAN IPA pipes
are connected. Initializing IPA perf profile will fail if IPA pipes
are not yet connected.

Fix is to
1. Initialize perf profile only after IPA pipes are connected
successfully.
2. If clk scaling is disabled, initialize perf level to maximum.
3. Allow driver to proceed if perf profile initialization fails.

Change-Id: I3a63e0f1decec10440467da62cb6ccf740eda318
CRs-Fixed: 2258682
2018-06-13 19:41:10 -07:00
Sourav Mohapatra
d21fc6b148 qcacld-3.0: Make wlan_hdd_cfg80211_set_key_wapi static
The function wlan_hdd_cfg80211_set_key_wapi is currently set as public
which is not required as it is called from the same file only.

Make the function static.

Change-Id: I8188cf02ec06b7212607b2aba759b47ec5cc58ac
CRs-Fixed: 2247639
2018-06-13 19:41:08 -07:00
Tang Yingying
378468160c qcacld-3.0: Remove flush log in TX packet process
hdd_inspect_dhcp_packet() will be called for each TX packet in SAP
interface. Remove the print to avoid flush print which will impact
the TX performance.

CRs-Fixed: 2253186
Change-Id: I01766ad923725a0cb04b2c19952806d4de84b37e
2018-06-13 19:41:04 -07:00
nshrivas
c928ba2d7e Release 5.2.0.82N
Release 5.2.0.82N

Change-Id: I73b21835e60f399384ad78b553c815d47effd0e2
CRs-Fixed: 774533
2018-06-13 18:20:04 -07:00
Sourav Mohapatra
9916dca12c qcacld-3.0: Update maxNumberOfPeers in sme database from ini
The value that is received from the ini for the max number of peers
supported for SAP is not being updated to the sme database.

Update the ini param into the sme database

Change-Id: I319d825e8b1f643b04b5521577786f8a3ed20e13
CRs-Fixed: 2249919
2018-06-13 18:20:03 -07:00
Will Huang
c312328512 qcacld-3.0: Resolve assert when sending D0WOW disable command
Currently while sending wmi command when target is suspend, it will
check whether command is WMI_WOW_HOSTWAKEUP_FROM_SLEEP_CMDID/
WMI_PDEV_RESUME_CMDID, but D0WOW command is an exception, to keep align
with legacy code so don't set wmi_handle->is_target_suspended if it is
D0WOW enable command.

Move out logic of checking D0WOW status from PMO tgt to core layer.

Change-Id: I164f24ea733e54e5e0dbdb77344917df5d039e53
CRs-Fixed: 2254047
2018-06-13 18:20:00 -07:00
Pragaspathi Thilagaraj
0092b6736f qcacld-3.0: Fix possible OOB write in wma_update_intf_hw_mode_params
In the function wma_update_intf_hw_mode_params, vdev_id received
from caller wma_pdev_set_hw_mode_resp_evt_handler, is used as
the array index for wma->interfaces. If vdev_id exceeds
wma->max_bssid then a possible OOB write could occur.

Add check to validate vdev_id against wma->max_bssid. Print
error if it exceeds.

Change-Id: I3ddf5e1b24fbd2bd401ac879219300857d05e4b7
CRs-Fixed: 2243990
2018-06-13 18:19:57 -07:00
Pragaspathi Thilagaraj
fbfa88ea39 qcacld-3.0: Increase SAP ACS scan priority to high from low
The function sap_goto_channel_sel triggers the pre start bss
scan for SAP. After this scan is queued, the hostapd process
gets scheduled after 3 secs and proceeds to select the channel
to start the SAP. If scan completion for the ACS scan was not
received, it selects the default channels. ACS scan is sent to
firmware with low priority like other normal scan.
Increasing the priority of the scan will ensure that the scan
completion is done prior to the other existing scans pending on
the queue.

Escalate the priority of the ACS scan from low to high.

Change-Id: Ibe558a4a323f276cce6eaabb3b62db217dbd5a94
CRs-Fixed: 2245200
2018-06-13 18:19:54 -07:00
nshrivas
1c07a383b8 Release 5.2.0.82M
Release 5.2.0.82M

Change-Id: I48cfb714f7190c98a4e8188d27cb457634534e0a
CRs-Fixed: 774533
2018-06-13 15:23:54 -07:00
Rachit Kankane
0106e38412 qcacld-3.0: Add INI support for number of vdevs
New INI gNumVdevs is added to allow number of VDEV support
for both Host and FW. Also updated logic to calculate num_peers
and num_tids.

Change-Id: Ife5ff24e9594c8986913c06899ac5e41c83fc75c
CRs-Fixed: 2245506
2018-06-13 15:23:53 -07:00
Dustin Brown
c1cdb710bf qcacld-3.0: Reduce excessive logging during suspend
There are several logs along the suspend/resume code paths that log
debugging related information at the INFO level. Reduce the logging
level of these debug logs to avoid spamming the console.

Change-Id: I0e81901e4a053038392c1012600ae125a1ad27a3
CRs-Fixed: 2258093
2018-06-13 15:23:50 -07:00
gaurank kathpalia
3a1059e43b qcacld-3.0: Add break statement in switch case
The API wma_inc_wow_stats lacks a break in switch case
after WOW_REASON_OEM_RESPONSE_EVENT. Due to this
execution falls through to the next case statement or
default.

Fix is to add a break after WOW_REASON_OEM_RESPONSE_EVENT

Change-Id: I0b95fd55403b29d74a471f038e518c58c81cfcf7
CRs-Fixed: 2233189
2018-06-13 15:23:47 -07:00
nshrivas
6bf339d781 Release 5.2.0.82L
Release 5.2.0.82L

Change-Id: Ib29f034fe2409e2421482ee5481a05eb9bcfca4e
CRs-Fixed: 774533
2018-06-13 14:10:56 -07:00