Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_process_rmf_frame.
Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes.
Change-Id: I156cf9766dda30ee3746361614a2e4586553f93d
CRs-Fixed: 2123807
Currently the debug logs print only the KEK, KCK and other
keys during FILS Roam sync indication from FW to Framework.
Add additional debug logs to print Next ERP Sequence Number
from the firmware during roam sync indication to Framework.
Change-Id: I3df03cd3d426ffa18e021a45d95edb3148838858
CRs-Fixed: 2106552
Currently, the wmi_service_bitmap field in WMI_SERVICE_READY_EVENT is
exhausted. WMI_SERVICE_AVAILABLE_EVENT is available for upcoming
capability intimations.
Add a service_available_event handler in the host driver to extract the
FILS roaming capability of fw. Based on this capability only, the send
RSO, update connect params, HLP IE and GTK offload commands are sent
to fw.
Change-Id: I320ba86d29109d8cba23830ef9cb5e159792f19a
CRs-Fixed: 2094229
Currently, in host driver, FILS Keys(PMK, KEK, ICK) are
printed in debug logs.
Remove all the Key dumps added as part of FILS.
Change-Id: Iafdd556b5c547d5d8f8184a33c0d2fad40cb96d0
CRs-Fixed: 2095631
Add FILS roaming support changes as follows:
- Update ERP info in RSO Start
- Update HLP info in a new command WMI_PDEV_UPDATE_FILS_HLP_PKT_CMDID
- Set/Delete PMK cache info with WMI_PDEV_UPDATE_PMK_CACHE_CMDID
- Process FILS TLV in Roam Synch Indication and update the FILS info
[seq number,PMK, KEK, realm] to Supplicant.
Change-Id: I78c3bdde080701deb8d2bdb92d8d57d18cceb864
CRs-Fixed: 2081252
This change adds support for configuring voltage corner mode
through an INI parameter. The user will provide a bitmap which will
be passed on to the FW during initialization. In this bitmap,
each pair of bits up to BIT27 corresponds to a different phymode and
bw combination. The bit values signify the voltage corner configuration.
Change-Id: I9e86d43079225b6f08fdd281c8f424b18abcffe9
CRs-Fixed: 2109884
In WMI_SERVICE_READY_EVENTID, check for number of dbs HW modes against
the metadata.
Change-Id: I043c93c4e6bc0dfdd73dbdc65bab683c56269308
CRs-Fixed: 2119387
On the Rome platform, an invalid radio id is used in the FW event
WMI_RADIO_LINK_STATS_EVENTID and causes a crash. So check the
radio id when handling this event.
Change-Id: Iadf61fbde53f80f1081da9a386cf13f0cce69e3c
CRs-Fixed: 2123782
Number of profile data from firmware cannot be trusted. Check for
number of entries against the metadata in TLV header.
Change-Id: I0d8078f623a97e33ee1689398c291be75fe9a62a
CRs-Fixed: 2119391
Add sanity check for vdev id in wma_vdev_start_resp_handler() to prevent
out of bound memory access.
Change-Id: Ia4e18e8e322142928c41dfa88b874ff017727266
CRs-Fixed: 2120424
Assert was added in the wma_rx_aggr_failure_event_handler via the change
Iea93e879196e9cd43856a7dcc9204d2304f76c78 and it exposes further security
issues.
Remove the assert in wma_rx_aggr_failure_event_handler.
Change-Id: Iaef00389fa19da0fe33e3bcd6f2123e553b84dff
CRs-Fixed: 2114789
SAP DUT allocates an SA query timer for each STA-PEER which gets associated
to DUT. When STA-PEER walks out or gets disassociated, SAP DUT releases
this timer memory through the PEER clean-up process, but in a few corner cases
it is observed that STA-PEER is left uncleaned.
In such cases, ideally when the SAP session goes away, the SAP state-machine
should check for any left out memory and clean it up through
lim_cleanup_mlm(), but this API checks for own session validity and
own session has been marked as invalid before even calling this API,
due to which the timer memory leaks.
Fix the situation by deleting the timer before marking own session as
invalid.
In some cases, for some reasons, the PEER delete sta request couldn't be sent to
FW; then the memory associated with the delete sta request needs to be freed.
If status is failure and del sta response is not required then silently
release the memory.
CRs-Fixed: 2124293
Change-Id: I082c771bbee6d083b15515dd2e40ed9a27e0a9a1
Add sanity check for wow_buf_pkt_len in wma_wow_wakeup_host_event()
to avoid out of bound memory access.
Change-Id: Id3b0003aa366d9239739efe561f44eff1dceff5d
CRs-Fixed: 2119401
Checkpatch flagged the following issues, so fix them:
- WARNING:LONG_LINE: line over 80 characters
- ERROR:SPACING: space prohibited before that ',' (ctx:WxE)
- WARNING:LINE_SPACING: Missing a blank line after declarations
Change-Id: Ifb14eaa7828da997c35265deed5e94a2a2db9054
CRs-Fixed: 2125681
Checkpatch reported the following problem:
ERROR: Prefixing 0x with decimal output is defective
Correctly use %x when logging hex data.
Change-Id: I8150cf6ae5770a18035f006df9e774932919d9b7
CRs-Fixed: 2124907
In WMA, data from firmware event buffer is used without
sanity checks for upper limit. This might lead to a potential
integer overflow further leading to buffer corruption.
Add sanity check to avoid integer overflow.
Change-Id: Id47e12015a4d46af24180b621b52ffcb17596c07
CRs-Fixed: 2112832
Structure roam_offload_synch_ind has element hlp_data which is of
size FILS_MAX_HLP_DATA_LEN, which is greater than WMI_SVC_MSG_MAX_SIZE.
Hence, remove the check for the size of roam_offload_synch_ind against
WMI_SVC_MSG_MAX_SIZE to avoid roam failure. Also, modify the check
for validity of vdev id.
Change-Id: I1b9cef08e1d847f27b7057abf7189ef0f867b92f
CRs-Fixed: 2124786
Currently resp_event->vdev_id, received from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.
Add sanity check to make sure vdev_id is less than max_bssid before
using it.
Change-Id: I734ff795a3936719b08493f868384dbde72a80df
CRs-Fixed: 2119394
In function wma_ndp_end_indication_event_handler, num_ndp_end_indication_list
from the fw is used to calculate buf_size which is in turn used to malloc.
This could lead to potential integer overflow if num_ndp_end_indication_list
is a very high value.
Add check to validate num_ndp_end_indication_list does not exceed the max
message size from firmware.
Change-Id: Icbb763bfc14ec0ef8424cab50afa5c6826fd3c60
CRs-Fixed: 2114255
Currently fix_param->vdev_id, received from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.
Add sanity check to make sure vdev_id is less than max_bssid before
using it.
Change-Id: I92743589e0333449c39e148b37d200cac2cdb817
CRs-Fixed: 2119434
Add sanity check for num_hw_modes and num_phy in wma_populate_soc_caps()
for WMI_SERVICE_READY_EXT_EVENTID.
Change-Id: I023d737449283f9ac092d278bde016b208b2c891
CRs-Fixed: 2119887
1) Currently all the parameters to decide the best candidate are chosen
by default.
Add INI support for those parameters to change values on the basis
of performance.
2) At the time of calculating the best candidate score, rssi considers
bucket size, good rssi, bad rssi, good rssi percentage from total
rssi percentage, bad rssi percentage from total percentage.
Configure all these params from ini.
Change-Id: I808a40486473fcbb161c12fbd369b3b846beb8c2
CRs-Fixed: 2121735
In function wma_unified_link_iface_stats_event_handler, num_ac is received
from the firmware and is used in the loop to populate values into results.
However the memory for results is allocated only for WIFI_AC_MAX and a
buffer overflow will occur if num_ac is greater than WIFI_AC_MAX.
Add checks to make sure num_ac is not greater than WIFI_AC_MAX and
num_offload_stats is not greater than WMI_OFFLOAD_STATS_TYPE_MAX.
Change-Id: Ife8b1d19aa853f85f4fad82d5791e49a8c892ca4
CRs-Fixed: 2114756
Assert added as part of I2689873c2c5e63c83e5059563662c0c69dc659fc
in wma_get_ll_stats_ext_buf is not required as it causes a stack
trace exposing further security issues.
Remove the assert in wma_get_ll_stats_ext_buf.
Change-Id: I92a5eb1b287e61c7f2cc9d6dba92446719c3c6b2
CRs-Fixed: 2115112
Propagation from qcacld-2.0 to qcacld-3.0
Add diag event for wow packet counters stats.
The event EVENT_WLAN_POWERSAVE_WOW_STATS will be used to
inform the wow stats packet counters.
Change-Id: I9d1760aa6b790544b9879e7ef18d4f5359e0e245
CRs-Fixed: 1087714
STA is roaming to 2G AP even though 5G
only is configured through ini.
Set weightage of the 2G social channels
to zero so that firmware will not roam
to 2G channels.
Change-Id: I7dea8413618265e0f1fe353da4b858583c1921af
CRs-Fixed: 2117614
Add 1 second wake lock for 4 way handshake to avoid APPS
power collapse in middle of eapol exchange which can delay
the association process.
Change-Id: Ife73dc00aa05b5a80d0a90afd18468bd033ebdd9
CRs-Fixed: 2118533
On vdev response timer expiry, memory allocated for the vdev request
will be freed in the timer handler (wma_vdev_resp_timer). But there
can be a race condition where wlan shutdown is invoked at the same
time, where the host tries to clean up unhandled vdev requests by calling the
same timer handler.
To mitigate this issue, don't free the memory if the vdev request is not
found (as the other thread freed the memory by this time).
Change-Id: Iea214f0ed3acb9600b5a3b84b5740c1b496719d9
CRs-Fixed: 2049673
The current driver strategy is to converge on unified APIs, and the
unified WMI struct flashing_req_params conveys the same information as
typedef tSirLedFlashingReq, therefore replace tSirLedFlashingReq with
struct flashing_req_params.
Change-Id: I4ef75ee3bff7c83dbf8197bba0802569282a414f
CRs-Fixed: 2121335
Update ini param g_auto_detect_power_failure_mode to incorporate below
values,
0 - Don't register wow wakeup event and FW crashes on power failure
1 - Register wow wakeup event and FW sends failure event to host on
power failure
2 - Don't register wow wakeup event and FW silently rejuvenate on
power failure
3 - Don't register wow wakeup event and the auto power failure detect
feature is disabled in FW.
Change-Id: I8a704954ecbacadbc035c1523fa41a18b6300f66
CRs-Fixed: 2087144
Make sure num_vdev_mac_entries, which is coming from firmware, is within
MAX_VDEV_SUPPORTED to avoid any buffer overflow or OOB read.
Change-Id: I92793a6bcfd46b288c3f496a6f6cc9b372f60c48
CRs-Fixed: 2119432
Currently the driver forms a unit test command within the HDD layer and uses
the message passing method to deliver it to the WMA layer, which
requires the HDD layer to have knowledge of how to form a unit test command.
Use the SME API to send params to the WMA layer and let WMA form a unit test
command and send it directly to FW through the WMI layer instead of HDD
forming and passing it down.
CRs-Fixed: 2118725
Change-Id: Id1838939813e6cd2d52cee8720a1f4e0ca34329b
Currently the driver doesn't perform a boundary check on the num_vdev_mac_entries param
which is coming from firmware. Without a boundary check, the driver may be
exposed to buffer overflow.
Check against the boundary limit before using it.
CRs-Fixed: 2119430
Change-Id: I502926a7f783acc7b73a3fbbbd70386a099b48b3
Currently if_id used in the for loop is incremented based on vdev_map != 0
and vdev_map is a uint_32, received from FW, and is right shifted by one bit
for each iteration. This could result in if_id going up to a max of 31 and cause
an OOB read.
Add sanity check to make sure if_id is less than max_bssid.
Change-Id: I7e0c4e9a26cb67f41e35c60c2756d7ad02cf43ea
CRs-Fixed: 2119443
Add sanity check for vdev id in wma_roam_event_callback() to prevent
out of bound access of memory in wma_roam_better_ap_handler().
Change-Id: If3cf06a8eca767201fdd8b056bee6d773938a2a6
CRs-Fixed: 2119400
Add support in wma_flush_complete_evt_handler to capture
data stall event from Firmware and post the message to
sys queue.
CRs-Fixed: 2086176
Change-Id: I4e819b1ae711b3867fa46ff638d4bfd2054519ed
Host should keep the wake lock from the time it sends
WMI_PDEV_SET_MAC_CONFIG_CMDID to FW till it receives the
WMI_PDEV_SET_MAC_CONFIG_RESP_EVENTID. This will avoid any fatal
crash condition.
Change-Id: Id16a1957b38acee6cf45c123ea9dbab25aae9b39
CRs-Fixed: 2070779
Add Vendor Event to get the driver hang reason indicating to the
user space that the driver has detected an internal failure.
This event carries the information indicating the reason that triggered
this detection.
Change-Id: I3934f2a18c796ed3b53175dcbe7efd7f4d1409b9
CRs-fixed: 2098498
After deriving the vdev_id from the vdev map in
wma_beacon_swba_handler, check for the validity
of the vdev_id.
Change-Id: Ifc4577d8a00f447e2bcfa4e01fce5ac2dbe96a4d
CRs-Fixed: 2120751
There are currently two ways to get vdev stats from firmware. As such,
the redundant pe_stats_req is being removed. Migrate existing consumers
to stats_request_params instead.
Change-Id: I3426b43a6202bb59ceef13cf8d4528700c7f3983
CRs-Fixed: 2120637
Currently in wma_unified_link_peer_stats_event_handler, the check to validate
if peer_stats->num_rates is less than WMA_SVC_MSG_MAX_SIZE is done only for
the first member of the peer_stats array. This can lead to integer overflow
as num_rates is calculated as sum of peer_stats->num_rates for each of the
peer_stats in the array.
Add code changes to loop and calculate total_num_rates for all the peer_stats
and then validate total_num_rates with WMA_SVC_MSG_MAX_SIZE.
Change-Id: Ic934934a990bd55fce70a0eaffa2812bc34b0ddd
CRs-Fixed: 2113758
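Added example (not qcacld code): the two count-validation shapes described in the peer-stats commit above and in the wma_ndp_end_indication_event_handler commit. The per-element check that only looks at peers[0] is contrasted with a cumulative check that cannot wrap, and a helper computes a TLV buffer size only when the count fits in one message. WMA_SVC_MSG_MAX_SIZE, struct peer_stats and all sample values are constructed stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-in for the driver's message limit; the real qcacld value differs. */
#define WMA_SVC_MSG_MAX_SIZE 4096u
/* Hypothetical per-peer record, modelled on the num_rates field the commit names. */
struct peer_stats {
	uint32_t num_rates;
};
/* Old shape of the check the commit describes: only peers[0] is validated. */
static bool first_peer_only_check(const struct peer_stats *p, uint32_t n)
{
	return n > 0 && p[0].num_rates < WMA_SVC_MSG_MAX_SIZE;
}

/* Fixed shape: accumulate across all peers, testing each addend against the
 * remaining headroom so the uint32_t accumulator itself can never wrap. */
static bool total_num_rates_check(const struct peer_stats *p, uint32_t n,
				  uint32_t *total_out)
{
	uint32_t total = 0;
	for (uint32_t i = 0; i < n; i++) {
		if (p[i].num_rates > WMA_SVC_MSG_MAX_SIZE - total)
			return false;
		total += p[i].num_rates;
	}
	*total_out = total;
	return true;
}

/* Size for a header plus `count` fixed-size TLV entries (the ndp end indication
 * pattern). Returns 0 when the entries cannot fit in one message, which also
 * rules out count * entry_size wrapping before it reaches malloc. */
size_t tlv_buf_size_checked(size_t hdr_size, size_t entry_size, uint32_t count)
{
	if (entry_size == 0 || hdr_size > WMA_SVC_MSG_MAX_SIZE)
		return 0;
	if (count > (WMA_SVC_MSG_MAX_SIZE - hdr_size) / entry_size)
		return 0;
	return hdr_size + (size_t)count * entry_size;
}

/* Constructed sample: peers[0] looks harmless, peers[2] carries a count that
 * makes a naive 32-bit sum wrap to 549. Returns 1 if only the old check passes. */
int sample_escapes_first_peer_check(void)
{
	const struct peer_stats p[4] = { {100}, {200}, {UINT32_MAX - 50}, {300} };
	uint32_t total = 0;
	return first_peer_only_check(p, 4) && !total_num_rates_check(p, 4, &total);
}
```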
Check vdev_id against wma->max_bssid in wma_mcc_vdev_tx_pause_evt_handler to
avoid buffer overflow.
Change-Id: Ie47a0ed2f7f27f13a01e1b2cb365fae66b41b1df
CRs-Fixed: 2120677
Implementation to change BmissFinalBcnt dynamically.
User can set totalBcnt using the new command
QCA_WLAN_VENDOR_ATTR_CONFIG_TOTAL_BMISS_CNT.
BmissFirstBcnt will retain its default value or from ini.
BmissFinalBcnt will be configured as (totalBcnt - BmissFirstBcnt).
Change-Id: Ie3c3895d48248d349400e755f07edc807e335b44
CRs-Fixed: 2081906
During host invoked roaming, set WMI_ROAM_INVOKE_FLAG_NO_NULL_FRAME_TO_AP
flag so that FW will not send NULL data frame while doing transition to
same bssid.
CRs-Fixed: 2046964
Change-Id: I043c3d2431e4da5af36fb710bd36a520550abbd3
Change-id Iafd5666179d079c7bcc950277092cef3046356bf was added to remove
antenna sharing support from SAP and STA case but customer needs those
changes for SAP case only.
So bringing back changes for STA case.
CRs-Fixed: 2117829
Change-Id: I79f7c5ae1fd642f0b26170f066a5409638cdd873
In the function wma_roam_synch_event_handler, vdev_id is received from
the fw and is used to access a member of the array wma->interfaces without
validating the max of the vdev_id received from the fw.
Add a check to make sure vdev_id is less than max_bssid before using it.
Change-Id: I3b940e183ab66680891cb7351af4537b50afce1d
CRs-Fixed: 2114187
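Added example (not qcacld code) for the vdev_id checks in the roam synch commit above and the vdev_map loop in the if_id commit: a bitmap walk in the same shape as the driver's loop that stops indexing interfaces[] once the derived id reaches max_bssid. struct sample_wma, SAMPLE_MAX_BSSID and the bitmaps are constructed stand-ins for wma->interfaces and wma->max_bssid.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed size; the real wma->max_bssid is a runtime value in qcacld. */
#define SAMPLE_MAX_BSSID 4u

/* Minimal stand-in for an entry of wma->interfaces[]. */
struct sample_iface {
	bool vdev_up;
};

/* Stand-in for the wma handle with only the fields the commits name. */
struct sample_wma {
	uint32_t max_bssid;
	struct sample_iface interfaces[SAMPLE_MAX_BSSID];
};

/* Walk a firmware-supplied vdev bitmap the way the if_id loop in the commit
 * does, but refuse to index once if_id reaches max_bssid. Returns the number
 * of vdevs marked up, or -1 if the bitmap names a vdev out of range. */
int mark_vdevs_from_map(struct sample_wma *wma, uint32_t vdev_map)
{
	int marked = 0;

	for (uint32_t if_id = 0; vdev_map != 0; if_id++, vdev_map >>= 1) {
		if (!(vdev_map & 1))
			continue;
		/* Without this check a bitmap with high bits set drives if_id
		 * up to 31 and reads past the end of interfaces[]. */
		if (if_id >= wma->max_bssid)
			return -1;
		wma->interfaces[if_id].vdev_up = true;
		marked++;
	}
	return marked;
}

/* Constructed sample: run the walk against a fresh handle with max_bssid 4. */
int sample_map_result(uint32_t vdev_map)
{
	struct sample_wma wma = { .max_bssid = SAMPLE_MAX_BSSID };
	return mark_vdevs_from_map(&wma, vdev_map);
}
```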