Add spectral scan feature flag which can be
used to control the feature through build options.
Change-Id: Ide13e958cffff610626c891041307b40ac94c47d
CRs-Fixed: 2232167
Currently the function typedef wma_tgt_cfg_cb is defined with two void
pointer parameters. However the types of the two parameters are known
to both the sender and the receiver, so fully specify the types of
those parameters.
Change-Id: I7cf7178015084599061b123da7b5f1f453ec5353
CRs-Fixed: 2254954
Per the Linux coding style "mixed-case names are frowned upon" so
rename field pMACContext in struct cds_context.
Change-Id: I50007d80d12276b682237d728435203e455a18c9
CRs-Fixed: 2250670
Add HDD flow pool map and unmap functions. These are registered
with the policy manager (via CDS) so that lithium_dp vdev flow pools are
created/deleted when vdevs become active/not-active under the control of
the policy manager.
Change-Id: I1ff6b3bafa78df68fbf9a221ac0d001bd5a06d8d
CRs-Fixed: 2240815
To align with the Linux Kernel coding style replace typedefs
cds_context_type and p_cds_contextType with a reference to the
underlying struct.
Change-Id: Ifc85a9bbecd29614835ed9e61ab143d0387e82b0
CRs-Fixed: 2250667
There are certain stability issues reported and from the logs, it
has been concluded that vdev detach is missing which causes memory
leaks.
Add debug logs around vdev attach and detach paths to recognize any
memory leaks.
CRs-Fixed: 2244033
Change-Id: I9ee751fff8f51c7ad2ca2d7ec1e894cbbf60d201
In wma_open, first get ref of psoc, then attach wmi. If the attach
fails, the ref of psoc should be released before returning.
Change-Id: If2e21bbf8b54de865c2b54582685974474ea3c7c
CRs-Fixed: 2250872
When WMI attaching fails in wma_open, the memory allocated
during invocation of target_if_open should be freed to
avoid a memory leak.
Change-Id: I64e5bbc9714199a1598df55e00586786a30aad35
CRs-fixed: 2237068
In the function hdd_hostapd_sap_event_cb, stainfo is obtained
from hdd_get_stainfo(). This stainfo is dereferenced later to
retrieve dhcp_phase. If the stainfo returned from the
function hdd_get_stainfo is NULL, then a possible NULL pointer
dereference could occur.
Add check to validate stainfo is not NULL.
Change-Id: Ia428142b6ae2545528c5998dcde63845ca592b56
CRs-Fixed: 2233870
Remove support for enabling/disabling SIFS burst mode,
SAP DFS channel SIFS burst and SIFS burst duration through
ini parameter as well as through IOCTL
Change-Id: I3d43afa3c0c85eef470a29b9e7ad812079666278
CRs-Fixed: 2238175
This board information is stored in the board file during the
calibration process. WMI service ready event will now carry it for the host.
Append this board version information to the firmware version string.
Change-Id: Ieb5bc480bd0c2e387fcf6990dd192741f0b7cd6b
CRs-fixed: 2218963
Fix tTxrateinfoflags as per linux coding guidelines, this will later
help move the struct to qcacmn.
Change-Id: I1911d25594aaecc7c166cf36b79111b61e6de457
CRs-Fixed: 2244834
Address the following issues in the core/wma folder:
CHECK: 'accomodate' may be misspelled - perhaps 'accommodate'?
CHECK: 'acess' may be misspelled - perhaps 'access'?
CHECK: 'catagory' may be misspelled - perhaps 'category'?
CHECK: 'chnage' may be misspelled - perhaps 'change'?
CHECK: 'defintions' may be misspelled - perhaps 'definitions'?
CHECK: 'Intialize' may be misspelled - perhaps 'Initialize'?
CHECK: 'Intial' may be misspelled - perhaps 'Initial'?
CHECK: 'proces' may be misspelled - perhaps 'process'?
CHECK: 'progess' may be misspelled - perhaps 'progress'?
CHECK: 'refrence' may be misspelled - perhaps 'reference'?
CHECK: 'Relevent' may be misspelled - perhaps 'Relevant'?
CHECK: 'reponse' may be misspelled - perhaps 'response'?
Change-Id: Idc314b5a3a6945211581e2135cfaf9d0d5f69457
CRs-Fixed: 2241946
Change "qcacld-3.0: Add support to send A-MSDU aggregation type
to firmware" combines the AMSDU/AMPDU configuration path in WMA
layer, which is causing some ampdu parameters to be overwritten by
the value of amsdu.
Avoid GEN_VDEV_PARAM_AMSDU handler to touch ampdu parameters.
CRs-Fixed: 2243571
Change-Id: I52119f2bbcb306f5fad704e912c4cbb179c6a369
The driver verifies the replay_attack in protected
management frames in the API wma_is_ccmp_pn_replay_attack.
The API expects a CCMP header pointer, but it may happen that
the size of the total frame is less than the size of ieee frame
+ the CCMP header length. In that case the CCMP pointer will
point to some memory location not allocated to the frame, which
will result in an out-of-bounds access.
Fix is to add a length check to memory allocated to wbuf in
wma_process_rmf_frame.
Change-Id: I351fa671cb8728843c8843c27dd91bcb201abb42
CRs-Fixed: 2230976
In the earlier generation of product or qcacld-3.0 code,
the wow related logs which help debug which is the packet
waking up the APPS used to appear in kmsg and hence part of
the bugreport.
Now in the recent code base, this log is moved to LOGD
which appears in cnss_diag, with this change the ask is
to revive the same logs to appear in kmsg instead of
cnss_diag logs.
Hence move these from Debug to Info. INFO logs appear in kmsg.
Change-Id: Iefcd362209f3f2276d0c2ac53359e0f325122f95
CRs-Fixed: 2225547
Check for nan rsp data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and wmi_nan_event_hdr
size from max allowed size when validating nan rsp data
length.
Change-Id: I341779a33ed218fdda5d008e949ced0c8cf05590
CRs-Fixed: 2227248
For LFR 3.0, when HO failed, peer deletion is handled by FW;
no WMI_PEER_DELETE_CMDID will be sent to FW.
Reset the peer counter when HO failure is reported.
Change-Id: I07cecf3166f40d2bd103a286e4556f95d7465bba
CRs-Fixed: 2240059
qcacld-2.0 to qcacld-3.0 propagation
When Management frame Tx fails, tx_frm_ota_comp_cb is not set NULL
during cleanup, because of which assert is observed since session
is not available.
Set tx_frm_ota_comp_cb NULL when Management frame tx fails.
Change-Id: I318a6d04cce06955f6751f6f3df746fec50b9434
CRs-Fixed: 2127855
Vdev resp and hold req queue cleanup is called in kernel thread context
and this may lead to race condition where it may free the wma's iface
structure while MC thread is using the iface.
In case FW down is received during interface delete, driver completes wait
events and thus the interface delete removes the adapter before del sta
self resp is received and thus del sta self resp uses adapter after it's
freed.
To avoid this call the vdev resp and hold req queue cleanup from MC
thread. Also call del sta self resp only when driver unload is in
progress. For FW down case the resp is not required.
Change-Id: I711f83c54df29251de365a3137077b3b8d82b448
CRs-Fixed: 2234547
Check for stats ext info data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and stats_ext_info
size from max allowed size when validating stats ext
info data length.
Change-Id: I34e35a0aab396af3d93a0f61e0ab6a2da09f22ab
CRs-Fixed: 2227263
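
The length check described in the nan rsp and stats ext info commit messages above, as an added example that is not part of the commits or the driver source. All sizes and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sizes for illustration; not the driver's real values. */
#define MAX_MSG_LEN   64u  /* largest event buffer the receiver accepts */
#define EVENT_HDR_LEN 8u   /* fixed event header preceding the payload  */
#define TLV_HDR_LEN   4u   /* tag/length word preceding the payload     */

/* Weak check: compares the payload length against the whole buffer. */
static int len_ok_weak(uint32_t data_len)
{
    return data_len <= MAX_MSG_LEN;
}

/* Corrected check: reserve room for both headers before comparing. */
static int len_ok_fixed(uint32_t data_len)
{
    return data_len <= MAX_MSG_LEN - EVENT_HDR_LEN - TLV_HDR_LEN;
}

/*
 * Write zeroed headers plus the payload into a MAX_MSG_LEN buffer.
 * Returns bytes written, or -1 if the payload length is rejected.
 */
static int build_event(uint8_t *out, const uint8_t *payload, uint32_t data_len)
{
    if (!len_ok_fixed(data_len))
        return -1;
    memset(out, 0, EVENT_HDR_LEN + TLV_HDR_LEN);
    memcpy(out + EVENT_HDR_LEN + TLV_HDR_LEN, payload, data_len);
    return (int)(EVENT_HDR_LEN + TLV_HDR_LEN + data_len);
}

int main(void)
{
    uint8_t out[MAX_MSG_LEN];
    uint8_t payload[MAX_MSG_LEN] = {0};
    uint32_t lens[] = {10, 52, 53, 64};  /* constructed payload lengths */

    for (size_t i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
        printf("len=%u weak=%d fixed=%d written=%d\n", (unsigned)lens[i],
               len_ok_weak(lens[i]), len_ok_fixed(lens[i]),
               build_event(out, payload, lens[i]));
    return 0;
}
```

Lengths 53 through 64 pass the weak check even though the headers plus payload would no longer fit in the destination buffer.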
In the API sir_validate_and_rectify_ies, the driver rectifies
the RSN IE, if the AP hasn't filled the RSN capabilities in the
beacon/probe response, but has filled the length of IE as extra
2 bytes meant for the RSN capabilities. The driver tries to repair
these kind of frames and fills the last 2 bytes of RSN IE with
default RSN capabilities, to prevent the failure of unpacking
the IEs in unpack-core. But, the driver may write these default
RSN capabilities into some other allocated memory, because the
allocated memory is only the frame length, which would result
in OOB write.
Fix is to allocate some reserve bytes in the frame
for these type of issues.
Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2232542
In function wma_form_rx_packet, mpdu_data_len is calculated as
(buf_len - mpdu_hdr_len). If the value of buf_len is less than
mpdu_hdr_len, then an integer underflow would occur while calculating
mpdu_data_len.
Add sanity check to return invalid if buf_len is less than mpdu_hdr_len.
Change-Id: I4522eadb65f6cd8b210ba071a91e53008eec042c
CRs-Fixed: 2230318
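
The unsigned subtraction described in the wma_form_rx_packet message above, together with the short-frame case from the earlier wma_process_rmf_frame message, as an added example that is not part of the commits or the driver source. Function names are hypothetical and the header sizes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for illustration; not taken from the driver. */
#define MAC_HDR_LEN 24u  /* assumed 802.11 management header length */
#define SEC_HDR_LEN 8u   /* assumed CCMP header length              */

/* Unchecked form: wraps to a huge value when buf_len < hdr_len. */
static uint32_t payload_len_unchecked(uint32_t buf_len, uint32_t hdr_len)
{
    return buf_len - hdr_len;
}

/* Checked form: returns 0 and sets *out, or -1 if the buffer is too short. */
static int payload_len_checked(uint32_t buf_len, uint32_t hdr_len,
                               uint32_t *out)
{
    if (buf_len < hdr_len)
        return -1;
    *out = buf_len - hdr_len;
    return 0;
}

/*
 * Return a pointer to the security header that follows the MAC header,
 * or NULL when the frame cannot hold both headers.
 */
static const uint8_t *sec_hdr(const uint8_t *frame, uint32_t frame_len)
{
    if (frame_len < MAC_HDR_LEN + SEC_HDR_LEN)
        return NULL;
    return frame + MAC_HDR_LEN;
}

int main(void)
{
    uint8_t frame[64] = {0};  /* constructed, all-zero frame buffer */
    uint32_t n = 0;

    printf("unchecked(10, 24) = %u\n",
           (unsigned)payload_len_unchecked(10, MAC_HDR_LEN));
    printf("checked(10, 24)   = %d\n",
           payload_len_checked(10, MAC_HDR_LEN, &n));
    printf("sec_hdr(len=31) is %s\n", sec_hdr(frame, 31) ? "set" : "NULL");
    printf("sec_hdr(len=32) is %s\n", sec_hdr(frame, 32) ? "set" : "NULL");
    return 0;
}
```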
For LFR2.0 roaming policy, firmware will indicate roam event with
WMI_ROAM_REASON_SUITABLE_AP reason even when ROAM_SCAN_OFFLOAD_STOP cmd
is set with WMI_ROAM_SCAN_MODE_ROAMOFFLOAD; it doesn't obey LFR2.0
roaming policy design. Root cause is firmware only disables roam
scan with ROAM_SCAN_OFFLOAD_STOP cmd which must set scan mode with
WMI_ROAM_SCAN_MODE_NONE.
Fix is to always set scan mode with WMI_ROAM_SCAN_MODE_NONE for
LFR2.0 when host sends ROAM_SCAN_OFFLOAD_STOP cmd.
Change-Id: Id5e8325f2767023daacd3dbd4104ce768de3857d
CRs-Fixed: 2228315
Association request initiated by the host contains
the RSN capabilities which contains both the flags
of PMF, i.e. PMF required and PMF capable. The DUT
may connect to a non PMF AP or only a PMF capable AP,
if the DUT is PMK capable and not PMF required,
but connection to a non PMF AP isn't allowed
if the DUT is configured as PMF required.
In the Association request, the DUT advertises its
RSN capabilities, and according to them, the connection
(PMF/non PMF) happens. But these capabilities aren't
sent to the firmware, so while roaming, the DUT may
connect to a non-PMF AP, as in the re-assoc request
the DUT would still advertise PMF-REQUIRED as false,
which would be violation of protocol.
Fix is to send these RSN capabilities to the
firmware as part of roam scan offload params,
to have firmware save the configuration, and
send the RE-assoc request with PMF required as
true, if the DUT supports PMF required.
Change-Id: Iff58f7ba3b2fee7a834bd625225bbb3d62f33557
CRs-Fixed: 2234977
Vdev ref count is incremented in wma_state_info_dump
and not decremented before return. This results in
vdev not deleted physically as part of wlan0 hdd_stop.
On hdd_open, a new vdev is created for wlan0 with same
mac addr as the previous wlan0 vdev. In scan, API to
get vdev by mac addr will return NULL since the first
wlan0 vdev is not physically deleted and not removed from
vdev list.
Fix is to decrement vdev ref count in wma_state_info_dump.
Change-Id: I67c90a721643f5bb7c6e212846f6d398055a6672
CRs-Fixed: 2233997
Remove duplicate structs wmi_dual_mac_config and sir_dual_mac_config
and use policy_mgr_dual_mac_config.
Change-Id: I6da6539f519ec46ee274ba3f3ae042e5fd9c25d2
CRs-Fixed: 2190993
Use get_wmi_unified_hdl_from_psoc instead of GET_WMI_HDL_FROM_PSOC due
to incompatible return types.
Solve renaming dependencies with common side changes.
Change-Id: Ie84641327d64876877c7d26b63d632c79770a88c
CRs-Fixed: 2203055
Presently, fw_crash_timeout is disabled as a result of which if
timeout happens for any VDEV related WMI command and device goes
in bad state, no assert or recovery is getting triggered. Due to
this, device crashes at some later point of time at some random
location making debugging difficult.
Enable fw_crash_timeout and trigger recovery if recovery is enabled
otherwise assert.
Change-Id: I9e9e51cba8086bd181be28884c490f0bd77663a8
CRs-Fixed: 2229101
Replace typos "sucess" and "sucessful" with correct spellings
"success" and "successful"
Change-Id: I30746cbab4533da9b052261fa9bb87214188138b
CRs-Fixed: 2237724
wlan_objmgr_get_vdev_by_macaddr_from_psoc and wlan_objmgr_get_peer
API's definitions have been changed to include pdev_id as an
argument.
Modify the callers of these APIs to include pdev_id as argument.
Change-Id: I3d0de6a0bc1dfefbe1b3cad51ec23f703baaf3ad
CRs-Fixed: 2210728
wma_is_service_enabled can't get valid service bitmap if called in
hdd_update_pmo_config; use psoc_ctx->caps.unified_wow instead to check
pattern id per vdev and legacy d0 wow capability.
Change-Id: If7bf316f482c49253fc4b95b94e172727b27ffd1
CRs-Fixed: 2225847
In the API wma_process_pdev_hw_mode_trans_ind
the host doesn't check the upper limit of
num_vdev_mac_entries received from the firmware,
and fills the same to the host structure
hw_mode_trans_ind, which may cause OOB write.
Fix is to check for the max vdev supported in the
same API and return if the condition is false.
Change-Id: I54a9e12f777b87b49057d6c97c06ab71b9ad1d77
CRs-Fixed: 2221965
In the function wma_set_epno_network_list,
req->networks[i].ssid.ssId is copied into the destination
params->networks[i].ssid.mac_ssid. But the ssid length is not
considered while copying and WMI_MAC_MAX_SSID_LENGTH is used as
the length for copying. This might result in possible buffer
overread if the ssid length is not WMI_MAC_MAX_SSID_LENGTH.
Similar issue is seen in wma_pno_start also.
Use pno->aNetworks[i].ssId.length as the size to mem copy the
ssid to the destination ssid buffer.
Change-Id: Id3f579da97e398663b7d583f5f46d4671eabeae3
CRs-Fixed: 2233682
cdp_get_pn_info() would output wild pointers and cause NULL
pointer reference in wma_is_ccmp_pn_replay_attack().
Add pointer check in wma_is_ccmp_pn_replay_attack().
CRs-Fixed: 2232554
Change-Id: Ic2e5487468aaced91d6567005bbe66a7c065f088