In wma_vdev_delete_handler() once vdev req is removed from the
vdev_resp_queue the vdev rsp timer is stopped and freed after
releasing the wake lock and vdev detach callback.
So before vdev rsp timer is stopped it may get expired and
post msg in MC thread. Now once this timer msg is processed it
accesses the already freed memory.
To fix it stop vdev rsp timer first before releasing the wake
lock and vdev detach callback.
Change-Id: Iface6d1faaa9f801d0da7a70d548eafbd082dc48
CRs-Fixed: 2196338
qcacld-2.0 to qcacld-3.0 propagation
Send host timestamp to firmware, so that firmware can print the
logs timestamp in sync with host.
Change-Id: I1d4d223aa1c8e207941ab659f69b72a855e3a604
CRs-Fixed: 2193976
Check the total supported mac and phy count for capability
parsing in service ready extension event.
Change-Id: Ibde9040e5adf97d53645f714e5e8981dd1a9d22a
CRs-Fixed: 2194602
Add check for GMAC offload capability wmi_service_gmac_offload_support.
If firmware supports GMAC offload, trim MMIE when driver receives
PMF frame. Otherwise, driver calculates MIC and trims MMIE.
Also, add support for suiteB auth types during roaming in
e_csr_auth_type_to_rsn_authmode.
Change-Id: Id44f44a41297ca3e462d14905f5986f904a639fd
CRs-Fixed: 2185819
While changing the channel, driver needs to add vdev restart instead
of channel switch.
Change-Id: I2d5a40aee2108feda5da5e41c6d18aab6c3a30bc
CRs-Fixed: 2182014
Send a ROAM_STOP command to firmware with an explicit
reason code for the failure so that it is not blocked
in WMA before sending it to firmware.
Change-Id: I4d7e2e525c145ca0e990dcef85948285e2186c63
CRs-Fixed: 2182671
In function wma_vdev_stop_resp_handler, resp_event->vdev_id is
received from the FW and is used to access the interfaces array in
wma_handle. This could lead to OOB read/write if the vdev_id
received from the FW is greater than or equal to max_bssid.
Add check to return failure if resp_event->vdev_id is greater than
or equal to max_bssid in wma_vdev_stop_resp_handler
Change-Id: I1af5312e6c45db3b9ba03fbf45de3d3c2a7fab20
CRs-Fixed: 2185477
As part of csa or opmode IE handling program phymode param after
ch_width since firmware expects channel width to be programmed
before phymode.
Change-Id: I46e3a5e1ce94fa53e27f821e70c29e209e591865
CRs-Fixed: 2186030
It is decided to centralize the logic of programming LI based on
modulated/dynamic DTIM in FW to address the concerns with LFR3.0 in WoW
mode. In order to make it work, following steps need to be performed.
1) If listen interval offload bit is enabled in service ready extension
then,
a) Driver needs to send "gEnableModulatedDTIM", "gMaxLIModulatedDTIM"
and "gEnableDynamicDTIM" params' value to FW via VDEV PARAM up on
each successful association.
b) Driver should not program LI during suspend()/resume()
2) If listen interval offload bit is disabled in service ready extension
then don't trigger above changes.
Change-Id: I6f94c95bd83e5846d7290d5dc752b14da5951a76
CRs-Fixed: 2187597
Check the current vdev supported bandwidth values against peer
opmode update value and if the peer opmode value is greater than
current supported value then do not send the opmode update request
to FW.
Change-Id: I8f360d769b5aafb90061a6a9d18f1f8062e3534e
CRs-Fixed: 2174050
Update the HE STBC capability per latest spec and add support
to configure it using INI configuration and ioctl.
Change-Id: I4ecc7b600671c132c1f3968a10fb652a4311f484
CRs-Fixed: 2181114
Stats events are sent by WLAN FW based on over the air frame reception
and may contain incorrect vdev id hence sanitize vdev id received from
FW in stats events before accessing interface array based on it.
Change-Id: I4ecc73fc27285c98c0ea8cebc27955213cd68399
CRs-Fixed: 2186953
Before VDEV_STOP is initiated by host, sometimes there are
outstanding mgmt tx pkts left in FW. Need to wait for all tx to
complete, or the peer vdev ref count is kept held. In P2P GO/SAP mode,
there is no wait since wma->interfaces[session_id].delay_before_vdev_stop
is 0; the ini relative cfg isn't passed to wma at all.
Change-Id: I1c3d137bb08624e30cc220e0fa0e31e6d6fc8a9d
CRs-Fixed: 2184096
Check new channel width and center frequency segments in CSA
wider BW IE before processing the channel switch and if CSA IE
has invalid data for any of these parameters then do not do the
channel switch with wider BW.
Also check for self capability for BW that is supported by device
before processing wider BW channel switch. If AP advertises the new
channel width with valid data that is greater than self capability
BW value then limit the channel switch BW to self capability.
Change-Id: I1d567e5cdc6347b56b513ea002b5a3978cb447e9
CRs-Fixed: 2182054
FW assert is observed when deleting VDEV because there are peers
not deleted.
Add check for peer number in FW before sending delete VDEV
command to avoid such issue.
Change-Id: I4cc5d4c63faf3dc8f7b9d0702f92b54b298802cb
CRs-Fixed: 2163770
Move wma_get_buf_start_scan_cmd logic to common code in
ucfg_scan_update_params.
Change-Id: Iaee8ab5b7f0c20867bf37db7509b1c1fab23579d
CRs-Fixed: 2180959
As part of convergence the mode capabilities
are extracted and saved in the target info structure.
Update the hardware mode list and pcl from the converged
structures.
CRs-Fixed: 2179003
Change-Id: I3cfc28533448c312913db3bead5d5322386f3f74
HT MCS index returned by wma_get_mcs_idx function is
between 0 and 7 for both nss equal to 1 and 2. This
results in incorrect HT MCS index for nss 2 case
populated in station stats on using iw station dump
command.
Fix is to set the correct HT MCS index based on nss.
Change-Id: Id4ac51b56bc44e90ea0e7570b387450af83ee8f5
CRs-Fixed: 2182050
Currently 11k offload params is sent directly as a message from CSR to WMA
leading to timing issues where 11k offload params are sent to the FW
before RSO start is sent.
Send the 11k offload params as part of the RSO request from CSR to WMA
and handle the request to send the 11k offload WMA command to FW.
Change-Id: Icff7146171cdf325f3a7e5a067652669ec0270ff
CRs-Fixed: 2183161
Update the max frag entry, ht, vht, rf chains from the converged
target psoc capabilities information and remove redundant wma_handle.
CRs-Fixed: 2178922
Change-Id: I6bfe734bac85905b0d6837bffb37d286cff2a4ff
Use the converged wmi service bitmap from the
target psoc info instead of extracting the same from
the ready event.
CRs-Fixed: 2178812
Change-Id: I00d61aa3cbb2a90459d4363e2ca04e297cc74187
As part of converged init deinit architecture, all the target
capabilities are saved as part of target_psoc_info, use the same
to update.
CRs-Fixed: 2178726
Change-Id: Iad1d0224e0fdfe1140d1600e17f3e585142eaf63
If wma_send_msg with msg_type WMA_SET_LINK_STATE_RSP, tpLinkStateParams
params has a member callbackArg which is allocated from the heap. If this
message is flushed when the driver unloads, because no msg.flush_callback is
supplied, the flush just frees msg->bodyptr and callbackArg is leaked.
Fix it by supplying a flush_callback as wma_discard_fw_event, and a minor
change to avoid NULL pointer access.
Change-Id: Ie979a1e83cbd7c87e5bbb08382ae2af3230a13db
CRs-Fixed: 2181458
Currently wake_info->vdev_id, received from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.
Add sanity check to make sure vdev_id is less than max_bssid before
using it.
Change-Id: I66be7d15f370d0204e25c3d0ea60c0c9f5912005
CRs-Fixed: 2121059
Remove dependency on WMA layer for green AP component by registering
green AP events through target_if layer.
Change-Id: Ic4ea8df1928db632b8e31f0a873b74c6aff4505d
CRs-Fixed: 2167028
Cleanup abort scan called from CSR and LIM by calling
ucfg_scan_cancel api to abort the scan.
Change-Id: Ie146c60a1888a55b0da295864a9edc083fc36d1a
CRs-Fixed: 2180189
As part of converged architecture use the converged
target resource configuration.
CRs-Fixed: 2178610
Change-Id: Ic0e3cbddea3c216688eb16c4e9a8045c7a0a1e9e
Initial changes for the init deinit convergence wherein
service ready, extended service ready and init cmd are
converged.
Change-Id: I1c1fd50f51362f4f09561c259961e6761429fcd0
CRs-Fixed: 2178590
Ignore the disassociation and deauthentication requests from
the old AP once roaming is in progress. Memorize the
received disassoc/deauth. If the roaming is not successful
and current AP's connection is retained, then the earlier
received disassoc/deauth can be honored and disconnect can
be triggered internally.
Change-Id: I5fa4d154c17e08904d839b8a889020680d662021
CRs-Fixed: 2160681
Add new ini options for 11k offload parameters and changes to pass down the
11k offload parameters to the FW. The 11k offload command is sent after
roam start to the FW in connect path.
Also add 11k invoke command support to offload neighbor report request
iwpriv command to FW
Change-Id: If6d4bff91531e5460bbc8a851a6d777cf088eda0
CRs-Fixed: 2162029
In function wma_unified_radio_tx_power_level_stats_event_handler, radio_id
is received from the FW in the fixed_param structure and is used to access
the buffer wma_handle->link_stats_results which is allocated in
wma_unified_link_radio_stats_event_handler. The buffer is allocated for
link_stats_results->num_radio and if the radio_id received from the
FW is greater than link_stats_results->num_radio, an OOB write will
occur in wma_unified_radio_tx_power_level_stats_event_handler.
Add check to return failure if radio_id received from the FW is greater
than link_stats_results->num_radio.
Change-Id: I67a848e7ab137d46bb43e7336ff8135da257568c
CRs-Fixed: 2169104
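
Several entries above (the vdev stop response, stats event, wake_info and radio tx power level fixes) describe the same defect class: an index taken from a firmware event is used on a host-side array without a range check. The following is an added example, not code from the driver; the structure, the function names and the MAX_BSSID/MAX_RADIO capacities are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_BSSID 4   /* assumed capacity; stands in for max_bssid */
#define MAX_RADIO 2   /* assumed capacity; stands in for num_radio */

/* Hypothetical, simplified driver state (not the qcacld structures). */
struct demo_wma {
    uint32_t max_bssid;
    uint32_t num_radio;
    uint32_t stop_count[MAX_BSSID];   /* per-vdev table, like interfaces[] */
    uint32_t tx_power[MAX_RADIO];     /* per-radio table, like link stats */
};

/* Index fields are unsigned so a huge value cannot pass as "negative". */
static int index_in_range(uint32_t idx, uint32_t count, uint32_t capacity)
{
    return count <= capacity && idx < count;
}

/* vdev stop response: vdev_id arrives from firmware and is untrusted. */
int demo_vdev_stop_resp(struct demo_wma *w, uint32_t vdev_id)
{
    if (!w || !index_in_range(vdev_id, w->max_bssid, MAX_BSSID))
        return -1;                    /* reject before touching the array */
    w->stop_count[vdev_id]++;
    return 0;
}

/* radio stats event: radio_id selects a slot in a num_radio-sized buffer. */
int demo_radio_tx_power(struct demo_wma *w, uint32_t radio_id, uint32_t level)
{
    if (!w || !index_in_range(radio_id, w->num_radio, MAX_RADIO))
        return -1;
    w->tx_power[radio_id] = level;
    return 0;
}

int main(void)
{
    struct demo_wma w = { .max_bssid = MAX_BSSID, .num_radio = MAX_RADIO };
    /* Constructed inputs: one valid id, then ids at and far past the limit. */
    printf("%d %d %d\n", demo_vdev_stop_resp(&w, 3),
           demo_vdev_stop_resp(&w, 4), demo_vdev_stop_resp(&w, 0xFFFFFFFFu));
    printf("%d %d\n", demo_radio_tx_power(&w, 1, 20),
           demo_radio_tx_power(&w, 2, 20));
    return 0;
}
```

The helper also refuses a count larger than the compiled-in capacity, so a corrupted count field cannot widen the accepted range.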
Currently, SME sends a eWNI_SME_SET_BCN_FILTER_REQ message
to PE which in turn builds a beacon filter request using
lim_send_beacon_filter_info and sends down a message to
WMA using WMA_BEACON_FILTER_IND. But, this message does
not have a handler in WMA. So, cleanup all these messages.
The beacon filtering is currently happening through
hdd_add_beacon_filter.
Change-Id: Id235d6303ce7c740f907147afc7248d833772067
CRs-Fixed: 2177429
Do not process radar event until receiving vdev start response, because
during channel switch, radar may be detected again in the old channel.
Change-Id: I1a524e38c25f91c684fd2c4962aeaf556d2445eb
CRs-Fixed: 2175891
In wma_sar_event_handler, compiler with -Werror=frame-larger-than=
throws frame size larger than 1024 bytes build error.
Fix is to use heap memory for struct sar_limit_event.
Change-Id: Idd122b24a7e00b10404864e045eaa9df01852fd8
CRs-Fixed: 2177791
HE PPET is an optional field within HE Capability IE, however
current frame parser code was treating it as optional IE and
inserting EID, length for it causing incorrect PPET values.
Fix frame parser code by treating PPET as just another data
field instead of IE.
Change-Id: I1903d99daf5eb00e47f42485886532551e061982
CRs-Fixed: 2172820
Currently in SAP cases, logging is huge and hence failure
logs are getting overwritten very fast within 2 mins itself.
Fix it by deleting some irrelevant log prints.
Change-Id: I90a77ba9348b84eb7e5c3518391f7c98a04bb39f
CRs-Fixed: 2169101