In function csr_check_concurrent_channel_overlap, local
variable intf_ch is defined as uint16_t, but its pointer
is cast to uint32_t * before invoking
policy_mgr_get_sap_mandatory_channel, which will do a
32-bit memory write and cause a stack memory overwrite.
Call Trace:
dump_stack+0x46/0x59
print_address_description+0x66/0x22b
kasan_report+0x21f/0x245
policy_mgr_get_sap_mandatory_channel+0x1fd/0x258 [wlan]
csr_check_concurrent_channel_overlap+0xf84/0x10d2 [wlan]
sme_check_concurrent_channel_overlap+0xaa/0xf0 [wlan]
wlansap_check_cc_intf+0x102/0x124 [wlan]
wlan_hdd_get_channel_for_sap_restart+0x506/0x8f8 [wlan]
policy_mgr_check_sta_ap_concurrent_ch_intf+0x35e/0x425[wlan]
process_one_work+0x2cc/0x53b
worker_thread+0x357/0x490
Change the type of the 2nd parameter to uint16_t within
function policy_mgr_get_sap_mandatory_channel, so only
16-bit memory writing will take place.
Change-Id: If514a394e65d005a1fe025c0e753bf7440dd5dde
CRs-Fixed: 2508798
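
An added illustration of the width mismatch described in the commit message above (not code from the driver): a callee that stores 32 bits through a pointer to a 16-bit variable also rewrites whatever sits next to it, while a callee whose parameter type matches stores only 16 bits. The struct, the function names and the values are hypothetical; the adjacent local is modelled as a struct member so that the demo itself stays within one object.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the caller's stack frame: the 16-bit channel
 * variable with another 16-bit local placed directly behind it. */
struct frame {
    uint16_t intf_ch;
    uint16_t neighbour;
};

/* Old-style callee (hypothetical name): assumes the target is 32 bits wide.
 * memcpy models the 32-bit store at the address it is given. */
static void get_chan_u32(void *out, uint32_t chan)
{
    memcpy(out, &chan, sizeof(uint32_t));
}

/* Fixed callee (hypothetical name): the parameter type matches the caller's
 * variable, so only 16 bits are stored. */
static void get_chan_u16(uint16_t *out, uint16_t chan)
{
    *out = chan;
}

/* Returns 1 if the local next to intf_ch was modified by the write. */
int neighbour_clobbered(int use_fixed)
{
    struct frame f = { .intf_ch = 0, .neighbour = 0xA5A5 };

    if (use_fixed)
        get_chan_u16(&f.intf_ch, 6);
    else
        get_chan_u32(&f, 6);   /* &f is also the address of f.intf_ch */

    return f.neighbour != 0xA5A5;
}
```
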
Direct buffer tx component initializes in target_if_init, which causes a
platform assert since g_umac_glb_obj is NULL. So change the order to
avoid NULL pointer access.
Change-Id: I348775d08ccc478caef605c2ae8d1b6d65d77eb2
CRs-Fixed: 2497809
Avoid compiling ol_rx_reorder.c and ol_rx_reorder_timeout.c
for low latency and only compile for high latency
data path.
Change-Id: I1f3819fa093766abba87e5dc6dc44e6d2188740b
CRs-Fixed: 2506005
In "Change-Id: I2896f7704ffb809214c5b08756c4b8673307fd9e", parameter
type of hif_get_hal_handle changed from void to hif_opaque_softc,
which causes a compilation failure in wma_init_dbr_params.
Change-Id: Idbb591bb1ea1507661882fe48b18eaaffcac164d
CRs-Fixed: 2504894
Support monitor mode enablement by changing driver mode, and also
remove the support for enabling monitor mode with the insmod parameter
"con_mode_monitor = 4"; use "con_mode = 4" instead.
Steps to enable monitor mode, for reference:
(1) change driver mode
a. svc wifi disable
b. echo 4 > /sys/module/wlan/parameters/con_mode
c. ifconfig wlan0 up
d. iwpriv wlan0 setMonChan 11 0
(2) insmod with kernel parameter way
a. insmod /vendor/lib/modules/qca_cld3_wlan.ko con_mode=4
b. ifconfig wlan0 up
c. iwpriv wlan0 setMonChan 11 0
Change-Id: Ie615533d060261d545b3b92bea9916099ccccadd
CRs-Fixed: 2494158
Presently in the driver, in function hdd_objmgr_create_and_store_vdev
the vdev object is created and stored. In case the creation of the vdev
fails due to some reason, the corresponding error condition tries to
free the osif_priv pointer. This osif_free pointer is actually already
freed as a part of vdev_obj_delete -> vdev_release_ref -> vdev_obj_free.
As this is already freed, a possible double free scenario can occur in
the original error handling scenario.
To avoid this scenario, do not free the osif_priv pointer in the error
handling as it is already taken care in the caller.
Change-Id: I7fc7be187ce1e303c81da885a75c600a7b6c4b3e
CRs-Fixed: 2507432
enum qca_wlan_vendor_roaming_subcmd contains different values of
subcmds to be used with QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD and
these are not attributes.
Values of the enum qca_wlan_vendor_roaming_subcmd have been
renamed according to usage and relevant documentation is added
in qca-vendor.h. Make corresponding changes in usage to avoid
compilation errors.
Use the right max index (QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX) while
parsing for PARAM_LIST_SSID. This caused a compilation error as the
inappropriate max index (QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_MAX)
is used for parsing, which has been deleted now.
Change-Id: Ifc063b801ba2729e8cff1581ef63e78e1d36a32d
CRs-Fixed: 2508196
Currently, the API cdp_fc_get_tx_resource takes as input the sta_id. As a
part of cleaning up the usage of sta_id, replace it by peer mac address.
Change-Id: I7b81a05d312da84aa16c82f0f6152710daf986c5
CRs-Fixed: 2507274
Cleanup ol_txrx_get_tx_resource to be peer mac address based
from local peer id based.
Change-Id: Id7ac4b5152c782d3475d9fad59f8f835102483cc
CRs-Fixed: 2508132
Some system suspend commands are getting sent to firmware while
runtime resume is in progress. Sync runtime pm resume when system
suspend occurs to avoid this.
Change-Id: I6e652104e984b81e29a5f328fcf3937502a8f47f
CRs-Fixed: 2509910
Currently the NUD tracking is done only for STA mode.
For all the adapters the NUD tracking work is not
created and hence should not be destroyed when the
adapter is cleaned up.
Destroy the NUD tracking work only for the STA adapter.
CRs-Fixed: 2505365
Change-Id: I677a07cb37e2d547e62b7ffebf6d014255a9d237
In the current wlanhost driver dump status, there is no
support for separately counting the packets that are dropped
because firmware doesn't have enough tx descriptors, so
add such a function, which can benefit KPI tuning.
Change-Id: I1a72acbc4f1f861c2013a1ef1a95b73acccd6b53
CRs-Fixed: 2507410
Currently the driver selects channels 12, 13 as they are
free from BSS and their weights are minimum, which results
in IOT issues as legacy STAs do not support the same.
Fix is to avoid channel 12, 13 in SAP ACS process, and try
to start the SAP on channels from 1 - 11.
Change-Id: If735fade7d7b489b45a20f74c04bab5582343f79
CRs-Fixed: 2509791
Convert channel to freq in hdd_connection_info, so
remove unused 'channel' and rename 'freq' to 'chan_freq'.
Change-Id: I0d3fd39f9ac3c2303729b27b7c97385097c82104
CRs-Fixed: 2508791
1. Add g_enable_go_force_scc INI configuration
to enable force SCC on P2P GO interface.
This option only takes effect when
gWlanMccToSccSwitchMode INI enabled.
2. Add API policy_mgr_is_go_allow_force_scc to get
the above configuration value for GO.
Driver will apply "MCC to SCC" logic to P2P GO
interface based on STA active status and the configured
INI values.
Change-Id: I1d16368b5f2d88984b91ef0a3e882148c20dcd23
CRs-Fixed: 2509555
In AP+STA case, if g_sta_sap_scc_on_lte_coex_chan != 0,
SAP is allowed SCC with STA on unsafe channel. And
if g_sta_sap_scc_on_dfs_chan != 0, SAP is allowed
SCC with STA on DFS channel.
But when the STA disconnected, standalone SAP is not allowed
on unsafe channel or DFS channel. We need to move
the SAP to safe channel or non DFS channel.
The original API -
policy_mgr_is_sap_restart_required_after_sta_disconnect
only handles the AP+STA case. Change it to cover the 3VIF
concurrency case - AP+AP+STA.
Change-Id: Iec4e750d8b3fda0cc52ac698ecaa9a274f935706
CRs-Fixed: 2509545
Currently, cdp_peer_get_vdev_by_sta_id takes as input the sta_id. As a
part of cleaning up the usage of sta_id, replace it by peer mac address.
Change-Id: Ibb7f3489899ac3fda48ad5e54891cd2d7623c6c8
CRs-Fixed: 2507219
Rename API ol_txrx_get_vdev_by_sta_id to ol_txrx_get_vdev_by_peer_addr
and cleanup ol_txrx_get_vdev_by_peer_addr to be peer mac address based
from local peer id based.
Change-Id: Ie3b8a1d97b5196e7306e5641cb894f31b8abe154
CRs-Fixed: 2504565
Currently the driver calls the pre bss scan cb
which is used to calculate the weight to start
the SAP on best channel. This API depends upon
the SAP context pointer which is passed as an arg
to the scan module, which in turn returns the arg
as part of the scan cb. But it may happen that
the SAP was deleted before the scan cb was called.
In that case pre bss scan cb and weight calculation
does not matter to the driver as SAP in any case is
OFF. Here the sap context which was passed as an arg
to the ACS cb is used after free, and there is no way
currently to validate the pointer. But as part of scan
cb, the driver gets a vdev pointer, which would be in a
logically deleted state, if the stop adapter for SAP has
been done. Using this data, the driver can know the object
status, and then decide to continue with the weight calculation.
Fix is to try to get a vdev ref before the weight calculation algo
kicks in, and return if the reference cannot be taken to avoid
use after free for SAP-context.
Change-Id: Ib9c3bde4a36ee49efdadab3dc531991b8688f79e
CRs-Fixed: 2509249
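
An added sketch of the pattern the commit message above describes (not code from the driver): the scan callback first tries to take a reference on the vdev it is handed, and skips the weight calculation without touching the possibly stale argument when the vdev is logically deleted. All type and function names are hypothetical, the weight arithmetic is a placeholder, and the reference count is single-threaded for brevity where a real driver would use atomics or a lock.

```c
#include <stdbool.h>
#include <stddef.h>

enum obj_state { OBJ_ACTIVE, OBJ_LOGICALLY_DELETED };

/* Hypothetical, simplified vdev: a state flag plus a reference count. */
struct vdev {
    enum obj_state state;
    int refcnt;
};

/* Taking a reference fails once the object is logically deleted. */
static bool vdev_try_get_ref(struct vdev *v)
{
    if (v == NULL || v->state != OBJ_ACTIVE)
        return false;
    v->refcnt++;
    return true;
}

static void vdev_put_ref(struct vdev *v)
{
    v->refcnt--;
}

/* Scan-completion callback: `arg` is the context handed to the scan module
 * earlier and may already be freed; `v` is supplied by the scan module.
 * Returns the computed weight, or -1 if the work was skipped. */
int pre_bss_scan_cb(struct vdev *v, const int *arg)
{
    int weight;

    if (!vdev_try_get_ref(v))
        return -1;          /* SAP already stopped: never dereference arg */

    weight = *arg * 2;      /* placeholder for the weight calculation */
    vdev_put_ref(v);
    return weight;
}
```
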
When lte channel avoidance event triggered, multiple SAP will choose
safe channel from pcl/acs combination and switch to the safe channel
one by one.
Actually when force SCC mode is enabled, if one SAP is the same band
as other concurrent SAP whose channel is already safe, it doesn't
need to choose safe channel from pcl/acs again, just needs to
follow concurrent SAP channel. Add code to implement this policy.
Change-Id: Icc9b2a53bb56915daeab8d94eceaaa64a660cb65
CRs-Fixed: 2500183
There is only vdev start, stop, and set-key wakelocks for system suspend
as of now. Add vdev start, stop, and set-key wakelocks for runtime PM
also.
Change-Id: Ic071bcfb112ae8861a446298677d190484f0c01b
CRs-Fixed: 2507852
As a part of vdev manager conversion, vdev delete code is
refactored. Legacy code and naming is removed. In vdev manager
operations, STA_SESSION is addressed as VDEV.
Hence WLAN_SER_CMD_DEL_STA_SESSION macro is renamed to
WLAN_SER_CMD_VDEV_DELETE.
Change-Id: I34b0a34191bef1f279582178f25b9b20b33e709e
CRs-Fixed: 2508150
In wlan_hdd_extauth_copy_pmkid(), pmkid received from userspace
could be NULL. Currently there is no validation for the PMKID.
Add check to validate the received PMKID before copy.
Change-Id: I756458562bf20226a202a5ecdbbe9e79884169c7
CRs-Fixed: 2508935
SAP1 chan6, SAP2 chan6, LTE channel avoidance event marks
chan6 unsafe, driver will do channel switch for SAP1 and SAP2 to
safe chan 1.
In the middle of channel switch of SAP1, policy_mgr_allow_concurrency
disallows the channel switch request because new SAP1 channel 1
will cause MCC with existing SAP2 (channel 6) and firmware
doesn't support MCC for dual-beacon entities on same band.
This change removes all the SAP entries on the old channel
before doing the concurrency check for the SAP channel change request.
Change-Id: Ic2c828a3fec4cbe2f11d4bedf471211bee442e9e
CRs-Fixed: 2491265
Currently the driver modifies the channel list
which came from hostapd in trim channel list API
in case of concurrency present.
This would in turn prevent SAP to change channel
to a safe channel whenever a LTE-COEX event comes
as the acs channel list would contain only one channel
that would be the SAP channel itself.
Fix is to retain the info of channels which came from
the hostapd, and use this info to restart the SAP.
Change-Id: I9d43930d78f1eaedb01139a9ddc319b610d21862
CRs-Fixed: 2501400
Currently the API hdd_is_current_high_throughput considers any
throughput level higher than (or equal to) PLD_BUS_WIDTH_HIGH as high
throughput level. Based on this level, driver decides to take up RX
wakelock and log certain stats(TDLS). This can have an impact on power
even in HT20 modes.
Reduce the high throughput detection level to PLD_BUS_WIDTH_MEDIUM. So
throughput >= 60Mbps is considered high by the API.
Change-Id: I2225edc55568facf4b74a389b4a0a53845ea14ae
CRs-Fixed: 2495719