Commit Graph

882 Commits

Author SHA1 Message Date
Krunal Soni
50a0554d12 qcacld-3.0: Do boundary check on num_vdev_mac_entries param
Currently the driver doesn't perform a boundary check on the
num_vdev_mac_entries param, which is coming from firmware. Without a
boundary check, the driver may be
exposed to buffer overflow.

Check against the boundary limit before using it.

CRs-Fixed: 2119430
Change-Id: I502926a7f783acc7b73a3fbbbd70386a099b48b3
2017-10-06 14:18:12 -07:00
Vignesh Viswanathan
adb1b654b7 qcacld-3.0: Add check for if_id in wma_tbttoffset_update_event_handler
Currently if_id used in the for loop is incremented based on vdev_map != 0
and vdev_map is a uint_32, received from FW, and is right shifted by one bit
for each iteration. This could result in if_id going up to max of 31 and cause
OOB read.

Add sanity check to make sure if_id is less than max_bssid.

Change-Id: I7e0c4e9a26cb67f41e35c60c2756d7ad02cf43ea
CRs-Fixed: 2119443
2017-10-06 14:18:10 -07:00
Himanshu Agarwal
847dd5d509 qcacld-3.0: Add sanity check for vdev id to prevent OOB access
Add sanity check for vdev id in wma_roam_event_callback() to prevent
out of bound access of memory in wma_roam_better_ap_handler().

Change-Id: If3cf06a8eca767201fdd8b056bee6d773938a2a6
CRs-Fixed: 2119400
2017-10-06 14:18:08 -07:00
Poddar, Siddarth
c2c0814c7a qcacld-3.0: Add support to capture data stall event from FW
Add support in wma_flush_complete_evt_handler to capture
data stall event from Firmware and post the message to
sys queue.

CRs-Fixed: 2086176
Change-Id: I4e819b1ae711b3867fa46ff638d4bfd2054519ed
2017-10-06 12:27:36 -07:00
Krunal Soni
a5ccb8007f qcacld-3.0: Keep wake lock while mac config is getting changed
Host should keep the wake lock from the time it sends
WMI_PDEV_SET_MAC_CONFIG_CMDID to FW till it receives the
WMI_PDEV_SET_MAC_CONFIG_RESP_EVENTID. This will avoid any fatal
crash condition.

Change-Id: Id16a1957b38acee6cf45c123ea9dbab25aae9b39
CRs-Fixed: 2070779
2017-10-06 12:27:26 -07:00
Anurag Chouhan
4085ff7e51 qcacld-3.0: Add vendor event to get the driver hang reason
Add Vendor Event to get the driver hang reason indicating to the
user space that the driver has detected an internal failure.
This event carries the information indicating the reason that triggered
this detection.

Change-Id: I3934f2a18c796ed3b53175dcbe7efd7f4d1409b9
CRs-fixed: 2098498
2017-10-06 07:58:08 -07:00
Varun Reddy Yeturu
4353e4f156 qcacld-3.0: Check for valid vdev ID in SWBA event handler
After deriving the vdev_id from the vdev map in
wma_beacon_swba_handler check for the validity
of the vdev_id

Change-Id: Ifc4577d8a00f447e2bcfa4e01fce5ac2dbe96a4d
CRs-Fixed: 2120751
2017-10-06 00:12:59 -07:00
Dustin Brown
3561949b4d qcacld-3.0: Migrate to stats_request_params
There are currently two ways to get vdev stats from firmware. As such,
the redundant pe_stats_req is being removed. Migrate existing consumers
to stats_request_params instead.

Change-Id: I3426b43a6202bb59ceef13cf8d4528700c7f3983
CRs-Fixed: 2120637
2017-10-05 20:00:04 -07:00
Vignesh Viswanathan
53d69c9b7f qcacld-3.0: Fix integer overflow in wma_unified_link_peer_stats_event_handler
Currently in wma_unified_link_peer_stats_event_handler, the check to validate
if peer_stats->num_rates is less than WMA_SVC_MSG_MAX_SIZE is done only for
the first member of the peer_stats array. This can lead to integer overflow
as num_rates is calculated as sum of peer_stats->num_rates for each of the
peer_stats in the array.

Add code changes to loop and calculate total_num_rates for all the peer_stats
and then validate total_num_rates with WMA_SVC_MSG_MAX_SIZE.

Change-Id: Ic934934a990bd55fce70a0eaffa2812bc34b0ddd
CRs-Fixed: 2113758
2017-10-05 16:59:49 -07:00
Naveen Rawat
60f39da929 qcacld-3.0: Check vdev_id against wma->max_bssid
Check vdev_id against wma->max_bssid in wma_mcc_vdev_tx_pause_evt_handler to
avoid buffer overflow.

Change-Id: Ie47a0ed2f7f27f13a01e1b2cb365fae66b41b1df
CRs-Fixed: 2120677
2017-10-04 21:52:29 -07:00
Nachiket Kukade
aaf8a71ef5 qcacld-3.0: Implementation to change BmissFinalBcnt dynamically
Implementation to change BmissFinalBcnt dynamically.
User can set totalBcnt using the new command
QCA_WLAN_VENDOR_ATTR_CONFIG_TOTAL_BMISS_CNT.
BmissFirstBcnt will retain its default value or from ini.
BmissFinalBcnt will be configured as (totalBcnt - BmissFirstBcnt).

Change-Id: Ie3c3895d48248d349400e755f07edc807e335b44
CRs-Fixed: 2081906
2017-10-04 08:41:24 -07:00
Krunal Soni
332f4afc05 qcacld-3.0: For host-invoked roaming to same AP, don't to send null frm
During host invoked roaming, set WMI_ROAM_INVOKE_FLAG_NO_NULL_FRAME_TO_AP
flag so that FW will not send NULL data frame while doing transition to
same bssid.

CRs-Fixed: 2046964
Change-Id: I043c3d2431e4da5af36fb710bd36a520550abbd3
2017-10-03 16:02:56 -07:00
Krunal Soni
e6a1cda95e qcacld-3.0: Bring back changes of Antenna sharing for STA
Change-id Iafd5666179d079c7bcc950277092cef3046356bf was added to remove
antenna sharing support from SAP and STA case but customer needs those
changes for SAP case only.
So bringing back changes for STA case.

CRs-Fixed: 2117829
Change-Id: I79f7c5ae1fd642f0b26170f066a5409638cdd873
2017-10-03 03:30:44 -07:00
Vignesh Viswanathan
f8800692cd qcacld-3.0: Fix potential buffer overwrite in wma_roam_synch_event_handler
In the function wma_roam_synch_event_handler, vdev_id is received from
the fw and is used to access member of the array wma->interfaces without
validating the max of the vdev_id received from the fw

Add check to make sure vdev_id is less than max_bssid before using it

Change-Id: I3b940e183ab66680891cb7351af4537b50afce1d
CRs-Fixed: 2114187
2017-10-03 03:30:42 -07:00
Vignesh Viswanathan
677e3ec4b7 qcacld-3.0: Avoid integer overflow in wma_rx_aggr_failure_event_handler
Add sanity check to ensure num_failure_info from FW does not cause
integer overflow while calculating alloc_len, as alloc_len is in
turn used to malloc which can lead to less than required memory
allocated in case of integer overflow of alloc_len

Change-Id: Iea93e879196e9cd43856a7dcc9204d2304f76c78
CRs-Fixed: 2114789
2017-10-03 03:30:41 -07:00
Naveen Rawat
903accac1f qcacld-3.0: Remove LTE ant sharing dependency on HT connection's NSS
While DUT is in SAP or GO mode, due to LTE antenna sharing mechanism,
DUT is associating in 2x1 chains to HT clients.

As per new requirement, remove dependency of number of chains on antenna
sharing. If HT client supports 2 chains, and due to DBS/LTE antenna
sharing SAP/GO drops down a chain then rate adaptation at peer takes
care of dropping down chains at peer side

Change-Id: Iafd5666179d079c7bcc950277092cef3046356bf
CRs-Fixed: 2108484
2017-10-03 03:30:29 -07:00
Vignesh Viswanathan
9f090ad8f9 qcacld-3.0: Avoid integer overflow in wma_get_ll_stats_ext_buf
Check multiple variables received from firmware used to calculate
buf_len to make sure that it does not exceed the max msg size, as
this buf_len is in turn used in malloc and can lead to less than
required memory allocated in case of integer overflow of buf_len

Change-Id: I2689873c2c5e63c83e5059563662c0c69dc659fc
CRs-Fixed: 2115112
2017-10-03 02:38:54 -07:00
Varun Reddy Yeturu
0a2c310e29 qcacld-3.0: Check for the max number of P2P NOA descriptors
Check for the maximum number of P2P NOA descriptors in
wma_send_bcn_buf_ll.

Change-Id: If7e5b3c53309412dc7d3cd748c2f5581898fbbfe
CRs-Fixed: 2114323
2017-10-01 13:35:16 -07:00
Varun Reddy Yeturu
c31391065e qcacld-3.0: Avoid int overflow in wma_unified_link_radio_stats_event_handler
Check for the validity of the number of channels passed in the
radio stats event received from firmware to ensure an integer
overflow does not happen.

Change-Id: Idf5738a40139aafad4de422965dc4ff3d0e53a32
CRs-Fixed: 2114426
2017-10-01 09:31:33 -07:00
Varun Reddy Yeturu
e4e2f29d4b qcacld-3.0: Avoid integer overflow in wma_peer_info_event_handler
Check for the num_peers received from firmware and ensure an
integer overflow does not happen in wma_peer_info_event_handler.

Change-Id: I08cc98fc425d9905d0ca090cd42b73227e594772
CRs-Fixed: 2115366
2017-09-29 16:29:21 -07:00
Varun Reddy Yeturu
d4c523d673 qcacld-3.0: Avoid possible buffer overwrite in wma_process_utf_event
Check for the maximum allowed data that can be written into
the buffer utf_event_info.data in the function
wma_process_utf_event.

Change-Id: I9ee37470b7a3e7016941f871d3cf73eb12718758
CRs-Fixed: 2115375
2017-09-29 15:39:58 -07:00
Varun Reddy Yeturu
74c87c915f qcacld-3.0: Check for upper bound in P2P NOA event
Check for the upper bounds for number of NOA descriptors
received in the P2P NOA event.

Change-Id: Id7ecf064f2c25f378f76d795902713da8520507f
CRs-Fixed: 2113072
2017-09-29 15:39:56 -07:00
Naveen Rawat
684e8b1eb0 qcacld-3.0: Improve tx status logging for mgmt packets
Change status logging in mgmt tx completion to string format.

Change-Id: I84c99e3c928a8a5c17048f20e1d9b3e990b911ad
CRs-Fixed: 2113615
2017-09-28 16:11:28 -07:00
Frank Liu
d1a2846324 qcacld-3.0: TDLS: remove legacy core functions
Clear up the tdls legacy functions which handle add/delete
tdls peer, tdls mgmt frame process and tdls_oper callback.

Change-Id: I8ba344ce5593df44bd15527e2ff68e872b6d23b8
CRs-Fixed: 2105075
2017-09-28 09:39:43 -07:00
Frank Liu
1a912b2f05 qcacld-3.0: TDLS: remove legacy connection tracker
Clear up the legacy tdls connection tracker function

Change-Id: I9163e8ec7a41750085d8673b25cf4797d1b84714
CRs-Fixed: 2105075
2017-09-28 09:39:39 -07:00
jiad
080abce12e qcacld-3.0: Add RX LDPC support for legacy platforms
wma_get_caps_for_phyidx_hwmode() does not check legacy chips like Rome,
which leads to wrong HT/VHT caps being populated.

Fix is to check legacy chips in wma_get_caps_for_phyidx_hwmode() and
populate HT/VHT caps accordingly including RX LDPC capability.

Change-Id: I496191636f0f21ef3399c24fbfb43a562ca2debc
CRs-Fixed: 2061889
2017-09-28 05:40:01 -07:00
Manjeet Singh
70d3d931d9 qcacld-3.0: Check FW support for FW mem dump
Currently HDD sends a FW memory dump request to firmware without
checking support for this feature. This can lead to a crash as firmware
doesn't send the command response if feature is not supported.
Add a check in HDD so that the request is only sent when FW memory dump
capability is advertised by the firmware.

Change-Id: I73b980f50910e13aa5f2d2434f07b6f985dd5010
CRs-fixed: 1090806
2017-09-28 05:39:58 -07:00
Kabilan Kannan
edff06d0a1 qcacld-3.0: Pass correct phymode to FW for a TDLS peer as per its capability
When AP is in 11b-only mode then for a TDLS peer, in the peer_assoc
command to FW, pass phymode as per capability of the TDLS peer.

Change-Id: If1a84b35c2e755aad8b6b67536cbbcc49d378fda
CRs-Fixed: 2093277
2017-09-28 04:48:16 -07:00
Naveen Rawat
296a51846f qcacld-3.0: Add support to send rate information for mgmt frames
Add support to send rate information for mgmt frames.

Currently default rates are used by target for the mgmt frames before
association. If the AP does not support the default rates (1 Mbps for
2.4G and 6Mbps for 5G), STA would still send AUTH, ASSOC frames with
the default rates. Add support to send the minimum rate supported by
the AP as part of the MGMT Tx WMI command.

Change-Id: I38d832818bbbd5fe3dec5660bd01dd08798bf0be
CRs-Fixed: 2085006
2017-09-27 20:57:56 -07:00
Mukul Sharma
6398b253fb qcacld-3.0: Add support for changing LISTEN interval dynamically
Current method for calculating LISTEN INTERVAL is static
configuration a.k.a. ini based. Now OEM / USER want to take
control of setting LISTEN INTERVAL as per their applications
need. Once if USER configure the LISTEN INTERVAL value using
vendor command then host should avoid changing the LI value
during each suspend/resume. User LI value will be override
configuration. Once USER will Disable the LI using vendor
command then host can fallback to current default method.

Change-Id: Ia9b412b073c059df0cdff7bcda8198f7581e796d
CRs-Fixed: 2040298
2017-09-27 20:57:54 -07:00
Ashish Kumar Dhanotiya
bfee5898b7 qcacld-3.0: Update driver according to latest reg domain info
Update driver for the latest reg domain info according to
Regdomain_23 and Regdomain_24 excel sheets.

Change-Id: I6b259be20de650886a16c32b69f8ed82b96dbcd8
CRs-Fixed: 2112485
2017-09-27 20:09:01 -07:00
Abhishek Singh
0d74f9e664 qcacld-3.0: Fix double free del_sta_session_req
iface->del_staself_req is used to check if del sta self was deferred
and if it is set vdev detach is called. iface->del_staself_req is
also set in case del sta self was not deferred and thus del sta self
resp may get called twice, assuming it was deferred and this results
in double free of del_sta_session_req.

To fix this added a bool to check if the del sta self was deferred.

Change-Id: If4c2bc2a5bb6b8761f4130119a96602055d45b77
CRs-Fixed: 2116888
2017-09-27 19:24:02 -07:00
Yu Wang
46082dc0a6 qcacld-3.0: inject fw crash in crash-shutdown
When a kernel panic happens, if WiFi FW is still active,
it may cause NOC errors/memory corruption, to avoid
this, inject a fw crash first.

Propagated from qcacld-2.0

Change-Id: I97a696a02dfd73aaca212ef1bca9f3597df1e382
CRs-Fixed: 2052332
2017-09-26 22:20:06 -07:00
Ganesh Kondabattini
3573957abf qcacld-3.0: set the limit off-channel command parameters
Set the limit off-channel command parameters and conc_system_pref
according to active tos indication from application.

CRs-Fixed: 2066088
Change-Id: I896999adb59aa468daf33364c708d95ef3062018
2017-09-26 17:53:00 -07:00
Ganesh Kondabattini
dadf1fb155 qcacld-3.0: Set DFS flag for DFS channels
Driver is updating WMI_CHAN_FLAG_PASSIVE flag for DFS channels
while sending 'WMI_SCAN_CHAN_LIST_CMDID' command to firmware.

Driver should also update the WMI_CHAN_FLAG_DFS flag for
DFS channels. Otherwise functionality like skipping DFS channels
as part of scan request may not work.

CRs-Fixed: 2103636
Change-Id: Ia146eaad93deab778d5ce7a8647f5c0ba7068ead
2017-09-26 17:52:57 -07:00
Jeff Johnson
adba396c07 qcacld-3.0: wma: Replace instances of unadorned %p
Replace instances of unadorned %p in core/wma.

Change-Id: I44a975caa73f0837274536babf1902bef06c591a
CRs-Fixed: 2100997
2017-09-25 21:56:49 -07:00
Vignesh Viswanathan
56f262563b qcacld-3.0: Add sanity check to limit mgmt frames data len
Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_form_rx_packet.

Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes. Also add upper bound check for
frame_len in lim_process_auth_frame function.

Change-Id: I7ab454045e2f6d278351dcabde6da556f9f741e0
CRs-Fixed: 2093392
2017-09-25 05:43:05 -07:00
Ganesh Kondabattini
3bf9efe42a qcacld-3.0: Make sure that peer exists before updating peer state
Before sending tdls peer state update command to FW make sure
that tdls peer exists.

Change-Id: I26b5daf9896b0f57fbcfedadcabd67ddd000b257
CRs-Fixed: 2032770
2017-09-23 05:21:26 -07:00
Vignesh Viswanathan
c018e98d72 qcacld-3.0: Add new ini for bad RSSI 2G to 5G roam offset
Add new WCNSS_qcom_cfg.ini item to configure offset from bad RSSI
threshold ini for 2G to 5G band roam. This offset is used to
calculate the RSSI to be used as trigger for device to roam from
2G to 5G band when it is connected to a bad RSSI 2G AP and a 5G AP
is available in the environment.

New ini added : roam_bad_rssi_thresh_offset_2g

Change-Id: If2285317d1d01bb2faae2cf1928ad7adae8204d4
CRs-Fixed: 2105894
2017-09-20 19:56:53 -07:00
Anurag Chouhan
3920c0f714 qcacld-3.0: Add Vendor command to set/get NUD debug stats
Add vendor commands to set/reset and get NUD debug stats
from firmware.

Change-Id: I773c04bb3f7c6d5ed28528cf2174b3d63de57d98
CRs-Fixed: 2011456
2017-09-20 06:22:06 -07:00
Varun Reddy Yeturu
81d0b373f3 qcacld-3.0: Check for valid pdev in wma_wait_tx_complete
Check for the validity of the pdev in wma_wait_tx_complete
before using it.

Change-Id: I3a98b4092aff42ea9c92490488cba5960b8e3b58
CRs-Fixed: 2111293
2017-09-20 04:40:26 -07:00
Wu Gao
478282a8d0 qcacld-3.0: Check radio id for FW event
In Rome platform, it uses invalid radio id in FW event
WMI_RADIO_TX_POWER_LEVEL_STATS_EVENTID and causes crash. So check
radio id when handling this event.

Change-Id: Id720ca94ef496ea883f5ba1848fb4e28af57002f
CRs-Fixed: 2112322
2017-09-19 09:59:37 -07:00
Jiachao Wu
712d4fd6a6 qcacld-3.0: Send beacon tx rate to firmware
Add data structures to save beacon tx rate.
The beacon data rate is multiples of 100 Kbps.
Firmware expects the data rate in the form of hw rate codes.
So convert the data rates to hw rate code.
And send it to firmware.

Change-Id: Ia39fd4c14defa729f75f2c45748fe5b04b909647
CRs-Fixed: 2099052
2017-09-19 04:18:34 -07:00
SaidiReddy Yenuga
cc733aff70 qcacld-3.0: Add ini param to control the crash inject
qcacld-2.0 to qcacld-3.0 propagation

Currently the crash can be injected by iwpriv command and FW
gets crashed.
Changes are done to add the gEnableCrashInject ini parameter

1) This ini param is disabled by default.
2) If this param is disabled the crash inject is ignored.

Change-Id: I7e908be1e37090a9d343dc04411fe387f776a937
CRs-Fixed: 864932
2017-09-19 02:28:33 -07:00
Sandeep Puligilla
d698bf5328 qcacld-3.0: Remove legacy scan event handling
Remove legacy scan event handling
in the WMA and LIM.

Change-Id: Ibeb6f99335b4e745335d5968791d9e9187df47f7
CRs-Fixed: 2101353
2017-09-19 00:17:52 -07:00
Varun Reddy Yeturu
faad37e33b qcacld-3.0: Introduce configuration parameters for bad RSSI roaming
Introduce the below WCNSS_qcom_cfg.ini items to configure
for bad RSSI roaming. These parameters would be used when
the device is connected to an AP with weak signal and has
to roam to a better AP if it is stationary but has found
some other better AP in the vicinity

roam_bg_scan_bad_rssi_thresh:
If the DUT is connected to an AP with weak signal, then the bad RSSI
threshold will be used as an opportunity to use the scan results
from other scan clients and try to roam if there is a better AP
available in the environment.

roam_bg_scan_client_bitmap:
This bitmap is used to define the client scans that need to be used
by the roaming module to perform a background roaming.

Change-Id: I3b9f737ea389d35f8be173ce83b2237c2375fb88
CRs-Fixed: 2082904
2017-09-18 20:27:52 -07:00
Varun Reddy Yeturu
061d4d63e4 qcacld-3.0: Introduce INI items for MAWC based roaming
Introduce the following items in WCNSS_qcom_cfg.ini for
user to modify them for MAWC based roaming.

mawc_roam_enabled
mawc_roam_traffic_threshold
mawc_roam_ap_rssi_threshold
mawc_roam_rssi_high_adjust
mawc_roam_rssi_low_adjust

Change-Id: Ief51e3e91603bfd7f6c6deed3ca48bc717b2b6fb
CRs-Fixed: 2081413
2017-09-14 13:26:37 -07:00
Jeff Johnson
adb3b1cadf qcacld-3.0: Remove cds_[alloc|free]_context() parameter
Currently cds_alloc_context() & cds_free_context() take a CDS context
parameter. However CDS already maintains its own context, hence this
parameter introduces an unnecessary coupling, so remove it.

Change-Id: I4501a0fea7acc7b4a764b0d425da386922b93bcb
CRs-Fixed: 2109265
2017-09-13 20:07:39 -07:00
Jeff Johnson
ff6addf320 qcacld-3.0: Remove wma_open() cds_ctx parameter
Currently wma_open() takes a cds_ctx parameter. All of the other WMA
functions which previously took a cds_ctx no longer use that
parameter, and those functions have been modified to remove the unused
parameter. wma_open() still needs the cds_ctx, but it can get that
context by calling cds_get_global_context(), so remove the cds_ctx
parameter to be consistent with the other WMA functions.

Note: the fact that wma_open() needs the cds_ctx, and then
dereferences it, is a layering violation that needs to be addressed in
the future.

Change-Id: I176e2ac68cc2e8081645a4ce3c158b41d3018587
CRs-Fixed: 2109263
2017-09-13 20:07:37 -07:00
Jeff Johnson
7b3ddc2a5b qcacld-3.0: Remove wma_wmi_service_close() cds_ctx parameter
Currently wma_wmi_service_close() takes a cds_ctx parameter. All of
the other WMA functions which previously took a cds_ctx no longer use
that parameter, and those functions have been modified to remove the
unused parameter. wma_wmi_service_close() still needs the cds_ctx, but
it can get that context by calling cds_get_global_context(), so remove
the cds_ctx parameter to be consistent with the other WMA functions.

Note: the fact that wma_wmi_service_close() needs the cds_ctx, and
then dereferences it, is a layering violation that needs to be
addressed in the future.

Change-Id: I02564bae87077314fea58c1509b3a50b8d567a7a
CRs-Fixed: 2109262
2017-09-13 20:07:35 -07:00