The firmware sends a new wmi event WMI_ROAM_BLACKLIST_EVENTID
to send the blacklist AP list.
Change-Id: I04fab853efbded48285ac063bb39c64f342c229b
CRs-Fixed: 2369107
Add host support for db2dbm RSSI changes. Firmware
indicates this capability when underlying hardware
has RSSI reporting feature. Based on this capability
host will know if firmware sends SNR or RSSI. If no
capablity is present then host will convert SNR to
rssi using a fixed offset of -96. If capability is
present host will directly use the rssi as it is.
Change-Id: I9058f16c6280d466feb96cf88a8a0d8cd7b02032
CRs-Fixed: 2364025
After driver load and interface up, if user changes the country code
and performs the interface down, now if interface change timer expires,
stop modules is invoked. When user again tries to do interface up, as a
part of start modules, update channel list indication comes from FW
with default country info from BDF file which overwrites user specified
country information.
To resolve this issue, if current country is set by user and if
driver gets notification to update channel list from FW with
different country code during restart of wlan modules then ignore
master channel list and send the current user country to FW.
Change-Id: I0a0c57eda03827dc3fef59928569bf2f0bc32634
CRs-Fixed: 2340798
As part of the NAN Discovery DBS support, new vendor command
- QCA_NL80211_VENDOR_SUBCMD_NAN_EXT - has been defined that
can carry the binary blob encapsulated within an attribute
and can carry additional attributes to enhance the NAN command
interface. Add the related definitions to support this command.
Add definitions to support the new NAN EXT vendor command.
Change-Id: I83c12c7512066434f8974619e1d953ac78d3a40d
CRs-Fixed: 2339032
Currently there is no converged wmi_service enum for the
WMI_SERVICE_VDEV_LATENCY_CONFIG.
Add wmi_service_vdev_latency_config as the converged enum.
Change-Id: I90d54ccd507b4267cd7310b4e6e5b1473c7dc41c
CRs-Fixed: 2366187
Add WMI support to send WMI_PEER_UNMAP_CONF_CMDID to FW
for peer unmap confirmation.
Change-Id: I1a260f840ed28f90568d9cba912cc5e5128c8c7d
CRs-Fixed: 2358066
This FR is to enhance existing pktlog debug tool
This feature will allow to capture pktlog for particular
peer mac address.
Change-Id: I3676095536185f25b0d498e03f70246260a324fd
While handling the WMI_SERVICE_READY_EXT_EVENTID WMI FW event, a NULL
pointer dereference can occur if param_buf->hal_reg_caps is not checked.
Check param_buf->hal_reg_caps before dereferencing it to avoid NULL
pointer dereference.
Change-Id: I00eba5e89fbdde78979d19f492df5ad4dca8b80c
CRs-Fixed: 2347673
Introduce a new wmi_send pdev param to enable/disable
"Subchannel Marking" in Firmware (only in Full Offload)
Change-Id: I3cd4f4f13ebca72c4505b6195cc8dc4856d41671
CRs-Fixed: 2334258
Current HTT_H2T messages from host driver does not have
consistency in message length set by host driver. Some
message types include HTC header length also within the
message length, while other types have message length
itself only, which causes difficulty in handling message
length in FW.
Change-Id: I885a21530a2d8f852387ae54cf7ee0751aad2516
CRs-Fixed: 2345075
Remove the unused fields from WMI unified vdev_start_params structure.
The channel information duplicated in vdev_start_params and
it sub structure channel is removed and all implementations
can use the channel sub structure directly.
Change-Id: I47cf4c4223111b6f564ec8336dbfcda4592e8e0c
CRs-Fixed: 2350505
In extract_roam_scan_stats_res_evt_tlv(), there is potential
buffer-overflow due to no input validation of following event
parameters from firmware:
(a) Roam scan frequencies against maximum value of 50
(WMI_ROAM_SCAN_STATS_CHANNELS_MAX) and
(b) Roam scan candidates against maximum value of 4
(WMI_ROAM_SCAN_STATS_CANDIDATES_MAX)
To fix this, validate roam scan stats event parameters.
Change-Id: I866b492f7ccb48c4960ff25a9e817cbdb394509e
CRs-Fixed: 2335530
1. Send add random mac addr rx filter WMI command
to target
2. Add/Del the active random mac addr entry
3. Clear random mac addr from target if not active
Change-Id: I9dcbdc20b76d9865da7a8db6ee013bf5e44e4407
CRs-Fixed: 2322097
When WMI_SERVICE_READY_EXT_EVENT is received from firmware, the
function extract_chainmask_tables_tlv is called to update the
soc caps and other capabilities to the host. hw_caps is
extracted directly from the param_buf value received from the
firmware and hw_caps->num_chainmask_tables is used to traverse
through the chainmask table and update the values to it from the
param_buf->mac_phy_chainmask_caps. hw_caps->num_chainmask_tables
is validated against PSOC_MAX_CHAINMASK_TABLES but not against
param_buf->num_mac_phy_chainmask_combo. This can cause potential
out of bound read in extract_chainmask_tables_tlv.
Validate the value of the hw_caps->num_chainmask_tables received
from the firmware against param_buf->num_mac_phy_chainmask_combo
before updating chainmask_table.
Change-Id: Ibf438760a9219f4ff82d29b42aa30f4dcf626364
CRs-Fixed: 2336842
num_chainmask_tables used as a for loop variable in
extract_service_ready_ext_tlv(), is never bound check
and may lead to OOB.
Change-Id: Ib0fdde8386fc372abee44934e10e9f54b0fe25b8
CRS-Fixed: 2330943
In extract_roam_scan_stats_res_evt_tlv(), validate
num_roam_scans to avoid any possible integer overflow
when receive larger num_roam_scans value.
Change-Id: I0f3bbf64fac8c151789de2f93a77c9af29b855d1
CRs-Fixed: 2331868
the fixed_param TLV structure is pulled from the WMI message and
assigned to chan_list_event_hdr. num_2g_reg_rules and
num_5g_reg_rules are assigned from the TLV structure, then passed
to create_reg_rules_from_wmi without length check, out of buffer
may happen.
Change-Id: I70c9d74ef94161896e1c7700c73943040f3a77e1
CRs-Fixed: 2327667
While extracting green ap egap status info there is no
sanity check for egap info event and chainmask event which may
lead to NULL pointer access.
To prevent this NULL pointer access add a sanity check for
egap info event and chainmask event.
Change-Id: Ib9cc273f12bb159bce309065279230e96925be7f
CRs-Fixed: 2331873
This commit contains the following changes related to FR49350:
usenol pdev param declaration and implementation of wmi cmd to send
the param to FW.
Failure status code declaration for scan and vdev start.
CRs-Fixed: 2328894
Change-Id: I5d3bfe758aeb9907193b6f626582b70413f5381c
Change the wmi_pdev_stats structure to wmi_pdev_stats_v2 structure.
This change is needed because of corresponding change made in FW
for renaming the structure.
Change-Id: I6dd3abd61730d8f17d74a11a42978a64853136e5
In the existing converged component, WMI TLV APIs are implemented in
a generic manner without proper featurization. All the APIs exposed
outside of WMI are implemented in wmi_unified_api.c and all the APIs
forming the CMD or extracting the EVT is implemented in wmi_unified_tlv.c.
Since WIN and MCL have a unified WMI layer in the converged component and
there are features within WIN and MCL that are not common, there exists a
good number of WMI APIs which are specific to WIN but compiled by MCL and
vice-versa. Due to this inadvertent problem, there is a chunk of code and
memory used up by WIN and MCL for features that are not used in their
products.
Featurize WMI APIs and TLVs that are specific to MCL -
- DSRC
- NAN
- P2P
- PMO
- roaming
- concurrency
- STA
- Generic MCL specific WMI (STA)
Change-Id: I03a68b0db30a3aa585b269ab0a1745b37bc7e0b7
CRs-Fixed: 2316935
Chain mask tables number is from wmi service ready ext event, it is
not check valid which will cause oob read arry of chain mask tables.
Change-Id: I2fa0251358ed66d928477c0b55933ca028c8bd53
CRs-Fixed: 2331850
In extract_reg_11d_new_country_event_tlv(), the
reg_11d_country_event->new_alpha2 buffer from the original WMI
message is copied into reg_11d_country->alpha2. Will only copy
REG_ALPHA2_LEN bytes into a buffer that REG_ALPHA2_LEN +1 bytes.
then reg_11d_country->alpha2 buffer is printed as a string.
Because the original reg_11d_new_country structure in
tgt_reg_11d_new_cc_handler() was allocated on the stack and
not initialized, there is no guarantee that the buffer is
NULL terminated. Due to this the WMI_LOGD() call will result in
an OOB issue when printing the buffer.
Change-Id: I20b0044974438d95e4c09f843db2a7f369c9b85d
CRs-Fixed: 2327718
In the call to QDF_TRACE_HEX_DUMP in extract_ndp_confirm_tlv(),
the buffer, event->ndp_cfg is dereferenced an additional time
and then read the length number of bytes in hex_dump_to_buffer,
resulting in an OOB read.
As WMI logging is already enabled, remove the hex dump.
Change-Id: I6a866e87dd80f3e41cf3c699ff4846416d309cf3
CRs-Fixed: 2326012
Bufp and buf_len are populated in extract_comb_phyerr_tlv
without validating the buf_len which can cause possible
out of bound access in dfs_phyerr_event_handler.
Fix is to validate the buf_len against num_bufp in param_tlvs.
Change-Id: I95e18d7600f8419f31e768fcc18c3024fe37b7db
CRs-Fixed: 2321371
While handling WMI_GTK_OFFLOAD_STATUS_EVENTID, QDF_BUG()
can occur in pmo_tgt_gtk_rsp_evt->pmo_psoc_get_vdev if
vdev_id is out of range. As the value is directly from
WLAN FW and can be outside the trust boundary.
Add sanity check for vdev id once get parameter from
wlan fw.
Change-Id: I335df52fece39c1a51a556ba4678bd43f470673a
CRs-Fixed: 2321523
Add host WMI support for EAPOL minrate resource configuration.
Through the use of the global.ini configuration parameter -
eapol_minrate_set and eapol_minrate_ac_set, the user can set EAPOL
frames to be sent in minimum rate in tunnel mode. In addition to
this, the user can also select between the 4 ACs (BE, BK, VI, VO)
to send the EAPOL frames.
The changes are reflected in the target resource config which
is sent to the firmware.
Change-Id: Ib9a264b64305bf43708c3c2af3ff254b6cc28477
CRs-Fixed: 2298020
Update WMI_NDL_SCHEDULE_UPDATE_EVENTID handling for possible out
of bounds read when fixed_params->num_channels is greater than
TLV length of NDL channel list or NSS list and fixed_params->
num_ndp_instances is greater than TLV length of NDP Instance list.
Change-Id: Idbd74e30868597c9787095372516b7d7dd12481b
CRs-fixed: 2327673
Update handling of WMI_NDP_CONFIRM_EVENTID for possible out of
bounds read when fixed_params->num_ndp_channels is greater than
TLV length of NDP channel list or NSS list
Change-Id: I3bf429a47c46edbb464cf8447f227f7baa74fbe3
CRs-fixed: 2325849
In the existing converged component, WMI TLV APIs are implemented in
a generic manner without proper featurization. All the APIs exposed
outside of WMI are implemented in wmi_unified_api.c and all the APIs
forming the CMD or extracting the EVT is implemented in wmi_unified_tlv.c.
Since WIN and MCL have a unified WMI layer in the converged component and
there are features within WIN and MCL that are not common, there exists a
good number of WMI APIs which are specific to WIN but compiled by MCL and
vice-versa. Due to this inadvertent problem, there is a chunk of code and
memory used up by WIN and MCL for features that are not used in their
products.
Featurize WMI APIs and TLVs that are specific to WIN
- Air Time Fareness (ATF)
- Direct Buffer Rx (DBR)
- Smart Antenna (SMART_ANT)
- Generic WIN specific WMI (AP)
Change-Id: I7b27c8993da04c9e9651a9682de370daaa40d187
CRs-Fixed: 2320273
NAN vdev ref count incremented as part of end_ind handler
is not released which will result in the nan vdev not
getting physically deleted.
Fix is to release nan vdev ref in os_if_ndp_end_ind_handler.
Change-Id: I31a32fa241fb9e86d3a64d490722bc42905970c4
CRs-Fixed: 2325580
Due to change in Opclass calculation in the new
regulatory component invalid opclass is returned for the
TDLS component. Update arguments to calculate opclass correctly
to regulatory component.
Change-Id: I062bbb55d283f9525da241d32177e26d07aa8590
CRs-Fixed: 2325834
Fix the possible out of bound access while processing the
channel avoid frequency event from FW.
Change-Id: Ib49df0ebd785944b7cbbfa5927613887dd35d9ff
CRs-Fixed: 2308629
Add bound check rssi_event->num_per_chain_rssi_stats in
extract_all_stats_counts_tlv().
ev->num_chain_rssi_stats in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
is derived from rssi_event->num_per_chain_rssi_stats
and is used as limit in for loop.
As length was never checked multiple qdf_mem_copy calls in
wmi_extract_per_chain_rssi_stats() used in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
will result in an OOB issue.
Change-Id: I204744e1435e687e33f2165744a92cdb8b975a51
CRs-Fixed: 2322298
Separate WMI MGMT RX event logging from main WMI event
logging because WMI MGMT RX event is too frequent and its
over-running useful WMI control path events.
Change-Id: Iacd1576c3e133b70224e45f589f566c73637a626
CRs-Fixed: 2318021
FW generates too many diag events and these diag events
also come on CE-2 together with other critical control
path WMI events and easily over-run useful control path
WMI RX even log buffer. Separate WMI diag rx event loggig
in a separate log buffer such that useful control path WMI
log event buffer is not over-run.
Change-Id: I89b5d88036bc9d7e57e8e16858bc556be4e2ed41
CRs-Fixed: 2318083
