NLO complete events were not received as
host is in runtime pm suspend state and thus
scan results were not sent to supplicant to
trigger re-connection. Add code to prevent
runtime pm suspend on receiving NLO match event
and resume Runtime PM on receiving NLO complete
event from firmware.
Change-Id: Iab91fb88fff3394ce5629be1eb6adc911a673b58
CRs-Fixed: 2954994
Fix the channel validity check for DS param IE in beacon or probe
response frames in scan.
Change-Id: I17132d3d406b2953ad31dc6ab40b0158e21bc5c4
CRs-Fixed: 2960334
Currently, host compares HT IE with htcap_cmn_ie
structure size but returns err in case IE len
is different from structure len which may break
the iteration and can lead to scan entry creation
failure.
Fix is not to break the loop and perform action
based on other IE to avoid IE parse failure which
leads to scan entry creation failure.
Change-Id: I93f0d67ae0f7ea8bb5dbeabc895b5c3d1ae43a73
CRs-Fixed: 2965729
If STA country code is US and 6G AP country IE is other than
US, STA would use VLP mode. Since US VLP is not determined
we don't allow connection to go through. Additionally, don't
include such AP to scan result.
Change-Id: I41b0c7dbea681b2ef1bea7c0a572ee1d7248fa6e
CRs-Fixed: 2953248
Scan manager currently has two flags - scan_f_2ghz and scan_f_5ghz
for the requestor to specify which channel bands to scan.
Currently, these flags are not utilized by the scan manager to
control the channels selected as part of the scan request channel
list. As a result, specifying a particular band will not
limit the scan manager to scan only the mentioned band - instead
scanning all supported channels.
Add a check to use these flags to avoid channels from bands
which are not selected.
Change-Id: I86e17184b5bb67cbf951eee5d43a8f80a93718d6
CRs-Fixed: 2934215
For security cert TC, RSNIE length can be 1 but if the beacon is
dropped, old entry will remain in scan cache and cause cert TC
failure as connection with old entry with valid RSN IE will pass.
So instead of dropping the frame, do not store the RSN pointer so
that old entry is overwritten.
Change-Id: I2fe4d2dd2352be6850f7a18a2ec829733ded7ee8
CRs-Fixed: 2944120
Add new ini's for assoc active and passive dwell time
for 6g. These will be applied if STA is connected.
Change-Id: I680fbd3038968ecf6ff9920fff982456135bfd77
CRs-Fixed: 2941359
When obss scan is enabled, FW will trigger scan periodically by
a timer. If a scan was triggered, FW needs to access host memory
for data transfer. Occasionally, suspend may happen during one
scan, then FW is unable to access host memory and fw will crash.
So disable the obss scan before suspend.
Change-Id: Ie507da929a3701473cb57888e96e702e34d4c95a
CRs-Fixed: 2927239
If MBSSID ie contains only header and no payload
then current logic can cause OOB read.
Added validation check for length of IE before
accessing MBSSID IE payload.
Change-Id: Id8b34e5f516f1a1c85bc7d93d9128cad29393e9d
CRs-Fixed: 2838631
Currently when updating the single pmk capability for an AP,
the driver only changes for the sae single pmk OUI advertised
by the AP and not the ini value. This causes the crypto entry
for the AP to be updated with single pmk flag to true even when
the ini is disabled.
So check the sae single pmk ini also to update the scan entry
as sae single pmk bss.
Change-Id: I2ae16c8da5af397b041723f9d5a3b2d8a6e7c986
CRs-Fixed: 2935440
The earlier logic for scanning non-inheritance IE fails if
non transmitted bssid profile has any extension element
such as MU EDCA before the extension element with
non-inheritance IE.
Since MU EDCA is also an extension element and it does not
have noninheritance element id in it, the logic used to fail
as the driver does not check further for any other extension
element ID in non transmitted bssid profile. Because of this
the IEs part of non-inheritance list used to get inherited,
causing disconnection issue.
With current fix, the scanning for non-inheritance IE has been
taken care properly. Driver will go through the non transmitted
bssid profile until it finds the extension element with
non-inheritance element ID in it.
Change-Id: Ib4346600a880a8390c6d023cf403ed18c62406d2
CRs-Fixed: 2935065
Previously, for high accuracy scan,
configured scan policy SCAN_DBS_POLICY_FORCE_NONDBS
takes more time to scan.
For DBS HW, to improve scan time, this should be
changed to SCAN_DBS_POLICY_DEFAULT.
Change-Id: I692e2a8b4fd9c97b526197edc57b830fa091a456
CRs-Fixed: 2927022
If multiple MBSSID beacons fail during scan entry generation,
it can lead to flooding of the console.
Rate limit this print to avoid scheduler timeouts.
CRs-Fixed: 2918649
Change-Id: I71ed2dafcedc7da4be130569776870a2bbb6b28f
Currently, scan requests are optimized to trim 6g channels based
on the ini params scan_mode_6ghz and scan_mode_6ghz_duty_cycle.
But RRM scan request comes to host driver with a fixed set of
channels and the expectation is to scan all supported channels
out of these.
Don't consider scan_mode_6ghz_duty_cycle to optimize the
channels in case of RRM scan request. Thereby no 6g channels
would be trimmed.
Ini param "scan_mode_6ghz" is still honored if it's set to
"SCAN_MODE_6G_NO_CHANNEL", which filters out all 6g
channels from the scan request.
Change-Id: I960ac2c68f8d291209acc1c59d2f5b9076f042d7
CRs-Fixed: 2913913
Updated the EHT related variables as per latest fw cmn headers.
Address review comments from previous EHT gerrits.
Change-Id: I67cd58a4efcf3e06d2ca3b5570432593b1d80825
CRs-Fixed: 2902607
Validate the 6GHz AP beacon in the scan result for valid security
if user enables the 6GHz security checks.
Drop the beacon from scan result if valid security is not found.
Change-Id: I6e02e77cc996b4f4fb7dc7a1678990419a51c79e
CRs-Fixed: 2904741
Add EHT capability and EHT operation IE definitions and supporting
functions to parse these IEs.
Change-Id: Ida6f8b29fb33a581d2f13584f92327162cfa1664
CRs-Fixed: 2858005
Currently util_is_noninh_ie is called based on WLAN_FEATURE_MBSSID,
but definition doesn't depend on WLAN_FEATURE_MBSSID which may
cause compilation issue.
Fix is to keep definition under WLAN_FEATURE_MBSSID feature flag.
Change-Id: I409c367c98bf1fe06c1c3107348f4a469ebdbd07
CRs-Fixed: 2907601
If there is any non-inheritance element present as part of the
nontransmitted BSSID profile then while generating scan entry
for that profile, driver need not inherit those list of
element IDs and list of element ID extensions from the
transmitted BSSID profile.
Since non-inheritance element is an element ID extension, it
should be part of extension element. So the logic we use over
here is to find if there are any extension element present in
the nontransmitted BSSID profile. If yes, then only go ahead
with below logic or else go with the normal flow.
Logic:
Mark and store the start of the list of element IDs and
list of Element ID extension.
While generating the new ie for the non transmitted BSSID
profile, do not inherit the IEs present in the above
mentioned lists.
Change-Id: I466afa8273e841b6f7656b1dc59342bc2d4f13bc
CRs-Fixed: 2883389
If any nontransmitted BSSID profile is fragmented across
multiple MBSSID elements, then it is called split profile.
For a split profile to exist we need to have at least two
MBSSID elements as part of the RX beacon or probe response.
Hence, first we need to identify the next MBSSID element
and check for the 5th bit from the starting of the next
MBSSID IE and if it does not have Nontransmitted BSSID
capability element, then it's a split profile case.
This change is responsible in accumulating the non
transmitted BSSID profile, fragmented across multiple
MBSSIDs, so that the scan entry will not miss any
information.
Change-Id: Ia78cc47d1ffd03ada659d257b83741e7ab921fa2
CRs-Fixed: 2883389
There is an API to get the scan aging time,
but there is no API to set the scan aging time
and can be configured through INI.
Add API to set the scan aging time run time.
CRs-Fixed: 2894428
Change-Id: Ide2b2eec780dd7ff07ebd783b0916a68c0e94a2c
Update default values of INI items to most commonly used values
in WCNSS_qcom_cfg.ini file on commercial devices.
Change-Id: Ie3a4ce2cbf4bc2352d5ebc5be939a47818a6d594
CRs-Fixed: 2874759
Modify the length check to drop beacons which have
WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH IE length less than 3. This is to
accommodate the addition of fields to this IE in the future.
Change-Id: I8cba60b631022f4348cce90ae41a003964040ad1
CRs-Fixed: 2884249
To check if a scan entry is a non-Tx VAP of our connected BSS, the current
implementation of scm_age_out_entries() searches through all scan entries
to find out our connected BSS. This check takes O(n) time where n = number
of scan entries. Running this check in the main loop of
scm_age_out_entries() results in an overall time complexity of O(square(n)).
Time complexity can be improved if we do one iteration over scan entries
to find out our connected BSS, and save it in a local variable, and then
use that local variable in the main loop of scm_age_out_entries().
With this approach, we just do two iterations over scan entries
instead of nested iterations.
CRs-Fixed: 2877884
Change-Id: I51be764f4aa6f65ba9068d46eaa42791ac0f8d97
During multiple BSSID scan ie parse, there is memory allocation
on new_ie variable of size 1024 which may create buffer overflow
in util_gen_new_ie() if ie length is greater than 1024.
As part of fix, allocate memory of size ie length in new_ie.
And also add check before copying to pos variable in
util_gen_new_ie().
Change-Id: I55e0819817b5a616684067170bf28a314a145fc2
CRs-Fixed: 2867353
Currently there is no mechanism in driver to decide whether
to consider the user configured number of sched scan plan or
to configure only 1 sched scan plan.
There is a requirement to configure only one sched scan plan,
add ini support to meet this requirement.
Change-Id: Iea3bc3f18696837150ce6f4bd60416a8a45bd1d3
CRs-Fixed: 2868125
Add length check in scan beacon IE processing function for the below IEs to
avoid any possible memory corruption.
1. WLAN_ELEMID_COUNTRY
2. WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH
3. WLAN_ELEMID_VHT_TX_PWR_ENVLP
4. WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME
Change-Id: I860bee8633849215d46c2dfe60a1a98d7c80f510
CRs-Fixed: 2873039
util_scan_copy_beacon_data copies beacon and updates ie
pointers for the cache entry. However, two of the ie pointers
listed below are not updated:
1) hecap_6g - pointer to he 6ghz cap ie.
2) srp - pointer to spatial reuse parameter sub extended ie.
These non updated pointers will cause use after free issues
if the parent scan entry is freed.
Update ie pointers for hecap_6g and srp.
Change-Id: I6d0a6129941e3dc1267404a4191ab368c013a102
CRs-Fixed: 2862607
With the reception of MBSSIE beacon frame, host tries to
construct beacon frames for the non tx VAPs as well.
For which, it has to copy all the IEs from the
received beacon's IE except the MBSSID relevant element
IDs, by comparing the subelement data.
The memcpy that is being used in this case, does not check
the space availability in the target buffer which may lead
to random memory corruption. Hence, using safe memcpy to
avoid buffer overflow.
Change-Id: Ib0861d606dba7725077dd530dd15ebff59058cfd
CRs-Fixed: 2857436
Reading extcaps from the scan entry currently checks if the byte
to be accessed is less than the length of the IE. Following this,
it will attempt to access the extcap IE using the requested byte
as the index.
Avoid accessing the extcap IE if the byte is greater than one less
than the ie_len (since indexing starts from zero).
CRs-Fixed: 2856212
Change-Id: Ie357edcd6095570c05871af657381c287e92504e
Host updates proper FILS param set i.e. username, auth_type and
is_fils_connection in the FILS response.
Change-Id: I0c30325bc7d620aa286aae0dd299dec9b26219ff
CRs-Fixed: 2865060
When parsing FILS Indication IE, the data pointer is not
validated while moving the pointer which may cause
out of bound issue.
Validate data pointer before moving pointer.
Change-Id: Ib20f78fe58d7a4c8f9245e6b8d28212499cc6f50
CRs-Fixed: 2842475
During esp ie parse from beacon/probe response, the data pointer
is getting read from esp ie and it's not validated while updating
to esp params which may cause out of bound read issue.
Validate data pointer before updating to esp params.
Change-Id: I1167b82248613cc65fcd7c70cdcfe57595de6b21
CRs-Fixed: 2842234
During ie parse from beacon/probe response, the variables
tbtt_count and tbtt_length in util_scan_parse_rnr_ie() are
read from ie and the values are not checked before use, which
may cause out of bound read issue.
Validate tbtt_count and tbtt_length before using them.
Change-Id: I51cfb2356fb16feda8a70c4b76c7f76c90b1393b
CRs-Fixed: 2836205
If is_bwnss_oui returns true in util_scan_parse_vendor_ie,
it will run into the below logic:
scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 8)
But in fact if ie->ie_len < 6, it will cause read out
of boundary issue. So add the length checking before
reading it.
Change-Id: I0cdf723154eb808f8062efd897f9d67d54d4573b
CRs-Fixed: 2838849
Currently, 6g channels are sorted based on the weightage of each
channel. Frequencies are sorted but the flags associated to each
channel are not updated properly. So, channels carry invalid
flags to firmware and firmware may miss to scan few 6g channels
based on these flags and may scan few 6g channels unnecessarily.
Copy flags also while sorting frequencies to maintain the flags
of each channel as it is.
Also, change the type of phymode to enum scan_phy_mode
from uint32_t.
Change-Id: I0a2330faab1b738f2d7eff3d39ccbfffd51dfde0
CRs-Fixed: 2840029
A temporary variable "temp" is declared to use it while sorting
the channels based on the weightage/rnr info. This is declared
as a pointer to hold the reference of struct rnr_chan_weight but
memcpy is done to this without allocating memory.
Declare this as a variable instead of pointer to use it as an
intermediate variable for sorting.
Change-Id: If619f5fa462d5400f0a77e57317ac3c8debb34a5
CRs-Fixed: 2842819
Currently, 6g PSC/non-PSC channels in the scan request are
scanned or optimized to scan only if RNR IE is found based on
the inis scan_mode_6ghz and scan_mode_6ghz_duty_cycle.
As scan_mode_6ghz_duty_cycle is set to 4 by default, first 3
scans are optimized to scan only if RNR IE is found and 4th scan
would be full scan. If there is any standalone AP in 6g channel
that doesn't advertize RNR IE in colocated APs beacons/probe
responses, that's not scanned till the 4th scan.
Reverse the order for scan_mode_6ghz_duty_cycle such that the
first scan of every four scans is a full scan and rest of the
three scans are optimized. So, the standalone 6g APs can be found
in first scan itself based on the ini scan_mode_6ghz.
Change-Id: Ice1614a94f1fd166e283355616ace241a5df2bcb
CRs-Fixed: 2829550
Declare a TPE pointer to store the TPE IE in the scan cache ie list.
Write a function to obtain the TPE IE stored in the scan cache ie list.
Declare a minimum TPE IE length as 2 Bytes and use that to check the
sanity of the received TPE IE before storing it. Discard the TPE IE if the
length check fails.
Change-Id: If5b06604b03d07dd5fb26a62f90fb7202ce4eff0
CRs-Fixed: 2826300
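
The length checks described in the commits above (header-only MBSSID IE, WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH shorter than 3, minimum TPE IE length of 2) all follow one pattern: validate an element's length against both the remaining frame and a per-element minimum before storing a pointer to it. The following is an added illustration of that pattern, not code from the driver; `parse_ies`, `ie_min_len`, `struct ie_ptrs` and the sample buffers are hypothetical names, and the MBSSID minimum of one payload byte is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Element IDs as assigned by IEEE 802.11. */
#define EID_MBSSID            71
#define EID_WIDE_BW_CHAN_SW  194
#define EID_TX_PWR_ENVELOPE  195

enum ie_status { IE_OK = 0, IE_TRUNCATED = -1, IE_TOO_SHORT = -2 };
/* Hypothetical result struct: a pointer is set only after validation. */
struct ie_ptrs { const uint8_t *mbssid, *wide_bw, *tpe; };

/* Minimum payload length that must exist before any field is read. */
static size_t ie_min_len(uint8_t id)
{
    switch (id) {
    case EID_MBSSID:          return 1; /* assumption: first payload byte */
    case EID_WIDE_BW_CHAN_SW: return 3; /* page: drop if length < 3 */
    case EID_TX_PWR_ENVELOPE: return 2; /* page: minimum TPE length 2 */
    default:                  return 0;
    }
}

int parse_ies(const uint8_t *buf, size_t len, struct ie_ptrs *out)
{
    size_t off = 0;
    out->mbssid = out->wide_bw = out->tpe = NULL;
    while (off < len) {
        if (len - off < 2) return IE_TRUNCATED;      /* no id + length */
        uint8_t id = buf[off], ie_len = buf[off + 1];
        if (ie_len > len - off - 2) return IE_TRUNCATED; /* past frame end */
        if (ie_len < ie_min_len(id)) return IE_TOO_SHORT; /* header-only IE */
        if (id == EID_MBSSID)          out->mbssid  = &buf[off];
        if (id == EID_WIDE_BW_CHAN_SW) out->wide_bw = &buf[off];
        if (id == EID_TX_PWR_ENVELOPE) out->tpe     = &buf[off];
        off += 2 + (size_t)ie_len;
    }
    return IE_OK;
}

/* Constructed sample IE buffers (not captured traffic). */
static const uint8_t ok_frame[]  = { 0, 3, 'a', 'b', 'c', 71, 1, 3,
                                     194, 3, 1, 42, 0, 195, 2, 0, 20 };
static const uint8_t hdr_only[]  = { 0, 1, 'x', 71, 0 };
static const uint8_t cut_short[] = { 194, 3, 1, 42 };

int main(void)
{
    struct ie_ptrs p;
    printf("%d ", parse_ies(ok_frame, sizeof ok_frame, &p));
    printf("%d ", parse_ies(hdr_only, sizeof hdr_only, &p));
    printf("%d\n", parse_ies(cut_short, sizeof cut_short, &p));
    return 0;
}
```
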
In arch 32 platform, the size of rnr_chan_info is 8 bytes, and it only
allocates 4 bytes for each of them. Which cause memory access out of
bounds.
Change-Id: I4f1798c5354c6a76e32bdfed13ade9667465b789
CRs-Fixed: 2827289
Scan entry fails if any corrupted IEs are present.
Introduced new ini parameters to enable scan based on ie
corruption. If ini parameter is enabled then scan module skips
all IEs following corrupted IEs and adds scan entry without
completely dropping the frame. Otherwise if ini parameter is
disabled then scan entry fails on corrupted ie.
Change-Id: If17b68448dd3e6ac3e98ed854ed67d7f16d9dff7
CRs-Fixed: 2806932
Fix MBSSID IE parsing by properly incrementing offsets while
parsing the IE.
Copy ext IEs also in final iteration.
Minor code readability changes done along with the above fixes.
Change-Id: I3aaf5dd440b48c4229ddefc37f75703fc58ba994
CRs-Fixed: 2814732
Add logic to
- Check if connect req freq is 6Ghz and security
is not allowed for 6Ghz, reject connect.
- Ignore 6Ghz APs if connect req security is invalid
for 6Ghz
Also added user config key_mgmt_mask_6ghz mask
to allow specific AKMs, by default all are allowed.
Also added user config check_6Ghz_security to enable
security checks as per spec.
Change-Id: I37518731faa4de67a49853e5ac544efa3b3ce1d6
CRs-Fixed: 2813013
This change fixed compilation error about implicit-fallthrough and
pointer to int cast.
Change-Id: Iea2c25d97d8a039ed0f8083078427a8f8de70cd1
CRs-Fixed: 2814658