OOB read can occur while handling WMI_SERVICE_READY_EXT_EVENTID event
when large invalid num_phy received in that event, as this value is used
as index to array.
Change-Id: I0e80d04d19160e219028b07599a8b9953a798fb2
CRs-Fixed: 2374726
The CE11 in target CE config array is used, but not allocated.
Fix this by allocating memory for CE11 in the global structure.
Change-Id: I85088f5a832aec037a1e46eed4b72ac4228fde44
CRs-Fixed: 2365435
Remove dependency of qwrap on VAP layer and radio(ic) layer data
structure. Added flags to detect qwrap specific features in vdev
structure.
Change-Id: I5bb951ce8c813928b9ab189a77bf4da2ac6258d6
Some compilers allow functions to be annotated such that a warning will
be emitted if the return value of that function is not used. Allow the
WLAN driver to leverage these annotations by introducing a wrapper in
QDF, qdf_must_check.
Change-Id: I9c1328ae904857717703aae3748b207967a8dd3d
CRs-Fixed: 2382837
Make sure the objmgr_peer is not deleted before
dp peer is deleted, which will avoid the access
of already freed objmgr_peer for connected sta peers.
Change-Id: Ib931dcd0c5650fea5284e9dd53dae9e41f662c56
CRs-Fixed: 2359645
hal_srng_cleanup was called from dp_srng_cleanup after the
hal_soc was freed.
Move the call to dp_srng_deinit where the memory is still
valid.
Change-Id: Ida25ee48e527b5139fc05cd85c5634e70965ccd0
CRs-Fixed: 2367332
Currently we have same function name/different implementation when set
wmi scan channel list for WIN and MCL, the implementation for WIN side
send_scan_chan_list_cmd_tlv looks more intuitive which will remain with
minor change.
Remove definition of struct scan_chan_list_params and wmi_channel_param
which is no longer needed. Change HT flag set independent on VHT flag.
Add WMI DFS flag set if channel_param.dfs_set set.
Change-Id: I131ca09c12687bda5eb3eb03b7bcca1d62ac7aa9
CRs-Fixed: 2363675
As a hot fix before h\w part change, just limit maxinum nss number
to 2 for MCL platform.
CRs-Fixed: 2377796
Change-Id: Iad205804be90b6803ff2f1afa79076dde9b77013
Added support for pmksa handling in crypto to
support add_pmksa, del_pmksa and
flush_pmksa function calls from cfg80211.
Added support for adding pmkid in rsnie.
Change-Id: Ic8add9635c2e7fd73da21b1305467e6500f6d73c
CRs-Fixed: 2363632
To align with the converged nomenclature replace the identifier
session_id with vdev_id in qdf_trace APIs.
Change-Id: Ic97a2df848e2b687edbd29c419193f4285125f81
CRs-Fixed: 2381424
Currently host does not process the country code if CC
is not found in the firmware. Firmware supposedly set world
mode if CC is not found. Set the world mode in such a case.
Change-Id: I87dde58c70ce12358583c704d1959e0467f9b186
CRs-Fixed: 2368293
Create target_if_reg_11d.c and target_if_reg_lte.c files.
Move 11d and LTE feature specific code from target_if_reg.c file to
these files.
These files has only MCL specific code.
Change-Id: I016c6e6c8b6d54670496367e08ac5d83ad94bebd
CRs-Fixed: 2349173
Change Ie6c4a9847f2daa9ba2aebd17f386d584201b86d6 ("qcacld-3.0: Remove
obsolete set/reset ssid hotlist") in the qcacld-3.0 project removed
the only client of the WMI SSID hotlist infrastructure. Since this
infrastructure is obsolete, remove it.
Change-Id: I4a1de39c982947bbf4958d976426f95e3217f1a3
CRs-Fixed: 2381277
once in a while the HW is sending a descriptor which
is already processed by host. This can be a potential HW
issue, as a WAR we are not processing such duplicate descriptors
instead increment a counter and continue with next descriptor.
Change-Id: I6c9bc6a9fb4705b42284171a32855411aa5dd73f
CRs-Fixed: 2338543
Refactor the prints for rx management frames. Do not print beacon,
probe resp and probe req frames in txrx module.
Also remove the beacon print from wlan_cfg80211_inform_bss_frame.
Change-Id: I1dbfcec1614b9465d97c010fa4c386f3a1612f5f
CRs-Fixed: 2381796
Currently the logic present for disabling the indoor channels during SAP
start is not complete. The way of using the two ini deviates the driver
from the expected behavior.
Mark the indoor channels correctly during SAP start and SAP stop as per
the expected behavior.
Change-Id: Ia136dcbc4f20ad72812f096531863aeb5fbe66fb
CRs-Fixed: 2368218
Change the CDP abstraction APIs for ast entry find, add and delete
to avoid external references for ast entry in upper layers
Process the HTT v2 peer map messages which will be enabled for
nexthop ast entries and use these messages instead of WMI event
for HKv1 WAR where we have to wait for delete confirmation from
target event which is processed in control path
Change-Id: Ifa91a259c0762344deb8ab89e868fc5554d75543
CRs-fixed: 2354951
In extract_mac_phy_cap_service_ready_ext() the num_hw_modes
is used as loop bounds and may be attacked.
hw_mode_caps is a pointer defined by firmware. The exact
array length cannot be got since hw_mode_caps pointing array
length is variable. So use max number to check
num_hw_modes before loop.
The max number of hw modes is 24 including 11ax.
Change-Id: I72f30ba819bca89915bb09f271e3dbe7c0f157a6
CRs-Fixed: 2369233
Add command support to enable/disbale 'Spatial Reuse Value15
Allowed' parameter in the Spatial Reuse IE.
Change-Id: I755a15da7758704f2e833ddc61805d45654f0957
CRs-fixed:2345770
Current Spectral WMI logs on TLV systems are
difficult to interpret, correct it.
Also, set their log level to QDF_TRACE_LEVLE_DEBUG.
Change-Id: I6f19143df230d82edc2fb8dd86b18addbb327d6b
CRs-Fixed: 2369960
The pointer to chain masks capabilities is increased, and the number
of chainmask capabilities isn't check if valid. Which will cause oob
read list of chain mask capabilities.
Change-Id: I1f11fb49d545a4f88fe4d0734968dbe17c3f1a7e
CRs-Fixed: 2347661
QCA8074 platform supports DBS(two radio) and DBS_SBS(three radio)
modes. In these cases, same WMI event ring is shared for all the
radios. Increase the WMI event ring size two absorb host delays
due to lower clock platforms. This increase is required even to
support three radios.
Change-Id: I1aa08b8fa879f6ec54c838541a0e4c4e5871b60a
CRs-Fixed: 2378193
For subchannel marking, an offset of 20 MHz was added to the
second segment center frequency value of VHT160 mode operation
to get the actual second segment center frequency.
This was not done for HE160 mode operation, which led to wrong
subchannels being added to NOL.
Add 20 MHz frequency offset to the center frequency for HE160 opmode.
Change-Id: I7c076be220c70c18b60ed68c1ce99068924d41bf
CRs-Fixed: 2378075
When WMI_SERVICE_READY_EXT_EVENT is received from firmware, the
function extract_hw_mode_cap_service_ready_ext_tlv is called to
update the soc caps and other capabilities to the host. hw_caps
is extracted directly from the param_buf value received from the
firmware and hw_caps->num_hw_modes is used to traverse
through the hw_mode_caps and update the values to it from the
param_buf->hw_mode_caps, need validate hw_caps->num_hw_modes and
param_buf->hw_mode_caps before use them.
Change-Id: I459f0afce7701ddf1d041912e3406643d27a7f9c
CRs-Fixed: 2336910
mpdu length is calculated wrongly in one corner case
resulting in wrongly identifying the last nbuf of the
mpdu, fixed it by properly adjusting the length.
CRs-Fixed: 2368608
Change-Id: Ia7bd3247eb05f2eb4b5de1c65e7190c798128792
The aim is to remove CONFIG_MCL or CONFIG_WIN from
cmn component.
This change takes care host_diag_log_set_code and
host_diag_log_set_length.
CRs-Fixed: 2371125
Change-Id: Ic04037202d79f87003a47ac2d698bc4e7752ee12
Define QCA vendor command attributes to configure HE +HTC support and
HE operating mode control transmission.
Change-Id: I6249a23ab0d0b9a82210c749dfd6bd53fb697c51
CRs-Fixed: 2377769
Due to unknown legacy reason, the rates received by the driver from the
firmware are currently divided by 500 to convert it into units of
500kbps. This division by 500 is later compensated by a multiplication
with 5 to maintain units of 100kbps before being sent to the upper
layer. This division and then subsequent multiplication results in the
loss of precision (in the case the rate is not divisible by 5).
Consequently, the rate being sent to the upper layer becomes inaccurate.
Also the calculation of the MCS rate flags is affected.
Do not carry out the unnecessary division and multiplication by 5.
Instead just convert the rates into units of 100kbps (which is as
mandated by the kernel) when driver receives the rate from the firmware.
Change-Id: Iab7b825f4067ad51174a0c545cf4a7d0ab426171
CRs-Fixed: 2378167
When regulatory offload is enabled, firmware sends 11d new country code
event. Now, to get master channel list for this new country send
SET_CURRENT_COUNTRY command to firmware.
Change-Id: Iac4d38ed488984ad2b3739ec8052813b7cc945c1
CRs-Fixed: 2367335
In the call to QDF_TRACE_HEX_DUMP in extract_ndp_ind_tlv(),
the buffer, event->ndp_cfg is dereferenced an additional time
and then read the length number of bytes in hex_dump_to_buffer,
resulting in an OOB read.
As WMI logging is already enabled, remove the hex dump.
Change-Id: I1ebe2469a6bb2baefc76980405d97700c1c57b5c
CRs-Fixed: 2336856
Currently the driver includes all the DFS channels as part of scan
in the scan list, and thus not exclude the DFS channels in the first
scan for faster scan.
Fix is to check the ini, for first DFS channel scan, and then remove
the DFS channels from the scan list if the ini is enabled.
Change-Id: I43d5c87676d4e66706da3cc0029c60559b70d179
CRs-Fixed: 2378805
Array mcs_count is of size 13 and the
macro MCS_MAX is 13
mcs_count array should be access only
till 12, hence change the comparison
from <= MCS_MAX to < MCS_MAX
Change-Id: Ieab9a8d1f2a06ff31fa79a062bfcbf96f298f0a1
The rx_pending flag is never set to 0 if the check for
TARGET_REGISTER_ACCESS_ALLOWED(scn) is failed when target is
not reachable. Since, the rx_pending flag is not set to 0,
ce_check_rx_pending(CE_state) check inside ce_tasklet() will
be true and tasklet gets rescheduled again and again.
Reset the rx_pending flag before TARGET_REGISTER_ACCESS_ALLOWED(scn)
check in ce_per_engine_service() to avoid continuous scheduling of
tasklet when check for TARGET_REGISTER_ACCESS_ALLOWED(scn) fails.
Change-Id: Ib9268e6cf2bdcd0ed0bf84934e9370bcef1cdbab
CRs-Fixed: 2375307
There are other places where txLookupQueue is protected
with htc_lock instead of lookup_queue_lock.
Change-Id: I91497ce4593a14033871d3e8c3a97deab222d365
For non-NSS platform, update no of rx packets being
sent from wifi driver to network stack in case of
vow traffic.
Change-Id: If16a5b9c37a16374d4217369b1f02360c62155a9
CRs-Fixed: 2371429
If two threads T1 and T2 are trying to stop the serialization timer,
both can get the timer while holding lock. Timer cmd pointer is set
to NULL after releasing lock.
Now if a third thread T3 is trying to start the timer at same time,
it may get the timer as soon as T1 make cmd NULL and adds its cmd
pointer to the timer in the list.
But T2, which was also trying to stop the timer can stop the timer
and set cmd back to NULL again. Thus T3 will not have the timer in
the timer list.
Now when driver try to abort/flush the command it will not find the
timer and In case timer is not found the command is not freed, leading
to vdev ref leak.
To fix this stop and update the timer while holding lock.
Change-Id: I363a4d36181328be310c7c980c981302501a9453
CRs-Fixed: 2376733
In wlan_cfg80211_scan the number of ssid, ssid length and number of
channels are not checked for max size of array and thus can lead to
Out of bound access of memories.
Fix is to add bound check before copying the params.
Change-Id: Ie6d4e546fb9c884d5988493b611ef7b217f0a95c
CRs-Fixed: 2375217
In extract_hal_reg_cap_tlv(), hal_reg_capabilities
can be optionally defined. This field can be NULL
resulting in a NULL pointer read. Add NULL pointer
check before qdf_memory_call().
Change-Id: I142bed65e80aa9b4bb88a4e68f74235dd50e3624
CRs-Fixed: 2368284
Initialize drop_bcn_on_chan_mismatch from INI
(CFG_DROP_BCN_ON_CHANNEL_MISMATCH) default value
Change-Id: I55c28aa5656ce6befe9cd3477ab0b14c99641cea
CRs-Fixed: 2375199
Currently, beacon or probe responses are dropped by the scan module
if the rates IE does not present. But, some AP's in 11n mode does not
add the rates IE.
So, it is not mandatory to have the rates IE in the beacon or probe
response.
Change-Id: Id57b2216c012d117cca1a3a2dbce9825d58b67c3
CRs-Fixed: 2376710
