Commit Graph

20483 Commits

Author SHA1 Message Date
Aman Kumar
3c208c9662 qcacmn: Enhance link state handling for active and inactive links
Previously, host drivers only updated the link state for
active links upon receiving the wmi_mlo_link_state_switch_eventid
event from the firmware. This led to all links being updated
as active after multiple link_state_switch events, as the
state for inactive links was not being updated.

This commit addresses this issue by ensuring that the link
state for both active and inactive links is updated upon
receiving the link_state_switch event from the firmware.

Change-Id: I668074b397cf6b570929459c9fe5e23ca55b75b1
CRs-Fixed: 3763361
2024-04-22 00:37:26 -07:00
Vinod Kumar Myadam
cc6e9e8d8a qcacmn: Fix un-initialize structure variable
Un-initialize structure variable causes prevent issue.

Initialize structure variable with zero in all fields of the
structure in cm_update_link_channel_info

Change-Id: Ib249bcb56b189b1529daeeb4be9f694c5a3ecae3
CRs-Fixed: 3788234
2024-04-19 08:36:58 -07:00
Jianmin Zhu
8b53a70981 qcacmn: Fix bss peer leak for link switch when LL-SAP existed
Hit following issue of link switch when LL-SAP existed.
1. Link switch was received on VDEV-1 (partner link).
   a. Link switch cmd was added to serial active queue, existing peer
      was deleted as part of link switch disconnect.
   b. Link switch connect started but got deferred due to LL-SAP Bearer
      switch transition, when WLAN_CM_SM_EV_BEARER_SWITCH_COMPLETE
      received, a new connect cmd was added to serial pending queue,
      link switch was blocked here.

2. Disconnect from userspace was received
   a. The disconnect on VDEV-1 here notified MLO-manager to terminate
      ongoing link switch.
   b. Link switch confirmation was sent to F/W as failure.
   c. link switch cmd was removed from serial active queue.

3. Connect cmd queued in #1.b was activated and moved VDEV-1 state to
connecting.
   a. New peer got created but PE session wasn't yet created.
   b. Disconnect from #2.a changed the VDEV-1 state from connecting to
      disconnecting.
   c. While processing the disconnect in #3.b, peer delete for the peer
   created in #3.a didn’t happen as disconnect didn’t proceed when pe
   session not found.

To fix it, for link switch, don't add new connect cmd to serial queue
after LL-SAP Bearer switch since link switch cmd is queued already.

1. Link switch is received on VDEV-1 (partner link).
   a. Link switch cmd was added to serial active queue, existing peer
      gets deleted as part of link switch disconnect.
   b. Link switch connect starts but gets deferred due to LL-SAP Bearer
      switch transition, WLAN_CM_SM_EV_CONNECT_ACTIVE is sent after
      WLAN_CM_SM_EV_BEARER_SWITCH_COMPLETE received, bss peer create cmd
      is sent to F/W.

2. Disconnect from userspace is received when link switch unfinished.
   a. The disconnect on VDEV-1 here notified MLO-manager to terminate
      ongoing link switch.
   b. If BSS peer created, mlme_cm_bss_peer_delete_req will be called to
      delete it.
   c. Link switch confirmation is sent to F/W as failure.
   d. link switch cmd is removed from serial active queue.

Change-Id: I13ba820bd0240d062c7cd47ec0e53ae1a27d5b58
CRs-Fixed: 3752437
2024-04-19 06:27:37 -07:00
CNSS_WLAN Service
4004081535 Merge "qcacmn: Use only partner links with valid scan entry" into wlan-cmn.driver.lnx.2.0.14
2024-04-19 04:18:22 -07:00
Sheenam Monga
1111cf6224 qcacmn: Update validation before accessing neighbor_ap_info_field data
Don't fetch TBTT info if data + neighbor_ap_info_field is <=
ie + rnr_ie_len + 2 instead of < ie + rnr_ie_len + 2.
Only less than validation may lead to extra iteration and
wrong rnr data.

CRs-Fixed: 3787446
Change-Id: I9dbaa066dd09f6c9ddfb3e400d95e009313cd54d
2024-04-17 10:25:57 -07:00
Rahul Gusain
f5a0f79275 qcacmn: Fix null pointer dereference
Fix NULL pointer dereference issue for CFR private object in the
"target_if_cfr_update_global_cfg" API.

Change-Id: Ieac9df08c0e14b6c65f8d974f7f1f1220a3b8008
CRs-Fixed: 3772912
2024-04-12 00:19:43 -07:00
Vinod Kumar Pirla
e60c0128f8 qcacmn: Add API to check reg domain supports 11be
Check the max supported current regulatory domain's
phy mode equals 11be or not.

Change-Id: Ic4ba81d22d195248a7a1b25f3e7fa5b31093f4c6
CRs-Fixed: 3671851
2024-04-11 01:21:09 -07:00
Jianmin Zhu
864dae22f3 qcacmn: Disable partner link which has same mac or id with assoc link
In RNR of bad AP beacon, partner link has same link id and bssid as assoc
link of same MLD.

To fix it, disable partner link which has same mac or id as assoc link
of same MLD.

Change-Id: Ieda1807b5ed13559c847f2d39035a9acb2e4232f
CRs-Fixed: 3772848
2024-04-08 21:06:45 -07:00
Sheenam Monga
d47fccbfde qcacmn: Fix potential OOB read in util_scan_parse_rnr_ie
Currently, while parsing scan RNR Ie data is moved to
next neighbor_ap_info_field after parsing the current
neighbor_ap_info_field. But in last iteration pointer may
try to access invalid data if (uint8_t *)ie + rnr_ie_len + 2)
bytes are less than sizeof neighbor_ap_info_field and same
is the case with tbtt_length access.

Fix is to add a length check of data + next data size to be parsed
< (uint8_t *)ie + rnr_ie_len + 2) instead of adding a validation
of data length only.

CRs-Fixed: 3710080
Change-Id: I05e5a9a02f0f4f9bc468db894588e676f0a248c0
2024-04-07 21:07:09 -07:00
Krupali Dhanvijay
77cebf7083 qcacmn: Add check to avoid NULL pointer dereference in parse MBSSID
In malformed beacon frame may dereference the NULL pointer while
parsing MBSSID IE in util_scan_parse_mbssid will lead to crash.

Add check in util_scan_parse_mbssid for split_prof_start before
passing to util_gen_new_ie and assign zero to split_prof_len
whenever split_prof_start freed to avoid unanticipated scenario.

Change-Id: Ibb9739d6b5d1775ab52d59f9aa5050ca693cd926
CRs-Fixed: 3717571
2024-04-03 16:43:31 -07:00
Pragaspathi Thilagaraj
ba7f3371ee qcacmn: Set LTF keyseed required for existing peer also
LTF keyseed required flag is set only for newly created PASN
peer. This value is filled from the security mode value received
in the PASN peer create request event from the firmware.
If PASN peer already exists, then the peer is just added to the
peer list and secure LTF keyseed required flag is not updated.
This leads to wrong sequence of commands going to firmware.

Expected sequence: Install TK -> Set LTF keyseed -> PASN Auth
STATUS.

Observed Sequence: Install TK -> PASN Auth status -> Set LTF
keyseed -> PASN Auth status.

So set the is_ltf_keyseed required flag for already existing
PASN peer also

Change-Id: If9994ad01a96bdb26ad55538a67feaed7e22892f
CRs-Fixed: 3742573
2024-03-29 15:51:58 -07:00
Surya Prakash Sivaraj
99f24676b4 qcacmn: Use only partner links with valid scan entry
If the scan entries for a non-tx profile MBSSID partner links
are not present at the time of candidate selection, then
host driver generates the scan entry for the missing partner
link from the assoc response.

The assoc response from the AP has PMKID in the RSN (some APs
do not include RSN IE in assoc resp). In this case, the RSN
along with PMKID gets inherited into the scan cache of the
missing partner and this leads to mismatch between M3 and
scan entry RSN causing disconnection.

To fix this, mark all the MBSSID partners without scan entries
as invalid links at the time of candidate shortlisting. Score
and connect to only non-tx candidates with valid scan entries.

Remove the probe response generation from assoc response logic.

Change-Id: I342519490ead2a2e91426439cf47e65c61b53aed
CRs-Fixed: 3766047
2024-03-28 23:03:01 -07:00
Vinod Kumar Pirla
3ea1cbb97c qcacmn: Introduce APIs to save peer create and destroy hist
Add new structures, enums and APIs to enhance driver support
to store peer create and destroy history in PSOC.

Add new list to MLME's PSOC object to hold entries.

Change-Id: I22b8d559e9981a93dc4891d563586dc13245aff9
CRs-Fixed: 3738897
2024-03-28 01:38:03 -07:00
Vinod Kumar Pirla
a43a03d5b7 qcacmn: New field to save number of FW roamed links
Add new field to hold number of links FW roamed
to from roam sync indication.

Change-Id: Ie855a4725eb20d2696de7b7e88e67b870fb918c6
CRs-Fixed: 3755825
2024-03-28 00:22:34 -07:00
Jianmin Zhu
54e0332947 qcacmn: Generate all possible unique candidates for MLO AP
For mlo candidate, need to generate all possible unique candidates, and try
to connect one by one by sort of score.

For single MLO AP 5 GHz + 6 GHz + 2 GHz
 generates all possible unique candidates as following:
 1. 6 GHz + 2 GHz + 5 GHz
 2. 6 GHz + 2 GHz
 3. 6 GHz + 5 GHz
 4. 6 GHz
 5. 5 GHz + 2 GHz
 6. 5 GHz
 7. 2 GHz

Since standby link doesn't contribute to MLO candidate score,
to assure 3 links candidate is tried before 2 links generated,
insert generated candidate after original candidate.

Change-Id: I6c92b02e47563fc9b15e37fcec2ab7025a6554a3
CRs-Fixed: 3750735
2024-03-25 19:48:01 -07:00
Shashikala Prabhu
20e6be3aa4 qcacmn: Fix out-of-bound read in T2LM IE parse API
In wlan_mlo_parse_t2lm_ie(), the code is present to check if the frame
length is less than the parsed IE length plus size of ie_header structure
(2 bytes). If the above condition is false then the subsequent code will
access the data of parsed IE length plus size of extn_ie_header structure
(3 bytes).

To fix the out-of-bound read, check if the frame length is less than
parsed IE length plus size of extn_ie_header structure.
Also, added the code to return success if frame length is same as parsed
IE length.

Change-Id: I07c32379ecd18d253a82876127c33b4d95196dd2
CRs-Fixed: 3704796
2024-03-24 23:18:34 -07:00
Shashikala Prabhu
3c0cb90468 qcacmn: Add frame length check in T2LM action frame parse APIs
Check for frame length before processing the T2LM request and response
action frames.

Change-Id: I3ac1c8f6c2ff58a8c3a6d589fe6485dd97bfce09
CRs-Fixed: 3704794
2024-03-24 23:18:17 -07:00
Ananya Gupta
789b303c02 qcacmn: Clear number of users per ppdu in monitor mode
Currently, when a new ppdu is received, num_users per ppdu is
not getting cleared after every ppdu is processed. Hence, in OFDMA
cases the number of users increments for each ppdu and asserts when
number of users exceed the OFDMA_NUM_USERS.
To fix this, clear num_users when the ppdu is processed from status
ring in monitor mode.

Change-Id: If2598486338650342b83d65f2d5410a73c38c006
CRs-Fixed: 3664999
2024-03-19 15:06:36 -07:00
Surya Prakash Sivaraj
7062447879 qcacmn: Ignore PCL scoring for non-DBS STA
HW is non-DBS. SAP is UP in 6 GHz. Now, when a STA connection is
attempted, the pcl for the second connection would have SAP SCC
channel with highest priority, all the 5 GHz channels with 2nd
highest priority and the 6 GHz channels with least priority.
Therefore, even if there is a strong 6 GHz candidate for STA, the
5 GHz candidate would be chosen and the SAP moves to SCC in 5 GHz.

To fix this, ignore the pcl scoring for the non-DBS concurrency
cases as the SAP can move to the channel of the best STA interface.

If the SAP is in legacy band, and if still a 6 GHz STA is chosen,
then the legacy SAP would be torn down. So, give STA the best
possible in non-DBS case.

Change-Id: I08d1acbe7805dcf7137534347406ffdf539ff0aa
CRs-Fixed: 3748694
2024-03-18 10:46:06 -07:00
Amit Mehta
03f346bc1e qcacmn: Add changes to distinguish between LPC and STA+MON
Currently there is no way to distinguish between
Local Packet Capture and STA+Mon mode as both mode
uses same monitor interface. So to distinguish between
two mode in local_packet_capture enable case use
mon_flags which can be passed during monitor interface
add time. If "flags otherbss" is passed during
monitor interface add driver will consider current mode
as STA+MON mode, LPC otherwise.

Change-Id: I56a724697bb187d0b809b6c43c7b5bf4b7d15ca7
CRs-Fixed: 3739438
2024-03-18 01:57:08 -07:00
Amit Mehta
cbca127f90 qcacmn: Define QDF macros for monitor interface flags
Define QDF macros for monitor interface flags

CRs-Fixed: 3739437
Change-Id: I2654d122bd4493a31e965d4026758ef36ec5537e
2024-03-18 00:37:11 -07:00
Amit Mehta
0d61faf9e7 qcacmn: Add changes to store monitor interface flags
Currently STA+Mon mode is not supported in LPC case
as both mode uses monitor interface to capture
packets. So to distinguish between two different
monitor modes add changes to store monitor interface flags

Change-Id: Ied43fa50adac200bed47a4044245baca4d6cc84f
CRs-Fixed: 3739291
2024-03-18 00:36:58 -07:00
Aasir Rasheed
6e6bab3a81 qcacmn: Use MLMR and MLSR bss type for vendor_roam_score_algo
Currently, Host driver is using only MLMR bss type for
vendor_roam_score_algorithm.

Due to recent change in host driver via
Change-Id: I01338dbbc0845e6f6284e4a374f5ad0a5cada334, Host driver
is using this api policy_mgr_2_freq_always_on_same_mac for
evaluating sbs or dbs frequency which in turn returns MLSR for
frequency 5 GHz and 6 GHz opposed to MLMR earlier.

This change is to use both the bss types MLMR and MLSR for
the evaluation vendor_roam_score_algorithm.

Change-Id: I72b0d5e5b2daf498a434c05b503ea8aebc65be74
CRs-Fixed: 3742619
2024-03-18 00:36:47 -07:00
CNSS_WLAN Service
5438cc76c2 Merge "qcacmn: Fix potential OOB read in util_scan_parse_mbssid()" into wlan-cmn.driver.lnx.2.0.14
2024-03-12 11:28:41 -07:00
CNSS_WLAN Service
2613f5f745 Merge "qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()" into wlan-cmn.driver.lnx.2.0.14
2024-03-12 11:28:25 -07:00
CNSS_WLAN Service
a6fa17f7b9 Merge "qcacmn: Fix field-spanning kernel warning during driver load" into wlan-cmn.driver.lnx.2.0.14
2024-03-12 11:26:17 -07:00
CNSS_WLAN Service
3d4a6e6fda Merge "qcacmn: Fix field-spanning kernel warning during driver load" into wlan-cmn.driver.lnx.2.0.14
2024-03-12 11:25:42 -07:00
CNSS_WLAN Service
411a06c0c4 Merge "qcacmn: Fix OOB read of ML IE" into wlan-cmn.driver.lnx.2.0.14
2024-03-12 10:47:21 -07:00
Surya Prakash Sivaraj
87778b39c8 qcacmn: Fix potential OOB read in util_scan_parse_mbssid()
If the length of the MBSSID IE is 0, then there is a potential
OOB read in util_scan_parse_mbssid(), when the Max BSSID indicator
field is accessed.

To fix this, do not proceed with MBSSID parsing if the length
of the MBSSID IE is zero.

Change-Id: I2c7a7641b77fed20a910cb77035588a7540caa62
CRs-Fixed: 3717567
2024-03-12 09:07:39 -07:00
Srikanth Marepalli
77e5284c7c qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()
If the tag length in next_elem is some invalid high value then the
existing length check can still pass and lead to the OOB access.

Add an OOB check w.r.t total IE length to ensure it has the
minimum number of bytes in the buffer.

Change-Id: I9778a3e0ced05d3246d91e23c2a47f7318634d75
CRs-Fixed: 3717566
2024-03-12 09:07:27 -07:00
Surabhi Vishnoi
8cc36ff7cf qcacmn: Fix field-spanning kernel warning during driver load
Currently, driver passes void pointer to wmsg as source buffer
in memcpy API to copy the local log_msg to nlmsg data buffer
in ptt_sock_send_msg_to_app(). This leads to kernel warn as
kernel is unable to calculate the size of variable length source
buffer.

To fix this issue, pass the data buffer of nlmsg in memcpy API
so that kernel is able to calculate the size of source buffer
and verify for buffer overflow before copy.

Change-Id: I91e2e1b0b8e58428ed5ba20c7caf4ec3b45a6428
CRs-Fixed: 3749523
2024-03-12 09:07:15 -07:00
Surabhi Vishnoi
5d71abe754 qcacmn: Fix field-spanning kernel warning during driver load
Currently, driver passes void pointer to wmsg as source buffer
in memcpy API to copy the local log_msg to nlmsg data buffer
in send_filled_buffers_to_user(). This leads to kernel warn
as kernel is unable to calculate the size of variable length
source buffer.

To fix this issue, pass the data buffer of nlmsg in memcpy API
so that kernel is able to calculate the size of source buffer
and verify for buffer overflow before copy.

Change-Id: Ief089f4a834aa89a0be75fcf201ad56ca9cba7d8
CRs-Fixed: 3749520
2024-03-12 07:57:08 -07:00
Surya Prakash Sivaraj
8536ce5d51 qcacmn: Fix OOB read of ML IE
In util_get_bvmlie_bssparamchangecnt() and util_get_bvmlie_mldcap(),
fix the possible OOB read of the ML IE, if the ML IE length is less
than the minimum template of Basic variant ML probe response.

Change-Id: I50efaba682a1e42ef8befe09224edc34de9c8c7b
CRs-Fixed: 3700045
2024-03-12 06:41:37 -07:00
Surya Prakash Sivaraj
24073c30bf qcacmn: Fix possible OOB read/writes in ML probe generation
Fix the OOB read/writes util_add_mlie_for_prb_rsp_gen() when
the common info length is higher than the ML IE inside which
the common info is encoded.

Change-Id: I07e9ad748404c6252924996aae57aba0f18e2f7d
CRs-Fixed: 3700072
2024-03-12 06:41:26 -07:00
Surya Prakash Sivaraj
9c831dd988 qcacmn: Support dynamic FILS enablement for dual SAP
For Dual SAP (legacy SAP + 6 GHz SAP), WFA HE-4.1.1 cert
case requires the following:
a) If Dual SAP is enabled, the 6 GHz SSID should be
discovered via the RNR IE of the colocated legacy SAP.
b) If a co-located neighbor is present, the 6 GHz SAP
should not send FD or unsolicited probe responses.

Add support for the above cert case by configuring the
FD support for the 6 GHz SAP based on the operation of the
co-located SAP.

Change-Id: Ib1ea2794baf8786b7c042fc35130b6929abb947f
CRs-Fixed: 3732663
2024-03-12 02:04:33 -07:00
Amit Mehta
117e50a841 qcacmn: Reset monitor mon filters to init state
Currently during local packet capture filter reset
mon_pdev monitor filters are not reset to default init
state, which can result in issue in STA+Mon case as
packets will not be routed to monitor rings.

So to fix the issue reset mon_pdev monitor filters
to init state on LPC filter reset.

Change-Id: I45c354381405427ef28eee6a31fae4f54c4ab5ab
CRs-Fixed: 3739278
2024-03-11 09:08:53 -07:00
Jianmin Zhu
bf97803ce8 qcacmn: Fix wrong MLO 2 GHz link CCFS1 in response to get_channel
2 GHz link CCFS may not be filled correctly in vht/he op, wrong CCFS0
is got from util_scan_sec_chan_freq_from_htinfo and passed to kernel,
regulatory check failed, disconnect will happen.

To fix it, add new API util_scan_ccfs0_from_htinfo, and get CCFS0 by it.

Change-Id: I0e8879f13cff37b85cffb6446cc15c60c05465d2
CRs-Fixed: 3739815
2024-03-11 01:50:08 -07:00
Jianmin Zhu
a9c79a17ae qcacmn: Move TPE MACRO to regulatory module
Move TPE MACRO to regulatory module

Change-Id: I61672a09abe6b0d5884d1233fbc4f5d2595ea290
CRs-Fixed: 3737992
2024-03-11 00:43:32 -07:00
Manikanta Pubbisetty
e2e92aa7d6 qcacmn: Force update HP/TP upon delayed register writes
Currently if HP/TP register updates are delayed due to delayed reg
write work not getting scheduled, although driver has processed
the ring completely, hardware would see HP/TP delta and fires an
interrupt based on interrupt threshold configuration until the
HP/TP updates reach the hardware.

When system is heavily stressed, this delay in HP/TP updates would
result in IRQ storm further stressing the system which is bad.
Force update HP/TP to the hardware under such scenarios to avoid
this problem.

Currently doing this just for CE DST SRNGs, this can be scaled to
other SRNGs on need.

Change-Id: I8a4938dbd4850d7ab6ae5183186237a5e37e1038
CRs-Fixed: 3749078
2024-03-10 23:25:57 -07:00
Abhinav Kumar
e454eb5052 qcacmn: Add QCA vendor attribute for BTM support configuration
Add a vendor attribute to configure BTM support in STA mode.

Change-Id: Icba0f008bc63b21d125f8ba685dc97af7c1b9e95
CRs-Fixed: 3742264
2024-03-09 16:03:24 -08:00
Manikanta Pubbisetty
0a79864dd1 qcacmn: Increase soc wake time for ipci devices
Currently for IPCI devices, SoC wake request and release messages
are serialized, i.e., a new request cannot make it to the firmware
unless the current request is completed. In some cases, when system
is heavily loaded, SoC wake request cannot make it to the firmware
due to a previous SoC wake release resulting in a timeout.

Increase the SoC wake timeout to 1 second to avoid this. Since this
is a worst case value, increasing it should be fine.

Change-Id: Ic265c0076233378bc6db7b2a99f7a0b7d7a4b2bc
CRs-Fixed: 3748244
2024-03-08 07:31:35 -08:00
Vinod Kumar Pirla
f3d3f64f12 qcacmn: Always update OSIF/HDD connect info
Driver tries to fetch BSS info from kernel to update
connect results and at the same time updates HDD/OSIF
of the current link's BSSID and link ID.
OSIF/HDD will not be updated, if BSS info is not found
in kernel. This will leave MLO manager and OSIF/HDD to
go out-of-sync.

This can later lead to link switch failure as HDD is
not having all link's information.

To keep MLO manager and OSIF/HDD in sync, always update
OSIF/HDD even if BSS info fetch from kernel fails.

Change-Id: Ie2e67317256cc2d9edaa7663d3902b63a45cbaaa
CRs-Fixed: 3729709
2024-03-07 00:27:18 -08:00
Amit Mehta
f4dda761c5 qcacmn: Add changes to log peer unmap event count
Currently host does not maintain peer map and unmap
event count, due to which it's difficult to check
if host has received peer unmap events for all peer map.

To fix the issue maintain peer map and unmap count and dump
stats in case of duplicate peer map event.

CRs-Fixed: 3707115
Change-Id: I8881cc35646ba4abcc9897b71ed462a5e2c3dfb4
2024-03-05 23:21:02 -08:00
Aditya Kodukula
5cbfd2c051 qcacmn: Add a qdf macro for flexible length array
Define a qdf macro QDF_FLEX_ARRAY for declaring flexible length arrays.

Change-Id: I9be0d699fc85264e37b9e399ca239cada74eba5a
CRs-Fixed: 3690235
2024-03-05 22:17:53 -08:00
Karthik Kantamneni
83938b4902 qcacmn: Add new ssr reason code for enable irq failure
Add new ssr/hang reason code for enable irq failure.
This reason code will be used to log recovery reason when
enable irq failure is seen.

Change-Id: Idc126f9d313373a47cde02c5dfd0fc909970691f
CRs-Fixed: 3724895
2024-03-05 13:33:22 -08:00
Karthik Kantamneni
5bce59c56f qcacmn: Add support to request rtpm resume in suspending state
Add support to request rtpm resume in suspending state,
this helps to request resume from WOW initial wake up
sequence if resume request is being missed from CE
interrupt handler.

Change-Id: I7e5e4be7d793fef94c7c72f9c3bd2ac28e992f7c
CRs-Fixed: 3743772
2024-03-05 13:33:10 -08:00
Manikanta Pubbisetty
9cc2e55b8c qcacmn: Re-enable kswapd reclaim during nbuf alloc
Currently in __qdf_nbuf_alloc(), __GFP_KSWAPD_RECLAIM flag is
unset before calling kernel APIs for SKB allocation. Since this
flag is not set, in low memory scenarios, nbuf allocations might
fail resulting in firmware assert.

Re-enable the __GFP_KSWAPD_RECLAIM flag to avoid these failures.
It is safe to re-enable this flag since __qdf_nbuf_alloc() does
not request for order-3 allocations any more.

Change-Id: I2501a751d42277e2f7015b9e712ccdf5ec0ef7f1
CRs-Fixed: 3739812
2024-03-04 18:36:49 -08:00
Krupali Dhanvijay
8cd067442d qcacmn: Change minimum mbssid ie length value to 1
Currently, in the driver, the minimum MBSSID IE length value
in the driver is set to 4. Some APs advertise this value as
1. In such situations, driver fails to parse the ie.
So, to avoid such cases, modify the minimum mbssid ie length
value to 1.

Change-Id: I6ef89706b95318cb9bd38e04cab56b0fdef99fd5
CRs-Fixed: 3684794
2024-03-04 07:26:27 -08:00
Rahul Gusain
b2253d3444 qcacmn: OOB while accessing ML IE
Currently, in function "util_get_ml_bv_partner_link_info" driver
accesses the ML IE memory with offset which is calculated from ML IE
length and increments this offset with other values (such as
perstaprof_stainfo_len). But this can lead to OOB for ML IE when
this offset value is incremented beyond ML IE length.

So, to fix this, add check for offset before accessing ML IE.

Change-Id: Ie7312ab3379fce16e5b0f83d07d46f263f774ed8
CRs-Fixed: 3710085
2024-03-04 00:57:21 -08:00
Krupali Dhanvijay
f323c32b7d qcacmn: Fix out-of-bound in wlan_mlo_parse_bcn_prbresp_t2lm_ie
Currently, in the MLO t2lm API, wlan_mlo_parse_bcn_prbresp_t2lm_ie
is missing frame boundary checks which may lead to out-of-bound
reads if the lengths are not checked by the caller.

Fix is, while parsing t2lm ie pass the frame length and add
check for frame boundary.

CRs-Fixed: 3704739
Change-Id: If3068db3489ee1c9a9da4945407598e27e3ca276
2024-02-22 22:28:30 -08:00