Previously, host drivers only updated the link state for
active links upon receiving the wmi_mlo_link_state_switch_eventid
event from the firmware. This led to all links being updated
as active after multiple link_state_switch events, as the
state for inactive links was not being updated.
This commit addresses this issue by ensuring that the link
state for both active and inactive links is updated upon
receiving the link_state_switch event from the firmware.
Change-Id: I668074b397cf6b570929459c9fe5e23ca55b75b1
CRs-Fixed: 3763361
Uninitialized structure variable causes a Prevent issue.
Initialize the structure variable with zero in all fields of the
structure in cm_update_link_channel_info.
Change-Id: Ib249bcb56b189b1529daeeb4be9f694c5a3ecae3
CRs-Fixed: 3788234
Hit the following link switch issue when LL-SAP existed.
1. Link switch was received on VDEV-1 (partner link).
   a. Link switch cmd was added to serial active queue, existing peer
      was deleted as part of link switch disconnect.
   b. Link switch connect started but got deferred due to LL-SAP Bearer
      switch transition; when WLAN_CM_SM_EV_BEARER_SWITCH_COMPLETE was
      received, a new connect cmd was added to serial pending queue, and
      link switch was blocked here.
2. Disconnect from userspace was received.
   a. The disconnect on VDEV-1 here notified MLO-manager to terminate
      ongoing link switch.
   b. Link switch confirmation was sent to F/W as failure.
   c. Link switch cmd was removed from serial active queue.
3. Connect cmd queued in #1.b was activated and moved VDEV-1 state to
   connecting.
   a. New peer got created but PE session wasn't yet created.
   b. Disconnect from #2.a changed the VDEV-1 state from connecting to
      disconnecting.
   c. While processing the disconnect in #3.b, peer delete for the peer
      created in #3.a didn't happen as disconnect didn't proceed when PE
      session was not found.
To fix it, for link switch, don't add a new connect cmd to serial queue
after LL-SAP Bearer switch since link switch cmd is queued already.
1. Link switch is received on VDEV-1 (partner link).
   a. Link switch cmd is added to serial active queue, existing peer
      gets deleted as part of link switch disconnect.
   b. Link switch connect starts but gets deferred due to LL-SAP Bearer
      switch transition; WLAN_CM_SM_EV_CONNECT_ACTIVE is sent after
      WLAN_CM_SM_EV_BEARER_SWITCH_COMPLETE is received, and bss peer create
      cmd is sent to F/W.
2. Disconnect from userspace is received when link switch is unfinished.
   a. The disconnect on VDEV-1 here notifies MLO-manager to terminate
      ongoing link switch.
   b. If BSS peer is created, mlme_cm_bss_peer_delete_req will be called to
      delete it.
   c. Link switch confirmation is sent to F/W as failure.
   d. Link switch cmd is removed from serial active queue.
Change-Id: I13ba820bd0240d062c7cd47ec0e53ae1a27d5b58
CRs-Fixed: 3752437
Don't fetch TBTT info if data + neighbor_ap_info_field is <=
ie + rnr_ie_len + 2 instead of < ie + rnr_ie_len + 2.
Only less-than validation may lead to an extra iteration and
wrong RNR data.
CRs-Fixed: 3787446
Change-Id: I9dbaa066dd09f6c9ddfb3e400d95e009313cd54d
Check whether the max supported phy mode of the current regulatory
domain equals 11be or not.
Change-Id: Ic4ba81d22d195248a7a1b25f3e7fa5b31093f4c6
CRs-Fixed: 3671851
In the RNR of a bad AP beacon, the partner link has the same link ID and
BSSID as the assoc link of the same MLD.
To fix it, disable the partner link which has the same MAC or ID as the
assoc link of the same MLD.
Change-Id: Ieda1807b5ed13559c847f2d39035a9acb2e4232f
CRs-Fixed: 3772848
Currently, while parsing the scan RNR IE, data is moved to the
next neighbor_ap_info_field after parsing the current
neighbor_ap_info_field. But in the last iteration the pointer may
try to access invalid data if the (uint8_t *)ie + rnr_ie_len + 2
bytes are less than sizeof neighbor_ap_info_field, and the same
is the case with tbtt_length access.
Fix is to add a length check of data + next data size to be parsed
< (uint8_t *)ie + rnr_ie_len + 2 instead of adding a validation
of data length only.
CRs-Fixed: 3710080
Change-Id: I05e5a9a02f0f4f9bc468db894588e676f0a248c0
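The remaining-length check that this commit and CRs-Fixed 3787446 above describe, as an added example that is not the driver's code: a walker over the RNR element's Neighbor AP Information fields that verifies the bytes it is about to read fit inside ie + rnr_len + 2 before every access, for the field header and for the TBTT entries alike. The 4-byte header layout (TBTT Information Count in the high nibble of byte 0, TBTT Information Length in byte 1) is assumed from the 802.11 RNR format, and the sample elements are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define ELEMID_RNR           201  /* Reduced Neighbor Report element ID */
#define NBR_AP_INFO_HDR_LEN  4    /* TBTT info header (2) + op class (1) + channel (1) */

/* Walks the Neighbor AP Information fields of the RNR element that starts
 * at ie (its Element ID byte) in a frame ending at buf_end. Returns the
 * total number of TBTT Information entries, or -1 if the element, a
 * field header or the entries it declares would extend past the buffer
 * or past ie + rnr_len + 2. Field sizes and the header layout are
 * assumed from the 802.11 RNR format, not taken from the driver. */
int rnr_count_tbtt(const uint8_t *ie, const uint8_t *buf_end)
{
    if (buf_end - ie < 2 || ie[0] != ELEMID_RNR)
        return -1;
    size_t rnr_len = ie[1];
    if ((size_t)(buf_end - ie) < rnr_len + 2)
        return -1;                         /* element longer than the frame */
    const uint8_t *end = ie + 2 + rnr_len; /* one past the element */
    const uint8_t *data = ie + 2;
    int total = 0;

    /* Equivalent to "data + header size <= end". With "data < end"
     * a trailing fragment of 1..3 bytes would still enter the loop and
     * the header read would run past the element. */
    while ((size_t)(end - data) >= NBR_AP_INFO_HDR_LEN) {
        unsigned count = ((data[0] >> 4) & 0x0f) + 1; /* field holds count - 1 */
        size_t tbtt_len = data[1];
        size_t need = count * tbtt_len;  /* bytes of TBTT entries that follow */
        if (tbtt_len == 0 ||
            (size_t)(end - data) - NBR_AP_INFO_HDR_LEN < need)
            return -1;                   /* entries declared but not present */
        data += NBR_AP_INFO_HDR_LEN + need;  /* only now step to the next field */
        total += (int)count;
    }
    return total;
}

/* Constructed RNR element with two Neighbor AP Information fields:
 *  - header 0x10 -> two TBTT entries of 3 bytes; op class 131, channel 5
 *  - header 0x00 -> one TBTT entry of 2 bytes; op class 115, channel 36 */
static const uint8_t rnr_sample[] = {
    ELEMID_RNR, 16,
    0x10, 3, 131, 5,  0xa1, 0xa2, 0xa3,  0xb1, 0xb2, 0xb3,
    0x00, 2, 115, 36, 0xc1, 0xc2,
};

/* Constructed element that declares two 3-byte entries but carries one byte. */
static const uint8_t rnr_short[] = { ELEMID_RNR, 5, 0x10, 3, 131, 5, 0xa1 };
```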
A malformed beacon frame may dereference a NULL pointer while
parsing the MBSSID IE in util_scan_parse_mbssid, which will lead to a crash.
Add a check in util_scan_parse_mbssid for split_prof_start before
passing it to util_gen_new_ie, and assign zero to split_prof_len
whenever split_prof_start is freed to avoid the unanticipated scenario.
Change-Id: Ibb9739d6b5d1775ab52d59f9aa5050ca693cd926
CRs-Fixed: 3717571
LTF keyseed required flag is set only for a newly created PASN
peer. This value is filled from the security mode value received in
the PASN peer create request event from the firmware.
If the PASN peer already exists, then the peer is just added to the
peer list and the secure LTF keyseed required flag is not updated.
This leads to a wrong sequence of commands going to firmware.
Expected sequence: Install TK -> Set LTF keyseed -> PASN Auth
STATUS.
Observed sequence: Install TK -> PASN Auth status -> Set LTF
keyseed -> PASN Auth status.
So set the is_ltf_keyseed required flag for an already existing
PASN peer also.
Change-Id: If9994ad01a96bdb26ad55538a67feaed7e22892f
CRs-Fixed: 3742573
If the scan entries for a non-tx profile MBSSID partner links
are not present at the time of candidate selection, then
host driver generates the scan entry for the missing partner
link from the assoc response.
The assoc response from the AP has PMKID in the RSN (some APs
do not include the RSN IE in the assoc resp). In this case, the RSN
along with PMKID gets inherited into the scan cache of the
missing partner and this leads to a mismatch between M3 and
scan entry RSN, causing disconnection.
To fix this, mark all the MBSSID partners without scan entries
as invalid links at the time of candidate shortlisting. Score
and connect to only non-tx candidates with valid scan entries.
Remove the probe response generation from assoc response logic.
Change-Id: I342519490ead2a2e91426439cf47e65c61b53aed
CRs-Fixed: 3766047
Add new structures, enums and APIs to enhance driver support
to store peer create and destroy history in PSOC.
Add new list to MLME's PSOC object to hold entries.
Change-Id: I22b8d559e9981a93dc4891d563586dc13245aff9
CRs-Fixed: 3738897
For MLO candidates, generate all possible unique candidates and try
to connect one by one in order of score.
For a single MLO AP 5 GHz + 6 GHz + 2 GHz,
generate all possible unique candidates as follows:
1. 6 GHz + 2 GHz + 5 GHz
2. 6 GHz + 2 GHz
3. 6 GHz + 5 GHz
4. 6 GHz
5. 5 GHz + 2 GHz
6. 5 GHz
7. 2 GHz
Since the standby link doesn't contribute to the MLO candidate score,
to ensure the 3-link candidate is tried before the generated 2-link ones,
insert the generated candidate after the original candidate.
Change-Id: I6c92b02e47563fc9b15e37fcec2ab7025a6554a3
CRs-Fixed: 3750735
In wlan_mlo_parse_t2lm_ie(), the code is present to check if the frame
length is less than the parsed IE length plus size of ie_header structure
(2 bytes). If the above condition is false then the subsequent code will
access the data of parsed IE length plus size of extn_ie_header structure
(3 bytes).
To fix the out-of-bound read, check if the frame length is less than
parsed IE length plus size of extn_ie_header structure.
Also, add code to return success if the frame length is the same as the
parsed IE length.
Change-Id: I07c32379ecd18d253a82876127c33b4d95196dd2
CRs-Fixed: 3704796
Check for frame length before processing the T2LM request and response
action frames.
Change-Id: I3ac1c8f6c2ff58a8c3a6d589fe6485dd97bfce09
CRs-Fixed: 3704794
HW is non-DBS. SAP is UP in 6 GHz. Now, when a STA connection is
attempted, the pcl for the second connection would have SAP SCC
channel with highest priority, all the 5 GHz channels with 2nd
highest priority and the 6 GHz channels with least priority.
Therefore, even if there is a strong 6 GHz candidate for STA, the
5 GHz candidate would be chosen and the SAP moves to SCC in 5 GHz.
To fix this, ignore the pcl scoring for the non-DBS concurrency
cases as the SAP can move to the channel of the best STA interface.
If the SAP is in legacy band, and if still a 6 GHz STA is chosen,
then the legacy SAP would be torn down. So, give STA the best
possible in non-DBS case.
Change-Id: I08d1acbe7805dcf7137534347406ffdf539ff0aa
CRs-Fixed: 3748694
Currently, the host driver is using only the MLMR BSS type for
vendor_roam_score_algorithm.
Due to a recent change in the host driver via
Change-Id: I01338dbbc0845e6f6284e4a374f5ad0a5cada334, the host driver
is using the API policy_mgr_2_freq_always_on_same_mac for
evaluating SBS or DBS frequency, which in turn returns MLSR for
frequencies 5 GHz and 6 GHz as opposed to MLMR earlier.
This change is to use both BSS types MLMR and MLSR for
the vendor_roam_score_algorithm evaluation.
Change-Id: I72b0d5e5b2daf498a434c05b503ea8aebc65be74
CRs-Fixed: 3742619
If the length of the MBSSID IE is 0, then there is a potential
OOB read in util_scan_parse_mbssid(), when the Max BSSID indicator
field is accessed.
To fix this, do not proceed with MBSSID parsing if the length
of the MBSSID IE is zero.
Change-Id: I2c7a7641b77fed20a910cb77035588a7540caa62
CRs-Fixed: 3717567
If the tag length in next_elem is some invalid high value, then the
existing length check can still pass and lead to OOB access.
Add an OOB check w.r.t. the total IE length to ensure it has the
minimum number of bytes in the buffer.
Change-Id: I9778a3e0ced05d3246d91e23c2a47f7318634d75
CRs-Fixed: 3717566
In util_get_bvmlie_bssparamchangecnt() and util_get_bvmlie_mldcap(),
fix the possible OOB read of the ML IE, if the ML IE length is less
than the minimum template of Basic variant ML probe response.
Change-Id: I50efaba682a1e42ef8befe09224edc34de9c8c7b
CRs-Fixed: 3700045
Fix the OOB reads/writes in util_add_mlie_for_prb_rsp_gen() when
the common info length is higher than the ML IE inside which
the common info is encoded.
Change-Id: I07e9ad748404c6252924996aae57aba0f18e2f7d
CRs-Fixed: 3700072
For Dual SAP(legacy SAP + 6 GHz SAP), WFA HE-4.1.1 cert
case requires the following:
a) If Dual SAP is enabled, the 6 GHz SSID should be
discovered via the RNR IE of the colocated legacy SAP.
b) If a co-located neighbor is present, the 6 GHz SAP
should not send FD or unsolicited probe responses.
Add support for the above cert case by configuring the
FD support for the 6 GHz SAP based on the operation of the
co-located SAP.
Change-Id: Ib1ea2794baf8786b7c042fc35130b6929abb947f
CRs-Fixed: 3732663
The 2 GHz link CCFS may not be filled correctly in VHT/HE op, so a wrong
CCFS0 is got from util_scan_sec_chan_freq_from_htinfo and passed to the
kernel, the regulatory check fails, and a disconnect will happen.
To fix it, add a new API util_scan_ccfs0_from_htinfo, and get CCFS0 by it.
Change-Id: I0e8879f13cff37b85cffb6446cc15c60c05465d2
CRs-Fixed: 3739815
Currently, the minimum MBSSID IE length value in the driver is
set to 4. Some APs advertise this value as 1. In such situations,
the driver fails to parse the IE.
So, to avoid such cases, modify the minimum MBSSID IE length
value to 1.
Change-Id: I6ef89706b95318cb9bd38e04cab56b0fdef99fd5
CRs-Fixed: 3684794
Currently, in function "util_get_ml_bv_partner_link_info" the driver
accesses the ML IE memory with an offset which is calculated from the
ML IE length and increments this offset with other values (such as
perstaprof_stainfo_len). But this can lead to OOB for the ML IE when
this offset value is incremented beyond the ML IE length.
So, to fix this, add a check for the offset before accessing the ML IE.
Change-Id: Ie7312ab3379fce16e5b0f83d07d46f263f774ed8
CRs-Fixed: 3710085
Currently, in the MLO T2LM API, wlan_mlo_parse_bcn_prbresp_t2lm_ie
is missing frame boundary checks, which may lead to out-of-bound
reads if the lengths are not checked by the caller.
Fix is, while parsing the T2LM IE, pass the frame length and add a
check for the frame boundary.
CRs-Fixed: 3704739
Change-Id: If3068db3489ee1c9a9da4945407598e27e3ca276
Enhance WMI command of existing peer delete and VDEV stop to
add new TLV to carry MLO params with link switch BIT set when
link switch is in progress.
Change-Id: I50b1aa48e4e2c976a56bcd3b75395eef6830e627
CRs-Fixed: 3663340
Firmware forwards certain action frames to host driver for NAN
functionality. Host driver forwards these frames to kernel.
Userspace may register for these frames on NAN interface and
receive the same.
So, filter the NAN action frames based on WFA OUI (0x50, 0x6f, 0x9a)
and NAN WFA version (0x13) and send them on NAN interface.
Add an API to check for the NAN WFA OUI + NAN WFA version.
Change-Id: I46640060299b9bff20f4b191c2c421deedf84e20
CRs-Fixed: 3694518
Currently, host driver allocates the memory for crypto keys in
PDEV. But during SSR, driver destroys PDEV and VDEV and keys are
deleted. This results in SAP starting in open mode after SSR as
the keys are not plumbed.
So, fix this issue by allocating the memory for crypto keys in
PSOC.
Change-Id: Ie97d94b340df9abb258da703286ce16e62a44253
CRs-Fixed: 3663797
During CSA, the wlan_reg_get_bonded_channel_state_for_pwrmode function
returning an invalid channel state for a legacy connection leads to
CSA failure.
This function wlan_reg_get_bonded_channel_state_for_pwrmode
is under the 11BE feature flag macro, so for the non-MLO case it
returns invalid.
To handle this issue in legacy connection, remove the 11BE feature
flag for the wlan_reg_get_bonded_channel_state_for_pwrmode function.
Change-Id: I905cd84b6af1b91c6c4bf9b1cbaf6e2562dc62e2
CRs-Fixed: 3724006
This change is to update link state status in case
of WMI_MLO_LINK_STATE_SWITCH_EVENTID event.
Change-Id: Ia95c072aa9b2ccb64ca8a6b137d1f75bb6f87003
CRs-Fixed: 3721397
As per the new requirement, the host should send proper values
for the get_channel request from the upper layer for the standby link.
The upper layer can use this information to fetch CU values
for the standby link and print them on the console.
Change-Id: I045b8c5a3035f96e55281bd31d3e0b8043df4cb7
CRs-Fixed: 3719534
While parsing the ESP IE from a beacon/probe response frame,
the condition in the loop to copy ESP_INFO from the ESP IE is
incorrect, which will iterate 5 times rather than 4 times;
this may cause OOB access.
data < ((uint8_t *)esp_ie + esp_ie->esp_len + 3)
Here 3 is added to esp_ie->esp_len; actually esp_len itself is
1 byte extra (esp_len = ESP_ID_EXTN + ESP_INFO * 4),
but adding 3 again will loop for one more iteration, and
this will cause OOB access.
Remove 3 in the loop condition to avoid one more extra iteration,
and ignore the ESP_ID_EXTN element for total elements, in function
util_scan_update_esp_data.
Change-Id: Ia9226e483672369af36c6914e3ac914fe9de45e5
CRs-Fixed: 3710081
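The corrected loop bound, as an added example rather than the driver's util_scan_update_esp_data: the element end is computed once from esp_len and each ESP Information field is copied only if it fits before that end, and a second function reproduces the iteration count of the original "+ 3" bound arithmetically to show the fifth pass. The 3-byte field size and the constructed sample element are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ELEMID_EXTN   255  /* Element ID Extension element */
#define EXTN_ID_ESP   11   /* ESP element ID extension (802.11ax) */
#define ESP_INFO_LEN  3    /* one ESP Information field, assumed 3 bytes */
#define ESP_MAX_AC    4

/* AC/format/BA-window byte, estimated air time fraction, PPDU duration target */
struct esp_info { uint8_t ac_format_bawin, air_time_fraction, ppdu_duration; };

/* Copies at most ESP_MAX_AC complete ESP Information fields from the
 * element at ie (its Element ID byte) into out and returns how many
 * were copied, or -1 if the element is not ESP or runs past buf_end.
 * esp_len counts the Element ID Extension byte plus the info fields,
 * so the element ends at ie + 2 + esp_len; a field is copied only if
 * all ESP_INFO_LEN bytes of it lie before that point. */
int esp_copy_info(const uint8_t *ie, const uint8_t *buf_end,
                  struct esp_info *out)
{
    if (buf_end - ie < 3 || ie[0] != ELEMID_EXTN || ie[2] != EXTN_ID_ESP)
        return -1;
    size_t esp_len = ie[1];
    if (esp_len < 1 || (size_t)(buf_end - ie) < esp_len + 2)
        return -1;                         /* element truncated by the frame */
    const uint8_t *end = ie + 2 + esp_len; /* one past the element */
    const uint8_t *data = ie + 3;          /* first ESP Information field */
    int n = 0;
    /* Bound is the element end, not ie + esp_len + 3: that extra byte
     * admits a fifth iteration for a 4-AC element (esp_len = 13). */
    while (n < ESP_MAX_AC && (size_t)(end - data) >= ESP_INFO_LEN) {
        memcpy(&out[n], data, ESP_INFO_LEN);
        data += ESP_INFO_LEN;
        n++;
    }
    return n;
}

/* Iteration count of the original bound data < ie + esp_len + 3 for
 * a given esp_len, computed on offsets only (no memory is touched). */
int esp_iterations_with_plus3(unsigned esp_len)
{
    int n = 0;
    for (unsigned off = 3; off < esp_len + 3; off += ESP_INFO_LEN)
        n++;
    return n;
}

static struct esp_info esp_out[ESP_MAX_AC];  /* destination for the sample */
/* Constructed 4-AC ESP element: esp_len = 1 + 3 * 4 = 13, 15 bytes total. */
static const uint8_t esp_sample[] = {
    ELEMID_EXTN, 13, EXTN_ID_ESP,
    0x00, 0x10, 0x20,  0x01, 0x11, 0x21,  0x02, 0x12, 0x22,  0x03, 0x13, 0x23,
};
```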
After a legacy STA connected to 1 link of an MLO AP as 11ax and an MLO
STA connects to the same MLO AP, the 1-link connect will fail because the
BSS peer exists, the TX queue will be disabled, and other links can't be
used at all.
To fix it, when the MLO STA selects candidate AP links, if a peer with
the BSS link address exists, disable the link.
Change-Id: Ib7e2f4cd43c8190c5e5fd0bb7786df41b022f518
CRs-Fixed: 3715997
Remove unused argument in mlo_send_link_connect() and
fetch MLD address from connect response to fill in
partner link connect request.
Change-Id: Iad6089c39d14115774cf1456341965cad8c0110d
CRs-Fixed: 3714999
Profile count information is not sent to firmware
when the DUT is associated to the TX BSS.
Populate the profile count for the TX BSS profile.
CRs-Fixed: 3633267
Change-Id: I08a13fe785dbbf66f7ec3394d7aa72f685438619
Issue:
TA of the MBSSID basic trigger always shows up as
00:00:00:00:00:00 when the STA is connected to a non-TX
VAP, due to which peers are not responding to the
basic trigger frames and getting more response
timeouts. This results in a dip in the throughput
(due to excessive retries).
Fix:
In AP solutions, it is expected that the non-trans
bssid could be 00:00:00:00:00:00 during vdev MLME
up operation. Hence, updating the vdev up params
(trans bssid, profile index, profile number) should
not be dependent on a valid non-trans bssid.
This condition is valid for the STA solution, hence added
an opmode check specific for AP.
Change-Id: I766182c6dd0aba93d861800146eb44d3e3f6a706
CRs-Fixed: 3669310
When the MLO partner link and assoc link are on the same frequency, F/W
will assert.
To fix it, don't allow a partner link on the same frequency as the assoc link.
Change-Id: I01338dbbc0845e6f6284e4a374f5ad0a5cada334
CRs-Fixed: 3706613
FW sends "Center Frequency Index" as the new center frequency
via the MLO STA standby CSA event WMI_CSA_HANDLING_EVENTID.
Currently the host uses the value of Center Frequency Index (CFI)
directly to update the center frequency for all links in the
"mlo_link_info" structure. Due to this the host maintains a
wrong value of center frequency throughout the connection,
which leads to failure in calculation of the bonded channel
in case of a 6 GHz and 320 MHz connection.
Fix is to update the center frequency in the "mlo_link_info"
structure for all required link(s) as per the CFI coming via the
MLO STA standby CSA event.
Change-Id: Iea04fb9b1c1c9b0dbd0be3647173708c47ea74be
CRs-Fixed: 3702255
Currently for any assoc failure the number of links part of the
association is reduced and retried with less number of partner links.
If the failure is due to "Association request rejected temporarily,
try again later" retry to the same with the same number
of partner links instead of downgrading the links.
Change-Id: Id2b50469a5265b0151c000b3bcead2db361ad152
CRs-Fixed: 3708221
While parsing probe response and assoc response frames,
timestamp data is copied to a buffer variable without validating
the frame length. If the received frame length is less than the max
size of the timestamp, this will lead to an out-of-bound access.
Add a frame length check against the max size of the timestamp before
copying from the received frame in util_gen_link_reqrsp_cmn.
Change-Id: I055ccc84d334316ecd772e19371d315274373c04
CRs-Fixed: 3699954
Currently, the host driver is updating the partner BSSID to the kernel
based on the number of links. In some cases the number of links may be
zero, leading to not updating the partner link BSSID to the kernel.
This change is to eliminate the number-of-links check for updating the
partner link BSSID to the kernel.
Change-Id: I2e2704aeaea0db41c4d82792808cc8765290cc7c
CRs-Fixed: 3707662
Currently, while generating the non-TX VAP scan entry from the
TX VAP beacon or probe response MBSSID IE, the driver copies
the ML IE from both the MBSSID and the main frame, which leads to 2 ML IEs
in the TX VAP frame.
Fix is, add a proper check to copy the non-TX VAP ML IE from the
MBSSID IE.
CRs-Fixed: 3708786
Change-Id: I93f2552fe8a0080ffc871b39b164fadd86df8ff0