Commit graph

20520 Commits

Author SHA1 Message Date
Amit Mehta
4d9cda5abb qcacmn: Fix invalid osif_vdev issue
Currently as part of TDLS connection if TDLS connection is formed
on secondary vdev, osif_vdev of secondary vdev is updated with
osif_vdev of primary vdev.
Due to osif_vdev update, during vdev delete 1st vdev will call
API to free osif_vdev. When 2nd vdev try to access the osif_vdev
it will result in invalid pointer access.

As current change was done to handle case where osif_vdev
for MLO connection used to point to 2 different interfaces
and where secondary interface used to point to NULL/dummy netdev.
As per latest change osif_vdev will point to per vdev dp_link
which for MLO connection will have single interface. So osif_vdev
update is not required anymore.

So, to fix invalid/stale pointer issue remove osif_vdev update for
TDLS connection.

CRs-Fixed: 3814466
Change-Id: Icac13d88411ca572c9d5823a6bd2d3d5b1ba632f
2024-05-24 00:18:04 -07:00
Ananya Gupta
00e159df45 qcacmn: Retrieve monitor flags params from dp_soc
Include CDP_MONITOR_FLAG to get monitor mode flags from
SOC structure.

Change-Id: I67992abcbb64e4f24cf42c57557d501330d3c3f2
CRs-Fixed: 3809485
2024-05-21 09:32:39 -07:00
Vinod Kumar Pirla
572ebb7dca qcacmn: Force disconnect on VDEV repurpose failure
Initiate disconnect if VDEV repurpose fails for any reason
and the VDEV moves to disconnected state (not connected).

Change-Id: Ie6421f2430fc109b4f10c22f98c3dbf3909bb103
CRs-Fixed: 3797171
2024-05-20 00:41:10 -07:00
Yeshwanth Sriram Guntuka
1051fdbb29 qcacmn: Update first_msdu_payload once per status nbuf
first_msdu_payload is updated for every WIFIRX_HEADER_E
TLV received in the status nbuf and this could result
in incorrect offset into the nbuf for the first MSDU
if the PPDU has multiple MPDUs. Also, the size variable
used is 8 bit for the calculation of offset into the nbuf
for the frame which could result in possible overflow.

Fix is to update first_msdu_payload only for the first
WIFIRX_HEADER_E TLV entry for a PPDU and increase the
width of size variable to avoid possible integer overflow.

Change-Id: Ic12cb11328fc1414bd7a68fa941fa0ef764c8b1f
CRs-Fixed: 3788496
2024-05-20 00:40:46 -07:00
Deeksha Gupta
a341ed26d8 qcacmn: Move wlan_mlo_t2lm_register_link_update_notify_handler() under WIN
Register TTLM notify API()
wlan_mlo_t2lm_register_link_update_notify_handler()
only for WIN.
For MCC, call wlan_register_t2lm_link_update_notify_handler()
to register the MCC handlers to receive link update
notification.

CRs-Fixed: 3764848
Change-Id: Iadf06a0879213d84753f2114b6c5fd4cfa1b8618
2024-05-17 00:18:00 -07:00
Chaithanya Garrepalli
7e67cbbf58 qcacmn: Fix null pointer de-ref in LT replenish
In dp_rx_buffers_lt_replenish_simple pass desc_list
and tail pointers correctly to dp_rx_buffers_replenish
to avoid NULL pointer dereference of desc_list.

Change-Id: Ic94c93ddf7ef6343afafc78a70d5634c70fa8bc4
CRs-Fixed: 3665302
2024-05-16 06:45:43 -07:00
Abhinav Kumar
67fa3a718c qcacmn: Support single PMK feature for AKM SAE_EXT_KEY
If host finds all below conditions are true:
1. Connected AP sends CCX IE in beacon/probe response
2. single PMK feature enabled via ini
   "sae_single_pmk_feature_enabled"
3. And current connection is SAE with AKM type
   WLAN_CRYPTO_KEY_MGMT_SAE_EXT_KEY or
   WLAN_CRYPTO_KEY_MGMT_SAE

Then host should mark connected AP supports
"single PMK feature" and update same to FW via RSO
command.

Change-Id: I696da4d2ca929e72ee5cff087a1411b492b03ce3
CRs-Fixed: 3803070
2024-05-15 00:46:27 -07:00
Yu Tian
349b952c45 qcacmn: Add MSDU length for the first RX fragment buffer
When a fragment buffer is received in REO2SW, the MSDU length is only valid
in the last fragment, so copy that value to the first fragment
for the following processing.

Change-Id: Ib3fbc07b11662fc161402befbb8396519fcebd33
CRs-Fixed: 3790059
2024-05-14 19:36:53 -07:00
Balaji Pothunoori
16c7f39e21 qcacmn: initialize structure parameters before use
Currently bool values are not initialized, which results
in unexpected values for bool variables.
Hence this change is to initialize structure to NULL
before use.

Change-Id: I096ca0d3cb86083c2f57abaa429535ff76154fbd
CRs-Fixed: 3800969
2024-05-14 05:05:49 -07:00
Surya Prakash Sivaraj
836d95ed6f qcacmn: Allow firmware to auto detect tx bssid
In the case of 5 GHz + non-tx 6 GHz MLO connection, the scan entry
generated from the ML-probe might not carry MBSSID information of the
non-tx partner. The RNR of the assoc link will also not be inherited.
Therefore, the mbssid info is not generated for this non-tx 6 GHz scan
entry. In such cases, if there is a vdev restart, host driver sends zero
mac address in trans bssid, leading to issues with connection.

To fix this:
1. Look up the RNR db for the 6 GHz link, and determine if the bss param
corresponding to the bssid is non-tx MBSSID.
2. If it is a non-tx MBSSID and there is no mbssid info in the scan cache,
then configure the tx-bssid as broadcast mac.
3. This allows the firmware to auto-detect the tx bssid from the upcoming
beacons.
4. Also, save the neighbor entries from the beacon/probes received from
the firmware during roam sync and other events to facilitate the look-up.
5. If there is no existing entry for the roamed non-tx link, then caching
the neighbor info from the assoc partner link would store the valid entry
into the rnr db.

Change-Id: I2c16ed1428b578efaeed98daca08b722b0d40a05
CRs-Fixed: 3784879
2024-05-14 00:37:03 -07:00
Sheenam Monga
5daee8fcbe qcacmn: Add length checks for noninheritance_ie
In util_scan_find_noninheritance_ie API,
ies[ELEM_ID_EXTN_POS] may lead to OOB access if
len==MIN_IE_LEN.

util_parse_noninheritance_list may lead to OOB
read access extn_elem[ELEM_ID_LIST_LEN_POS]

Fix is to add length checks and add sub_copy and length
subie_len checks before accessing extn_elem to avoid any
OOB read.

Change-Id: I7758c6e4d8d568a5050011603b48a23e0b11da94
CRs-Fixed: 3717569
2024-05-07 03:17:23 -07:00
Vinod Kumar Pirla
46b43b40f2 qcacmn: Move peer transition history under MLO_ADV flag
Move the peer transition history infra under
WLAN_FEATURE_11BE_MLO_ADV_FEATURE flag to enable the changes
by default

Change-Id: I8b0e07fb045b1e383af4b4144e31e8b709a8c83d
CRs-Fixed: 3802485
2024-05-06 00:55:57 -07:00
Pragaspathi Thilagaraj
6680ed52fb qcacmn: Update scan mlme BSS info after roaming
After roaming update scan mlme bss info and update AP
channel info MLO mgr API are not called. This causes the
wrong channel width to be updated in the get_channel
command leading to disconnect.

Update standby link vdev scan entry state after roaming and
refactor the scan mlme info updation logic in a new API.

CRs-Fixed: 3753587
Change-Id: I5bcd4c807f6e23b5d604eec1158c21ccb4f29b58
2024-05-05 23:18:26 -07:00
Krupali Dhanvijay
cee6125a6d qcacmn: Fix OOB reads in util_gen_new_ie
In util_gen_new_ie, there are several possible out-of-bound reads
with invalid information elements such as improper/missing check when
updating tmp_old, missing check prior to starting while loop and missing
length check.

To fix these OOB issues add and improve length checks in util_gen_new_ie.

Change-Id: I39b9cd82ab6a7bd1a4c8d7cd5039a998a290b85f
CRs-Fixed: 3717568
2024-05-03 01:36:17 -07:00
Ruben Columbus
69cd6cf948 qcacmn: check for rx_user_status
Add a condition to check for rx_user_status to see
if it's NULL or not. In 2.0 platforms it always comes as valid;
for 1.0 platforms it could vary.
In case rx_user_status is NULL, then use rx_status instead.
When rx_user_status is valid, then 'or' both values.

Change-Id: I9e87d3b3592741a24ef2ef229bf7d4cdbdb871a3
CRs-Fixed: 3755942
2024-05-02 22:58:01 -07:00
Ruben Columbus
6813cbfead qcacmn: add MU Sniffer compatibility
Add missing values for rx_status and rx_user_status.
Values are for both HE and EHT data as well as usig.

CRs-Fixed: 3734450
Change-Id: I1bfd1a3021e11c4b5f2c07f324273bb778bf5c0f
2024-05-02 22:57:49 -07:00
Vinod Kumar Pirla
70ef35de9d qcacmn: Fix MLO mgr notify miss on VDEV repurpose completion
MLO manager will change the VDEV MLO flags on start of VDEV repurpose
and need to reset the flags on end of VDEV repurpose. Currently MLO
manager callback is not called after end of VDEV repurpose and flags
are not reset.

Always call MLO manager to reset the flags on VDEV repurpose completion.

Change-Id: Ie2d323888a01e4f19c439619b5ed267e43f0ce0c
CRs-Fixed: 3798911
2024-04-30 22:17:44 -07:00
Karthik Kantamneni
332fc3b9eb qcacmn: Fix out of sync OOM work counter
Currently OOM work counter is incremented when schedule_work
is called and counter is decremented when work is scheduled.
But there is possibility of OOM schedule_work is getting called
from tasklet context and worker thread context and resulting
only one time work execution but active work counter being
incremented twice. This scenario may result in OOM work going
out of sync and preventing suspend usecase.

Avoid this by incrementing the OOM active work count only when
work is getting added to global work queue and corresponding count
will be decremented when work handler gets executed.

Change-Id: Ie02d5b9c821327337a1b822c81c51878af522832
CRs-Fixed: 3787873
2024-04-30 22:17:27 -07:00
Yeshwanth Sriram Guntuka
410a2ae521 qcacmn: Use addr1 for RA in TXMON generated ACK frame
ACK frame captured via TXMON as part of LPC has incorrect
RA field populated using addr2 from TLVs. This is resulting
in the TX ACK frame to be misinterpreted as RX ACK frame.

Fix is to use addr1 from TLVs to populate RA for TX ACK
frames.

Change-Id: I23022c5cbabafc7025abef9ef2e9e2370750dad7
CRs-Fixed: 3787647
2024-04-30 11:36:37 -07:00
Asutosh Mohapatra
724452ba70 qcacmn: Add vendor attribute to configure custom STA keep-alive interval
Introduce an attribute QCA_WLAN_VENDOR_ATTR_CONFIG_KEEP_ALIVE_INTERVAL
in QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION to configure
station's keep-alive interval to the driver/firmware. This can be used
to resolve kickout issues from APs which kick out STAs before the BSS
maximum idle period expires.

Change-Id: I80c743d5a10b559a2ec027a1098ff55fc450007b
CRs-Fixed: 3795409
2024-04-29 06:48:37 -07:00
Manikanta Pubbisetty
6b801c30d6 qcacmn: Reduce CE history size for perf builds
Currently, CE history captures 1024 events. Addition of CE-1 events
to the CE history increased the memory requirement on perf builds by
56KB. Reducing CE history size to 768 will offset the memory
increase and also captures sufficient logs for issue debugging.

Change-Id: I411d8ba7422d0039ad7e2ab01c159c36aa68dc41
CRs-Fixed: 3781894
2024-04-29 05:48:14 -07:00
Vinod Kumar Pirla
054c286289 qcacmn: First set CM state before handling event action
VDEV repurpose is in progress when NB disconnect is received.
Driver will change the state of CM to IDLE_DUE_TO_LINK_SWITCH
on disconnect complete due to VDEV repurpose. When the NB disconnect
gets active, instead of dropping the disconnect, queues a new
disconnect to do necessary cleanup and notify kernel if it is on
assoc VDEV. Here before VDEV repurpose disconnect moves the CM-SM
to IDLE_DUE_TO_LINK_SWITCH, the NB disconnect command gets active
and drops the disconnect request and finally the CM-SM moves to
IDLE_DUE_TO_LINK_SWITCH.

Supplicant sends new connect request and driver while handling this
sees the CM state as IDLE_DUE_TO_LINK_SWITCH and moves the SM to
connected to force trigger disconnect and later handle the connect.
This forced disconnect has cleared the VDEV-MLO flag on disconnect
complete but by the time peer create request is filled, this MLO-VDEV
flag is set so ML peer is created but during VDEV start MLO flag is not
set, so FW assertion failed while sending peer assoc indication with
MLO flag set.

Issue unfolds when handling NB disconnect where the state of
CM is not set to IDLE_DUE_TO_LINK_SWITCH. So first set the CM-SM
before calling the disconnect complete handler.

Change-Id: Ieed1a1ace8ca18670c51d177d172243fc754b617
CRs-Fixed: 3784659
2024-04-25 11:17:40 -07:00
Krupali Dhanvijay
3c9097cd58 qcacmn: Add cinfo length check to fix heap buffer overflow issue
Add proper cinfo length check to fix heap buffer overflow issue
while generating link specific (re)association request/response,
as well as in the API for getting per-STA partner link information.

Change-Id: Ida561790bb745d6861a3a07b9db09b5b24443a6a
CRs-Fixed: 3699767
2024-04-24 15:33:47 -07:00
Aditya Kodukula
d4e00677a3 qcacmn: Add support for size 1 flexible length arrays
Convert size 1 variable length arrays to flexible
length arrays.

Change-Id: Iad84a006a2445465432252109874c479291f27fe
CRs-Fixed: 3690244
2024-04-24 01:38:01 -07:00
Jianmin Zhu
0ec12ea328 qcacmn: Fix scan entry double free issue
If last scan_cache_node in scan list is removed as dup candidate, its
next becomes itself. qdf_list_peek_next return failed, so next_node isn't
updated, keeps as old freed scan_cache_node, and assign to cur_node for
next loop, next_node becomes same as cur_node, so the node will be
treated as dup candidate, double free will happen.

To fix it, if qdf_list_peek_next return failed, means no more next node,
break loop.

Change-Id: I6451437d6d025375ec5de2fa3e4651d967cd94b9
CRs-Fixed: 3785453
2024-04-24 01:37:43 -07:00
Liangwei Dong
f8075fb083 qcacmn: Fix All vdev up check in mlo link switch mgr
Correct All vdev up check by API mlo_check_if_all_vdev_up

Change-Id: Ieaab78ccf57b908a1c1535a3959b20148165e927
CRs-Fixed: 3792845
2024-04-24 00:37:22 -07:00
Vinod Kumar Pirla
5834a1af6b qcacmn: Allow VDEV repurpose only if all VDEVs are up
The non-transitioning VDEV in link switch might not be
in connected state (processing of NB disconnect on another
thread). Not checking VDEV state of non-transitioning VDEV
can lead to not handling error status where VDEV repurpose
shall be rejected.

Iterate all the connected VDEVs in the MLO dev context at
the start of VDEV repurpose.

Change-Id: I092780564715f22f1c75e042f86ea0ad37b04ba6
CRs-Fixed: 3743757
2024-04-24 00:37:05 -07:00
Rachit Kankane
8c32a7a5e6 qcacmn: Enable Chipset Stats in FW
Send WMI_PDEV_PARAM_ENABLE_CHIPSET_LOGGING to enable chipset
stats logging in FW based on INI and new service bit
WMI_SERVICE_CHIPSET_LOGGING_SUPPORT.

Change-Id: I29918ac80b10c1c38af1140ac36f92ea91318040
CRs-Fixed: 3786401
2024-04-23 07:53:37 -07:00
Rachit Kankane
7a5d5ec780 qcacmn: Add QDF support for QMI Indications
Add APIs in QDF to allow QMI Indications to be handled. This will be done
by registering callbacks to QMI Indications.

Change-Id: Ic01d0f0f7e87a2cf77fbba25a1a7b1606b3d42de
CRs-Fixed: 3786369
2024-04-23 07:53:19 -07:00
Rachit Kankane
168a9c55df qcacmn: Add INI config for CP Stats component
Add new CFG file for CP stats where we can define INIs for component
CP Stats.
Add INI to enable / disable chipset stats logging feature in CP
Stats config file.

Change-Id: I56154127d2f74ec423891653419d93c3ee0c3c5c
CRs-Fixed: 3785789
2024-04-23 07:53:04 -07:00
Nirav Shah
6d412727f1 qcacmn: Add chipset stats for EAPOL/DHCP packets
Add chipset stats for EAPOL/DHCP packets.

Change-Id: Icaabd64a84f57b7a556cb7c463fc19cfe0780a2b
CRs-Fixed: 3783005
2024-04-23 07:52:47 -07:00
Prasanna JS
ae5253bcd4 qcacmn: Add chipset stats for STA connect/disconnect event
Add chipset stats for STA connect/disconnect event

Change-Id: I28ea3fa265d27162b8a381b0c1d39093694b1cc7
CRs-Fixed: 3782996
2024-04-23 07:52:30 -07:00
Prasanna JS
2564504301 qcacmn: Add chipset stats event id's and common header
Add chipset stats event id's and common header

Change-Id: I53485f66646a040c2abb14ad3e5389f8c2be6baf
CRs-Fixed: 3782943
2024-04-23 07:52:08 -07:00
Prasanna JS
6559d10b18 qcacmn: Add API to flush chipset stats to middleware
Add API to flush chipset stats to middleware when user
requests the ring data

Change-Id: I8cdaca506afa729cca1d42a97f073e2d6adad533
CRs-Fixed: 3782360
2024-04-23 07:51:51 -07:00
Prasanna JS
b4f5316ea8 qcacmn: Add API to write stats to chipset stats buffer
Add API to write stats to chipset stats buffer

Change-Id: Icf7de8a6925aa177443ee9f9b5b17183f36d93de
CRs-Fixed: 3782329
2024-04-23 07:51:29 -07:00
Prasanna JS
8209f7fc66 qcacmn: Add API to register cbk to send cstats to middleware
Add API to register cbk to send cstats to middleware

Change-Id: I0b73d37e42703d44b72388a3982d86150eb05ae1
CRs-Fixed: 3784974
2024-04-23 07:51:08 -07:00
Prasanna JS
67d9279244 qcacmn: Add API to init/deinit chipset stats
Add API to init/deinit chipset stats

Change-Id: I71d01c6cebabe2cf250438f4fc5423d6bc159fdf
CRs-Fixed: 3782270
2024-04-23 07:50:50 -07:00
Aman Kumar
3c208c9662 qcacmn: Enhance link state handling for active and inactive links
Previously, host drivers only updated the link state for
active links upon receiving the wmi_mlo_link_state_switch_eventid
event from the firmware. This led to all links being updated
as active after multiple link_state_switch events, as the
state for inactive links was not being updated.

This commit addresses this issue by ensuring that the link
state for both active and inactive links is updated upon
receiving the link_state_switch event from the firmware.

Change-Id: I668074b397cf6b570929459c9fe5e23ca55b75b1
CRs-Fixed: 3763361
2024-04-22 00:37:26 -07:00
Vinod Kumar Myadam
cc6e9e8d8a qcacmn: Fix un-initialize structure variable
Un-initialize structure variable causes prevent issue.

Initialize structure variable with zero in all fields of the
structure in cm_update_link_channel_info

Change-Id: Ib249bcb56b189b1529daeeb4be9f694c5a3ecae3
CRs-Fixed: 3788234
2024-04-19 08:36:58 -07:00
Jianmin Zhu
8b53a70981 qcacmn: Fix bss peer leak for link switch when LL-SAP existed
Hit following issue of link switch when LL-SAP existed.
1. Link switch was received on VDEV-1 (partner link).
   a. Link switch cmd was added to serial active queue, existing peer
      was deleted as part of link switch disconnect.
   b. Link switch connect started but got deferred due to LL-SAP Bearer
      switch transition, when WLAN_CM_SM_EV_BEARER_SWITCH_COMPLETE
      received, a new connect cmd was added to serial pending queue,
      link switch was blocked here.

2. Disconnect from userspace was received
   a. The disconnect on VDEV-1 here notified MLO-manager to terminate
      ongoing link switch.
   b. Link switch confirmation was sent to F/W as failure.
   c. link switch cmd was removed from serial active queue.

3. Connect cmd queued in #1.b was activated and moved VDEV-1 state to
connecting.
   a. New peer got created but PE session wasn't yet created.
   b. Disconnect from #2.a changed the VDEV-1 state from connecting to
      disconnecting.
   c. While processing the disconnect in #3.b, peer delete for the peer
   created in #3.a didn’t happen as disconnect didn’t proceed when pe
   session not found.

To fix it, for link switch, don't add new connect cmd to serial queue
after LL-SAP Bearer switch since link switch cmd is queued already.

1. Link switch is received on VDEV-1 (partner link).
   a. link switch cmd was added to serial active queue, existing peer
      gets deleted as part of link switch disconnect.
   b. Link switch connect starts but gets deferred due to LL-SAP Bearer
      switch transition, WLAN_CM_SM_EV_CONNECT_ACTIVE is sent after
      WLAN_CM_SM_EV_BEARER_SWITCH_COMPLETE received, bss peer create cmd
      is sent to F/W.

2. Disconnect from userspace is received when link switch unfinished.
   a. The disconnect on VDEV-1 here notified MLO-manager to terminate
      ongoing link switch.
   b. If BSS peer created, mlme_cm_bss_peer_delete_req will be called to
      delete it.
   c. Link switch confirmation is sent to F/W as failure.
   d. link switch cmd is removed from serial active queue.

Change-Id: I13ba820bd0240d062c7cd47ec0e53ae1a27d5b58
CRs-Fixed: 3752437
2024-04-19 06:27:37 -07:00
CNSS_WLAN Service
4004081535 Merge "qcacmn: Use only partner links with valid scan entry" into wlan-cmn.driver.lnx.2.0.14
2024-04-19 04:18:22 -07:00
Sheenam Monga
1111cf6224 qcacmn: Update validation before accessing neighbor_ap_info_field data
Don't fetch TBTT info if data + neighbor_ap_info_field is <=
ie + rnr_ie_len + 2 instead of < ie + rnr_ie_len + 2.
Only less than validation may lead to extra iteration and
wrong rnr data.

CRs-Fixed: 3787446
Change-Id: I9dbaa066dd09f6c9ddfb3e400d95e009313cd54d
2024-04-17 10:25:57 -07:00
Rahul Gusain
f5a0f79275 qcacmn: Fix null pointer dereference
Fix NULL pointer dereference issue for CFR private object in the
"target_if_cfr_update_global_cfg" API.

Change-Id: Ieac9df08c0e14b6c65f8d974f7f1f1220a3b8008
CRs-Fixed: 3772912
2024-04-12 00:19:43 -07:00
Vinod Kumar Pirla
e60c0128f8 qcacmn: Add API to check reg domain supports 11be
Check the max supported current regulatory domain's
phy mode equals 11be or not.

Change-Id: Ic4ba81d22d195248a7a1b25f3e7fa5b31093f4c6
CRs-Fixed: 3671851
2024-04-11 01:21:09 -07:00
Jianmin Zhu
864dae22f3 qcacmn: Disable partner link which has same mac or id with assoc link
In RNR of bad AP beacon, partner link has same link id and bssid as assoc
link of same MLD.

To fix it, disable partner link which has same mac or id as assoc link
of same MLD.

Change-Id: Ieda1807b5ed13559c847f2d39035a9acb2e4232f
CRs-Fixed: 3772848
2024-04-08 21:06:45 -07:00
Sheenam Monga
d47fccbfde qcacmn: Fix potential OOB read in util_scan_parse_rnr_ie
Currently, while parsing scan RNR IE, data is moved to
next neighbor_ap_info_field after parsing the current
neighbor_ap_info_field. But in last iteration pointer may
try to access invalid data if ((uint8_t *)ie + rnr_ie_len + 2)
bytes are less than sizeof neighbor_ap_info_field and same
is the case with tbtt_length access.

Fix is to add a length check of data + next data size to be parsed
< ((uint8_t *)ie + rnr_ie_len + 2) instead of adding a validation
of data length only.

CRs-Fixed: 3710080
Change-Id: I05e5a9a02f0f4f9bc468db894588e676f0a248c0
2024-04-07 21:07:09 -07:00
Krupali Dhanvijay
77cebf7083 qcacmn: Add check to avoid NULL pointer dereference in parse MBSSID
A malformed beacon frame may dereference the NULL pointer while
parsing MBSSID IE in util_scan_parse_mbssid, which will lead to a crash.

Add check in util_scan_parse_mbssid for split_prof_start before
passing to util_gen_new_ie and assign zero to split_prof_len
whenever split_prof_start freed to avoid unanticipated scenario.

Change-Id: Ibb9739d6b5d1775ab52d59f9aa5050ca693cd926
CRs-Fixed: 3717571
2024-04-03 16:43:31 -07:00
Pragaspathi Thilagaraj
ba7f3371ee qcacmn: Set LTF keyseed required for existing peer also
LTF keyseed required flag is set only for newly created PASN
peer. This value is filled from the security mode value received
in the PASN peer create request event from the firmware.
If PASN peer already exists, then the peer is just added to the
peer list and secure LTF keyseed required flag is not updated.
This leads to wrong sequence of commands going to firmware.

Expected sequence: Install TK -> Set LTF keyseed -> PASN Auth
STATUS.

Observed Sequence: Install TK -> PASN Auth status -> Set LTF
keyseed -> PASN Auth status.

So set the is_ltf_keyseed required flag for already existing
PASN peer also

Change-Id: If9994ad01a96bdb26ad55538a67feaed7e22892f
CRs-Fixed: 3742573
2024-03-29 15:51:58 -07:00
Surya Prakash Sivaraj
99f24676b4 qcacmn: Use only partner links with valid scan entry
If the scan entries for a non-tx profile MBSSID partner links
are not present at the time of candidate selection, then
host driver generates the scan entry for the missing partner
link from the assoc response.

The assoc response from the AP has PMKID in the RSN (some APs
do not include RSN IE in assoc resp). In this case, the RSN
along with PMKID gets inherited into the scan cache of the
missing partner and this leads to mismatch between M3 and
scan entry RSN causing disconnection.

To fix this, mark all the MBSSID partners without scan entries
as invalid links at the time of candidate shortlisting. Score
and connect to only non-tx candidates with valid scan entries.

Remove the probe response generation from assoc response logic.

Change-Id: I342519490ead2a2e91426439cf47e65c61b53aed
CRs-Fixed: 3766047
2024-03-28 23:03:01 -07:00
Vinod Kumar Pirla
3ea1cbb97c qcacmn: Introduce APIs to save peer create and destroy hist
Add new structures, enums and APIs to enhance driver support
to store peer create and destroy history in PSOC.

Add new list to MLME's PSOC object to hold entries.

Change-Id: I22b8d559e9981a93dc4891d563586dc13245aff9
CRs-Fixed: 3738897
2024-03-28 01:38:03 -07:00