The pointer to chain masks capabilities is increased, and the number
of chainmask capabilities isn't check if valid. Which will cause oob
read list of chain mask capabilities.
Change-Id: I1f11fb49d545a4f88fe4d0734968dbe17c3f1a7e
CRs-Fixed: 2347661
QCA8074 platform supports DBS(two radio) and DBS_SBS(three radio)
modes. In these cases, same WMI event ring is shared for all the
radios. Increase the WMI event ring size two absorb host delays
due to lower clock platforms. This increase is required even to
support three radios.
Change-Id: I1aa08b8fa879f6ec54c838541a0e4c4e5871b60a
CRs-Fixed: 2378193
For subchannel marking, an offset of 20 MHz was added to the
second segment center frequency value of VHT160 mode operation
to get the actual second segment center frequency.
This was not done for HE160 mode operation, which led to wrong
subchannels being added to NOL.
Add 20 MHz frequency offset to the center frequency for HE160 opmode.
Change-Id: I7c076be220c70c18b60ed68c1ce99068924d41bf
CRs-Fixed: 2378075
When WMI_SERVICE_READY_EXT_EVENT is received from firmware, the
function extract_hw_mode_cap_service_ready_ext_tlv is called to
update the soc caps and other capabilities to the host. hw_caps
is extracted directly from the param_buf value received from the
firmware and hw_caps->num_hw_modes is used to traverse
through the hw_mode_caps and update the values to it from the
param_buf->hw_mode_caps, need validate hw_caps->num_hw_modes and
param_buf->hw_mode_caps before use them.
Change-Id: I459f0afce7701ddf1d041912e3406643d27a7f9c
CRs-Fixed: 2336910
mpdu length is calculated wrongly in one corner case
resulting in wrongly identifying the last nbuf of the
mpdu, fixed it by properly adjusting the length.
CRs-Fixed: 2368608
Change-Id: Ia7bd3247eb05f2eb4b5de1c65e7190c798128792
The aim is to remove CONFIG_MCL or CONFIG_WIN from
cmn component.
This change takes care host_diag_log_set_code and
host_diag_log_set_length.
CRs-Fixed: 2371125
Change-Id: Ic04037202d79f87003a47ac2d698bc4e7752ee12
Define QCA vendor command attributes to configure HE +HTC support and
HE operating mode control transmission.
Change-Id: I6249a23ab0d0b9a82210c749dfd6bd53fb697c51
CRs-Fixed: 2377769
Due to unknown legacy reason, the rates received by the driver from the
firmware are currently divided by 500 to convert it into units of
500kbps. This division by 500 is later compensated by a multiplication
with 5 to maintain units of 100kbps before being sent to the upper
layer. This division and then subsequent multiplication results in the
loss of precision (in the case the rate is not divisible by 5).
Consequently, the rate being sent to the upper layer becomes inaccurate.
Also the calculation of the MCS rate flags is affected.
Do not carry out the unnecessary division and multiplication by 5.
Instead just convert the rates into units of 100kbps (which is as
mandated by the kernel) when driver receives the rate from the firmware.
Change-Id: Iab7b825f4067ad51174a0c545cf4a7d0ab426171
CRs-Fixed: 2378167
When regulatory offload is enabled, firmware sends 11d new country code
event. Now, to get master channel list for this new country send
SET_CURRENT_COUNTRY command to firmware.
Change-Id: Iac4d38ed488984ad2b3739ec8052813b7cc945c1
CRs-Fixed: 2367335
In the call to QDF_TRACE_HEX_DUMP in extract_ndp_ind_tlv(),
the buffer, event->ndp_cfg is dereferenced an additional time
and then read the length number of bytes in hex_dump_to_buffer,
resulting in an OOB read.
As WMI logging is already enabled, remove the hex dump.
Change-Id: I1ebe2469a6bb2baefc76980405d97700c1c57b5c
CRs-Fixed: 2336856
Currently the driver includes all the DFS channels as part of scan
in the scan list, and thus not exclude the DFS channels in the first
scan for faster scan.
Fix is to check the ini, for first DFS channel scan, and then remove
the DFS channels from the scan list if the ini is enabled.
Change-Id: I43d5c87676d4e66706da3cc0029c60559b70d179
CRs-Fixed: 2378805
Array mcs_count is of size 13 and the
macro MCS_MAX is 13
mcs_count array should be access only
till 12, hence change the comparison
from <= MCS_MAX to < MCS_MAX
Change-Id: Ieab9a8d1f2a06ff31fa79a062bfcbf96f298f0a1
The rx_pending flag is never set to 0 if the check for
TARGET_REGISTER_ACCESS_ALLOWED(scn) is failed when target is
not reachable. Since, the rx_pending flag is not set to 0,
ce_check_rx_pending(CE_state) check inside ce_tasklet() will
be true and tasklet gets rescheduled again and again.
Reset the rx_pending flag before TARGET_REGISTER_ACCESS_ALLOWED(scn)
check in ce_per_engine_service() to avoid continuous scheduling of
tasklet when check for TARGET_REGISTER_ACCESS_ALLOWED(scn) fails.
Change-Id: Ib9268e6cf2bdcd0ed0bf84934e9370bcef1cdbab
CRs-Fixed: 2375307
There are other places where txLookupQueue is protected
with htc_lock instead of lookup_queue_lock.
Change-Id: I91497ce4593a14033871d3e8c3a97deab222d365
For non-NSS platform, update no of rx packets being
sent from wifi driver to network stack in case of
vow traffic.
Change-Id: If16a5b9c37a16374d4217369b1f02360c62155a9
CRs-Fixed: 2371429
If two threads T1 and T2 are trying to stop the serialization timer,
both can get the timer while holding lock. Timer cmd pointer is set
to NULL after releasing lock.
Now if a third thread T3 is trying to start the timer at same time,
it may get the timer as soon as T1 make cmd NULL and adds its cmd
pointer to the timer in the list.
But T2, which was also trying to stop the timer can stop the timer
and set cmd back to NULL again. Thus T3 will not have the timer in
the timer list.
Now when driver try to abort/flush the command it will not find the
timer and In case timer is not found the command is not freed, leading
to vdev ref leak.
To fix this stop and update the timer while holding lock.
Change-Id: I363a4d36181328be310c7c980c981302501a9453
CRs-Fixed: 2376733
In wlan_cfg80211_scan the number of ssid, ssid length and number of
channels are not checked for max size of array and thus can lead to
Out of bound access of memories.
Fix is to add bound check before copying the params.
Change-Id: Ie6d4e546fb9c884d5988493b611ef7b217f0a95c
CRs-Fixed: 2375217
In extract_hal_reg_cap_tlv(), hal_reg_capabilities
can be optionally defined. This field can be NULL
resulting in a NULL pointer read. Add NULL pointer
check before qdf_memory_call().
Change-Id: I142bed65e80aa9b4bb88a4e68f74235dd50e3624
CRs-Fixed: 2368284
Initialize drop_bcn_on_chan_mismatch from INI
(CFG_DROP_BCN_ON_CHANNEL_MISMATCH) default value
Change-Id: I55c28aa5656ce6befe9cd3477ab0b14c99641cea
CRs-Fixed: 2375199
Currently, beacon or probe responses are dropped by the scan module
if the rates IE does not present. But, some AP's in 11n mode does not
add the rates IE.
So, it is not mandatory to have the rates IE in the beacon or probe
response.
Change-Id: Id57b2216c012d117cca1a3a2dbce9825d58b67c3
CRs-Fixed: 2376710
Per the Linux coding style both mixed-case names and so-called
Hungarian notation are frowned upon, so rename local variable
ptspecIE in send_set_ric_req_cmd_tlv() to align with the coding
style.
Note that there are other instances of mixed-case names in this
function, but these are global in scope and will need to be cleaned up
in a global effort.
Change-Id: I10780e2f751d1a1ed8f14a5ee4890794f498ec0b
CRs-Fixed: 2374719
Logs of the Spectral WMI interaction prints are under
OL_SPECTRAL_DEBUG_CONFIG_INTERACTIONS macro and is disabled by default.
As the WMI logs are already controllable at runtime from qdf_cv_lvl,
there is no need for OL_SPECTRAL_DEBUG_CONFIG_INTERACTIONS anymore.
Change-Id: I3b89192de4deb420d853631064c20add894fb1e3
CRs-Fixed: 2369846
When unit test command "iwpriv wlan0 wlan_suspend 0 0" is issued on
SAP-DUT (given that one REF-STA is connected), FW would go in WOW-D0
state. In this state, when HW receives the pkt from peer (REF-STA), it
generates MSI (REO-interrupt) and host process this pkt but it doesn't
wake-up the FW. Due to this situation, no TX is happening on SAP after
issueing wlan_suspend command.
This situation only happens when iwpriv command issued as this command
would be fool the FW by notifying that APSS is in power-down state but
actually it is not in active state. When APSS is really in power-down
state then up-on receiption of any RX pkt would wake-up the APSS and
this waking-up process would wake-up FW as well.
Fix this situation by sending explicit FW wake-up event.
CRs-Fixed: 2325860
Change-Id: I18937e5c568c742f838cdf3f815c2184a916283c
Rearrange the debug prints in the wmi path
so that valid information gets printed.
CRs-Fixed: 2368173
Change-Id: I8900eda444c9d1dee69f5c1e30662022580d2a7b
Splitting the wds srcport learn function to add:
1. A wrapper function where host extracts the required fields from
nbuf cb and rx_tlv header.
2. A common function which can be called from both host path
as well as offload path.
Change-Id: I2f2c0580c049f48395a3e0a265e3fb5d8aed6774
Add cdp api to check if tx desc pool available descriptor
threshold has reached.
Change-Id: Ie542d03dd865d32aa6e01da00328aa51728b4276
CRs-Fixed: 2369218
In function qdf_trace_msg_cmn va_end is called without va_start.
This can lead to delay in driver logging.
Change-Id: I9d2c9893037f5836cf902e6e311a0a521b8389e0
CRs-Fixed: 2373637
The last_ack_rssi value is made to get updated with the
correct value and the code fragment to reset it to 0 has
been removed.
Change-Id: I87f9ca788c92ae6ffc05b10faeb82e03024050ce
According to the ucode and mac team, the new TB-PPDU (UL OFDMA
Dat frame) from any other users using the TLV's fields below:
* PHYRX_RSSI_LEGACY (has a reception type field that is
set to UL-MU)
* PHYRX_RSSI_HT
* PHYRX_COMMON_USER_INFO (has a reception type field that is
set to UL-MU)
* PHYRX_USER_INFO (has more detailed modulation info)
* PHYRX_USER_INFO (Could be more than one)
...
* PHYRX_DATA
* PHYRX_DATA (Could be more than one)
CRs-Fixed: 2329959
Change-Id: Ib5fa1734a5525d2b2d1db8756166f259be30b9c0
Current driver doesn't check for any TX pending flag before doing
bus suspend.
Add a logic which is similar to existing helium platform.
Change-Id: I49d078c3b86fc0d9659fbbc2f3c1a604a79a9dff
CRs-Fixed: 2360189
Driver first try to find peer for beacon frames with addr2,
and if no peer is found it loop through peer list 2nd time
for addr1. For beacon addr1 is broadcast address and thus
peer will never be found with broadcast address.
Thus use addr1 to find peer only if addr1 is not broadcast
address.
Change-Id: I7e5c221ec7f93f878981f4eafb69935aafd64174
CRs-Fixed: 2373793
Validate num_mem_reqs should be less than TLV size in
extract_host_mem_req_tlv() function.
Change-Id: I88ebfc4bfe3abb9b0926990f5f777fc0d62e1fc1
CRs-Fixed: 2347667
Packetdump invokes legacy data path API directly without
considering underlying HW:
1. ol_register_packetdump_callback
2. ol_deregister_packetdump_callback
Global pointer pdev_txrx_ctx will be casted to struct ol_txrx_pdev_t
always even Lithium (use struct dp_pdev) underlying, that leads to
struct dp_pdev be overwritten unexpectly.
Wrap with cdp API to avoid.
About packet-dump feature:
It is one debug feature/requirement for Android N, to track/dump
TX/RX data/mgmt. packets during connection. This enhancement can help
in debugging connection related issues.
This change only touches its data packet callback register API.
Change-Id: Ie63fd2dfa909f89741ccf0c5131f6d3305093a3e
CRs-Fixed: 2366334
Packetdump invokes legacy data path API directly without
considering underlying HW:
1. ol_register_packetdump_callback
2. ol_deregister_packetdump_callback
Global pointer pdev_txrx_ctx will be casted to struct ol_txrx_pdev_t
always even Lithium (use struct dp_pdev) underlying, and overwrite
struct dp_pdev unexpected.
Wrap with cdp API to avoid.
Change-Id: I5c8847ddc51548e8854ba600bec99ce5200dd817
CRs-Fixed: 2366344
Adds support to use bangradarenh command to inject radar on the
secondary segment, if AP is operating in HT80+80 or HT160 mode.
Change-Id: I78ab3d3fcb3ecf5fee274911bf6dc48f74c53818
CRs-Fixed: 2359763
Rename target_if_open() to target_if_init() and target_if_close()
to target_if_deinit() as these handles global target_if
initializations.
Change-Id: I935eb6461f1774043adaa0539b6e8e0ea9824382
CRs-Fixed: 2352015
Local variable is used to store cpumask to send it to
irq_set_affinity_hint and qdf_dev_set_irq_affinity APIs.
This memory is used by the kernel later outside the
current contect resulting in invalid memory access.
Fix this by using global variables to store cpumask.
Change-Id: I086f40bf1b3499d2c2ccb1ce18140b2dc2761d04
CRs-Fixed: 2373548
Currently, the function causes the system false when
tries to release the spinlock because it holds the
spinlock longer than max_hold_time.
Change-Id: I90c78b7d8530cf3d1c224a693ab9f743f669b730
CRs-Fixed: 2371481
Each cmd in serialization list holds a vdev ref by
I8d573ff5a25e6dff928b2708e51ad7b97e292277. When vdev is
destroyed physically, it means vdev ref count is 0, all
serialization cmds of this vdev are released, don't need purge
in vdev destroy handler.
Change-Id: Iea75707c88154e1e3e87369285b82d1288523e22
CRs-Fixed: 2367242
