The enum for subchannel marking pdev param is after the
maximum value. Re-enumerate the enum so that the pdev param max
points to the last value.
Change-Id: I9ecf616a13b3b73b3aafb0f6dfdfbf6eda29f4dd
CRs-Fixed: 2334258
While handling the WMI_SERVICE_READY_EXT_EVENTID WMI FW event, a NULL
pointer dereference can occur if param_buf->hal_reg_caps is not checked.
Check param_buf->hal_reg_caps before dereferencing it to avoid NULL
pointer dereference.
Change-Id: I00eba5e89fbdde78979d19f492df5ad4dca8b80c
CRs-Fixed: 2347673
When CONFIG_MOBILE_ROUTER is enabled there are build failures
due to improper featurization of NAN, so fix the featurization.
Change-Id: I6bc11fb82394c2d32b328cb5d50ff974051755e1
CRs-Fixed: 2353170
Introduce a new wmi_send pdev param to enable/disable
"Subchannel Marking" in Firmware (only in Full Offload)
Change-Id: I3cd4f4f13ebca72c4505b6195cc8dc4856d41671
CRs-Fixed: 2334258
Current HTT_H2T messages from host driver do not have
consistency in message length set by host driver. Some
message types include HTC header length also within the
message length, while other types have message length
itself only, which causes difficulty in handling message
length in FW.
Change-Id: I885a21530a2d8f852387ae54cf7ee0751aad2516
CRs-Fixed: 2345075
Fix WMI message for peer channel width switching to account
for reserve space allocated in the message between num_peer
and chan_width_peer_list.
Change-Id: I5f0cec3c263cb68f44f0fcaa2aa26d120e807b1a
CRs-Fixed: 2352372
Remove the unused fields from WMI unified vdev_start_params structure.
The channel information duplicated in vdev_start_params and
its sub structure channel is removed and all implementations
can use the channel sub structure directly.
Change-Id: I47cf4c4223111b6f564ec8336dbfcda4592e8e0c
CRs-Fixed: 2350505
When WMI_SAR_GET_LIMITS_EVENTID is received from firmware, the
function extract_sar_limit_event_tlv is called to update the SAR
limits for all the chains of each band. There is a for loop
defined to loop over each item in param_buf->sar_get_limits.
Since the param_buf->sar_get_limits could be either optionally
defined or not a part of the message at all there is a potential
NULL pointer dereference if sar_get_limits is not sent as part
of the WMI_SAR_GET_LIMITS_EVENTID event.
param_buf->sar_get_limits needs to be checked for NULL prior to
dereferencing it.
Change-Id: I93c07fa8048df97c6f6960b0db6df3bbc30e23b4
CRs-Fixed: 2336928
Add flags WMI_HOST_FW_FEATURE_VOW_FEATURES and
WMI_HOST_FW_FEATURE_VOW_STATS which will be sent
to firmware to enable VOW stats.
Change-Id: I7829327ac21406af309f21b79f9f040687997275
CRs-Fixed: 2340765
Adding two members including tx sgi_count in
host peer_extd_stats structure which is received from
the fw and populated to upper layer along with adding two
members to cdp_rx_stats.
Change-Id: Id45b2d0042d01771ac74a906d72c369c3dc31394
CRs-Fixed: 2147922
Change I9a14a3defc61462bf4c7a8f0278e258603b781c7 moved a log in
wmi_control_rx indicating that a specific event Id has no associated
handler from debug-level to error-level. This resulted in excessive
logging, as the driver has no obligation to handle every event type
received from firmware and very well might not want to handle every
event type received from firmware. Restore the original debug-level to
the log.
Change-Id: I4b1118fef7e4752dbaaf796db2f9444927c7e178
CRs-Fixed: 2341953
In extract_roam_scan_stats_res_evt_tlv(), there is potential
buffer-overflow due to no input validation of following event
parameters from firmware:
(a) Roam scan frequencies against maximum value of 50
(WMI_ROAM_SCAN_STATS_CHANNELS_MAX) and
(b) Roam scan candidates against maximum value of 4
(WMI_ROAM_SCAN_STATS_CANDIDATES_MAX)
To fix this, validate roam scan stats event parameters.
Change-Id: I866b492f7ccb48c4960ff25a9e817cbdb394509e
CRs-Fixed: 2335530
Requirement to provide various msdu retry stats to host:-
1. successfully transmitted msdus
2. Retried msdus
3. msdus retried for more than once
4. failed msdus
Change-Id: I4cd7dfceae16b4223df605fa174299858a8651c8
This change is to fix the regression issue caused by CR 2316935 which
dropped the change of CR 2307276 in the refactoring.
Update handling of WMI_SAR_GET_LIMITS_EVENTID for a possible OOB that
can occur if param_buf->fixed_param.num_limit_rows is greater than
actual TLV length of param_buf->sar_get_limits array.
Change-Id: Id633296d39bcaf4d1588963368630e69ff790ea4
CRs-fixed: 2339015
1. Send add random mac addr rx filter WMI command
to target
2. Add/Del the active random mac addr entry
3. Clear random mac addr from target if not active
Change-Id: I9dcbdc20b76d9865da7a8db6ee013bf5e44e4407
CRs-Fixed: 2322097
When WMI_SERVICE_READY_EXT_EVENT is received from firmware, the
function extract_chainmask_tables_tlv is called to update the
soc caps and other capabilities to the host. hw_caps is
extracted directly from the param_buf value received from the
firmware and hw_caps->num_chainmask_tables is used to traverse
through the chainmask table and update the values to it from the
param_buf->mac_phy_chainmask_caps. hw_caps->num_chainmask_tables
is validated against PSOC_MAX_CHAINMASK_TABLES but not against
param_buf->num_mac_phy_chainmask_combo. This can cause potential
out of bound read in extract_chainmask_tables_tlv.
Validate the value of the hw_caps->num_chainmask_tables received
from the firmware against param_buf->num_mac_phy_chainmask_combo
before updating chainmask_table.
Change-Id: Ibf438760a9219f4ff82d29b42aa30f4dcf626364
CRs-Fixed: 2336842
num_chainmask_tables used as a for loop variable in
extract_service_ready_ext_tlv(), is never bound checked
and may lead to OOB.
Change-Id: Ib0fdde8386fc372abee44934e10e9f54b0fe25b8
CRS-Fixed: 2330943
Provide WMI support for AP channel switching enhancements.
As part of FR50393, AP is provided with the ability to notify
capable connected peers to follow it to the new channel bandwidth.
This change provides WMI support for sending required parameters to
the firmware to update the peer list internally with the MAC address
of the capable peer along with its new channel width.
Change-Id: I0696efd2b1c883d15de23364677050618f114743
CRs-Fixed: 2316625
WMI endpoint will receive commands from both user context and kernel
context. Hence making it asynchronous.
Change-Id: Ia969bb9db6a8978a7f50bc19f9f602dfbc1c83ea
CRs-Fixed: 2313262
In extract_roam_scan_stats_res_evt_tlv(), validate
num_roam_scans to avoid any possible integer overflow
when receiving a larger num_roam_scans value.
Change-Id: I0f3bbf64fac8c151789de2f93a77c9af29b855d1
CRs-Fixed: 2331868
The fixed_param TLV structure is pulled from the WMI message and
assigned to chan_list_event_hdr. num_2g_reg_rules and
num_5g_reg_rules are assigned from the TLV structure, then passed
to create_reg_rules_from_wmi without length check; out of buffer
access may happen.
Change-Id: I70c9d74ef94161896e1c7700c73943040f3a77e1
CRs-Fixed: 2327667
While extracting green ap egap status info there is no
sanity check for egap info event and chainmask event which may
lead to NULL pointer access.
To prevent this NULL pointer access add a sanity check for
egap info event and chainmask event.
Change-Id: Ib9cc273f12bb159bce309065279230e96925be7f
CRs-Fixed: 2331873
This commit contains the following changes related to FR49350:
usenol pdev param declaration and implementation of wmi cmd to send
the param to FW.
Failure status code declaration for scan and vdev start.
CRs-Fixed: 2328894
Change-Id: I5d3bfe758aeb9907193b6f626582b70413f5381c
In tdls_get_wmi_offchannel_bw in default case uninitialized output
bw is printed instead of input bw. This will result in printing
uninitialized variable.
Change-Id: I7819dad3426fbe1b4c4626bc69744e3ee59ba18f
CRs-Fixed: 2329333
The debug node for all the nbufs allocated by wbuff
for a module contains the file and line info
pertaining to wbuff_module_register().
To enhance debugging, use qdf_net_buf_debug_update_node()
to update debug info when nbuf is requested through
wbuff_buff_get().
Change-Id: Ie8b148ef6313bd3b265cfa3f141e8d0de8b75597
CRs-Fixed: 2328257
Change the wmi_pdev_stats structure to wmi_pdev_stats_v2 structure.
This change is needed because of corresponding change made in FW
for renaming the structure.
Change-Id: I6dd3abd61730d8f17d74a11a42978a64853136e5
In the existing converged component, WMI TLV APIs are implemented in
a generic manner without proper featurization. All the APIs exposed
outside of WMI are implemented in wmi_unified_api.c and all the APIs
forming the CMD or extracting the EVT are implemented in wmi_unified_tlv.c.
Since WIN and MCL have a unified WMI layer in the converged component and
there are features within WIN and MCL that are not common, there exists a
good number of WMI APIs which are specific to WIN but compiled by MCL and
vice-versa. Due to this inadvertent problem, there is a chunk of code and
memory used up by WIN and MCL for features that are not used in their
products.
Featurize WMI APIs and TLVs that are specific to MCL -
- DSRC
- NAN
- P2P
- PMO
- roaming
- concurrency
- STA
- Generic MCL specific WMI (STA)
Change-Id: I03a68b0db30a3aa585b269ab0a1745b37bc7e0b7
CRs-Fixed: 2316935
FR: TDMA Support for Wave2 Radios (host support)
Added a wmi cmd for configuring the interval between successive sifs
trigger frames given by the user app. Added a separate wmi cmd instead
of wmi param with reference to further scope.
Change-Id: Ifa778a761e3495ef7abab5f63a49661b307034ae
CRs-Fixed: 2330484
Chain mask tables number is from wmi service ready ext event; it is
not checked for validity, which will cause OOB read of the array of chain mask tables.
Change-Id: I2fa0251358ed66d928477c0b55933ca028c8bd53
CRs-Fixed: 2331850
In extract_reg_11d_new_country_event_tlv(), the
reg_11d_country_event->new_alpha2 buffer from the original WMI
message is copied into reg_11d_country->alpha2. This will only copy
REG_ALPHA2_LEN bytes into a buffer that is REG_ALPHA2_LEN + 1 bytes.
Then the reg_11d_country->alpha2 buffer is printed as a string.
Because the original reg_11d_new_country structure in
tgt_reg_11d_new_cc_handler() was allocated on the stack and
not initialized, there is no guarantee that the buffer is
NULL terminated. Due to this the WMI_LOGD() call will result in
an OOB issue when printing the buffer.
Change-Id: I20b0044974438d95e4c09f843db2a7f369c9b85d
CRs-Fixed: 2327718
In the call to QDF_TRACE_HEX_DUMP in extract_ndp_confirm_tlv(),
the buffer, event->ndp_cfg is dereferenced an additional time
and then read the length number of bytes in hex_dump_to_buffer,
resulting in an OOB read.
As WMI logging is already enabled, remove the hex dump.
Change-Id: I6a866e87dd80f3e41cf3c699ff4846416d309cf3
CRs-Fixed: 2326012
Bufp and buf_len are populated in extract_comb_phyerr_tlv
without validating the buf_len which can cause possible
out of bound access in dfs_phyerr_event_handler.
Fix is to validate the buf_len against num_bufp in param_tlvs.
Change-Id: I95e18d7600f8419f31e768fcc18c3024fe37b7db
CRs-Fixed: 2321371
While handling WMI_GTK_OFFLOAD_STATUS_EVENTID, QDF_BUG()
can occur in pmo_tgt_gtk_rsp_evt->pmo_psoc_get_vdev if
vdev_id is out of range, as the value is directly from
WLAN FW and can be outside the trust boundary.
Add sanity check for vdev id once the parameter is received from
wlan fw.
Change-Id: I335df52fece39c1a51a556ba4678bd43f470673a
CRs-Fixed: 2321523
Add host WMI support for EAPOL minrate resource configuration.
Through the use of the global.ini configuration parameter -
eapol_minrate_set and eapol_minrate_ac_set, the user can set EAPOL
frames to be sent in minimum rate in tunnel mode. In addition to
this, the user can also select between the 4 ACs (BE, BK, VI, VO)
to send the EAPOL frames.
The changes are reflected in the target resource config which
is sent to the firmware.
Change-Id: Ib9a264b64305bf43708c3c2af3ff254b6cc28477
CRs-Fixed: 2298020
Update WMI_NDL_SCHEDULE_UPDATE_EVENTID handling for possible out
of bounds read when fixed_params->num_channels is greater than
TLV length of NDL channel list or NSS list and fixed_params->
num_ndp_instances is greater than TLV length of NDP Instance list.
Change-Id: Idbd74e30868597c9787095372516b7d7dd12481b
CRs-fixed: 2327673
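
The check that several of the commit messages above describe (a NULL test on an optional TLV array, then the firmware-supplied count validated against the array's real element count before the loop), as an added example that is not code from the driver. All `demo_*` names and `DEMO_MAX_ROWS` are hypothetical, and the example assumes the TLV parser reports each array's element count separately from the count carried in the fixed parameters.

```c
#include <stddef.h>
#include <stdint.h>

#define DEMO_MAX_ROWS 8 /* hypothetical capacity of the host-side table */

struct demo_row { uint32_t band, chain, limit; };
struct demo_fixed_param { uint32_t num_rows; }; /* count claimed by firmware */
struct demo_param_buf {                         /* hypothetical parsed event */
    const struct demo_fixed_param *fixed_param;
    const struct demo_row *rows; /* NULL when the optional TLV is absent */
    uint32_t num_rows;           /* elements actually present (from TLV length) */
};
struct demo_out { uint32_t num_rows; struct demo_row rows[DEMO_MAX_ROWS]; };

/* Returns 0 on success, -1 when the event must be rejected. */
int demo_extract_rows(const struct demo_param_buf *pb, struct demo_out *out)
{
    uint32_t i, claimed;

    if (!pb || !out || !pb->fixed_param)
        return -1;
    claimed = pb->fixed_param->num_rows;
    out->num_rows = 0;
    if (claimed == 0)
        return 0;               /* nothing to copy, array may be absent */
    if (!pb->rows)
        return -1;              /* count > 0 but the TLV was not sent */
    if (claimed > pb->num_rows)
        return -1;              /* would read past the received array */
    if (claimed > DEMO_MAX_ROWS)
        return -1;              /* would write past the host table */
    for (i = 0; i < claimed; i++)
        out->rows[i] = pb->rows[i];
    out->num_rows = claimed;
    return 0;
}

/* Builds a constructed event and returns the rows copied, or -1 if rejected. */
int demo_run_case(uint32_t claimed, int tlv_present, uint32_t tlv_elems)
{
    static const struct demo_row sample[4] = {
        {0, 0, 10}, {0, 1, 11}, {1, 0, 12}, {1, 1, 13} }; /* constructed data */
    struct demo_fixed_param fp = { claimed };
    struct demo_param_buf pb = { &fp, tlv_present ? sample : NULL,
                                 tlv_present ? tlv_elems : 0 };
    struct demo_out out;
    int rc = demo_extract_rows(&pb, &out);

    return rc == 0 ? (int)out.num_rows : rc;
}
```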