In the existing converged component, WMI TLV APIs are implemented in
a generic manner without proper featurization. All the APIs exposed
outside of WMI are implemented in wmi_unified_api.c and all the APIs
forming the CMD or extracting the EVT are implemented in wmi_unified_tlv.c.
Since WIN and MCL have a unified WMI layer in the converged component and
there are features within WIN and MCL that are not common, there exists a
good number of WMI APIs which are specific to WIN but compiled by MCL and
vice-versa. Due to this inadvertent problem, there is a chunk of code and
memory used up by WIN and MCL for features that are not used in their
products.
Featurize WMI APIs and TLVs that are specific to MCL -
- DSRC
- NAN
- P2P
- PMO
- roaming
- concurrency
- STA
- Generic MCL specific WMI (STA)
Change-Id: I03a68b0db30a3aa585b269ab0a1745b37bc7e0b7
CRs-Fixed: 2316935
FR: TDMA Support for Wave2 Radios (host support)
Added a wmi cmd for configuring the interval between successive sifs
trigger frames given by the user app. Added a separate wmi cmd instead
of wmi param with reference to further scope.
Change-Id: Ifa778a761e3495ef7abab5f63a49661b307034ae
CRs-Fixed: 2330484
The number of chain mask tables comes from the WMI service ready ext event;
it is not checked for validity, which will cause an OOB read of the chain mask tables array.
Change-Id: I2fa0251358ed66d928477c0b55933ca028c8bd53
CRs-Fixed: 2331850
In extract_reg_11d_new_country_event_tlv(), the
reg_11d_country_event->new_alpha2 buffer from the original WMI
message is copied into reg_11d_country->alpha2. This will only copy
REG_ALPHA2_LEN bytes into a buffer that is REG_ALPHA2_LEN + 1 bytes.
Then the reg_11d_country->alpha2 buffer is printed as a string.
Because the original reg_11d_new_country structure in
tgt_reg_11d_new_cc_handler() was allocated on the stack and
not initialized, there is no guarantee that the buffer is
NULL terminated. Due to this the WMI_LOGD() call will result in
an OOB issue when printing the buffer.
Change-Id: I20b0044974438d95e4c09f843db2a7f369c9b85d
CRs-Fixed: 2327718
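
Added example, not taken from the commit or the driver source: one way to make the alpha2 copy described above safe regardless of how the caller allocated the destination, plus a length-bounded log format. The struct names, the value of REG_ALPHA2_LEN and the helper functions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG_ALPHA2_LEN 2   /* assumed: two-letter country code */

/* Hypothetical stand-ins for the two structures named in the commit message. */
struct fw_11d_event     { uint8_t new_alpha2[REG_ALPHA2_LEN]; };  /* from FW, no terminator */
struct host_11d_country { uint8_t alpha2[REG_ALPHA2_LEN + 1]; };

/* Copy, then terminate explicitly so the result does not depend on the
 * caller having zeroed the destination. */
void extract_alpha2(const struct fw_11d_event *ev, struct host_11d_country *out)
{
    memcpy(out->alpha2, ev->new_alpha2, REG_ALPHA2_LEN);
    out->alpha2[REG_ALPHA2_LEN] = '\0';
}

/* Length-bounded formatting: "%.*s" reads at most REG_ALPHA2_LEN bytes, so it
 * stays in bounds even if a terminator is missing. Returns the formatted length. */
int format_country(const uint8_t *alpha2, char *log, size_t log_len)
{
    return snprintf(log, log_len, "country=%.*s", REG_ALPHA2_LEN,
                    (const char *)alpha2);
}

/* Constructed scenario: the destination starts as 0xAA bytes, standing in for
 * an uninitialized stack structure. Returns strlen of the extracted code. */
int alpha2_strlen_on_dirty_stack(void)
{
    struct fw_11d_event ev = { { 'U', 'S' } };
    struct host_11d_country c;

    memset(&c, 0xAA, sizeof(c));
    extract_alpha2(&ev, &c);
    return (int)strlen((const char *)c.alpha2);
}

/* Constructed buffer without a terminator, logged through the bounded format. */
int bounded_log_len(void)
{
    uint8_t raw[REG_ALPHA2_LEN + 1] = { 'U', 'S', 0xAA };
    char log[32];

    return format_country(raw, log, sizeof(log));
}
```
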
In the call to QDF_TRACE_HEX_DUMP in extract_ndp_confirm_tlv(),
the buffer event->ndp_cfg is dereferenced an additional time
and then the length number of bytes is read in hex_dump_to_buffer,
resulting in an OOB read.
As WMI logging is already enabled, remove the hex dump.
Change-Id: I6a866e87dd80f3e41cf3c699ff4846416d309cf3
CRs-Fixed: 2326012
Bufp and buf_len are populated in extract_comb_phyerr_tlv
without validating the buf_len which can cause possible
out of bound access in dfs_phyerr_event_handler.
Fix is to validate the buf_len against num_bufp in param_tlvs.
Change-Id: I95e18d7600f8419f31e768fcc18c3024fe37b7db
CRs-Fixed: 2321371
While handling WMI_GTK_OFFLOAD_STATUS_EVENTID, QDF_BUG()
can occur in pmo_tgt_gtk_rsp_evt->pmo_psoc_get_vdev if
vdev_id is out of range, as the value is directly from
WLAN FW and can be outside the trust boundary.
Add a sanity check for the vdev id once the parameter is received from
WLAN FW.
Change-Id: I335df52fece39c1a51a556ba4678bd43f470673a
CRs-Fixed: 2321523
Add host WMI support for EAPOL minrate resource configuration.
Through the use of the global.ini configuration parameters -
eapol_minrate_set and eapol_minrate_ac_set, the user can set EAPOL
frames to be sent in minimum rate in tunnel mode. In addition to
this, the user can also select between the 4 ACs (BE, BK, VI, VO)
to send the EAPOL frames.
The changes are reflected in the target resource config which
is sent to the firmware.
Change-Id: Ib9a264b64305bf43708c3c2af3ff254b6cc28477
CRs-Fixed: 2298020
Update WMI_NDL_SCHEDULE_UPDATE_EVENTID handling for possible out
of bounds read when fixed_params->num_channels is greater than
TLV length of NDL channel list or NSS list and fixed_params->
num_ndp_instances is greater than TLV length of NDP Instance list.
Change-Id: Idbd74e30868597c9787095372516b7d7dd12481b
CRs-fixed: 2327673
Update handling of WMI_NDP_CONFIRM_EVENTID for possible out of
bounds read when fixed_params->num_ndp_channels is greater than
TLV length of NDP channel list or NSS list
Change-Id: I3bf429a47c46edbb464cf8447f227f7baa74fbe3
CRs-fixed: 2325849
In the existing converged component, WMI TLV APIs are implemented in
a generic manner without proper featurization. All the APIs exposed
outside of WMI are implemented in wmi_unified_api.c and all the APIs
forming the CMD or extracting the EVT are implemented in wmi_unified_tlv.c.
Since WIN and MCL have a unified WMI layer in the converged component and
there are features within WIN and MCL that are not common, there exists a
good number of WMI APIs which are specific to WIN but compiled by MCL and
vice-versa. Due to this inadvertent problem, there is a chunk of code and
memory used up by WIN and MCL for features that are not used in their
products.
Featurize WMI APIs and TLVs that are specific to WIN
- Air Time Fairness (ATF)
- Direct Buffer Rx (DBR)
- Smart Antenna (SMART_ANT)
- Generic WIN specific WMI (AP)
Change-Id: I7b27c8993da04c9e9651a9682de370daaa40d187
CRs-Fixed: 2320273
The existing Beacon offload control WMI command is used
to control beacon tx, to intimate FW whether the beacon for a VAP
is suspended or resumed.
Added API for non-TLV to send WMI_BCN_OFFLOAD_CTRL_CMDID
command to FW.
Change-Id: Ia02f4c7f317460ab766ca765bab14e0cd7acd879
CRs-Fixed: 2269491
NAN vdev ref count incremented as part of end_ind handler
is not released which will result in the nan vdev not
getting physically deleted.
Fix is to release nan vdev ref in os_if_ndp_end_ind_handler.
Change-Id: I31a32fa241fb9e86d3a64d490722bc42905970c4
CRs-Fixed: 2325580
Due to a change in Opclass calculation in the new
regulatory component, an invalid opclass is returned for the
TDLS component. Update the arguments passed to the regulatory
component to calculate opclass correctly.
Change-Id: I062bbb55d283f9525da241d32177e26d07aa8590
CRs-Fixed: 2325834
Fix the possible out of bound access while processing the
channel avoid frequency event from FW.
Change-Id: Ib49df0ebd785944b7cbbfa5927613887dd35d9ff
CRs-Fixed: 2308629
Add bound check for rssi_event->num_per_chain_rssi_stats in
extract_all_stats_counts_tlv().
ev->num_chain_rssi_stats in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
is derived from rssi_event->num_per_chain_rssi_stats
and is used as limit in for loop.
As length was never checked, multiple qdf_mem_copy calls in
wmi_extract_per_chain_rssi_stats() used in
target_if_cp_stats_extract_vdev_chain_rssi_stats()
will result in an OOB issue.
Change-Id: I204744e1435e687e33f2165744a92cdb8b975a51
CRs-Fixed: 2322298
Fix the compilation error in vdev state machine and make state
transition logs from debug to info.
Change-Id: I7d7975931232f041206bdb64c639456bf9327b3f
CRs-Fixed: 2321726
Separate WMI MGMT RX event logging from main WMI event
logging because WMI MGMT RX event is too frequent and it's
over-running useful WMI control path events.
Change-Id: Iacd1576c3e133b70224e45f589f566c73637a626
CRs-Fixed: 2318021
FW generates too many diag events and these diag events
also come on CE-2 together with other critical control
path WMI events and easily over-run useful control path
WMI RX event log buffer. Separate WMI diag rx event logging
in a separate log buffer such that useful control path WMI
log event buffer is not over-run.
Change-Id: I89b5d88036bc9d7e57e8e16858bc556be4e2ed41
CRs-Fixed: 2318083
Use WMI layer tdls_offchan_mode enum value while sending tdls
offchannel mode request to FW.
Change-Id: I3faee2d22ab2bcbf99918d46eeeb5b5bbe925048
CRs-Fixed: 2320796
Register WMI with wbuff for pre-allocation of
skbs. Register at wmi_unified_attach() and
de-register at wmi_unified_detach().
Change-Id: I9d6df1a8480324dd2a258de12672669a8fbe8940
CRs-Fixed: 2313935
WMI APIs currently use qdf_print() calls to print the messages onto
the console irrespective of whether it is an error, info or debug
message.
Replace qdf_print() calls with appropriate WMI_LOGX() APIs to ensure
they align with the debug framework.
Change-Id: I9a14a3defc61462bf4c7a8f0278e258603b781c7
CRs-Fixed: 2319398
This change removes legacy APIs to modify vdev state machine and
adds use of new API to get vdev state.
Change-Id: I48aa3744dafc6d13a43a14e48de821c7dadf3a37
CRs-Fixed: 2314731
Wmi_hdl can be NULL in call to wmi_unified_ipa_offload_control_cmd. Do
a check for the same.
Change-Id: I2629e03a812cbafdfd1494798ad7d8b986ceec75
CRs-Fixed: 2316859
Create and send user configurable ini for max number of roam preauth
retries and roam preauth no-ack timeout to the firmware.
Change-Id: I0343cb29952286d9b42a69136fc6353cd86e4752
CRs-Fixed: 2286079
wmi_mtrace is defined as static in wmi_unified_tlv.c and
used in TLV functions, but some TLVs need to be featurized
and moved to separate TLV files. Need to export wmi_mtrace
for external use.
Change-Id: I9459ec01c9cd4a89f3544d6a9831acba56e6a278
CRs-Fixed: 2314779
next_twt_size is introduced in TWT resume dialog command by FW to
provide next TWT subfield size. Update this field in the TWT resume
command.
Change-Id: Id4e7aacfa2c4890e3b03de17402e7ea29f82826a
CRs-Fixed: 2316475
Enable ML logging in wmi_control_rx and capture all
responses from firmware.
This would result in knowledge of whether the wmi_response
or any wmi_event was received by the host.
Change-Id: I0206a5b9bd357d06a8621747473dedecaa1779f2
CRs-Fixed: 2306047
There is no data length check when extracting control panel stats of pdev,
vdev and peer etc., which may result in buffer overflow.
The fixed param of cp stats indicates the numbers of pdev, vdev and peer
etc. in cp stats. A length check is needed to make sure the actual TLV
data length is the same as expected.
Change-Id: I8750d4e10048930222059897a24804e9f2c91ab5
CRs-Fixed: 2305421
WDS entry should be removed before adding peer with same mac address.
In DBDC mode, this can be ensured only by waiting for response for WDS
delete from FW before creating peer. Add logic to defer AUTH until WDS
is removed from FW.
Change-Id: Ie76d08c4817f953504913ae6cc49fc5388169e4a
CRs-Fixed: 2270592
Host changes to enable HTT version 2 messaging for
PEER map and unmap in FW and changes to handle these
messages in host
Change-Id: Ifbe478212bbbc9c9ea1c1e4791c7a78407c376cc
Update handling of WMI_SAR_GET_LIMITS_EVENTID for a possible OOB that
can occur if param_buf->fixed_param.num_limit_rows is greater than
actual TLV length of param_buf->sar_get_limits array.
Change-Id: Iccacbb3689e6a7bdd73b2b1f0517d011ccf6d076
CRs-fixed: 2307276
Currently only 16 bytes of wmi command/event messages are logged
excluding wmi header information.
By enabling WMI_EXT_DBG whole command/event messages can be dumped
using qdf debugfs apis. This will help if it is needed to
collect whole command/event messages information.
Change-Id: I72dff1279b1145b8d2ee415db97656f457c0136f
CRs-Fixed: 2309286
Make the HECAP and HEOP changes for 11ax Draft3.0.
Draft2.0 support can still be enabled by unsetting
SUPPORT_11AX_D3 in config.unified.wlan.profile.
Change-Id: I0c0fd885a43b672baca61011b75a51526481b1ee
CRs-fixed: 2294235
This change is required as a part of setting sifs_rate in the
target through wmi command from host for legacy chipsets.
Change-Id: Ia3ed8a6d33fcb31b290129e1302dfc0000ad4626
CRs-Fixed: 2031293
We are transitioning to new logging infrastructure
by using existing mtrace functionality.
Add new logging for complete WMI module.
Change-Id: Ifbc81a6f119ff63b69e3558ad7becb1eaefae8ca
CRs-Fixed: 2301964
For qdf_mtrace 15 bits are reserved for message id and currently
WMI message IDs are getting used as 32 bit IDs.
Write a wrapper function which accepts 32 bit message IDs and
converts this 32 bit message id to 15 bit by extracting
WMI_GRP_ID and WMI_MESSAGE_ID in that group. New 15 bit
message ID for qdf_mtrace will be constructed as 8 bits
(from LSB) specifying the WMI_GRP_ID and the remaining 7 bits
specifying the actual WMI command. With this notation there
can be maximum 256 groups and each group can have max 128
commands which can be supported.
Change-Id: Ia5adfc079b63c2311bdc8ae4c73488d89afd462f
CRs-Fixed: 2298877
Add wmi layer support to get firmware roam scan statistics which includes
scoring of roam candidates, channels, old and new bssids etc.
Change-Id: I3a0aafbe66d12eea40e71ceb4c7c3a60b9d6e04f
CRs-Fixed: 2203904
The function extract_pdev_utf_event_tlv, is called when the WMI
event WMI_PDEV_UTF_EVENTID is received. The event_buf
argument to it is fully FW controlled. There is an assumption
that the WMI message is at least the size of struct
wmi_host_utf_seg_header_info which could lead to OOB read issues
when a shorter message is sent.
Add fix to validate the event->datalen passed against
sizeof(struct wmi_host_utf_seg_header_info) before copying to
seg_hdr.
Change-Id: I1a8313f11013722edb601c009e59b1509fda3280
CRs-Fixed: 2305465
A read buffer overflow is possible, since the number of NOA descriptors
is not checked when handling WMI_P2P_NOA_EVENTID.
Change-Id: I08fc3ac429bc19a8df7ac429fbe779fa3b227318
CRs-Fixed: 2307321
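
Added example, not code from these commits or the driver: the check that the SAR get limits, NDP confirm, NDL schedule update, per-chain RSSI stats, cp stats and P2P NOA fixes above all describe, where a count in the firmware-supplied fixed param is compared against the number of elements the array TLV actually carries before it is used. The event layout, struct names, MAX_ROWS and the helper functions are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified layout assumed here: [hdr][u32 num_rows][hdr][row 0][row 1]...
 * hdr is one 32-bit word: tag in the upper 16 bits, byte length in the lower 16. */
#define TLV_LEN(hdr) ((hdr) & 0xFFFFu)
#define MAX_ROWS 8u                      /* hypothetical host-side table size */

struct limit_row { uint32_t band; uint32_t limit; };    /* hypothetical row */

static int read_u32(const uint8_t *buf, size_t len, size_t off, uint32_t *out)
{
    if (off > len || len - off < sizeof(*out))
        return -1;                       /* word would run past the message */
    memcpy(out, buf + off, sizeof(*out));
    return 0;
}

/* Returns the number of rows copied into rows[], or -1 for a malformed event. */
int extract_limit_rows(const uint8_t *buf, size_t len, struct limit_row *rows)
{
    uint32_t hdr, claimed, avail;

    if (read_u32(buf, len, 0, &hdr) || TLV_LEN(hdr) != sizeof(uint32_t) ||
        read_u32(buf, len, 4, &claimed) ||       /* firmware-controlled count */
        read_u32(buf, len, 8, &hdr))
        return -1;
    if (TLV_LEN(hdr) > len - 12)                 /* array TLV must fit the message */
        return -1;
    avail = TLV_LEN(hdr) / sizeof(struct limit_row);    /* rows actually present */

    /* Bound the claimed count by the data received and by the host table
     * before it drives any copy or loop. */
    if (claimed > avail || claimed > MAX_ROWS)
        return -1;
    memcpy(rows, buf + 12, claimed * sizeof(struct limit_row));
    return (int)claimed;
}

/* Constructed sample: an event claiming `claimed` rows but carrying `present` (<= 16). */
int demo(uint32_t claimed, uint32_t present)
{
    uint32_t w[3 + 16 * 2] = { (1u << 16) | 4u, claimed,
        (2u << 16) | present * (uint32_t)sizeof(struct limit_row) };
    struct limit_row rows[MAX_ROWS];
    return extract_limit_rows((const uint8_t *)w,
                              12 + present * sizeof(struct limit_row), rows);
}
```
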