Partner link connect request is copied from primary link.
The upper layer may include BSS channel freq preference in
OS connect req. We have to clear it for partner link connecting,
otherwise the scm_filter_match will filter out the mlo partner
candidate and cause the partner connect to fail.
Change-Id: I9ca8f2baf5f7e660ed0b72c1dffa886f1c1e8f11
CRs-Fixed: 3320085
In a special case, the link peer fails to attach, then the mlo peer is deleted
without detaching from the ml peer list. When the peer list is accessed, an
assert will happen for use after free.
Change-Id: Ic7a58fa0708ae6b920a69100e798c0aa8db7fe0d
CRs-Fixed: 3319376
When an SAE station is trying to associate to an MLO AP,
if this station was connected to another link vap of the same MLD,
and the same station is then trying to connect with a link VAP,
the ML peer entry is found with the MLD MAC address.
For SAE stations, the initial understanding was to handle disconnect
from hostapd, but as hostapd initiates SA query for the connected
link peers only, in this case, hostapd can't initiate SA query
as it was connected to other link VAP.
The fix is to allow initiating deauth of the current ML peer entry.
Change-Id: Iddb53f0156b460a2ede2197a74acf254c83b7b37
CRs-Fixed: 3313785
The assoc-resp buffer of the link-peer can be null, while sending the
assoc-resp frame. This can happen if the ML peers are already setup but
the next association fails. In this case we send the assoc-resp frame
before link-peer's assoc-resp buffer is initialized.
Change-Id: I28d48068b4554b7663b118cc6023df396e45cae9
CRs-Fixed: 3316851
Add further clarification for util_find_mlie() that the buffer passed
should contain only 802.11 Information Elements, and should not
contain other information like 802.11 header, 802.11 fields that are
not elements, etc.
Change-Id: Id577cdc08189cd0f60053b1345ee15b3bb4f0eca
CRs-Fixed: 3316369
Currently, this MLO flag is being set/cleared without regard for
concurrency. We need to lock the vdev when updating these values to
prevent a race condition.
Change-Id: Ied90d62f10f6f12a35eeac3060dd0fae7d0c6cfd
CRs-Fixed: 3305558
mlo_clear_connected_links_bmap api is also used for roaming,
so changing it as public api.
Change-Id: I31225cb04971dbf470338022ca4dc09a9967b5c4
CRs-Fixed: 3317236
For STA MLO connection, the AP can send M1 right after assoc
response on assoc link, which will trigger sending keys to FW
for mlo links, but it can happen that wmi_peer_assoc is not
sent for mlo link until this time.
Current code does not have handling for this case.
To solve this, store the link vdev keys and send them once
link vdev is connected.
Change-Id: I882da96280711ca9cfa4d6ba852fda4a8b6d7a77
CRs-Fixed: 3293692
If repeater is configured as dependent WDS repeater, call the
handler to bringup/bringdown all the standalone AP vaps in the
repeater once all the other AP vaps present in the AP ML context
are up/down.
Change-Id: Icad3d0434180cb25bdcdedec3334ccbbe642cf4c
CRs-Fixed: 3299010
If 2 MLO APs have the same MLD addr, when roaming between them, link vdev1 old
peer is deleted first, ML peer goes to state ML_PEER_DISCONN_INITIATED.
Since ML peer can be found for the same MLD addr, no new ML peer is created,
but vdev1 new link peer fails to attach to ML peer for wrong state,
then ML peer will be double freed, and an assert will happen.
To fix it, if roam target AP and current AP have same MLD addr, before
attach new peer to reused ML peer, update different info from target AP,
update ML peer state to ML_PEER_CREATED again.
Change-Id: Ia656ed61be4ae417b8cfbe7711d421fbcee89b97
CRs-Fixed: 3302438
While the scheduler thread is handling connect, disconnect from OSIF will
fail but wrongly frees the copied connect req.
When connecting the partner link, the copied connect req is accessed and an
assert will happen.
To fix it, don't free the copied connect req until disconnect returns
success, and add function mlo_free_copied_conn_req.
Change-Id: Id0e40b4bb6e4927f7b31aa7443b581a62f64e6fa
CRs-Fixed: 3305286
Currently link specific probe response ie does not include
the basic variant ml ie. This results in multi link connection failure.
To solve this, add basic variant mlo ie in the link probe response.
Change-Id: I7d6e9bcc461bf4e855c5613ad28a08749303a81d
CRs-Fixed: 3301288
1. This change fixes the use of uninitialized
variable in host driver.
2. Adds NULL check for num_psocs in mlo_peer_calculate_avg_rssi to
avoid undefined behaviour.
Change-Id: Ifbfef42b5930dfe15736a75a74e81155c5f1fbce
CRs-Fixed: 3297794
When partner link probe rsp is generated from ML probe rsp, bssid is
filled wrongly, then scan entry with wrong bssid is added, if no beacon
or probe rsp of partner link is received, then candidate can't be found
by partner link bssid, partner link connect fails, at last MLO connect
fails.
Change-Id: I3fa51dbde1cf9d8e256ecfc17059660a4430056a
CRs-Fixed: 3298706
This change adds API that searches for the primary peer in the peer list.
It returns vdev link id of the primary peer.
Change-Id: I43bef7ec56c5785669f217d63a15f95717f8d349
CRs-Fixed: 3280575
When roam from legacy to mlo, vdev1 is updated first, ml peer is created,
but failed to attach since it is link vdev, then vdev0 is updated, ml peer
is created again, ref count is 1.
When disconnect, stop vdev1 first, in stop event handler, ml peer ref count
becomes 0, mlo_peer_cleanup is called unexpectedly.
mlo_peer_cleanup should be called after MLO vdev0 stopped.
To fix it, change wlan_mlo_peer_create, mlo_dev_mlpeer_attach is called if
the ml peer is not attached and can't be found.
Change-Id: Iae3b2b498849646ae71154484b555a7fc9a36017
CRs-Fixed: 3277886
Per spec 11be_D2.1.1, the TSF Offset subfield of the STA Info field
indicates the offset (Toffset) between the TSF timer of the reported
AP (TA) and the TSF timer of the reporting AP (TB) and is encoded
as a 2's complement signed integer with units of 2 µs. Toffset is
calculated as Toffset = Floor((TA – TB)/2).
Change-Id: I7810568f6308e369dcf2ff26bdfd1246783466d4
CRs-Fixed: 3276836
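
The Floor() in the formula above matters when TA is behind TB, because C integer division truncates toward zero instead. The following is an added example, not code from the driver: the function names are hypothetical, and the 8-octet little-endian subfield width is an assumption not stated in the commit message.

```c
#include <stdint.h>

/* Toffset = Floor((TA - TB) / 2) for 64-bit TSF timers counted in
 * microseconds; the result is in units of 2 us. */
int64_t tsf_offset_units(uint64_t ta, uint64_t tb)
{
    int64_t diff = (int64_t)(ta - tb);  /* signed difference, microseconds */
    int64_t q = diff / 2;               /* C division truncates toward zero */
    if (diff < 0 && diff % 2 != 0)
        q -= 1;                         /* step down so odd negatives floor */
    return q;
}

/* Two's complement, least significant octet first.
 * Assumption: the subfield is 8 octets wide. */
void tsf_offset_encode(int64_t off, uint8_t out[8])
{
    uint64_t u = (uint64_t)off;
    for (int i = 0; i < 8; i++)
        out[i] = (uint8_t)(u >> (8 * i));
}

int64_t tsf_offset_decode(const uint8_t in[8])
{
    uint64_t u = 0;
    for (int i = 0; i < 8; i++)
        u |= (uint64_t)in[i] << (8 * i);
    return (int64_t)u;                  /* reinterpret as signed */
}

/* Encode then decode, as a receiver of the subfield would see it. */
int64_t tsf_offset_roundtrip(uint64_t ta, uint64_t tb)
{
    uint8_t wire[8];
    tsf_offset_encode(tsf_offset_units(ta, tb), wire);
    return tsf_offset_decode(wire);
}

int main(void)
{   /* constructed values: TA is 3 us behind TB, so Floor(-1.5) == -2 */
    return tsf_offset_roundtrip(1000, 1003) == -2 ? 0 : 1;
}
```
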
When teardown completion event is received from FW, teardown
completion handler resets pdev link to NULL, when the expectation
is only to put pdev state in teardown, such that when soc goes
down the list gets cleared.
Change-Id: Ief490eabe0546207f0ef649cb6d5cde1faf582d8
CRs-Fixed: 3280671
Add API to extract MLD AP MSD capabilities from MLO IE
common info field if present. This will be shared with FW
via peer assoc cmd.
Change-Id: I0ebcd5408a40f3314932d4a2a7e586c208af2ee5
CRs-Fixed: 3271118
As per 11be 2.1 spec 35.3.3.3 Fields and elements not carried in a per-STA
profile, an AP affiliated with an AP MLD shall not include a Timestamp
field, a Beacon Interval field. Change ML probe rsp per-STA profile decode
logic accordingly. Copy Timestamp from the starting of the probe response
frame.
Change-Id: I0fe5682c170dc3dcd6e5a93c68473cd4cb6999b8
CRs-Fixed: 3280227
This change adds protection, if partner link peer creation failure
leads to MLO peer free. It also returns failure.
Change-Id: I4f2097c3a2942cecf01f77c7e4899595bbce0dff
CRs-Fixed: 3277770
For T2LM capable MLO STAs the AID is allocated from the second pool.
There is an inconsistency in allocating these AID pools.
Please check the example below.
Let's say the max_aid in ML AID manager is 12 and the start_aid is 3.
As per the current implementation,
    aid_end1 = (ml_aid_mgr->max_aid - start_aid)/AID_NUM_BUCKET
             = (12 - 3)/3 = 3
Only 3 AIDs are available in pool_1. But all 3 of these AIDs are reserved due
to start_aid = 3. Hence, we will not be able to allocate any AID from
pool_1.
With the fix,
    pool_1_max_aid = (ml_aid_mgr->max_aid - start_aid)/AID_NUM_BUCKET
                   = 3
    aid_end1 = pool_1_max_aid + start_aid
             = 6
So for pool 1, AIDs 4, 5 and 6 are available now.
Change-Id: Ia96966b542e68511acbf46de32448f0d95d31c69
CRs-Fixed: 3276564
Currently, for all link peers of ML peer, is_primary is set as
true, since all link peers are attached to the same PSOC.
But FW and DP need only one peer to be set primary.
So far, FW and DP are considering the last peer created or last peer
assoc received as the primary peer.
This method is causing an issue since the order is not guaranteed
between FW and DP layer.
So, added a change to set is_primary to one of the link peers
only.
Change-Id: I1c1aa87056baf86091fefc780180b5fc6a16af0d
CRs-Fixed: 3274360
During the dynamic mac address change process, some link vdev mld
addresses will be changed successfully and some link vdev mld
addresses will fail to be changed from target in the failure case.
In vdev deleting, if the mlo dev ctx cannot be found by mld mac
address, try to use vdev->mlo_dev_ctx to detach vdev from mlo
dev ctx. This will avoid a memory leak in the above failure case of
dynamic mac address change.
Change-Id: I11304c92f9258e2390cfe2d03f29ada0db80e6af
CRs-Fixed: 3271092
For the fixed fields of per-sta profile for mlo, only assoc rsp is parsed,
need to include reassoc rsp.
Change-Id: I8be3ab2d2f7719bda0190b59c6d24c07d12f21e8
CRs-Fixed: 3273819
Avoid code duplication by using common definitions
i.e. use enum wlan_ml_linfo_subelementid.
Change-Id: Ia09c1a42207461878d023e8f4534f2d26fb2f81b
CRs-Fixed: 3227859
In current code, deauth is skipped for PMF clients
but ML peer state is updated for PMF clients also.
This fix skips ML Peer state update for PMF clients.
Change-Id: I41c870a5ff4bb658f378b65c729947fad324e807
CRs-Fixed: 3261671
Add null check on connect req params before
invoking cloning of rsn/rsnx ies for mlo stations
Change-Id: I651683ad7eb6a5c0404feee321402ac1f39edcfc
CRs-Fixed: 3234326
Add check to validate vendor IE length in util validate
reporting STA IE API to avoid OOB read.
Change-Id: I1cdd8eced7b5ffcecde6f0337eb45fc90077932f
CRs-Fixed: 3236561
Currently, in a few instances the MLO peer APIs are called
with invalid ML peer pointer.
This change prevents NULL pointer access and clears MLO
flag for peer.
Change-Id: I8bcdae1d71655f7ed267cc5bc3f6d0fc51e930df
CRs-Fixed: 3245158
Extract EML and MLD Capabilities from Target via
wmi_service_ready_ext2_event. These values can be
used while advertising EML and MLD Capabilities.
Add helper function to get EML related delays in
Micro Secs from values got from EML and MLD advertisements.
Send EML Capabilities received from node to Target
via WMI_PEER_ASSOC.
CRs-Fixed: 3225495
Change-Id: Ibfa2ff8dbf11d4293125331376a7986e611d5f63
In current code, assoc peer is designated as primary umac,
on primary umac allocation, primary umac bit gets reset.
But in force umac case, primary umac bit is not getting reset.
This change resets primary umac bit of assoc peer, if
assoc peer is not designated primary UMAC.
Change-Id: I640433548b9efeb20ba2b23f8d1141cc5505087b
CRs-Fixed: 3243326
Currently, in wlan_defrag_elemsubelem_fragseq() API,
there is possible buffer over-read in fragbuff buffer.
The buffer may have a malicious length larger than its
payload size, which leads to a buffer over-read during
defragmentation.
Fix is to validate the fragment length against the buffer
boundary in util_get_successorfrag().
Change-Id: Ia9e688a0ab17954eb464ec586820bb95b51f12d1
CRs-Fixed: 3236560
Add following fixes for STA to support and operate in
eMLSR mode
1) Update and send eMLSR cap flag to FW even in vdev start
request on both links.
2) Copy EML caps to wmi peer assoc mlo params to send it
to FW.
Change-Id: Ic17b9b82809659d7a4392c09eceecae7c53b2049
CRs-Fixed: 3237737
Add mld config checks in osif_vap_create_check and fail
once the config is invalid.
Change-Id: I26c3b4719fa9b18be0a4590861c654504fb3e6bf
CRs-Fixed: 3200923
In case of MLO, if connect is in progress and assoc vdev is moved to
connected state, if the disconnect is received before mlo mgr is
notified for connect, then it can lead to race between connect and
disconnect processing.
Add fix to avoid race between connect complete and disconnect by
checking connected link bitmap which is set in mlo connect notifier.
Change-Id: I5783827c00106bf6bda2949e4154088fd172de15
CRs-Fixed: 3241708
The api wlan_mlo_peer_list_peek_head is invoked with lock acquired.
wlan_mlo_peer_create api does not invoke ml_peerlist_lock_acquire
and ml_peerlist_lock_release when invoking api mlo_get_mlpeer, this
causes race condition issue.
To resolve this issue, using api wlan_mlo_get_mlpeer instead of
api mlo_get_mlpeer.
Change-Id: Ifb41b7d83bf17938d210ce5a2d7f370d6355197c
CRs-Fixed: 3228243
A malicious input can cause a buffer over-read in util_find_extn_eid.
When len==2 and frame[TAG_LEN_POS]==0, the while loop will be entered
and an over-read will happen for frame[ELEM_ID_EXTN_POS].
Since both MIN_IE_LEN and ELEM_ID_EXTN_POS are equal to 2, ensure
(len > MIN_IE_LEN) before accessing the index.
Change-Id: Ia0aa8a2b59e8bf9ac06f5454e40687c5c34c5d88
CRs-Fixed: 3236559
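
The length checks described in the util_find_extn_eid message above and in the earlier wlan_defrag_elemsubelem_fragseq() message come down to comparing each declared element length with the bytes that remain before indexing. The following is an added example, not the driver's code: both functions and the sample buffers are hypothetical, and only the two constants equal to 2 come from the commit message.

```c
#include <stddef.h>
#include <stdint.h>

/* MIN_IE_LEN == ELEM_ID_EXTN_POS == 2 as stated in the commit message; the
 * other values are the standard 802.11 element layout and element IDs. */
enum { TAG_LEN_POS = 1, MIN_IE_LEN = 2, ELEM_ID_EXTN_POS = 2,
       EID_FRAGMENT = 242, EID_EXTENSION = 255, EXT_ID_SAMPLE = 107 };
/* Constructed samples; frag_buf's fragment declares 9 bytes with 1 left. */
static const uint8_t ie_trigger[] = { EID_EXTENSION, 0 };
static const uint8_t ie_valid[] = { 0, 0, EID_EXTENSION, 2, EXT_ID_SAMPLE, 1 };
static uint8_t frag_buf[260] = { [0] = 255, [1] = 255, [257] = EID_FRAGMENT, [258] = 9 };

/* Hypothetical hardened lookup; never reads past frame[len - 1]. */
const uint8_t *find_extn_eid_checked(uint8_t want, const uint8_t *frame, size_t len)
{
    while (len > MIN_IE_LEN) {          /* frame[ELEM_ID_EXTN_POS] is in bounds */
        size_t elen = frame[TAG_LEN_POS];
        if (elen > len - MIN_IE_LEN)    /* declared length overruns the buffer */
            return NULL;
        if (frame[0] == EID_EXTENSION && elen >= 1 && frame[ELEM_ID_EXTN_POS] == want)
            return frame;
        frame += MIN_IE_LEN + elen;
        len -= MIN_IE_LEN + elen;
    }
    return NULL;
}

/* Hypothetical defragmentation pre-pass: total payload of a lead element and
 * its Fragment elements, or -1 if a declared length exceeds what is left. */
long defrag_payload_len(const uint8_t *buf, size_t len)
{
    long total = 0;
    size_t elen;
    do {
        if (len < MIN_IE_LEN || (elen = buf[TAG_LEN_POS]) > len - MIN_IE_LEN)
            return -1;
        total += (long)elen;
        buf += MIN_IE_LEN + elen;
        len -= MIN_IE_LEN + elen;
    } while (elen == 255 && len >= MIN_IE_LEN && buf[0] == EID_FRAGMENT);
    return total;
}

int main(void)
{   /* exit status 0 when the constructed cases behave as described */
    return !(!find_extn_eid_checked(EXT_ID_SAMPLE, ie_trigger, sizeof ie_trigger) &&
             find_extn_eid_checked(EXT_ID_SAMPLE, ie_valid, sizeof ie_valid) == ie_valid + 2 &&
             defrag_payload_len(frag_buf, sizeof frag_buf) == -1);
}
```
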
Current max aid assignment doesn't consider start aid
which is causing start aid to be greater than max aid in
MBSSID MLO case.
This change accounts for start aid while updating max aid.
Change-Id: Ic6af28cd2599090538393082032932ba416b4c66
CRs-Fixed: 3220059
These utility functions help to parse the Probe Request Variant of
Multi-Link IE.
It implements 11BE draft 2.0 spec.
Change-Id: I09dcf47ef481278f5c74082002f83d9c8e2155a4
CRs-Fixed: 3213367