Currently, while parsing the per STA profile IE, driver tries to
access the EXTN element ID without checking IE len. When IE len
is zero, if driver tries to access the IE after IE header then it
will lead to out of bound error.
So, to fix this, add check for IE len before accessing it.
Change-Id: I30d3fae9aaedc0011a2d3415e273d5e32db2d56e
CRs-Fixed: 3852338
(cherry picked from commit 608d3ddcb6)
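The length check this commit message describes, as an added example that is not the driver's code: a walker over 802.11-style information elements that refuses to read the extension ID of a zero-length element. The function name, return codes and sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IE_HDR_LEN 2    /* element ID byte + length byte */
#define EID_EXTN   255  /* element ID that marks an extension element */

/*
 * Return the extension ID of the first extension element in buf,
 * -1 if there is none, or -2 if the buffer is malformed.
 * Hypothetical helper, not taken from the driver.
 */
int find_first_ext_id(const uint8_t *buf, size_t buf_len)
{
    size_t off = 0;

    while (buf_len - off >= IE_HDR_LEN) {
        uint8_t id  = buf[off];
        uint8_t len = buf[off + 1];

        /* The declared body must fit in what is left of the buffer. */
        if (len > buf_len - off - IE_HDR_LEN)
            return -2;

        if (id == EID_EXTN) {
            /* The extension ID is the first body byte. A zero-length
             * element has no body, so reading past the header here
             * would be the out-of-bounds access described above. */
            if (len < 1)
                return -2;
            return buf[off + IE_HDR_LEN];
        }
        off += IE_HDR_LEN + len;
    }
    /* Leftover bytes that cannot form a header mean a malformed buffer. */
    return (off == buf_len) ? -1 : -2;
}

/* Constructed sample inputs. */
static const uint8_t ie_ok[]    = { 0, 2, 'a', 'b', 255, 1, 107 };
static const uint8_t ie_zero[]  = { 255, 0 };       /* EXTN with len 0 */
static const uint8_t ie_short[] = { 255, 4, 107 };  /* body truncated  */
```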
Currently, wlan_logging event flags are defined as unsigned long
and kernel APIs (set_bit/test_bit/clear_bit) are used to operate
on this. But these APIs might expect an unsigned long array and
static analyzer tool reported the same as OOB access on this.
Use QDF APIs to define the bitmap and to operate on the bitmap
also which takes care of these.
Change-Id: Ied1c5cbfc82dc0185c79278bdaedfbd894527ef9
CRs-Fixed: 3865946
If a duplicate BSS with same BSSID and MLD address exists then it
can potentially override the scan entry in DB and later driver may
use this duplicate entry for connection whose freq and IEEE link id
could be different.
Crypto keys for each link are saved as a hash function of BSSID and
corresponding link's IEEE link id. So picking scan entry with wrong
link id will result in not finding crypto keys.
For link switch cases this error results in triggering disconnect but
the response of link switch goes as success as error is not properly
notified to mlo manager and FW expects valid crypto keys to be plumbed
before sending link switch success.
Add link id and frequency to scan filter for partner link connect and
link switch connect to avoid connection if scan entry is not found.
Change-Id: I0b400dd584e1a4fa4ee717e34308c1434083a6dd
CRs-Fixed: 3831342
Introduce APIs to fetch the self IEEE link id of the scan entry
and also add new fields to scan filter to enable filtering
entries matching the link id.
Change-Id: I5da8592dc60dbca4734601d746a1137655ee0b34
CRs-Fixed: 3843567
To avoid array index out of bound for chan_list->chan index use
qdf_min to fill chan_list->num_chan.
CRs-Fixed: 3776519
Change-Id: I33d5059a4f8da6637c2bbf69378cfad5d65ba1b5
Previously, the Host driver assigned a minimum score of 1 to
any candidate, if the BSSID was in the deny list.
This commit introduces a change to prioritize candidates based on
their link type. The new scoring system adds more weight to MLO
over SLO and Legacy links. The priority order is as follows:
MLO 3-link > MLO 2-link > SLO > Legacy.
Change-Id: I1bb8247d7a2ae88967c0949c0a51e32a3d8a44da
CRs-Fixed: 3855155
Currently, driver does not handle dual protected public(9) action
frame having vendor specific(9) action ID and it drops these
frames.
So, to allow these frames, add enum and check in the target if
layer.
Change-Id: I15d6fefaa794c5a6a3993c2ae013f362bc310eba
CRs-Fixed: 3844645
Peer id mismatch is observed when prefetch of HW
descriptor exceeds the last valid descriptor.
To fix this issue, add check to limit prefetch to
the last valid descriptor.
Change-Id: I01582892d55ed1f300d6806e1d8def46f747516b
CRs-Fixed: 3671814
Use proper format specifiers in dp_print_tso_stats,
also dp_tx_dump_tx_desc type cast variable as per
format specified to fix compilation issues.
Change-Id: Ic901144b15fb3a163eed6ad29400d0e3e668b4c6
CRs-Fixed: 3849167
If MLO peer attach fails for MLO VDEV, handle the failure and
remove the object manager peer and continue for next candidate
in case of initial connection.
Change-Id: Iba374f9b930db07bde84cea1cb18d36a0960c5b7
CRs-Fixed: 3844761
Below errors are observed with LTS 6.6.17:
htc_recv.c:49:4: error: 'snprintf' will always be truncated; specified \
size is 2, but format string expands to at least 5
[-Werror,-Wfortify-source].
htc_recv.c:58:3: error: 'snprintf' will always be truncated; specified \
size is 2, but format string expands to at least 5
[-Werror,-Wfortify-source].
Here, the compilation error is because the 2nd argument to snprintf is
using sizeof(byteOffset) which evaluates to 2 and the size of the buffer
we are writing to is 10 and when the format string content expands to
at least 5 characters, only 2 characters are written to the output string.
Fix is to use size of the buffer we are writing to as the
snprintf 2nd argument.
CRs-Fixed: 3763920
Change-Id: I156260d26df643cd68b2e5d7fb7bf5d95f8026b2
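The truncation this commit message describes, as an added example that is not the code from htc_recv.c: the same snprintf call bounded first by the size of the value being printed and then by the size of the destination. The format string "%04x:" and all function names are assumptions; the 10-byte buffer and the 2-byte byteOffset come from the message.

```c
#include <stdio.h>
#include <string.h>

#define OUT_LEN 10  /* destination size quoted in the commit message */

/* Returns 1 if snprintf had to truncate, 0 if the whole string fit. */
static int fmt_offset(char *out, size_t bound, unsigned short byteOffset)
{
    /* "%04x:" is a constructed format that expands to at least 5 chars. */
    int need = snprintf(out, bound, "%04x:", (unsigned int)byteOffset);

    /* snprintf returns the length it wanted to write, so a result
     * at or above the bound means the output was cut short. */
    return need < 0 || (size_t)need >= bound;
}

/* Bound taken from the value being printed: sizeof(unsigned short) is 2,
 * so only one character plus the terminator is ever written. */
int offset_with_value_size(char out[OUT_LEN], unsigned short byteOffset)
{
    return fmt_offset(out, sizeof(byteOffset), byteOffset);
}

/* Bound taken from the destination buffer, as the fix describes. */
int offset_with_buffer_size(char out[OUT_LEN], unsigned short byteOffset)
{
    return fmt_offset(out, OUT_LEN, byteOffset);
}
```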
Add APIs and callbacks to OSIF from CNX manager to notify
on assoc VDEV connect request becomes active in serialization.
Change-Id: Ica59c25199e0f09fc86b7311ae16d22f66af3b0c
CRs-Fixed: 3835003
Possible OOB Access array 'endpoint' of size '9' while calling
'log_packet_info' in below APIs:
get_htc_send_packets_credit_based()
get_htc_send_packets()
INT_MAX may be used to access array 'hif_ext_group->os_irq' of
size 16 in function hif_ipci_irq_set_affinity_hint().
Fix is to add index range check before accessing those arrays.
Change-Id: Iab40fe816d8dfcf1ffbf05987b11378ef0fe2572
CRs-Fixed: 3779968
Currently, when monitor interface is going down, buffer ring filters
are not being reset.
To fix this, set mv_dev to NULL after filter reset.
Change-Id: I7555acd6b4a54a362e36a43a970ab1c75e3c24c8
CRs-Fixed: 3841235
When roamed from MLO to SLO, clean up vdev1 link, and disable RSO,
but RSO isn't re-enabled when disconnect completed for vdev0 link in
same MLD existed, can't roam until next reconnect.
To fix it, when roamed from MLO to SLO, clean up vdev1 link, don't
disable RSO since it's internal disconnect, no wmi like vdev stop is
sent to F/W too, vdev1 is stopped by F/W already.
Change-Id: Ib83b15352e91cb8ef73fd42bc9a5e1c6181f4ea9
CRs-Fixed: 3844460
(cherry picked from commit ecbd818bb6)
RSO stop isn't sent to F/W before link vdev stop when MLO
disconnect, F/W will assert later.
To fix it, send RSO stop to assoc vdev before link vdev stop when MLO
disconnect.
RSO stop for internal link cleanup has no side effect, only RSO disable
clears the RCL in firmware.
Change-Id: Id11da42ebebf0d9966974cc913cf6618cea0cfbb
CRs-Fixed: 3835214
(cherry picked from commit b03b971b86)
Add logic to stitch MPDU from MSDU and
hold MPDU till PPDU_END tlv to update radiotap
header fields before submitting to stack for
local packet capture mode.
CRs-Fixed: 3821723
Change-Id: I7ac8127c1c0abfc747f37139c741dc69fb79a2a4
As part of disconnect driver clears copied connect request params
in sta_ctx. If driver receives connect request while already
connected, then an internal disconnect is triggered which will
clear the copied connect request params from the connect request.
Once this internal disconnect completes, connection on assoc link
will start with connect request params from the connection manager
request and has all the connect params saved. However on starting
partner link connect, driver relies on connect request params copied
to sta_ctx at the start of connect, which gets cleared in internal
disconnect. This will result in not having proper IEs for connect
and crypto params from that partner link will be invalid.
Before start of partner link connect, check if the sta_ctx
connect request params are valid. If not, fetch the connect req
params from assoc VDEV's connect request.
Change-Id: I6b1288320425a3d3be841f47cf027142ca27334f
CRs-Fixed: 3830536
Allocate memory and copy scan and assoc IEs from the current
active connect request command in cm_get_active_connect_req_param().
Change-Id: Ia3567fb81a28f30ce4cd6fd3441c66d0756a976f
CRs-Fixed: 3833104
Driver calls this function "util_get_ml_bv_partner_link_info"
frequently during scanning and this function can log the debug
prints frequently which can lead to crash due to excessive logging.
So, to avoid this, rate limit the logs in the function
"util_get_ml_bv_partner_link_info".
Change-Id: Iec778980aa2ce7aa1609622b90d64e784b2e7b1b
CRs-Fixed: 3753074
For MLO link vdev, during HO failure the disconnect sequence
is not completed resulting in disconnect command timeout.
Proceed to complete the disconnect sequence if RSO stop is
not sent in case of HO failure disconnect handling of the
MLO link vdev.
CRs-Fixed: 3825174
Change-Id: I5e7984928a8d175ae13e344dd442d868a0171e2d
RSO stop is skipped if disconnect reason is
REASON_FW_TRIGGERED_ROAM_FAILURE. It was done to avoid RSO stop
command for internal disconnect. But for HO failure also
same reason code is used with different source value.
In HO failure case firmware expects RSO stop and
roam deinit. Disconnect should continue after RSO stop response
is received.
Send RSO stop during HO failure disconnect.
CRs-Fixed: 3756884
Change-Id: Ia0300f3cf9f260c894a98845447885f62a67c8c3
If 3 SAP virtual iface are created first, then up, 3 MLD is
created during 3 vdev created, but 3rd failed to be added to
g_mlo_ctx->ml_dev_list for WLAN_UMAC_MLO_MAX_DEV limit, when the vdev
deleted, assert will happen when remove MLD from g_mlo_ctx->ml_dev_list.
To fix it, check MLD num before creating a new MLD, if reached MAX num,
return failed.
Change-Id: I88f6cca802e4bf53548aee67cb0dca09df23a94d
CRs-Fixed: 3799142
Issue is: Supplicant initiated abort scan, but host fails
to abort it.
Host assigns unique scan cmd_id across vdevs for the pdev
and all vdevs use same pdev serialization command queue
to enqueue and dequeue start or cancel scan command.
While processing cancel scan request, host uses unique
cmd_id of scan request to iterate among pdev serialization
cmd queue and if cmd_id is matched then that command id gets
flushed.
Currently host uses command id as well as vdev to cancel
scan request from pdev serialization command queue. This may
result in cancel scan request failure as passing vdev is
not mandatory here. Command id match is sufficient to delete
scan command from pdev serialization command queue.
Fix is to use only unique scan cmd_id to cancel scan request
from pdev serialization command queue.
CRs-Fixed: 3824149
Change-Id: I76668defb465bfad42704df289608da1c9dc7c40
Host driver opens adapter with ML-support having 2 vdevs and
1 MLD self peer. Now, during runtime, the country changes to
a non-11be supported region. This is followed by a set mac
address request from userspace, but since the EHT support
is disabled due to country change, the driver tries to lookup
the self peer using link mac address. But, since the peer is
created using MLD mac, the set mac address fails leading to
issues with DP-peer creation during connection.
To fix this, remove the EHT capability check from the adapter
routine and look up the peers and mac address only based on
the ML adapter configuration.
Change-Id: I104e348445944cce128a6918d3fbd119ba9488dc
CRs-Fixed: 3805214
Reap more entries from error ring if the number of
available entries is less than half of the ring entries.
Change-Id: I742f97e41c0e392f1e50bbd95ab625bd6168a8e5
CRs-Fixed: 3749873
Currently as part of TDLS connection if TDLS connection is formed
on secondary vdev, osif_vdev of secondary vdev is updated with
osif_vdev of primary vdev.
Due to osif_vdev update, during vdev delete 1st vdev will call
API to free osif_vdev. When 2nd vdev tries to access the osif_vdev
it will result in invalid pointer access.
As current change was done to handle case where osif_vdev
for MLO connection used to point to 2 different interfaces
and where secondary interface used to point to NULL/dummy netdev.
As per latest change osif_vdev will point to per vdev dp_link
which for MLO connection will have single interface. So osif_vdev
update is not required anymore.
So, to fix invalid/stale pointer issue remove osif_vdev update for
TDLS connection.
CRs-Fixed: 3814466
Change-Id: Icac13d88411ca572c9d5823a6bd2d3d5b1ba632f
Move the peer transition history infra under
WLAN_FEATURE_11BE_MLO_ADV_FEATURE flag to enable the changes
by default.
Change-Id: I8b0e07fb045b1e383af4b4144e31e8b709a8c83d
CRs-Fixed: 3802485
Initiate disconnect if VDEV repurpose fails for any reason
and the VDEV moves to disconnected state (not connected).
Change-Id: Ie6421f2430fc109b4f10c22f98c3dbf3909bb103
CRs-Fixed: 3797171
first_msdu_payload is updated for every WIFIRX_HEADER_E
TLV received in the status nbuf and this could result
in incorrect offset into the nbuf for the first MSDU
if the PPDU has multiple MPDUs. Also, the size variable
used is 8 bit for the calculation of offset into the nbuf
for the frame which could result in possible overflow.
Fix is to update first_msdu_payload only for the first
WIFIRX_HEADER_E TLV entry for a PPDU and increase the
width of size variable to avoid possible integer overflow.
Change-Id: Ic12cb11328fc1414bd7a68fa941fa0ef764c8b1f
CRs-Fixed: 3788496
Register TTLM notify API()
wlan_mlo_t2lm_register_link_update_notify_handler()
only for WIN.
For MCC, call wlan_register_t2lm_link_update_notify_handler()
to register the MCC handlers to receive link update
notification.
CRs-Fixed: 3764848
Change-Id: Iadf06a0879213d84753f2114b6c5fd4cfa1b8618