The pointer to chain mask capabilities is increased, and the number
of chainmask capabilities isn't checked for validity, which will cause
an OOB read of the list of chain mask capabilities.
Change-Id: I1f11fb49d545a4f88fe4d0734968dbe17c3f1a7e
CRs-Fixed: 2347661
When WMI_SERVICE_READY_EXT_EVENT is received from firmware, the
function extract_hw_mode_cap_service_ready_ext_tlv is called to
update the soc caps and other capabilities to the host. hw_caps
is extracted directly from the param_buf value received from the
firmware and hw_caps->num_hw_modes is used to traverse
through the hw_mode_caps and update the values to it from the
param_buf->hw_mode_caps, so hw_caps->num_hw_modes and
param_buf->hw_mode_caps need to be validated before they are used.
Change-Id: I459f0afce7701ddf1d041912e3406643d27a7f9c
CRs-Fixed: 2336910
In the call to QDF_TRACE_HEX_DUMP in extract_ndp_ind_tlv(),
the buffer event->ndp_cfg is dereferenced an additional time
and then the length number of bytes is read in hex_dump_to_buffer,
resulting in an OOB read.
As WMI logging is already enabled, remove the hex dump.
Change-Id: I1ebe2469a6bb2baefc76980405d97700c1c57b5c
CRs-Fixed: 2336856
In wlan_cfg80211_scan the number of ssids, ssid length and number of
channels are not checked against the max size of the array and thus can
lead to out-of-bounds memory access.
Fix is to add bound check before copying the params.
Change-Id: Ie6d4e546fb9c884d5988493b611ef7b217f0a95c
CRs-Fixed: 2375217
In extract_hal_reg_cap_tlv(), hal_reg_capabilities
can be optionally defined. This field can be NULL
resulting in a NULL pointer read. Add NULL pointer
check before qdf_memory_call().
Change-Id: I142bed65e80aa9b4bb88a4e68f74235dd50e3624
CRs-Fixed: 2368284
Per the Linux coding style both mixed-case names and so-called
Hungarian notation are frowned upon, so rename local variable
ptspecIE in send_set_ric_req_cmd_tlv() to align with the coding
style.
Note that there are other instances of mixed-case names in this
function, but these are global in scope and will need to be cleaned up
in a global effort.
Change-Id: I10780e2f751d1a1ed8f14a5ee4890794f498ec0b
CRs-Fixed: 2374719
Logs of the Spectral WMI interaction prints are under the
OL_SPECTRAL_DEBUG_CONFIG_INTERACTIONS macro and are disabled by default.
As the WMI logs are already controllable at runtime from qdf_cv_lvl,
there is no need for OL_SPECTRAL_DEBUG_CONFIG_INTERACTIONS anymore.
Change-Id: I3b89192de4deb420d853631064c20add894fb1e3
CRs-Fixed: 2369846
Rearrange the debug prints in the wmi path
so that valid information gets printed.
CRs-Fixed: 2368173
Change-Id: I8900eda444c9d1dee69f5c1e30662022580d2a7b
Validate that num_mem_reqs is less than the TLV size in the
extract_host_mem_req_tlv() function.
Change-Id: I88ebfc4bfe3abb9b0926990f5f777fc0d62e1fc1
CRs-Fixed: 2347667
Per the Linux coding style both mixed-case names and so-called
Hungarian notation are frowned upon, therefore replace the identifier
pAddPeriodicTxPtrnParams everywhere it occurs.
Change-Id: Id80fc4cd22a8e4af125f01b937e03eea0b898283
CRs-Fixed: 2371906
Both struct wmi_tdls_params and tdls_info are used when the TDLS component
sets FW states, which will potentially cause memory corruption. Use
enum wmi_tdls_state as the type of the tdls state.
Change-Id: Ia1e78a5c6d8aee9ab5166c0704dd7827f42c2457
CRs-Fixed: 2372452
wmi_unified_bcn_buf_ll_cmd in wmi_unified.h had compilation flag
CONFIG_MCL. To get rid of the compilation flag, a separate header
file is created.
Change-Id: I0bbcdf749f461f6880aacc1e3ef4e8e8fdc08ff6
CRs-Fixed: 2366773
Two new WCNSS_qcom.ini values "roam_score_delta" and
"roam_trigger_bitmap" are introduced. These values are sent to
firmware over the WMI command WMI_ROAM_AP_PROFILE over the
structure wmi_roam_cnd_scoring_param. The values to this
structure are populated from struct scoring_params.
Add roam_score_delta and roam_trigger_bitmap in scoring_param.
Populate these values from roam request to the structure
wmi_roam_cnd_scoring_param to be sent over the wmi command.
Change-Id: I012867e60ddf18a276250ef3bd27015f191d8a6a
CRs-Fixed: 2368263
Two new WCNSS_qcom.ini values "btm_validity_timer" and
"disassoc_timer" are introduced. These values are sent to
firmware over the structures wmi_roam_offload_tlv_param and
wmi_btm_config_fixed_param respectively. The values to this
structure are populated from struct roam_offload_scan_params.
Add rct_validity_timer in roam_offload_scan_params.
Populate these values from roam request to the structure
roam_offload_scan_params to be sent over the wmi command.
Change-Id: I6130e9966d520169b0f74b9726d35aa4fef6d81d
CRs-Fixed: 2369040
The firmware sends a new wmi event WMI_ROAM_BLACKLIST_EVENTID
to send the blacklist AP list.
Change-Id: I04fab853efbded48285ac063bb39c64f342c229b
CRs-Fixed: 2369107
Add changes to send bss_load_bss_sample_time over the wmi
command WMI_ROAM_BSS_LOAD_CONFIG_CMDID.
Change-Id: Iab882f0474071458ed8b8876d8edda987b76e94d
CRs-Fixed: 2372167
Populate the load bss trigger configuration values based on the
ini values and send them to firmware.
Add wmi changes to send bss load trigger config to firmware.
Change-Id: Ib2e21904bc7b8d87e5f51824d2694b90a3ac53f2
CRs-Fixed: 2367773
Add host support for db2dbm RSSI changes. Firmware
indicates this capability when the underlying hardware
has the RSSI reporting feature. Based on this capability
the host will know if firmware sends SNR or RSSI. If no
capability is present then the host will convert SNR to
RSSI using a fixed offset of -96. If the capability is
present the host will directly use the RSSI as it is.
Change-Id: I9058f16c6280d466feb96cf88a8a0d8cd7b02032
CRs-Fixed: 2364025
Spectral HW time stamp gets reset when a reset happens
within the target. This can potentially result in unpredictable
behaviour during classification. To mitigate this, a calculated
offset is added to the time stamp value in the FFT report.
HT = Spectral HW timer
AT = Actual time stamp in spectral report
CF = Time stamp correction factor
CT = Corrected time stamp
L = Time stamp in the last FFT report before reset
F = Time stamp in the first FFT report after reset
D = Time gap between the last spectral report before reset
and the end of reset (this is provided by FW via the direct
DMA framework)
              ***Target Reset***
                      ^
                      |
               |<---D---->|           time line--->
_______________________________________________________
^              ^          ^           ^
|              |          |           |
HT -->  0      L          0           F
AT -->  0      L                      F
CF -->  0      0                      (L+D)
CT -->  0      L                      (F+L+D)
Spectral driver corrects the time stamp received from target
using the following formula and sends upwards.
CT(Corrected time stamp) = AT(Actual time stamp) +
CF(Correction Factor)
Calculation of Correction factor (CF):-
---------------------------------------
Initialization : CF = 0
CF += (L + D) (Done only for the first spectral report after reset)
This scheme takes care of the wrap around in the 32 bit time stamp
which would have occurred if the timer was not restarted due to
target reset.
CRs-Fixed: 2356382 2355486
Change-Id: I17b55d39eb91eb03b867bcfddaf3eb03d1fc5d1b
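A worked version of the correction scheme in the commit above, added here as an illustration and not code from the qcacmn Spectral driver; the state struct, function names and the sample timestamp values are this example's own, and it also shows the 32-bit wrap-around case the message refers to.

```c
#include <stdbool.h>
#include <stdint.h>

/* Per-session state for the correction scheme. Names are this example's own. */
struct spectral_ts_state {
    uint32_t cf;       /* CF: accumulated correction factor, 0 at init */
    uint32_t last_at;  /* AT of the previous FFT report; it is L at a reset */
};

void spectral_ts_init(struct spectral_ts_state *st)
{
    st->cf = 0;
    st->last_at = 0;
}

/* Returns CT = AT + CF for one FFT report. first_after_reset marks the first
 * report after a target reset and d is the gap D firmware reports for it;
 * d is ignored for every other report. */
uint32_t spectral_correct_ts(struct spectral_ts_state *st, uint32_t at,
                             bool first_after_reset, uint32_t d)
{
    if (first_after_reset)
        st->cf += st->last_at + d;  /* CF += (L + D), once per reset */
    st->last_at = at;
    return at + st->cf;  /* uint32_t wraps exactly as a free-running HW timer would */
}

/* Replays the commit's table with constructed values: two reports, a reset,
 * then the first report after it. Returns the final CT. */
uint32_t spectral_demo_basic(void)
{
    struct spectral_ts_state st;
    spectral_ts_init(&st);
    spectral_correct_ts(&st, 100, false, 0);   /* CT = 100 */
    spectral_correct_ts(&st, 1000, false, 0);  /* L = 1000, CT = 1000 */
    /* target reset; firmware reports D = 30; timer restarts, F = 50 */
    return spectral_correct_ts(&st, 50, true, 30);  /* CT = F + L + D = 1080 */
}

/* Wrap-around case: L sits near 2^32, so CT wraps just as the uninterrupted
 * 32-bit timer would. Returns the elapsed time between the last report
 * before reset and the first one after it, computed from the corrected stamps. */
uint32_t spectral_demo_wrap(void)
{
    struct spectral_ts_state st;
    spectral_ts_init(&st);
    uint32_t ct_before = spectral_correct_ts(&st, 0xFFFFFF00u, false, 0);
    uint32_t ct_after = spectral_correct_ts(&st, 0x10u, true, 0x200u); /* CT = 0x110 */
    return ct_after - ct_before;  /* = D + F = 0x210 despite the wrap */
}
```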
After driver load and interface up, if the user changes the country code
and performs interface down, and the interface change timer then expires,
stop modules is invoked. When the user again tries to do interface up, as a
part of start modules, an update channel list indication comes from FW
with the default country info from the BDF file which overwrites the user
specified country information.
To resolve this issue, if current country is set by user and if
driver gets notification to update channel list from FW with
different country code during restart of wlan modules then ignore
master channel list and send the current user country to FW.
Change-Id: I0a0c57eda03827dc3fef59928569bf2f0bc32634
CRs-Fixed: 2340798
As part of supporting NAN DBS, new WMI TLVs are defined so
that Host can maintain the status of NAN Discovery in sync
with the Firmware. Move the older handlers into the NAN
related files. Also add modules to extract information from
the new TLVs and fill up the event parameters to pass
them to the NAN component. Add support for explicitly
disabling NAN due to concurrencies.
Add modules to handle and extract the info from NAN events.
Change-Id: Ic03baaaef45106353c211a813e11e33a90cd41ca
CRs-Fixed: 2338059
As part of the NAN Discovery DBS support, new vendor command
- QCA_NL80211_VENDOR_SUBCMD_NAN_EXT - has been defined that
can carry the binary blob encapsulated within an attribute
and can carry additional attributes to enhance the NAN command
interface. Add the related definitions to support this command.
Add definitions to support the new NAN EXT vendor command.
Change-Id: I83c12c7512066434f8974619e1d953ac78d3a40d
CRs-Fixed: 2339032
Currently there is no converged wmi_service enum for the
WMI_SERVICE_VDEV_LATENCY_CONFIG.
Add wmi_service_vdev_latency_config as the converged enum.
Change-Id: I90d54ccd507b4267cd7310b4e6e5b1473c7dc41c
CRs-Fixed: 2366187
The original definition of struct wmi_unified_pmk_cache had several
anomalies:
1) It contains an unnecessary tlv_header field. Only the fw-api
structs should contain TLV headers.
2) It contains a mis-named session_id field. Common structures should
use converged terminology, in this case vdev_id
Change If4be27111c604c16ea437aa654210cdff28220a7 ("qcacmn: Refine
struct wmi_unified_pmk_cache (phase 1)") completely addressed the
first issue, and as the first phase of fixing the second issue it
replaced the session_id field with an anonymous union which contains
both the existing session_id field and a new vdev_id field. Being part
of a union these fields will overlay each other.
For phase 2 replace the reference to session_id with a reference to
vdev_id in send_set_del_pmkid_cache_cmd_tlv().
Change-Id: Ie8cc453751b95c332e3df32794506a4bd3c324ad
CRs-Fixed: 2363431
Add WMI support to send action oui DISABLE_AGGRESSIVE_TX
to firmware to disable some of aggressive tx features for peer mac
when DUT is operating in softap mode.
Aggressive TX features disabled are SIFS bursting, assist and support of
more than 32 frames in AMPDU.
Change-Id: Iaad1917a6a4897cef4d65a8951d3d1f207a9167b
CRs-Fixed: 2364937
Add WMI support to send WMI_PEER_UNMAP_CONF_CMDID to FW
for peer unmap confirmation.
Change-Id: I1a260f840ed28f90568d9cba912cc5e5128c8c7d
CRs-Fixed: 2358066
Function send_pdev_set_dual_mac_config_cmd_tlv returns success even
if it fails to send WMI_PDEV_SET_MAC_CONFIG_CMDID. Thus the
e_sme_command_set_dual_mac_config cmd gets stuck in the active queue,
leading to an active command timeout.
Return failure if WMI_PDEV_SET_MAC_CONFIG_CMDID fails.
Change-Id: I9593c7369a4e152c8c233e60216ecd7fc301b944
CRs-Fixed: 2362270
WMI RX workqueue is created with the WQ_MEM_RECLAIM flag. When the host receives
the WMI service ready event it queues the work. There is a 50 sec delay in
scheduling the workqueue to process the WMI service ready event. This results in
a host timeout (timeout = 15 sec) and wifi load failure. This cleans up the
host data structures related to the data path. But the work got scheduled after
50 sec, resulting in init path handling with inconsistent data structures.
Use workqueue UNBOUND flag to create WMI RX workqueue. Works queued to
unbound workqueues are implicitly HIGHPRI and dispatched to unbound
workers as soon as resources are available.
Change-Id: I46eb0242ad88103268df99be9fd2e0759ebec4b2
CRs-Fixed: 2343181
This FR is to enhance the existing pktlog debug tool.
This feature will allow capturing pktlog for a particular
peer mac address.
Change-Id: I3676095536185f25b0d498e03f70246260a324fd
While handling the WMI_SERVICE_READY_EXT_EVENTID WMI FW event, a NULL
pointer dereference can occur if param_buf->hal_reg_caps is not checked.
Check param_buf->hal_reg_caps before dereferencing it to avoid NULL
pointer dereference.
Change-Id: I00eba5e89fbdde78979d19f492df5ad4dca8b80c
CRs-Fixed: 2347673
When CONFIG_MOBILE_ROUTER is enabled there are build failures
due to improper featurization of NAN, so fix the featurization.
Change-Id: I6bc11fb82394c2d32b328cb5d50ff974051755e1
CRs-Fixed: 2353170
Introduce a new wmi_send pdev param to enable/disable
"Subchannel Marking" in Firmware (only in Full Offload).
Change-Id: I3cd4f4f13ebca72c4505b6195cc8dc4856d41671
CRs-Fixed: 2334258
Current HTT_H2T messages from the host driver do not have
consistency in the message length set by the host driver. Some
message types include the HTC header length also within the
message length, while other types have the message length
itself only, which causes difficulty in handling the message
length in FW.
Change-Id: I885a21530a2d8f852387ae54cf7ee0751aad2516
CRs-Fixed: 2345075
Fix WMI message for peer channel width switching to account
for reserve space allocated in the message between num_peer
and chan_width_peer_list.
Change-Id: I5f0cec3c263cb68f44f0fcaa2aa26d120e807b1a
CRs-Fixed: 2352372
Remove the unused fields from the WMI unified vdev_start_params structure.
The channel information duplicated in vdev_start_params and
its sub structure channel is removed and all implementations
can use the channel sub structure directly.
Change-Id: I47cf4c4223111b6f564ec8336dbfcda4592e8e0c
CRs-Fixed: 2350505
When WMI_SAR_GET_LIMITS_EVENTID is received from firmware, the
function extract_sar_limit_event_tlv is called to update the SAR
limits for all the chains of each band. There is a for loop
defined to loop over each item in param_buf->sar_get_limits.
Since the param_buf->sar_get_limits could be either optionally
defined or not a part of the message at all there is a potential
NULL pointer dereference if sar_get_limits is not sent as part
of the WMI_SAR_GET_LIMITS_EVENTID event.
param_buf->sar_get_limits needs to be checked for NULL prior to
dereferencing it.
Change-Id: I93c07fa8048df97c6f6960b0db6df3bbc30e23b4
CRs-Fixed: 2336928
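The same defensive pattern underlies several of the fixes above (the chain mask capability count, hw_caps->num_hw_modes, num_mem_reqs, hal_reg_caps and sar_get_limits): an optional TLV array pointer must be NULL-checked, and a firmware-supplied count must be validated against the number of entries the parser actually found and against the host array size before it drives a copy. Added example, not qcacmn code; the structs, field names and sample event are simplified stand-ins for the parsed WMI TLV buffer, not the real layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified stand-in for a parsed firmware event; not the real
 * WMI TLV layout. The TLV parser fills in the pointers (NULL when an optional
 * TLV is absent) and the number of array entries actually present. */
struct hw_mode_caps_hdr { uint32_t num_hw_modes; };  /* firmware-supplied count */
struct hw_mode_cap { uint32_t hw_mode_id; uint32_t phy_id_map; };

struct param_buf {
    const struct hw_mode_caps_hdr *hw_caps;  /* NULL if the fixed param is missing */
    const struct hw_mode_cap *hw_mode_caps;  /* NULL if the optional array TLV is absent */
    uint32_t num_hw_mode_caps;               /* entries the parser really found */
};

#define HOST_MAX_HW_MODES 4

/* Copies the hw mode caps into the host array. Returns 0 on success and -1
 * when one of the checks the fixes above introduce would reject the event. */
int extract_hw_mode_caps(const struct param_buf *p,
                         struct hw_mode_cap out[HOST_MAX_HW_MODES], uint32_t *n_out)
{
    *n_out = 0;
    if (!p || !p->hw_caps)
        return -1;                      /* fixed param itself is missing */
    uint32_t n = p->hw_caps->num_hw_modes;
    if (n == 0)
        return 0;                       /* nothing to traverse */
    if (!p->hw_mode_caps)
        return -1;                      /* optional TLV absent: would be a NULL dereference */
    if (n > p->num_hw_mode_caps)
        return -1;                      /* count exceeds parsed entries: would be an OOB read */
    if (n > HOST_MAX_HW_MODES)
        return -1;                      /* would overflow the host array: OOB write */
    memcpy(out, p->hw_mode_caps, n * sizeof(out[0]));
    *n_out = n;
    return 0;
}

/* Drives the extractor with a constructed event whose header claims
 * `claimed` modes while only two array entries are actually present. */
int try_claimed_count(uint32_t claimed, uint32_t *n_out)
{
    static const struct hw_mode_cap caps[2] = { {0, 0x1}, {1, 0x3} };
    struct hw_mode_caps_hdr hdr = { claimed };
    struct param_buf p = { &hdr, caps, 2 };
    struct hw_mode_cap out[HOST_MAX_HW_MODES];
    return extract_hw_mode_caps(&p, out, n_out);
}
```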