While handling the WMI_HOST_SWBA_EVENTID WMI FW event, the driver invokes
the corresponding wma handler, wma_beacon_swba_handler. The event argument
comes directly from the FW. Towards the end of the function,
wma_beacon_swba_handler invokes wma_send_bcn_buf_ll and passes the
original TLV structure, param_buf, as an argument. wma_send_bcn_buf_ll
pulls tim_info and p2p_noa_info from the param_buf structure. These
structures can be optionally defined in the message with zero length,
resulting in them being NULL pointers. Later, throughout the function,
they are dereferenced without ever checking if they are in fact NULL.

Fix is to make sure that, in wma_send_bcn_buf_ll, param_buf->tim_info and
param_buf->p2p_noa_info are dereferenced only after a NULL check.
Change-Id: Ic27b59dd35f74413e9a978627047855e655b9ed1
CRs-Fixed: 2331956

Check if rs_results->total_num_tx_power_levels is allocated before
checking the OOB in wma_unified_radio_tx_power_level_stats_event_handler
for new fixed_param->total_num_tx_power_levels.
Change-Id: I3e3caf295fad568ecc8e294e6224356ea8a84da6
CRs-Fixed: 2333042

hdd_set_csr_auth_type sets roam profile auth type on the basis
of pHddStaCtx->conn_info.authType. Currently, if supplicant
sends pHddStaCtx->conn_info.authType = eCSR_AUTH_TYPE_AUTOSWITCH,
driver is not handling this case and by default sets
eCSR_AUTH_TYPE_UNKNOWN. When scan results are obtained, driver is
not able to match the auth type in csrIsSecurityMatch as it's set
to UNKNOWN. This leads to connection failure in FT roaming.
Fix is to set proper value of pRoamProfile->AuthType in case of
pHddStaCtx->conn_info.authType = eCSR_AUTH_TYPE_AUTOSWITCH.
Change-Id: I203f71606ee424340b447caecb91aded18c029b0
CRs-Fixed: 2327541

If DFS CAC is offloaded, the SAP VDEV state machine does not move to
CAC wait state and thus stop AP and radar indications are dropped.
This leads to del_self_sta without del_bss.
To fix this, move the SAP VDEV state machine to cac wait state when
dfs cac offload is set.
Change-Id: I0b526974a4586b41f5a4b1ea5968721f444c610b
CRs-Fixed: 2332087

The APIs below log failure with caller information,
so there is no need for logs at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: Ia1ec91d07ef014428921e7a88d8836266b378204
CRs-Fixed: 2331224

The APIs below log failure with caller information,
so there is no need for logs at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I18dc9026be41bf1bf63fa2b1eec89b2ea18dc0bf
CRs-Fixed: 2331224

Enable TSF for Adrastea arch on Vipertooth chip firstly and
expose TSF time mapping via file system
CRs-Fixed: 2320218
Change-Id: Ifda0d8035717ad21edb1a393ef32f1157ab59105

During performance testing, system stability issues were observed which
were attributed to excess logging in hdd_check_wext_control(). In
order to avoid such issues, rate limit those messages.
Change-Id: Ia0fa6f8a3fd7150ab3b8f2417bdb5087241c51e3
CRs-Fixed: 2332711

Avoid excessive console logging from NUD stats cb which
can lead to watchdog error.
Change-Id: Ida3c732fd5fe4c9ea0f9e08df2bf1656023bb810
CRs-Fixed: 2332618

When disconnect is issued from userspace, lim_del_bss is invoked
and vdev stop is sent to firmware. If sending vdev stop fails,
WMA_DELETE_BSS_RSP is posted with failure. If an SSR is
happening during this time, then cds_mc_thread is preempted, and
as part of the pld uevent, vdev resp queue cleanup is done. In
this path, lim_process_sta_mlm_del_bss_rsp is called and
msg->bodyptr is freed and pe session is deleted. After pld
uevent execution, the delete bss response processing in
cds_mc_thread as part of user space disconnect resumes and tries
to free the msg->bodyptr again. This results in double free.
Set msg->bodyptr to NULL after freeing the memory.
Change-Id: I851a5ddcae47cffe450dffafa31570895620bd9c
CRs-Fixed: 2332677
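
The double free described in the commit message above, reduced to a stand-alone model. This is an added example, not code from the driver: the one-slot allocator, the two handler functions and `process_twice` are hypothetical names used only to make the second free observable.

```c
#include <stddef.h>

/* All names here are hypothetical stand-ins, not the driver's own types. */
struct body { int in_use; };
struct msg  { void *bodyptr; };

static struct body slot;      /* one-slot allocator, so a second free is observable */
static int double_frees;      /* incremented instead of corrupting a real heap */

static void *body_alloc(void)
{
    slot.in_use = 1;
    return &slot;
}

static void body_free(void *p)
{
    struct body *b = p;
    if (!b)
        return;               /* freeing NULL is a no-op, as with free()/kfree() */
    if (!b->in_use) {
        double_frees++;       /* same pointer released twice */
        return;
    }
    b->in_use = 0;
}

/* Before the fix: the stale pointer stays in the message. */
static void del_bss_rsp_unfixed(struct msg *m)
{
    body_free(m->bodyptr);
}

/* After the fix: clear the pointer so a later pass frees nothing. */
static void del_bss_rsp_fixed(struct msg *m)
{
    body_free(m->bodyptr);
    m->bodyptr = NULL;
}

/* Process one response twice: once from the cleanup path that preempted
 * the thread, once when the thread resumes. Returns the double-free count. */
static int process_twice(void (*handler)(struct msg *))
{
    struct msg m = { .bodyptr = body_alloc() };
    double_frees = 0;
    handler(&m);              /* vdev response queue cleanup path */
    handler(&m);              /* resumed delete-bss response processing */
    return double_frees;
}
```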

__wlan_hdd_cfg80211_change_iface() has a number of obvious style issues.
Lightly refactor __wlan_hdd_cfg80211_change_iface() to address the low
hanging fruit.
Change-Id: Ib2efa7405e986e73a5c5b6fc7e5509eeebd2e6f3
CRs-Fixed: 2330973

wlan_hdd_cfg80211_set_txpower() currently expects the input power to
be in units of dBm. However, cfg80211 specifies the set_tx_power()
method will pass the power in mBm, and that to get dBm the driver
should use MBM_TO_DBM(). The userspace tool "iw" also expects the
power to be in mBm.

In order to comply with the definition of cfg80211, change the
implementation of wlan_hdd_cfg80211_set_txpower() to expect the power
in mBm and use MBM_TO_DBM() to convert the power to dBm. But for
backward compatibility with userspace entities which are expecting the
current implementation, if the converted power is 0 then assume the
input power is already in dBm and use it without conversion.
Change-Id: I7c64f7ac14249a307357c91f8bea4dad8d59ff28
CRs-Fixed: 2331003

Update the mac_open and mac_close APIs as follows:
1) Fully document the interfaces (not the implementation).
2) Utilize the new mac_handle_t abstraction
3) Clean up local coding style violations
Change-Id: I9b047c3951b7f8c8831cec0b0a1aa3c521b32e6c
CRs-Fixed: 2332042

Currently, the command timeout value in serialization for start_bss
and stop_bss commands for SAP is set to 30 seconds, which is too high.
Reduce the command timeout value for SAP start_bss and stop_bss
commands in serialization to 10 seconds.
Change-Id: I1bcfe13de92a703ec55445b344a502f7843bbed8
CRs-Fixed: 2331830

Currently, a ref count for VDEV is taken while posting the SME command
to serialization in csr_set_serialization_params_to_cmd called from
csr_queue_sme_command. However, once the command is posted to serialization
queue, the VDEV ref count is released, which could lead to the VDEV
object being used from the serialization callback without holding the ref count.
Release the VDEV ref count only if the posting to serialization module
fails and for success cases, release the ref count from
sme_ser_cmd_callback under the WLAN_SER_CB_RELEASE_MEM_CMD case.
Change-Id: I8d573ff5a25e6dff928b2708e51ad7b97e292277
CRs-Fixed: 2331716

Driver won't handle the ps in disconnected state. But kernel can
give ps enable/disable command in non-associated state; hence return
success without posting the request to FW.
Change-Id: I6b559c30cff816c2ba056ef23633fb350e867db7
CRs-Fixed: 2321744

noise_floor_weight is defined as unsigned in
sap_weight_channel_noise_floor(), but is checked
for value less than 0, which will never be true.
Change-Id: Idd8215c479eeae2ffd712434aae740f8465a8b45
CRs-Fixed: 2310624

When vdev restart response is received for channel switch during
CSA, we set the phy mode in firmware and then send vdev up. But
even if the restart request has failed, host sends vdev up. This
is wrong as firmware expects vdev up only after vdev start is
successful.
If vdev restart is rejected, don't send vdev up to firmware.
Instead, send WMA_SWITCH_CHANNEL_RSP with failure status.
Change-Id: I1f1ba860abeb0d25e90fd9b9977f02153aca81af
CRs-Fixed: 2331485

QCA6290 non-AX chipset is deprecated, so enable changes for QCA6290 AX
chipset by default.
Change-Id: I09b52dc58c1a79e36502671de94021d5940d0072
CRs-fixed: 2331182

Check for dhcp packet type before processing on packet sta_id.
This reduces per packet mem_copy and mem_cmp instructions for
sap Rx.
Change-Id: I4a2732ff4d9e3fa31aace25cc824f26b0c339b52
CRs-Fixed: 2331420

In proc_dnld_rsp, pHdr->sBufSize is coming from fw message
which could not be trusted. Before its use, proc_dnld_rsp
should verify it against its max allowed size (UINT_MAX).
Fix is to add a sanity check for pHdr->sBufSize against UINT_MAX
before its use.
Change-Id: I6ec970483af860d5e42d6adac640274743f44f1a
CRs-Fixed: 2308333

There is no sanity check for hdd context and sap config in
start acs api which may lead to NULL pointer access.
To avoid this issue, validate hdd context and sap config
before accessing these pointers.
Change-Id: I0a3f6a91a6bc5a517c035c9e7d706e66aea62fd4
CRs-Fixed: 2331412

Currently only the WLAN_SER_CMD_DENIED_UNSPECIFIED is returned as
failure to HDD when a command is posted into serialization from
SME/CSR. This can lead to HDD getting a status as success if the
command posting failed due to some other reason code in serialization
like WLAN_SER_CMD_DENIED_LIST_FULL.
Handle all serialization reason codes in csr_queue_sme_command API.
Change-Id: Icce5b9f560320b99feb985dead9d06489caa8b5c
CRs-Fixed: 2330852

Currently, function wlan_hdd_cfg80211_start_bss() copies
supported rates and extended rates from the information element pointer
without checking for array bounds, which may cause OOB access.
To address this issue, add length checks before copying supported
rates and extended rates.
Change-Id: Ic6363e97bb3498a5dd23bc5e5f9b9f3ce093509d
CRs-Fixed: 2312995
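
A length check before copying rates out of an information element, as the commit message above describes. This is an added example, not the driver's code: `find_ie`, `copy_rates`, `struct rate_set`, the `MAX_RATES` capacity of 12 and the sample buffer are assumptions made for illustration; only the two element IDs come from IEEE 802.11.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EID_SUPP_RATES     1    /* IEEE 802.11 Supported Rates */
#define EID_EXT_SUPP_RATES 50   /* IEEE 802.11 Extended Supported Rates */
#define MAX_RATES          12   /* assumed destination capacity */

struct rate_set { uint8_t num; uint8_t rates[MAX_RATES]; };  /* hypothetical */

/* Constructed IE buffer: a 4-byte Supported Rates element followed by an
 * Extended Supported Rates element that claims 16 bytes. */
static const uint8_t sample_ies[] = {
    EID_SUPP_RATES, 4, 0x82, 0x84, 0x8b, 0x96,
    EID_EXT_SUPP_RATES, 16, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16,
};

/* Return the first element with this ID, or NULL if it is absent or the
 * buffer ends before an element's declared length. */
static const uint8_t *find_ie(uint8_t eid, const uint8_t *ies, size_t len)
{
    size_t off = 0;
    while (len - off >= 2) {
        size_t elen = ies[off + 1];
        if (elen > len - off - 2)
            return NULL;            /* element body runs past the buffer */
        if (ies[off] == eid)
            return &ies[off];
        off += 2 + elen;
    }
    return NULL;
}

/* Copy a rates element into dst. Returns 0 on success (dst stays empty if
 * the element is not found), -1 if it would overflow dst->rates. */
static int copy_rates(uint8_t eid, const uint8_t *ies, size_t len,
                      struct rate_set *dst)
{
    const uint8_t *ie = find_ie(eid, ies, len);

    memset(dst, 0, sizeof(*dst));
    if (!ie)
        return 0;
    if (ie[1] > sizeof(dst->rates))
        return -1;                  /* length check before the copy */
    dst->num = ie[1];
    memcpy(dst->rates, ie + 2, ie[1]);
    return 0;
}
```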