Fix length check and add sub_copy and length
subie_len checks before accessing extn_elem to avoid any
OOB read.
Change-Id: I85ea636d5fe64e8508e91b06f0302d5f6258e583
CRs-Fixed: 3800831
Currently HAL_RX_GET_64 is used in monitor API to access TLV fields
In case of kiwi TLVs has 64-bit tlv fields. But in case of peach
tlv fields are changed to 32-bit which is results in wrong value
access.
To fix the issue use HAL_RX_GET and define common 32-bit HAL macros
to access TLV fields.
CRs-Fixed: 3694842
Change-Id: I9eee7e7e25147863f11f59655693dfea2b1832a0
Currently, qdf_set_bit()/qdf_clear_bit()/qdf_test_bit() APIs are
used to operate on the event_flag in logger_thread. These APIs
use non-atomic kernel APIs __set_bit()/__clear_bit()/__test_bit()
and the operation is indeterministic when system syspend/resume
happens.
Use atomic APIs(qdf_atomic_*) to avoid this.
Change-Id: I52d1c608f9845ed6c98975f2455035c8587bfd72
CRs-Fixed: 3890216
(cherry picked from commit 3aaddb2c45)
IP multicast check for IPv4 was failing as the big endian
conversion was not being done and wrong values were being checked.
Do ntohs conversion on macros to check if packet is mcast packet.
In IPv6 check, the word is being checked instead of first byte.
Check only first byte when checking for ipv6 multicast address.
Change-Id: I686cdef7957778f9c60f2dc919421d39c4b8b71c
CRs-Fixed: 3824229
When MLO STA connects to a specified buggy MLO AP with PMKID in assoc
req, it consistently fails and then retries with a downgraded SLO
candidate, which eventually succeeds. However, the customer expects MLMR
connection.
To address this, when select this buggy AP, we avoid generating
downgraded SLO/11AX candidates, use full SAE auth instead of existed PMKSA,
and don't add PMKID in RSNIEof assoc req when connect.
Change-Id: I8e446544b2fdbae089840713bc8bc93c601f1863
CRs-Fixed: 3888074
When util_scan_copy_cache_entry return NULL for out of buffers,
NULL pointer dereference happens.
To fix it, check return pointer of util_scan_copy_cache_entry
before use it.
Change-Id: Iec5e6f10c8e0bbe6b88d844cc00320f3f23191a4
CRs-Fixed: 3885075
Currently, When connection failure happens with MLO
AP then all combinations of that MLO AP are tried until
the partner links become 0/SLO.If AP configured links are
more than supported links and AP doesn't support EHT then
AP disconnects with reason EHT not supported and STA will not
be able to connect to that AP as STA tries combination till SLO
but all combinations are 11BE only.
To Fix above scenario add a 11AX entry in candidate table, so that
connection can be tried with 11AX if all combination fails or failure
reason clears that 11BE association is not possible.
Change-Id: Ibde68f44a1367c9af160201bc677dd97b1897c06
CRs-Fixed: 3779644
There could be a case when SLO and 11AX entry has same score. In
that case consider MLO candidate first and then move to 11AX in case
of failure.
Change-Id: I4e24ff45a23e9f620b7c2894f26223c55828c8bd
CRs-Fixed: 3779623
As current MLO RSSI algorithm, MLO RSSI score is quite worse
than that of better link if worse link RSSI is poor, which may
make MLO candidate score worse than link candidate score, SLO
candidate is selected to connect instead of MLO candidate.
To fix it, for DBS/HBS MLO candidate, boost total score 10%.
Optimize MLO rssi score algorithm as following:
MLO-RSSI = [BW1/(BW1+BW2) ]* RSSI1 + [BW2/(BW1+BW2) ]* RSSI2.
CRs-Fixed: 3776301
Change-Id: I16d65b2a70cd0ca0daba47b116c8627f995d5157
Currently, while parsing the per STA profile IE, driver tries to
access the EXTN element ID without checking IE len. When IE len
is zero, if driver tries to access the IE after IE header then it
will leads to out of bound error.
So, to fix this, add check for IE len before accessing it.
Change-Id: I30d3fae9aaedc0011a2d3415e273d5e32db2d56e
CRs-Fixed: 3852338
(cherry picked from commit 608d3ddcb6)
Currently, qdf_set_bit()/qdf_clear_bit()/qdf_test_bit() APIs are
used to operate on the event_flag in logger_thread. These APIs
use non-atomic kernel APIs __set_bit()/__clear_bit()/__test_bit()
and the operation is indeterministic when system syspend/resume
happens.
Use atomic APIs(qdf_atomic_*) to avoid this.
Change-Id: I52d1c608f9845ed6c98975f2455035c8587bfd72
CRs-Fixed: 3890216
There can be a possibility that some 6 GHz channels are enabled
for STA/CLI/NAN but disabled for SAP/GO. As part of get usable
channel list request there is no logic to validate if these 6 GHz
channels are disabled for SAP/GO, hence these channels are not
getting removed for get usable channel list request for SAP/GO.
To address this issue remove 6 GHz channels from usable channel
list, if frequency not valid for SAP/GO.
Change-Id: I8171f5d3e3747e28785e0515c87346cd53ff7712
CRs-Fixed: 3874255
Currently, while parsing the per STA profile IE, driver tries to
access the EXTN element ID without checking IE len. When IE len
is zero, if driver tries to access the IE after IE header then it
will leads to out of bound error.
So, to fix this, add check for IE len before accessing it.
Change-Id: I30d3fae9aaedc0011a2d3415e273d5e32db2d56e
CRs-Fixed: 3852338
Reduce the OUI length to 2 bytes for vendor IE to include
just the OUI and the type and omit the body as it is not
mandatory.
CRs-Fixed: 3842063
Change-Id: I42f1b2d6c57da82f859b9917a1e5229273f75263
Currently, wlan_logging event flags is defined as unsigned long
and kernel APIs(set_bit/test_bit/clear_bit) are used to operate
on this. But these APIs might expect an unsigned long array and
static analyzer tool reported the same as OOB access on this.
Use QDF APIs to define the bitmap and to operate on the bitmap
also which takes care of these.
Change-Id: Ied1c5cbfc82dc0185c79278bdaedfbd894527ef9
CRs-Fixed: 3865946
If a duplicate BSS with same BSSID and MLD address exists then it
can potentially override the scan entry in DB and later driver may
use this duplicate entry for connection whose freq and IEEE link id
could be different.
Crypto keys for each link is saved as a hash function of BSSID and
corresponding link's IEEE link id. So picking scan entry with wrong
link id will result in not finding crypto keys.
For link switch cases this error results in triggering disconnect but
the response of link switch goes as success as error is not properly
notified to mlo manager and FW expects valid crypto keys to be plumbed
before sending link switch success.
Add link id and frequency to scan filter for partner link connect and
link switch connect to avoid connection if scan entry is not found.
Change-Id: I0b400dd584e1a4fa4ee717e34308c1434083a6dd
CRs-Fixed: 3831342
Introduce APIs to fetch the self IEEE link id of the scan entry
and also add new fields to scan filter to enable filtering
entries matching the link id.
Change-Id: I5da8592dc60dbca4734601d746a1137655ee0b34
CRs-Fixed: 3843567
To avoid array index out of bound for chan_list->chan index use
qdf_min to fill chan_list->num_chan.
CRs-Fixed: 3776519
Change-Id: I33d5059a4f8da6637c2bbf69378cfad5d65ba1b5
Previously, the Host driver assigned a minimum score of 1 to
any candidate, if the BSSID was in the deny list.
This commit introduces a change to prioritize candidates based on
their link type. The new scoring system adds more weight to MLO
over SLO and Legacy links. The priority order is as follows:
MLO 3-link > MLO 2-link > SLO > Legacy.
Change-Id: I1bb8247d7a2ae88967c0949c0a51e32a3d8a44da
CRs-Fixed: 3855155
Currently, driver does not handle dual protected public(9) action
frame having vendor specific(9) action ID and it drops these
frames.
So, to allow these frame, add enum and check in the target if
layer.
Change-Id: I15d6fefaa794c5a6a3993c2ae013f362bc310eba
CRs-Fixed: 3844645
Peer id mismatch is observed when prefetch of HW
descriptor exceeds the last valid descriptor.
To fix this issue, add check to limit prefetch to
the last valid descriptor.
Change-Id: I01582892d55ed1f300d6806e1d8def46f747516b
CRs-Fixed: 3671814
Use proper format specifiers in dp_print_tso_stats,
also dp_tx_dump_tx_desc type cast variable as per
format specified to fix compilation issues.
Change-Id: Ic901144b15fb3a163eed6ad29400d0e3e668b4c6
CRs-Fixed: 3849167
If MLO peer attach fails for MLO VDEV, handle the failure and
remove the object manager peer and continue for next candidate
incase of initial connection.
Change-Id: Iba374f9b930db07bde84cea1cb18d36a0960c5b7
CRs-Fixed: 3844761
Below errors are observed with LTS 6.6.17:
htc_recv.c:49:4: error: 'snprintf' will always be truncated; specified \
size is 2, but format string expands to at least 5
[-Werror,-Wfortify-source].
htc_recv.c:58:3: error: 'snprintf' will always be truncated; specified \
size is 2, but format string expands to at least 5
[-Werror,-Wfortify-source].
Here, the compilation error is because the 2nd argument to snprintf is
using sizeof(byteOffset) which evaluates to 2 and the size of the buffer
we are writing to is 10 and when the format string content expands to
atleast 5 characters, only 2 characters are written to the output string.
Fix is to use size of the buffer we are writing to as the
snprintf 2nd argument.
CRs-Fixed: 3763920
Change-Id: I156260d26df643cd68b2e5d7fb7bf5d95f8026b2
Add APIs and callbacks to OSIF from CNX manager to notify
on assoc VDEV connect request becomes active in serialization.
Change-Id: Ica59c25199e0f09fc86b7311ae16d22f66af3b0c
CRs-Fixed: 3835003
Possible OOB Access array 'endpoint' of size '9' while calling
'log_packet_info' in below APIs:
get_htc_send_packets_credit_based()
get_htc_send_packets()
INT_MAX may be used to access array 'hif_ext_group->os_irq' of
size 16 in function hif_ipci_irq_set_affinity_hint().
Fix is to add index range check before accessing those arrays.
Change-Id: Iab40fe816d8dfcf1ffbf05987b11378ef0fe2572
CRs-Fixed: 3779968
Currently, when monitor interface is going down, buffer ring filters
are not being reset.
To fix this, set mv_dev to NULL after filter reset.
Change-Id: I7555acd6b4a54a362e36a43a970ab1c75e3c24c8
CRs-Fixed: 3841235
When roamed from MLO to SLO, clean up vdev1 link, and disable RSO,
but RSO isn't re-enabled when disconnect completed for vdev0 link in
same MLD existed, can't roam until next reconnect.
To fix it, When roamed from MLO to SLO, clean up vdev1 link, don't
disable RSO since it's internal disconnect, no wmi like vdev stop is
sent to F/W too, vdev1 is stopped by F/W already.
Change-Id: Ib83b15352e91cb8ef73fd42bc9a5e1c6181f4ea9
CRs-Fixed: 3844460
(cherry picked from commit ecbd818bb6)
RSO stop isn't sent to F/W before link vdev stop when MLO
disconnect, F/W will assert later
To fix it, Send RSO stop to assoc vdev before link vdev stop when MLO
disconnect.
RSO stop for internal link cleanup has no side effect, only RSO disable
clears the RCL in firmware.
Change-Id: Id11da42ebebf0d9966974cc913cf6618cea0cfbb
CRs-Fixed: 3835214
(cherry picked from commit b03b971b86)
When roamed from MLO to SLO, clean up vdev1 link, and disable RSO,
but RSO isn't re-enabled when disconnect completed for vdev0 link in
same MLD existed, can't roam until next reconnect.
To fix it, When roamed from MLO to SLO, clean up vdev1 link, don't
disable RSO since it's internal disconnect, no wmi like vdev stop is
sent to F/W too, vdev1 is stopped by F/W already.
Change-Id: Ib83b15352e91cb8ef73fd42bc9a5e1c6181f4ea9
CRs-Fixed: 3844460
RSO stop isn't sent to F/W before link vdev stop when MLO
disconnect, F/W will assert later
To fix it, Send RSO stop to assoc vdev before link vdev stop when MLO
disconnect.
RSO stop for internal link cleanup has no side effect, only RSO disable
clears the RCL in firmware.
Change-Id: Id11da42ebebf0d9966974cc913cf6618cea0cfbb
CRs-Fixed: 3835214
Add logic to stitch MPDU from MSDU and
hold MPDU till PPDU_END tlv to update radiotap
header fields before submitting to stack for
local packet capture mode.
CRs-Fixed: 3821723
Change-Id: I7ac8127c1c0abfc747f37139c741dc69fb79a2a4
As part of disconnect driver clears copied connect request params
in sta_ctx. If driver receives connect request while already
connected, then an internal disconnect is triggered which will
clear the copied connect request params from the connect request.
Once this internal disconnect completes, connection on assoc link
will start with connect request params from the connection manager
request and has all the connect params saved. However on starting
partner link connect, driver relies on connect request params copied
to sta_ctx at the start of connect, which gets cleared in internal
disconnect this will result in not having proper IEs for connect
and crypto params from that partner link will be invalid.
Before start of partner link connect, check if the sta_ctx
connect request params are valid. If not, fetch the connect req
params from assoc VDEV's connect request.
Change-Id: I6b1288320425a3d3be841f47cf027142ca27334f
CRs-Fixed: 3830536
Allocate memory and copy scan and assoc IEs from the current
active connect request command in cm_get_active_connect_req_param().
Change-Id: Ia3567fb81a28f30ce4cd6fd3441c66d0756a976f
CRs-Fixed: 3833104
Driver calls this function "util_get_ml_bv_partner_link_info"
frequently during scanning and this function can logs the debug
prints frequently which can lead to crash due to excessive logging.
So, to avoid this, rate limit the logs in the function
"util_get_ml_bv_partner_link_info".
Change-Id: Iec778980aa2ce7aa1609622b90d64e784b2e7b1b
CRs-Fixed: 3753074
