| 77cebf70 | 18-Mar-2024 |
Krupali Dhanvijay <quic_kdhanvij@quicinc.com> |
qcacmn: Add check to avoid NULL pointer deference in parse MBSSID
In malformed beacon frame may deference the NULL pointer while
parsing MBSSID IE in util_scan_parse_mbssid will lead to crash.
Add
qcacmn: Add check to avoid NULL pointer deference in parse MBSSID
In malformed beacon frame may deference the NULL pointer while
parsing MBSSID IE in util_scan_parse_mbssid will lead to crash.
Add check in util_scan_parse_mbsssid for split_prof_start before
passing to util_gen_new_ie and assign zero to split_prof_len
whenever split_prof_start freed to avoid unanticipated scenario.
Change-Id: Ibb9739d6b5d1775ab52d59f9aa5050ca693cd926
CRs-Fixed: 3717571
show more ...
|
| ba7f3371 | 20-Feb-2024 |
Pragaspathi Thilagaraj <quic_tpragasp@quicinc.com> |
qcacmn: Set LTF keyseed required for existing peer also
LTF keyseed required flag is set only for newly created PASN
peer. This value is filled from the security mode value received
the PASN peer cr
qcacmn: Set LTF keyseed required for existing peer also
LTF keyseed required flag is set only for newly created PASN
peer. This value is filled from the security mode value received
the PASN peer create request event from the firmware.
If PASN peer already exists, then the peer is just added to the
peer list and secure LTF keyseed required flag is not updated.
This leads to wrong sequence of commands going to firmware.
Expected sequence: Install TK -> Set LTF keyseed -> PASN Auth
STATUS.
Observed Sequence: Install TK -> PASN Auth status -> Set LTF
keyseed -> PASN Auth status.
So set the is_ltf_keyseed required flag for already existing
PASN peer also
Change-Id: If9994ad01a96bdb26ad55538a67feaed7e22892f
CRs-Fixed: 3742573
show more ...
|
| 99f24676 | 11-Mar-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Use only partner links with valid scan entry
If the scan entries for a non-tx profile MBSSID partner links
are not present at the time of candidate selection, then
host driver generates the
qcacmn: Use only partner links with valid scan entry
If the scan entries for a non-tx profile MBSSID partner links
are not present at the time of candidate selection, then
host driver generates the scan entry for the missing partner
link from the assoc response.
The assoc response from the AP has PMKID in the RSN(some APs
do not include RSN IE in assoc resp).In this case, the RSN
along with PMKID gets inherited into the scan cache of the
missing partner and this leads to mismatch between M3 and
scan entry RSN causing disconnection.
To fix this, mark all the MBSSID partners without scan entries
as invalid links at the time of candidate shortlisting. Score
and connect to only non-tx candidates with valid scan entries.
Remove the probe response generation from assoc response logic.
Change-Id: I342519490ead2a2e91426439cf47e65c61b53aed
CRs-Fixed: 3766047
show more ...
|
| 3ea1cbb9 | 11-Mar-2024 |
Vinod Kumar Pirla <quic_vpirla@quicinc.com> |
qcacmn: Introduce APIs to save peer create and destroy hist
Add new structures, enums and APIs to enhance driver support
to store peer create and destroy history in PSOC.
Add new list to MLME's PSO
qcacmn: Introduce APIs to save peer create and destroy hist
Add new structures, enums and APIs to enhance driver support
to store peer create and destroy history in PSOC.
Add new list to MLME's PSOC object to hold entries.
Change-Id: I22b8d559e9981a93dc4891d563586dc13245aff9
CRs-Fixed: 3738897
show more ...
|
| a43a03d5 | 11-Mar-2024 |
Vinod Kumar Pirla <quic_vpirla@quicinc.com> |
qcacmn: New field to save number of FW roamed links
Add new field to hodl number of links FW roamed
to from roam sync indication.
Change-Id: Ie855a4725eb20d2696de7b7e88e67b870fb918c6
CRs-Fixed: 375
qcacmn: New field to save number of FW roamed links
Add new field to hodl number of links FW roamed
to from roam sync indication.
Change-Id: Ie855a4725eb20d2696de7b7e88e67b870fb918c6
CRs-Fixed: 3755825
show more ...
|
| 54e03329 | 22-Mar-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Generate all possible unique candidates for MLO AP
For mlo candidate, need generate all possible unique candidates, and try
to connect one by one by sort of score.
For single MLO AP 5 GHz +
qcacmn: Generate all possible unique candidates for MLO AP
For mlo candidate, need generate all possible unique candidates, and try
to connect one by one by sort of score.
For single MLO AP 5 GHz + 6 GHz + 2 GHz
generates all possible unique candidates as following:
1. 6 GHz + 2 GHz + 5 GHz
2. 6 GHz + 2 GHz
3. 6 GHz + 5 GHz
4. 6 GHz
5. 5 GHz + 2 GHz
6. 5 GHz
7. 2 GHz
Since standby link doesn't contribute to MLO candidate score,
to assure 3 links candidate is tried before 2 links generated,
insert generated candidate after original candidate.
Change-Id: I6c92b02e47563fc9b15e37fcec2ab7025a6554a3
CRs-Fixed: 3750735
show more ...
|
| 20e6be3a | 17-Feb-2024 |
Shashikala Prabhu <quic_pshashik@quicinc.com> |
qcacmn: Fix out-of-bound read in T2LM IE parse API
In wlan_mlo_parse_t2lm_ie(), the code is present to check if the frame
length is less than the parsed IE length plus size of ie_header structure
(2
qcacmn: Fix out-of-bound read in T2LM IE parse API
In wlan_mlo_parse_t2lm_ie(), the code is present to check if the frame
length is less than the parsed IE length plus size of ie_header structure
(2 bytes). If the above condition is false then the subsequent code will
access the data of parsed IE length plus size of extn_ie_header structure
(3 bytes).
To fix the out-of-bound read, check if the frame length is less than
parsed IE length plus size of extn_ie_header structure.
Also, added the code to return success if frame length is same as parsed
IE length.
Change-Id: I07c32379ecd18d253a82876127c33b4d95196dd2
CRs-Fixed: 3704796
show more ...
|
| 3c0cb904 | 17-Feb-2024 |
Shashikala Prabhu <quic_pshashik@quicinc.com> |
qcacmn: Add frame length check in T2LM action frame parse APIs
Check for frame length before processing the T2LM request and response
action frames.
Change-Id: I3ac1c8f6c2ff58a8c3a6d589fe6485dd97bf
qcacmn: Add frame length check in T2LM action frame parse APIs
Check for frame length before processing the T2LM request and response
action frames.
Change-Id: I3ac1c8f6c2ff58a8c3a6d589fe6485dd97bfce09
CRs-Fixed: 3704794
show more ...
|
| 70624478 | 04-Mar-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Ignore PCL scoring for non-DBS STA
HW is non-DBS. SAP is UP in 6 GHz. Now, when a STA connection is
attempted, the pcl for the second connection would have SAP SCC
channel with highest prior
qcacmn: Ignore PCL scoring for non-DBS STA
HW is non-DBS. SAP is UP in 6 GHz. Now, when a STA connection is
attempted, the pcl for the second connection would have SAP SCC
channel with highest priority, all the 5 GHz channels with 2nd
highest priority and the 6 GHz channels with least priority.
Therefore, even if there is a strong 6 GHz candidate for STA, the
5 GHz candidate would be chosen and the SAP moves to SCC in 5 GHz.
To fix this, ignore the pcl scoring for the non-DBS concurrency
cases as the SAP can move to the channel of the best STA interface.
If the SAP is in legacy band, and if still a 6 GHz STA is chosen,
then the legacy SAP would be torn down. So, give STA the best
possible in non-DBS case.
Change-Id: I08d1acbe7805dcf7137534347406ffdf539ff0aa
CRs-Fixed: 3748694
show more ...
|
| 6e6bab3a | 26-Feb-2024 |
Aasir Rasheed <quic_arasheed@quicinc.com> |
qcacmn: Use MLMR and MLSR bss type for vendor_roam_score_algo
Currently, Host driver is using only MLMR bss type for
vendor_roam_score_algorithm.
Due to recent change in host driver via
Change-Id:
qcacmn: Use MLMR and MLSR bss type for vendor_roam_score_algo
Currently, Host driver is using only MLMR bss type for
vendor_roam_score_algorithm.
Due to recent change in host driver via
Change-Id: I01338dbbc0845e6f6284e4a374f5ad0a5cada334, Host driver
is using this api policy_mgr_2_freq_always_on_same_mac for
evaluating sbs or dbs frequency which in turn returns MLSR for
frequency 5 GHz and 6 GHz opposed to MLMR earlier.
This change is to use both the bss types MLMR and MLSR for
the evaluation vendor_roam_score_algorithm.
Change-Id: I72b0d5e5b2daf498a434c05b503ea8aebc65be74
CRs-Fixed: 3742619
show more ...
|
| 5438cc76 | 12-Mar-2024 |
CNSS_WLAN Service <cnssbldsw@qualcomm.com> |
Merge "qcacmn: Fix potential OOB read in util_scan_parse_mbssid()" into wlan-cmn.driver.lnx.2.0.14 |
| 2613f5f7 | 12-Mar-2024 |
CNSS_WLAN Service <cnssbldsw@qualcomm.com> |
Merge "qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()" into wlan-cmn.driver.lnx.2.0.14 |
| 87778b39 | 29-Jan-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Fix potential OOB read in util_scan_parse_mbssid()
If the length of the MBSSID IE is 0, then there is a potential
OOB read in util_scan_parse_mbssid(), when the Max BSSID indicator
field is
qcacmn: Fix potential OOB read in util_scan_parse_mbssid()
If the length of the MBSSID IE is 0, then there is a potential
OOB read in util_scan_parse_mbssid(), when the Max BSSID indicator
field is accessed.
To fix this, do not proceed with MBSSID parsing if the length
of the MBSSID IE is zero.
Change-Id: I2c7a7641b77fed20a910cb77035588a7540caa62
CRs-Fixed: 3717567
show more ...
|
| 77e5284c | 31-Jan-2024 |
Srikanth Marepalli <quic_srimarep@quicinc.com> |
qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()
If the tag length in next_elem is some invalid high value then the
existing length check can still pass and lead to the OOB access.
qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()
If the tag length in next_elem is some invalid high value then the
existing length check can still pass and lead to the OOB access.
Add an OOB check w.r.t total IE length to ensure it has the
minimum number of bytes in the buffer.
Change-Id: I9778a3e0ced05d3246d91e23c2a47f7318634d75
CRs-Fixed: 3717566
show more ...
|
| 8536ce5d | 09-Jan-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Fix OOB read of ML IE
In util_get_bvmlie_bssparamchangecnt() and util_get_bvmlie_mldcap(),
fix the possible OOB read of the ML IE, if the ML IE length is less
than the minimum template of Ba
qcacmn: Fix OOB read of ML IE
In util_get_bvmlie_bssparamchangecnt() and util_get_bvmlie_mldcap(),
fix the possible OOB read of the ML IE, if the ML IE length is less
than the minimum template of Basic variant ML probe response.
Change-Id: I50efaba682a1e42ef8befe09224edc34de9c8c7b
CRs-Fixed: 3700045
show more ...
|
| 24073c30 | 09-Jan-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Fix possible OOB read/writes in ML probe generation
Fix the OOB read/writes util_add_mlie_for_prb_rsp_gen() when
the common info length is higher than the ML IE inside which
the common info
qcacmn: Fix possible OOB read/writes in ML probe generation
Fix the OOB read/writes util_add_mlie_for_prb_rsp_gen() when
the common info length is higher than the ML IE inside which
the common info is encoded.
Change-Id: I07e9ad748404c6252924996aae57aba0f18e2f7d
CRs-Fixed: 3700072
show more ...
|
| 9c831dd9 | 13-Feb-2024 |
Surya Prakash Sivaraj <quic_suryapra@quicinc.com> |
qcacmn: Support dynamic FILS enablement for dual SAP
For Dual SAP(legacy SAP + 6 GHz SAP), WFA HE-4.1.1 cert
case requires the following:
a) If Dual SAP is enabled, the 6 GHz SSID should be
discove
qcacmn: Support dynamic FILS enablement for dual SAP
For Dual SAP(legacy SAP + 6 GHz SAP), WFA HE-4.1.1 cert
case requires the following:
a) If Dual SAP is enabled, the 6 GHz SSID should be
discovered via the RNR IE of the colocated legacy SAP.
b) If a co-located neighbor is present, the 6 GHz SAP
should not send FD or unsolicited probe responses.
Add support for the above the cert case by configuring the
FD support for the 6 GHz SAP based on the operation of the
co-located SAP.
Change-Id: Ib1ea2794baf8786b7c042fc35130b6929abb947f
CRs-Fixed: 3732663
show more ...
|
| bf97803c | 27-Feb-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Fix wrong MLO 2 GHz link CCFS1 in response to get_channel
2 GHz link CCFS may not filled correctly in vht/he op, wrong CCFS0
is got from util_scan_sec_chan_freq_from_htinfo and passed to ker
qcacmn: Fix wrong MLO 2 GHz link CCFS1 in response to get_channel
2 GHz link CCFS may not filled correctly in vht/he op, wrong CCFS0
is got from util_scan_sec_chan_freq_from_htinfo and passed to kernel,
regulatory check failed, disconnect will happen.
To fix it, add new API util_scan_ccfs0_from_htinfo, and get CCFS0 by it.
Change-Id: I0e8879f13cff37b85cffb6446cc15c60c05465d2
CRs-Fixed: 3739815
show more ...
|
| a9c79a17 | 21-Feb-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Move TPE MACRO to regulatory module
Move TPE MACRO to regulatory module
Change-Id: I61672a09abe6b0d5884d1233fbc4f5d2595ea290
CRs-Fixed: 3737992 |
| 8cd06744 | 08-Feb-2024 |
Krupali Dhanvijay <quic_kdhanvij@quicinc.com> |
qcacmn: Change minimum mbssid ie length value to 1
Currently, in the driver, the minimum MBSSID IE length value
in the driver is set to 4. Some APs advertize this value as
1. In such situations, dri
qcacmn: Change minimum mbssid ie length value to 1
Currently, in the driver, the minimum MBSSID IE length value
in the driver is set to 4. Some APs advertize this value as
1. In such situations, driver fails to parse the the ie.
So, to avoid such cases, modify the minimum mbssid ie length
value to 1.
Change-Id: I6ef89706b95318cb9bd38e04cab56b0fdef99fd5
CRs-Fixed: 3684794
show more ...
|
| b2253d34 | 29-Jan-2024 |
Rahul Gusain <quic_rgusain@quicinc.com> |
qcacmn: OOB while accessing ML IE
Currently, in function "util_get_ml_bv_partner_link_info" driver
access the ML IE memory with offset which is calculated from ML IE
length and increment this offset
qcacmn: OOB while accessing ML IE
Currently, in function "util_get_ml_bv_partner_link_info" driver
access the ML IE memory with offset which is calculated from ML IE
length and increment this offset with other values (such as
perstaprof_stainfo_len). But this can lead to OOB for ML IE when
this offset value is increment beyond ML IE length.
So, to fix this, add check for offset before accessing ML IE.
Change-Id: Ie7312ab3379fce16e5b0f83d07d46f263f774ed8
CRs-Fixed: 3710085
show more ...
|
| f323c32b | 05-Feb-2024 |
Krupali Dhanvijay <quic_kdhanvij@quicinc.com> |
qcacmn: Fix out-of-bound in wlan_mlo_parse_bcn_prbresp_t2lm_ie
Currently, In the MLO t2lm API, wlan_mlo_parse_bcn_prbresp_t2lm_ie
is missing frame boundary checks which may lead to out-of-bound
read
qcacmn: Fix out-of-bound in wlan_mlo_parse_bcn_prbresp_t2lm_ie
Currently, In the MLO t2lm API, wlan_mlo_parse_bcn_prbresp_t2lm_ie
is missing frame boundary checks which may lead to out-of-bound
reads if the lengths are not checked by the caller.
Fix is, while parsing t2lm ie pass the frame length and add
check for frame boundary.
CRs-Fixed: 3704739
Change-Id: If3068db3489ee1c9a9da4945407598e27e3ca276
show more ...
|
| a1aaa5c7 | 21-Feb-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Fix assert in cm_validate_partner_links
Uninitialized pointer partner_entry is deferenced wrongly in
Change-Id: Ib7e2f4cd43c8190c5e5fd0bb7786df41b022f518
Change-Id: I0cada18a043f4ed2f65697f
qcacmn: Fix assert in cm_validate_partner_links
Uninitialized pointer partner_entry is deferenced wrongly in
Change-Id: Ib7e2f4cd43c8190c5e5fd0bb7786df41b022f518
Change-Id: I0cada18a043f4ed2f65697f81530b4169dc46dd2
CRs-Fixed: 3738263
show more ...
|
| c753fff3 | 02-Feb-2024 |
Jianmin Zhu <quic_jianminz@quicinc.com> |
qcacmn: Add API to check whether MLO CSA allowed
SCC links in same MLD is not allowed, add API to check whether MLO CSA
allowed
CRs-Fixed: 3722991
Change-Id: I1eab54995e2b12715b66c58d6c6e31c14de6c9
qcacmn: Add API to check whether MLO CSA allowed
SCC links in same MLD is not allowed, add API to check whether MLO CSA
allowed
CRs-Fixed: 3722991
Change-Id: I1eab54995e2b12715b66c58d6c6e31c14de6c994
show more ...
|
| 0d945daa | 14-Nov-2023 |
Vinod Kumar Pirla <quic_vpirla@quicinc.com> |
qcacmn: Extend vdev stop and peer delete cmd for link switch
Enhance WMI command of existing peer delete and VDEV stop to
add new TLV to carry MLO params with link switch BIT set when
link switch is
qcacmn: Extend vdev stop and peer delete cmd for link switch
Enhance WMI command of existing peer delete and VDEV stop to
add new TLV to carry MLO params with link switch BIT set when
link switch is in progress.
Change-Id: I50b1aa48e4e2c976a56bcd3b75395eef6830e627
CRs-Fixed: 3663340
show more ...
|