In function wma_unified_link_iface_stats_event_handler, num_ac is received
from the firmware and is used in the loop to populate values into results.
However the memory for results is allocated only for WIFI_AC_MAX and a
buffer overflow will occur if num_ac is greater than WIFI_AC_MAX.
Add checks to make sure num_ac is not greater than WIFI_AC_MAX and
num_offload_stats is not greater than WMI_OFFLOAD_STATS_TYPE_MAX.
Change-Id: Ife8b1d19aa853f85f4fad82d5791e49a8c892ca4
CRs-Fixed: 2114756
Assert added as part of I2689873c2c5e63c83e5059563662c0c69dc659fc
in wma_get_ll_stats_ext_buf is not required as it causes a stack
trace exposing further security issues.
Remove the assert in wma_get_ll_stats_ext_buf
Change-Id: I92a5eb1b287e61c7f2cc9d6dba92446719c3c6b2
CRs-Fixed: 2115112
Enable the TX orphan for TCP packets by gEnableTxOrphan if TX flow control
is not enabled, such as SCC mode.
Change-Id: I0f3bc41bb22f8db10614d4833558caa664e52517
CRs-Fixed: 2123892
In the present code, by default the csr_init11d_info() function returns a failure status.
Due to the wrong return status, the ioctl (set11Dstate) fails.
Correct the return status in the csr_init11d_info function.
Change-Id: I40f130454d259cbc8a22f16e27c2c1a9e7c10b07
CRs-Fixed: 1105989
Checkpatch has detected multiple instances of "line over 80
characters." Some of them are trivial, so fix them.
Note that there are some instances that can only be addressed by
refactoring the code, and those will be addressed later.
Change-Id: I5d23b8cc7643d83a349532e3f2d32cd27b5dca95
CRs-Fixed: 2122896
Change "qcacld-3.0: Provide SME API to send unit test command to FW"
introduced two whitespace-related issues flagged by checkpatch:
- WARNING: suspect code indent for conditional statements (16, 20)
- WARNING: Statements should start on a tabstop
Fix those issues, as well as update an error message to align with the
new design.
Change-Id: Ic58c3330f73c838ba100e7621ce23eadc3f0d7b0
CRs-Fixed: 2122894
Checkpatch has detected one instance of "else is not generally useful
after a break or return" in hdd_indicate_tsf_internal(), so fix it.
Change-Id: I6aa92cc7966795e719eb5824a3a9354928e79590
CRs-Fixed: 2122872
Checkpatch has detected multiple instances of "line over 80
characters" so fix them. Also remove an obsolete extern to
eliminate an instance of "externs should be avoided in .c files."
Change-Id: Ic6b2082c2df0ffb20ce10c3c3a51c2fbebe849c7
CRs-Fixed: 2122873
Checkpatch has detected multiple instances of "line over 80
characters" so fix them. Also fix one instance of "else is not
generally useful after a break or return."
Change-Id: Ifb03d4d1399a53fa69f03ce2f77ccfca3929d1cc
CRs-Fixed: 2122822
Functions exported by HDD should have an HDD prefix so rename
sap_restart_chan_switch_cb() since it is exported by HDD.
Change-Id: I7b871774bb537e60e2992d471ab57b342246dd50
CRs-Fixed: 2122575
The Linux Coding Style enumerates a few special cases where typedefs
are useful, but stresses "NEVER EVER use a typedef unless you can
clearly match one of those rules." The tSirBssDescription typedef does
not meet any of those criteria, so replace references to it within HDD
with a reference to the underlying struct.
Change-Id: I13938fc15841986e9957f4774fbcfd035f734ccd
CRs-Fixed: 2122558
Both HDD and SAP define GET_IE_LEN_IN_BSS_DESC() macros, but these
macros simply replicate the logic already present in the global macro
GET_IE_LEN_IN_BSS(). Therefore delete these macros, and use
GET_IE_LEN_IN_BSS() instead.
Change-Id: I431984673141715ad32ca6ea96e31722129ce929
CRs-Fixed: 2122547
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename struct sSirBssDescription to align with
the Coding Style.
Note that it will be a separate exercise to replace instances of the
tSirBssDescription and tpSirBssDescription typedefs.
Change-Id: Ia698c5290e719ac6eef22cdee56e8954e5f61146
CRs-Fixed: 2122503
Test team requires support for pdev_reset ioctl that is present
on other devices, so add support for it.
Change-Id: I8d9b30987dfbdbc94de0a1ab2a0c686c93c7da8a
CRs-Fixed: 2122060
Checkpatch identified multiple indentation issues in hdd including:
- Statements should start on a tabstop
- suspect code indent for conditional statements
- labels should not be indented
Fix these issues.
(Note that there is a false positive "labels should not be indented"
in wlan_hdd_memdump.c that should not be modified)
Change-Id: I781fb05bffe6c75183bdd45d797a248d2cd06e6b
CRs-Fixed: 2121931
Checkpatch reported multiple block comment issues in hdd including:
- Block comments use * on subsequent lines
- Block comments should align the * on each line
- Block comments use a trailing */ on a separate line
Fix those issues.
Change-Id: Ic2b74c520ffb4be1c82fad6f6bdd0a9474d4b506
CRs-Fixed: 2121930
Checkpatch reported multiple instances of "void function return
statements are not generally useful" in hdd, so remove them.
Change-Id: Ia6ac669bdb9eaa71f9a68f1ef20f230acd59bf76
CRs-Fixed: 2121928
Checkpatch reported multiple instances of "Missing a blank line after
declarations" in hdd, so fix them.
Change-Id: I0b86be9066425d0a92f88b96e08ff4a57f91765e
CRs-Fixed: 2121927
Assoc reject status sent over the air
is internal failure status not inline
with the specification.
Update the assoc reject status sent
over the air.
Change-Id: I01250c63a42302d7b386a33aaf3b18e272581868
CRs-Fixed: 2115126
DFS public functions are renamed to have a utils_ prefix;
make sure to call the new DFS public APIs.
Change-Id: Ib36ebb6ca4d3838c5e7468e22f6dd5182a0a08e0
CRs-Fixed: 2124373
Excessive logging during scan causes the watchdog timeout,
hence reduce the log messages in the scan path.
Change-Id: I378e9667dfad15cfd5ba1c68484b97567af5d45f
CRs-Fixed: 2079149
qcacld-2.0 to qcacld-3.0 propagation
In function wlanqcmbr_mc_process_msg, variable data_len
is from message, which should not be trusted. Buffer
overflow will happen if using it directly to copy data
to utf_buf.
Change-Id: I21479f510b95e6ced214f80d942db919837e8324
CRs-Fixed: 2116449
Propagation from qcacld-2.0 to qcacld-3.0
Add diag event for wow packet counters stats.
The event EVENT_WLAN_POWERSAVE_WOW_STATS will be used to
inform the wow stats packet counters.
Change-Id: I9d1760aa6b790544b9879e7ef18d4f5359e0e245
CRs-Fixed: 1087714
STA is roaming to 2G AP even though 5G
only is configured through ini.
Set weightage of the 2G social channels
to zero so that firmware will not roam
to 2G channels.
Change-Id: I7dea8413618265e0f1fe353da4b858583c1921af
CRs-Fixed: 2117614
Invalid memory length passed to memcpy triggered
crash and it is due to uninitialized stack variable.
Initialize pmkid cache variable to zero.
Change-Id: Ib25812086f4d9f8399ce560d6aa7423a1978d04d
CRs-Fixed: 2119987
Add device_mode check in hdd_ipa_send_pkt_to_tl,
WLAN_HDD_GET_AP_CTX_PTR only can be used in SAP/P2P_GO mode.
Change-Id: Ieb4ce8fb28251432c9f3e22eb945b32f47776380
CRs-Fixed: 2123952
Reset the limit off channel parameters after disconnection, otherwise
FW is going to use these settings for future connections on the same
interface.
CRs-Fixed: 2105301
Change-Id: I00a408c1d71cdf261e5718a67d9417ac3fcd133c
Add debug logs to capture htt rx_ring info during data stall
detection for FW_RX_REFILL failure reason.
Change-Id: I6733a37677ebccfef5096ac38858c4505e8665b6
CRs-Fixed: 2121686
Add 1 second wake lock for 4 way handshake to avoid APPS
power collapse in middle of eapol exchange which can delay
the association process.
Change-Id: Ife73dc00aa05b5a80d0a90afd18468bd033ebdd9
CRs-Fixed: 2118533
Move HE get string API for cfg_params to cfg_param_name.c and
make it generic so that any parameter can be added to it.
Change-Id: Id14fb60a97f479a5898a27b2a192f67801e49974
CRs-Fixed: 2106869
In the function get_container_ies_len, len (uint32) is calculated
from the length of the buffer parsed. Then it is copied to the uint8
pnConsumed pointer from the calling function. This could lead to
pnConsumed becoming 0 if len exceeds 255 and would cause infinite
loop in the function unpack_core.
Add changes to make pnConsumed passed from unpack_core to be uint32
so that there are no issues in get_container_ies_len
Change-Id: Ia5770b4becf7dd1cf7cb97ec2e0d94f3c5f4ed54
CRs-Fixed: 2101200
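The truncation described in the commit message above, reduced to a stand-alone sketch. This is an added example, not code from the driver: container_ies_len, get_len_narrow, get_len_wide, unpack_loop and the MAX_STEPS guard are hypothetical stand-ins for get_container_ies_len and unpack_core, and the input buffer is constructed.

```c
#include <stdint.h>

#define MAX_STEPS 16 /* demo guard: the real loop has no such limit */

/* Total length of the consecutive (id, len, value) elements that fit in n bytes. */
static uint32_t container_ies_len(const uint8_t *buf, uint32_t n)
{
    uint32_t len = 0;
    while (n - len >= 2 && (uint32_t)buf[len + 1] + 2 <= n - len)
        len += (uint32_t)buf[len + 1] + 2;
    return len;
}

/* Before: the caller's counter is 8 bits wide, so a length of 256 is stored as 0. */
static void get_len_narrow(const uint8_t *buf, uint32_t n, uint8_t *consumed)
{
    *consumed = (uint8_t)container_ies_len(buf, n);
}

/* After: the counter is as wide as the computed length. */
static void get_len_wide(const uint8_t *buf, uint32_t n, uint32_t *consumed)
{
    *consumed = container_ies_len(buf, n);
}

/* Caller loop; returns the number of steps taken, or -1 if it stopped advancing. */
static int unpack_loop(const uint8_t *buf, uint32_t n, int wide)
{
    uint32_t off = 0, used = 0;
    uint8_t used8 = 0;
    int steps = 0;
    while (off < n) {
        get_len_narrow(buf + off, n - off, &used8);
        get_len_wide(buf + off, n - off, &used);
        off += wide ? used : used8; /* narrow path adds 0 when the length is 256 */
        if (++steps >= MAX_STEPS)
            return -1; /* no forward progress: without the guard this spins forever */
    }
    return steps;
}

/* Constructed input: two 128-byte elements (2-byte header + 126 bytes), 256 in total. */
static int demo_truncation(int wide)
{
    uint8_t buf[256] = { [1] = 126, [129] = 126 };
    return unpack_loop(buf, sizeof(buf), wide);
}

int main(void) { return (demo_truncation(0) == -1 && demo_truncation(1) == 1) ? 0 : 1; }
```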
On vdev response timer expire, memory allocated for vdev request
will be freed in the timer handler (wma_vdev_resp_timer). But there
can be a race condition where wlan shutdown is invoked at the same
time, where host tried to cleanup unhandled vdev requests by calling
same timer handler.
To mitigate this issue, don't free the memory if vdev request is not
found (as other thread freed memory by this time).
Change-Id: Iea214f0ed3acb9600b5a3b84b5740c1b496719d9
CRs-Fixed: 2049673
Rome and iHelium BT Coex FW capability is completely different from
earlier generation of driver/fw and hence this kind of BT Coex protection
may not be needed.
Change-Id: Ic2f34acc03a3830ad51296313e8844011ef48266
CRs-Fixed: 2066727
Wiphy band can be NULL since it is dynamically allocated depending
on some condition. So check for NULL before populating it.
CRs-Fixed: 2122279
Change-Id: If88045e2ebbb6bceb0ed3b5337cc70778b21f832
In case STAUT is using auto-switch auth type for WEP, a retried AUTH frame
from AP can mess up our state machine and connection will fail. Save seq
number of processed auth so that retried frame can be dropped in host.
Change-Id: I00cedf594309e0bb9b4bb8f0ced2929e7d00f64d
CRs-Fixed: 2102402
Set IPA ownership for intra-BSS Tx packets to avoid skb_orphan(), and
clear the ownership after checking it to avoid ipa_free_skb() being called
when Tx is completed.
Change-Id: I03883773e418bb5518ea63a324d22503173ea436
CRs-Fixed: 2062911
Add ini param 'gtsf_ptp_options' to control
PTP options, it's a bitmap:
bit0 - PTP_OPT_RX(0x1)
set this bit to enable RX time stamping
bit1 - PTP_OPT_TX(0x2)
set this bit to enable TX time stamping
bit2 - PTP_OPT_RAW(0x4)
set this bit to use raw time as timestamp
bit3 - TSF_DBG_FS(0x8)
set this bit to add device attribute 'tsf' for iface
The default value of gtsf_ptp_options is 0xf
Propagated from qcacld-2.0.
Change-Id: Ie53d503bdd2e85790502583a238ee138f4bcf6c6
CRs-Fixed: 2079466
In function lim_update_ibss_prop_add_ies size of a malloc is based on
sum of two integers. Add check for integer overflow before malloc.
Change-Id: Ia7f1b306e6eb99ee0cea9f2ef00123ca66a5c062
CRs-Fixed: 2119673
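A stand-alone sketch of the overflow check the commit message above describes, placed before an allocation sized by the sum of two lengths. This is an added example, not the driver's code: struct ie_blob, merge_ies, merged_len_unchecked and the 16-bit length fields are assumptions, and the inputs are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical IE blob; the 16-bit length field is an assumption of this sketch. */
struct ie_blob { const uint8_t *data; uint16_t len; };

/* Before: the sum is truncated to 16 bits, so 0xFFF0 + 0x0020 becomes 0x0010. */
static uint16_t merged_len_unchecked(uint16_t a, uint16_t b)
{
    return (uint16_t)(a + b);
}

/* After: refuse the request when the sum cannot be represented, then allocate. */
static uint8_t *merge_ies(const struct ie_blob *x, const struct ie_blob *y,
                          uint16_t *out_len)
{
    uint8_t *buf;

    if (x->len > UINT16_MAX - y->len)
        return NULL; /* would wrap: reject instead of under-allocating */
    *out_len = (uint16_t)(x->len + y->len);
    buf = *out_len ? malloc(*out_len) : NULL;
    if (!buf)
        return NULL;
    memcpy(buf, x->data, x->len);
    memcpy(buf + x->len, y->data, y->len);
    return buf;
}

/* Constructed inputs: 1 if the wrapping pair is rejected and a small pair merges. */
static int demo_merge(void)
{
    static const uint8_t big[0xFFF0], small[0x20] = { 0xdd, 0xdd, 0xdd };
    struct ie_blob a = { big, sizeof(big) }, b = { small, sizeof(small) };
    struct ie_blob c = { small, 3 }, d = { small, 2 };
    uint16_t n = 0;
    uint8_t *bad = merge_ies(&a, &b, &n);
    uint8_t *ok = merge_ies(&c, &d, &n);
    int pass = !bad && ok && n == 5 && ok[2] == 0xdd && ok[4] == 0xdd;

    free(bad);
    free(ok);
    return pass;
}

int main(void) { return demo_merge() ? 0 : 1; }
```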
The current driver strategy is to converge on unified APIs, and the
unified WMI struct flashing_req_params conveys the same information as
typedef tSirLedFlashingReq, therefore replace tSirLedFlashingReq with
struct flashing_req_params.
Change-Id: I4ef75ee3bff7c83dbf8197bba0802569282a414f
CRs-Fixed: 2121335
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pBeaconIes to align with the Coding
Style.
Change-Id: Ib1d48cd0db2a497c68c3596230b22e169ed0cc8f
CRs-Fixed: 2121264
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pRoamInfo to align with the Coding
Style.
Change-Id: I39f76a4e11fb26c5ab4279ae0b02dddadd06a83b
CRs-Fixed: 2121188
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pRoamInfo to align with the Coding
Style.
Change-Id: I444fc7925066f0ef147aed666a02027661308799
CRs-Fixed: 2121187
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pHddStaCtx to align with the Coding
Style.
Change-Id: I508816b354eb592305cb238f7604ef39586c19b2
CRs-Fixed: 2121162
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pHostapdState to align with the Coding
Style.
Change-Id: I11f20591272265ad2e0e9d1f5f8ae1243d3ecd5b
CRs-Fixed: 2121138
When specific band is set from ini file and if user is trying to change
phy mode to auto with iwpriv command, crash is seen.
To fix this, avoid eCSR_DOT11_MODE_AUTO when BandCapability is set.
Change-Id: Ieaaa1dddfafbed2fdf51b7c924977b02077f01b6
CRs-Fixed: 2082166
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pHddApCtx to align with the Coding
Style.
Change-Id: I9c209be206d9e453ec2c5adc7803126639d06b84
CRs-Fixed: 2121131
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pHostapdAdapter to align with the Coding
Style.
Change-Id: I18a74117ae47ad05a1c46b50a14fcb64347f1c07
CRs-Fixed: 2121120
Checkpatch has detected an instance of a block comment where the
trailing "*/" is not on a separate line, so fix it.
Change-Id: Ibe8c83ea4d87f04c330f0abe6953d2dfb2067ff7
CRs-Fixed: 2120626
Checkpatch has detected multiple instances of "line over 80
characters" so fix them.
Change-Id: Ie9b3a517b97c0f70f43e7991c0576eaf1e05ec38
CRs-Fixed: 2120622
Propagation from qcacld-2.0 to qcacld-3.0
In random testing cases, the SAP close may be called even before the BSS
is started. In such cases the SAP callback may not have been registered
and such scenarios may lead to unnecessary assertion. Just returning an
error should do.
Remove the assert but retain the error notification.
Change-Id: Ief9ea45d2d7f3d910766e73a9e0dca5e34c85905
CRs-Fixed: 2121720
Propagation from qcacld-2.0 to qcacld-3.0
During BSS frame update, frame_len is calculated as size of ieee80211_mgmt
and ielen. Since ieee80211_mgmt is a generic frame structure and different
frame structures are defined under union this may exceed the actual frame
len.
Fix by calculating offset of variable(ies) and ies length.
Change-Id: Ied8e4e604e41de1ac5ccc047ef5cc3cdb05a9445
CRs-Fixed: 2121711
Update ini param g_auto_detect_power_failure_mode to incorporate below
values,
0 - Don't register wow wakeup event and FW crashes on power failure
1 - Register wow wakeup event and FW sends failure event to host on
power failure
2 - Don't register wow wakeup event and FW silently rejuvenate on
power failure
3 - Don't register wow wakeup event and the auto power failure detect
feature is disabled in FW.
Change-Id: I8a704954ecbacadbc035c1523fa41a18b6300f66
CRs-Fixed: 2087144
Current driver has roam id uninitialized in anticipation that roam id
will be filled by SME APIs to correct value but in error conditions
that value may not be filled at all. In those kinds of cases
initializing to invalid value will help to avoid any security breach.
CRs-Fixed: 2119198
Change-Id: I96e55cb91ef76df63dd6ba267130e1092fdcf899
Make sure num_vdev_mac_entries which is coming from firmware is within
MAX_VDEV_SUPPORTED to avoid any buffer overflow or OOB read.
Change-Id: I92793a6bcfd46b288c3f496a6f6cc9b372f60c48
CRs-Fixed: 2119432
Current driver forms a unit test command within HDD layer and uses
message passing method to deliver it to WMA layer which
requires HDD layer to have a knowledge of how to form a unit test command.
Use SME API to send params to WMA layer and let WMA form a unit test
command and send it directly to FW through WMI layer instead of HDD
forming and passing it down.
CRs-Fixed: 2118725
Change-Id: Id1838939813e6cd2d52cee8720a1f4e0ca34329b
Checkpatch has detected multiple instances of "line over 80
characters" so fix them.
Change-Id: I240fcea5af2cfb4f3c1b660784fc7d37bc948c3c
CRs-Fixed: 2120625
Checkpatch has detected multiple instances of "line over 80
characters" so fix them.
Change-Id: If7b0e259a4399cc829fa4d0186c4699ae7980706
CRs-Fixed: 2120617
Current driver doesn't perform boundary check on num_vdev_mac_entries param
which is coming from firmware. Without boundary check, driver may be
exposed to buffer overflow.
Check against the boundary limit before using it.
CRs-Fixed: 2119430
Change-Id: I502926a7f783acc7b73a3fbbbd70386a099b48b3