When disconnect is issued from userspace, lim_del_bss is invoked
and vdev stop is sent to firmware. If sending vdev stop fails,
WMA_DELETE_BSS_RSP is posted with failure. If an SSR is
happening during this time, then cds_mc_thread is preempted, and
as part of the pld uevent vdev resp queue cleanup is done. In
this path, lim_process_sta_mlm_del_bss_rsp is called and
msg->bodyptr is freed and pe session is deleted. After pld
uevent execution, the delete bss response processing in
cds_mc_thread as part of user space disconnect resumes and tries
to free the msg->bodyptr again. This results in double free.
Set msg->bodyptr to NULL after freeing the memory.
Change-Id: I851a5ddcae47cffe450dffafa31570895620bd9c
CRs-Fixed: 2332677

__wlan_hdd_cfg80211_change_iface() has a number of obvious style issues.
Lightly refactor __wlan_hdd_cfg80211_change_iface() to address the low
hanging fruit.
Change-Id: Ib2efa7405e986e73a5c5b6fc7e5509eeebd2e6f3
CRs-Fixed: 2330973

wlan_hdd_cfg80211_set_txpower() currently expects the input power to
be in units of dBm. However cfg80211 specifies the set_tx_power()
method will pass the power in mBm, and that to get dBm the driver
should use MBM_TO_DBM(). The userspace tool "iw" also expects the
power to be in mBm.
In order to comply with the definition of cfg80211, change the
implementation of wlan_hdd_cfg80211_set_txpower() to expect the power
in mBm and use MBM_TO_DBM() to convert the power to dBm. But for
backward compatibility with userspace entities which are expecting the
current implementation, if the converted power is 0 then assume the
input power is already in dBm and use it without conversion.
Change-Id: I7c64f7ac14249a307357c91f8bea4dad8d59ff28
CRs-Fixed: 2331003

Update the mac_open and mac_close APIs as follows:
1) Fully document the interfaces (not the implementation).
2) Utilize the new mac_handle_t abstraction
3) Clean up local coding style violations
Change-Id: I9b047c3951b7f8c8831cec0b0a1aa3c521b32e6c
CRs-Fixed: 2332042

Currently the command timeout value in serialization for start_bss
and stop_bss commands for SAP is set to 30 seconds, which is too high.
Reduce the command timeout value for SAP start_bss and stop_bss
commands in serialization to 10 seconds.
Change-Id: I1bcfe13de92a703ec55445b344a502f7843bbed8
CRs-Fixed: 2331830

Currently a ref count for VDEV is taken while posting the SME command
to serialization in csr_set_serialization_params_to_cmd called from
csr_queue_sme_command. However once the command is posted to serialization
queue, the VDEV ref count is released which could lead to the VDEV
object used from the serialization callback without holding the ref count.
Release the VDEV ref count only if the posting to serialization module
fails and for success cases, release the ref count from
sme_ser_cmd_callback under the WLAN_SER_CB_RELEASE_MEM_CMD case.
Change-Id: I8d573ff5a25e6dff928b2708e51ad7b97e292277
CRs-Fixed: 2331716

The driver won't handle PS in the disconnected state. But the kernel can
send a PS enable/disable command in the non-associated state; hence return
success without posting the request to FW.
Change-Id: I6b559c30cff816c2ba056ef23633fb350e867db7
CRs-Fixed: 2321744

noise_floor_weight is defined as unsigned in
sap_weight_channel_noise_floor(), but is checked
for value less than 0, which will never be true.
Change-Id: Idd8215c479eeae2ffd712434aae740f8465a8b45
CRs-Fixed: 2310624

When vdev restart response is received for channel switch during
CSA, we set the phy mode in firmware and then send vdev up. But
even if the restart request has failed, the host sends vdev up. This
is wrong as firmware expects vdev up only after vdev start is
successful.
If vdev restart is rejected don't send vdev up to firmware.
Instead send WMA_SWITCH_CHANNEL_RSP with failure status.
Change-Id: I1f1ba860abeb0d25e90fd9b9977f02153aca81af
CRs-Fixed: 2331485

QCA6290 non-AX chipset is deprecated, so enable changes for QCA6290 AX
chipset by default.
Change-Id: I09b52dc58c1a79e36502671de94021d5940d0072
CRs-Fixed: 2331182

Check for dhcp packet type before processing on packet sta_id.
This reduces per packet mem_copy and mem_cmp instructions for
sap Rx.
Change-Id: I4a2732ff4d9e3fa31aace25cc824f26b0c339b52
CRs-Fixed: 2331420

In proc_dnld_rsp, pHdr->sBufSize comes from a FW message,
which cannot be trusted. Before its use, proc_dnld_rsp
should verify it against its max allowed size (UINT_MAX).
Fix is to add a sanity check for pHdr->sBufSize against UINT_MAX
before its use.
Change-Id: I6ec970483af860d5e42d6adac640274743f44f1a
CRs-Fixed: 2308333

There is no sanity check for hdd context and sap config in
start acs api which may lead to NULL pointer access.
To avoid this issue, validate hdd context and sap config
before accessing these pointers.
Change-Id: I0a3f6a91a6bc5a517c035c9e7d706e66aea62fd4
CRs-Fixed: 2331412

Currently only the WLAN_SER_CMD_DENIED_UNSPECIFIED is returned as
failure to HDD when a command is posted into serialization from
SME/CSR. This can lead to HDD getting a status as success if the
command posting failed due to some other reason code in serialization
like WLAN_SER_CMD_DENIED_LIST_FULL.
Handle all serialization reason codes in csr_queue_sme_command API.
Change-Id: Icce5b9f560320b99feb985dead9d06489caa8b5c
CRs-Fixed: 2330852

Currently, wlan_hdd_cfg80211_start_bss() copies supported rates and
extended rates from the information element pointer without checking
array bounds, which may cause OOB access.
To address this issue, add length checks before copying supported
rates and extended rates.
Change-Id: Ic6363e97bb3498a5dd23bc5e5f9b9f3ce093509d
CRs-Fixed: 2312995
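The length-checked copy described in the commit above, as an added illustration in plain C rather than the driver's own code. The rate_set structure, the MAX_SUPPORTED_RATES capacity and the copy_rates_ie() helper are assumptions standing in for the HDD structures; the IE bytes in the demo functions are constructed samples. The helper checks both bounds a parser needs: the IE must fit inside the buffer it was found in, and its declared length must fit the destination array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical capacity of the destination rate array; the real HDD/SAP
 * structures differ, this value is an assumption for the illustration. */
#define MAX_SUPPORTED_RATES 12

struct rate_set {
    uint8_t num_rates;
    uint8_t rates[MAX_SUPPORTED_RATES];
};

/* Copy the payload of one IE (tag, length, data) into a fixed-size rate array.
 * Returns false and copies nothing if the IE does not fit in the buffer it was
 * found in, or if its declared length exceeds the destination array. */
bool copy_rates_ie(const uint8_t *ie, size_t ie_buf_len, struct rate_set *out)
{
    if (ie == NULL || out == NULL || ie_buf_len < 2)
        return false;

    size_t len = ie[1];

    /* Source bound: the declared length must lie inside the containing buffer. */
    if (len + 2 > ie_buf_len)
        return false;

    /* Destination bound: the check the commit adds before copying rates. */
    if (len > MAX_SUPPORTED_RATES)
        return false;

    memcpy(out->rates, ie + 2, len);
    out->num_rates = (uint8_t)len;
    return true;
}

/* Constructed Supported Rates IE (tag 0x01) with 8 entries: accepted. */
int demo_well_formed(void)
{
    const uint8_t ie[] = {0x01, 0x08, 0x82, 0x84, 0x8b, 0x96,
                          0x0c, 0x12, 0x18, 0x24};
    struct rate_set rs;
    return copy_rates_ie(ie, sizeof ie, &rs) ? rs.num_rates : -1;
}

/* Constructed Extended Supported Rates IE (tag 0x32) claiming 20 entries,
 * all present in the buffer but more than the destination holds: rejected. */
bool demo_oversized(void)
{
    uint8_t ie[2 + 20] = {0x32, 20};
    struct rate_set rs;
    return copy_rates_ie(ie, sizeof ie, &rs);
}

/* Constructed IE whose length byte says 8 but only 3 data bytes follow:
 * rejected instead of reading past the end of the buffer. */
bool demo_truncated(void)
{
    const uint8_t ie[] = {0x01, 0x08, 0x82, 0x84, 0x8b};
    struct rate_set rs;
    return copy_rates_ie(ie, sizeof ie, &rs);
}
```

The two checks are independent: the oversized case would pass the source check and overflow the destination, the truncated case would pass the destination check and over-read the source, so a fix that adds only one of them leaves the other defect in place.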

The APIs below log failures with caller information,
so there is no need to log at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I392fd31f2ae1e46a0d7ceaa657b77fad4efd31eb
CRs-Fixed: 2327098

The APIs below log failures with caller information,
so there is no need to log at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I5d7d49811d71f83ecafccd9f936af323073b32c6
CRs-Fixed: 2327098

The PLD FW down uevent is asynchronous, which races against all critical
driver transition events like probe, remove, shutdown and reinit; hence
move wmi_stop to the wma shutdown notifier callback so that it is
protected against all critical driver transition events.
Change-Id: I91046efeab8bc13b9f5c37d5a4d02b66c63e35a9
CRs-Fixed: 2330980

Add bound check for new fixed_param->total_num_tx_power_levels
with its old value of rs_results->total_num_tx_power_levels in
wma_unified_radio_tx_power_level_stats_event_handler.
rs_results->tx_time_per_power_level is allocated only once
if it has not been already allocated. This allocation is saved
into the global wma_handle structure.
If multiple invocations of this handler occur then a buffer
overflow can occur in the following scenario:
1. First message is used to allocate rs_results->tx_time_per_power_level
with a small, but valid size.
2. Second message skips allocation of rs_results->tx_time_per_power_level
since it was done with the first message. This message specifies a larger
valid value and causes the qdf_mem_copy() to overflow.
Change-Id: Ib9c7d3bd667e2ffc1408cd7356be35985331e028
CRs-Fixed: 2327688
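The allocate-once-then-reuse pattern and the bound check the commit above adds, as an added C illustration that is not the driver's code. The tx_power_event and radio_results structures, MAX_TX_POWER_LEVELS and handle_tx_power_event() are assumed stand-ins for the WMI fixed_param and the per-radio results kept in the global handle; the two-message sequence in the demo functions is constructed to replay the scenario in the commit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical firmware event: a level count plus one entry per level. */
struct tx_power_event {
    uint32_t total_num_tx_power_levels;
    const uint32_t *tx_time_per_power_level;
};

/* Hypothetical per-radio results that outlive a single event, as the
 * commit describes for the buffer saved in the global handle. */
struct radio_results {
    uint32_t total_num_tx_power_levels;  /* count the buffer was sized for */
    uint32_t *tx_time_per_power_level;   /* allocated once, reused afterwards */
};

#define MAX_TX_POWER_LEVELS 256  /* assumed sanity limit for a single event */

/* Returns 0 when the event was stored, -1 when it was rejected. */
int handle_tx_power_event(struct radio_results *rs,
                          const struct tx_power_event *ev)
{
    uint32_t n = ev->total_num_tx_power_levels;

    if (n == 0 || n > MAX_TX_POWER_LEVELS)
        return -1;

    if (rs->tx_time_per_power_level == NULL) {
        /* First event: size the persistent buffer from this event's count. */
        rs->tx_time_per_power_level = calloc(n, sizeof(uint32_t));
        if (rs->tx_time_per_power_level == NULL)
            return -1;
        rs->total_num_tx_power_levels = n;
    } else if (n > rs->total_num_tx_power_levels) {
        /* The bound check the commit adds: a later event may not claim more
         * levels than the buffer allocated for the first event can hold. */
        return -1;
    }

    memcpy(rs->tx_time_per_power_level, ev->tx_time_per_power_level,
           (size_t)n * sizeof(uint32_t));
    return 0;
}

/* Shared setup: a first event with 4 levels sizes the buffer. */
static int run_two_events(uint32_t second_count, const uint32_t *second_data)
{
    struct radio_results rs = {0};
    uint32_t first_data[4] = {10, 20, 30, 40};
    struct tx_power_event first = {4, first_data};
    struct tx_power_event second = {second_count, second_data};
    int rc;

    if (handle_tx_power_event(&rs, &first) != 0)
        return -2;
    rc = handle_tx_power_event(&rs, &second);
    free(rs.tx_time_per_power_level);
    return rc;
}

/* Second event claims 16 levels against a 4-entry buffer: rejected (-1). */
int demo_growing_second_event(void)
{
    uint32_t data[16] = {0};
    return run_two_events(16, data);
}

/* Second event claims 2 levels: fits in the existing buffer, stored (0). */
int demo_shrinking_second_event(void)
{
    uint32_t data[2] = {5, 6};
    return run_two_events(2, data);
}
```

Without the `n > rs->total_num_tx_power_levels` branch the second call in demo_growing_second_event() would copy 64 bytes into a 16-byte heap buffer, which is the overflow the commit describes; the check costs one comparison per event.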

Change I8cd30439d7ac3de7b550aa5042353cf30e04cbda recently introduced
misleading indentation in sme_update_tx_bfee_nstsi(). Not only does this
cause a build failure for some configurations, but is also dangerously
confusing for future readers. Remove the misleading indentation in
sme_update_tx_bfee_nstsi().
Change-Id: Ia971c414b433eeaff51eb4c65d3d2f56c49617b1
CRs-Fixed: 2330256

In the function csr_roam_chk_lnk_swt_ch_ind(), newChannelId is
updated to session->pConnectBssDesc->channelId and
pConnectBssDesc->ieFields is passed to wlan_cfg_get_ie_ptr().
The parameters of pConnectBssDesc are accessed without
validating pConnectBssDesc. This can result in a possible null
pointer dereference.
Validate the session->pConnectBssDesc before access.
Change-Id: I45f2c090cea90052f91d678f1bacd1411c4b9496
CRs-Fixed: 2329317

When interface change timer expires, wma_wmi_service_close() is
called from hdd_iface_change_callback()->hdd_wlan_stop_modules()
->cds_close(). wmi_handle is made null here. At the same time,
if there is a modem reboot, host will receive early
indication from FW. Due to this, icnss driver sent
ICNSS_UEVENT_FW_DOWN event to host and it calls wmi_stop() again
from icnss_call_driver_uevent()->pld_snoc_uevent()->
wlan_hdd_pld_uevent() -> wlan_hdd_set_the_pld_uevent()->
wma_wmi_stop() -> wmi_stop(). As wmi_handle was marked
null during wlan stop modules, this causes a potential NULL
pointer dereference.
Flush iface_idle_work before wma_wmi_stop and add NULL check
before accessing wmi_handle.
Change-Id: I1bfa8ab7329040c0b5ba989c0d7de7bf7228dd35
CRs-Fixed: 2328575

Add sanity check for vdev_id in wma_lost_link_info_handler
against wma_handle->max_bssid.
Change-Id: I1f469b25ac88deb4d5bbaf754c0ea441e6cb04de
CRs-Fixed: 2325718

When disconnect is issued from userspace, lim_del_bss is invoked
and vdev stop is sent to firmware. If sending vdev stop fails,
WMA_DELETE_BSS_RSP is posted with failure. If an SSR is
happening during this time, then cds_mc_thread is preempted, and
as part of the pld uevent vdev resp queue cleanup is done. In
this path, lim_process_sta_mlm_del_bss_rsp is called and
msg->bodyptr is freed and pe session is deleted. After pld
uevent execution, the delete bss response processing in
cds_mc_thread as part of user space disconnect resumes and tries
to free the msg->bodyptr again. This results in double free.
Add check to validate if msg->bodyptr is NULL before freeing
the memory.
Change-Id: I491e5bab640aca6546b58755502dd00aa1bc6083
CRs-Fixed: 2324482
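Two commits on this page (the one directly above and the earlier one with Change-Id I851a5ddcae47cffe450dffafa31570895620bd9c) fix the same double free from opposite ends: one sets msg->bodyptr to NULL after freeing, the other checks for NULL before freeing. The added C illustration below, which is not the driver's code, combines both in a single release helper; the sched_msg structure, release_body() and the two path functions are assumed stand-ins for the scheduler message and the two cleanup paths the commits describe, and the demo replays their ordering on one constructed message.

```c
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical scheduler message carrying an owned payload, in the spirit
 * of the msg->bodyptr the commits refer to. */
struct sched_msg {
    int type;
    void *bodyptr;
};

/* Instrumentation for the demonstration only: counts real free() calls. */
static int frees_seen;

/* Release the payload exactly once: skip when it is already NULL (the check
 * added by I491e5bab...) and clear the pointer after freeing (the assignment
 * added by I851a5ddc...) so that no later path can free it a second time. */
void release_body(struct sched_msg *msg)
{
    if (msg == NULL || msg->bodyptr == NULL)
        return;
    free(msg->bodyptr);
    frees_seen++;
    msg->bodyptr = NULL;
}

/* Path 1: vdev response queue cleanup run from the pld uevent during SSR. */
void ssr_queue_cleanup(struct sched_msg *msg)
{
    release_body(msg);
}

/* Path 2: the preempted WMA_DELETE_BSS_RSP handling in cds_mc_thread resumes
 * and tries to release the same message. */
void delete_bss_rsp_resume(struct sched_msg *msg)
{
    release_body(msg);
}

/* Replays the ordering from the commits on one message and returns how many
 * times the payload was actually freed. Expected: 1. */
int demo_race_order(void)
{
    struct sched_msg msg = { .type = 1, .bodyptr = malloc(64) };
    int still_null;

    frees_seen = 0;
    ssr_queue_cleanup(&msg);
    delete_bss_rsp_resume(&msg);
    still_null = (msg.bodyptr == NULL);
    return still_null ? frees_seen : -1;
}
```

Clearing the pointer only helps because both paths operate on the same message object, which is the situation the commits describe; it does not replace synchronisation between cds_mc_thread and the uevent path, it just makes the second release a no-op instead of a crash.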

Make the following updates to the extscan get capabilities logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
Change-Id: I9e57c86a3da0924af01d82d626b61c28f7d520bf
CRs-Fixed: 2330211