qcacld-2.0 to qcacld-3.0 propagation
In function wlanqcmbr_mc_process_msg, variable data_len
is from message, which should not be trusted. Buffer
overflow will happen if using it directly to copy data
to utf_buf.
Change-Id: I21479f510b95e6ced214f80d942db919837e8324
CRs-Fixed: 2116449
Propagation from qcacld-2.0 to qcacld-3.0
Add diag event for wow packet counters stats.
The event EVENT_WLAN_POWERSAVE_WOW_STATS will be used to
inform the wow stats packet counters.
Change-Id: I9d1760aa6b790544b9879e7ef18d4f5359e0e245
CRs-Fixed: 1087714
STA is roaming to 2G AP even though 5G
only is configured through ini.
Set weightage of the 2G social channels
to zero so that firmware will not roam
to 2G channels.
Change-Id: I7dea8413618265e0f1fe353da4b858583c1921af
CRs-Fixed: 2117614
Invalid memory length passed to memcpy triggered
crash and it is due to uninitialized stack variable.
Initialize pmkid cache variable to zero.
Change-Id: Ib25812086f4d9f8399ce560d6aa7423a1978d04d
CRs-Fixed: 2119987
Add device_mode check in hdd_ipa_send_pkt_to_tl,
WLAN_HDD_GET_AP_CTX_PTR only can be used in SAP/P2P_GO mode.
Change-Id: Ieb4ce8fb28251432c9f3e22eb945b32f47776380
CRs-Fixed: 2123952
Reset the limit off channel parameters after disconnection, otherwise
FW is going to use these settings for future connections on the same
interface.
CRs-Fixed: 2105301
Change-Id: I00a408c1d71cdf261e5718a67d9417ac3fcd133c
Add debug logs to capture htt rx_ring info during data stall
detection for FW_RX_REFILL failure reason.
Change-Id: I6733a37677ebccfef5096ac38858c4505e8665b6
CRs-Fixed: 2121686
Add 1 second wake lock for 4 way handshake to avoid APPS
power collapse in middle of eapol exchange which can delay
the association process.
Change-Id: Ife73dc00aa05b5a80d0a90afd18468bd033ebdd9
CRs-Fixed: 2118533
Move HE get string API for cfg_params to cfg_param_name.c and
make it generic so that any parameter can be added to it.
Change-Id: Id14fb60a97f479a5898a27b2a192f67801e49974
CRs-Fixed: 2106869
In the function get_container_ies_len, len (uint32) is calculated
from the length of the buffer parsed. Then it is copied to the uint8
pnConsumed pointer from the calling function. This could lead to
pnConsumed becoming 0 if len exceeds 255 and would cause infinite
loop in the function unpack_core.
Add changes to make pnConsumed passed from unpack_core to be uint32
so that there are no issues in get_container_ies_len
Change-Id: Ia5770b4becf7dd1cf7cb97ec2e0d94f3c5f4ed54
CRs-Fixed: 2101200
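
The truncation described in the commit message above, as an added C example (not code from the driver or from this commit). The container layout and the names container_len, walk and run_demo are assumptions made for illustration; the walker returns -1 at the point where an unguarded loop would stop making progress.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed container layout (not the driver's IE format):
 * 1-byte id, 2-byte big-endian value length, then the value. */
static uint32_t container_len(const uint8_t *buf, uint32_t avail)
{
    uint32_t len;
    if (avail < 3)
        return 0;
    len = 3u + (((uint32_t)buf[1] << 8) | buf[2]);
    return len <= avail ? len : 0;   /* 0 = malformed / truncated input */
}

/* Walk all containers. wide == 0 models the uint8 out-parameter from the
 * commit message, wide != 0 the uint32 one. Returns the container count,
 * or -1 when a step consumed nothing, which is where an unguarded
 * "offset += consumed" loop would spin forever. */
static int walk(const uint8_t *buf, uint32_t total, int wide)
{
    uint32_t off = 0;
    int count = 0;
    while (off < total) {
        uint32_t len = container_len(buf + off, total - off);
        uint32_t step = wide ? len : (uint8_t)len;  /* 256 -> 0 when narrow */
        if (step == 0)
            return -1;
        off += step;
        count++;
    }
    return count;
}

/* Constructed input: a 256-byte container followed by a 4-byte one. */
static int run_demo(int wide)
{
    static uint8_t buf[260];
    buf[0] = 0x01; buf[1] = 0x00; buf[2] = 253;      /* 3 + 253 = 256 */
    buf[256] = 0x02; buf[257] = 0x00; buf[258] = 1;  /* 3 + 1 = 4 */
    return walk(buf, sizeof(buf), wide);
}

int main(void)
{
    printf("uint8 counter:  %d\n", run_demo(0));
    printf("uint32 counter: %d\n", run_demo(1));
    return 0;
}
```
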
On vdev response timer expire, memory allocated for vdev request
will be freed in the timer handler(wma_vdev_resp_timer). But there
can be a race condition where wlan shutdown is invoked at the same
time, where host tried to cleanup unhandled vdev requests by calling
same timer handler.
To mitigate this issue don't free the memory if vdev request is not
found(as other thread freed memory by this time)
Change-Id: Iea214f0ed3acb9600b5a3b84b5740c1b496719d9
CRs-Fixed: 2049673
Rome and iHelium BT Coex FW capability is completely different from
earlier generation of driver/fw and hence this kind of BT Coex protection
may not be needed.
Change-Id: Ic2f34acc03a3830ad51296313e8844011ef48266
CRs-Fixed: 2066727
Wiphy band can be NULL since it is dynamically allocated depending
on some condition. So check for NULL before populating it.
CRs-Fixed: 2122279
Change-Id: If88045e2ebbb6bceb0ed3b5337cc70778b21f832
In case STAUT is using auto-switch auth type for WEP, a retried AUTH frame
from AP can mess up our state machine and connection will fail. Save seq
number of processed auth so that retried frame can be dropped in host.
Change-Id: I00cedf594309e0bb9b4bb8f0ced2929e7d00f64d
CRs-Fixed: 2102402
Set IPA ownership for intra-BSS Tx packets to avoid skb_orphan(), and
clear the ownership after check it to avoid ipa_free_skb() is called
when Tx completed.
Change-Id: I03883773e418bb5518ea63a324d22503173ea436
CRs-Fixed: 2062911
Add ini param 'gtsf_ptp_options' to control
PTP options, it's a bitmap:
  bit0 - PTP_OPT_RX(0x1)
    set this bit to enable RX time stamping
  bit1 - PTP_OPT_TX(0x2)
    set this bit to enable TX time stamping
  bit2 - PTP_OPT_RAW(0x4)
    set this bit to use raw time as timestamp
  bit3 - TSF_DBG_FS(0x8)
    set this bit to add device attribute 'tsf' for iface
The default value of gtsf_ptp_options is 0xf
Propagated from qcacld-2.0.
Change-Id: Ie53d503bdd2e85790502583a238ee138f4bcf6c6
CRs-Fixed: 2079466
In function lim_update_ibss_prop_add_ies size of a malloc is based on
sum of two integers. Add check for integer overflow before malloc.
Change-Id: Ia7f1b306e6eb99ee0cea9f2ef00123ca66a5c062
CRs-Fixed: 2119673
The current driver strategy is to converge on unified APIs, and the
unified WMI struct flashing_req_params conveys the same information as
typedef tSirLedFlashingReq, therefore replace tSirLedFlashingReq with
struct flashing_req_params.
Change-Id: I4ef75ee3bff7c83dbf8197bba0802569282a414f
CRs-Fixed: 2121335
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pBeaconIes to align with the Coding
Style.
Change-Id: Ib1d48cd0db2a497c68c3596230b22e169ed0cc8f
CRs-Fixed: 2121264
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pRoamInfo to align with the Coding
Style.
Change-Id: I39f76a4e11fb26c5ab4279ae0b02dddadd06a83b
CRs-Fixed: 2121188
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pRoamInfo to align with the Coding
Style.
Change-Id: I444fc7925066f0ef147aed666a02027661308799
CRs-Fixed: 2121187
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pHddStaCtx to align with the Coding
Style.
Change-Id: I508816b354eb592305cb238f7604ef39586c19b2
CRs-Fixed: 2121162
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pHostapdState to align with the Coding
Style.
Change-Id: I11f20591272265ad2e0e9d1f5f8ae1243d3ecd5b
CRs-Fixed: 2121138
When specific band is set from ini file and if user is trying to change
phy mode to auto with iwpriv command, crash is seen.
To fix this, avoid eCSR_DOT11_MODE_AUTO when BandCapability is set.
Change-Id: Ieaaa1dddfafbed2fdf51b7c924977b02077f01b6
CRs-Fixed: 2082166
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pHddApCtx to align with the Coding
Style.
Change-Id: I9c209be206d9e453ec2c5adc7803126639d06b84
CRs-Fixed: 2121131
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename pHostapdAdapter to align with the Coding
Style.
Change-Id: I18a74117ae47ad05a1c46b50a14fcb64347f1c07
CRs-Fixed: 2121120
Checkpatch has detected an instance of a block comment where the
trailing "*/" is not on a separate line, so fix it.
Change-Id: Ibe8c83ea4d87f04c330f0abe6953d2dfb2067ff7
CRs-Fixed: 2120626
Checkpatch has detected multiple instances of "line over 80
characters" so fix them.
Change-Id: Ie9b3a517b97c0f70f43e7991c0576eaf1e05ec38
CRs-Fixed: 2120622
Propagation from qcacld-2.0 to qcacld-3.0
In random testing cases, the SAP close may be called even before the BSS
is started. In such cases the SAP callback may not have been registered
and such scenarios may lead to unnecessary assertion. Just returning an
error should do.
Remove the assert but retain the error notification.
Change-Id: Ief9ea45d2d7f3d910766e73a9e0dca5e34c85905
CRs-Fixed: 2121720
Propagation from qcacld-2.0 to qcacld-3.0
During BSS frame update, frame_len is calculated as size of ieee80211_mgmt
and ielen. Since ieee80211_mgmt is a generic frame structure and different
frame structures are defined under union this may exceed the actual frame
len.
Fix by calculating offset of variable(ies) and ies length.
Change-Id: Ied8e4e604e41de1ac5ccc047ef5cc3cdb05a9445
CRs-Fixed: 2121711
Update ini param g_auto_detect_power_failure_mode to incorporate below
values,
  0 - Don't register wow wakeup event and FW crashes on power failure
  1 - Register wow wakeup event and FW sends failure event to host on
      power failure
  2 - Don't register wow wakeup event and FW silently rejuvenate on
      power failure
  3 - Don't register wow wakeup event and the auto power failure detect
      feature is disabled in FW.
Change-Id: I8a704954ecbacadbc035c1523fa41a18b6300f66
CRs-Fixed: 2087144
Current driver has roam id uninitialized in anticipation that roam id
will be filled by SME APIs to correct value but in error conditions
that value may not be filled at all. In those kind of cases
initializing to invalid value will help to avoid any security breach.
CRs-Fixed: 2119198
Change-Id: I96e55cb91ef76df63dd6ba267130e1092fdcf899
Make sure num_vdev_mac_entries which is coming from firmware within
MAX_VDEV_SUPPORTED to avoid any buffer overflow or OOB read.
Change-Id: I92793a6bcfd46b288c3f496a6f6cc9b372f60c48
CRs-Fixed: 2119432
Current driver forming a unit test command within HDD layer and uses
message passing method to deliver it to WMA layer which
requires HDD layer to have a knowledge of how to form a unit test command.
Use SME API to send params to WMA layer and let WMA form a unit test
command and send it directly to FW through WMI layer instead of HDD
forming and passing it down.
CRs-Fixed: 2118725
Change-Id: Id1838939813e6cd2d52cee8720a1f4e0ca34329b
Checkpatch has detected multiple instances of "line over 80
characters" so fix them.
Change-Id: I240fcea5af2cfb4f3c1b660784fc7d37bc948c3c
CRs-Fixed: 2120625
Checkpatch has detected multiple instances of "line over 80
characters" so fix them.
Change-Id: If7b0e259a4399cc829fa4d0186c4699ae7980706
CRs-Fixed: 2120617
Current driver doesn't perform boundary check on num_vdev_mac_entries param
which is coming from firmware. Without boundary check, driver may be
exposed to buffer overflow.
Check against the boundary limit before using it.
CRs-Fixed: 2119430
Change-Id: I502926a7f783acc7b73a3fbbbd70386a099b48b3
Currently if_id used in the for loop is incremented based on vdev_map != 0
and vdev_map is a uint_32, received from FW, and is right shifted by one bit
for each iteration. This could result in if_id going up to max of 31 and cause
OOB read.
Add sanity check to make sure if_id is less than max_bssid.
Change-Id: I7e0c4e9a26cb67f41e35c60c2756d7ad02cf43ea
CRs-Fixed: 2119443
Add sanity check for vdev id in wma_roam_event_callback() to prevent
out of bound access of memory in wma_roam_better_ap_handler().
Change-Id: If3cf06a8eca767201fdd8b056bee6d773938a2a6
CRs-Fixed: 2119400
In case of FILS connection, form 802.3 packet out of
HLP IE info parsed from assoc response(if present) and
send the same to IP layer.
Change-Id: I0e077ee48030da84bfe9f987722f96ac2e05ae36
CRs-Fixed: 2034452
This change adds support to append/store the HLP IE(if present)
in req_ie as part of connect request from Supplicant and adds the
same in Association request for FILS connection.
Change-Id: I8cd3e28b462a8ac2bd9eee2a383f9d0886adfa83
CRs-Fixed: 2034452
Add support in wma_flush_complete_evt_handler to capture
data stall event from Firmware and post the message to
sys queue.
CRs-Fixed: 2086176
Change-Id: I4e819b1ae711b3867fa46ff638d4bfd2054519ed
Add support to post data stall event to sys message queue
to handle it in data detection module and finally post
diag event to QXDM. Add support to send NUD failure
diag event.
CRs-Fixed: 2086176
Change-Id: I72ba36d4c2f6ef2eb495ad1586f74af0f3c69254
Add data stall detection module in hdd which handles data
stall reported by host or fw and take necessary recovery
steps based on the data stall type.
Change-Id: Idf6c43f55d1bc115a0c06b4c6ef766ff3ed09bee
CRs-Fixed: 2090643
Host should keep the wake lock from the time it sends
WMI_PDEV_SET_MAC_CONFIG_CMDID to FW till it receives the
WMI_PDEV_SET_MAC_CONFIG_RESP_EVENTID. This will avoid any fatal
crash condition.
Change-Id: Id16a1957b38acee6cf45c123ea9dbab25aae9b39
CRs-Fixed: 2070779
If Probe resp is received just after the Probe after
HB timer expires then it results in disconnection.
Fix is to increase the probe after hb timer default
value to 70msecs.
Change-Id: I0d4ac3e567def348c6b03b41c54579f332099de8
CRs-Fixed: 2111579
wlan_hdd_cfg80211_get_fw_mem_dump() currently returns ENOTSUPP
if the feature is not supported by firmware. Return EOPNOTSUPP
instead of ENOTSUPP, which looks more appropriate.
Change-Id: I1ca2ebd3fa572ba3caae29ef9f1e396693378fb2
CRs-Fixed: 2088667
Add Vendor Event to get the driver hang reason indicating to the
user space that the driver has detected an internal failure.
This event carries the information indicating the reason that triggered
this detection.
Change-Id: I3934f2a18c796ed3b53175dcbe7efd7f4d1409b9
CRs-fixed: 2098498
The Linux Coding Style frowns upon mixed-case names and
so-called Hungarian notation, so rename pAdapter to align
with the Coding Style.
Change-Id: Id6ab1b413a3eec66c88dce52ce14dd3693d15a34
CRs-Fixed: 2119860
The Linux Coding Style frowns upon mixed-case names and
so-called Hungarian notation, so rename pAdapter to align
with the Coding Style.
Change-Id: I29e0573d41628692838037c79007ef983a0cbf9f
CRs-Fixed: 2119855
The Linux Coding Style frowns upon mixed-case names and
so-called Hungarian notation, so rename pAdapter to align
with the Coding Style.
Change-Id: I3d3c52f80a402231dd2a742cf019bf5813791fe7
CRs-Fixed: 2119854
The Linux Coding Style frowns upon mixed-case names and
so-called Hungarian notation, so rename pAdapter to align
with the Coding Style.
Change-Id: I846cf0b6effcfacce22ce122bf73064a230a05c1
CRs-Fixed: 2119853
The Linux Coding Style frowns upon mixed-case names and
so-called Hungarian notation, so rename pAdapter to align
with the Coding Style.
Change-Id: Iee939c8df097967143b77cbffe46fba6e69cd52a
CRs-Fixed: 2119849
Check the length of the IE's before appending them
and storing them in the session in
lim_process_update_add_ies.
Change-Id: I70d26638a58998c82a8810d7c2181d1f24c56e19
CRs-Fixed: 2119729
Currently the size of array ch_list in sme_set_plm_request is
defined as WNI_CFG_VALID_CHANNEL_LIST and this is incorrect.
This is just an index to the corresponding CFG item. Fix the
size to WNI_CFG_VALID_CHANNEL_LIST_LEN which is the maximum
size that can be passed from the source buffer.
Change-Id: I90086f2c73ee09cfc9d63a327b464f4017f5b37f
CRs-Fixed: 2120725
Currently, mem_dump feature support is advertized just based
on the compile macro, if the firmware does not support this
feature, still code ends up sending true to the user space.
Fix this by properly advertising the mem_dump feature support
based on the FW support.
Change-Id: I4d601f764c6598c51c48d43e24e15fb6c35875bd
CRs-Fixed: 2077931
After deriving the vdev_id from the vdev map in
wma_beacon_swba_handler check for the validity
of the vdev_id
Change-Id: Ifc4577d8a00f447e2bcfa4e01fce5ac2dbe96a4d
CRs-Fixed: 2120751
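
The bound check called for in the two vdev-map commit messages above (the if_id loop over vdev_map, and the vdev_id derived in wma_beacon_swba_handler), as an added C example that is not code from the driver. MAX_BSSID, beacon_count, handle_vdev_map and beacons_for are hypothetical names, and the table size of 4 is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_BSSID 4u            /* hypothetical table size for this example */

static unsigned int beacon_count[MAX_BSSID];   /* stand-in for per-vdev state */

/* Handle a vdev bitmap taken from a firmware event. Bit n set means
 * "vdev n needs service". Returns how many set bits were rejected because
 * the derived index does not fit the table. */
static unsigned int handle_vdev_map(uint32_t vdev_map)
{
    unsigned int if_id, rejected = 0;

    for (if_id = 0; vdev_map != 0; vdev_map >>= 1, if_id++) {
        if (!(vdev_map & 1u))
            continue;
        if (if_id >= MAX_BSSID) {   /* the added sanity check */
            rejected++;
            continue;
        }
        beacon_count[if_id]++;      /* index is now known to be in range */
    }
    return rejected;
}

/* Read back the per-vdev counter; out-of-range ids report 0. */
static unsigned int beacons_for(unsigned int if_id)
{
    return if_id < MAX_BSSID ? beacon_count[if_id] : 0;
}

int main(void)
{
    /* Constructed event value: bits 0, 2 and 31 set. */
    unsigned int rejected = handle_vdev_map(0x80000005u);

    printf("rejected=%u vdev0=%u vdev2=%u\n",
           rejected, beacons_for(0), beacons_for(2));
    return 0;
}
```

Without the range check, bit 31 in the constructed value would index 27 entries past the end of a 4-entry table.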