Presently, while sending scan offload request to fw, fw is only notified
whether the channel list is static or dynamic. Fw is not notified whether
it is dynamic init, dynamic flush or dynamic update. Also, in HOST
driver it is not being used anywhere.
Remove the code to mark the channel list as dynamic update, dynamic flush
or dynamic init. Instead, assign the channel list simply as dynamic.
Change-Id: Iad834f07bb61963f0fbb6227ffcedfd1679d1a9e
CRs-Fixed: 2260715
The protocol stack has some lingering uses of the legacy status
enumeration tSirRetStatus. There is a plan to transition all of these
to QDF_STATUS. As the next step of this plan replace the tSirRetStatus
definition with macros that map to QDF_STATUS identifiers. This will
ensure that the transition does not have any side effects, and will
provide the mappings to be used to allow a global replace of
tSirRetStatus identifiers with QDF_STATUS identifiers.
Change-Id: Ied64393500d78b5059b68536fc5511918188962b
CRs-Fixed: 2261128
Copy the country code value to local variable and use
it to set the country code to avoid the out of bound
access to caller buffer.
Change-Id: I48662d4034f5dab496b23af4c1840581061bd2e5
CRs-Fixed: 2247610
In case of WLAN_EID_WAPI, Host assuming that the incoming ie buffer
is at least of length (4 + 2 + akmsuiteCount * sizeof(uint32_t))
long and is not checked anywhere before accessing. Results possible
OOB read issue could occur.
Fix is to add a check for incoming buffer IEs.
Change-Id: Ia60cf8c56478b47e5f2f654f0cf77fe6bd5706e4
CRs-Fixed: 2252250
Channel info for ACS is not getting initialized if channel is unsafe.
So, channel number, rssi, ACS weight, etc. is not getting initialized
and is 0 for all the unsafe channels. As a result, wrong weights are
getting calculated in ACS algo and wrong channel number is getting
printed in logs for all these channels.
Initialize channel info for ACS even if channel is unsafe.
Change-Id: Iec315ea818b5b51aef6879831b8be29ba4515983
CRs-Fixed: 2260798
When CSA is received from the firmware, dot11_mode is copied
from received message . In response to the CSA message, the host
invokes wma_vdev_start with isRestart flag set to restart the
vdev with the new updated channel, and channel params.
The dot11_mode value is copied from the CSA which will not be a
problem unless the switching channel is on the same band or on
different band as long as its HT/VHT 2.4GHZ to HT/VHT 5GHZ bands
or vice-versa. When the channel switch occurs from a 11a to 11g
band or vice-versa, wrong dot11_mode is populated without being
updated for the new band. As the phy_mode is calculated from the
dot11_mode value, phy_mode check fails in wma_vdev_start in this
case. So the host doesn't send vdev_restart.
Populate the dot11_mode correctly and pass it to lower layers
upon updation. This will ensure correct phy_mode is calculated
and vdev_restart is sent.
Change-Id: Iaf8788d51b47190c04744b8981dd594236fbae57
CRs-Fixed: 2248980
Currently, in ol_txrx_is_peer_eligible_for_deletion(), invalid
dereferencing of peer_id_to_obj_map[0xFFFF] to get peer_ref while
processing VDEV stop response handler may occur.
Revert the changes introduced by
Change-Id: Icf252612081a41f94db6df4684348f2962b2da9d and
Change-Id: I743e2e2c83c3e07e5d5ec4fde7fc3b098766ca96
Change-Id: I7aa104f69a5665f0e08314fb0a273e077f562939
CRs-Fixed: 2261088
Before wow enable or pdev suspend host sets hardware filter bitmap
and enables the filter via a command. But after resuming it sends
bitmap as zero with filter disable. This is interpreted by Firmware
as disable the modes set in the bitmap, so none of the modes are
disabled. With this host will not receive bc/mc packets after
disabling the hw filter, which it is expecting.
Send the same bitmap after resume that was used before suspend.
Change-Id: Ic7425274c9197e907404c3ca9ba0d5269ee51690
CRs-Fixed: 2194964
In implementation of Android Packet Filter, functions, variables,
definitions are named after BPF, which stands for Berkely Packet
Filter. The term was more appropriate for Link Layer packet
filters implemented in the Linux kernel, known as Linux Socket
Filters.
The term BPF is obsolete now, so rename it with the
appropriate acronym, APF.
Change-Id: I9e02edbc580ffb2c559c8e864f54d255fc2d51a3
CRs-Fixed: 2191530
File wlan_hdd_cfg80211.c is bloated and adding support for
upcoming Android Packet Filter v3 is going to increase its
size even more.
Create a new source file for APF related HDD modules and a
header file for declaring the API's.
Change-Id: I2fb3d7e017f4befbad7aacab3575ae2b48e88a45
CRs-Fixed: 2189825
Currently the NL MSG handlers for WLAN_NL_MSG_OEM and
WLAN_NL_MSG_SPECTRAL_SCAN are not deregistered during hdd_wlan_exit which
can causes a page fault if NL issues cld80211_doit for these NL messages
when the WLAN is not up.
Add Deregister APIs for all the NL MSGs to call as part of
hdd_exit_netlink_services during hdd_wlan_exit.
Change-Id: I5811dcfc79eff4ea7281de5f7591e078c572e69c
CRs-Fixed: 2232902
PMO should not know about vdev data path handle, but
pmo_unpause_all_vdev() need it, so register a wma callback to retrieve
the vdev dp handle instead of keep a copy in pmo vdev private context.
Refine current code to retrieve vdev dp handle using a wma callback
Change-Id: I1f668fff633a5e5cdfc478e7f619e9600930b333
CRs-Fixed: 2227384
In __iw_set_packet_filter_params(), a user controlled length value,
priv_data.length, is used to allocated a buffer. This buffer is then
cast to a struct pointer of struct pkt_filter_cfg type without ensuring
the buffer is of proper length.
Add a sanity check on priv_data.length to ensure that the command being
issued has proper parameters.
Change-Id: Ia871e35ef938ca889fb6b1609a0c881d76f29e4b
CRs-Fixed: 2250775
1) Add timer callback function for resuming OS netdev queues once
they have been paused.
2) Add HDD function to register resume timer callback for High Latency
Data Path Flow Control.
HL netdev flow control will re-use some of the
QCA_LL_LEGACY_TX_FLOW_CONTROL functionality, hence some parts of the
legacy flow control code have been conditionally enabled for
QCA_HL_NETDEV_FLOW_CONTROL as well.
Change-Id: I4d4a03ddd5be980ce27fd0771fa9d6dc26138357
CRs-fixed: 2236321
The following memory leak issues of blocked scan requests
need to be addressed:
1. Add list for blocked scan requests
There could be multiple scan requests are blocked before related
callback can be executed. Currently there is only one pointer
for such requests. A list is added accordingly.
2. Cleanup blocked scan request when ifdown
Scheduled work for blocked scan might not be able to be executed
before ifdown. When the work is cancelled, related scan request is
not freed and will caused memory leak.
Call the relate callback when blocked scan work is cancelled to
cleanup the pending scan request.
Change-Id: Ifb5fc1b14a043ad67e4ba1d305ce4133b471188c
CRs-Fixed: 2166111
Fix overrunning callee's array of size 19 by evaluating argument tid
not to pass the maximum number.
Change-Id: I993339f4b9aea51e9566d213c9828825c5f2bf66
CRs-Fixed: 2232744
For txrx_stats command, there are two parameters are designed as
mandatory: 1st is statistics category, 2nd is mac id.
Add default value 0 for those parameters.
CRs-Fixed: 2248034
Change-Id: Ifc667e22bd78a295c3323f2b2e063f2f6ba12e8e
In case the current selected txq group, does not have enough credits,
try to borrow credits from the other txq group.
Change-Id: I86fbe990853d90598f6e09b13f7061e4ba1a78ae
CRs-fixed: 2246206
1) When a group is created i.e. the first vdev is added to it,
assign all the credits to it.
2) When the second group is created, transfer some minimum credits
to it.
3) When a group is deleted, transfer its credits to the other group.
Change-Id: I0c5532033718b250ab0633b4da4e219c0315cac9
CRs-fixed: 2246206
1) Add function: ol_tx_update_grp_frm_count() to maintain count of frames
per group.
2) Call ol_tx_update_grp_frm_count() from ol_tx_enqueue(),
ol_tx_dequeue() and ol_tx_queue_free().
Change-Id: If1b07ea5bbdcbc6ad6d0c91e6b2060c4264b9472
CRs-fixed: 2246206
During wlan unloading, target failure is ignored, no recovery
will happen, refer function ol_target_failure
During wlan unloading, cds_cfg may be freed, can't get
cds_is_self_recovery_enabled state correctly
Change-Id: I321d4029f299ef2eb7a6316faaed90f62e091b4e
CRs-Fixed: 2224058
After CSA, channel is not getting updated in DS params and HT info
IE in BSS descriptor of corresponding session. As a result, channel
in cfg80211 is still old due to which freq getting displayed in UI
is still the older one.
Update channel in DS params and HT info IE in BSS descriptor after CSA.
Change-Id: I4a0f301ccd6155dc459fa1bfa4fbd0c59c04e0f8
CRs-Fixed: 2244619
The API sme_process_msg lacks a break in switch case
after eWNI_SME_SET_DUAL_MAC_CFG_RESP. Due to this
execution falls through to the next case statement or
default.
Fix is to add a break after eWNI_SME_SET_DUAL_MAC_CFG_RESP
Change-Id: I7466dfdc8c8cbe186f61f47371137dca958e1d08
CRs-Fixed: 2233190
In __wlan_hdd_cfg80211_scan(), while copying ie data from
cfg80211_scan_request to local destination buffer, there is no check of
ie_len against maximum possible length of SIR_MAC_MAX_ADD_IE_LENGTH (2048).
This can result in buffer over-flow.
To address this, validate ie_len in cfg80211_scan_request.
Change-Id: I5da837395869704666762fdf57293d9561d3ad83
CRs-Fixed: 2247604
Add per-level logging wrappers to PE module,
which can be compiled in or out by the build
configuration.
Change-Id: Ie8ded666d1bd268a4bbc57091af32aeb5b285eb1
CRs-Fixed: 2260214
There are several logs in PMO that log debugging related information
at the INFO level. Reduce the logging level of these debug logs to
avoid spamming the console.
Change-Id: Ib1bb9279d5d8104104b58bd2c83869f72c0bde4a
CRs-Fixed: 2260190
As per WAPI spec, the akmsuite if of length 4 x akm suite count. This
was changed as part of I63528da4c2dfafa22f2c6fc73afe52727af02b64 and
causes WAPI connection failure due to mismatch in scan results.
Fix the correct length while copying akmsuite from supplicant IEs in
wlan_hdd_cfg80211_set_ie.
Change-Id: Ib0d60e82a3fbaef1a9405200dd03eb7882007fcb
CRs-Fixed: 2258136
Currently driver allows start_bss on SAP interface even when roaming is
in progress on STA interface. This leads to two simultaneous vdev starts
in FW which causes the FW to assert.
Add changes to reject the start_bss request for SAP if roaming is in
progress on any STA interface.
Also, when a connect for STA or start_bss for SAP is received and
roaming is not in progress for any STA interface, stop roaming on all
STA interfaces by sending WMI_ROAM_SCAN_MODE_NONE to FW. Also after
association or start_bss completion, enable roaming again on connected
STA interface.
Change-Id: I3baaffeef3b350e6527660cbac4b79fa4d9f83f0
CRs-Fixed: 2221337
Out of Buffer access may occur in wmi_get_buf_extscan_start_cmd()
function if user provided inputs are different for below parameters
which are assigned in hdd_extscan_start_fill_bucket_channel_spec()
function
1. QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_NUM_CHANNEL_SPECS
2. QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC
To address this issue return failure status if numChannels is not
equal to the total number of channel entries.
Change-Id: I60d74161dc3752bd7f609af3910d7c86a99488ec
CRs-Fixed: 2255189
Presently, wrong channel is passed in ch_in_pcl() as a result of which
PCL discount is applied on wrong channel resulting in wrong ACS weight
calculation.
Pass correct channel in ch_in_pcl().
Change-Id: Id87c0afe501d7217ae6b170656bf6d2fab89b5b7
CRs-Fixed: 2257182
When gvendor_acs_support=1, ch_width provided by hostapd is not getting
copied to sap_cfg. As a result, ch_width is 0 (20Mhz) irrepective of
whatever provided by hostapd causing issues.
Copy ch_width irrespective of gvendor_acs_support value.
Change-Id: I7013eb7ee3610790194916078640d633747de15e
CRs-Fixed: 2247771
This reverts the change I48227166d722496afd2d9dd7aca1ae78d44c8833
because it is refering to the API csr_is_duplicate_bss_description()
which is deprecated and not defined.
Change-Id: I0f133eed437754f20547a1450090df09a6e0f2ba
The function hdd_validate_adapter() can expose kernel address space
with a bad adapter pointer. Fix this by removing unwanted information
from the error print.
Change-Id: I65caab9d710e031992661efdf6f8c72d0c7bf82c
CRs-Fixed: 2235225
WIFI_LOGGER_PACKET_FATE_SUPPORTED bit in logging features
indicates the support to packet fate stats. Set the bit to indicate
the packet fate stats support to user space.
Change-Id: Ie286b3bf994fc75a987a42a329dd159db978ebe6
CRs-Fixed: 2233537
When DUT P2P Go/SAP deauth ref STA, in race condition, scheduler
thread may try to clear peer data and drop pending rx packets
after peer freed in peer unmap handler in soft irq context,
use after free issue will happen.
Error log:
BUG: spinlock bad magic on CPU#1, scheduler_threa/28550
Unable to handle kernel paging request at virtual address
6b6b6b6b6b715b
Stackframe:
do_raw_spin_lock+0x34/0x154
_raw_spin_lock_bh+0x24/0x30
ol_txrx_clear_peer_internal+0x68/0xb0 [wlan]
ol_txrx_clear_peer+0x78/0xa0 [wlan]
hdd_softap_deregister_sta+0xd0/0x200 [wlan]
hdd_hostapd_sap_event_cb+0xca8/0x20b8 [wlan]
Change-Id: Ib8d133528f5ff22125218861206d241f96eaf0da
CRs-Fixed: 2247334
Propagation from cld2.0 to cld3.0.
While connected AP requires DUT to do radio
measurement for itself in passive scan mode,
DUT sends empty beacon report.
In passive scan, sta only listens beacons.
Connected AP beacon is offloaded to firmware, and
Firmware discards it except that special
IE exists in the beacon. Connected AP beacon will
not be sent to host. Hence, timer of connected BSS
is not updated in scan result lists
and cannot meet "scan timer > RRM_scan_timer".
Fix the issue by adding connected
BSS judging condition.
Change-Id: I48227166d722496afd2d9dd7aca1ae78d44c8833
CRs-Fixed: 2239559
Separate out QCA_LL_LEGACY_TX_FLOW_CONTROL
and QCA_LL_TX_FLOW_CONTROL_V2 flow control implementation
in different files to compile out features cleanly.
Change-Id: I5d6ddf9ea61b409b25d242852ed1f0102e94ad88
CRs-Fixed: 2228902
In lim_process_action_frame and lim_process_action_frame_no_session,
The Rx frame pointer is directly casted to the action frame header
to find the Action frame category and action ID without validating
the minimum length of the frame. If the frame len is less than the
action frame header len, then OOB read would occur.
Check if frame_len is less than the size of action frame header len
and return if true.
Change-ID: Idf8ca7eeacdf57171d2850fe6317784911830aac
CRs-Fixed: 2253243
In the API lim_process_deauth_frame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in a OOB read.
Fix is to have a min length check of 16 bits for the
reason code before accessing it.
Change-Id: I7e7a435ba049356c13fb10240f4abb9bf6219af4
CRs-Fixed: 2249768
During a channel switch, host sends the beacon template to the FW.
Currently the CSA/ECSA Channel Switch count offset fields in the
WMI_BCN_TMPL_CMDID fixed params are not filled from the host.
Add changes to calculate the CSA/ECSA Switch count offset from
start of the beacon template data and fill it in the fixed
params field for WMI_BCN_TMPL_CMDID.
Change-Id: Icb568f59346972784c4aceef9b42c8543adaa889
CRs-Fixed: 2246600
In wma_is_pkt_drop_candidate the frame received time is updated
even when the frame was dropped and thus the received time of
the frame keeps on increasing. Thus the condition to check if
frame is allowed after WMA_MGMT_FRAME_DETECT_DOS_TIMER ms always
fails if driver continuously keep on getting the frames.
This can lead to dropping of valid deauth/disassoc frames in case
if RMF is enabled and some rouge peer keep on sending rogue
deauth/disassoc frames and thus even if peer send valid deauth
peer will not get disconnected.
To fix this update the rcvd time stamp only when the frame is
allowed, as this timestamp should be used to block the duplicate
frames for WMA_MGMT_FRAME_DETECT_DOS_TIMER ms.
Change-Id: I4f480e21369b585d78f240c5f4f062d010d889a8
CRs-Fixed: 2256679
The protocol stack has some lingering uses of the legacy status
enumeration eSirStatus (typedefed as tSirRetStatus). There is a desire
to transition all of these to QDF_STATUS. As a first step of this
transition replace all usage of enum eSirRetStatus with tSirRetStatus.
This will eventually allow a global replace of tSirRetStatus with
QDF_STATUS.
Change-Id: I84a748f75117af99890725e64fc32a6392d262d5
CRs-Fixed: 2258411
After parsing of Re/Association Response frame,
sir_convert_assoc_resp_frame2_struct populates association response
structure sSirAssocRsp. In case if FEATURE_WLAN_ESE is enabled,
the host runs a loop to memcopy for all WMM TSPEC info from the parsed
buffer to association response structure.
Currently, While copying parsed data to sSirAssocRsp,
sir_convert_assoc_resp_frame2_struct is passing (sizeof(tDot11fIEWMMTSPEC)
* ar->num_WMMTSPEC)) as length argument to qdf_mem_copy to copy individual
TSPECInfo. Which could result to buffer overflow, as size of per
TSPECInfo is only sizeof(tDot11fIEWMMTSPEC).
Pass correct length to qdf_mem_copy while coping TSPECInfo.
Change-Id: I9c74e3bbd387fda736a715625260d95c67f03ecc
CRs-Fixed: 2254946
In the function cds_is_gmac_mmie_valid, there is uninitialized
use of mic array elements that are passed into the function
qdf_crypto_aes_gmac which causes error report in coverty.
Initialize mic array before it is passed to qdf_crypto_aes_gmac.
Change-Id: I8650cc18d32f297f659ffaac0a514e183823f042
CRs-Fixed: 2233863
While processing QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN,
scan randomization attributes: SCAN_MAC and SCAN_MAC_MASK are not
validated using nla_policy for a minimum length check of
MAC_ADDR_SIZE (6 bytes) which can result in buffer over-read.
To address this, add nla_policy for randomization attributes.
Change-Id: I872e221b951809ca1e5c60b867be52b9fa738ddd
CRs-Fixed: 2232745
Currently there are no diag events to inform user space about
used AKM Suite, requested pairwise cipher, group cipher, and
group key management in assoc request and algo num used in auth
req.
Add such diag events which can be useful in automation.
Change-Id: I210773ded47a84a3d06390271401e53cbda83089
CRs-Fixed: 2203232
Add support to send regulatory sync event to user space for self
managed regulatory when regulatory info is updated.
Change-Id: Iacecb6f3e6a65c615d3a013509770463bdafe616
CRs-Fixed: 2242697
Add support for getting cfg integer from PMO. Register callbacks
during pe_open/close so that PMO can query CFG int values for
calculating parameters like listen interval etc.
Change-Id: I52d165586576e547e175ba276e6b7225db5b27e0
CRs-Fixed: 2252661
The driver allocates memory to channelist in the API
sap_get_channel_list, and stores the pointer to channel
list in sap_context, and frees the memory allocated for
the same in scan request callback.
But it may happen that before the callback, stop adapter
calls wlansap_context_put and frees the memory allocated
to sap context, without the mem free of channellist, which
results in a mem leak
Fix is to add a NULL check to sap context and free the memory
allocated to the sap context channel list in
sap_cleanup_channel_list.
Change-Id: I7030ca8325ae4c968db654bf14062e332f409b87
CRs-Fixed: 2254767
Currently after dp peer delete peer info is logged which leads
to invalid pointer access. Do not log the peer info after it is
deleted.
Change-Id: If4c2d9af7e3f2b29e3e034eec08fa68fd329257b
CRs-Fixed: 2259026
Before checking for other kinds of resources leaks, check to ensure all
objmgr vdevs have been properly freed.
Change-Id: Ie30daf22834ceb4a8ce19fbd1d4c9b231d3b70d4
CRs-Fixed: 2255511
Peer removal happens in MC thread context and the corrresponding
unmap events processed in soft IRQ context. But both the events
are not synchronized correctly and causes race condition
in the system.
Apply reference count for the peer to avoid this
problem.
Change-Id: If1ca656a4dc0325032069af926697784cdec9b2d
CRs-Fixed: 2183468
The function wlan_hdd_cfg80211_set_key_wapi is currently set as public
which is not required as it is called from the same file only.
Make the function static.
Change-Id: I8188cf02ec06b7212607b2aba759b47ec5cc58ac
CRs-Fixed: 2247639
hdd_inspect_dhcp_packet() Will be called for each TX packet in SAP
interface. Remove the print to avoid flush print which will impact
the TX performance.
CRs-Fixed: 2253186
Change-Id: I01766ad923725a0cb04b2c19952806d4de84b37e
The value that is received from the ini for the max number of peers
supported for SAP is not being updated to the sme database.
Update the ini param into the sme database
Change-Id: I319d825e8b1f643b04b5521577786f8a3ed20e13
CRs-Fixed: 2249919
In the function wma_update_intf_hw_mode_params, vdev_id received
from caller wma_pdev_set_hw_mode_resp_evt_handler, is used as
the array index for wma->interfaces. If vdev_id exceeds
wma->max_bssid then a possible OOB write could occur.
Add check to validate vdev_id against wma->max_bssid. Print
error if it exceeds.
Change-Id: I3ddf5e1b24fbd2bd401ac879219300857d05e4b7
CRs-Fixed: 2243990
The function sap_goto_channel_sel triggers the pre start bss
scan for SAP. After this scan is queued, the hostapd process
gets scheduled after 3 secs and proceeds to select the channel
to start the SAP. If scan completion for the ACS scan was not
received, it selects the default channels. ACS scan is sent to
firmware with low priority like other normal scan.
Increasing the priority of the scan will ensure that the scan
completion is done prior to the other existing scans pending on
the queue.
Escalate the priority of the ACS scan from low to high.
Change-Id: Ibe558a4a323f276cce6eaabb3b62db217dbd5a94
CRs-Fixed: 2245200
new INI gNumVdevs is added to allow number of VDEV support
for both Host and FW. Also Updated logic to calculate num_peers
and num_tids.
Change-Id: Ife5ff24e9594c8986913c06899ac5e41c83fc75c
CRs-Fixed: 2245506
There are several logs along the suspend/resume code paths that log
debugging related information at the INFO level. Reduce the logging
level of these debug logs to avoid spamming the console.
Change-Id: I0e81901e4a053038392c1012600ae125a1ad27a3
CRs-Fixed: 2258093
The API wma_inc_wow_stats lacks a break in switch case
after WOW_REASON_OEM_RESPONSE_EVENT. Due to this
execution falls through to the next case statement or
default.
Fix is to add a break after WOW_REASON_OEM_RESPONSE_EVENT
Change-Id: I0b95fd55403b29d74a471f038e518c58c81cfcf7
CRs-Fixed: 2233189
Currently the length of every FILS information is updated before buffer
pointer check which results in invalid update of FILS information.
Add non-zero buffer pointer check for all parameters of FILS information.
Change-Id: I2065f2f1984da473b5e97ffa25f4ab519e091c5b
CRs-Fixed: 2228062
In wma_unified_link_peer_stats_event_handler() we are checking
if buf_len is of proper value. At this point buf_len is may be
uninitialized, thus causing a compilation issue.
Initialize buf_len before use in the validation check.
Change-Id: Ia19de3c5c8bcd154670a44a9dafca31c6bf0b76b
CRs-Fixed: 2256229
In wma_unified_link_peer_stats_event_handler a check for excess WMI
buffer is done by comparing difference between WMI_SVC_MSG_MAX_SIZE and
buffer length with size of wmi_peer_stats_event_fixed_param. In case the
buffer length is a value larger than WMI_SVC_MSG_MAX_SIZE, and as buffer
length is an unsigned integer, it causes an integer overflow and results
in a very large value, thus invalidating the check.
Change the check to compare difference of WMI_SVC_MSG_MAX_SIZE and size
of wmi_peer_stats_event_fixed_param with the buffer length which
prevents chance of integer overflow.
Change-Id: Ic99d0cf6b34c7c45dde3c4feb50e102807564eff
CRs-Fixed: 2224451
In the function lim_process_messages, msg is received as the
argument. msg->bodyptr is accessed before checking if the msg is
NULL. This can cause a NULL pointer dereference if msg is NULL.
Moved the NULL check for the msg structure prior to accessing msg.
Change-Id: I61fc5fc65c9604bd5a82d7e226d9a4a9c30aebd2
CRs-Fixed: 2245791
Introducing integer overflow checks in htt_t2h_tx_ppdu_log_print()
contained use of %p which violates security guidelines.
Change %p to %pK.
Change-Id: I9e886e9b065ea6902aeedc3d9c25aac76a07d6de
CRs-Fixed: 2252217
Loading driver is fail because request_firmware returns
EAGAIN when it invokes usermodehelper_read_trylock during
system suspend happens. Though system suspend is aborted,
it hasn't invoked usermodehelper_enable yet.
To resolve this issue, retry again to check whether
usermodehelper_enable has done.
Change-Id: I80f95c2194039a67adbc463a32bfc0a15e68484b
CRs-Fixed: 2251604
The maximum value of the variable cRegTableEntries is defined in
MAX_CFG_INI_ITEMS. In the scenario the value is greater than this it
may cause an overrun may occur due to the weak guard.
Turn the runtime check into compile time check to prevent such scenario.
Change-Id: I58a0d47a32d457297d3caa456fd0ca03523ed9f5
CRs-Fixed: 2232723
In case of back to back connect req, if the 1st connect is in scan for
ssid phase, the 2nd connect req try to cleanup the 1st connect and wait
for disconnect complete variable for 5 sec. In this scenario as cleanup is
pending, the scan for ssid will fail and result in the association
failure.
But in association failure the disconnect complete variable is not
completed and thus the 2nd connect req keeps on waiting for 5 sec.
To fix this complete the disconnect complete variable in association
failure, if reason is scan for ssid failure and hdd disconnect is pending.
Change-Id: Ibc0cfb72d04442e82847dd624ede15eda340b766
CRs-Fixed: 2256376
Currently tHalHandle is used as the opaque handle for the primary data
structure within the protocol stack. This name is an anachronism given
that the HAL layer was moved to firmware many generations ago. In
addition the name does not conform to the Linux Kernel naming
convention.
To address these issues introduce a new identifier, mac_handle_t, to
be used as the opaque handle. Keep tHalHandle as a typedef to
mac_handle_t until such time that all references have been replaced.
In addition introduce a new set of conversion functions, MAC_CONTEXT()
and MAC_HANDLE(), to be used to convert between these two kinds of
references.
Change-Id: I9d0d7d109621237f29d66f7b06c5b63c38f63fb2
CRs-Fixed: 2257659
In function wma_send_offload_11k_params, check to support 11k offload
in FW fails due to usage of older WMI_SERVICE_EXT_IS_ENABLED leading
to 11k offload params not sent to FW.
Add changes to use wmi_service_enabled instead of
WMI_SERVICE_EXT_IS_ENABLED in wma_send_offload_11k_params.
Change-Id: Ic71043f448d74066a234ae1cb9513a1580011abd
CRs-Fixed: 2255255
Currently max_intf_count which report from target only update to hdd
layer, but there might be a race condition if don't update to objmgr:
There are already max_intf_count vdev created, one of the vdev is
closing by supplicant, vdev is logically deleted and referenced by
other function and waiting for cleaning. The interface count of hdd
layer is already decreased to accept opening new adapter, but the
vdev_id which derived from objmgr vdev is still occupied so the new
vdev have to choose max_intf_count as vdev_id, which makes target
assert.
Update max_vdev_count to psoc objmgr in hdd_update_tgt_cfg()
Change-Id: Ifff0b79cfb4645bb466a22da2d7d07040eee2bd0
CRs-Fixed: 2241098
Enable PNO feature in FW feature config such that WiFi
kernel space driver can return proper PNO feature capability
to user space.
Change-Id: I1360050aab0224b109ee9b3912d1aa428f5a5ed7
CRs-Fixed: 2249491
Current ucfg API's that disables wow events accept a u32 bitmap
variable. A pointer to that variable is passed to core API where
it assumes it as a u32 array of 4 bytes. This will lead to out of
bound memory access.
Change wow enable/disable API's to accept wow event type as the
parameter.
Change-Id: I220aaddfea62ab96f121014d0d65a1406988c946
CRs-Fixed: 2233108
ol_tx_update_connectivity_stats() in tx completion
path updates connectivity stats referenced from tx_desc.
In cases when vdev has gone down and tx completion are received
leads to NULL vdev access. So, add check before accessing vdev.
Change-Id: I402d740ab3ecd923aa1b632bd0c59447599c17df
CRs-Fixed: 2225053
ol_tx_update_arp_stats() in tx completion path updates the per vdev
arp statistics. vdev is referenced from tx_desc.
In cases when vdev has gone down and tx completion are received leads
to NULL vdev access. So clear reference to vdev inside tx_descs when
vdev goes down.
Change-Id: Ic8c854b42ece41489f71e1374e5e72580308e9fe
CRs-Fixed: 2215312
After DUT connected AP, run on CLI: iwpriv wlan0 reassoc,
QDF_BUG(0) in driver on Rome.
When reassoc to current connected AP, LFR2 and LFR3 have
different design.
Helium supports LFR3, send WMI_ROAM_INVOKE_CMDID to F/W to
trigger offload roaming.
Rome only supports LFR2, Send vdev start cmd to F/W while
vdev already started first, then send reassoc frame.
Passpoint TC5.2a need reassoc to current connected AP.
Change-Id: Ic0e2c945c6978835f39ec1746f625a0c52f643a7
CRs-Fixed: 2232538
The hal param to sme_get_status_for_candidate() is incorrectly typed
to be a pointer to a tHalHandle when it should just be a tHalHandle,
so fix it.
Change-Id: I8799c334de58e196c1fcef2889fef4d9931b91f4
CRs-Fixed: 2255549
Currently csr_get_parsed_bss_description_ies() takes a tHalHandle
context param. However CSR is an internal module, and hence it should
be using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: Id10bc9165f942b75ee1bd0e2e9b046ea484976e7
CRs-Fixed: 2255547
Currently csr_parse_bss_description_ies() takes a tHalHandle context
param. However CSR is an internal module, and hence it should be
using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: Iabb093ac924340b0a6bfa5185d0b9d5fcc440c91
CRs-Fixed: 2255547
Currently csr_rates_is_dot11_rate_supported() takes a tHalHandle
context param. However CSR is an internal module, and hence it should
be using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: I9349e152b4818862f7ac406f7a8f96d78c4c1782
CRs-Fixed: 2255547
Currently csr_is_security_match() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: Ibaf8273ad45a7019d19f8793e2bfc35032221c8d
CRs-Fixed: 2255547
Currently csr_retrieve_wapi_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I0dca1d6b64e3ef3698439277d05611d7051926c2
CRs-Fixed: 2255547
Currently csr_retrieve_rsn_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: Ie410ef70ed38c569f1203f59a4fc8ce4ee30400d
CRs-Fixed: 2255547
Currently csr_is_ssid_equal() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I3db1f07166f90de28c8ac8a6fb31480578b04caa
CRs-Fixed: 2255547
Currently csr_retrieve_wpa_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: Ia2a7bb81a1bf4254ad5f557bcc77d71d36495bb8
CRs-Fixed: 2255547
Currently csr_construct_wpa_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: Id690878208d1e5ca97adfce94a61629a8788ede2
CRs-Fixed: 2255547
Currently csr_construct_rsn_ie() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I812709f7c149788d04151ac0b2bf2d79527131b4
CRs-Fixed: 2255547
Currently csr_get11h_power_constraint() takes a tHalHandle context
param. However CSR is an internal module, and hence it should be
using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: Ic7f622b8633726a03ace11951c6e53b7e0936beb
CRs-Fixed: 2255547
Currently csr_get_rts_thresh() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I94d370739cd616b17eea922825417d5e9ab4bd3d
CRs-Fixed: 2255547
Currently csr_get_frag_thresh() takes a tHalHandle context param.
However CSR is an internal module, and hence it should be using the
"real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I69ae6f07dd12cf79659c5e4c461fba1c7fa8ff46
CRs-Fixed: 2255547
Currently csr_get_qo_s_from_bss_desc() takes a tHalHandle context
param. However CSR is an internal module, and hence it should be using
the "real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API. In addition change "qo_s" to
"qos" to fix the typo in the name.
Change-Id: Ib5f53d55737138c708d47e79a68a2b1344dff5d2
CRs-Fixed: 2255547
Currently csr_roam_issue_ft_preauth_req() takes a tHalHandle context
param. However CSR is an internal module, and hence it should be using
the "real" context pointer type tpAniSirGlobal instead of the opaque
reference tHalhandle, so update the API.
Change-Id: I7d521ba558a64c87af72a6ce2d27eae93d1a633d
CRs-Fixed: 2255547
Currently csr_roam_ft_pre_auth_rsp_processor() takes a tHalHandle
context param. However CSR is an internal module, and hence it should
be using the "real" context pointer type tpAniSirGlobal instead of the
opaque reference tHalhandle, so update the API.
Change-Id: If8ca89e68cd0f38a65a68e1702ab3a43b130a277
CRs-Fixed: 2255547
Function csrValidateCountryString() no longer exists, but there is
still an obsolete prototype for it, so remove it.
Change-Id: I40869b7160cbc3e64b785e44711237455f2e02b0
CRs-Fixed: 2255482
Currently hdd_handle_t is defined as a void pointer. This is
convenient from an information hiding point of view since that means a
non-HDD component cannot dereference an HDD handle to access HDD
private data. However this is not convenient from a defect prevention
point of view since the C standard allows any other pointer type to be
freely and silently converted to and from a void pointer, and hence
the compiler is unable to detect when an HDD handle is used in a
context where a different pointer type is expected.
An example of one such defect was addressed by Change-Id
I2bbf1bf4a7975e5cb44066b6a3b1a98e82df9fad (qcacld-3.0: Fix bad param
passed during QoS Map conversion).
To help prevent this kind of defect change the definition of
hdd_handle_t to be a pointer to an opaque struct.
Change-Id: I6e885f84c0554bbe5c8582474fddb65ab6a0fdac
CRs-Fixed: 2254907
In sir_convert_qos_map_configure_frame2_struct() a HDD Handle is being
passed as the first parameter to convert_qos_mapset_frame() which is
expecting a pMac. Change the call to pass the pMac.
Change-Id: I2bbf1bf4a7975e5cb44066b6a3b1a98e82df9fad
CRs-Fixed: 2254955
While processing FILS EAP TLVs present in FILS wrapped data in Auth Frame,
the tlv->length from the frame is used as the length to copy the buffer
into the FILS auth info without validating if the received buffer
length is at least greater than the length value in the TLV buffer.
This would lead to OOB read if the TLV length present in the frame is
greater than the actual data_len of the FILS wrapped data.
Add sanity check to return error if tlv->length is greater than wrapped
data_len + 2 with 2 bytes for the TLV header.
Change-Id: Ibe1183c8e318ceb75db6278c935786322a029d5c
CRs-Fixed: 2245944
Currently driver marks cache type as static when it sends valid
channel list to firmware to use for roaming. When cache type is
static, driver will not add WMI_ROAM_SCAN_MODE_RSSI_CHANGE in
wma_process_roaming_config.
Roam scan may not trigger upon RSSI change when mode does not
have WMI_ROAM_SCAN_MODE_RSSI_CHANGE and may have issues related
to roaming.
Mark channel list as dynamic based on newly added ini
"force_rssi_trigger" for valid channel list as well.
With this new ini , customers can tune the behaviour of
roaming scan in firmware based on RSSI trigger or periodic.
Change-Id: I04123cb954408fd510d41d2b6ba96144be0945f9
CRs-fixed: 2240544
If SAP comes up in 2.4Ghz channel in HT/VHT 20/40Mhz and channel
switch comes for a 5Ghz channel, SAP gets started in HT/VHT 20/40
Mhz only while it should connect in VHT80Mhz or HT40Mhz depending
on whether the initial connection is in HT or VHT.
Change the bw to 80Mhz if initial connection is in VHT and to 40Mhz
if initial connection is in HT if channel switch comes for a 5Ghz
channel.
Change-Id: I709dd35575866b7ec9fddcfb94078f114a78d1a2
CRs-Fixed: 2226979
Add support for Last Beacon Report indication sub element and
Beacon Report Frame Body Fragment ID sub element to the beacon report IE
of Radio Measurement Frame.
Change-Id: I07facc245ca96b375779b30f61fc7659f1aa679d
CRs-Fixed: 2254248
Currently PE session ID is filled in eWNI_SME_DISCONNECT_DONE_IND
__lim_process_sme_disassoc_cnf but this command is expected to fill
SME session ID instead.
Send SME session ID instead of PE session ID for
eWNI_SME_DISCONNECT_DONE_IND in __lim_process_sme_disassoc_cnf function.
Change-Id: I50f7ec31eea265d04a94d9717415227bde09bdb5
CRs-Fixed: 2246024
