Commit Graph

10422 Commits

Author SHA1 Message Date
Wen Gong
3f00338bf7 qcacld-3.0: Change WLAN_FEATURE_HDD_MEMDUMP_ENABLE
Change WLAN_FEATURE_HDD_MEMDUMP_ENABLE to WLAN_FEATURE_MEMDUMP_ENABLE

Change-Id: Id4ef8de4dc7b566f3b29b9e045c1530c873a426c
CRs-Fixed: 2241236
2018-05-15 10:05:40 -07:00
nshrivas
f189a752f9 Release 5.2.0.78B
Release 5.2.0.78B

Change-Id: I482d14f0b8bb0097c2d4f55bd2e6c00d9b6fb3fb
CRs-Fixed: 774533
2018-05-15 08:48:30 -07:00
Visweswara Tanuku
d0c726b4b9 qcacld-3.0: Block SoftAP channel switch in response to ECSA frame
qcacld-2.0 to qcacld-3.0 propagation

SoftAP is changing channel in response to ECSA frame from STA
Do not let SoftAP switch channel in response to ECSA.

Change-Id: Ie9ddbf10c13f62205fdd60c512a560b35c6610ba
CRs-Fixed: 2121117
2018-05-15 08:48:29 -07:00
Vignesh Viswanathan
5ce817eb54 qcacld-3.0: Optimize SAP beacon handling for protection
Currently SAP beacon callback loops through PE sessions to check
if the beacon's channel matches any active SAP channel and then
invokes sch_beacon_process_for_ap API. In sch_beacon_process_for_ap
we again loop through all the PE sessions to identify the session
where the SAP is active.

Optimize this by looping only once through all PE sessions in
lim_handle_sap_beacon and invoke sch_beacon_process_for_ap with
the SAP session's session_id.

Change-Id: Ia74e17845de161508b6c8efff6aca82cf4d9c961
CRs-Fixed: 2226237
2018-05-15 08:48:25 -07:00
nshrivas
b1482540a0 Release 5.2.0.78A
Release 5.2.0.78A

Change-Id: Ib5354f1295f8fb2366c8bea7587d88b68b393a91
CRs-Fixed: 774533
2018-05-15 05:56:49 -07:00
Vignesh Viswanathan
75af0a6c04 qcacld-3.0: Fix return status in wlan_hdd_reassoc_bssid_hint
Currently wlan_hdd_reassoc_bssid_hint returns true if prev_bssid is
present in the connect request even if the hdd_reassoc fails leading
to connection not happening if the supplicant sends a prev_bssid
and bssid_hint in the connect request and if the current state is
not connected.

Fix return status in __wlan_hdd_cfg80211_connect to return 0 only
if hdd_reassoc is success else proceed with disconnect and connect

Change-Id: I513495797f2538fc8887ff0a9ce04e13035e0549
CRs-Fixed: 2238104
2018-05-15 05:56:48 -07:00
nshrivas
77b1c865ac Release 5.2.0.78
Release 5.2.0.78

Change-Id: Iee5be9e9d11c10f7caf86c1add6a28cadc8561fe
CRs-Fixed: 774533
2018-05-15 04:33:47 -07:00
Vignesh Viswanathan
a2f5ce580a qcacld-3.0: Validate channel list from ioctl before sending to fw
Currently the channel list received from the SETROAMSCANCHANNELS
driver command is passed directly to the FW without checking if it
contains any invalid channels leading the firmware to assert if the
list contains unsupported channels.

Validate the channel list received from the ioctl with the base
channel list and send to firmware only if all the channels in
the list are valid

Change-Id: Ia502eecb97e34de854a75a6af7ffb8ccc02a7e52
CRs-Fixed: 2231242
2018-05-15 04:33:46 -07:00
nshrivas
3edad82e68 Release 5.2.0.77Z
Release 5.2.0.77Z

Change-Id: I18086c49d1c70a2101162807d5fd917f943af7f7
CRs-Fixed: 774533
2018-05-15 03:21:30 -07:00
Ashish Kumar Dhanotiya
3d0c71379c qcacld-3.0: Resolve compilation error for FEATURE_WLAN_ESE
If FEATURE_WLAN_ESE is disabled, there is a compilation error.

Remove the definition of hdd_wmm_inactivity_timer_cb and
hdd_wmm_disable_inactivity_timer if FEATURE_WLAN_ESE is disabled
as these APIs are not getting used anywhere.

Change-Id: I2c236f63429bdc738be9ccb06f9671b694fd9a5d
CRs-Fixed: 2238180
2018-05-15 03:21:30 -07:00
Yeshwanth Sriram Guntuka
f71b48e505 qcacld-3.0: Possible buffer overflow in wma_stats_ext_event_handler
Check for stats ext info data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.

Fix is to subtract TLV header size and stats_ext_info
size from max allowed size when validating stats ext
info data length.

Change-Id: I34e35a0aab396af3d93a0f61e0ab6a2da09f22ab
CRs-Fixed: 2227263
2018-05-15 03:21:26 -07:00
Rakesh Pillai
33942c4344 qcacld-3.0: Fix Use-After-Free in ol_txrx_pdev_detach
The use of TAILQ_FOREACH for freeing the fw_stats list during
pdev detach causes a use-after-free condition, which can lead
to unexpected behavior during the driver load or unload.

Fix the possible Use-after-free condition in pdev detach, by
using TAILQ_FOREACH_SAFE instead of TAILQ_FOREACH for freeing
the fw_stats list.

CRs-Fixed: 2214520
Change-Id: I5dfcc5e3f0d2e77a5f6226eca06bc6ab1af4e643
2018-05-15 03:21:22 -07:00
nshrivas
389e2bb771 Release 5.2.0.77Y
Release 5.2.0.77Y

Change-Id: I2bd3b7a7486420de9ce843a7ac82c155d9ff0f30
CRs-Fixed: 774533
2018-05-15 00:36:13 -07:00
Naveen Rawat
374d798de2 qcacld-3.0: Split __wlan_hdd_cfg80211_get_station for sta/sap
Refactor function __wlan_hdd_cfg80211_get_station for sta and sap
case.

Change-Id: Ic71333750657745058c5f37665ea0bb7b7331988
CRs-Fixed: 2223583
2018-05-15 00:36:12 -07:00
Venkata Sharath Chandra Manchala
c004fa0614 qcacld-3.0: Enable Support for dbs stats
Add an extra parameter for txrx_stats to print
stats based on provided mac_id

Change-Id: I613ef657571f8ce6222434067117ac313fc98d60
CRs-Fixed: 2237472
2018-05-15 00:36:08 -07:00
nshrivas
2fc8b6eb81 Release 5.2.0.77X
Release 5.2.0.77X

Change-Id: I0330ac9a29c6e4bd3d3c2c2f046df73516e79df7
CRs-Fixed: 774533
2018-05-14 23:15:35 -07:00
gaurank kathpalia
d84b0052d3 qcacld-3.0: Allocate extra 100 bytes to add missing IE info
In the API sir_validate_and_rectify_ies, the driver rectifies
the RSN IE, if the AP hasn't filled the RSN capabilities in the
beacon/probe response, but has filled the length of IE as extra
2 bytes meant for the RSN capabilities. The driver tries to repair
these kinds of frames and fills the last 2 bytes of RSN IE with
default RSN capabilities, to prevent the failure of unpacking
the IEs in unpack-core. But, the driver may write these default
RSN capabilities into some other allocated memory, because the
allocated memory is only the frame length, which would result
in OOB write.

Fix is to allocate some reserve bytes in the frame
for these types of issues.

Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2232542
2018-05-14 23:15:34 -07:00
nshrivas
ba7f8acd85 Release 5.2.0.77W
Release 5.2.0.77W

Change-Id: I51a8f029cdc4215b267e212375636a7ce0a01c89
CRs-Fixed: 774533
2018-05-14 21:54:40 -07:00
Yu Wang
157d147841 qcacld-3.0: add implementation of getting congestion stats
Add changes to support get congestion stats from
within cp_stats component.

Change-Id: I359332a18f11e56a29f15c08f687fd2d08c22695
CRs-Fixed: 2222782
2018-05-14 21:54:39 -07:00
Tushnim Bhattacharyya
eb622b0f2f qcacld-3.0: Ignore the csa event when roaming is in progress
Ignore the csa event for the station if roaming is in progress on
the same.

Change-Id: Ibb698589484a6a9df021a00986b89bebcc003b27
CRs-Fixed: 2237556
2018-05-14 21:54:34 -07:00
Jeff Johnson
9c749db62c qcacld-3.0: Prevent overread of SSID in hdd_fill_pmksa_info()
Currently when transferring SSID information from the nl80211 TLV to
the internal data structure hdd_fill_pmksa_info() always copies
SIR_MAC_MAX_SSID_LENGTH bytes which can overread the buffer. In order
to prevent overread only copy as many bytes as the TLV contains.

Note that the destination buffer passed to hdd_fill_pmksa_info() is
always zero-filled so no additional zeroing of bytes is required.

Change-Id: I1f6773b70e9e728d6b1ce93ca26417348e96844c
CRs-Fixed: 2237462
2018-05-14 21:54:29 -07:00
nshrivas
606c86caac Release 5.2.0.77V
Release 5.2.0.77V

Change-Id: Ieec825e6ab6c95613851f74ce592791c1adba18c
CRs-Fixed: 774533
2018-05-14 20:15:46 -07:00
Vignesh Viswanathan
03f5f0eb56 qcacld-3.0: Free body if session is NULL in lim_process_switch_channel_rsp
In lim_process_switch_channel_rsp, if pe_find_session_by_session_id
returns NULL, memory of body pointer is not freed leading to memory
leak.

Free memory allocated for body pointer if session entry is NULL in
lim_process_switch_channel_rsp.

Change-Id: I939aceb3ed993fd1488b72db9df526c1724f0ac5
CRs-Fixed: 2236980
2018-05-14 20:15:46 -07:00
Vignesh Viswanathan
4e65e8eab6 qcacld-3.0: Acquire SME lock before csr_roam_offload_scan from SME
In a scenario where the below two HDD commands are executed at the
same time from different threads
1. Disconnect which does an RSO Stop and free the pCurRoamProfile
2. Set Blacklist BSSID which does an RSO Update and accesses
the pCurRoamProfile
pCurRoamProfile is accessed in the function csr_roam_offload_scan
after it is freed from the other context.
The Disconnect command from HDD is protected under the global SME lock,
however, the set blacklist BSSID path is not protected under SME lock.
There are multiple instances where csr_roam_offload_scan is called
without the SME lock which could lead to similar issues.

Acquire SME lock before csr_roam_offload_scan from callers in
SME/HDD which can be from other threads.

Change-Id: I9666bab0001b56ec01dcf1df0becb36344fb6f9a
CRs-Fixed: 2226423
2018-05-14 20:15:42 -07:00
nshrivas
9afe1ef8b9 Release 5.2.0.77U
Release 5.2.0.77U

Change-Id: Ibc59c1cdb94d27d4c809ee218e8c302740ed3056
CRs-Fixed: 774533
2018-05-14 19:07:59 -07:00
Vignesh Viswanathan
ea432dda8a qcacld-3.0: Add sanity check for min buf_len in wma_form_rx_packet
In function wma_form_rx_packet, mpdu_data_len is calculated as
(buf_len - mpdu_hdr_len). If the value of buf_len is less than
mpdu_hdr_len, then an integer underflow would occur while calculating
mpdu_data_len.

Add sanity check to return invalid if buf_len is less than mpdu_hdr_len.

Change-Id: I4522eadb65f6cd8b210ba071a91e53008eec042c
CRs-Fixed: 2230318
2018-05-14 19:07:58 -07:00
nshrivas
d99e51eda6 Release 5.2.0.77T
Release 5.2.0.77T

Change-Id: I1f6e1a4801e549ecdf7ea1b7056862abeec2d26e
CRs-Fixed: 774533
2018-05-14 17:59:48 -07:00
Dustin Brown
b1032c2cc2 qcacld-3.0: Add management frame wake stats
Track and print WLAN wake stats for management frames received.

Change-Id: I803a4cebbeb4434e25e00dc3826b186dbb17f413
CRs-Fixed: 2234398
2018-05-14 17:59:44 -07:00
nshrivas
0fe4d03414 Release 5.2.0.77S
Release 5.2.0.77S

Change-Id: I8a32f0ee55de211a3650ac205b4dcaab4d67f5e2
CRs-Fixed: 774533
2018-05-14 16:50:34 -07:00
Visweswara Tanuku
2e2ac0338d qcacld-3.0: Use LDPC flag from Vendor IE for VHT20 case
qcacld-2.0 to qcacld-3.0 propagation

Update LDPC flag from Vendor IE instead of VHT capabilities
for VHT20 case.

Change-Id: I7bb916353586529fb78f1caeda68687663e44af2
CRs-Fixed: 2091292
2018-05-14 16:50:33 -07:00
nshrivas
ad8cfa1185 Release 5.2.0.77R
Release 5.2.0.77R

Change-Id: I21df33f557cadf9abeddc1e8975bb02a3aaa0749
CRs-Fixed: 774533
2018-05-14 13:58:42 -07:00
Arif Hussain
5fa1378112 qcacld-3.0: Add missing status check in __lim_process_sme_disassoc_cnf()
Fix typo in checking mlm status by adding missing
eLIM_MLM_WT_DEL_BSS_RSP_STATE state check in
__lim_process_sme_disassoc_cnf() function.

Change-Id: Id2acde09023ba117e1d938035db9e9a0d7b303b3
CRs-Fixed: 2232883
2018-05-14 13:58:41 -07:00
hqu
a8d079d93d qcacld-3.0: Always set WMI_ROAM_SCAN_MODE_NONE with RSO_STOP cmd for LFR2.0
For LFR2.0 roaming policy, firmware will indicate roam event with
WMI_ROAM_REASON_SUITABLE_AP reason even ROAM_SCAN_OFFLOAD_STOP cmd
set with WMI_ROAM_SCAN_MODE_ROAMOFFLOAD, it doesn't obey LFR2.0
roaming policy design. Root cause is firmware only disables roam
scan with ROAM_SCAN_OFFLOAD_STOP cmd which must set scan mode with
WMI_ROAM_SCAN_MODE_NONE.

Fix is to always set scan mode with WMI_ROAM_SCAN_MODE_NONE for
LFR2.0 when host sends ROAM_SCAN_OFFLOAD_STOP cmd.

Change-Id: Id5e8325f2767023daacd3dbd4104ce768de3857d
CRs-Fixed: 2228315
2018-05-14 13:58:37 -07:00
nshrivas
29188cc2b1 Release 5.2.0.77Q
Release 5.2.0.77Q

Change-Id: I26e7b409aa2867f0d63b9a471153ac4e60b9dfa2
CRs-Fixed: 774533
2018-05-14 12:50:43 -07:00
hqu
8f0dd69415 qcacld-3.0: Use session_id param for csr_roam_offload_scan
When Pre-Auth is failed, it will go to ROAM_SCAN_OFFLOAD_START
or ROAM_SCAN_OFFLOAD_RESTART process, it always uses zero as
session_id param for csr_roam_offload_scan, it's wrong, session_id
should be variable value.

Fix is to use variable session_id param for csr_roam_offload_scan.

Change-Id: Iaf5f234dc73001440aaf02d7931c7891903f9148
CRs-Fixed: 2239812
2018-05-14 12:50:43 -07:00
Arif Hussain
186d7a008c qcacld-3.0: Fix buffer overwrite in csr_roam_diag_joined_new_bss()
Fix possible buffer overwrite in csr_roam_diag_joined_new_bss function.

Change-Id: Icf4a39e0a2a291f1c084353985aa7952e3c8e136
CRs-Fixed: 2233033
2018-05-14 12:50:39 -07:00
nshrivas
249cab7ba0 Release 5.2.0.77P
Release 5.2.0.77P

Change-Id: I08197cfba945ef89b4e99fe3192754c9f273f82e
CRs-Fixed: 774533
2018-05-14 11:39:09 -07:00
Rakshith Suresh Patkar
83871f7a7d qcacld-3.0: Define DPT_DEBUGFS_PERMS outside ifdef
DPT_DEBUGFS_PERMS macro has been defined inside
ifdef QCA_SUPPORT_TXRX_LOCAL_PEER_ID. Since this can cause problems
when the above config is not set, defining it outside.

Change-Id: Ibf02f692ddaf0b5de17d647cce27a6e093f7b7df
CRs-Fixed: 2238106
2018-05-14 11:39:08 -07:00
nshrivas
bc70f0da98 Release 5.2.0.77O
Release 5.2.0.77O

Change-Id: If8ffedce617fa264b5ddc64c1e5ad85d47dbf19a
CRs-Fixed: 774533
2018-05-14 10:26:22 -07:00
gaurank kathpalia
c63859d9f0 qcacld-3.0: Send RSN caps in RSO command
Association request initiated by the host contains
the RSN capabilities which contains both the flags
of PMF, i.e. PMF required and PMF capable. The DUT
may connect to a non PMF AP or only a PMF capable AP,
if the DUT is PMK capable and not PMF required,
but connection to a non PMF AP isn't allowed
if the DUT is configured as PMF required.
In the Association request, the DUT advertises its
RSN capabilities, and according to them, the connection
(PMF/non PMF) happens. But these capabilities aren't
sent to the firmware, so while roaming, the DUT may
connect to a non-PMF AP, as in the re-assoc request
the DUT would still advertise PMF-REQUIRED as false,
which would be violation of protocol.

Fix is to send these RSN capabilities to the
firmware as part of roam scan offload params,
to have firmware save the configuration, and
send the RE-assoc request with PMF required as
true, if the DUT supports PMF required.

Change-Id: Iff58f7ba3b2fee7a834bd625225bbb3d62f33557
CRs-Fixed: 2234977
2018-05-14 10:26:21 -07:00
Will Huang
9913277e97 qcacld-3.0: Clear mac_ctx->sap.sapCtxList for SAP if SSR happen
While SSR happens, hdd_reset_all_adapters will not clear
mac_ctx->sap.sapCtxList[sapctx->sessionId].pSapContext, and later the
sapctx will assign new sessionId after SSR restart SAP and update to
mac_ctx->sap.sapCtxList. So sapctx/old sessionId still can be
referenced by like wlan_sap_is_pre_cac_active and call pre cac cleanup
on unexpected port.

When SAP restarts and sets global sapCtxList in sap_set_session_param(),
find matched sapctx and clear it before assigning updated value.

Change-Id: Id02733cb22267ac0c1899d8caf9ac47c65e24a88
CRs-Fixed: 2232398
2018-05-14 10:26:18 -07:00
Yeshwanth Sriram Guntuka
0e6f44655a qcacld-3.0: Decrement vdev ref count in wma_state_info_dump
Vdev ref count is incremented in wma_state_info_dump
and not decremented before return. This results in
vdev not deleted physically as part of wlan0 hdd_stop.
On hdd_open, a new vdev is created for wlan0 with same
mac addr as the previous wlan0 vdev. In scan, API to
get vdev by mac addr will return NULL since the first
wlan0 vdev is not physically deleted and not removed from
vdev list.

Fix is to decrement vdev ref count in wma_state_info_dump.

Change-Id: I67c90a721643f5bb7c6e212846f6d398055a6672
CRs-Fixed: 2233997
2018-05-14 10:26:15 -07:00
nshrivas
c56e6fcd3d Release 5.2.0.77N
Release 5.2.0.77N

Change-Id: Ieb3d7fdbde6cd8d2d8607a625322d3fbd5ed75d2
CRs-Fixed: 774533
2018-05-12 08:45:29 -07:00
Vignesh Viswanathan
053efa32c8 qcacld-3.0: Add check for min buffer length in find_ie_defn
In find_ie_defn function, if the current IE is an Ext IE with EID=255,
the third byte of the IE is accessed to get the extn_eid. However, if
the actual buffer length is less than 3, then an OOB read would occur
while trying to access extn_eid.

Add check to access pbuf + 2 for extn_eid only if nbuf is greater than 2.

Change-Id: Id9708176affe35a85eb21a07901ae8ed62b78b9e
CRs-Fixed: 2237141
2018-05-12 08:45:28 -07:00
Sandeep Puligilla
39cec0833b qcacld-3.0: Add Null pointer check for packet buffer
Add Null pointer check for packet buffer before dereferencing
it in lim_send_addba_response_frame() API.

Change-Id: I46c637b7534fe200ec586b07e34d9a4baee5ac7e
CRs-Fixed: 2232740
2018-05-12 08:45:25 -07:00
nshrivas
6522ea5601 Release 5.2.0.77M
Release 5.2.0.77M

Change-Id: I81a66e5a50fa30ae2be1d7bc93a3e6bfa223dcc1
CRs-Fixed: 774533
2018-05-12 07:45:35 -07:00
Bala Venkatesh
7cf5b66a92 qcacld-3.0: Fix NULL pointer access in sme_set_wlm_latency_level
'wma' pointer is initialized using the return value of
cds_get_context; this function can return a NULL value.

Check for NULL pointer before dereferencing the 'wma'.

Change-Id: I529a34fba91f19bdd6c62d14e97cfabb476cdf7f
CRs-Fixed: 2239647
2018-05-12 07:45:34 -07:00
nshrivas
29aa4943a3 Release 5.2.0.77L
Release 5.2.0.77L

Change-Id: Iea55329d6287b11ecd8b1dcf3aa641558f85c1ee
CRs-Fixed: 774533
2018-05-12 06:28:06 -07:00
Vignesh Viswanathan
18eb2b2aff qcacld-3.0: Post Probe request frames to SCAN queue instead of PE queue
Currently in pe_handle_mgmt_frame, all management frames are posted
into the PE message queue. The beacon and probe response frames are
filtered before posting into the PE message queue, however the PE
message queue can still be flooded with probe request frames.

Post probe request frames via SCAN queue with the appropriate
callback function.

Change-Id: Ie29ad9602d3389af467b8f893624b86265a44421
CRs-Fixed: 2238190
2018-05-12 06:28:05 -07:00
nshrivas
7456328697 Release 5.2.0.77K
Release 5.2.0.77K

Change-Id: I50b37e35736219af4e609e17c52f869ef8fe9ad7
CRs-Fixed: 774533
2018-05-12 04:31:14 -07:00