If sta_sap_scc_on_dfs_chan is enabled then SAP is not allowed
on a DFS channel in standalone mode. If ACS and sta_sap_scc_on_dfs_chan
are both enabled in the ini then skip the DFS channels from the ACS channel list.
CRs-Fixed: 2159816
Change-Id: I396d0c8996f8870de1570ed9932451567f5c77f3

In the API csr_roam_roaming_state_reassoc_rsp_processor
the driver extracts pNeighborRoamInfo from pMac, but it
may happen that the session id is greater than CSR_ROAM_SESSION_MAX,
which results in an out-of-bounds memory access.
Fix is to have a max check on the session ID and then extract
pNeighborRoamInfo for that session.
Change-Id: If3fb98fa278562abe40137ffead8ff4f85b40b1f
CRs-Fixed: 2259229

There is a chance that the kernel can trigger suspend while reassoc
is in progress. If the driver allows this suspend, it can result in
two issues:
1. Authentication timeout in the supplicant, which leads to connection
failure if reassoc is triggered using the reassoc bssid hint.
2. Roam synch timeout in firmware if roaming is triggered from fw.
Add one more check for roaming in progress to fix this issue.
Change-Id: I84a5d6e70e28f98440affb968c0b0bb90e21ac95
CRs-Fixed: 2269316

LL_STATS is supported only for STA mode and currently no check
is present to validate the device mode while setting the LL_STATS
from the vendor command.
Allow LL_STATS to be set from the vendor command only for STA mode.
Change-Id: I40e9a6beb20524a84d87105455fe9b28cdc50816
CRs-Fixed: 2266936

csr_roam_set_bss_config_cfg invokes csr_roam_substate_change
with sessionId as one argument to change the roam substate. In
csr_roam_substate_change, sessionId is used as an index into the array
curSubState, whose maximum allowed index is CSR_ROAM_SESSION_MAX (5). But
there is no check present in csr_roam_substate_change to
validate sessionId against the maximum allowed concurrent sessions.
This results in an out-of-bounds access if sessionId >=
CSR_ROAM_SESSION_MAX.
Add a check for sessionId against CSR_ROAM_SESSION_MAX in
csr_roam_substate_change.
Change-Id: Iae7da836001a9ccbec77cdc64df27b259f15bf4e
CRs-Fixed: 2268547

There are multiple issues with wmi_unified_nat_keepalive_enable():
1) WMA global functions should have a wma_ prefix.
2) The function prototype indicates it should return int status, and
the one caller, wma_add_sta_req_sta_mode(), is expecting that, but
it actually returns QDF_STATUS.
3) The function is a very thin wrapper that calls the unified WMI API
wmi_unified_nat_keepalive_en_cmd() and hence adds no real value.
Rather than address these issues, just remove the function and update
wma_add_sta_req_sta_mode() to directly call the unified WMI API
wmi_unified_nat_keepalive_en_cmd().
Change-Id: I13a4140ba6343240bde51704af2921c001f66a21
CRs-Fixed: 2271552

There will be excessive logs in the exception path when running SAP embedded
traffic, since these logs are per packet.
Fix is to ratelimit all logs in the IPA exception path to avoid excessive
logs.
Change-Id: Ia96a60f4de145740d7099b432c92e7b5785047d2
CRs-Fixed: 2272014

Assert in firmware due to an invalid vdev id in the spectral scan
request.
Fix is to check for an invalid vdev id before the spectral scan
request is sent to firmware.
Change-Id: I05b2e359a7b2535384fa40276d3aa42469b7ae81
CRs-Fixed: 2259269

If we disable LFR3 featurization (CONFIG_QCACLD_WLAN_LFR3=n),
the driver is not able to compile due to the change present in
Change-Id: I4c91cac6bad400c8fa58b2a6ba2b282a3b7f1620.
Fix is to include change I4c91cac6bad400c8fa58b2a6ba2b282a3b7f1620
under the WLAN_FEATURE_ROAM_OFFLOAD feature flag.
Change-Id: I9dcf3bbcd5564c08b0ba52cfebfb2118fd50fee8
CRs-Fixed: 2268764

In the API lim_perform_ft_pre_auth, the driver sends
an auth frame to a peer whose MAC address is extracted
from the session entry, and it may happen that the
pointer tpftPEContext is NULL, which results in a NULL
pointer dereference.
Fix is to send an auth frame only if the sFTPEContext
is valid.
Change-Id: I5544739a0b438efcc0216bbccdcff113946b330b
CRs-Fixed: 2259250

In the API hdd_update_tgt_cfg, the driver extracts hdd_ctx from
context, and it may happen that the context is NULL, which may cause
a pointer dereference in the same API.
Fix is to have a NULL check for hdd_ctx.
Change-Id: I9216e0fb72d1825af10445c52448c102603f7e13
CRs-Fixed: 2259401

In wlan_hdd_cfg80211_start_bss, not all error paths
reset the IEs, which might lead to a memory leak of IE buffers.
Update the error handling of the function to ensure that it
covers all error cases.
Change-Id: I44d1eeb4d0100a2f720ea20abd5eacf9fa9bf1fc
CRs-Fixed: 2271222

To populate peer rates (Supported rates, HT & VHT Capabilities),
lim_populate_peer_rate_set first copies the values of
psessionEntry->rateSet.rate into a local buffer tempRateSet for
sorting of rates. Currently, while copying, the index into the
psessionEntry->rateSet.rate buffer varies from 0 to the max rate
allowed, SIR_MAC_RATESET_EID_MAX (12). This results in access of the 13th
index (OOB) of the psessionEntry->rateSet.rate buffer.
The fix is to set a proper upper bound when copying the values of
psessionEntry->rateSet.rate into the local buffer tempRateSet.
Change-Id: I75d5f5b5e7d44665101dae6e095b4adadc1781fb
CRs-Fixed: 2268610

Standalone SAP is not allowed on a DFS channel if STA+SAP SCC is enabled
on DFS channel. So move the SAP to a non-DFS channel as soon as the STA
gets disconnected.
CRs-Fixed: 2145495
Change-Id: I27d018739f53997641a7113cfc7c844e02bd7e29

Implicit conversion from enumeration type 'enum dfs_reg' to
different enumeration type 'enum nl80211_dfs_regions'
[-Werror,-Wenum-conversion]
Change-Id: Iceff212456180b995a9432be04af5e39e7863acb
CRs-Fixed: 2271384

In the API wlansap_roam_callback, under the switch
case for roam result eCSR_ROAM_RESULT_INFRA_ASSOCIATION_IND,
the driver passes csr_roam_info to
wlansap_roam_process_infra_assoc_ind without a NULL check for
the same, which may cause a pointer dereference.
Fix is to call wlansap_roam_process_infra_assoc_ind only if
csr_roam_info is valid.
Change-Id: I6388b7c8f7af827a5c2a862779f04b22c5c5f23e
CRs-Fixed: 2260094

In the API csr_roam_read_tsf, the driver assigns
pBssDescription to handoffNode.pBssDescription, but
it may happen that handoffNode.pBssDescription was NULL,
which would result in a pointer dereference.
Fix is to assign pBssDescription, and perform the related
operations with pBssDescription, only after a validity check of
handoffNode.pBssDescription.
Change-Id: I2b9ff44e22aa86b1430d8a624bac2f0e50b91738
CRs-Fixed: 2259253

In function wma_extscan_change_results_event_handler(), numResults
in dest_chglist is assigned as total_entries from the event, but the
memory allocated to dest_chglist is based on the numap variable,
which may cause an out-of-buffer read in the extscan indication callback
function wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind().
Also, tSirWifiSignificantChange array parsing in both functions
is not efficient, which may lead to accessing unallocated memory.
To address the out-of-buffer read, assign numap to numResults in
dest_chglist, and to address the access of unallocated memory,
parse the tSirWifiSignificantChange array with efficient logic.
Change-Id: Ia0c287147e80e17de84fe6b1cb83c8e3c29a1fa0
CRs-Fixed: 2253396

Beacon's channel is checked against ACS channel list before even
getting the beacon's channel resulting in no beacon parsing at all.
Check for beacon channel in ACS channel list after getting the
beacon's channel.
Change-Id: I16edcf9eaa0eafce289cc050652702eb90d79c9d
CRs-Fixed: 2271461

User can override the Listen Interval value set during association
by using wifi config set vendor command. Since there is no limit
check in host, a very high value causes an assert in the Firmware.
Add an upper limit check on the user Listen Interval value.
Change-Id: I8128ccbb875adf57c95a15d0391fb442d3dbbbc3
CRs-Fixed: 2256334

During the review of "qcacld-3.0: lim: Replace tSirRetStatus with
QDF_STATUS" it was observed that the documentation for function
pe_process_messages() referenced an incorrect return type and return
value. While addressing this issue it was further observed that
pe_process_messages() was only being called from within lim_api.c by
pe_mc_process_handler(). Since these are both trivial functions,
consolidate them into one function.
Change-Id: Ia66088b79003e0c8c517a8e3ae32540c19fec070
CRs-Fixed: 2271550

A recent set of changes replaced all tSirRetStatus definitions with
QDF_STATUS. However some code comments were overlooked since they
incorrectly referred to eSirRetStatus instead of tSirRetStatus. Change
those comments to correctly reference QDF_STATUS.
Change-Id: I3b5779d0a09e594f1371362d161d3ea4c887110c
CRs-Fixed: 2271549

Currently lim_post_msg_api() and lim_post_msg_high_priority() are
defined to return a uint32_t status. This is an artifact of many
generations of driver changes. These functions now return QDF_STATUS,
so update the signatures as well as all callers to properly expect
this return type. In addition remove the legacy wrapper function
pe_post_msg_api() since it is unused.
Change-Id: I00f991d64e3542336526e7ed2ca36e4112918cb7
CRs-Fixed: 2271548

Add CDP API to set RX MIC key in datapath.
Required to perform RX demic of fragmented packets.
Change-Id: I3c05da62ff20f8551cdc5780ce2f7b8d23c73a37
CRs-Fixed: 2217884

Add an ultra low verbosity level to distinguish data packets from special
packets. Also post a TPUT event to the DPTrace logic so
that it can disable data packet logging during TPUT scenarios.
Disable print and in-memory logging when packets per second exceed
4 packets.
Change-Id: I70c9368de4cb2423901449b267452a34d652213d
CRs-Fixed: 2185186