If disconnect command is in SME pending queue, when connect command
is received, the disconnect command is flushed and as SME is
already in connected state the new connect command is handled as
reassoc req and as no preauth was done with this new AP, SME does not
call proper HDD callback to indicate conenct failure. Thus HDD remains
stuck in connecting state leading to scans rejection.
To fix this do not flush disconnect command from SME on receiving
connect cmd and thus clean up the SME before connect is processed.
Change-Id: Icefe8866a24b332688c64d8e69a11642fd7215d9
CRs-Fixed: 2238873
For LFR 3.0, when HO failed, peer deletion is handled by FW,
No WMI_PEER_DELETE_CMDID will be sent to FW.
Reset the peer counter when HO failure is reported.
Change-Id: I07cecf3166f40d2bd103a286e4556f95d7465bba
CRs-Fixed: 2240059
To avoid excessive console logging reduce log level from warn
to debug in lim_detect_change_in_ap_capabilities function.
Change-Id: I72fdd2b8ac1ce647480ab1eb164fb65079da3784
CRs-Fixed: 2240699
Currently tx desc id is extracted from HTT message and it is used
without check. This may cause possible OOB array read. To address
this add check for valid tx desc id.
Change-Id: I121fc4d550aa587f00ec315e3a20dfb136f4d7af
CRs-Fixed: 2225461
qcacld-2.0 to qcacld-3.0 propagation
When Management frame Tx fails, tx_frm_ota_comp_cb is not set NULL
during cleanup, because of which assert is observed since session
is not available
Set tx_frm_ota_comp_cb NULL when Management frame tx fails
Change-Id: I318a6d04cce06955f6751f6f3df746fec50b9434
CRs-Fixed: 2127855
Vdev resp and hold req queue cleanup is called in kernel thread context
and this may lead to race condition where it may free the wma's iface
structure while MC thread is using the iface.
In case FW down is received during interface delete, driver complete wait
events and thus the interface delete remove the adapter before del sta
self resp is received and thus del sta self resp uses adapter after its
freed.
To avoid this call the vdev resp and hold req queue cleanup from MC
thread. Also call del sta self resp only when driver unload is in
progress. For FW down case the resp is not required.
Change-Id: I711f83c54df29251de365a3137077b3b8d82b448
CRs-Fixed: 2234547
While processing IOCTL - CCXBEACONREQ, when number of
beacon request IEs is zero, respective handler drv_cmd_ccx_beacon_req()
is trying to log measurement token from un-initialized struct variable
ese beacon request, which results in kernel info disclosure.
To fix this, initialize stack variable ese beacon request and return
error in disconnected state when number of beacon request IEs is zero.
Change-Id: I4b0a8c673f9ca92e8699a157b24a100bb0cffa83
CRs-Fixed: 2225338
The driver fills the mcs set array in
hdd_update_tgt_ht_cap for all rf chains
and does not have a upper boundary check to
cfg->num_rf_chains, which could lead
to out of bound write a valid value
to a memory which not allocated to mcs set
Fix is to have a check to cfg->num_rf_chains
Change-Id: Ibeb5e783e2369ebee1bbf3fc724d06736c174c69
CRs-Fixed: 2221902
The default value of /sys/class/net/xx/queues/rx-x/rps_cpus is 0,
It means that the RX thread and soft IRQ will run on same core.
In 8996AU, the t-put will be impacted by the default value 0 both
in LTE and WLAN interface. Add support to set WLAN RPS CPU mask when
there is high t-put requirement of WLAN to improve the performance.
Change-Id: I10127a763b768a29b25041070f3ea7b3f6769289
CRs-Fixed: 2195721
While processing set pno IOCTL, input argument 'extra' is printed
without making sure it's NULL terminated.
Log input string 'extra' after making sure it's NULL terminated.
Change-Id: I4158103a85c0828dad240cf00b34da94e6a8cc62
CRs-Fixed: 2228601
In __lim_handle_sme_stop_bss_request, it will try to disassociate
STAs of which AssocId is from 1 to pMac->lim.gLimAssocStaLimit - 1.
However, valid range of AssocId should be from 1 to
pMac->lim.gLimAssocStaLimit. This will cause STA and peer leakage
when there is an STA using AssocID equal to pMac->lim.gLimAssocStaLimit.
Update the uppper limit to pMac->lim.gLimAssocStaLimit accordingly.
Change-Id: Ifec315c0ae69f8b93ce8b87601cca7cc13c6bc88
CRs-Fixed: 2230757
__hdd_tx_timeout passes cdp_soc context dump_flow_pool_info callback
function. Lithium_dp interchangeably use cdp_soc and dp_soc as cdp_soc is
first element of dp_soc.
Same is not valid for iHelium datapath, do not expect caller to pass
the txrx_pdev context, instead get it from global cds_context.
Change-Id: I64932fefd1294275608258df49544135d3a0562c
CRs-Fixed: 2240099
qcacld-2.0 to qcacld-3.0 propagation
SoftAP is changing channel in response to ECSA frame from STA
Do not let SoftAP switch channel in response to ECSA.
Change-Id: Ie9ddbf10c13f62205fdd60c512a560b35c6610ba
CRs-Fixed: 2121117
Currently SAP beacon callback loops through PE sessions to check
if the beacon's channel matches any active SAP channel and then
invokes sch_beacon_process_for_ap API. In sch_beacon_process_for_ap
we again loop through all the PE sessions to identify the session
where the SAP is active.
Optimize this by looping only once through all PE sessions in
lim_handle_sap_beacon and invoke sch_beacon_process_for_ap with
the SAP session's session_id.
Change-Id: Ia74e17845de161508b6c8efff6aca82cf4d9c961
CRs-Fixed: 2226237
Currently wlan_hdd_reassoc_bssid_hint returns true if prev_bssid is
present in the connect request even if the hdd_reassoc fails leading
to connection not happening if the supplicant sends a prev_bssid
and bssid_hint in the connect request and if the current state is
not connected.
Fix return status in __wlan_hdd_cfg80211_connect to return 0 only
if hdd_reassoc is success else proceed with disconnect and connect
Change-Id: I513495797f2538fc8887ff0a9ce04e13035e0549
CRs-Fixed: 2238104
Currently the channel list received from the SETROAMSCANCHANNELS
driver command is passed directly to the FW without checking if it
contains any invalid channels leading the firmware to assert if the
list contains unsupported channels.
Validate the channel list received from the ioctl with the base
channel list and send to firmware only if all the channels in
the list are valid
Change-Id: Ia502eecb97e34de854a75a6af7ffb8ccc02a7e52
CRs-Fixed: 2231242
If FEATURE_WLAN_ESE is disable, there is a compilation error.
Remove the definition of hdd_wmm_inactivity_timer_cb and
hdd_wmm_disable_inactivity_timer if FEATURE_WLAN_ESE is disabled
as these apis are not getting used anywhere.
Change-Id: I2c236f63429bdc738be9ccb06f9671b694fd9a5d
CRs-Fixed: 2238180
Check for stats ext info data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and stats_ext_info
size from max allowed size when validating stats ext
info data length.
Change-Id: I34e35a0aab396af3d93a0f61e0ab6a2da09f22ab
CRs-Fixed: 2227263
The use TAILQ_FOREACH for freeing the fw_stats list during
pdev detach causes a use-after-free condition, which can lead
to unexpected behavior during the driver load or unload.
Fix the possible Use-after-free condition in pdev detach, by
using TAILQ_FOREACH_SAFE instead of TAILQ_FOREACH for freeing
the fw_stats list.
CRs-Fixed: 2214520
Change-Id: I5dfcc5e3f0d2e77a5f6226eca06bc6ab1af4e643
In the API sir_validate_and_rectify_ies, the driver rectifies
the RSN IE, if the AP hasnt filled the RSN capabilities in the
beacon/probe response, but has filled the length of IE as extra
2 bytes meant for the RSN capabilities.The driver tries to repair
these kind of frames and fills the last 2 bytes of RSN IE with
default RSN capabilities, to prevent the failure of unpacking
the IEs in unpack-core. But, the driver may write these default
RSN capabilities into some other allocated memory, because the
allocated memory is only the frame length, which would result
in OOB write.
Fix is to allocate some reserve bytes in the frame
for these type of issues.
Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2232542
Currently when transferring SSID information from the nl80211 TLV to
the internal data structure hdd_fill_pmksa_info() always copies
SIR_MAC_MAX_SSID_LENGTH bytes which can overread the buffer. In order
to prevent overread only copy as many bytes as the TLV contains.
Note that the destination buffer passed to hdd_fill_pmksa_info() is
always zero-filled so no additional zeroing of bytes is required.
Change-Id: I1f6773b70e9e728d6b1ce93ca26417348e96844c
CRs-Fixed: 2237462
In lim_process_switch_channel_rsp, if pe_find_session_by_session_id
returns NULL, memory of body pointer is not freed leading to memory
leak.
Free memory allocated for body pointer if session entry is NULL in
lim_process_switch_channel_rsp.
Change-Id: I939aceb3ed993fd1488b72db9df526c1724f0ac5
CRs-Fixed: 2236980
In a scenario where the below two HDD commands are executed at the
same time from different threads
1. Disconnect which does an RSO Stop and free the pCurRoamProfile
2. Set Blacklist BSSID which does and RSO Update and accessed
the pCurRoamProfile
pCurRoamProfile is accessed in the function csr_roam_offload_scan
after is freed from the other context.
The Disconnect command from HDD is protected under the global SME lock,
however, the set blacklist BSSID path is not protected under SME lock.
There are multiple instances where csr_roam_offload_scan is called
without the SME lock which could lead to similar issues.
Acquire SME lock before csr_roam_offload_scan from callers in
SME/HDD which can be from other threads.
Change-Id: I9666bab0001b56ec01dcf1df0becb36344fb6f9a
CRs-Fixed: 2226423
In function wma_form_rx_packet, mpdu_data_len is calculated as
(buf_len - mpdu_hdr_len). If the value of buf_len is less than
mpdu_hdr_len, then a integer underflow would occur while calculating
mpdu_data_len.
Add sanity check to return invalid if buf_len is less than mpdu_hdr_len.
Change-Id: I4522eadb65f6cd8b210ba071a91e53008eec042c
CRs-Fixed: 2230318
qcacld-2.0 to qcacld-3.0 propagation
Update LDPC flag from Vendor IE instead of VHT capabilities
for VHT20 case.
Change-Id: I7bb916353586529fb78f1caeda68687663e44af2
CRs-Fixed: 2091292
Fix typo in checking mlm status by adding missing
eLIM_MLM_WT_DEL_BSS_RSP_STATE state check in
__lim_process_sme_disassoc_cnf() function.
Change-Id: Id2acde09023ba117e1d938035db9e9a0d7b303b3
CRs-Fixed: 2232883
For LFR2.0 roaming policy, firmware will indicate roam event with
WMI_ROAM_REASON_SUITABLE_AP reason even ROAM_SCAN_OFFLOAD_STOP cmd
set with WMI_ROAM_SCAN_MODE_ROAMOFFLOAD, it doesn't obey LFR2.0
roaming policy design. Root cause is firmware only disable roam
scan with ROAM_SCAN_OFFLOAD_STOP cmd which must set scan mode with
WMI_ROAM_SCAN_MODE_NONE.
Fix is to always set scan mode with WMI_ROAM_SCAN_MODE_NONE for
LFR2.0 when host send ROAM_SCAN_OFFLOAD_STOP cmd.
Change-Id: Id5e8325f2767023daacd3dbd4104ce768de3857d
CRs-Fixed: 2228315
When Pre-Auth is failed, it will go to ROAM_SCAN_OFFLOAD_START
or ROAM_SCAN_OFFLOAD_RESTART process, it always uses zero as
session_id param for csr_roam_offload_scan, it's wrong, session_id
should be variable value.
Fix is to use variable session_id param for csr_roam_offload_scan.
Change-Id: Iaf5f234dc73001440aaf02d7931c7891903f9148
CRs-Fixed: 2239812
DPT_DEBUGFS_PERMS macro has been defined inside
ifdef QCA_SUPPORT_TXRX_LOCAL_PEER_ID. Since this can cause problems
when the above config is not set, defining it outside.
Change-Id: Ibf02f692ddaf0b5de17d647cce27a6e093f7b7df
CRs-Fixed: 2238106
Association request initiated by the host contains
the RSN capabilities which contains both the flags
of PMF, i.e PMF required and PMF capable. The DUT
may connect to a non PMF AP or only a PMF capable AP,
if the DUT is PMK capable and not PMF required,
but connection to a non PMF AP isnt allowed
if the DUT is configured as PMF required.
In the Association request, the DUT advertises its
RSN capabilities, and accrding to them, the connection
(PMF/non PMF) happens. But these capabilities arent
sent to the firmware, so while roaming, the DUT may
connect to a non-PMF AP, as in the re-assoc request
the DUT would still advertise PMF-REQUIRED as false,
which would be violation of protocol.
Fix is to send these RSN capabilities to the
firmware as part of roam scan offload params,
to have firmware save the configuration, and
send the RE-assoc request with PMF required as
true, if the DUT supports PMF required.
Change-Id: Iff58f7ba3b2fee7a834bd625225bbb3d62f33557
CRs-Fixed: 2234977
While SSR happen, hdd_reset_all_adapters will not clear
mac_ctx->sap.sapCtxList[sapctx->sessionId].pSapContext, and later the
sapctx will assign new sessionId after SSR restart SAP and update to
mac_ctx->sap.sapCtxList. So sapctx/old sessionId still can be
referenced by like wlan_sap_is_pre_cac_active and call pre cac cleanup
on unexpected port.
When SAP restart and set global sapCtxList in sap_set_session_param(),
find matched sapctx and clear it before assigning updated value.
Change-Id: Id02733cb22267ac0c1899d8caf9ac47c65e24a88
CRs-Fixed: 2232398
Vdev ref count is incremented in wma_state_info_dump
and not decremented before return. This results in
vdev not deleted physically as part of wlan0 hdd_stop.
On hdd_open, a new vdev is created for wlan0 with same
mac addr as the previous wlan0 vdev. In scan, API to
get vdev by mac addr will return NULL since the first
wlan0 vdev is not physically deleted and not removed from
vdev list.
Fix is to decrement vdev ref count in wma_state_info_dump.
Change-Id: I67c90a721643f5bb7c6e212846f6d398055a6672
CRs-Fixed: 2233997
In find_ie_defn function, if the current IE is an Ext IE with EID=255,
the third byte of the IE is accessed to get the extn_eid. However, if
the actual buffer length is less than 3, then an OOB read would occur
while trying to access extn_eid.
Add check to access pbuf + 2 for extn_eid only if nbuf is greater than 2.
Change-Id: Id9708176affe35a85eb21a07901ae8ed62b78b9e
CRs-Fixed: 2237141
Add Null pointer check for packet buffer before dereference
it in lim_send_addba_response_frame() API.
Change-Id: I46c637b7534fe200ec586b07e34d9a4baee5ac7e
CRs-Fixed: 2232740
'wma' pointer is initialized using the return value of
cds_get_context;This function can return NULL value.
Check for NULL pointer before dereferencing the 'wma'.
Change-Id: I529a34fba91f19bdd6c62d14e97cfabb476cdf7f
CRs-Fixed: 2239647
Currently in pe_handle_mgmt_frame, all management frames are posted
into the PE message queue. The beacon and probe response frames are
filtered before posting into the PE message queue, however the PE
message queue can still be flooded with probe request frames.
Post probe request frames via SCAN queue with the appropriate
callback function.
Change-Id: Ie29ad9602d3389af467b8f893624b86265a44421
CRs-Fixed: 2238190
Remove duplicate structs wmi_dual_mac_config and sir_dual_mac_config
and use policy_mgr_dual_mac_config.
Change-Id: I6da6539f519ec46ee274ba3f3ae042e5fd9c25d2
CRs-Fixed: 2190993
Use correct size to mem zero tCsrRoamConnectedProfile
In csr_roam_save_ndi_connected_info() function.
Change-Id: I54d2bef0bd9202971dff47f9b25d43ff40258630
CRs-Fixed: 2232891
The IOCTL handler mapping code for QCSAP_SET_FW_PROFILE_HIST_INTVL
mistakenly falls through to the next switch case. Add a break to prevent
executing two IOCTL callbacks for QCSAP_SET_FW_PROFILE_HIST_INTVL.
Change-Id: I6b0a17b87c22d1d2be3697456608e8ebe704afed
CRs-Fixed: 2232911
Currently wlan_hdd_cfg80211_register_frames falls through to error
handling at the end of the success path. Return success instead.
Change-Id: I28eda918d3d5858cc42ef3958abe918b9ed788e9
CRs-Fixed: 2240003
Apparently netbufs_ring is initialized only when reordering is not fully
offloaded. When a message of type HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND
is sent, the driver does not check if reordering is offloaded.
Add a check, if reordering is offloaded, when a message of type
HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND is sent.
Change-Id: I303b52182d97aa8185c23ccd99c37a97fb75a3d2
CRs-Fixed: 2213216
In the API lim_send_assoc_req_mgmt_frame, the host
allocates memory for the assoc request packet
taking all inputs of payload and the mac header
size etc, and in case the mem allocation fails
it clears away the memory allocated to the packet
with cds packet free, which was not even allocated
Fix is to remove the packet free in case of memory not
allocated
Change-Id: I3fb75b1947dfe039605c42aa19c2d0bacc7bf55d
CRs-Fixed: 2216741
If DBS opportunistic timer is still running while starting new SAP on
some DFS channel when STA is already present on some 2.4Ghz channel,
wrong hw mode will be set when timer expires as concurrency will only
be updated when VDEV_UP happens which will happen after at least 60
seconds in case of DFS channel. So, while starting SAP, hw mode was set
to DBS mode but on DBS opportunistic timer expiration, as VDEV_UP doesn't
happen yet, concurrency has not been updated till now causing hw mode to
reset to SINGLE_MAC resulting in DFS MCC which is not allowed.
Stop DBS opportunistic timer if running while starting new SAP to avoid
hw mode reset.
Change-Id: I9cef0ab5f6208e1822aff4a68c442d61a3f8a20e
CRs-Fixed: 2222386
Use get_wmi_unified_hdl_from_psoc instead of GET_WMI_HDL_FROM_PSOC due
to incompatible return types.
Solve renaming dependencies with common side changes.
Change-Id: Ie84641327d64876877c7d26b63d632c79770a88c
CRs-Fixed: 2203055
In the function convert_wsc_opaque, driver does copy of the
new parameters present in the additional IEs of the upstream
assoc request frame. While copy of the IE length pOld->length to
curAddIELen, possible integer truncation could occur, as the
curAddIELen is of the type uint8_t whereas pOld->length is of
type uint16_t.
Change the data type of curAddIELen to uint16_t. Make changes in
convert_p2p_opaque and convert_wfd_opaque as well.
Change-Id: Ic26660fca4a02a265bfc9553b066c7ee42f1d1f4
CRs-Fixed: 2231770
The skb buffer is freed after the ealier sanity and then pass along
to connectivity stats tracking. Rearragne the stats tracking into the
scope of the skb sanity to assure the skb poitner is valid before
accessing it and set to NULL after free to make sure it is cleared.
Change-Id: I08106bced48fa8f23955fd261c679a5362ddd7a6
CRs-fixed: 2232362
WLAN wake lock is created during module init but if probe
did not come from platform driver because of Q6 root/user
pd not coming up then during driver unload WLAN wake lock
is not destroyed which is leading to kernel panic because
WLAN driver is unloaded without cleaning up the wake up
source. Add fix to make sure to do hdd_deinit, pld_deinit
dispatcher_deinit and wlan wake up source deinit even if
hdd context is null because if probe did not happen from
platfrom driver then hdd_ctx will be null.
Change-Id: I213bded171b1c69da3332e84ebb0f7cbd940ef44
CRs-Fixed: 2240186
In the function drv_cmd_set_mc_rate, the variable targetRate, used to
store the value parsed from the command from user space, is not
initialized. The variable is assigned value inside a kernel API
kstrtouint that converts the string to an unsigned int. In a certain
case if the kernel API fails, it returns an error code without assigning
any value to the passed parameter. In this scenario, the variable
targetRate, still uninitialized is passed on to function
wlan_hdd_set_mc_rate where it is logged using hdd_debug. As the flow
goes on, it is then again logged using WMA_LOGE(). This might lead to
potential information leak.
Initialize the variable to zero to prevent the mentioned scenario.
Change-Id: Ideec0b1930e994f19ae8a669cd2963db4016eae1
CRs-Fixed: 2226172
In __iw_set_packet_filter_params(), a user controlled length value,
priv_data.length, is used to allocated a buffer. This buffer is then
cast to a struct pointer of struct pkt_filter_cfg type without ensuring
the buffer is large enough to hold the struct. This can lead to a buffer
overread if the user supplied size is smaller than the actual size of the
struct.
Add a sanity check on priv_data.length to ensure that the size is large
enough to hold the struct.
Change-Id: I227856484d4bd7a9b0a16a42e26febbc799f80b5
CRs-Fixed: 2228725
Presently, fw_crash_timeout is disabled as a result of which if
timeout happens for any VDEV related WMI command and device goes
in bad state, no assert or recovery is getting triggered. Due to
this, device crashes at some later point of time at some random
location making debugging difficult.
Enable fw_crash_timeout and trigger recovery if recovery is enabled
otherwise assert.
Change-Id: I9e9e51cba8086bd181be28884c490f0bd77663a8
CRs-Fixed: 2229101
In function update_fils_data, fils_indication->num_variable_data
is the actual length of the data present in the array variable_data.
While accessing variable_data array to copy cache identifier, HESSID
and realm identifiers, the length of the array is not checked and
could lead to OOB access.
Add check to validate remaining data length in variable_data array
before accessing it to copy various fields.
Change-Id: Ifc1f5d55964bcd7fdcc2676ea9c2afede0fe6803
CRs-Fixed: 2231767
As a result of P2P componentization a variety of P2P-related macros
are no longer used, so remove them.
Change-Id: I693c4f11575968ce0aae9f3ecac9e008b0dbf5b9
CRs-Fixed: 2237726
Replace typos "sucess" and "sucessful" with correct spellings
"success" and "successful"
Change-Id: I30746cbab4533da9b052261fa9bb87214188138b
CRs-Fixed: 2237724
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename fConnected to align with the Coding
Style.
Change-Id: I5987e3c31aed44448a1f1843d8931daa7dfeb0fe
CRs-Fixed: 2237723
Rename typedef tsap_Config_t and the underlying struct sap_Config to
align with the Linux coding standard.
Change-Id: I6e8f8b5ab9555c7781f1acf12a0475902866300c
CRs-Fixed: 2237721
The following structs are obsolete so remove them:
- struct sQcSapreq_wpaie
- struct sQcSapreq_wscie
Change-Id: Ie9fdba59cf31e9a2c5e468183c1328aee439709a
CRs-Fixed: 2237720
qcacld-2.0 to qcacld-3.0 propagation
Beacon does not show RSN IE after disabling/enabling SAP, hence
stations does not connect back while trying to associate in WPA.
While re-enable SAP from the hostapd_cli, the start_bss is called
twice, first from wps_init which does not populate RSNIE and secondly,
through bss_setup which has RSNIE but getting ignored as the BSS is
already started.
Added the RSN IE in case of BSS already started
Change-Id: I2a67156e66e255e7c007a5925cd81b859009114e
CRs-Fixed: 2144429
Add /* fallthrough */ comment in __lim_process_sme_deauth_req
as per linux checkpatch script while processing deauth req for
limSmeState 'eLIM_SME_LINK_EST_STATE'.
Change-Id: I38e0520aaec96e2ba35c916b39e79724c453632f
CRs-Fixed: 2233183
wlan_objmgr_get_vdev_by_macaddr_from_psoc and wlan_objmgr_get_peer
API's definitions have been changed to include pdev_id as an
argument.
Modify the callers of these APIs to include pdev_id as argument.
Change-Id: I3d0de6a0bc1dfefbe1b3cad51ec23f703baaf3ad
CRs-Fixed: 2210728
In hdd_send_association_event() and hdd_send_re_assoc_event(), there is
no check of pBssDesc against NULL which can lead to NULL pointer exception.
Circumvent this issue by adding NULL check.
Change-Id: Ic3a0142b4ea3f058e8d3993fb491d418ddb8f70d
CRs-Fixed: 2232721
Takecare to disable TCP delack internally if GRO is enabled.
This is required as enabling both will have adverse effect with
smaller window size and noisy scenario.
Change-Id: If91236620d87287c9b71901e9d8e3d176eebc648
CRs-Fixed: 2172652
Change I8e1b62cd9586f5b2be7acb863a106d2486be1b35 used unassigned
member dp_handle of wlan_objmgr_psoc, that causing failure on DP.
Assign dp_handle properly to avoid it.
CRs-Fixed: 2237072
Change-Id: If230b8a24f5ac9d26ac27f89779c7669cdee5455
Add /* fallthrough */ comment in sme_qos_add_ts_failure_fnp
as per linux checkpatch script in case of reason
SME_QOS_REASON_REQ_SUCCESS of flow request.
Change-Id: I6ea942e53cd6f0828dbe55cfdd77ecf75cf1cdbb
CRs-Fixed: 2233176
wma_is_service_enabled can't get valid service bitmap if call in
hdd_update_pmo_config, use psoc_ctx->caps.unified_wow instead to check
pattern id per vdev and legacy d0 wow capability.
Change-Id: If7bf316f482c49253fc4b95b94e172727b27ffd1
CRs-Fixed: 2225847
When do re-association, there is obsolete data exists in policy manager
until hdd_association_completion_handler updates the active session.
If check sap restart before this, will access the wrong data.
Change-Id: Ie62f86a5d523e70b6bb81b500bd358b63ae90ea8
CRs-Fixed: 2231675
In the API wma_process_pdev_hw_mode_trans_ind
the host doesnt check the upper limit of
num_vdev_mac_entries received from the firmware,
and fills the same to the host structure
hw_mode_trans_ind, which may cause OOB write.
Fix is to check for the max vdev supported in the
same API and return if the condition is false.
Change-Id: I54a9e12f777b87b49057d6c97c06ab71b9ad1d77
CRs-Fixed: 2221965
To avoid out-of-bounds access of mem_map_table from htt_rx_hash_deinit
, allocate mem_map_table size the same as maximum number of hash
entries, which is RX_NUM_HASH_BUCKETS * RX_ENTRIES_SIZE.
Change-Id: If25f97b47350196ceb2e8c60e7d5430a1484a01d
CRs-Fixed: 2214158
NAPI APIs in HDD are platform specific. So make these API's
conditionally compiled.
Change-Id: Id87c11da13f096d4f9ff735bbd98dcea23d52310
CRs-Fixed: 2235978
Initialize packet filter clear rule on stack properly to avoid
using un-initialized member variables.
Change-Id: I03b129e7660ed761b03ac163fdb3e7eee58ec034
CRs-Fixed: 2119208
In the function wma_set_epno_network_list,
req->networks[i].ssid.ssId is copied into the destination
params->networks[i].ssid.mac_ssid. But the ssid length is not
considered while copying and WMI_MAC_MAX_SSID_LENGTH is used as
the length for copying. This might result in possible buffer
overread if the ssid length is not WMI_MAC_MAX_SSID_LENGTH.
Similar issue is seen in wma_pno_start also.
Use pno->aNetworks[i].ssId.length as the size to mem copy the
ssid to the destination ssid buffer.
Change-Id: Id3f579da97e398663b7d583f5f46d4671eabeae3
CRs-Fixed: 2233682
GRO aggregations are hanging out of NAPI instance and We cannot use the
hif NAPI instance in Rx thread as gro_list inside NAPI is flushed out
at the start and end of NAPI poll, this will corrupt the gro_list on
which rx_thread is working. Address this concern by creating dummy
NAPI instances mapping to each hif NAPI and not scheduling them.
Change-Id: I6e1de57a669c56206a7863e86c3840bd0a9eabc1
CRs-Fixed: 2128450
Currently api hdd_wmm_free_context free the hdd_wmm context and
this api is getting invoked from several places without disabling
the inactivity timer.
Since the timer is not disabled, when hdd_wmm_inactivity_timer_cb
is invoked it tries to access the hdd_wmm context which is already
freed and the memory is reallocated to someone else resulting to
undefined behaviour.
To address this issue, disable hdd_wmm_inactivity timer before
calling hdd_wmm_free_context function and add a check for
hdd_wmm context in hdd_wmm_inactivity_timer_cb, if hdd_wmm context
is NULL don't proceed further and return.
Change-Id: Ib085c70b3e5a57b5cd494bc2cd21edd0580c16c4
CRs-Fixed: 2233987
During cfg80211 suspend there are couple of redundant log messages
which are logged on console. Change the log level to debug to avoid
logging them on console.
Change-Id: Id45cc261ec7c2c1397afa746216b090fc5d34d7a
CRs-Fixed: 2235798
Add pointer validation check for variable 'additional_ie' in
lim_send_probe_req_mgmt_frame() API before derefernce it.
Change-Id: I83f24b0707b129445b3b6bcdb84a5572aa4f0ccd
CRs-Fixed: 2232743
Add a check against for NULL pointer before accessing roam_info
object pointer.
Change-Id: Id03a47761fa9624ddf76305f110f1f83bcb0a7cd
CRs-Fixed: 2232419
Currently lim_create_fils_auth_data calls lim_create_fils_wrapper_data
to calculate length of the created wrapped data and stores it in an
unsigned variable wrapped_data_len. But return type of
lim_create_fils_wrapper_data is int so it could return negative value.
Less-than-zero comparison present in lim_create_fils_auth_data of an
unsigned value is never true, as unsigned value can never be less than 0.
Results lim_create_fils_auth_data returns improper 'fils auth data' which
used to be send in auth req.
To make 'less-than-zero comparison' effective in lim_create_fils_auth_data
change type of wrapped_data_len from unsigned int to signed int.
Change-Id: I66d872b76b2039179e3f3dd0ccbb6c135174e354
CRs-Fixed: 2233113
Add /* fallthrough */ comment in sme_qos_add_ts_success_fnp
as per linux checkpatch script in case of reason
SME_QOS_REASON_REQ_SUCCESS of flow request.
Change-Id: I6285ccdc74e5c19fb9bbb8a1b9e0dec5e54edc6e
CRs-Fixed: 2233179
In case of STA + SAP, when STA connect to a new AP, the SAP
initiate channel switch to the new channel of the STA. During
this transition period DUT will be in MCC scenario and thus
firmware changes the TBTT of SAP to get 50% channel time.
Due to this peer STA connected to DUT-SAP may miss all 5
beacons containing CSA info and when it comes out of hw-dtim
mode after 5 beacon misses the DUT SAP has already moved to
new channel and thus as SAP is not on the old channel the peer
STA will receive Heart beat failure.
To avoid this Heart beat failure on peer STA, increases the
default value of channel switch count (g_sap_chanswitch_beacon_cnt)
to 10 to increase the probability of receiving beacons with
CSA info.
Change-Id: I2e5182c299f2a100c9919ffc123aa6b1290324f9
CRs-Fixed: 2227704
Fix NPD in function lim_create_fils_wrapper_data, by moving the check
against NULL pointer before the access.
Change-Id: I00c6c4df0ff94ffdfe77a8a563b1747c29906b2f
CRs-Fixed: 2232734
cdp_get_pn_info() would output wild pointers and cause NULL
pointer reference in wma_is_ccmp_pn_replay_attack().
Add pointer check in wma_is_ccmp_pn_replay_attack().
CRs-Fixed: 2232554
Change-Id: Ic2e5487468aaced91d6567005bbe66a7c065f088
