Host driver drops incoming HDD IPA events during unloading prcess,
when IPA pipe unloading timeout occurs, and IPA offload state could
be mismatch between host driver and FW.
Fix by setting unloading complete before IPA pipe disable and putting
events into pending event queue for unloading timeout case as well.
Change-Id: If44caa07f328bf3ac2d2fc02aafb796176114678
CRs-Fixed: 2152490
qcacld-2.0 to qcacld-3.0 propagation
The return value validation is missing for dot11fUnpackIeRSN, thus
"dot11f_ie_rsn.pmkid_count" could be larger than 4. When it is larger
than 4 there will be a buffer over-read in vos_mem_compare. Add status
check of dot11fUnpackIeRSN in lim_process_fils_auth_frame2.
Change-Id: If563ddb13bbfcad5660d136c35c39846010594e1
CRs-Fixed: 2147955
Linux convention is to embed a list node in a structure that is meant to
be a member of a list. However, hdd_adapter_list_node_t is created to
contain both the list node and the list item itself. Remove
hdd_adapter_list_node_t and embed the list node directly into
hdd_adapter instead.
Change-Id: I62888a0212d88aa212fee34b886e3d8a4875e0c7
CRs-Fixed: 2159309
sme_stop and mac_stop are accessing share data structures which
create a race condition when it is called from rmmod context.
Change context of sme_stop and mac_stop from rmmod thread to
mc thread.
Change-Id: Ie30f99d6b0c2f7c6cf20371dd66323d156360474
CRs-Fixed: 2148771
Enable WIFI_FEATURE_CONFIG_NDO caps in __wlan_hdd_cfg80211_get_features
to help in VTS test case passing.
Change-Id: Iea56e53add127dc79a959f26e5f512662ed304cb
CRs-Fixed: 2155700
In function get_container_ies_len, nBuf is passed from caller function
as length of the buffer remaining in the frame. len is calculated from
the length field present in the IE. Then find_ie_defn is called with
nBuf + len as buffer length available leading to potential OOB read
in the function find_ie_defn.
Also in function get_container_ies_len, if len is greater than nBuf,
OOB read would occur in the caller function unpack_core.
In function unpack_core, len is calculated from the length field in
the IE buffer, then the IE is parsed in one of the unpack functions
where len is decremented without any check for min value of len.
If the value of len obtained from the IE buffer is less than the
minSize of the IE, then an integer underflow would occur.
1. In function get_container_ies_len, change calling of find_ie_defn
to use nbuf - len.
2. In function get_container_ies_len, if len > nbuf, return error.
3. In function unpack_core, add sanity check to make sure len is not
less thatn IE's minSize.
Change-Id: I8e42fb7e9674845d152d2ec26a592e02a1b562ab
CRs-Fixed: 2153003
While sending probe response template down to firmware, driver
populates some items in data-structure which is not getting used.
Remove those unused items and send only what is needed.
CRs-Fixed: 2148056
Change-Id: I1878f523f0f88c354854dfdb75e60e66c4ecb0e8
Add a SSID length validation check before
copying the SSID field to scan request
structure from connect profile.
Change-Id: Ic6297a28f8852db2e5d22c5c7d5b8eab7b76dbfd
CRs-Fixed: 2145706
Initialize message local variable on stack in SME get peer info request
API before posting message via scheduler API.
Change-Id: I4471f3c3eacaacfb8e9145e61dd4eb33b921936f
CRs-Fixed: 2158564
Avoid bit addressing for HE Caps and HE Ops, and use structures
to access fields within HE Caps and HE Ops.
Change-Id: I1afa1926d1f4c7da5446870a7ad3121c06762f98
CRs-Fixed: 2145511
Conditional check to avoid add of same softap interface again
during SSR in __wlan_hdd_add_virtual_intf() is causing
regression (Ic3cd1eebb23482e9cebf04683533face178698b4) and
not allowing to add more than one softap interface.
To fix, add check for newly requested softap interface name with
previously registered softap interfaces and add if name is different
else return the existing one.
Change-Id: I103bd577db5c38e53b1ef12278a856a39790f8f7
CRs-Fixed: 2155854
MC addr list is a ndo operation can be invoked by the kernel even
if the driver modules are closed which can result in accessing from
freed variables.
Reject the set/reset mc addr list when the modules are closed.
Change-Id: Ief83e18e6f8e431c7d68377f803ac602178f8913
CRs-Fixed: 2153099
TDLS peer delete function is not validating the return
status from PE, and it causes unpredictable errors.
Verify the return status and take the corresponding
action for the error cases.
Change-Id: I55c77842560917ca766fbfcbf26762d745a1d5e5
CRs-Fixed: 2144268
In addition to any other resource leak checks being done at runtime,
check for any leaked MC Timers as well.
Change-Id: Ic576eed3cf9b19824db6864a6b7b0466a6f03ea9
CRs-Fixed: 2125799
Add debugs to dump all the Vendor IEs of tag type 221 to identify
the IEs sent in the AP's beacons/probe response without need to sniffer.
Change-Id: I1896adc12b49a54e4cf39794e802c04f7ad22080
CRs-Fixed: 2156913
During frequent suspend/resume there is a possibility of csr scan timer
and hdd scan timer are racing eaching other. Increase the hdd scan timer
value to double of the csr scan timer value to reduce the race allowing
hdd to abort the scan incase of timeout.
Change-Id: I03995498df692dc92dc87e8ef1fc8fd316965df0
CRs-Fixed: 2151994
In function wlan_hdd_cfg80211_set_ie, RSN IE is parsed and copied
into the buffer for length eLen + 2.
However, the buffer WPARSNIE is allocated only for
size. If eLen + 2 is greater than MAX_WPA_RSN_IE_LEN, a buffer overflow
would occur.
Add sanity check to make sure eLen does not exceed MAX_WPA_RSN_IE_LEN - 2.
Also increase the size of to 255 as per the spec
Change-Id: Ibf44e8dc1010e6e32b2262357d3aa180926d5c99
CRs-Fixed: 2154216
Change the existing cdp_peer_find_by_addr by calls to
cdp_peer_get_ref_by_addr and cdp_peer_release_ref. The new APIs
make sure that the peer is valid as long as the peer reference is not
released (call to cdp_peer_release_ref)
Change-Id: Ibde9944a9721e5dcf0f7838058c229539efae7e4
CRs-Fixed: 2139801
The existing peer API cdp_peer_find_by_add does not maintain any peer
references. So a peer which is returned by the API may get deleted in a
different context. This may lead to access to a already deleted memory.
Fix the issue by introducing new APIs "peer_get_ref" and
"peer_release_ref" which make sure the peer is valid until it is
"released" (peer_release_ref is called).
Change-Id: I60175ee1d67f01e3ee4b48cb655d1728d29d08f4
CRs-Fixed: 2139801
Memory leak is detected while processing the
measurement report request while another request
is under processing.
Pass an address of the pointer to the rrm beacon
request API to get the allocated memory address.
Change-Id: I83c44a6a7a4a8e1ce56e48b008e7d784cca1dc6d
CRs-Fixed: 2144031
In the monitor mode when the system is suspended
FW trying to send packet to host which is not allowed leading to this
system crash.
Acquire wakelock once the device enters monitor mode and block
the system from entering suspend.
Change-Id: I27ba2d43fd7b84bc1ae7e6046ab635065872b2d2
CRs-Fixed: 2130546
If mac_ctx->roam.configParam.qcn_ie_support is enabled driver adds
qcn ie in directed probe req, even if its already present in the
additional scan IEs. Thus in probe request two qcn ie are present.
To fix this add qcn ie only if roam.configParam.qcn_ie_support is set
and qcn ie is not present in the additional scan IE.
Change-Id: I4c7ea32dc06e5c62b4043dbd3794348f8185fd9b
CRs-Fixed: 2152795
Avoid using WMI HE Ops macro in lim and use dot11f struct for
HE Ops instead. Keep the tranlation to FW interpratation of
HE Ops in wma layer only.
Change-Id: Ie94795541aaddb7ae291ff451b938ebb96f74dbf
CRs-Fixed: 2145510
The host defines the iface ptr with :-
iface = &wma_handle->interfaces[key_params->vdev_id], at line 1588
and if the WLAN_FEATURE_11W, is not enabled , the host sets the
iface->is_waiting_for_key as false , without a NULL check of iface.
Fix is to add a NULL check for iface
Change-Id: I69ed8f881b678458d16f1f74e87e31959c04ec63
CRs-Fixed: 2156921
WLAN Latency module (WLM) is added by fw to gain latency
because of schedule out of service like power saving,
scanning, roaming etc. per the level set by framework.
Change-Id: Id4305e5e66dcce464447aff56296c7d027347ea2
CRs-Fixed: 2142391
For sns test in some scenarios when tx hits invalid peer state it will
print massive log so that it will lead to WD bark issue.
Move log level to lower info high from warn if tx hits invalid peer state.
Change-Id: I91d414e7203bf1e00094ca7b2fcebf80f4102082
CRs-Fixed: 2156472
Regpair for DM, DO, HN, JM, NA, PA, SN, XA are missing
which results in a crash.
Add regpair for country codes DM, DO, HN, JM, NA, PA, SN, XA.
Change-Id: I6d29f16a549121b9588d6fb68b78e14375e8eb8e
CRs-Fixed: 2154385
When a BSS is being started, the WLAN driver will abort all
scan requests, including the ACS scan initiated by the
secondary SAP, which will result in secondary SAP start
failure.
Use a different function to abort scans initiated by the
current session which is doing BSS starting so ACS scan
initiated by a second SAP will not be affected.
Change-Id: I442431e92e31cc8d3eb302ccca4249d0b4bedf82
CRs-Fixed: 2154230
