In file sme_ft_api.c, function sme_set_ft_ies(),
the ft_ies_length is user-controlled so there is
a possibility of integer overflow.
Add sanity check to avoid integer overflow.
Change-Id: Idab80abeca35397be7ec13ca81c7ccb8be8ef256
CRs-Fixed: 2100965
Currently, the MC thread is started once, on the transition from the
uninitialized to the open driver state, and is stopped only during
unload or recovery. Instead, start the MC thread on the transition from
closed to open and stop the MC thread on the transition from open to
closed driver states.
Change-Id: I2b45f95afb99b79f2515275776fe11c9e97bc150
CRs-Fixed: 2113596
The current check for peer_num in wma_get_ll_stats_ext_buf is
incorrect and subtracts total_peer_len from WMI_SVC_MSG_MAX_SIZE
and then divides it by the size of peer stats struct.
Fix the check in such a way that peer num is not greater than
WMI_SVC_MSG_MAX_SIZE divided by the sum of total_peer_len
and size of peer stats struct.
Change-Id: Idd21852052b14e9b30785f2ac4acbd172dd923ef
CRs-Fixed: 2143891
In set default key operation module, under SAP mode, there are
conditional checks on key type information derived from the
Station's context. Also in get/add key operations SAP or STA
context pointers are derived without knowing the device mode
first, which is incorrect.
Derive key type info from SAP context in set default key and
derive station or sap context pointers only after knowing the
device mode.
Change-Id: I09b0e6f8d6315677e7584c7c24f003daa3eca9a3
CRs-Fixed: 2127288
NULL check is not required as a check is already present in the caller
API sme_process_command.
Change-Id: I7d1d6253d77faf427b7fd231dce7d1c8eac9538a
CRs-Fixed: 2139896
In file lim_api.c, function pe_handle_mgmt_frame(),
limit the error log "Failed to fill cds packet from
event buffer".
Add log rate limit to avoid over-logging.
Change-Id: I8ea1a485db861f6c40b46aaba107ae4ea1552e21
CRs-Fixed: 2138713
htt_tx_mutex, NBUF_QUEUE_MUTEX and HTT credit_mutex should all be
initialized before the related message handlers are connected to
their corresponding services, or there will be race conditions
during WLAN driver initialization which will cause
the Linux kernel to complain about bad magic of spin locks and
trigger a watchdog bite.
Change-Id: Id89185d811bcbed95732f142ed6fd611e0d6e2a4
CRs-Fixed: 2109674
Firmware sends beacon/probe response, reassoc request and
reassoc response using new event WMI_ROAM_SYNCH_FRAME_EVENTID
when the data that it wants to send via WMI_ROAM_SYNCH_EVENTID
exceeds max length 2k in firmware. Add changes to handle
WMI_ROAM_SYNCH_FRAME_EVENTID in such a scenario.
Change-Id: I2c0821f3547b4ee86cd6860a150a5a7991947abb
CRs-Fixed: 2122429
Android framework decides when to put the driver in power
save state. When it disables powersave, the driver starts
a timer to re-enter power save, which is not required.
Fix this by not starting the auto ps timer for the power save
disable case. Framework sends disable power save in
disconnected state and the driver returns an error. Due to
this, firmware power state is still in BMPS and it
re-enables power save immediately after connection,
and this causes a power state mismatch between framework
and driver/firmware. Fix is to handle full power
request in disconnected state and send this full power
request to firmware as it can handle it.
Change-Id: Ib17c898b8288de31c424896acbfe89216e59ff49
CRs-Fixed: 2143017
Identify all the places where memory is not free'd in
case of WMA delete STA request and free it.
Change-Id: I97db2595d0b1d96bcbf97a28e9e1345504b30239
CRs-Fixed: 2133514
csr_scan_save_bss_description allocates pCsrBssDescription, which
is used to update the scan entry in the scan module, and after the
update is done pCsrBssDescription is not freed.
Fix this by freeing pCsrBssDescription once entry is updated in
scan module.
Change-Id: I07f9bbea8fbf5b700203b03d8fd19a0871ea2881
CRs-Fixed: 2137082
Stop bss request is dropped during the
channel change request and it is causing
IPA disconnect event not to be sent to IPA
module.
Process stop bss during channel change
request so that IPA disconnect is sent
to IPA module.
Change-Id: I41bb3c0d5ba9f9e9b3a655b67d126ee34c777f4d
CRs-Fixed: 2134143
Currently, only the Change-Id for HEAD is included in the build tag.
This can be problematic for builds which include hotfixes
(cherry-picks). Include the Change-Ids of every cherry-pick commit since
the last non-cherry-pick commit. This allows developers to quickly
identify the checkout point used to make the build, as well as any
hotfixes applied.
Change-Id: Ibe6259c2e0b46c820e0f1d73a12383e01c10abb8
CRs-Fixed: 2143443
Currently runtime PM lock for adapter is not freed in error cases
of hdd_open_adapter(), which will result in a memory leak. Free it correctly
in the function for failure cases.
Change-Id: Ie325de8b2789c461d139dbea9001cbb0504bc024
CRs-fixed: 2142668
Remove the legacy function proc_set_req_internal which
is used as a handler for messages of type
WNI_CFG_SET_REQ or WNI_CFG_SET_REQ_NO_RSP.
Change-Id: If294329954f18c3890d977e7e9d4499b57ceba89
CRs-Fixed: 2140634
Add check for fils_config_info->key_nai_len to not exceed
FILS_MAX_KEYNAME_NAI_LENGTH. If it exceeds this length
then it causes an out-of-bounds memory read issue for array keyname_nai.
Change-Id: I9ea6386e91e5eaea6a14bb2d13f0e030072b1262
CRs-Fixed: 2139906
In the case when Load Driver and MODEM SSR are triggered at the same time,
the handling by wlan_hdd_purge_notifier led to a page fault crash
as the waitlist of the mutex was empty.
Moved the initialization of iface_change_lock to reduce the probability
of the crash.
Change-Id: I069fcf3fa8a9443daa9d36518bceb9e575b57eb6
CRs-fixed: 2124520i
The RSSI value of the candidate AP should be higher than rssi_abs_thresh
to roam to the AP. 0 means no absolute minimum RSSI is required.
The value sent to the firmware is the offset from the noise floor in dB.
Change-Id: Ic956a184ac9a241e310b5d46ee6c70b9d1962446
CRs-Fixed: 2118279
In order to assist in debugging efforts, include both CLD and CMN change
Ids in a build tag. Include the build tag as a part of the driver
version string.
Change-Id: I66d159a1594f71fdf33f3e4b4e6be4840d7e140a
CRs-Fixed: 2142704
Remove IPA_OFFLOAD feature flag from hdd_ipa header file inclusion.
This will use stub functions when the IPA feature is disabled.
Change-Id: I105f637922eecda07c2d4500e004df337e37f87e
CRs-fixed: 2141143
To abstract kernel header inclusion, create new QDF APIs for all IPA
APIs and redirect all IPA API calls through QDF interfaces.
Change-Id: I7bff975ad7cb32fc128320c124633594471e0a1f
CRs-Fixed: 2098903
IOCTL "WE_TDLS_CONFIG_PARAMS" is no longer used, and the code
related to the IOCTL can be removed.
Remove IOCTL "WE_TDLS_CONFIG_PARAMS" in the host driver.
Change-Id: I5c873b9571228f0d2b4fcd4782267a2cc40fc20a
CRs-Fixed: 2120491
Add ini support to enable/disable WIFI data stall
detection feature. By default the gEnableDataStallDetection
ini is set to 0.
CRs-Fixed: 2124762
Change-Id: I2d9cd3fe0092aeb29c37cded2e5245c9f816ec08
Currently, the FILS feature is enabled with ini parameter
[is_fils_enabled] at init time. This change adds support
to enable/disable FILS from a vendor command.
Change-Id: I0c84d777a6259c96233a4777f184ddf6f7bc58af
CRs-Fixed: 2121214
In function csr_update_fils_params_rso, fils_info->key_nai_length
is used to calculate username_length and then subsequently to
calculate realm_len. If the value of key_nai_length received from
the framework is 0, the value of username_length would also be 0
thereby making realm_len as -1. However since realm_len is uint32,
the int value would underflow to a very large value leading to crash
at qdf_mem_copy.
Add sanity check to return if the value of key_nai_length is 0
or if the pointer to keyname_nai is NULL.
Change-Id: I9bfaa8f3be608bd90a0cd818be6627c9f12217c8
CRs-Fixed: 2141458
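Added example, not code from the driver or from these commits: a simplified C model of the length arithmetic behind the two FILS fixes above (the key_nai_len upper bound and the key_nai_length zero check). The '@'-based username split, the value given to FILS_MAX_KEYNAME_NAI_LENGTH, and the names realm_len_unchecked, split_nai and struct nai_parts are assumptions made for illustration; rejecting a NAI without '@' goes beyond what the commits state.

```c
#include <stdint.h>

/* Assumed value for this example; the driver defines its own constant. */
#define FILS_MAX_KEYNAME_NAI_LENGTH 253

struct nai_parts {
    uint32_t username_len;
    uint32_t realm_len;
};

/* Unchecked arithmetic as the commit message describes it: with
 * key_nai_len == 0 the username length is 0 and realm_len wraps. */
static uint32_t realm_len_unchecked(const uint8_t *nai, uint32_t key_nai_len)
{
    uint32_t username_len = 0;

    while (username_len < key_nai_len && nai[username_len] != '@')
        username_len++;
    return key_nai_len - username_len - 1;   /* 0 - 0 - 1 == UINT32_MAX */
}

/* Checked split: returns 0 on success, -1 if the input is rejected. */
static int split_nai(const uint8_t *nai, uint32_t key_nai_len,
                     struct nai_parts *out)
{
    uint32_t i = 0;

    if (!nai || !out || key_nai_len == 0 ||
        key_nai_len > FILS_MAX_KEYNAME_NAI_LENGTH)
        return -1;
    while (i < key_nai_len && nai[i] != '@')
        i++;
    if (i == key_nai_len)          /* no '@': the subtraction would wrap too */
        return -1;
    out->username_len = i;
    out->realm_len = key_nai_len - i - 1;
    return 0;
}

int main(void)
{
    static const uint8_t nai[] = "user@example.org";   /* constructed sample */
    struct nai_parts p;
    int ok = split_nai(nai, sizeof(nai) - 1, &p) == 0 &&
             p.username_len == 4 && p.realm_len == 11 &&
             split_nai(nai, 0, &p) == -1 &&
             realm_len_unchecked(nai, 0) == UINT32_MAX;
    return ok ? 0 : 1;
}
```

The wrapped value is what would reach the copy as its length argument, which is why the checks have to run before any subtraction on the attacker-supplied length.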
Add support changes to fix compilation failure due to change in
scan req structure due to wide band scan changes in scan module.
Change-Id: I9ae1584fa3289fd97c5adf8708db731ae91848ab
CRs-Fixed: 2137835
The gerrit which separates TcpDelAck and TcpAdvWinScale introduces
a regression issue: API hdd_send_wlan_tp_ind will send
useless info to the upper layer.
Need to set the flag and rx_level members properly in the indication.
CRs-Fixed: 2141612
Change-Id: I85082e2513f843edaec8365e0abddf572112c535