There is a chance that cumulative peer_id_ref_cnt of different
peers can exceed peer ref cnt. This can result in use after free
issue during peer unref delete in ol_txrx_peer_remove_obj_map_
entries. Add QDF_BUG to catch such case and avoid access of peer
after delete.
Change-Id: I5a3cecc6a20747fce2fbf36a5ae733c42a3bc88b
CRs-Fixed: 2206589
Check user configuration for HE Tx beamformee and beamformer
while updating the caps into global or session configuration.
Change-Id: Ie355a6f208499dd389117c02b8510094c8fd08fd
CRs-Fixed: 2241779
In lim_oper_chan_change_confirm_tx_complete_cnf, need free frame buf
alloced in lim_p2p_oper_chan_change_confirm_action_frame, or buffer is
leaked.
Change-Id: Ic479427282742fb4fbbe28ab1acdf91e0a511340
CRs-Fixed: 2238603
HE Tx beamforming config parameter setting fails due to incorrect
value range. Correct the HE Tx beamforming config parameter values
Change-Id: Idb0ada45417467122bd7473cca07d15cf54fd3cc
CRs-Fixed: 2244247
In hdd_get_class_a_statistics_cb api, context is actually
cookie and it can be NULL if this is the first request. on
class A stats request, when hdd_get_class_a_statistics_cb is
invoked with context as NULL, the NULL check in callback
will not update the latest stats result and will return.
Change-Id: I8c33a0e82d9915a4b3d76e695ceab7ecd9301b89
CRs-Fixed: 2244767
User sends driver a list of roaming scan channels to set through IOCTL
SETROAMSCANCHANNELS. The parameters include the number of elements in
the array, followed by channel array and then a NULL character. But
when driver loops through the channel array it doesn't have a NULL
check. An erroneous number of elements passed by user may cause buffer
overread.
Add a NULL check on channels passed in IOCTL SETROAMSCANCHANNELS.
Change-Id: I7342aa5cf8e5267b7ed06a4e35b1ed882fb97893
CRs-Fixed: 2227039
Fix tTxrateinfoflags as per linux coding guidelines, this will later
help move the struct to qcacmn.
Change-Id: I1911d25594aaecc7c166cf36b79111b61e6de457
CRs-Fixed: 2244834
While processing vendor command QCA_NL80211_VENDOR_SUBCMD_GET_WIFI_INFO,
respective handler wlan_hdd_cfg80211_get_wifi_info() is not allocating
memory for QCA_WLAN_VENDOR_ATTR_WIFI_INFO_RADIO_INDEX in event buffer
and trying to populate radio_index with nla_put_u32(). Buffer-overflow
is avoided with buffer length check in nla api but error is returned.
Return of error for valid user input is incorrect.
To fix this, add size of radio index in event buffer size calculation.
Change-Id: I39973814ae9b10466b9d5e3492a42b745a7f2a5e
CRs-Fixed: 2230298
Flow control resize implementaion as part of
Genoa enhancements to reduce total desc requirement
from 3600 to 2000.
Change-Id: Iee5d3ff08dcea13c11632cd29e6edba0dc3e979f
CRs-Fixed: 2223553
hdd_wlan_start_modules() currently takes an adapter parameter in order
to do management frame event deregistration. Instead, do management
frame event deregistration during adapter stop for symmetry with the
event registration. This allows us to remove the adapter parameter
completely from hdd_wlan_start_modules().
Change-Id: Ifb4619c80a129b8ef4e84c597dd98004d5cd713d
CRs-Fixed: 2240850
Address the following issues in the core/wma folder:
CHECK: 'accomodate' may be misspelled - perhaps 'accommodate'?
CHECK: 'acess' may be misspelled - perhaps 'access'?
CHECK: 'catagory' may be misspelled - perhaps 'category'?
CHECK: 'chnage' may be misspelled - perhaps 'change'?
CHECK: 'defintions' may be misspelled - perhaps 'definitions'?
CHECK: 'Intialize' may be misspelled - perhaps 'Initialize'?
CHECK: 'Intial' may be misspelled - perhaps 'Initial'?
CHECK: 'proces' may be misspelled - perhaps 'process'?
CHECK: 'progess' may be misspelled - perhaps 'progress'?
CHECK: 'refrence' may be misspelled - perhaps 'reference'?
CHECK: 'Relevent' may be misspelled - perhaps 'Relevant'?
CHECK: 'reponse' may be misspelled - perhaps 'response'?
Change-Id: Idc314b5a3a6945211581e2135cfaf9d0d5f69457
CRs-Fixed: 2241946
Address the following issues in the core/sme folder:
CHECK 'accomodates' may be misspelled - perhaps 'accommodates'?
(actually accommodated)
CHECK 'acknowledgement' may be misspelled - perhaps 'acknowledgment'?
CHECK 'becasue' may be misspelled - perhaps 'because'?
CHECK 'becuase' may be misspelled - perhaps 'because'?
CHECK 'catagory' may be misspelled - perhaps 'category'?
CHECK 'explictly' may be misspelled - perhaps 'explicitly'?
CHECK 'failue' may be misspelled - perhaps 'failure'?
CHECK 'fucntion' may be misspelled - perhaps 'function'?
CHECK 'infomation' may be misspelled - perhaps 'information'?
CHECK 'inteface' may be misspelled - perhaps 'interface'?
CHECK 'managment' may be misspelled - perhaps 'management'?
CHECK 'messsage' may be misspelled - perhaps 'message'?
CHECK 'Notifed' may be misspelled - perhaps 'Notified'?
As well as the following spotted during code review:
'sucsess' -> 'success'
Change-Id: Ieaa299d4dbc08c07f10aaf9d967336ac7b11d88d
CRs-Fixed: 2241947
From the IOCTL command WE_POLICY_MANAGER_PCL_CMD, we get the cds
concurrency mode as argument and pass it to cds_get_pcl to get
the pcl channel list. This concurrency mode parameter is used as
the array index to retrive the enum cds_pcl_type. If this value
is greater than CDS_MAX_NUM_OF_MODE an OOB read will occur in
iw_hdd_set_var_ints_getnone.
Add check to validate the input cds mode argument against the macro
CDS_MAX_NUM_OF_MODE. Return error if it is violated.
Change-Id: Iaa79d9698e0074a31a9c3f2396bd06d436d1e349
CRs-Fixed: 2216048
Address the following issues in the core/sap folder:
CHECK: 'availabe' may be misspelled - perhaps 'available'?
CHECK: 'defult' may be misspelled - perhaps 'default'?
CHECK: 'fucntion' may be misspelled - perhaps 'function'?
CHECK: 'Funtion' may be misspelled - perhaps 'Function'?
CHECK: 'intial' may be misspelled - perhaps 'initial'?
Change-Id: Id1e696f70d4d3c5ff650a353eb8402216909bc2c
CRs-Fixed: 2241944
When trying to add multiple softap interfaces, sanity checks in
wlan_hdd_allow_sap_add() are trying to access dev in adapter without
NULL check which can lead to NULL pointer exception.
To fix this, add NULL check for dev before access of its attributes.
Change-Id: I57577da1b60443a42e273f87e9f4feac123bc686
CRs-Fixed: 2232394
Fix overwrite when handling RSN element and WAPI AKM suite
list in wlan_hdd_cfg80211_set_ie.
Change-Id: I63528da4c2dfafa22f2c6fc73afe52727af02b64
CRs-Fixed: 2228031
Change "qcacld-3.0: Add support to send A-MSDU aggregation type
to firmware" combines the AMSDU/AMPDU configuration path in WMA
layer, which is causing some ampdu parameters be overwritten by
value of amsdu.
Avoid GEN_VDEV_PARAM_AMSDU handler to touch ampdu parameters.
CRs-Fixed: 2243571
Change-Id: I52119f2bbcb306f5fad704e912c4cbb179c6a369
Fix the HE mcs rates when the ack policy is set to no ack to
reduce the tx failures.
Change-Id: Iff923bcb6094d1a75ba1e14ff19897f9ca8c2e0a
CRs-Fixed: 2236565
Presently, while processing SET_PASSPOINT_LIST vendor command
HDD is not making sure realm string passed by upper-layer is NULL
terminated, this may lead to buffer overflow as strlen is used
to get realm string length to construct PASSPOINT WMA command.
Make sure realm is NULL terminated before passing the same to
down layers.
Change-Id: I417f2b89dc219664afe5deac00dc361cac4048d6
CRs-Fixed: 2180699
DISA encrypt/decrypt test is not supported by FW when power save is
enabled. Add check to reject DISA encrypt/decrypt vendor test command
if power save is enabled.
Change-Id: Ia83036f957a3298288d312f836d40284344ce8e8
CRs-Fixed: 2240880
If concurrent sap exists, which means dfs_init_radar_filters has
been called before, there is no need to call it again.
Change-Id: Ibf1805b0dbd27fbdf36c37450bdb95626195fb81
CRs-Fixed: 2241282
The obss active dwell time does not match with OBSS IE in association
response, it is a mistake to assign passive dwell time of OBSS IE to
active dwell time, and the passive dwell time value is from ini, not
updated to OBSS IE value.
Assign OBSS IE passive dwell time to passive dwell time parameter.
Change-Id: I5e7945353d00f0411ef3d92534c3f170dec440a5
CRs-Fixed: 2239670
LDPC dynamic configuration setting is not updated into session
configuration hence LDPC disable do not happen when user disable
it. Update the session configuration parameters for LDPC with
user settings.
Change-Id: Ic0b5f2b17cde5746054f90d78d6c99624444d086
CRs-Fixed: 2235936
mpdu_bytes_array_len, mpdu_msdus_array_len, and msdu_bytes_array_len
are used to calculate the record size, as well as used as
buffer offset, without any verification. This can cause to multiple
overflows and underflow leading to OOB reads.
Add checks for each arithmetic operation with these variables.
Change-Id: Ib6ec6ac6932eb8c541bc2357d45d3feaf39fdb7d
CRs-Fixed: 2226125
