In find_ie_defn function, if the current IE is an Ext IE with EID=255,
the third byte of the IE is accessed to get the extn_eid. However, if
the actual buffer length is less than 3, then an OOB read would occur
while trying to access extn_eid.
Add check to access pbuf + 2 for extn_eid only if nbuf is greater than 2.
Change-Id: Id9708176affe35a85eb21a07901ae8ed62b78b9e
CRs-Fixed: 2237141
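The extension-element check described in the commit message above, shown as an added example (not code from the driver). The function name, the sample buffers and the extra `len >= 1` test are assumptions made for illustration; only the "read the third byte when more than 2 bytes are present" rule comes from the commit message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EID_EXTENSION 255 /* element ID that marks an extension element */

/* Constructed sample buffers (not captured traffic). */
/* A 3-byte element with ID 0, then a complete extension element (ext ID 0x23). */
const uint8_t sample_ok[] = { 0x00, 0x03, 'a', 'b', 'c',
                              0xff, 0x03, 0x23, 0x01, 0x02 };
/* Extension element cut off after its length byte. The trailing 0x23 sits
 * outside the 2 bytes that are handed to the parser. */
const uint8_t sample_truncated[] = { 0xff, 0x01, 0x23 };
/* Zero-length extension element; the next byte is the following element's ID. */
const uint8_t sample_zero_len[] = { 0xff, 0x00, 0x23, 0x00 };

/*
 * Walk elements laid out as [eid][len][payload...] and return the offset of
 * the extension element whose extension ID equals want_ext_eid, or -1.
 * Hypothetical helper, not the driver's find_ie_defn().
 */
int find_ext_ie(const uint8_t *pbuf, size_t nbuf, uint8_t want_ext_eid)
{
    size_t off = 0;

    while (nbuf - off >= 2) { /* need at least eid + len */
        size_t remaining = nbuf - off;
        uint8_t eid = pbuf[off];
        uint8_t len = pbuf[off + 1];
        int is_match = 0;

        /* Rule from the commit message: the third byte (extension ID) is
         * read only when more than 2 bytes are present. The len >= 1 test is
         * an added stricter check so that a zero-length element cannot
         * borrow the first byte of the next element. */
        if (eid == EID_EXTENSION && remaining > 2 && len >= 1)
            is_match = (pbuf[off + 2] == want_ext_eid);

        /* The declared payload must fit in what is left of the buffer. */
        if ((size_t)len + 2 > remaining)
            return -1;
        if (is_match)
            return (int)off;

        off += (size_t)len + 2;
    }
    return -1;
}

int main(void)
{
    printf("complete:  %d\n",
           find_ext_ie(sample_ok, sizeof(sample_ok), 0x23));
    printf("truncated: %d\n", find_ext_ie(sample_truncated, 2, 0x23));
    printf("zero-len:  %d\n",
           find_ext_ie(sample_zero_len, sizeof(sample_zero_len), 0x23));
    return 0;
}
```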
Add NULL pointer check for packet buffer before dereferencing
it in lim_send_addba_response_frame() API.
Change-Id: I46c637b7534fe200ec586b07e34d9a4baee5ac7e
CRs-Fixed: 2232740
'wma' pointer is initialized using the return value of
cds_get_context; this function can return NULL value.
Check for NULL pointer before dereferencing the 'wma'.
Change-Id: I529a34fba91f19bdd6c62d14e97cfabb476cdf7f
CRs-Fixed: 2239647
Currently in pe_handle_mgmt_frame, all management frames are posted
into the PE message queue. The beacon and probe response frames are
filtered before posting into the PE message queue, however the PE
message queue can still be flooded with probe request frames.
Post probe request frames via SCAN queue with the appropriate
callback function.
Change-Id: Ie29ad9602d3389af467b8f893624b86265a44421
CRs-Fixed: 2238190
Remove duplicate structs wmi_dual_mac_config and sir_dual_mac_config
and use policy_mgr_dual_mac_config.
Change-Id: I6da6539f519ec46ee274ba3f3ae042e5fd9c25d2
CRs-Fixed: 2190993
Use correct size to mem zero tCsrRoamConnectedProfile
in csr_roam_save_ndi_connected_info() function.
Change-Id: I54d2bef0bd9202971dff47f9b25d43ff40258630
CRs-Fixed: 2232891
The IOCTL handler mapping code for QCSAP_SET_FW_PROFILE_HIST_INTVL
mistakenly falls through to the next switch case. Add a break to prevent
executing two IOCTL callbacks for QCSAP_SET_FW_PROFILE_HIST_INTVL.
Change-Id: I6b0a17b87c22d1d2be3697456608e8ebe704afed
CRs-Fixed: 2232911
Currently wlan_hdd_cfg80211_register_frames falls through to error
handling at the end of the success path. Return success instead.
Change-Id: I28eda918d3d5858cc42ef3958abe918b9ed788e9
CRs-Fixed: 2240003
Apparently netbufs_ring is initialized only when reordering is not fully
offloaded. When a message of type HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND
is sent, the driver does not check if reordering is offloaded.
Add a check, if reordering is offloaded, when a message of type
HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND is sent.
Change-Id: I303b52182d97aa8185c23ccd99c37a97fb75a3d2
CRs-Fixed: 2213216
In the API lim_send_assoc_req_mgmt_frame, the host
allocates memory for the assoc request packet
taking all inputs of payload and the mac header
size etc, and in case the mem allocation fails
it clears away the memory allocated to the packet
with cds packet free, which was not even allocated.
Fix is to remove the packet free in case of memory not
allocated.
Change-Id: I3fb75b1947dfe039605c42aa19c2d0bacc7bf55d
CRs-Fixed: 2216741
If DBS opportunistic timer is still running while starting new SAP on
some DFS channel when STA is already present on some 2.4GHz channel,
wrong hw mode will be set when timer expires as concurrency will only
be updated when VDEV_UP happens which will happen after at least 60
seconds in case of DFS channel. So, while starting SAP, hw mode was set
to DBS mode but on DBS opportunistic timer expiration, as VDEV_UP doesn't
happen yet, concurrency has not been updated till now causing hw mode to
reset to SINGLE_MAC resulting in DFS MCC which is not allowed.
Stop DBS opportunistic timer if running while starting new SAP to avoid
hw mode reset.
Change-Id: I9cef0ab5f6208e1822aff4a68c442d61a3f8a20e
CRs-Fixed: 2222386
Use get_wmi_unified_hdl_from_psoc instead of GET_WMI_HDL_FROM_PSOC due
to incompatible return types.
Solve renaming dependencies with common side changes.
Change-Id: Ie84641327d64876877c7d26b63d632c79770a88c
CRs-Fixed: 2203055
In the function convert_wsc_opaque, driver does copy of the
new parameters present in the additional IEs of the upstream
assoc request frame. While copying the IE length pOld->length to
curAddIELen, possible integer truncation could occur, as the
curAddIELen is of the type uint8_t whereas pOld->length is of
type uint16_t.
Change the data type of curAddIELen to uint16_t. Make changes in
convert_p2p_opaque and convert_wfd_opaque as well.
Change-Id: Ic26660fca4a02a265bfc9553b066c7ee42f1d1f4
CRs-Fixed: 2231770
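The truncation described in the commit message above, as an added example (not the driver's convert_wsc_opaque code). The struct, the 1024-byte capacity, the function names and the 200-byte sample elements are all constructed for illustration; the two append functions differ only in the width of the local length variable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADD_IE_MAX 1024 /* hypothetical capacity of the additional-IE buffer */

struct add_ie {
    uint16_t len;             /* bytes used so far */
    uint8_t buf[ADD_IE_MAX];
};

/* Constructed state used by the demo and the checks below. */
struct add_ie demo_narrow, demo_wide;

/* Before: the running length is copied into an 8-bit local, so any value
 * above 255 wraps and the write lands on top of earlier data. */
int append_narrow(struct add_ie *ie, const uint8_t *data, uint16_t length)
{
    uint8_t cur_add_ie_len = (uint8_t)ie->len; /* truncates above 255 */

    if ((size_t)cur_add_ie_len + length > ADD_IE_MAX)
        return -1;
    memcpy(&ie->buf[cur_add_ie_len], data, length);
    ie->len = (uint16_t)(ie->len + length);
    return cur_add_ie_len; /* offset the element was written at */
}

/* After: the local has the same width as the stored length. */
int append_wide(struct add_ie *ie, const uint8_t *data, uint16_t length)
{
    uint16_t cur_add_ie_len = ie->len;

    if ((size_t)cur_add_ie_len + length > ADD_IE_MAX)
        return -1;
    memcpy(&ie->buf[cur_add_ie_len], data, length);
    ie->len = (uint16_t)(ie->len + length);
    return cur_add_ie_len;
}

/* Append three constructed 200-byte elements filled with 0xA1, 0xB2, 0xC3
 * and return the offset at which the third one was written. */
int fill_demo(struct add_ie *ie, int wide)
{
    static const uint8_t fill[3] = { 0xA1, 0xB2, 0xC3 };
    uint8_t chunk[200];
    int off = -1;
    int i;

    memset(ie, 0, sizeof(*ie));
    for (i = 0; i < 3; i++) {
        memset(chunk, fill[i], sizeof(chunk));
        off = wide ? append_wide(ie, chunk, sizeof(chunk))
                   : append_narrow(ie, chunk, sizeof(chunk));
    }
    return off;
}

int main(void)
{
    printf("uint8_t local:  third element written at %d\n",
           fill_demo(&demo_narrow, 0));
    printf("uint16_t local: third element written at %d\n",
           fill_demo(&demo_wide, 1));
    return 0;
}
```

With the 8-bit local the third element is written at offset 144 (400 modulo 256) and overwrites part of the first two; with the 16-bit local it is written at 400.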
The skb buffer is freed after the earlier sanity and then passed along
to connectivity stats tracking. Rearrange the stats tracking into the
scope of the skb sanity to assure the skb pointer is valid before
accessing it and set to NULL after free to make sure it is cleared.
Change-Id: I08106bced48fa8f23955fd261c679a5362ddd7a6
CRs-fixed: 2232362
WLAN wake lock is created during module init but if probe
did not come from platform driver because of Q6 root/user
pd not coming up then during driver unload WLAN wake lock
is not destroyed which is leading to kernel panic because
WLAN driver is unloaded without cleaning up the wake up
source. Add fix to make sure to do hdd_deinit, pld_deinit,
dispatcher_deinit and wlan wake up source deinit even if
hdd context is null because if probe did not happen from
platform driver then hdd_ctx will be null.
Change-Id: I213bded171b1c69da3332e84ebb0f7cbd940ef44
CRs-Fixed: 2240186
In the function drv_cmd_set_mc_rate, the variable targetRate, used to
store the value parsed from the command from user space, is not
initialized. The variable is assigned value inside a kernel API
kstrtouint that converts the string to an unsigned int. In a certain
case if the kernel API fails, it returns an error code without assigning
any value to the passed parameter. In this scenario, the variable
targetRate, still uninitialized is passed on to function
wlan_hdd_set_mc_rate where it is logged using hdd_debug. As the flow
goes on, it is then again logged using WMA_LOGE(). This might lead to
potential information leak.
Initialize the variable to zero to prevent the mentioned scenario.
Change-Id: Ideec0b1930e994f19ae8a669cd2963db4016eae1
CRs-Fixed: 2226172
In __iw_set_packet_filter_params(), a user controlled length value,
priv_data.length, is used to allocate a buffer. This buffer is then
cast to a struct pointer of struct pkt_filter_cfg type without ensuring
the buffer is large enough to hold the struct. This can lead to a buffer
overread if the user supplied size is smaller than the actual size of the
struct.
Add a sanity check on priv_data.length to ensure that the size is large
enough to hold the struct.
Change-Id: I227856484d4bd7a9b0a16a42e26febbc799f80b5
CRs-Fixed: 2228725
Presently, fw_crash_timeout is disabled as a result of which if
timeout happens for any VDEV related WMI command and device goes
in bad state, no assert or recovery is getting triggered. Due to
this, device crashes at some later point of time at some random
location making debugging difficult.
Enable fw_crash_timeout and trigger recovery if recovery is enabled
otherwise assert.
Change-Id: I9e9e51cba8086bd181be28884c490f0bd77663a8
CRs-Fixed: 2229101
In function update_fils_data, fils_indication->num_variable_data
is the actual length of the data present in the array variable_data.
While accessing variable_data array to copy cache identifier, HESSID
and realm identifiers, the length of the array is not checked and
could lead to OOB access.
Add check to validate remaining data length in variable_data array
before accessing it to copy various fields.
Change-Id: Ifc1f5d55964bcd7fdcc2676ea9c2afede0fe6803
CRs-Fixed: 2231767
As a result of P2P componentization a variety of P2P-related macros
are no longer used, so remove them.
Change-Id: I693c4f11575968ce0aae9f3ecac9e008b0dbf5b9
CRs-Fixed: 2237726
Replace typos "sucess" and "sucessful" with correct spellings
"success" and "successful"
Change-Id: I30746cbab4533da9b052261fa9bb87214188138b
CRs-Fixed: 2237724
The Linux Coding Style frowns upon mixed-case names and so-called
Hungarian notation, so rename fConnected to align with the Coding
Style.
Change-Id: I5987e3c31aed44448a1f1843d8931daa7dfeb0fe
CRs-Fixed: 2237723
Rename typedef tsap_Config_t and the underlying struct sap_Config to
align with the Linux coding standard.
Change-Id: I6e8f8b5ab9555c7781f1acf12a0475902866300c
CRs-Fixed: 2237721
The following structs are obsolete so remove them:
- struct sQcSapreq_wpaie
- struct sQcSapreq_wscie
Change-Id: Ie9fdba59cf31e9a2c5e468183c1328aee439709a
CRs-Fixed: 2237720
qcacld-2.0 to qcacld-3.0 propagation
Beacon does not show RSN IE after disabling/enabling SAP, hence
stations do not connect back while trying to associate in WPA.
While re-enabling SAP from the hostapd_cli, the start_bss is called
twice, first from wps_init which does not populate RSNIE and secondly,
through bss_setup which has RSNIE but is getting ignored as the BSS is
already started.
Added the RSN IE in case of BSS already started.
Change-Id: I2a67156e66e255e7c007a5925cd81b859009114e
CRs-Fixed: 2144429
Add /* fallthrough */ comment in __lim_process_sme_deauth_req
as per linux checkpatch script while processing deauth req for
limSmeState 'eLIM_SME_LINK_EST_STATE'.
Change-Id: I38e0520aaec96e2ba35c916b39e79724c453632f
CRs-Fixed: 2233183
wlan_objmgr_get_vdev_by_macaddr_from_psoc and wlan_objmgr_get_peer
API's definitions have been changed to include pdev_id as an
argument.
Modify the callers of these APIs to include pdev_id as argument.
Change-Id: I3d0de6a0bc1dfefbe1b3cad51ec23f703baaf3ad
CRs-Fixed: 2210728
In hdd_send_association_event() and hdd_send_re_assoc_event(), there is
no check of pBssDesc against NULL which can lead to NULL pointer exception.
Circumvent this issue by adding NULL check.
Change-Id: Ic3a0142b4ea3f058e8d3993fb491d418ddb8f70d
CRs-Fixed: 2232721
Take care to disable TCP delack internally if GRO is enabled.
This is required as enabling both will have adverse effect with
smaller window size and noisy scenario.
Change-Id: If91236620d87287c9b71901e9d8e3d176eebc648
CRs-Fixed: 2172652
Change I8e1b62cd9586f5b2be7acb863a106d2486be1b35 used unassigned
member dp_handle of wlan_objmgr_psoc, which causes failure on DP.
Assign dp_handle properly to avoid it.
CRs-Fixed: 2237072
Change-Id: If230b8a24f5ac9d26ac27f89779c7669cdee5455
Add /* fallthrough */ comment in sme_qos_add_ts_failure_fnp
as per linux checkpatch script in case of reason
SME_QOS_REASON_REQ_SUCCESS of flow request.
Change-Id: I6ea942e53cd6f0828dbe55cfdd77ecf75cf1cdbb
CRs-Fixed: 2233176
wma_is_service_enabled can't get valid service bitmap if called in
hdd_update_pmo_config, use psoc_ctx->caps.unified_wow instead to check
pattern id per vdev and legacy d0 wow capability.
Change-Id: If7bf316f482c49253fc4b95b94e172727b27ffd1
CRs-Fixed: 2225847
When doing re-association, obsolete data exists in policy manager
until hdd_association_completion_handler updates the active session.
If sap restart is checked before this, the wrong data will be accessed.
Change-Id: Ie62f86a5d523e70b6bb81b500bd358b63ae90ea8
CRs-Fixed: 2231675
In the API wma_process_pdev_hw_mode_trans_ind
the host doesn't check the upper limit of
num_vdev_mac_entries received from the firmware,
and fills the same to the host structure
hw_mode_trans_ind, which may cause OOB write.
Fix is to check for the max vdev supported in the
same API and return if the condition is false.
Change-Id: I54a9e12f777b87b49057d6c97c06ab71b9ad1d77
CRs-Fixed: 2221965
To avoid out-of-bounds access of mem_map_table from htt_rx_hash_deinit,
allocate mem_map_table size the same as maximum number of hash
entries, which is RX_NUM_HASH_BUCKETS * RX_ENTRIES_SIZE.
Change-Id: If25f97b47350196ceb2e8c60e7d5430a1484a01d
CRs-Fixed: 2214158
NAPI APIs in HDD are platform specific. So make these APIs
conditionally compiled.
Change-Id: Id87c11da13f096d4f9ff735bbd98dcea23d52310
CRs-Fixed: 2235978
Initialize packet filter clear rule on stack properly to avoid
using un-initialized member variables.
Change-Id: I03b129e7660ed761b03ac163fdb3e7eee58ec034
CRs-Fixed: 2119208
In the function wma_set_epno_network_list,
req->networks[i].ssid.ssId is copied into the destination
params->networks[i].ssid.mac_ssid. But the ssid length is not
considered while copying and WMI_MAC_MAX_SSID_LENGTH is used as
the length for copying. This might result in possible buffer
overread if the ssid length is not WMI_MAC_MAX_SSID_LENGTH.
Similar issue is seen in wma_pno_start also.
Use pno->aNetworks[i].ssId.length as the size to mem copy the
ssid to the destination ssid buffer.
Change-Id: Id3f579da97e398663b7d583f5f46d4671eabeae3
CRs-Fixed: 2233682
GRO aggregations are hanging out of NAPI instance and we cannot use the
hif NAPI instance in Rx thread as gro_list inside NAPI is flushed out
at the start and end of NAPI poll, this will corrupt the gro_list on
which rx_thread is working. Address this concern by creating dummy
NAPI instances mapping to each hif NAPI and not scheduling them.
Change-Id: I6e1de57a669c56206a7863e86c3840bd0a9eabc1
CRs-Fixed: 2128450
Currently the API hdd_wmm_free_context frees the hdd_wmm context and
this api is getting invoked from several places without disabling
the inactivity timer.
Since the timer is not disabled, when hdd_wmm_inactivity_timer_cb
is invoked it tries to access the hdd_wmm context which is already
freed and the memory is reallocated to someone else resulting in
undefined behaviour.
To address this issue, disable hdd_wmm_inactivity timer before
calling hdd_wmm_free_context function and add a check for
hdd_wmm context in hdd_wmm_inactivity_timer_cb, if hdd_wmm context
is NULL don't proceed further and return.
Change-Id: Ib085c70b3e5a57b5cd494bc2cd21edd0580c16c4
CRs-Fixed: 2233987
During cfg80211 suspend there are a couple of redundant log messages
which are logged on console. Change the log level to debug to avoid
logging them on console.
Change-Id: Id45cc261ec7c2c1397afa746216b090fc5d34d7a
CRs-Fixed: 2235798
Add pointer validation check for variable 'additional_ie' in
lim_send_probe_req_mgmt_frame() API before dereferencing it.
Change-Id: I83f24b0707b129445b3b6bcdb84a5572aa4f0ccd
CRs-Fixed: 2232743
Add a check for NULL pointer before accessing roam_info
object pointer.
Change-Id: Id03a47761fa9624ddf76305f110f1f83bcb0a7cd
CRs-Fixed: 2232419
Currently lim_create_fils_auth_data calls lim_create_fils_wrapper_data
to calculate length of the created wrapped data and stores it in an
unsigned variable wrapped_data_len. But return type of
lim_create_fils_wrapper_data is int so it could return negative value.
Less-than-zero comparison present in lim_create_fils_auth_data of an
unsigned value is never true, as unsigned value can never be less than 0.
As a result, lim_create_fils_auth_data returns improper 'fils auth data' which
is used to be sent in auth req.
To make 'less-than-zero comparison' effective in lim_create_fils_auth_data
change type of wrapped_data_len from unsigned int to signed int.
Change-Id: I66d872b76b2039179e3f3dd0ccbb6c135174e354
CRs-Fixed: 2233113
Add /* fallthrough */ comment in sme_qos_add_ts_success_fnp
as per linux checkpatch script in case of reason
SME_QOS_REASON_REQ_SUCCESS of flow request.
Change-Id: I6285ccdc74e5c19fb9bbb8a1b9e0dec5e54edc6e
CRs-Fixed: 2233179
In case of STA + SAP, when STA connects to a new AP, the SAP
initiates channel switch to the new channel of the STA. During
this transition period DUT will be in MCC scenario and thus
firmware changes the TBTT of SAP to get 50% channel time.
Due to this peer STA connected to DUT-SAP may miss all 5
beacons containing CSA info and when it comes out of hw-dtim
mode after 5 beacon misses the DUT SAP has already moved to
new channel and thus as SAP is not on the old channel the peer
STA will receive Heart beat failure.
To avoid this Heart beat failure on peer STA, increase the
default value of channel switch count (g_sap_chanswitch_beacon_cnt)
to 10 to increase the probability of receiving beacons with
CSA info.
Change-Id: I2e5182c299f2a100c9919ffc123aa6b1290324f9
CRs-Fixed: 2227704
Fix NPD in function lim_create_fils_wrapper_data, by moving the check
against NULL pointer before the access.
Change-Id: I00c6c4df0ff94ffdfe77a8a563b1747c29906b2f
CRs-Fixed: 2232734
cdp_get_pn_info() would output wild pointers and cause NULL
pointer reference in wma_is_ccmp_pn_replay_attack().
Add pointer check in wma_is_ccmp_pn_replay_attack().
CRs-Fixed: 2232554
Change-Id: Ic2e5487468aaced91d6567005bbe66a7c065f088
Log reason code while flushing logging events to precisely know
the reason of failure.
Change-Id: Ibe26563780f165e85490c54c2b4f83d959a3587f
CRs-Fixed: 2235138
Change data packets printing to one line
Add msdu-id to TX packets
Increase data packets size to include the complete IP packets
Indication/print when the throttling occurs
Change-Id: I4831c517b41f81003b8d28448a3093d911ac978c
CRs-Fixed: 2157768
The return value check logic is wrong in __iw_get_softap_linkspeed,
which causes get linkspeed to always fail.
Change-Id: If37732867f91e2b95996614ab863953d5ed5af93
CRs-Fixed: 2232332
Add Unified WDI API support for ol_txrx_ipa_set_perf_level and fix
client parameter for ipa_wdi_set_perf_profile.
Change-Id: Ieaaf7cf5231f74cd6ba358c02032ae173d9618f0
CRs-Fixed: 2211504
Move chanmode_to_chanwidth API to qcacmn since it will be used by ndp
schedule update event.
Change-Id: I13d00c0b818eb0da434c8a5372b2ab7b6693f22a
CRs-Fixed: 2216803
In shielding room, bring up one 2.4G SAP with HT40+ on channel 6,
but hostapd_cli command will report HT40-. Root cause is it uses
sec_ch_offset when calculating ACS result params, which is wrong.
Fix is to use secondary_ch when calculating ACS result params.
Change-Id: I41a5d0e4be0d2e3046d0004c25f11f2905a3b911
CRs-Fixed: 2221588
Add GRO support and make it configurable through INI(GROEnable).
GRO and LRO are mutually exclusive. Only one of them can be enabled.
And disable GRO during the following conditions:
1) Low TPUT scenario
2) Concurrency cases
3) For Rx packets when Peer is not connected
Change-Id: I15535827a03953231670d4138235c4876b16e045
CRs-Fixed: 2098772
INI item "gBmpsModListenInterval" is not used and hence remove
it from source code.
Change-Id: I32cae84a200541e9028667f16736ce5394bae4b7
CRs-Fixed: 2232887
In dot11f_unpack functions, the length of the buffer passed is
decremented as the pointer advances in the buffer. Add a check for
integer underflow before decrementing the length.
Change-Id: I4ed39d326855c2027ff0bc3cbe5c8981a2ae2aa1
CRs-Fixed: 2231755
When the SSR is triggered after the modules are closed, uevent
notifier is trying to get the pdev which is already destroyed.
Reject the uevent notification if the modules are already closed.
Change-Id: I8074838b18b1e36dd67afa90125f9fbe06d32c34
CRs-Fixed: 2219843
Currently, in __wlan_hdd_cfg80211_set_limit_offchan_param() function after
parsing the 'tos' value from incoming netlink buffer there is no check
against the max value of tos. This tos value is passed as an argument
to hdd_set_limit_off_chan_for_tos() function where it is used as an array
index for 'limit_off_chan_tbl' variable which is limited to HDD_MAX_AC.
This may cause out of bound access.
Add check to ensure the parsed tos value is not greater than
or equal to its max value.
Change-Id: I661af1f9559d9bec627594d119423be97978ac2c
CRs-Fixed: 2222803
Currently, there is no break statement between switch cases in
function hdd_stop_present_mode(), here first case has to
fall through the next case instead of using break statement.
Add /* fallthrough */ comment between the cases.
Change-Id: I518628fb8ee084a0ea8de5c98c18a9a6c20b2637
CRs-Fixed: 2233177
In wma_fill_roam_synch_buffer, fils_info is received from the FW
as part of roam synch event and contains kek_len and pmk_len. These
lengths are used to copy the kek and pmk from the FW buffer to the
roam_synch_ind_ptr respectively.
If the kek_len exceeds the SIR_KEK_KEY_LEN_FILS or pmk_len exceeds
the SIR_PMK_LEN value, a buffer overwrite would occur during
memcpy.
Add sanity check to return error if kek_len exceeds SIR_KEK_KEY_LEN_FILS
or if pmk_len exceeds SIR_PMK_LEN.
Change-Id: I8035c54cb4cbd5b4065646377f7d1d2824f9c436
CRs-Fixed: 2226386
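The length check described in the commit message above, as an added example (not the driver's wma_fill_roam_synch_buffer code). The event layout, the function and struct names, and the two limits standing in for SIR_KEK_KEY_LEN_FILS and SIR_PMK_LEN are assumptions; the check that the lengths fit inside the received event goes beyond what the commit message states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EX_KEK_MAX 64 /* assumed stand-in for SIR_KEK_KEY_LEN_FILS */
#define EX_PMK_MAX 48 /* assumed stand-in for SIR_PMK_LEN */

struct roam_synch_ind { /* host-side destination with fixed-size key fields */
    uint32_t kek_len;
    uint8_t kek[EX_KEK_MAX];
    uint32_t pmk_len;
    uint8_t pmk[EX_PMK_MAX];
};

/* Constructed events: kek_len (LE32), pmk_len (LE32), kek bytes, pmk bytes. */
const uint8_t evt_ok[] = { 4, 0, 0, 0, 2, 0, 0, 0,
                           0x11, 0x22, 0x33, 0x44, 0xaa, 0xbb };
/* kek_len = 65, one more than the destination can hold. */
const uint8_t evt_big_kek[] = { 0x41, 0, 0, 0, 2, 0, 0, 0, 0x11, 0x22 };
/* Lengths are in range but the event carries only 3 of the 6 key bytes. */
const uint8_t evt_short[] = { 4, 0, 0, 0, 2, 0, 0, 0, 0x11, 0x22, 0x33 };

struct roam_synch_ind demo_ind; /* destination used by the demo */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 on success, -1 short header, -2 length exceeds destination,
 * -3 length exceeds the event. dst is written only on success. */
int fill_fils_keys(struct roam_synch_ind *dst, const uint8_t *evt,
                   size_t evt_len)
{
    uint32_t kek_len, pmk_len;

    if (evt_len < 8)
        return -1;
    kek_len = rd_le32(evt);
    pmk_len = rd_le32(evt + 4);

    /* Destination bounds: the sanity check the commit message adds. */
    if (kek_len > EX_KEK_MAX || pmk_len > EX_PMK_MAX)
        return -2;
    /* Source bounds (added here): both lengths are small at this point,
     * so the sum cannot wrap. */
    if ((size_t)kek_len + pmk_len > evt_len - 8)
        return -3;

    memcpy(dst->kek, evt + 8, kek_len);
    memcpy(dst->pmk, evt + 8 + kek_len, pmk_len);
    dst->kek_len = kek_len;
    dst->pmk_len = pmk_len;
    return 0;
}

int main(void)
{
    printf("ok:      %d\n", fill_fils_keys(&demo_ind, evt_ok, sizeof(evt_ok)));
    printf("big kek: %d\n",
           fill_fils_keys(&demo_ind, evt_big_kek, sizeof(evt_big_kek)));
    printf("short:   %d\n",
           fill_fils_keys(&demo_ind, evt_short, sizeof(evt_short)));
    return 0;
}
```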
In function wma_get_arp_stats_handler avoid un-initialized
access to arp rsp_stats by initializing it to 0s.
Change-Id: I95c41f89740bff276ed5c6736b4ad9da3ef6ce87
CRs-Fixed: 2232401
In hdd_stop_adapter() there is a switch statement where the logic for
case QDF_SAP_MODE falls through to the next case. Add a fallthrough
comment to explicitly document that this is the desired behavior as
opposed to a missing break statement.
Change-Id: I2fc7b2eeb07eb91b57d5008e74267667a5995c6e
CRs-Fixed: 2233181
In hdd_sme_roam_callback() there is a switch statement where the logic
for case eCSR_ROAM_CANCELLED falls through to the next case. Add a
fallthrough comment to explicitly document that this is the desired
behavior as opposed to a missing break statement.
Change-Id: Ic5fd5c92d7ab421a60d56dfc7761578b554349c6
CRs-Fixed: 2233180
In wlan_hdd_update_phymode() when the curr_band is set to BAND_5G the
channelBondingMode5GHz is not correctly set. Fix the logic which
currently has duplicated test for BAND_2G to test for both BAND_2G and
BAND_5G.
Change-Id: I70ed07d12ae891374e511905213ef7fcc7a7f1f1
CRs-Fixed: 2232919
Currently in __iw_get_char_setnone() while processing the
WE_GET_STATES ioctl a call is made to PMAC_STRUCT() to convert a HAL
handle into a tpAniSirGlobal (aka pMac). This is a data hiding
violation since use of pMac should be constrained to the UMAC -- HDD
should not be utilizing this data structure. And it turns out that
after PMAC_STRUCT() is called the resulting pMac actually isn't used
other than testing for NULL. Furthermore this is dead code since the
HAL handle was already tested for NULL and hence the pMac could never
be NULL at the point it is tested. So fix this data hiding violation
by completely removing the code that populates and tests pMac.
Change-Id: I73fc7c388f4482e5c483a4982231f934cc80ef6c
CRs-Fixed: 2232897
In __iw_set_host_offload() there is a switch statement where the logic
for case WLAN_OFFLOAD_ARP_AND_BC_FILTER_ENABLE falls through to the
next case. Add a fallthrough comment to explicitly document that this
is the desired behavior as opposed to a missing break statement.
Change-Id: I9a7d84841d9d059e822ee15ee482111ca9d87caf
CRs-Fixed: 2233178
Change ce_service_max_yield_time ini to us granularity to have
yield time of us order as well.
Change-Id: Ib9e421ad61b660194459c2ee44b2d36a07a21e61
CRs-fixed: 2086153
Add ini support to change ce service max rx indication flush num
to handle given number of rx indication at a time to maintain
napi yield timelines. This is used to tune the yield time based on
system needs.
Change-Id: Ib66f23c83d64f2bc16a352067816512c3d8defef
CRs-Fixed: 2068367
CCMP and GCMP both have different lengths of their MIC part. MIC
length for CCMP is 8 bytes whereas it is 16 bytes for GCMP. When
encryption type is GCMP/GCMP-256, sending packets with CCMP MIC
length causes fw to drop the GCMP encrypted management packets
leading to connection issues.
Send GCMP encrypted frames with GCMP MIC length.
Change-Id: Ia83fa6ffde880fe69e5e4c3e3c3ce9c62ad8fa3c
CRs-Fixed: 2203224
__iw_setint_getnone() allocates and frees an instance of
tSmeConfigParams, which is unused. Remove this local variable.
Change-Id: Iad8383ad4bd95978ac74b5a177923be14c45f0c0
CRs-Fixed: 2232057
Change default value of CSN to 4 to disable default capability of
8 stream beamformee. The value can still be configured with ini.
Change-Id: I814e10cc7da176dd12c154b8870b4d261ebb4789
CRs-Fixed: 2231358
Add ini support to change ce service max yield time, so that we can
tune the napi SWI context of execution based on the system needs and
add a variable in napi stats to record max time taken in NAPI poll.
Change-Id: Id2b47bcecb777b98e0b1192135ae140b681d387d
CRs-Fixed: 2055074
Currently variable "num_mpdu_ranges" is from message, which is used
directly without any validation which causes buffer over-write.
To avoid buffer over-write add check for the valid num_mpdu_ranges.
Change-Id: I54e138d4bd63cbe7a0ae4faf0fe9d8e59ca92c71
CRs-Fixed: 2213655
Currently if the MAC is changed dynamically for any interface,
driver is allowing to configure a MAC which is already in use by
some other interface and it will allow different interfaces to
come up on same MAC address.
To address this issue add a check to configure only different
MAC address.
Change-Id: Iece3bb063be30d5d983f4bec710d6d16b22bd2f9
CRs-Fixed: 2227656
If any WMA request is queued in wma hold req/vdev resp queue after fw
has crashed and sent the corresponding uevent to HOST, request will
timeout and if at the same time, SSR is also going on, it may lead to
various issues and crashes.
Check whether target is ready or not before queuing any request
in wma hold req/vdev resp queue.
Change-Id: I358841566f858e115b3b04f12f4d8b70b75d1dfc
CRs-Fixed: 2226497
1) In csr_start, CSR module's scan callback function is currently
   registered after scan is enabled. This can result in a potential
   memory leak of the per-session CSR scan profile's child buffers
   when the following events take place in sequence:
   (1) CSR scan is enabled
   (2) Upper layer invokes CSR module for scan requests
       (per-session CSR scan profile's child buffers are
       allocated here)
   (3) Scan finished, but no CSR callback is registered to
       handle it so the previously allocated child buffers
       are leaked
   (4) CSR scan callback function is registered later, but
       it's already too late
   Move the CSR scan enabling code to a place after CSR scan
   callback is registered to fix the potential memory leakage.
2) CSR scan should be stopped before sessions are closed, and
   session init code should not re-enable CSR scan again during
   session clean up stage. Or there will be another chance for
   the same issue as in 1) to happen again.
3) CSR scan callback function should be deregistered before
   a session is closed and cleaned up.
4) Per-session CSR scan profile pointer should be checked
   during session clean up and its buffer and child buffers
   should be freed to avoid any potential memory leak.
Change-Id: I99101170a58f63b239db620dea01d210e83d9367
CRs-Fixed: 2228321
Update the usage type of gTxAggSwRetryBE, gTxAggSwRetryBK,
gTxAggSwRetryVI, gTxAggSwRetryVO, gTxAggregationSizeBE,
gTxAggregationSizeBK, gTxAggregationSizeVI, gTxAggregationSizeVO
from external to internal.
Change-Id: Idd4c6d9f3c03fef9e3d3600871c20ad419bac6b0
CRs-Fixed: 2230035
runtime lock/pdev/pdev object are allocated when receiving
rx ready event. If cdp_pdev_post_attach fails in cds_pre_enable,
such resources also need to be released.
Change-Id: I549567d1125ce3b28c0ce6f3a9bda62e6209be09
CRs-Fixed: 2222363
There's an excessive log for IPA uC stat request reason even when
WDI pipe is suspended.
Enable IPA uC stat request reason log only when IPA pipe is resumed.
Change-Id: I35d98e02a9180738bc9cdb25f59e31d572df9e0e
CRs-Fixed: 2181952
While processing GETIBSSPEERINFO IOCTL command, respective handler
drv_cmd_get_ibss_peer_info() is logging user-buffer which can cause
page fault error.
To fix this, log local buffer (extra) instead of
user buffer (priv_data->buf).
Change-Id: I6260120690c4715de31fe0f9404aa5928c0feb49
CRs-Fixed: 2227050