Currently, in function wlan_hdd_cfg80211_start_bss(), supported rates
and extended rates are copied from the information element pointer
without checking array bounds, which may cause OOB access.
To address this issue, add length checks before copying supported
rates and extended rates.
Change-Id: Ic6363e97bb3498a5dd23bc5e5f9b9f3ce093509d
CRs-Fixed: 2312995
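To illustrate the kind of length check this change describes, the following is an added example (not qcacld code and not the change itself): a small walker over 802.11 information elements that copies the Supported Rates (element ID 1) and Extended Supported Rates (element ID 50) bodies into a fixed-size array, checking each copy against both the bytes remaining in the IE buffer and the space remaining in the destination. The function names, the MAX_RATES capacity and the sample IE buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not qcacld code. Element IDs for Supported Rates (1)
 * and Extended Supported Rates (50) are the 802.11 values; the destination
 * capacity MAX_RATES is an assumption made for this example. */
#define WLAN_EID_SUPP_RATES      1
#define WLAN_EID_EXT_SUPP_RATES  50
#define MAX_RATES                12

struct rates {
    uint8_t rate[MAX_RATES];
    size_t count;
};

/* Walks a buffer of IEs laid out as (id, len, data...) and copies the bodies
 * of the Supported Rates and Extended Supported Rates elements into
 * out->rate. Every copy is bounded by the bytes left in the IE buffer and by
 * the space left in the rates array. Returns 0 on success, -1 when an IE is
 * truncated or when the rates would not fit. */
int collect_rates(const uint8_t *ies, size_t ies_len, struct rates *out)
{
    size_t pos = 0;

    out->count = 0;
    while (pos + 2 <= ies_len) {
        uint8_t id = ies[pos];
        uint8_t len = ies[pos + 1];

        if (pos + 2 + len > ies_len)
            return -1;                 /* IE claims more bytes than present */
        if (id == WLAN_EID_SUPP_RATES || id == WLAN_EID_EXT_SUPP_RATES) {
            if (len > MAX_RATES - out->count)
                return -1;             /* would overflow the rates array */
            memcpy(out->rate + out->count, ies + pos + 2, len);
            out->count += len;
        }
        pos += 2 + len;
    }
    return pos == ies_len ? 0 : -1;    /* trailing partial IE header */
}

/* Runs three constructed IE buffers through collect_rates(): a well-formed
 * pair (8 + 4 rates), one whose Extended Supported Rates element would push
 * the total past MAX_RATES, and one whose Supported Rates element claims more
 * bytes than the buffer holds. Returns 1 when all three behave as expected. */
int rates_scenario(void)
{
    static const uint8_t good[] = {
        1, 8,  0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
        50, 4, 0x30, 0x48, 0x60, 0x6c,
    };
    static const uint8_t oversized[] = {
        1, 8,  0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24,
        50, 8, 0x30, 0x48, 0x60, 0x6c, 0x30, 0x48, 0x60, 0x6c,
    };
    static const uint8_t truncated[] = { 1, 8, 0x82, 0x84 };
    struct rates r;

    if (collect_rates(good, sizeof(good), &r) != 0 || r.count != 12)
        return 0;
    if (collect_rates(oversized, sizeof(oversized), &r) != -1)
        return 0;
    if (collect_rates(truncated, sizeof(truncated), &r) != -1)
        return 0;
    return 1;
}
```

The two checks are deliberately separate: the first guards the read side (the IE's own length field against the buffer), the second guards the write side (the accumulated count against the destination array), and either one alone leaves an out-of-bounds access reachable.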
The APIs below log failures with caller information,
so there is no need to log at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I392fd31f2ae1e46a0d7ceaa657b77fad4efd31eb
CRs-Fixed: 2327098
The APIs below log failures with caller information,
so there is no need to log at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I5d7d49811d71f83ecafccd9f936af323073b32c6
CRs-Fixed: 2327098
PLD FW down uevent is asynchronous, which races against all critical
driver transition events like probe, remove, shutdown and reinit; hence
move wmi_stop to the wma shutdown notifier callback such that it is
protected against all critical driver transition events.
Change-Id: I91046efeab8bc13b9f5c37d5a4d02b66c63e35a9
CRs-Fixed: 2330980
Add bound check for new fixed_param->total_num_tx_power_levels
with its old value of rs_results->total_num_tx_power_levels in
wma_unified_radio_tx_power_level_stats_event_handler.
rs_results->tx_time_per_power_level is allocated only once
if it has not been already allocated. This allocation is saved
into the global wma_handle structure.
If multiple invocations of this handler occur then a buffer
overflow can occur in the following scenario:
1. First message is used to allocate rs_results->tx_time_per_power_level
with a small, but valid size.
2. Second message skips allocation of rs_results->tx_time_per_power_level
since it was done with the first message. This message specifies a larger
valid value and causes the qdf_mem_copy() to overflow.
Change-Id: Ib9c7d3bd667e2ffc1408cd7356be35985331e028
CRs-Fixed: 2327688
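The two-message scenario above, as an added example that is not qcacld code: a simplified handler that allocates the per-level array once and reuses it, shown first without and then with a bound check of the new event's count against the count recorded when the array was allocated. Struct and function names, the MAX_TX_POWER_LEVELS ceiling and the sample events are constructed stand-ins for the driver's own structures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example, not qcacld code. MAX_TX_POWER_LEVELS is an assumed
 * upper limit for this example. */
#define MAX_TX_POWER_LEVELS 256

struct radio_tx_power_stats {
    uint32_t total_num_tx_power_levels;  /* count recorded at first allocation */
    uint32_t *tx_time_per_power_level;   /* allocated once, reused afterwards */
};

/* Stand-in for the event's fixed_param fields (constructed). */
struct tx_power_event {
    uint32_t total_num_tx_power_levels;  /* count supplied by the sender */
    const uint32_t *levels;              /* that many entries follow */
};

/* Unchecked pattern: the buffer is sized by the first event, but every copy
 * uses the current event's count. A later event with a larger count writes
 * past the end of the buffer. Kept for contrast only; do not use. */
int handle_tx_power_stats_unchecked(struct radio_tx_power_stats *rs,
                                    const struct tx_power_event *ev)
{
    uint32_t n = ev->total_num_tx_power_levels;

    if (n == 0 || n > MAX_TX_POWER_LEVELS)
        return -1;
    if (!rs->tx_time_per_power_level) {
        rs->tx_time_per_power_level = calloc(n, sizeof(uint32_t));
        if (!rs->tx_time_per_power_level)
            return -1;
        rs->total_num_tx_power_levels = n;
    }
    /* BUG: n comes from this event, the buffer was sized by an earlier one */
    memcpy(rs->tx_time_per_power_level, ev->levels, n * sizeof(uint32_t));
    return 0;
}

/* Hardened handler: when the buffer already exists, the new count must not
 * exceed the count the buffer was allocated for. */
int handle_tx_power_stats(struct radio_tx_power_stats *rs,
                          const struct tx_power_event *ev)
{
    uint32_t n = ev->total_num_tx_power_levels;

    if (n == 0 || n > MAX_TX_POWER_LEVELS)
        return -1;
    if (!rs->tx_time_per_power_level) {
        rs->tx_time_per_power_level = calloc(n, sizeof(uint32_t));
        if (!rs->tx_time_per_power_level)
            return -1;
        rs->total_num_tx_power_levels = n;
    } else if (n > rs->total_num_tx_power_levels) {
        return -1;   /* added bound check: buffer was sized by an earlier event */
    }
    memcpy(rs->tx_time_per_power_level, ev->levels, n * sizeof(uint32_t));
    return 0;
}

/* Replays the scenario from the commit message against the hardened handler:
 * a first event with 4 levels allocates, a second with 8 levels must be
 * rejected and must leave the first event's data intact. Returns 1 on that
 * outcome, 0 otherwise. */
int tx_power_scenario_rejects_growth(void)
{
    static const uint32_t small[4] = { 1, 2, 3, 4 };                  /* constructed */
    static const uint32_t large[8] = { 9, 9, 9, 9, 9, 9, 9, 9 };      /* constructed */
    struct radio_tx_power_stats rs = { 0, NULL };
    struct tx_power_event first = { 4, small };
    struct tx_power_event second = { 8, large };
    int ok = 0;

    if (handle_tx_power_stats(&rs, &first) != 0)
        goto out;
    if (handle_tx_power_stats(&rs, &second) != -1)
        goto out;
    ok = (rs.total_num_tx_power_levels == 4 &&
          rs.tx_time_per_power_level[3] == 4);
out:
    free(rs.tx_time_per_power_level);
    return ok;
}
```

A second event with a count equal to or smaller than the stored one is still accepted by the hardened handler; only growth beyond the original allocation is refused, which is exactly the case the unchecked version gets wrong.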
Change I8cd30439d7ac3de7b550aa5042353cf30e04cbda recently introduced
misleading indentation in sme_update_tx_bfee_nstsi(). Not only does this
cause a build failure for some configurations, but is also dangerously
confusing for future readers. Remove the misleading indentation in
sme_update_tx_bfee_nstsi().
Change-Id: Ia971c414b433eeaff51eb4c65d3d2f56c49617b1
CRs-Fixed: 2330256
In the function csr_roam_chk_lnk_swt_ch_ind(), newChannelId is
updated to session->pConnectBssDesc->channelId and
pConnectBssDesc->ieFields is passed to wlan_cfg_get_ie_ptr().
The parameters of pConnectBssDesc are accessed without
validating pConnectBssDesc. This can result in a possible null
pointer dereference.
Validate the session->pConnectBssDesc before access.
Change-Id: I45f2c090cea90052f91d678f1bacd1411c4b9496
CRs-Fixed: 2329317
When the interface change timer expires, wma_wmi_service_close() is
called from hdd_iface_change_callback()->hdd_wlan_stop_modules()
->cds_close(). wmi_handle is made null here. At the same time,
if there is a modem reboot, the host will receive an early
indication from FW. Due to this, the icnss driver sends the
ICNSS_UEVENT_FW_DOWN event to the host and it calls wmi_stop() again
from icnss_call_driver_uevent()->pld_snoc_uevent()->
wlan_hdd_pld_uevent() -> wlan_hdd_set_the_pld_uevent()->
wma_wmi_stop() -> wmi_stop(). As wmi_handle was marked
null during wlan stop modules, this causes a potential NULL
pointer dereference.
Flush iface_idle_work before wma_wmi_stop and add NULL check
before accessing wmi_handle.
Change-Id: I1bfa8ab7329040c0b5ba989c0d7de7bf7228dd35
CRs-Fixed: 2328575
Add sanity check for vdev_id in wma_lost_link_info_handler
against wma_handle->max_bssid.
Change-Id: I1f469b25ac88deb4d5bbaf754c0ea441e6cb04de
CRs-Fixed: 2325718
When disconnect is issued from userspace, lim_del_bss is invoked
and vdev stop is sent to firmware. If sending vdev stop fails,
WMA_DELETE_BSS_RSP is posted with failure. If an SSR is
happening during this time, then cds_mc_thread is preempted, and
as part of the pld uevent the vdev resp queue cleanup is done. In
this path, lim_process_sta_mlm_del_bss_rsp is called and
msg->bodyptr is freed and pe session is deleted. After pld
uevent execution, the delete bss response processing in
cds_mc_thread as part of user space disconnect resumes and tries
to free the msg->bodyptr again. This results in double free.
Add check to validate if msg->bodyptr is NULL before freeing
the memory.
Change-Id: I491e5bab640aca6546b58755502dd00aa1bc6083
CRs-Fixed: 2324482
Make the following updates to the extscan get capabilities logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
Change-Id: I9e57c86a3da0924af01d82d626b61c28f7d520bf
CRs-Fixed: 2330211
In __wlan_hdd_cfg80211_suspend_wlan(), the suspend process bails out
if hdd_suspend_wlan() < 0, due to which the RX thread waits for completion
of ol_resume_rx_event.
Complete ol_resume_rx_event in __wlan_hdd_cfg80211_suspend_wlan
in the error path to resume the RX thread.
Change-Id: I8bf056f82d80e063b2e32a1a6573d7a36ced67dc
CRs-Fixed: 2327238
In the con_mode handler, adapters are getting deinitialized
while cleaning up the present mode, which happens after
stop modules. In stop modules the driver checks for memory
leaks, which results in leak detection for the adapters
that are not freed yet.
To address this issue, move the deinitialization of the
adapters from clean up present mode to stop present mode, which
happens before stop modules.
Change-Id: I9cda456feb2b0c199f5c8d4debee21f0e07c47fb
CRs-Fixed: 2326340
Currently, if the dot11Mode INI is set to 11b_only mode and the BSS we
are trying to connect to is in 11b/g mixed mode, then the connection happens
with phyMode 1 (11 b/g) but the data rates are set only for 11b mode,
which leads the FW to assert when data traffic with 11g rates is
triggered.
Connect to the BSS in 11b mode only if the INI is set to 11b_only and
the BSS we are trying to connect to is in 11b/g mode.
Change-Id: I952394323efeacf5baae39b3a6d2adf7eae96a81
CRs-Fixed: 2328434
Remove the QDF_BUG() from sanity check of pdev_id passed with
pdev_hw_mode_trans_ind event from FW.
Change-Id: I91bb697993e129bf3f8ff62900e21f85dbe85efc
CRs-Fixed: 2328603
Register recovering state query callback to common qdf
platform component to provide recovering state.
Change-Id: If5d1b30f0617d9f8cef41787da1e829a792105f8
CRs-Fixed: 2320797
Make the following updates to the extscan get cached results logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
Change-Id: I4144aa4cdb9c6d3ddaae30eedaec3096abf95857
CRs-Fixed: 2329405
Add pause and unpause statistics for the new netif actions below:
WLAN_NETIF_VO_QUEUE_ON
WLAN_NETIF_VO_QUEUE_OFF
WLAN_NETIF_VI_QUEUE_ON
WLAN_NETIF_VI_QUEUE_OFF
WLAN_NETIF_BE_BK_QUEUE_OFF
This change is part of FR49094
Change-Id: I56452711b0e4c2176ed8ee398ea68fa5e60012ba
CRs-Fixed: 2307945
pmac->sme.get_chain_rssi_cb is never checked if a
WMI_PDEV_DIV_RSSI_ANTID_EVENTID message is sent at any time
by the user.
pmac->sme.get_chain_rssi_cb cannot be appropriately
registered and can result in a NULL pointer dereference.
Change-Id: I64783a0e2d054b45678f126b42de20470d3264d3
CRs-Fixed: 2324128
Don't account for the length field size while comparing against the max
beacon size.
The current driver starts from (ptr + 4 bytes) and then tries to copy
512 bytes from that point, which copies 4 extra bytes
beyond the array's boundary.
Instead, copy only 508 bytes if the driver starts copying from
(ptr + 4 bytes).
ptr
^
|
|
+---------------+--------------------------------+
|               |                                |
|    Length     |       Max Beacon payload       |
|               |                                |
+---------------+--------------------------------+
|<-- 4 bytes -->|<-------- 508 bytes ----------->|
|<------------- 512 bytes ---------------------->|
CRs-Fixed: 2327052
Change-Id: I2646986ec424f7da31107ad01f673588734eaa52
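The accounting error in the diagram above, as an added example that is not qcacld code: a 512-byte buffer whose first 4 bytes are a length field, an old-style check that compares the payload length against the whole 512 bytes, and the corrected check that compares it against the 508 bytes actually left after the header. The struct, function names and sample buffers are constructed for this example; the length field is read in host byte order purely for simplicity.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout matching the diagram: a 4-byte length field followed by
 * up to 508 bytes of beacon payload, 512 bytes in total. Not qcacld code. */
#define MAX_BEACON_BUF      512
#define BEACON_LEN_FIELD    4
#define MAX_BEACON_PAYLOAD  (MAX_BEACON_BUF - BEACON_LEN_FIELD)   /* 508 */

struct beacon_buf {
    uint8_t raw[MAX_BEACON_BUF];   /* length field at raw[0..3], payload after */
};

/* Old check: compares the payload length against the whole buffer, so a
 * 512-byte copy starting at raw + 4 is allowed and reads 4 bytes past the
 * end of raw[]. Kept for contrast only; do not use. */
int beacon_len_ok_old(uint32_t payload_len)
{
    return payload_len <= MAX_BEACON_BUF;
}

/* Fixed check: the copy starts at raw + 4, so only 508 bytes remain. */
int beacon_len_ok(uint32_t payload_len)
{
    return payload_len <= MAX_BEACON_PAYLOAD;
}

/* Copies the beacon payload out of the buffer using the fixed check.
 * Returns the number of bytes copied, or -1 if the length field exceeds the
 * space actually available after the 4-byte header or the destination. */
int copy_beacon_payload(const struct beacon_buf *src, uint8_t *dst, size_t dst_len)
{
    uint32_t payload_len;

    memcpy(&payload_len, src->raw, BEACON_LEN_FIELD);  /* host byte order, constructed */
    if (!beacon_len_ok(payload_len) || payload_len > dst_len)
        return -1;
    memcpy(dst, src->raw + BEACON_LEN_FIELD, payload_len);
    return (int)payload_len;
}

/* Builds a beacon_buf with the given length field and payload fill byte
 * (constructed input for the scenario below). */
void make_beacon(struct beacon_buf *b, uint32_t payload_len, uint8_t fill)
{
    memset(b->raw, fill, sizeof(b->raw));
    memcpy(b->raw, &payload_len, BEACON_LEN_FIELD);
}

/* Scenario: a length field of 512 is rejected by the fixed check (it would
 * overrun the array by 4 bytes), a length field of 508 is copied in full.
 * Returns 1 when both hold. */
int beacon_scenario(void)
{
    struct beacon_buf b;
    uint8_t out[MAX_BEACON_PAYLOAD];

    make_beacon(&b, MAX_BEACON_BUF, 0xAB);
    if (copy_beacon_payload(&b, out, sizeof(out)) != -1)
        return 0;
    make_beacon(&b, MAX_BEACON_PAYLOAD, 0xCD);
    if (copy_beacon_payload(&b, out, sizeof(out)) != MAX_BEACON_PAYLOAD)
        return 0;
    return out[0] == 0xCD && out[MAX_BEACON_PAYLOAD - 1] == 0xCD;
}
```

The point generalises to any buffer with an inline header: the limit a copy is checked against has to be the space remaining from the copy's start offset, not the size of the enclosing array.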
qcacld-2.0 to qcacld-3.0 propagation.
In AP and P2P GO mode, when the user issues a DEAUTHENTICATE command with reason 6,
the driver will change the deauth reason code to eSIR_MAC_UNSPEC_FAILURE_REASON.
It should be done only for station or P2P client mode. Otherwise,
'eSmeCommandRoam' will be stuck in 'smeCmdActiveList', which will
trigger recovery.
Change-Id: I126c0b682dbee12e6da903040e058ca370228c5f
CRs-Fixed: 2311077
VHT Part3: Add the basic infra for MLME CFG items and the APIs
to be used from other components for VHT.
Change-Id: I8cd30439d7ac3de7b550aa5042353cf30e04cbda
CRs-Fixed: 2322304
When the userspace disconnect is issued as a part of wlan exit,
HDD sends the commands below to SME:
1) Disconnect Req (DelBSS / Del Sta)
2) Close Session (DelSelfSta) in the following path:
hdd_stop_adapter() -> hdd_stop_adapter_ext() -> hdd_vdev_destroy
-> sme_close_session() -> csr_roam_close_session.
e_sme_command_del_sta_session is sent from csr_roam_close_session
with high priority. This causes vdev delete to be sent before
peer delete.
As HDD has already freed all the commands in
csr_roam_close_session, SME should now process the commands only in
the pending queue order. Hence we should not send DEL_SELF_STA
as a high priority command.
Send the e_sme_command_del_sta_session with normal priority.
Change-Id: Ic874ca792f84235c70b8257a232c02f0bd050618
CRs-Fixed: 2328462