In the function wma_mgmt_rx_process, wbuf is the allocated skb
which houses the incoming management frame. An extra 100 bytes
buffer is allocated in wbuf->data to avoid OOB access when
additional headers are present in addition to ieee80211_frame.
This additional buffer is uninitialized and can cause potential
OOB for the management frames of length
sizeof(struct ieee80211_frame) and have no IE or any data.
Initialize the allocated extra bytes so that OOB is prevented.
Change-Id: I44047b0c6f3a731c741c5e0217f3bd0cdd8ed4dc
CRs-Fixed: 2249815
Currently in function csr_roam_issue_connect, if queue sme command
fail, the scan result will be purged by csr_release_command_roam(), but
some caller will also purge it again if don't return success status,
like csr_roam_connect().
Make csr_roam_issue_connect() to consume hBSSList always, and remove
double purging code in the callers.
Change-Id: If226ff300771ccbf1dcbfb2a82fb02498c334cdc
CRs-Fixed: 2237948
In the PI wma_tx_packet, host assigns downld_comp_required
to true/false according to tx_frm_download_comp_cb,
is_high_latency, tx_frm_ota_comp_cb, all the three
conditions to be true. Also the host checks
tx_frm_download_comp_cb, and assigns tx_frm_index
according to downld_comp_required, but in the else
case when tx_frm_download_comp_cb is false, the check
of downld_comp_required is void, as the downld_comp_required
cannot be true if prior tx_frm_download_comp_cb is false,
so the code in the else part which checks tx_frm_download_comp_cb
and assigns tx_frm_index is dead, and in any case cannot be
executed.
Fix is to remove the check of downld_comp_required in
the else case.
Change-Id: If1a376099234d541d508f18cee075dd0f1603294
CRs-Fixed: 2233558
WMI_SERVICE_READY_EXT_EVENT isn't supported in Rome F/W, service
ready ext timer shouldn't be started. Ext service bitmap is
passed to host by F/W event: WMI_SERVICE_AVAILABLE_EVENT.
Change-Id: Id8058c2e58c5771ef27482d3e4076869e560acf1
CRs-Fixed: 2251523
The same code is executed regardless of the conditioal
logic, so remove the redundant conditional block.
Change-Id: I46688f9e7b159a77dd3a2fa977e98237abe1777a
CRs-Fixed: 2232937
Currently, BTM offload config from the ini is sent to the FW as part
of the RSO start for the vdev which has roaming enabled. In case
of STA+STA concurrency, when roaming is enabled for second STA,
BTM config is sent for the second STA vdev leading the FW to assert
as the FW already has BTM offload enabled for the previous STA
session and supports only one vdev with BTM offload enabled at a time.
Send BTM offload config with flags as disabled as part of RSO Stop
so that the FW de-inits the BTM offload on the current connected vdev
before it inits BTM offload config on the new vdev for the second STA.
Change-Id: I7af499b0f7c77b5d52e6c74b09c28c845bdfcd9a
CRs-Fixed: 2251994
When add_bss is done for a STA vdev, the rmfEnabled flag is set
on the wma_txrx_node based on the PE session config. However this flag
is not reset during del_bss which leads to DPP public action frames
sent from supplicant with no session established to be considered
as rmf enabled (due to previous connected rmf session) and adding
additional bytes in the header. This leads to the DPP frame of
incorrect length to be transmitted and the other DPP STA receiving the
frame drops it.
Reset the rmfEnabled flag in wma_vdev_stop_resp_handler if set
previously for the VDEV.
Change-Id: I6ffb1f3efbfc8455768f54155a2abcc8ccf13fe6
CRs-Fixed: 2236476
During peer deletion, ol_txrx_is_peer_eligible_for_deletion() is
called to check if peer is eligible for deletion. Inside function,
vdev is dereferenced to extract pdev but due to race conditon peer
may get freed from the list and this may lead to NULL pointer
derefencing of vdev.
Avoid dereferencing of vdev and pass pdev itself as an argument to
ol_txrx_is_peer_eligible_for_deletion()
Change-Id: I743e2e2c83c3e07e5d5ec4fde7fc3b098766ca96
CRs-Fixed: 2252243
Peer get deleted during ol_txrx_peer_detach_force_delete when
WMA_ROAM_OFFLOAD_SYNCH_IND is received. As peer deletion is
happening in different context and ol_rx_send_pktlog_event is
accessing the peer in different context, a possible race condition
has occurred which leads to NULL pointer dereferencing of peer.
Ignore the peer deletion during ol_txrx_peer_detach_force_delete and
delete it during ol_rx_peer_unmap_handler.
Change-Id: Icf252612081a41f94db6df4684348f2962b2da9d
CRs-Fixed: 2238214
When loading sdio driver, need make sure sdio device is recognized,
break driver loading if no device.
Change-Id: I4d47575d793b58970012e4e47cc63b0c197f565d
CRs-Fixed: 2245495
When running embedded tput between client and SAP, there'll be
excessive logs per packet. Fix is to remove the per packet
debug message.
Change-Id: I846f4fd5e54cc8945b3159c56e04418feea0183f
CRs-Fixed: 2253186
In commit d217d19d7e ("qcacld-3.0: Add vendor cmd to support
antenna diversity") and commit 66831666b4 ("qcacld-3.0: Add
vendor attr to get rx aggregation statistics"), tHalHandle (pMac)
are passed by SME to WMA APIs that expect a tp_wma_handle.
To fix this, call cds_get_context() to get wma handle.
Change-Id: I01812b2390269805da4d1a5cb40a811d1e22ec56
CRs-Fixed: 2253253
Even though the bitrate is greater than zero, because of
incorrect conditional check, error log "Invalid bitrate" is
getting printed.
Hence, fix this by adding proper conditional check.
Change-Id: I2076c7a90e735e4a278f4d5894e51abc8bd091c0
CRs-Fixed: 2250687
Featurize fastpath feature cleanly and
also disable unused code when Fastpath
is enabled.
Change-Id: I3922af873ef32544fdca37be0b110ebbc2abc45a
CRs-Fixed: 2226918
qcacld-2.0 to qcacld-3.0 propagation
After station is associatied in VHT20, update station info
txrate bw field for VHT20 case when cfg80211_get_station is
triggered
Change-Id: Ia3547083d5f4fb031fd186234b2d13126d8a9712
CRs-Fixed: 2086316
The excess buffer check in wma_stats_event_handler is such that
if buflen is greater than WMI_SVC_MSG_MAX_SIZE, the resulting
difference of the two values will be a negative integer, which
will be treated as a very large positive integer since the data type
is unsigned. This will result in the check failing to detect overflow
when compared with sizeof(*event).
Fix the buflen check condition such that buflen is compared with the
difference of WMI_SVC_MSG_MAX_SIZE and sizeof(*event), eliminating
the possibility of overflow.
Change-Id: Ic20bfa554476db36e28557402cec23fcce5af85d
CRs-Fixed: 2224443
qcacld-2.0 to qcacld-3.0 propagation
After station is associatied in HT20, when cfg80211_get_station
is triggered, update station info txrate bw field for HT20
Change-Id: Icc2c5f318d7812696202705edda17c7352f66fba
CRs-Fixed: 2121005
Add spectral scan feature flag which can be
used to control the feature through build options.
Change-Id: Ide13e958cffff610626c891041307b40ac94c47d
CRs-Fixed: 2232167
Reset the soc before htc_stop when failure in the cds_pre_enable to stop
the copy engine which might continue deliver the data to host after
cleaning up the destination ring buffers to avoid the poison overwritten.
Change-Id: I2ef111926af4a889f1ee005681d68eafba7e5564
CRs-Fixed: 2250860
A large function call parameter is passed by value.
Refactor the code to send the large function call parameter by
reference.
Change-Id: I0a29ee9df797e245a4960160c66053df7b834be3
CRs-Fixed: 2232908
wlan_hdd_sap_pre_cac_success run in the work thread
scheduled by sap_pre_cac_work.
But hdd_stop_adapter will call
cds_flush_work(&hdd_ctx->sap_pre_cac_work);
That means the work waits itself to finish.
The Fix is to add flag to hdd_stop_adapter
to identify the "stop" running in the work handler
and skip the "sync" cancel the work self.
Change-Id: I875c2f14ffd54272fc9ea0df1cecc6dd1171e310
CRs-Fixed: 2252085
Currently the function typedef wma_tgt_cfg_cb is defined with two void
pointer parameters. However the types of the two parameters are known
to both the sender and the receiver, so fully specify the types of
those parameters.
Change-Id: I7cf7178015084599061b123da7b5f1f453ec5353
CRs-Fixed: 2254954
Per the Linux coding style "mixed-case names are frowned upon" so
rename typedef tHddHandle to hdd_handle_t to align with the Linux
typedef naming convention.
Change-Id: I34849ed819b31564ca561a1718083793bf30a0a3
CRs-Fixed: 2254953
In pe_mc_process_handler() the mac_ctx is currently typecast to a
tHalHandle when calling pe_process_messages(). However
pe_process_messages() actually expects a tpAniSirGlobal, and the
typecast results in a build failure when strict type checking is
enabled. To fix the build failure remove the typecast.
Change-Id: Ie8a38845f0e2bf76205326a1b5fe7691a8f8de12
CRs-Fixed: 2254952
Turning on strict type checking flagged multiple of instances of
hal_handle being declared incorrectly, so fix them.
Change-Id: I8781c7e2839dcc3532b3aca066802db39f989e07
CRs-Fixed: 2254951
Currently hdd_pre_enable_configure() calls cfg_set_str() to update
WNI_CFG_STA_ID in the cfg database. Buf cfg_set_str() is an internal
MAC API which should not be called by HDD, and this code fails to
compile when strict parameter checking is enabled because HDD is
passing a tHalHandle to a function which expects a tpAniSirGlobal.
Update hdd_pre_enable_configure() to instead call sme_cfg_set_str().
Change-Id: Ic3f249f18319c3e54786938f76fe61b2af37f25f
CRs-Fixed: 2254950
Currently HDD is directly calling csr_roam_get_wpa_rsn_req_ie() and
csr_roam_get_wpa_rsn_rsp_ie(). That is a layering violation since HDD
should be calling SME APIs; CSR APIs are meant to be called by
SME. And SME already exposes two APIs which, in turn, call those CSR
APIs. However those SME APIs, sme_roam_get_security_req_ie() and
sme_roam_get_security_rsp_ie(), are defined to take an extra secType
parameter which is then unused. To clean up this mess modify the SME
APIs to have the same naming and parameters as the CSR APIs and update
HDD to call the SME APIs.
Change-Id: I0ba2f056e089818ab04a8d421e3d8c571e312831
CRs-Fixed: 2254949
Use upstream extended feature flag NL80211_EXT_FEATURE_DFS_OFFLOAD
for DFS offload support.
Change-Id: I26f4998c7760d8913d1311e459eb873685279681
CRs-fixed: 2233627
Currently sme_update_channel_list() is defined to take a
tpAniSirGlobal mac_ctx. However SME APIs are supposed to hide the fact
that they operate on tpAniSirGlobal and instead should be taking a
tHalHandle. Furthermore a tHalHandle is what is currently being passed
by HDD. Therefore update sme_update_channel_list() to take a
tHalHandle.
Change-Id: I2f424a6c11342470fd6885968d635109327be3f0
CRs-Fixed: 2254947
The CDS module currently has a mixture of directly using QDF_TRACE
(with an assortment of module IDs) along with using its own CDS
logging APIs. Update the module to consistently use just the CDS
logging APIs.
Change-Id: I5581c960d2b3c973246b44bda3b5bbb740ac3bf3
CRs-Fixed: 2251991
