Function csrValidateCountryString() no longer exists, but there is
still an obsolete prototype for it, so remove it.
Change-Id: I40869b7160cbc3e64b785e44711237455f2e02b0
CRs-Fixed: 2255482
Currently hdd_handle_t is defined as a void pointer. This is
convenient from an information hiding point of view since that means a
non-HDD component cannot dereference an HDD handle to access HDD
private data. However this is not convenient from a defect prevention
point of view since the C standard allows any other pointer type to be
freely and silently converted to and from a void pointer, and hence
the compiler is unable to detect when an HDD handle is used in a
context where a different pointer type is expected.
An example of one such defect was addressed by Change-Id
I2bbf1bf4a7975e5cb44066b6a3b1a98e82df9fad (qcacld-3.0: Fix bad param
passed during QoS Map conversion).
To help prevent this kind of defect change the definition of
hdd_handle_t to be a pointer to an opaque struct.
Change-Id: I6e885f84c0554bbe5c8582474fddb65ab6a0fdac
CRs-Fixed: 2254907
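The pattern the commit above describes, as an added example that is not the driver's own code: a handle typedef'd as a pointer to an incomplete struct instead of `void *`. The struct, function and macro names here (`hdd_opaque_ctx`, `hdd_ctx_example`, `mac_ctx_example`, `hdd_adapter_count`, the magic value) are assumptions for illustration, not identifiers from qcacld-3.0.

```c
#include <stddef.h>

/* Public header view: callers outside HDD only ever see this forward
 * declaration, so hdd_handle_t is a pointer to an incomplete type.
 * Unlike a void pointer it does not implicitly convert to or from other
 * object pointer types, so a mix-up is a compile-time diagnostic.
 * (Hypothetical names; not the driver's headers.) */
struct hdd_opaque_ctx;
typedef struct hdd_opaque_ctx *hdd_handle_t;

/* A second, unrelated context type: the kind an HDD handle could be
 * silently passed as when the handle was a void pointer. */
struct mac_ctx_example { int mac_id; };

/* Private HDD side: the real context type is only completed here. */
struct hdd_ctx_example {
    int magic;
    int num_adapters;
};
#define HDD_CTX_MAGIC_EXAMPLE 0x48444443  /* constructed value */

/* Explicit conversions at the HDD boundary; the casts are visible in
 * review rather than hidden by void-pointer conversion rules. */
static inline hdd_handle_t hdd_ctx_to_handle(struct hdd_ctx_example *ctx)
{
    return (hdd_handle_t)ctx;
}

static inline struct hdd_ctx_example *hdd_handle_to_ctx(hdd_handle_t h)
{
    return (struct hdd_ctx_example *)h;
}

/* A consumer that expects a MAC context, not an HDD handle. */
static int mac_ctx_id(struct mac_ctx_example *mac)
{
    return mac->mac_id;
}

/* Looks up the adapter count through the opaque handle, refusing a
 * context whose magic does not match. */
int hdd_adapter_count(hdd_handle_t h)
{
    struct hdd_ctx_example *ctx = hdd_handle_to_ctx(h);
    return ctx->magic == HDD_CTX_MAGIC_EXAMPLE ? ctx->num_adapters : -1;
}

int demo_opaque_handle(void)
{
    struct hdd_ctx_example ctx = { HDD_CTX_MAGIC_EXAMPLE, 3 };
    hdd_handle_t h = hdd_ctx_to_handle(&ctx);
    /* mac_ctx_id(h);  <-- with `typedef void *hdd_handle_t` this line
     * compiled silently; with the opaque struct the compiler reports an
     * incompatible pointer type. */
    (void)mac_ctx_id;
    return hdd_adapter_count(h);
}
```

The private struct definition would live in an HDD-internal header in a real tree; everything else only needs the forward declaration.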
In sir_convert_qos_map_configure_frame2_struct() an HDD Handle is being
passed as the first parameter to convert_qos_mapset_frame() which is
expecting a pMac. Change the call to pass the pMac.
Change-Id: I2bbf1bf4a7975e5cb44066b6a3b1a98e82df9fad
CRs-Fixed: 2254955
While processing FILS EAP TLVs present in FILS wrapped data in Auth Frame,
the tlv->length from the frame is used as the length to copy the buffer
into the FILS auth info without validating if the received buffer
length is at least greater than the length value in the TLV buffer.
This would lead to OOB read if the TLV length present in the frame is
greater than the actual data_len of the FILS wrapped data.
Add sanity check to return error if tlv->length is greater than wrapped
data_len + 2 with 2 bytes for the TLV header.
Change-Id: Ibe1183c8e318ceb75db6278c935786322a029d5c
CRs-Fixed: 2245944
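A TLV walker with the bound the commit describes (header plus `tlv->length` must fit in the bytes remaining), as an added example that is not the driver's FILS code. The names `parse_wrapped_tlvs`, `fils_info_example`, `MAX_TLV_PAYLOAD` and the two sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

#define TLV_HDR_LEN 2          /* one byte type, one byte length */
#define MAX_TLV_PAYLOAD 64     /* constructed bound for the copy target */

struct tlv_hdr {
    uint8_t type;
    uint8_t length;   /* payload length, header not included */
};

/* Destination for the copied payload (constructed stand-in). */
struct fils_info_example {
    uint8_t payload[MAX_TLV_PAYLOAD];
    size_t payload_len;
    unsigned tlvs_seen;
};

/* Walks TLVs in data[0..data_len). Before touching any TLV it checks
 * (a) that a full header fits in the remaining bytes and (b) that
 * header + tlv->length fits, i.e. tlv->length + 2 <= remaining, the
 * bound the commit describes. Returns false on the first inconsistent
 * length instead of reading past the buffer. */
bool parse_wrapped_tlvs(const uint8_t *data, size_t data_len,
                        struct fils_info_example *out)
{
    size_t off = 0;

    memset(out, 0, sizeof(*out));
    while (off < data_len) {
        size_t remaining = data_len - off;
        const struct tlv_hdr *tlv;

        if (remaining < TLV_HDR_LEN)
            return false;                 /* truncated header */
        tlv = (const struct tlv_hdr *)(data + off);
        /* size_t arithmetic on one-byte values: cannot wrap here */
        if ((size_t)tlv->length + TLV_HDR_LEN > remaining)
            return false;                 /* length claims more than we have */
        if (tlv->length > MAX_TLV_PAYLOAD)
            return false;                 /* would overflow the copy target */
        memcpy(out->payload, data + off + TLV_HDR_LEN, tlv->length);
        out->payload_len = tlv->length;
        out->tlvs_seen++;
        off += TLV_HDR_LEN + tlv->length;
    }
    return true;
}

/* Constructed sample: two well-formed TLVs (type 1 len 3, type 2 len 2). */
static const uint8_t good_wrapped[] = { 1, 3, 'a', 'b', 'c', 2, 2, 'x', 'y' };
/* Constructed sample: second TLV claims 200 bytes but only 2 follow. */
static const uint8_t bad_wrapped[]  = { 1, 3, 'a', 'b', 'c', 2, 200, 'x', 'y' };

/* Returns the number of TLVs accepted, or -1 if the buffer was rejected. */
int demo_good(void)
{
    struct fils_info_example info;
    return parse_wrapped_tlvs(good_wrapped, sizeof good_wrapped, &info)
           ? (int)info.tlvs_seen : -1;
}

int demo_bad(void)
{
    struct fils_info_example info;
    return parse_wrapped_tlvs(bad_wrapped, sizeof bad_wrapped, &info)
           ? (int)info.tlvs_seen : -1;
}
```

The second check (against the copy target's capacity) is separate from the first: a TLV can be consistent with the frame yet still larger than the structure it is copied into.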
Currently driver marks cache type as static when it sends valid
channel list to firmware to use for roaming. When cache type is
static, driver will not add WMI_ROAM_SCAN_MODE_RSSI_CHANGE in
wma_process_roaming_config.
Roam scan may not trigger upon RSSI change when mode does not
have WMI_ROAM_SCAN_MODE_RSSI_CHANGE and may have issues related
to roaming.
Mark channel list as dynamic based on newly added ini
"force_rssi_trigger" for valid channel list as well.
With this new ini, customers can tune the behaviour of
roaming scan in firmware based on RSSI trigger or periodic.
Change-Id: I04123cb954408fd510d41d2b6ba96144be0945f9
CRs-Fixed: 2240544
If SAP comes up in 2.4Ghz channel in HT/VHT 20/40Mhz and channel
switch comes for a 5Ghz channel, SAP gets started in HT/VHT 20/40
Mhz only while it should connect in VHT80Mhz or HT40Mhz depending
on whether the initial connection is in HT or VHT.
Change the bw to 80Mhz if initial connection is in VHT and to 40Mhz
if initial connection is in HT if channel switch comes for a 5Ghz
channel.
Change-Id: I709dd35575866b7ec9fddcfb94078f114a78d1a2
CRs-Fixed: 2226979
Add support for Last Beacon Report indication sub element and
Beacon Report Frame Body Fragment ID sub element to the beacon report IE
of Radio Measurement Frame.
Change-Id: I07facc245ca96b375779b30f61fc7659f1aa679d
CRs-Fixed: 2254248
Currently PE session ID is filled in eWNI_SME_DISCONNECT_DONE_IND
__lim_process_sme_disassoc_cnf but this command is expected to fill
SME session ID instead.
Send SME session ID instead of PE session ID for
eWNI_SME_DISCONNECT_DONE_IND in __lim_process_sme_disassoc_cnf function.
Change-Id: I50f7ec31eea265d04a94d9717415227bde09bdb5
CRs-Fixed: 2246024
Currently in htt_t2h_msg_handler_fast, msg_len, which is in number of
bytes, is directly compared with pdev->rx_mpdu_range_offset_words,
which is in number of words. Thus their comparison becomes invalid.
In htt_t2h_msg_handler, in addition to similar issue as above, the
checks for message offset validations do not consider integer overflows
occurring.
In htt_t2h_msg_handler_fast, the check condition involving
pdev->rx_mpdu_range_offset_words was corrected to work with bytes,
and in htt_t2h_msg_handler checks for integer overflow were also
added.
Change-Id: I9ec7d30cc24d288ddcabd3bb30674a2ca21f2251
CRs-Fixed: 2248069
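The two problems the commit above names (an offset in words compared with a length in bytes, and offset arithmetic that can wrap) shown side by side, as an added example rather than the driver's htt code. `htt_pdev_example`, the `offset_ok*` functions and `HTT_WORD_BYTES` are constructed names; only the field name `rx_mpdu_range_offset_words` comes from the commit text.

```c
#include <stdint.h>
#include <stdbool.h>

#define HTT_WORD_BYTES 4   /* one 32-bit word */

/* Constructed stand-in for the pdev: the offset is stored in words. */
struct htt_pdev_example {
    uint32_t rx_mpdu_range_offset_words;
};

/* Buggy shape the commit describes: the word count is compared directly
 * with a byte length. An offset of 100 words (400 bytes) is accepted
 * against a 200-byte message. */
bool offset_ok_mismatched_units(const struct htt_pdev_example *pdev,
                                uint32_t msg_len_bytes)
{
    return pdev->rx_mpdu_range_offset_words < msg_len_bytes;
}

/* Corrected form: convert to bytes first, and do the arithmetic in a
 * type wide enough that the multiplication and the added field size
 * cannot wrap. need_bytes is how many bytes will be read at the offset. */
bool offset_ok(const struct htt_pdev_example *pdev, uint32_t msg_len_bytes,
               uint32_t need_bytes)
{
    uint64_t off_bytes = (uint64_t)pdev->rx_mpdu_range_offset_words *
                         HTT_WORD_BYTES;
    uint64_t end = off_bytes + need_bytes;  /* 64-bit: no wrap for 32-bit inputs */

    return end <= msg_len_bytes;
}

/* Same check kept in 32-bit arithmetic: each step that could wrap is
 * guarded before it is performed. */
bool offset_ok_32(const struct htt_pdev_example *pdev, uint32_t msg_len_bytes,
                  uint32_t need_bytes)
{
    uint32_t words = pdev->rx_mpdu_range_offset_words;
    uint32_t off_bytes;

    if (words > UINT32_MAX / HTT_WORD_BYTES)
        return false;                       /* multiplication would wrap */
    off_bytes = words * HTT_WORD_BYTES;
    if (need_bytes > UINT32_MAX - off_bytes)
        return false;                       /* addition would wrap */
    return off_bytes + need_bytes <= msg_len_bytes;
}
```

Either corrected form is fine; the point is that the comparison happens in the same unit as the message length and that every intermediate value is known not to have wrapped before it is compared.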
In the function wma_mgmt_rx_process, wbuf is the allocated skb
which houses the incoming management frame. An extra 100 bytes
buffer is allocated in wbuf->data to avoid OOB access when
additional headers are present in addition to ieee80211_frame.
This additional buffer is uninitialized and can cause potential
OOB for management frames of length
sizeof(struct ieee80211_frame) that have no IE or any data.
Initialize the allocated extra bytes so that OOB is prevented.
Change-Id: I44047b0c6f3a731c741c5e0217f3bd0cdd8ed4dc
CRs-Fixed: 2249815
Currently in function csr_roam_issue_connect, if queuing the sme command
fails, the scan result will be purged by csr_release_command_roam(), but
some callers will also purge it again if it doesn't return a success status,
like csr_roam_connect().
Make csr_roam_issue_connect() to consume hBSSList always, and remove
double purging code in the callers.
Change-Id: If226ff300771ccbf1dcbfb2a82fb02498c334cdc
CRs-Fixed: 2237948
In the PI wma_tx_packet, host assigns downld_comp_required
to true/false according to tx_frm_download_comp_cb,
is_high_latency, tx_frm_ota_comp_cb, all the three
conditions to be true. Also the host checks
tx_frm_download_comp_cb, and assigns tx_frm_index
according to downld_comp_required, but in the else
case when tx_frm_download_comp_cb is false, the check
of downld_comp_required is void, as the downld_comp_required
cannot be true if prior tx_frm_download_comp_cb is false,
so the code in the else part which checks tx_frm_download_comp_cb
and assigns tx_frm_index is dead, and in any case cannot be
executed.
Fix is to remove the check of downld_comp_required in
the else case.
Change-Id: If1a376099234d541d508f18cee075dd0f1603294
CRs-Fixed: 2233558
WMI_SERVICE_READY_EXT_EVENT isn't supported in Rome F/W, service
ready ext timer shouldn't be started. Ext service bitmap is
passed to host by F/W event: WMI_SERVICE_AVAILABLE_EVENT.
Change-Id: Id8058c2e58c5771ef27482d3e4076869e560acf1
CRs-Fixed: 2251523
The same code is executed regardless of the conditional
logic, so remove the redundant conditional block.
Change-Id: I46688f9e7b159a77dd3a2fa977e98237abe1777a
CRs-Fixed: 2232937
Currently, BTM offload config from the ini is sent to the FW as part
of the RSO start for the vdev which has roaming enabled. In case
of STA+STA concurrency, when roaming is enabled for second STA,
BTM config is sent for the second STA vdev leading the FW to assert
as the FW already has BTM offload enabled for the previous STA
session and supports only one vdev with BTM offload enabled at a time.
Send BTM offload config with flags as disabled as part of RSO Stop
so that the FW de-inits the BTM offload on the current connected vdev
before it inits BTM offload config on the new vdev for the second STA.
Change-Id: I7af499b0f7c77b5d52e6c74b09c28c845bdfcd9a
CRs-Fixed: 2251994
When add_bss is done for a STA vdev, the rmfEnabled flag is set
on the wma_txrx_node based on the PE session config. However this flag
is not reset during del_bss which leads to DPP public action frames
sent from supplicant with no session established to be considered
as rmf enabled (due to previous connected rmf session) and adding
additional bytes in the header. This leads to a DPP frame of
incorrect length being transmitted, and the other DPP STA receiving the
frame drops it.
Reset the rmfEnabled flag in wma_vdev_stop_resp_handler if set
previously for the VDEV.
Change-Id: I6ffb1f3efbfc8455768f54155a2abcc8ccf13fe6
CRs-Fixed: 2236476
During peer deletion, ol_txrx_is_peer_eligible_for_deletion() is
called to check if peer is eligible for deletion. Inside function,
vdev is dereferenced to extract pdev but due to a race condition peer
may get freed from the list and this may lead to NULL pointer
dereferencing of vdev.
Avoid dereferencing of vdev and pass pdev itself as an argument to
ol_txrx_is_peer_eligible_for_deletion()
Change-Id: I743e2e2c83c3e07e5d5ec4fde7fc3b098766ca96
CRs-Fixed: 2252243
Peer gets deleted during ol_txrx_peer_detach_force_delete when
WMA_ROAM_OFFLOAD_SYNCH_IND is received. As peer deletion is
happening in different context and ol_rx_send_pktlog_event is
accessing the peer in different context, a possible race condition
has occurred which leads to NULL pointer dereferencing of peer.
Ignore the peer deletion during ol_txrx_peer_detach_force_delete and
delete it during ol_rx_peer_unmap_handler.
Change-Id: Icf252612081a41f94db6df4684348f2962b2da9d
CRs-Fixed: 2238214
When loading the sdio driver, need to make sure the sdio device is recognized;
break driver loading if there is no device.
Change-Id: I4d47575d793b58970012e4e47cc63b0c197f565d
CRs-Fixed: 2245495
When running embedded tput between client and SAP, there'll be
excessive logs per packet. Fix is to remove the per packet
debug message.
Change-Id: I846f4fd5e54cc8945b3159c56e04418feea0183f
CRs-Fixed: 2253186
In commit d217d19d7e ("qcacld-3.0: Add vendor cmd to support
antenna diversity") and commit 66831666b4 ("qcacld-3.0: Add
vendor attr to get rx aggregation statistics"), tHalHandle (pMac)
is passed by SME to WMA APIs that expect a tp_wma_handle.
To fix this, call cds_get_context() to get wma handle.
Change-Id: I01812b2390269805da4d1a5cb40a811d1e22ec56
CRs-Fixed: 2253253
Even though the bitrate is greater than zero, because of
incorrect conditional check, error log "Invalid bitrate" is
getting printed.
Hence, fix this by adding proper conditional check.
Change-Id: I2076c7a90e735e4a278f4d5894e51abc8bd091c0
CRs-Fixed: 2250687
Featurize fastpath feature cleanly and
also disable unused code when Fastpath
is enabled.
Change-Id: I3922af873ef32544fdca37be0b110ebbc2abc45a
CRs-Fixed: 2226918
qcacld-2.0 to qcacld-3.0 propagation
After station is associated in VHT20, update station info
txrate bw field for VHT20 case when cfg80211_get_station is
triggered
Change-Id: Ia3547083d5f4fb031fd186234b2d13126d8a9712
CRs-Fixed: 2086316
The excess buffer check in wma_stats_event_handler is such that
if buflen is greater than WMI_SVC_MSG_MAX_SIZE, the resulting
difference of the two values will be a negative integer, which
will be treated as a very large positive integer since the data type
is unsigned. This will result in the check failing to detect overflow
when compared with sizeof(*event).
Fix the buflen check condition such that buflen is compared with the
difference of WMI_SVC_MSG_MAX_SIZE and sizeof(*event), eliminating
the possibility of overflow.
Change-Id: Ic20bfa554476db36e28557402cec23fcce5af85d
CRs-Fixed: 2224443
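The unsigned-wrap failure the commit above describes, with the buggy and the corrected comparison side by side, as an added example and not the driver's wma_stats_event_handler. `WMI_SVC_MSG_MAX_SIZE_EXAMPLE`, `stats_event_example` and the `excess_buffer_check_*` functions are constructed stand-ins; the real constant, event type and surrounding code are not reproduced here.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-ins for the real maximum and event type. */
#define WMI_SVC_MSG_MAX_SIZE_EXAMPLE 1536u
struct stats_event_example {
    uint32_t vdev_id;
    uint32_t num_stats;
    uint32_t data[4];
};   /* sizeof == 24 on common targets */

/* Buggy shape the commit describes: when buflen exceeds the maximum,
 * the unsigned subtraction wraps to a huge value, the `<` comparison
 * is false, and the oversized buffer is accepted. Returns true when
 * the buffer would be accepted. */
bool excess_buffer_check_buggy(size_t buflen)
{
    size_t event_size = sizeof(struct stats_event_example);
    size_t excess_len = WMI_SVC_MSG_MAX_SIZE_EXAMPLE - buflen; /* wraps if buflen > max */

    if (excess_len < event_size)
        return false;          /* intended "too big" path, missed on wrap */
    return true;
}

/* Fixed shape: buflen is compared against (max - sizeof(*event)). The
 * subtraction is between two constants that are known to be ordered,
 * so it cannot wrap, and no arithmetic is performed on the untrusted
 * length at all. */
bool excess_buffer_check_fixed(size_t buflen)
{
    size_t event_size = sizeof(struct stats_event_example);

    if (buflen > WMI_SVC_MSG_MAX_SIZE_EXAMPLE - event_size)
        return false;
    return true;
}
```

The general rule this illustrates: subtract only quantities you already know are ordered (here, two constants), and move the untrusted value to one side of the comparison on its own.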
qcacld-2.0 to qcacld-3.0 propagation
After station is associated in HT20, when cfg80211_get_station
is triggered, update station info txrate bw field for HT20
Change-Id: Icc2c5f318d7812696202705edda17c7352f66fba
CRs-Fixed: 2121005