There are currently three issues which can result in a buffer overread
when processing PNO vendor commands:
1) __wlan_hdd_cfg80211_set_passpoint_list() specifies the wrong policy
when invoking nla_parse().
2) hdd_extscan_passpoint_fill_network_list() does not specify a policy
when invoking nla_parse().
3) __wlan_hdd_cfg80211_set_epno_list() specifies a policy but not all
of the attributes that are parsed are present in the policy.
To prevent buffer overread:
1) Update __wlan_hdd_cfg80211_set_passpoint_list() and
hdd_extscan_passpoint_fill_network_list() to use the policy
wlan_hdd_pno_config_policy.
2) Update wlan_hdd_pno_config_policy to contain all the fixed-length
attributes needed by __wlan_hdd_cfg80211_set_passpoint_list(),
hdd_extscan_passpoint_fill_network_list(), and
__wlan_hdd_cfg80211_set_epno_list().
Change-Id: I4a20e77ce87967ae78323b83a2aa9085fed2647f
CRs-Fixed: 2054770
While freeing ROC request nodes from the linked list a spinlock is
acquired, but it is not released if the API to remove a node returns
failure. This will end up in a deadlock.
Release spinlock before returning from error.
Change-Id: I30281cc358b4827e59325554859c3dcffe6292b0
CRs-Fixed: 2042713
The ipa_uc_rx_ring_elem_t structure is platform specific and the current
definition cannot be used on a 32-bit ARM platform where IPA 3.5
is attached. Add an IPA 3.5 and 32-bit ARM compatible structure to
avoid an IPA crash when data traffic is running.
Change-Id: Ia5c141c9405675a64f59ba4c09f1ffd911158c9b
CRs-Fixed: 2046905
Add changes to correct the vendor attribute to support external
ACS as defined in qca-vendor-copy.h.
Change-Id: Ia09638f59aeea4d87bbd6d4f9ab03210a213a132
CRs-Fixed: 2049157
In case roaming was in progress when hdd_disconnect was called, avoid
deferring the disconnect, as that will call an hdd API in the MC thread which
waits on an event for about 5 seconds, thus blocking everything. Also, deferring
the disconnect makes the supplicant and driver state go out of sync. Rather,
wait in hdd for roaming to complete and then issue the disconnect, keeping
the state simple and clean.
Change-Id: I1b971226187892f32eb493047c13353bb0d1c867
CRs-Fixed: 2042394
When IEEE80211_PRIVACY is defined, cfg80211_get_bss should be called with
IEEE80211_BSS_TYPE_ESS as ieee80211_bss_type and IEEE80211_PRIVACY_ANY as
ieee80211_privacy.
Change-Id: I28154ab45a7143f485824d6884c630315d47d0c7
CRs-Fixed: 2063345
Currently there is no ini parameter to disable scanning if
the device is already connected.
Add an ini parameter to support this feature.
Change-Id: I0f57be99ea335823c30a058d166b126d787e4461
CRs-Fixed: 2054521
If the PE queue contains management frames and the set key cmd is sent as low
priority, the set key may time out.
Thus, to fix this, post the set key with high priority to LIM
so that it can be processed with priority.
Change-Id: I31e346da6662ab56f268f94260ed0f169b8f182b
CRs-Fixed: 2056378
If the CSA Wide BW IE is present, the sec channel offset is always set to
csa_params->sec_chan_offset, which is always 0, and thus for the next CSA the
BW will always be set to 20 MHz.
To fix this, set the proper sec channel offset if the CSA Wide BW IE is present.
Change-Id: I813b04683cbce3f4f933562c23511de92ce4bcef
CRs-Fixed: 2062475
In case user space disconnects, directly send ROAM_SCAN_OFFLOAD_STOP to FW
to avoid delays in queues.
Change-Id: Ia6e458617818da5ad2e956cd30a203652949db21
CRs-Fixed: 2035160
Beacons with NULL IEs are triggering a crash
in the framework.
Add a condition check in WMA to drop beacons
with NULL IEs.
Change-Id: Ie28cd513713668334a77a2e8f5f345d79f68fcb5
CRs-Fixed: 2047525
Beacons from NAN devices are triggering a crash in the framework.
Don't update NL with the NAN device beacons.
Drop NAN device beacons in WMA before they are processed by PE.
Change-Id: I754591459d7a02848454d506b85847b1993aac53
CRs-Fixed: 2047525
The vdev restart cmd is sent in the vdev stop response handler during the
hidden SSID restart process. LIM sends the beacon template cmd after it
sends the hidden SSID restart cmd, so the beacon template is sent to FW
after the vdev stop cmd and before the vdev restart cmd, as the vdev
restart is sent during the vdev stop response handler.
Send the beacon template after the vdev restart is successful during
the hidden SSID restart process.
Change-Id: Ia75bde4ce8c564133e2b2a7bd4011089e52808e7
CRs-Fixed: 2039224
If CSA offload is enabled, FW sends the CSA offload event for
the channel switch, so ignore the CSA IE check in beacon and
probe response frame processing.
Change-Id: I3f0d204317a4d26dc503c350307f4c144bf8672d
CRs-Fixed: 2060145
Host should keep the wake lock from the time it sends set hw mode request to FW
till it receives the set hw mode response. This will avoid any fatal
crash condition.
Change-Id: I6ab1020811100be1adbb70b90a06285dc8bed88c
CRs-Fixed: 2060010
Increase packet header bytes to 256; HL1.0 target offload features on
iHelium FW require the header bytes to be increased from 64 to 256 bytes.
Also round up HTT_RX_BUF_SIZE to CACHE_LINE_SZ.
Change-Id: Iec45f5747956d0797411f76c2fec1368a13e7d6d
CRs-Fixed: 1039073
During P2P find, one or more remain-on-channel requests are queued
for execution. A memory leak is observed if module exit happens before
ROC cancel is called.
Free the memory allocated for the ROC request queue nodes during exit.
Change-Id: I10d77266652f497f556a0a26b617856d81e982a7
CRs-fixed: 2032162
A psoc object is being created in hdd_wlan_startup, but not freed in
case of an error. Free any allocated psoc object in hdd_wlan_startup
as part of the existing error handling.
Change-Id: I6292188c4b92198ea157f6e2f1519b89fc991ad5
CRs-Fixed: 2059166
Add an audit comment in cfg80211_conditional_chan_switch to explain
why the policy table is not used in this API.
Change-Id: Ia2e7dd4d92283794ce389d6c202d4a69338d89bd
CRs-Fixed: 2056564
Currently attributes are not validated in __wlan_hdd_cfg80211_do_acs;
this can lead to a buffer overread.
To resolve this issue, define an nla_policy and validate the
attributes.
CRs-Fixed: 2054685
Change-Id: Ic1bd5abbef09407f925625b709f10cf9cb7c3d7f
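The PNO (passpoint/ePNO) and ACS commit messages above both fix the same class of bug: nla_parse() only enforces a minimum length for a fixed-width attribute when the policy table has an entry for it, so an attribute with a 1-byte payload read through nla_get_u32() reads 3 bytes past its own data. The following C program is an added example, not driver or kernel code: it models a minimal nlattr stream, a policy table, and a parse routine with and without a policy, and reports how far a u32 getter would overread. The attribute ids (ATTR_NUM_NETWORKS, ATTR_SSID), the policy table and the command bytes are all constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Stand-in for the kernel's struct nlattr (example code, not kernel code). */
struct nlattr {
	uint16_t nla_len;   /* header + payload, excluding trailing padding */
	uint16_t nla_type;
};

#define NLA_ALIGNTO 4
#define NLA_ALIGN(n) (((n) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))

enum nla_type { NLA_UNSPEC, NLA_U8, NLA_U16, NLA_U32, NLA_BINARY };
struct nla_policy { enum nla_type type; uint16_t len; /* max len for NLA_BINARY */ };

/* Hypothetical attribute ids for the constructed PNO-style vendor command. */
enum { ATTR_UNSPEC, ATTR_NUM_NETWORKS, ATTR_SSID, ATTR_MAX = ATTR_SSID };

/* The policy the fix adds: every fixed-length attribute gets a type entry. */
static const struct nla_policy demo_policy[ATTR_MAX + 1] = {
	[ATTR_NUM_NETWORKS] = { NLA_U32, 0 },
	[ATTR_SSID]         = { NLA_BINARY, 32 },
};

static int payload_len(const struct nlattr *nla)
{
	return nla->nla_len - NLA_HDRLEN;
}

/* Minimum-length check for fixed-width types; only runs when a policy
 * entry exists, which is exactly what the missing/wrong policies skipped. */
static int validate_against_policy(const struct nlattr *nla, const struct nla_policy *pol)
{
	int plen = payload_len(nla);
	switch (pol->type) {
	case NLA_U8:     return plen >= 1 ? 0 : -1;
	case NLA_U16:    return plen >= 2 ? 0 : -1;
	case NLA_U32:    return plen >= 4 ? 0 : -1;
	case NLA_BINARY: return plen <= (int)pol->len ? 0 : -1;
	default:         return 0;   /* NLA_UNSPEC: no length check at all */
	}
}

/* Walks the attribute stream like nla_parse(); policy may be NULL. */
static int nla_parse_lite(const struct nlattr **tb, int maxtype,
			  const uint8_t *buf, size_t len, const struct nla_policy *policy)
{
	size_t off = 0;
	memset(tb, 0, sizeof(*tb) * (maxtype + 1));
	while (off + NLA_HDRLEN <= len) {
		const struct nlattr *nla = (const struct nlattr *)(buf + off);
		if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > len)
			return -1;   /* truncated or malformed attribute */
		if (nla->nla_type > 0 && nla->nla_type <= maxtype) {
			if (policy && validate_against_policy(nla, &policy[nla->nla_type]))
				return -1;
			tb[nla->nla_type] = nla;
		}
		off += NLA_ALIGN(nla->nla_len);
	}
	return 0;
}

/* Bytes a nla_get_u32() on this attribute would read past its own payload. */
static int u32_overread_bytes(const struct nlattr *nla)
{
	int plen = payload_len(nla);
	return plen >= 4 ? 0 : 4 - plen;
}

static size_t put_attr(uint8_t *buf, size_t off, uint16_t type, const void *data, uint16_t dlen)
{
	struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + dlen), type };
	memcpy(buf + off, &hdr, sizeof hdr);
	memcpy(buf + off + NLA_HDRLEN, data, dlen);
	return off + NLA_ALIGN(hdr.nla_len);
}

/* Constructed command: a 1-byte ATTR_NUM_NETWORKS where a u32 is expected,
 * followed by a well-formed SSID attribute. */
static size_t build_bad_command(uint8_t *buf)
{
	uint8_t one = 1;
	size_t off = put_attr(buf, 0, ATTR_NUM_NETWORKS, &one, 1);
	return put_attr(buf, off, ATTR_SSID, "hotspot", 7);
}

/* Union keeps the attribute buffer 4-byte aligned for the header casts. */
union cmd_buf { uint32_t align; uint8_t raw[64]; };

/* Without a policy the parse succeeds and the u32 read overreads by 3 bytes. */
int demo_unpoliced_overread_bytes(void)
{
	union cmd_buf b;
	const struct nlattr *tb[ATTR_MAX + 1];
	size_t len = build_bad_command(b.raw);
	if (nla_parse_lite(tb, ATTR_MAX, b.raw, len, NULL) || !tb[ATTR_NUM_NETWORKS])
		return -1;
	return u32_overread_bytes(tb[ATTR_NUM_NETWORKS]);
}

/* With the policy the short attribute is rejected before any getter runs. */
int demo_policed_parse_result(void)
{
	union cmd_buf b;
	const struct nlattr *tb[ATTR_MAX + 1];
	size_t len = build_bad_command(b.raw);
	return nla_parse_lite(tb, ATTR_MAX, b.raw, len, demo_policy);
}

int main(void)
{
	printf("no policy: parse ok, nla_get_u32 overreads by %d bytes\n",
	       demo_unpoliced_overread_bytes());
	printf("with policy: nla_parse returns %d\n", demo_policed_parse_result());
	return 0;
}
```

The review check this encodes is mechanical: for every attribute a handler reads with a fixed-width getter, the policy passed to nla_parse() must carry an entry of the matching type, and the handler must pass that policy rather than NULL or a table written for a different command.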
Check if an IE has been encountered more than the maximum possible number
of times for that IE while parsing a frame.
Change-Id: I1054c7df18780469849be55fc4343f09ac502a49
CRs-Fixed: 2058261
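The NULL-IE beacon drop and the per-IE occurrence check above are two guards in the same place: the 802.11 element (TLV) walk over a received frame. The C program below is an added example, not driver code, showing a bounds-checked IE parser that rejects a NULL or empty IE buffer, an element whose length runs past the buffer, and an element that appears more often than its assumed maximum. The occurrence table (one copy of most elements, a higher cap for vendor-specific element id 221) and the beacon IE bytes are constructed for the demonstration; the real limits depend on the element and the frame type.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum ie_status { IE_OK = 0, IE_NULL_BUFFER, IE_TRUNCATED, IE_TOO_MANY };

/* Element ids used by the constructed beacon (standard 802.11 values). */
enum { EID_SSID = 0, EID_SUPP_RATES = 1, EID_DS_PARAMS = 3, EID_VENDOR = 221 };

struct ie_counts { uint16_t count[256]; };

/* Assumed per-element cap: vendor-specific elements may repeat, the rest
 * are expected at most once in a beacon. */
static unsigned max_occurrences(uint8_t eid)
{
	return eid == EID_VENDOR ? 16 : 1;
}

/* Walks id/len/data elements; every length is checked against the buffer
 * before it is trusted, and each element's count is checked against its cap. */
int parse_ies(const uint8_t *ies, size_t len, struct ie_counts *out)
{
	size_t off = 0;
	memset(out, 0, sizeof(*out));
	if (!ies || len == 0)
		return IE_NULL_BUFFER;            /* the "beacon with NULL IE" case */
	while (off < len) {
		uint8_t eid, elen;
		if (off + 2 > len)
			return IE_TRUNCATED;          /* header would run past the buffer */
		eid = ies[off];
		elen = ies[off + 1];
		if (off + 2 + elen > len)
			return IE_TRUNCATED;          /* body would run past the buffer */
		if (++out->count[eid] > max_occurrences(eid))
			return IE_TOO_MANY;           /* more copies than this IE allows */
		off += 2 + elen;
	}
	return IE_OK;
}

/* Constructed beacon IE buffers. */
static const uint8_t good_beacon[] = {
	EID_SSID, 4, 'd', 'e', 'm', 'o',
	EID_SUPP_RATES, 3, 0x82, 0x84, 0x8b,
	EID_DS_PARAMS, 1, 6,
	EID_VENDOR, 4, 0x00, 0x50, 0xf2, 0x02,
	EID_VENDOR, 4, 0x00, 0x50, 0xf2, 0x04,
};
static const uint8_t dup_ssid_beacon[] = {
	EID_SSID, 4, 'd', 'e', 'm', 'o',
	EID_SSID, 4, 'e', 'v', 'i', 'l',
};
static const uint8_t truncated_beacon[] = {
	EID_SSID, 4, 'd', 'e', 'm', 'o',
	EID_SUPP_RATES, 200, 0x82,        /* claims 200 bytes, only 1 present */
};

int demo_good_beacon(void)
{
	struct ie_counts c;
	return parse_ies(good_beacon, sizeof good_beacon, &c);
}

int demo_good_beacon_vendor_count(void)
{
	struct ie_counts c;
	parse_ies(good_beacon, sizeof good_beacon, &c);
	return c.count[EID_VENDOR];
}

int demo_duplicate_ssid(void)
{
	struct ie_counts c;
	return parse_ies(dup_ssid_beacon, sizeof dup_ssid_beacon, &c);
}

int demo_truncated(void)
{
	struct ie_counts c;
	return parse_ies(truncated_beacon, sizeof truncated_beacon, &c);
}

int demo_null_ies(void)
{
	struct ie_counts c;
	return parse_ies(NULL, 0, &c);
}

int main(void)
{
	printf("good=%d vendor_count=%d dup_ssid=%d truncated=%d null=%d\n",
	       demo_good_beacon(), demo_good_beacon_vendor_count(),
	       demo_duplicate_ssid(), demo_truncated(), demo_null_ies());
	return 0;
}
```

Checking the count on the way through the walk, rather than after filling a fixed-size per-IE array, is what keeps a frame with repeated elements from writing past that array; dropping the frame at the first violation is cheaper than trying to repair it.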
The beacon template WMI cmd is converged in the WMI layer.
Use the converged beacon template WMI cmd; the legacy cmd
is removed.
Change-Id: Ia76ec059489d9faa7b5420a8eb88c89ffe0807dc
CRs-Fixed: 2038284
Some of the TDLS functions have info level logs and it
causes kernel log buffer overflow and triggers a
WD bite.
Reduce the log level from info to debug.
Change-Id: I2878a617f4e06eea6c3aaafd218e0cbbdd999070
CRs-Fixed: 2043718
If driver recovery is in progress, unmap events may not come
from firmware. Ignore the peer_unmap timeout in such a case.
CRs-Fixed: 2033452
Change-Id: I284c57530a477953247ad325dfaddff72767aecf
The peer may get deleted between the time peer_unmap_timer fires and
the handler gets executed in MC thread context, causing a memory
access error. Use qdf_timer_sync_cancel() to wait for the handler
to finish its job before freeing the peer object.
CRs-Fixed: 2026393
Change-Id: Ie60b5c300be529d529f7e836adc0e3be917fe2e8
Initialize peer_unmap_timer during peer attach instead of at the
time of peer detach. Then ol_txrx_unref_delete can destroy
the timer without peer detach getting called earlier.
CRs-Fixed: 2014183
Change-Id: Icebec27d5562350871a89b5cf71ae99f096feee8
Add a timeout handler that fires 6000 ms after the peer detach
operation is initiated. Used for debugging the scenario of missing
peer unmap events after deleting a STA type peer.
CRs-Fixed: 1109867
Change-Id: Iad18f374ba3c1458c5214befd1d5c1517a7bdedf