PMO should not know about the vdev data path handle, but
pmo_unpause_all_vdev() needs it, so register a wma callback to retrieve
the vdev dp handle instead of keeping a copy in the pmo vdev private context.
Refine the current code to retrieve the vdev dp handle using a wma callback.
Change-Id: I1f668fff633a5e5cdfc478e7f619e9600930b333
CRs-Fixed: 2227384
In __iw_set_packet_filter_params(), a user controlled length value,
priv_data.length, is used to allocate a buffer. This buffer is then
cast to a struct pointer of struct pkt_filter_cfg type without ensuring
the buffer is of proper length.
Add a sanity check on priv_data.length to ensure that the command being
issued has proper parameters.
Change-Id: Ia871e35ef938ca889fb6b1609a0c881d76f29e4b
CRs-Fixed: 2250775
1) Add timer callback function for resuming OS netdev queues once
they have been paused.
2) Add HDD function to register resume timer callback for High Latency
Data Path Flow Control.
HL netdev flow control will re-use some of the
QCA_LL_LEGACY_TX_FLOW_CONTROL functionality, hence some parts of the
legacy flow control code have been conditionally enabled for
QCA_HL_NETDEV_FLOW_CONTROL as well.
Change-Id: I4d4a03ddd5be980ce27fd0771fa9d6dc26138357
CRs-fixed: 2236321
The following memory leak issues of blocked scan requests
need to be addressed:
1. Add list for blocked scan requests
Multiple scan requests could be blocked before the related
callback can be executed. Currently there is only one pointer
for such requests. A list is added accordingly.
2. Cleanup blocked scan request when ifdown
Scheduled work for a blocked scan might not be able to be executed
before ifdown. When the work is cancelled, the related scan request is
not freed and will cause a memory leak.
Call the related callback when blocked scan work is cancelled to
clean up the pending scan request.
Change-Id: Ifb5fc1b14a043ad67e4ba1d305ce4133b471188c
CRs-Fixed: 2166111
Fix overrunning the callee's array of size 19 by checking that the
argument tid does not exceed the maximum number.
Change-Id: I993339f4b9aea51e9566d213c9828825c5f2bf66
CRs-Fixed: 2232744
For the txrx_stats command, two parameters are designed as
mandatory: the 1st is the statistics category, the 2nd is the mac id.
Add default value 0 for those parameters.
CRs-Fixed: 2248034
Change-Id: Ifc667e22bd78a295c3323f2b2e063f2f6ba12e8e
In case the currently selected txq group does not have enough credits,
try to borrow credits from the other txq group.
Change-Id: I86fbe990853d90598f6e09b13f7061e4ba1a78ae
CRs-fixed: 2246206
1) When a group is created i.e. the first vdev is added to it,
assign all the credits to it.
2) When the second group is created, transfer some minimum credits
to it.
3) When a group is deleted, transfer its credits to the other group.
Change-Id: I0c5532033718b250ab0633b4da4e219c0315cac9
CRs-fixed: 2246206
1) Add function: ol_tx_update_grp_frm_count() to maintain count of frames
per group.
2) Call ol_tx_update_grp_frm_count() from ol_tx_enqueue(),
ol_tx_dequeue() and ol_tx_queue_free().
Change-Id: If1b07ea5bbdcbc6ad6d0c91e6b2060c4264b9472
CRs-fixed: 2246206
During wlan unloading, target failure is ignored and no recovery
will happen; refer to function ol_target_failure.
During wlan unloading, cds_cfg may be freed, so the
cds_is_self_recovery_enabled state can't be obtained correctly.
Change-Id: I321d4029f299ef2eb7a6316faaed90f62e091b4e
CRs-Fixed: 2224058
After CSA, the channel is not getting updated in the DS params and HT info
IE in the BSS descriptor of the corresponding session. As a result, the
channel in cfg80211 is still the old one, due to which the freq displayed
in the UI is still the older one.
Update channel in DS params and HT info IE in BSS descriptor after CSA.
Change-Id: I4a0f301ccd6155dc459fa1bfa4fbd0c59c04e0f8
CRs-Fixed: 2244619
The API sme_process_msg lacks a break in switch case
after eWNI_SME_SET_DUAL_MAC_CFG_RESP. Due to this
execution falls through to the next case statement or
default.
Fix is to add a break after eWNI_SME_SET_DUAL_MAC_CFG_RESP
Change-Id: I7466dfdc8c8cbe186f61f47371137dca958e1d08
CRs-Fixed: 2233190
In __wlan_hdd_cfg80211_scan(), while copying ie data from
cfg80211_scan_request to local destination buffer, there is no check of
ie_len against maximum possible length of SIR_MAC_MAX_ADD_IE_LENGTH (2048).
This can result in a buffer overflow.
To address this, validate ie_len in cfg80211_scan_request.
Change-Id: I5da837395869704666762fdf57293d9561d3ad83
CRs-Fixed: 2247604
Add per-level logging wrappers to PE module,
which can be compiled in or out by the build
configuration.
Change-Id: Ie8ded666d1bd268a4bbc57091af32aeb5b285eb1
CRs-Fixed: 2260214
There are several logs in PMO that log debugging related information
at the INFO level. Reduce the logging level of these debug logs to
avoid spamming the console.
Change-Id: Ib1bb9279d5d8104104b58bd2c83869f72c0bde4a
CRs-Fixed: 2260190
As per the WAPI spec, the akmsuite is of length 4 x akm suite count. This
was changed as part of I63528da4c2dfafa22f2c6fc73afe52727af02b64 and
causes WAPI connection failure due to mismatch in scan results.
Fix the correct length while copying akmsuite from supplicant IEs in
wlan_hdd_cfg80211_set_ie.
Change-Id: Ib0d60e82a3fbaef1a9405200dd03eb7882007fcb
CRs-Fixed: 2258136
Currently driver allows start_bss on SAP interface even when roaming is
in progress on STA interface. This leads to two simultaneous vdev starts
in FW which causes the FW to assert.
Add changes to reject the start_bss request for SAP if roaming is in
progress on any STA interface.
Also, when a connect for STA or start_bss for SAP is received and
roaming is not in progress for any STA interface, stop roaming on all
STA interfaces by sending WMI_ROAM_SCAN_MODE_NONE to FW. Also after
association or start_bss completion, enable roaming again on connected
STA interface.
Change-Id: I3baaffeef3b350e6527660cbac4b79fa4d9f83f0
CRs-Fixed: 2221337
Out-of-buffer access may occur in the wmi_get_buf_extscan_start_cmd()
function if the user-provided inputs differ for the below parameters,
which are assigned in the hdd_extscan_start_fill_bucket_channel_spec()
function:
1. QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_NUM_CHANNEL_SPECS
2. QCA_WLAN_VENDOR_ATTR_EXTSCAN_CHANNEL_SPEC
To address this issue return failure status if numChannels is not
equal to the total number of channel entries.
Change-Id: I60d74161dc3752bd7f609af3910d7c86a99488ec
CRs-Fixed: 2255189
Presently, the wrong channel is passed in ch_in_pcl(), as a result of which
the PCL discount is applied on the wrong channel, resulting in a wrong ACS
weight calculation.
Pass correct channel in ch_in_pcl().
Change-Id: Id87c0afe501d7217ae6b170656bf6d2fab89b5b7
CRs-Fixed: 2257182
When gvendor_acs_support=1, the ch_width provided by hostapd is not getting
copied to sap_cfg. As a result, ch_width is 0 (20 MHz) irrespective of
whatever is provided by hostapd, causing issues.
Copy ch_width irrespective of gvendor_acs_support value.
Change-Id: I7013eb7ee3610790194916078640d633747de15e
CRs-Fixed: 2247771
This reverts the change I48227166d722496afd2d9dd7aca1ae78d44c8833
because it is referring to the API csr_is_duplicate_bss_description(),
which is deprecated and not defined.
Change-Id: I0f133eed437754f20547a1450090df09a6e0f2ba
The function hdd_validate_adapter() can expose kernel address space
with a bad adapter pointer. Fix this by removing unwanted information
from the error print.
Change-Id: I65caab9d710e031992661efdf6f8c72d0c7bf82c
CRs-Fixed: 2235225
The WIFI_LOGGER_PACKET_FATE_SUPPORTED bit in logging features
indicates support for packet fate stats. Set the bit to indicate
packet fate stats support to user space.
Change-Id: Ie286b3bf994fc75a987a42a329dd159db978ebe6
CRs-Fixed: 2233537
When the DUT P2P GO/SAP deauths the ref STA, in a race condition the
scheduler thread may try to clear peer data and drop pending rx packets
after the peer has been freed in the peer unmap handler in softirq context;
a use-after-free issue will happen.
Error log:
BUG: spinlock bad magic on CPU#1, scheduler_threa/28550
Unable to handle kernel paging request at virtual address
6b6b6b6b6b715b
Stackframe:
do_raw_spin_lock+0x34/0x154
_raw_spin_lock_bh+0x24/0x30
ol_txrx_clear_peer_internal+0x68/0xb0 [wlan]
ol_txrx_clear_peer+0x78/0xa0 [wlan]
hdd_softap_deregister_sta+0xd0/0x200 [wlan]
hdd_hostapd_sap_event_cb+0xca8/0x20b8 [wlan]
Change-Id: Ib8d133528f5ff22125218861206d241f96eaf0da
CRs-Fixed: 2247334
Propagation from cld2.0 to cld3.0.
When the connected AP requires the DUT to do radio
measurement for itself in passive scan mode,
the DUT sends an empty beacon report.
In passive scan, the sta only listens to beacons.
The connected AP beacon is offloaded to firmware, and
firmware discards it unless a special
IE exists in the beacon. The connected AP beacon will
not be sent to the host. Hence, the timer of the connected BSS
is not updated in the scan result lists
and cannot meet "scan timer > RRM_scan_timer".
Fix the issue by adding a connected
BSS judging condition.
Change-Id: I48227166d722496afd2d9dd7aca1ae78d44c8833
CRs-Fixed: 2239559
Separate out QCA_LL_LEGACY_TX_FLOW_CONTROL
and QCA_LL_TX_FLOW_CONTROL_V2 flow control implementation
in different files to compile out features cleanly.
Change-Id: I5d6ddf9ea61b409b25d242852ed1f0102e94ad88
CRs-Fixed: 2228902
In lim_process_action_frame and lim_process_action_frame_no_session,
the Rx frame pointer is directly cast to the action frame header
to find the action frame category and action ID without validating
the minimum length of the frame. If the frame len is less than the
action frame header len, then an OOB read would occur.
Check if frame_len is less than the size of the action frame header
and return if true.
Change-ID: Idf8ca7eeacdf57171d2850fe6317784911830aac
CRs-Fixed: 2253243
In the API lim_process_deauth_frame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in an OOB read.
Fix is to have a min length check of 16 bits for the
reason code before accessing it.
Change-Id: I7e7a435ba049356c13fb10240f4abb9bf6219af4
CRs-Fixed: 2249768
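The fixes above for __iw_set_packet_filter_params(), lim_process_action_frame and lim_process_deauth_frame share one pattern: check the length of attacker-influenced data before casting it to a structure or indexing into it. The C below is an added illustration, not code from any of these commits or from the driver. struct filter_cmd, its field layout, FILTER_MAX_PARAMS and FILTER_PARAM_LEN are hypothetical stand-ins for the real pkt_filter_cfg; the 24-byte management header, the 1-byte category and action fields and the 2-byte little-endian reason code follow 802.11. All sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11 management header is 24 bytes; an action frame carries a 1-byte
 * category and a 1-byte action field after it, a deauth frame a 2-byte
 * little-endian reason code. */
#define MGMT_HDR_LEN    24
#define ACTION_HDR_LEN  (MGMT_HDR_LEN + 2)
#define DEAUTH_MIN_LEN  (MGMT_HDR_LEN + 2)

/* Returns the action category, or -1 if the frame is too short to hold
 * the action header (the lim_process_action_frame check). */
int action_category(const uint8_t *frame, size_t frame_len)
{
	if (frame == NULL || frame_len < ACTION_HDR_LEN)
		return -1;
	return frame[MGMT_HDR_LEN];
}

/* Returns the deauth reason code, or -1 if the MPDU is header-only
 * (the lim_process_deauth_frame check). */
int deauth_reason(const uint8_t *frame, size_t frame_len)
{
	if (frame == NULL || frame_len < DEAUTH_MIN_LEN)
		return -1;
	return frame[MGMT_HDR_LEN] | (frame[MGMT_HDR_LEN + 1] << 8);
}

/* Hypothetical command layout standing in for pkt_filter_cfg: a fixed
 * header followed by num_params entries of FILTER_PARAM_LEN bytes each. */
#define FILTER_MAX_PARAMS 8
#define FILTER_PARAM_LEN  4
struct filter_cmd {
	uint8_t filter_id;
	uint8_t num_params;
	uint8_t params[][FILTER_PARAM_LEN];
};

/* Validates a user-supplied buffer of user-supplied length before the
 * cast: the fixed header must fit, the declared count must be sane, and
 * the declared entries must actually be present. Returns num_params or -1. */
int filter_cmd_num_params(const uint8_t *buf, size_t len)
{
	const struct filter_cmd *cmd;

	if (buf == NULL || len < sizeof(*cmd))
		return -1;
	cmd = (const struct filter_cmd *)buf;
	if (cmd->num_params > FILTER_MAX_PARAMS)
		return -1;
	if (len < sizeof(*cmd) + (size_t)cmd->num_params * FILTER_PARAM_LEN)
		return -1;
	return cmd->num_params;
}

/* Constructed sample inputs: a category-5 action frame, a deauth with
 * reason 3, a well-formed filter command with two entries, and one that
 * claims two entries but carries only one. */
static const uint8_t sample_action[ACTION_HDR_LEN] = { [MGMT_HDR_LEN] = 0x05, [MGMT_HDR_LEN + 1] = 0x02 };
static const uint8_t sample_deauth[DEAUTH_MIN_LEN] = { [MGMT_HDR_LEN] = 0x03, [MGMT_HDR_LEN + 1] = 0x00 };
static const uint8_t sample_filter_ok[2 + 2 * FILTER_PARAM_LEN] =
	{ 0x01, 0x02, 0xaa, 0xbb, 0xcc, 0xdd, 0x11, 0x22, 0x33, 0x44 };
static const uint8_t sample_filter_short[2 + 1 * FILTER_PARAM_LEN] =
	{ 0x01, 0x02, 0xaa, 0xbb, 0xcc, 0xdd };

int main(void)
{
	printf("action category=%d, header-only=%d\n",
	       action_category(sample_action, sizeof(sample_action)),
	       action_category(sample_action, MGMT_HDR_LEN));
	printf("deauth reason=%d, header-only=%d\n",
	       deauth_reason(sample_deauth, sizeof(sample_deauth)),
	       deauth_reason(sample_deauth, MGMT_HDR_LEN));
	printf("filter cmd ok=%d, truncated=%d\n",
	       filter_cmd_num_params(sample_filter_ok, sizeof(sample_filter_ok)),
	       filter_cmd_num_params(sample_filter_short, sizeof(sample_filter_short)));
	return 0;
}
```

The three checks are ordered so that every field is read only after the bytes that hold it have been shown to exist: the header length first, then the count it contains, then the payload the count implies.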
During a channel switch, host sends the beacon template to the FW.
Currently the CSA/ECSA Channel Switch count offset fields in the
WMI_BCN_TMPL_CMDID fixed params are not filled from the host.
Add changes to calculate the CSA/ECSA Switch count offset from
start of the beacon template data and fill it in the fixed
params field for WMI_BCN_TMPL_CMDID.
Change-Id: Icb568f59346972784c4aceef9b42c8543adaa889
CRs-Fixed: 2246600
In wma_is_pkt_drop_candidate the frame received time is updated
even when the frame was dropped, and thus the received time of
the frame keeps on increasing. Thus the condition to check if a
frame is allowed after WMA_MGMT_FRAME_DETECT_DOS_TIMER ms always
fails if the driver continuously keeps on getting the frames.
This can lead to dropping of valid deauth/disassoc frames in case
RMF is enabled and some rogue peer keeps on sending rogue
deauth/disassoc frames, and thus even if the peer sends a valid deauth
the peer will not get disconnected.
To fix this, update the rcvd time stamp only when the frame is
allowed, as this timestamp should be used to block the duplicate
frames for WMA_MGMT_FRAME_DETECT_DOS_TIMER ms.
Change-Id: I4f480e21369b585d78f240c5f4f062d010d889a8
CRs-Fixed: 2256679
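The effect of moving the timestamp update is easiest to see by replaying a flood against both variants of the filter. The C below is an added model of the behaviour the commit message describes, not the driver's wma_is_pkt_drop_candidate; the state struct, the function names and the 120 ms DOS_WINDOW_MS value are constructed, since the page names WMA_MGMT_FRAME_DETECT_DOS_TIMER but not its value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed window length standing in for WMA_MGMT_FRAME_DETECT_DOS_TIMER. */
#define DOS_WINDOW_MS 120

/* Per-peer state: when a deauth/disassoc was last accepted. */
struct peer_mgmt_state {
	bool     seen;
	uint64_t last_rcvd_ms;
};

static bool window_open(const struct peer_mgmt_state *st, uint64_t now_ms)
{
	return !st->seen || now_ms - st->last_rcvd_ms >= DOS_WINDOW_MS;
}

/* Behaviour described as the bug: the timestamp moves on every frame,
 * dropped ones included, so a steady flood keeps the window shut and a
 * genuine deauth arriving in between is dropped as well. */
bool mgmt_frame_allowed_buggy(struct peer_mgmt_state *st, uint64_t now_ms)
{
	bool allow = window_open(st, now_ms);

	st->seen = true;
	st->last_rcvd_ms = now_ms;
	return allow;
}

/* Behaviour described as the fix: only an allowed frame restarts the
 * window, so at most one frame per DOS_WINDOW_MS gets through no matter
 * how fast the peer sends. */
bool mgmt_frame_allowed_fixed(struct peer_mgmt_state *st, uint64_t now_ms)
{
	bool allow = window_open(st, now_ms);

	if (allow) {
		st->seen = true;
		st->last_rcvd_ms = now_ms;
	}
	return allow;
}

/* Replays a peer sending one frame every period_ms for duration_ms
 * (inclusive of t = 0 and t = duration_ms) and returns how many pass. */
int count_allowed(bool (*filter)(struct peer_mgmt_state *, uint64_t),
		  uint64_t period_ms, uint64_t duration_ms)
{
	struct peer_mgmt_state st = { false, 0 };
	int allowed = 0;

	for (uint64_t t = 0; t <= duration_ms; t += period_ms)
		if (filter(&st, t))
			allowed++;
	return allowed;
}

int main(void)
{
	printf("flood, one frame every 10 ms for 1 s:  buggy=%d fixed=%d\n",
	       count_allowed(mgmt_frame_allowed_buggy, 10, 1000),
	       count_allowed(mgmt_frame_allowed_fixed, 10, 1000));
	printf("normal, one frame every 200 ms for 1 s: buggy=%d fixed=%d\n",
	       count_allowed(mgmt_frame_allowed_buggy, 200, 1000),
	       count_allowed(mgmt_frame_allowed_fixed, 200, 1000));
	return 0;
}
```

Under the flood the buggy filter lets exactly one frame through (the first) and then nothing, which is the lock-out the commit message describes; the fixed filter lets one frame per window through (frames at 0, 120, ..., 960 ms), so a legitimate deauth still reaches the peer-disconnect path. When frames are spaced wider than the window, both variants behave identically.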
The protocol stack has some lingering uses of the legacy status
enumeration eSirStatus (typedefed as tSirRetStatus). There is a desire
to transition all of these to QDF_STATUS. As a first step of this
transition replace all usage of enum eSirRetStatus with tSirRetStatus.
This will eventually allow a global replace of tSirRetStatus with
QDF_STATUS.
Change-Id: I84a748f75117af99890725e64fc32a6392d262d5
CRs-Fixed: 2258411
After parsing of the Re/Association Response frame,
sir_convert_assoc_resp_frame2_struct populates the association response
structure sSirAssocRsp. In case FEATURE_WLAN_ESE is enabled,
the host runs a loop to memcopy all WMM TSPEC info from the parsed
buffer to the association response structure.
Currently, while copying parsed data to sSirAssocRsp,
sir_convert_assoc_resp_frame2_struct is passing (sizeof(tDot11fIEWMMTSPEC)
* ar->num_WMMTSPEC) as the length argument to qdf_mem_copy to copy individual
TSPECInfo. This could result in a buffer overflow, as the size of each
TSPECInfo is only sizeof(tDot11fIEWMMTSPEC).
Pass the correct length to qdf_mem_copy while copying TSPECInfo.
Change-Id: I9c74e3bbd387fda736a715625260d95c67f03ecc
CRs-Fixed: 2254946
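The TSPEC copy bug above is the per-element versus whole-array length mix-up, and the extscan fix earlier on this page (numChannels versus the number of channel entries actually supplied) is the companion check that a declared count is backed by real data. The C below is an added illustration and not the driver's sir_convert_assoc_resp_frame2_struct: struct tspec_rec is a hypothetical fixed-size record standing in for tDot11fIEWMMTSPEC, struct assoc_rsp with its TSPEC_MAX capacity stands in for sSirAssocRsp, and the sample records are constructed. copy_tspecs() is the corrected loop with both bounds; buggy_copy_overrun_bytes() computes how far beyond the destination the original length argument would have written for a given count.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size record standing in for tDot11fIEWMMTSPEC. */
struct tspec_rec {
	uint8_t  ts_info[3];
	uint16_t nominal_msdu_size;
	uint16_t max_msdu_size;
};

#define TSPEC_MAX 4   /* constructed capacity of the destination array */

/* Stand-in for the part of sSirAssocRsp that receives the TSPECs. */
struct assoc_rsp {
	uint8_t          num_tspec;
	struct tspec_rec tspec[TSPEC_MAX];
};

/* Corrected loop: the declared count must fit the destination and must
 * be backed by enough parsed bytes, and each iteration copies exactly
 * one record. Returns the number of records copied, or -1. */
int copy_tspecs(struct assoc_rsp *dst, const uint8_t *src, size_t src_len, size_t num)
{
	if (dst == NULL || src == NULL)
		return -1;
	if (num > TSPEC_MAX || num > src_len / sizeof(struct tspec_rec))
		return -1;
	for (size_t i = 0; i < num; i++)
		memcpy(&dst->tspec[i], src + i * sizeof(struct tspec_rec),
		       sizeof(struct tspec_rec));
	dst->num_tspec = (uint8_t)num;
	return (int)num;
}

/* Bytes the original length argument would write beyond a destination of
 * `capacity` records: copying num records into slot i spans slots
 * i .. i+num-1, so the last iteration (i = num-1) ends at slot 2*num-1. */
size_t buggy_copy_overrun_bytes(size_t num, size_t capacity, size_t rec_size)
{
	if (num == 0)
		return 0;
	size_t end_slot = 2 * num - 1;   /* one past the last slot written */
	return end_slot > capacity ? (end_slot - capacity) * rec_size : 0;
}

/* Constructed parsed payload: two records. */
static const struct tspec_rec sample_recs[2] = {
	{ { 1, 2, 3 }, 100, 200 },
	{ { 4, 5, 6 }, 300, 400 },
};

/* Copies `claimed` records out of the sample payload and returns the
 * max_msdu_size of the last record copied, 0 for an empty copy, -1 if
 * the copy was rejected. */
int copy_sample(size_t claimed)
{
	struct assoc_rsp rsp;
	int rc;

	memset(&rsp, 0, sizeof(rsp));
	rc = copy_tspecs(&rsp, (const uint8_t *)sample_recs, sizeof(sample_recs), claimed);
	if (rc <= 0)
		return rc;
	return rsp.tspec[rc - 1].max_msdu_size;
}

int main(void)
{
	printf("claimed 2 -> %d, claimed 3 (only 2 present) -> %d\n",
	       copy_sample(2), copy_sample(3));
	printf("buggy overrun with %d records of %zu bytes: %zu bytes\n",
	       TSPEC_MAX, sizeof(struct tspec_rec),
	       buggy_copy_overrun_bytes(TSPEC_MAX, TSPEC_MAX, sizeof(struct tspec_rec)));
	return 0;
}
```

With a full destination of TSPEC_MAX records, the original arithmetic writes 2*TSPEC_MAX-1 slots' worth of data into TSPEC_MAX slots, so the overrun grows with the count the peer advertises; the corrected copy is bounded by both the destination capacity and the bytes actually parsed.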
In the function cds_is_gmac_mmie_valid, there is an uninitialized
use of mic array elements that are passed into the function
qdf_crypto_aes_gmac, which causes an error report in Coverity.
Initialize mic array before it is passed to qdf_crypto_aes_gmac.
Change-Id: I8650cc18d32f297f659ffaac0a514e183823f042
CRs-Fixed: 2233863
While processing QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN,
scan randomization attributes: SCAN_MAC and SCAN_MAC_MASK are not
validated using nla_policy for a minimum length check of
MAC_ADDR_SIZE (6 bytes) which can result in buffer over-read.
To address this, add nla_policy for randomization attributes.
Change-Id: I872e221b951809ca1e5c60b867be52b9fa738ddd
CRs-Fixed: 2232745