The existing peer API cdp_peer_find_by_add does not maintain any peer
references. So a peer which is returned by the API may get deleted in a
different context. This may lead to access to a already deleted memory.
Fix the issue by introducing new APIs "peer_get_ref" and
"peer_release_ref" which make sure the peer is valid until it is
"released" (peer_release_ref is called).
Change-Id: I60175ee1d67f01e3ee4b48cb655d1728d29d08f4
CRs-Fixed: 2139801
Memory leak is detected while processing the
measurement report request while another request
is under processing.
Pass an address of the pointer to the rrm beacon
request API to get the allocated memory address.
Change-Id: I83c44a6a7a4a8e1ce56e48b008e7d784cca1dc6d
CRs-Fixed: 2144031
In the monitor mode when the system is suspended
FW trying to send packet to host which is not allowed leading to this
system crash.
Acquire wakelock once the device enters monitor mode and block
the system from entering suspend.
Change-Id: I27ba2d43fd7b84bc1ae7e6046ab635065872b2d2
CRs-Fixed: 2130546
If mac_ctx->roam.configParam.qcn_ie_support is enabled driver adds
qcn ie in directed probe req, even if its already present in the
additional scan IEs. Thus in probe request two qcn ie are present.
To fix this add qcn ie only if roam.configParam.qcn_ie_support is set
and qcn ie is not present in the additional scan IE.
Change-Id: I4c7ea32dc06e5c62b4043dbd3794348f8185fd9b
CRs-Fixed: 2152795
Avoid using WMI HE Ops macro in lim and use dot11f struct for
HE Ops instead. Keep the tranlation to FW interpratation of
HE Ops in wma layer only.
Change-Id: Ie94795541aaddb7ae291ff451b938ebb96f74dbf
CRs-Fixed: 2145510
The host defines the iface ptr with :-
iface = &wma_handle->interfaces[key_params->vdev_id], at line 1588
and if the WLAN_FEATURE_11W, is not enabled , the host sets the
iface->is_waiting_for_key as false , without a NULL check of iface.
Fix is to add a NULL check for iface
Change-Id: I69ed8f881b678458d16f1f74e87e31959c04ec63
CRs-Fixed: 2156921
WLAN Latency module (WLM) is added by fw to gain latency
because of schedule out of service like power saving,
scanning, roaming etc. per the level set by framework.
Change-Id: Id4305e5e66dcce464447aff56296c7d027347ea2
CRs-Fixed: 2142391
For sns test in some scenarios when tx hits invalid peer state it will
print massive log so that it will lead to WD bark issue.
Move log level to lower info high from warn if tx hits invalid peer state.
Change-Id: I91d414e7203bf1e00094ca7b2fcebf80f4102082
CRs-Fixed: 2156472
Regpair for DM, DO, HN, JM, NA, PA, SN, XA are missing
which results in a crash.
Add regpair for country codes DM, DO, HN, JM, NA, PA, SN, XA.
Change-Id: I6d29f16a549121b9588d6fb68b78e14375e8eb8e
CRs-Fixed: 2154385
When a BSS is being started, the WLAN driver will abort all
scan requests, including the ACS scan initiated by the
secondary SAP, which will result in secondary SAP start
failure.
Use a different function to abort scans initiated by the
current session which is doing BSS starting so ACS scan
initiated by a second SAP will not be affected.
Change-Id: I442431e92e31cc8d3eb302ccca4249d0b4bedf82
CRs-Fixed: 2154230
csr_roaming_state_msg_processor() is declaring roam_info on stack
which is of size 736 bytes. Kernel stack has limited size and all
big data structures should be allocated from heap to avoid stack
overflow. Hence allocate roam_info struct from heap and free it
after callback has returned.
Change-Id: I282d9baa9f3e679bfd5b628f0baaadf4beec86af
CRs-Fixed: 2143439
The memdump feature allocates memory after the module has started,
leading to a false positive memory leak when the module is subsequently
stopped. Move memdump init to before the module is started in
hdd_wlan_startup, and memdump deinit to after the module is stopped in
hdd_wlan_exit.
Change-Id: I8df48e55e0f1e90fb4599469ce10f7741fb7a9a0
CRs-Fixed: 2157112
Currently, resource leak detection happens when the driver module is
unloaded. Instead move as much leak detection as possible to when the
driver transitions back into the closed state. This better supports
load-once-never-unload and built-in driver configurations.
Change-Id: I88be641948ffa4fff397a8eae40cf3b05c543673
CRs-Fixed: 2113606
If roaming is happening and then a set key response is
generated from WMA to PE, then there is a possibility
of not finding the PE session as the roaming happened
and new session is established. In such cases, return
failure from PE to SME so that the set key command is
released and the command queue is not stuck
Change-Id: Ieba8ea76a2a53322f2e392e6b0bf30360b1e8f8a
CRs-Fixed: 2150731
With current implementation, if sme_open_session sends down a command
to the Firmware and an SSR/PDR occurs, the thread is stuck on waiting
on an event. The thread also holds the rtnl lock and will keep
blocking any other thread from acquiring it till timeout occurs. This
can result in deadlock situation with IPA driver trying to execute
driver ops during the SSR/PDR notification callback.
Use the wait_for_event_completion API for waiting on event. With this
the event will be purged when driver receives FW_DOWN indication.
Change-Id: I2920fd36c0eb5bb5994e66e584d12a2a9d8f409a
CRs-Fixed: 2120226
Add a new CONFIG_QCA6290_11AX flag to track & enable all 11ax related
header changes.
Change-Id: I265364eafb05c34eea18235a15c5e317716f6ecf
CRs-Fixed: 2124274
Limit the max join attempts to two less than 1/3 of the total
command timeout value.
Change-Id: Ic52ec1cfa268a9e24e944f5d6e875e42d5a7b2be
CRs-Fixed: 2137346
qcacld-2.0 to qcacld-3.0 propagation
For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If set the msdu_cnt to a negative value,
or be greater than the number of current elements in the queue, the loop
will execute lots of times in ol_rx_offload_deliver_ind_handler, the
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
low latency solution.
Change the msdu_cnt type from signed to unsigned and add the validity
msdu_cnt checking will fix this issue.
Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of peer_id when received the htt message of
HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP from firmware
to ensure the buffer overflow does not happen.
Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tid when received the htt message of
HTT_T2H_MSG_TYPE_RX_FLUSH & HTT_T2H_MSG_TYPE_RX_PN_IND from firmware
to ensure the buffer overflow does not happen.
And correct the sequence number type from signed int to unsigned.
Change-Id: Ibff86e891c335bfe8c2f9db82410545036463ed3
CRs-Fixed: 2149399
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of num_msdus when received the htt message of
HTT_T2H_MSG_TYPE_TX_COMPL_IND or HTT_T2H_MSG_TYPE_TX_INSPECT_IND from
firmware to ensure the buffer overflow does not happen.
Change-Id: Ic6ce75f34c5e2705d174eda014350e6ef0391388
CRs-Fixed: 2146869
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of credits when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND or HTT_T2H_MSG_TYPE_TX_COMPL_IND
from firmware to ensure the integer overflow does not happen if these
messages invoked many times.
Change-Id: I01386b88f1b677153f3e51e055b7fbac073cd6b3
CRs-Fixed: 2147127
