When a peer connected to a SAP session triggers disconnect,
lim_send_sme_disassoc_ntf is called with the reason
eLIM_PEER_ENTITY_DISASSOC. This leads to the PE sesssion for the SAP
being freed as part of the lim_send_disconnect_done_ind added in the
change Iec0176fecf218e07f31b258c0dc52aefb480defe.
Modify the lim_send_disconnect_done_ind API to just prepare the
disconnect done indication message and the calling function
lim_send_sme_disassoc_ntf would send the notification to SME and
free the PE session only if the current session is a STA.
Change-Id: I377f86f10becd467417d4c6409d167020e26fe87
CRs-Fixed: 2241899
When deauth is received from AP, while processing of deauth frame,
WM status change command is queued in SME command pending list with
priority set as true in which DEL_BSS and DEL_STA happens leading to
VDEV_STOP AND VDEV_DOWN correspondingly.
When disconnect is issued from upper layer, ROAM command with reason
eCsrForcedDisassoc gets queued in SME command pending list with priority
set as true which performs DEL_BSS nad DEL_STA and then
eSmeCommandDelStaSession SME command is queued with priority set as false
which performs DEL_SELF_STA.
If disconnect is issued from upper layer and deauth is received from AP at
the same time, it might happen that ROAM SME command and
eSmeCommandDelStaSession SME command gets queued in SME command pending
list but WM status change command gets queued on top of these as priority
is set to true before the former commands can be processed. While
processiing of WM status change command, eWNI_SME_DEAUTH_CNF msg gets
queued in SME message queue which queues WMA_DELETE_BSS_REQ in WMA msg
queue. If WM staus change command is released just after
eWNI_SME_DEAUTH_CNF is posted, it might happen that Roam and
eSmeCommandDelStaSession SME commands from SME command pending list gets
processed first which will queue WMA_DEL_STA_SELF_REQ in WMA msg queue
before eWNI_SME_DEAUTH_CNF gets processed and queue WMA_DELETE_BSS_REQ
in WMA msg queue. This leads to processing of WMA_DEL_STA_SELF_REQ before
WMA_DELETE_BSS_REQ causing assert as this is unexpected behaviour.
Release WM status change command only after eWNI_SME_DISCONNECT_DONE_IND
which happens after WMA_DELETE_BSS_REQ and WMA_DELETE_STA_REQ gets
processed so that ROAM and eSmeCommandDelStaSession SME commands gets to
process only after processing of DEL_BSS and DEL_STA and so
WMA_DEL_STA_SELF_REQ will always be processed after WMA_DELETE_BSS_REQ
avoidong system assert.
Change-Id: Iec0176fecf218e07f31b258c0dc52aefb480defe
CRs-Fixed: 2211622
Add support to set antenna mode for SAP using iwpriv commands
set_txchainmask and set_txchainmask.
Change-Id: Id74d8caf6b2d48b0afbcc3791bd347d6addd2e7d
CRs-Fixed: 2239648
Inside hdd_ndi_create_req_handler(), we need to check if
the operating channel is valid. The current checks do
not ensure the operating channel is checked against all
valid values.
Correct the check condition to validate the operating
channel against all valid values.
Change-Id: I01c035b996ab26779ee005bef437393875fdd95a
CRs-Fixed: 2233118
Currently, "channel_freq" is declared as uint16_t. But
htt_get_channel_freq returns "int" which is assigned to
"channel_freq". So, channel_freq != -1 is always true
regardless of the values of its operands.
Declare "channel_freq" as int and add the check if
channel_freq is positive.
Change-Id: I13ae35c1bee3cdf293227e320ede8d8cd2e968fe
CRs-Fixed: 2233556
Here the case is designed to fall through to the next case. So,
add a /* fallthrough */ comment where the break is expected.
Change-Id: Ide5b530c9b817a269fcee4ece679476930797ae7
CRs-Fixed: 2233186
IPA RM is not used when WDI_UNIFIED_API is defined.
Remove to use wake_lock and rm_lock, which are created from RM setup.
Change-Id: I6c614fde7d6d7f0ab94aa9933578f3dca814a40e
CRs-Fixed: 2231424
Currently tid is extracted from HTT message and it is used without
check. This may cause possible OOB array read. To address this add
check for valid tid.
Change-Id: Idb03236e05fe43326f9ab46ae8368adc9a92d92a
CRs-Fixed: 2225497
In the API, the driver inserts 0 after the SSID name, to mark the
end of the ssid, but if the SSID name is 32 characters which is
the max SSID length possible, the driver puts 0 at the 33rd
place of memory which is not the part of the SSID name, which
results in OOB write, or off-by-one write condition.
Fix is to remove the addition of 0 after ssid, as in every
case the driver prints the ssid, taking the ssid length
as the input, and in that case insertion of 0 will not serve
any purpose.
Change-Id: I1d58026ec9f48fe9d00bd2f50783c65899588978
CRs-Fixed: 2232526
Check for nan rsp data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and wmi_nan_event_hdr
size from max allowed size when validating nan rsp data
length.
Change-Id: I341779a33ed218fdda5d008e949ced0c8cf05590
CRs-Fixed: 2227248
In the function lim_process_sme_update_access_policy_vendor_ie,
update_vendor_ie is parsed from the incomming msg. num_bytes is
the length of the IE and is retrived as
update_vendor_ie->ie[1]+2. This num_bytes value is used as the
size to copy the IE to pe_session_entry->access_policy_vendor_ie
The update_vendor_ie->ie[1] can have a maximum value of
SIR_MAC_MAX_IE_LENGTH . As the num_bytes is of uint8_t,a
possible integer overflow can occur in
lim_process_sme_update_access_policy_vendor_ie when num_bytes is
assigned with update_vendor_ie->ie[1].
Change the data type of the num_bytes to uint16_t so that it can
hold the value of update_vendor_ie->ie[1] without truncation.
Change-Id: I05c7e83a741bf1c9c0707be51f97eae9eff1ac97
CRs-Fixed: 2235044
If disconnect command is in SME pending queue, when connect command
is received, the disconnect command is flushed and as SME is
already in connected state the new connect command is handled as
reassoc req and as no preauth was done with this new AP, SME does not
call proper HDD callback to indicate conenct failure. Thus HDD remains
stuck in connecting state leading to scans rejection.
To fix this do not flush disconnect command from SME on receiving
connect cmd and thus clean up the SME before connect is processed.
Change-Id: Icefe8866a24b332688c64d8e69a11642fd7215d9
CRs-Fixed: 2238873
For LFR 3.0, when HO failed, peer deletion is handled by FW,
No WMI_PEER_DELETE_CMDID will be sent to FW.
Reset the peer counter when HO failure is reported.
Change-Id: I07cecf3166f40d2bd103a286e4556f95d7465bba
CRs-Fixed: 2240059
To avoid excessive console logging reduce log level from warn
to debug in lim_detect_change_in_ap_capabilities function.
Change-Id: I72fdd2b8ac1ce647480ab1eb164fb65079da3784
CRs-Fixed: 2240699
Currently tx desc id is extracted from HTT message and it is used
without check. This may cause possible OOB array read. To address
this add check for valid tx desc id.
Change-Id: I121fc4d550aa587f00ec315e3a20dfb136f4d7af
CRs-Fixed: 2225461
qcacld-2.0 to qcacld-3.0 propagation
When Management frame Tx fails, tx_frm_ota_comp_cb is not set NULL
during cleanup, because of which assert is observed since session
is not available
Set tx_frm_ota_comp_cb NULL when Management frame tx fails
Change-Id: I318a6d04cce06955f6751f6f3df746fec50b9434
CRs-Fixed: 2127855
Vdev resp and hold req queue cleanup is called in kernel thread context
and this may lead to race condition where it may free the wma's iface
structure while MC thread is using the iface.
In case FW down is received during interface delete, driver complete wait
events and thus the interface delete remove the adapter before del sta
self resp is received and thus del sta self resp uses adapter after its
freed.
To avoid this call the vdev resp and hold req queue cleanup from MC
thread. Also call del sta self resp only when driver unload is in
progress. For FW down case the resp is not required.
Change-Id: I711f83c54df29251de365a3137077b3b8d82b448
CRs-Fixed: 2234547
While processing IOCTL - CCXBEACONREQ, when number of
beacon request IEs is zero, respective handler drv_cmd_ccx_beacon_req()
is trying to log measurement token from un-initialized struct variable
ese beacon request, which results in kernel info disclosure.
To fix this, initialize stack variable ese beacon request and return
error in disconnected state when number of beacon request IEs is zero.
Change-Id: I4b0a8c673f9ca92e8699a157b24a100bb0cffa83
CRs-Fixed: 2225338
The driver fills the mcs set array in
hdd_update_tgt_ht_cap for all rf chains
and does not have a upper boundary check to
cfg->num_rf_chains, which could lead
to out of bound write a valid value
to a memory which not allocated to mcs set
Fix is to have a check to cfg->num_rf_chains
Change-Id: Ibeb5e783e2369ebee1bbf3fc724d06736c174c69
CRs-Fixed: 2221902
The default value of /sys/class/net/xx/queues/rx-x/rps_cpus is 0,
It means that the RX thread and soft IRQ will run on same core.
In 8996AU, the t-put will be impacted by the default value 0 both
in LTE and WLAN interface. Add support to set WLAN RPS CPU mask when
there is high t-put requirement of WLAN to improve the performance.
Change-Id: I10127a763b768a29b25041070f3ea7b3f6769289
CRs-Fixed: 2195721
While processing set pno IOCTL, input argument 'extra' is printed
without making sure it's NULL terminated.
Log input string 'extra' after making sure it's NULL terminated.
Change-Id: I4158103a85c0828dad240cf00b34da94e6a8cc62
CRs-Fixed: 2228601
Use QDF_IPA_WLAN_EVENT_MAX instead of IPA_WLAN_EVENT_MAX to record
WLAN event to IPA.
Also record QDF_SWITCH_TO_MCC/SCC and QDF_WDI_ENABLE/DISABLE event.
Change-Id: Iada6c39d2b952f6b9a1690a86c5871d2ca588cd2
CRs-Fixed: 2240425
In __lim_handle_sme_stop_bss_request, it will try to disassociate
STAs of which AssocId is from 1 to pMac->lim.gLimAssocStaLimit - 1.
However, valid range of AssocId should be from 1 to
pMac->lim.gLimAssocStaLimit. This will cause STA and peer leakage
when there is an STA using AssocID equal to pMac->lim.gLimAssocStaLimit.
Update the uppper limit to pMac->lim.gLimAssocStaLimit accordingly.
Change-Id: Ifec315c0ae69f8b93ce8b87601cca7cc13c6bc88
CRs-Fixed: 2230757
__hdd_tx_timeout passes cdp_soc context dump_flow_pool_info callback
function. Lithium_dp interchangeably use cdp_soc and dp_soc as cdp_soc is
first element of dp_soc.
Same is not valid for iHelium datapath, do not expect caller to pass
the txrx_pdev context, instead get it from global cds_context.
Change-Id: I64932fefd1294275608258df49544135d3a0562c
CRs-Fixed: 2240099
IPA component needs to discard repetitive start_bss event in
case SAP is on DFS channel. Issue is we checked against
available SAP interface and this will lead to second SAP
interface setup failure.
Fix is to check against same SAP interface to see if it has
already been setup.
Change-Id: I2fc3656f5e1fba39dba14dba137c6202c5ec5af0
CRs-Fixed: 2240368
