While processing the IOCTL CCXBEACONREQ, when the number of beacon
request IEs is zero, the respective handler drv_cmd_ccx_beacon_req()
tries to log the measurement token from the uninitialized struct
variable ese beacon request, which results in a kernel info disclosure.
To fix this, initialize the stack variable ese beacon request and return
an error in the disconnected state when the number of beacon request IEs
is zero.
Change-Id: I4b0a8c673f9ca92e8699a157b24a100bb0cffa83
CRs-Fixed: 2225338
The driver fills the mcs set array in hdd_update_tgt_ht_cap for all
rf chains and does not have an upper boundary check on
cfg->num_rf_chains, which could lead to an out-of-bounds write of a
valid value to memory not allocated to the mcs set.
Fix is to add a check on cfg->num_rf_chains.
Change-Id: Ibeb5e783e2369ebee1bbf3fc724d06736c174c69
CRs-Fixed: 2221902
The default value of /sys/class/net/xx/queues/rx-x/rps_cpus is 0,
which means that the RX thread and soft IRQ will run on the same core.
On 8996AU, throughput is impacted by the default value 0 on both the
LTE and WLAN interfaces. Add support to set the WLAN RPS CPU mask when
there is a high WLAN throughput requirement, to improve performance.
Change-Id: I10127a763b768a29b25041070f3ea7b3f6769289
CRs-Fixed: 2195721
While processing the set pno IOCTL, the input argument 'extra' is
printed without making sure it is NULL terminated.
Log the input string 'extra' after making sure it is NULL terminated.
Change-Id: I4158103a85c0828dad240cf00b34da94e6a8cc62
CRs-Fixed: 2228601
Use QDF_IPA_WLAN_EVENT_MAX instead of IPA_WLAN_EVENT_MAX to record
WLAN events to IPA.
Also record the QDF_SWITCH_TO_MCC/SCC and QDF_WDI_ENABLE/DISABLE events.
Change-Id: Iada6c39d2b952f6b9a1690a86c5871d2ca588cd2
CRs-Fixed: 2240425
In __lim_handle_sme_stop_bss_request, it tries to disassociate STAs
whose AssocId is from 1 to pMac->lim.gLimAssocStaLimit - 1.
However, the valid range of AssocId is from 1 to
pMac->lim.gLimAssocStaLimit. This causes STA and peer leakage when
there is a STA using an AssocId equal to pMac->lim.gLimAssocStaLimit.
Update the upper limit to pMac->lim.gLimAssocStaLimit accordingly.
Change-Id: Ifec315c0ae69f8b93ce8b87601cca7cc13c6bc88
CRs-Fixed: 2230757
__hdd_tx_timeout passes the cdp_soc context to the dump_flow_pool_info
callback function. Lithium_dp uses cdp_soc and dp_soc interchangeably,
as cdp_soc is the first element of dp_soc.
The same is not valid for the iHelium datapath; do not expect the
caller to pass the txrx_pdev context, instead get it from the global
cds_context.
Change-Id: I64932fefd1294275608258df49544135d3a0562c
CRs-Fixed: 2240099
The IPA component needs to discard repetitive start_bss events in
case the SAP is on a DFS channel. The issue is that we checked against
any available SAP interface, and this leads to second SAP interface
setup failure.
Fix is to check against the same SAP interface to see if it has
already been set up.
Change-Id: I2fc3656f5e1fba39dba14dba137c6202c5ec5af0
CRs-Fixed: 2240368
qcacld-2.0 to qcacld-3.0 propagation
SoftAP is changing channel in response to an ECSA frame from a STA.
Do not let SoftAP switch channel in response to ECSA.
Change-Id: Ie9ddbf10c13f62205fdd60c512a560b35c6610ba
CRs-Fixed: 2121117
Currently the SAP beacon callback loops through PE sessions to check
whether the beacon's channel matches any active SAP channel and then
invokes the sch_beacon_process_for_ap API. In sch_beacon_process_for_ap
we again loop through all the PE sessions to identify the session
where the SAP is active.
Optimize this by looping only once through all PE sessions in
lim_handle_sap_beacon and invoking sch_beacon_process_for_ap with
the SAP session's session_id.
Change-Id: Ia74e17845de161508b6c8efff6aca82cf4d9c961
CRs-Fixed: 2226237
Currently wlan_hdd_reassoc_bssid_hint returns true if prev_bssid is
present in the connect request even if hdd_reassoc fails, so the
connection does not happen if the supplicant sends a prev_bssid and
bssid_hint in the connect request and the current state is not
connected.
Fix the return status in __wlan_hdd_cfg80211_connect to return 0 only
if hdd_reassoc succeeds, else proceed with disconnect and connect.
Change-Id: I513495797f2538fc8887ff0a9ce04e13035e0549
CRs-Fixed: 2238104
Currently the channel list received from the SETROAMSCANCHANNELS
driver command is passed directly to the FW without checking whether
it contains any invalid channels, leading the firmware to assert if
the list contains unsupported channels.
Validate the channel list received from the ioctl against the base
channel list and send it to firmware only if all the channels in the
list are valid.
Change-Id: Ia502eecb97e34de854a75a6af7ffb8ccc02a7e52
CRs-Fixed: 2231242
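The validation step described in the previous commit, as an added example that is not the driver's code: a caller-supplied channel list is checked entry by entry against a base (allowed) channel list before anything is forwarded to firmware, and the first offending entry is reported. The base channel table, the MAX_ROAM_SCAN_CHANNELS cap and the function names are constructed for this illustration; the real driver derives its base list from the regulatory domain.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed base channel list standing in for the driver's regulatory
 * table (hypothetical values; the real one comes from the regulatory
 * domain in use). Channel 14 is deliberately absent. */
static const uint8_t base_channels[] = {
	1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13,
	36, 40, 44, 48, 52, 56, 60, 64,
	100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140,
	149, 153, 157, 161, 165,
};

#define MAX_ROAM_SCAN_CHANNELS 38u  /* hypothetical cap on the ioctl list */

static bool channel_in_base_list(uint8_t ch)
{
	size_t i;

	for (i = 0; i < sizeof(base_channels) / sizeof(base_channels[0]); i++)
		if (base_channels[i] == ch)
			return true;
	return false;
}

/*
 * Validates a caller-supplied roam scan channel list before it is handed
 * to firmware. Returns true only if every entry is in the base list;
 * otherwise returns false and, when bad_idx is non-NULL, stores the index
 * of the first offending entry. An empty, NULL or oversized list is
 * rejected as well (bad_idx set to n). Nothing is forwarded unless this
 * returns true.
 */
bool roam_scan_channels_valid(const uint8_t *list, size_t n, size_t *bad_idx)
{
	size_t i;

	if (list == NULL || n == 0 || n > MAX_ROAM_SCAN_CHANNELS) {
		if (bad_idx)
			*bad_idx = n;
		return false;
	}
	for (i = 0; i < n; i++) {
		if (!channel_in_base_list(list[i])) {
			if (bad_idx)
				*bad_idx = i;
			return false;
		}
	}
	return true;
}

/* Index of the first invalid entry, or -1 if the whole list may be sent. */
int first_invalid_channel(const uint8_t *list, size_t n)
{
	size_t bad = 0;

	return roam_scan_channels_valid(list, n, &bad) ? -1 : (int)bad;
}

int main(void)
{
	/* Constructed lists: one clean, one containing channel 14. */
	const uint8_t good[] = { 1, 6, 11, 36, 149 };
	const uint8_t bad[]  = { 1, 6, 14, 36 };

	printf("good list: first invalid index = %d\n",
	       first_invalid_channel(good, sizeof(good)));
	printf("bad list:  first invalid index = %d\n",
	       first_invalid_channel(bad, sizeof(bad)));
	return 0;
}
```

The check rejects the whole list rather than silently dropping bad entries, which matches the commit's "send to firmware only if all the channels in the list are valid" and keeps the caller's intent and the firmware's view of the list identical.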
If FEATURE_WLAN_ESE is disabled, there is a compilation error.
Remove the definitions of hdd_wmm_inactivity_timer_cb and
hdd_wmm_disable_inactivity_timer if FEATURE_WLAN_ESE is disabled,
as these APIs are not used anywhere.
Change-Id: I2c236f63429bdc738be9ccb06f9671b694fd9a5d
CRs-Fixed: 2238180
The check for the stats ext info data length does not take the TLV
header size into account, which could lead to a buffer overflow when
copying the data, where the TLV header size is taken into account.
Fix is to subtract the TLV header size and the stats_ext_info size
from the max allowed size when validating the stats ext info data
length.
Change-Id: I34e35a0aab396af3d93a0f61e0ab6a2da09f22ab
CRs-Fixed: 2227263
The use of TAILQ_FOREACH for freeing the fw_stats list during pdev
detach causes a use-after-free condition, which can lead to unexpected
behavior during driver load or unload.
Fix the possible use-after-free condition in pdev detach by using
TAILQ_FOREACH_SAFE instead of TAILQ_FOREACH for freeing the fw_stats
list.
CRs-Fixed: 2214520
Change-Id: I5dfcc5e3f0d2e77a5f6226eca06bc6ab1af4e643
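The iterator difference behind the previous commit, as an added example that is not the driver's code: a constructed fw_stats list is torn down with TAILQ_FOREACH_SAFE, which reads the successor pointer before the loop body frees the current node. The struct layout and function names are hypothetical; only the <sys/queue.h> macros are real, and a fallback definition of TAILQ_FOREACH_SAFE is included because some libc copies of that header omit it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

/* Some libc copies of sys/queue.h ship without the _SAFE iterator; this is
 * the usual BSD definition, used only if the header did not provide one. */
#ifndef TAILQ_FOREACH_SAFE
#define TAILQ_FOREACH_SAFE(var, head, field, tvar)			\
	for ((var) = TAILQ_FIRST((head));				\
	     (var) && ((tvar) = TAILQ_NEXT((var), field), 1);		\
	     (var) = (tvar))
#endif

/* Constructed stand-in for a per-pdev firmware stats record. */
struct fw_stats {
	int id;
	TAILQ_ENTRY(fw_stats) link;
};
TAILQ_HEAD(fw_stats_list, fw_stats);

/* Appends n records; returns the number actually allocated. */
int fw_stats_populate(struct fw_stats_list *head, int n)
{
	int i;

	for (i = 0; i < n; i++) {
		struct fw_stats *s = calloc(1, sizeof(*s));

		if (!s)
			return i;
		s->id = i;
		TAILQ_INSERT_TAIL(head, s, link);
	}
	return n;
}

/*
 * Frees every record. TAILQ_FOREACH would be wrong here: it loads the
 * next element from s->link.tqe_next *after* the body runs, i.e. after
 * free(s), which is the use-after-free read. TAILQ_FOREACH_SAFE saves the
 * successor in tmp before the body, so freeing s is safe.
 */
int fw_stats_free_all(struct fw_stats_list *head)
{
	struct fw_stats *s, *tmp;
	int freed = 0;

	TAILQ_FOREACH_SAFE(s, head, link, tmp) {
		TAILQ_REMOVE(head, s, link);
		free(s);
		freed++;
	}
	return freed;
}

/* Builds a list of n records and tears it down the safe way. Returns the
 * number freed, or -1 if allocation failed or the list was not empty
 * afterwards. */
int fw_stats_detach_demo(int n)
{
	struct fw_stats_list head;
	int freed;

	TAILQ_INIT(&head);
	if (fw_stats_populate(&head, n) != n) {
		fw_stats_free_all(&head);
		return -1;
	}
	freed = fw_stats_free_all(&head);
	return TAILQ_EMPTY(&head) ? freed : -1;
}

int main(void)
{
	printf("freed %d records\n", fw_stats_detach_demo(3));
	return 0;
}
```

Building the unsafe variant under AddressSanitizer is the quickest way to confirm the defect class: the read of the freed node's next pointer is reported on the first iteration that frees something.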
In the API sir_validate_and_rectify_ies, the driver rectifies the RSN
IE if the AP hasn't filled the RSN capabilities in the beacon/probe
response but has filled the length of the IE with the extra 2 bytes
meant for the RSN capabilities. The driver tries to repair these kinds
of frames and fills the last 2 bytes of the RSN IE with default RSN
capabilities, to prevent the failure of unpacking the IEs in
unpack-core. But the driver may write these default RSN capabilities
into some other allocated memory, because the allocated memory is only
the frame length, which would result in an OOB write.
Fix is to allocate some reserve bytes in the frame for these types of
issues.
Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2232542
Currently, when transferring SSID information from the nl80211 TLV to
the internal data structure, hdd_fill_pmksa_info() always copies
SIR_MAC_MAX_SSID_LENGTH bytes, which can overread the buffer. In order
to prevent the overread, only copy as many bytes as the TLV contains.
Note that the destination buffer passed to hdd_fill_pmksa_info() is
always zero-filled, so no additional zeroing of bytes is required.
Change-Id: I1f6773b70e9e728d6b1ce93ca26417348e96844c
CRs-Fixed: 2237462
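Two of the fixes on this page (the missing cfg->num_rf_chains bound in hdd_update_tgt_ht_cap, and the fixed-size SSID copy in hdd_fill_pmksa_info) are the same defect seen from the write and the read side: a length that comes from outside (the target, or an nl80211 attribute) is used against a fixed-size array without being checked against that array. The following is an added example, not the driver's code, with both checks in place; MAX_RF_CHAINS, the struct layouts and the function names are hypothetical, and the TLV payload in the demo is constructed to be exactly as long as its declared length so that an over-copy would read past it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RF_CHAINS 4u   /* hypothetical: slots in the per-chain mcs set */
#define MAX_SSID_LEN  32u  /* 802.11 maximum SSID length */

struct ht_mcs_set {
	uint8_t per_chain[MAX_RF_CHAINS];
};

/* Fills one MCS byte per rf chain. The check against the array capacity
 * is the one the original loop lacked; without it a target reporting more
 * chains than slots drives the loop past per_chain[]. */
bool fill_mcs_set(struct ht_mcs_set *set, uint32_t num_rf_chains, uint8_t mask)
{
	uint32_t i;

	if (!set || num_rf_chains > MAX_RF_CHAINS)
		return false;
	memset(set, 0, sizeof(*set));
	for (i = 0; i < num_rf_chains; i++)
		set->per_chain[i] = mask;
	return true;
}

struct pmk_cache_entry {
	uint8_t ssid[MAX_SSID_LEN];  /* zero-filled by the caller, as on the page */
	uint8_t ssid_len;
};

/* Copies exactly tlv_len bytes of attribute payload instead of a fixed
 * MAX_SSID_LEN, so a short TLV is never read past its end. A length above
 * the SSID limit is rejected rather than truncated. */
bool copy_ssid_from_tlv(struct pmk_cache_entry *dst, const uint8_t *tlv_data,
			size_t tlv_len)
{
	if (!dst || !tlv_data || tlv_len > MAX_SSID_LEN)
		return false;
	memcpy(dst->ssid, tlv_data, tlv_len);
	dst->ssid_len = (uint8_t)tlv_len;
	return true;
}

/* Demo: number of chain slots set, or -1 if the request was rejected. */
int mcs_fill_demo(uint32_t num_rf_chains)
{
	struct ht_mcs_set set;
	uint32_t i, n = 0;

	if (!fill_mcs_set(&set, num_rf_chains, 0xff))
		return -1;
	for (i = 0; i < MAX_RF_CHAINS; i++)
		n += (set.per_chain[i] == 0xff);
	return (int)n;
}

/* Demo: constructed payload of exactly tlv_len bytes (heap-allocated, no
 * slack after it). Returns the stored ssid_len, -1 if rejected, or -2 if
 * any byte past the SSID in the entry was dirtied. */
int ssid_copy_demo(size_t tlv_len)
{
	struct pmk_cache_entry entry;
	uint8_t *tlv = malloc(tlv_len ? tlv_len : 1);
	size_t i;
	int ret;

	if (!tlv)
		return -1;
	memset(&entry, 0, sizeof(entry));
	for (i = 0; i < tlv_len; i++)
		tlv[i] = (uint8_t)('a' + (i % 26));

	if (!copy_ssid_from_tlv(&entry, tlv, tlv_len)) {
		ret = -1;
	} else {
		ret = entry.ssid_len;
		for (i = tlv_len; i < MAX_SSID_LEN; i++)
			if (entry.ssid[i] != 0)
				ret = -2;
	}
	free(tlv);
	return ret;
}

int main(void)
{
	printf("mcs chains set: %d, %d\n", mcs_fill_demo(2), mcs_fill_demo(8));
	printf("ssid copied: %d, %d\n", ssid_copy_demo(5), ssid_copy_demo(40));
	return 0;
}
```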
In lim_process_switch_channel_rsp, if pe_find_session_by_session_id
returns NULL, the memory of the body pointer is not freed, leading to
a memory leak.
Free the memory allocated for the body pointer if the session entry is
NULL in lim_process_switch_channel_rsp.
Change-Id: I939aceb3ed993fd1488b72db9df526c1724f0ac5
CRs-Fixed: 2236980
In a scenario where the below two HDD commands are executed at the
same time from different threads:
1. Disconnect, which does an RSO Stop and frees pCurRoamProfile
2. Set Blacklist BSSID, which does an RSO Update and accesses
   pCurRoamProfile
pCurRoamProfile is accessed in the function csr_roam_offload_scan
after it is freed from the other context.
The Disconnect command from HDD is protected under the global SME lock;
however, the set blacklist BSSID path is not protected under the SME
lock. There are multiple instances where csr_roam_offload_scan is
called without the SME lock, which could lead to similar issues.
Acquire the SME lock before csr_roam_offload_scan from callers in
SME/HDD which can be from other threads.
Change-Id: I9666bab0001b56ec01dcf1df0becb36344fb6f9a
CRs-Fixed: 2226423
In the function wma_form_rx_packet, mpdu_data_len is calculated as
(buf_len - mpdu_hdr_len). If the value of buf_len is less than
mpdu_hdr_len, then an integer underflow occurs while calculating
mpdu_data_len.
Add a sanity check to return invalid if buf_len is less than
mpdu_hdr_len.
Change-Id: I4522eadb65f6cd8b210ba071a91e53008eec042c
CRs-Fixed: 2230318
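The two length-arithmetic fixes on this page, the stats ext info check that forgot the TLV header and stats_ext_info sizes and the buf_len - mpdu_hdr_len underflow in wma_form_rx_packet, are shown together below as an added example that is not the driver's code. The header, struct and buffer sizes (WMI_TLV_HDR_SIZE, STATS_EXT_INFO_SIZE, MAX_STATS_EXT_BUF) and the function names are hypothetical; the point is the shape of each check, and the "before fix" variant is kept only so the test can show which lengths it wrongly admits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define WMI_TLV_HDR_SIZE     4u    /* hypothetical: 2-byte tag + 2-byte length */
#define STATS_EXT_INFO_SIZE  8u    /* hypothetical fixed struct ahead of the data */
#define MAX_STATS_EXT_BUF    256u  /* hypothetical size of the destination buffer */

/* Check as it was before the fix: validates data_len against the whole
 * buffer, although the copy later lays down the TLV header and the
 * stats_ext_info struct first, so up to WMI_TLV_HDR_SIZE +
 * STATS_EXT_INFO_SIZE bytes can land past the end. */
bool stats_ext_len_ok_before_fix(uint32_t data_len)
{
	return data_len <= MAX_STATS_EXT_BUF;
}

/* Fixed check: the data may only use what remains after the header and
 * the fixed struct have been subtracted from the allowed maximum. */
bool stats_ext_len_ok(uint32_t data_len)
{
	const uint32_t budget = MAX_STATS_EXT_BUF - WMI_TLV_HDR_SIZE -
				STATS_EXT_INFO_SIZE;

	return data_len <= budget;
}

/* Bytes the copy actually writes for a given data_len; compare with
 * MAX_STATS_EXT_BUF to see which lengths the old check let through. */
uint32_t stats_ext_copy_size(uint32_t data_len)
{
	return WMI_TLV_HDR_SIZE + STATS_EXT_INFO_SIZE + data_len;
}

/* MPDU payload length. Both operands are unsigned, so buf_len -
 * mpdu_hdr_len silently wraps to a huge value when the header claims
 * more than the buffer holds; reject that case before subtracting, and
 * also refuse a result that would not fit the signed return type. */
int32_t mpdu_data_len(uint32_t buf_len, uint32_t mpdu_hdr_len)
{
	if (buf_len < mpdu_hdr_len)
		return -1;
	if (buf_len - mpdu_hdr_len > INT32_MAX)
		return -1;
	return (int32_t)(buf_len - mpdu_hdr_len);
}

int main(void)
{
	printf("data_len 250: old check %d, fixed check %d, copy writes %u of %u\n",
	       stats_ext_len_ok_before_fix(250), stats_ext_len_ok(250),
	       stats_ext_copy_size(250), MAX_STATS_EXT_BUF);
	printf("mpdu_data_len(100, 24) = %d, mpdu_data_len(10, 24) = %d\n",
	       mpdu_data_len(100, 24), mpdu_data_len(10, 24));
	return 0;
}
```

Both checks follow the same rule: compare against the size the later operation will really consume, and test the ordering of unsigned operands before subtracting them.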
qcacld-2.0 to qcacld-3.0 propagation
Update LDPC flag from Vendor IE instead of VHT capabilities
for VHT20 case.
Change-Id: I7bb916353586529fb78f1caeda68687663e44af2
CRs-Fixed: 2091292
Fix a typo in checking the mlm status by adding the missing
eLIM_MLM_WT_DEL_BSS_RSP_STATE state check in the
__lim_process_sme_disassoc_cnf() function.
Change-Id: Id2acde09023ba117e1d938035db9e9a0d7b303b3
CRs-Fixed: 2232883
For the LFR2.0 roaming policy, firmware will indicate a roam event with
the WMI_ROAM_REASON_SUITABLE_AP reason even when the
ROAM_SCAN_OFFLOAD_STOP cmd is set with WMI_ROAM_SCAN_MODE_ROAMOFFLOAD,
which does not obey the LFR2.0 roaming policy design. The root cause is
that firmware only disables roam scan for a ROAM_SCAN_OFFLOAD_STOP cmd
whose scan mode is set to WMI_ROAM_SCAN_MODE_NONE.
Fix is to always set the scan mode to WMI_ROAM_SCAN_MODE_NONE for
LFR2.0 when the host sends the ROAM_SCAN_OFFLOAD_STOP cmd.
Change-Id: Id5e8325f2767023daacd3dbd4104ce768de3857d
CRs-Fixed: 2228315
When Pre-Auth fails, it goes to the ROAM_SCAN_OFFLOAD_START or
ROAM_SCAN_OFFLOAD_RESTART process, which always uses zero as the
session_id param for csr_roam_offload_scan; this is wrong, as
session_id should be a variable value.
Fix is to use the variable session_id param for csr_roam_offload_scan.
Change-Id: Iaf5f234dc73001440aaf02d7931c7891903f9148
CRs-Fixed: 2239812