Currently host driver is dumping all the connection related
info for FILS connection.
Add changes to remove excessive logging for FILS connection
Change-Id: Ib23a90672413e00c06ae61f01fbbb0fb51edda56
CRs-Fixed: 2077465
When ACS is started, acs_cfg.hw_mode in AP context will
be set after mapping from values defined in enum
qca_wlan_vendor_acs_hw_mode to values defined in enum
eCsrPhyMode, but when ACS scan fails due to some reason,
such as scan timeout, the code in function
sap_select_default_oper_chan is still using values
defined in enum qca_wlan_vendor_acs_hw_mode to setup
the default channel.
Change the code in function sap_select_default_oper_chan
to use the values defined in enum eCsrPhyMode when
setting up the default channel.
Change-Id: Ic0d43c43bf9b9a9a36c290d2754c30ebb40bb0e3
CRs-Fixed: 2163658
DUT retries auth with open system if shared key
authentication is not supported by AP. If auth
response from AP for open system auth has same
sequence number as that of shared key response,
host drops the frame.
Fix is to drop the auth frame only if previous
sequence number and auth algo match with current
sequence number and auth algo.
Change-Id: Ia02408d72371dfb91a7cae190ae9399cdf2e2e8b
CRs-Fixed: 2163231
Determine bss transition status for preferable candidates provided
by userspace based on the transition reason, rssi of connected and
candidate bssids and other parameters like whether transitioning to the
candidate will result in sub-optimal scenario. The transition status
is either accept or a reason for reject.
Change-Id: Ib83c81909f4d8e31b4125309b8ac392a26a0d6bf
CRs-Fixed: 2007107
__wlan_hdd_cfg80211_get_key was invoked when unloading driver.
SAP ctx had been freed at this time. wlan_sap_get_roam_profile will
return NULL.
Check NULL pointer before using roam_profile.
Change-Id: If1f11f0fb7027a6af4e3242fe9af722740d32850
CRs-Fixed: 2162395
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tx_desc_id when the htt message
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND is received from firmware to ensure the buffer
overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2164705
Adapter resources are not being released until after stop modules. This
leads to resource leaks on PCIe targets. Move the call to close adapters
to before stop modules.
Change-Id: I18ceba26bb6aab634da91a14cc6890a7b7bd836f
CRs-Fixed: 2162868
TX data transmit error is flooding out the logging
system.
Rate limit the TX transmit error to avoid
log buffer overrun.
Change-Id: Ie6f857378f1d8d2ee07ba0d6e10639f6f5dcbd1c
CRs-Fixed: 2160835
In function lim_send_probe_rsp_template_to_hal, memset is done for the
allocated packet for length nBytes which is calculated as size of payload +
MAC header + addn_ielen.
However, the buffer used psessionEntry->pSchProbeRspTemplate is allocated
for length 512 (SCH_MAX_PROBE_RESP_SIZE) only as part of create session.
This leads to a potential overflow of the memory if nBytes calculated is
greater than 512 leading to kernel panic while freeing the memory in
delete session.
Add sanity check to make sure we do not exceed the SCH_MAX_PROBE_RESP_SIZE
before doing a memset on the buffer.
Change-Id: I4657d34a429b1f0c11ac8ca24869727c222669b8
CRs-Fixed: 2160086
In function __wlan_hdd_cfg80211_vendor_scan, when SCAN_SSIDS
and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, if the
number of SSIDs or number of channels is more than 255 in the
netlink message, n_ssid and n_channels will overflow
because n_ssid and n_channels are of type uint8_t.
Add a check to validate the max number of SCAN_SSIDs against
MAX_SCAN_SSID and max number of channels against MAX_CHANNEL.
Change-Id: Ib31dcc912fee8639e26d836d2fc5a32bf81fb43d
CRs-Fixed: 2153343
HDD calls several qdf_debug_domain APIs when that feature is not
enabled. Add conditional compilation to avoid these calls when runtime
leak detection is not enabled.
Change-Id: I78775c240b5352ed63f2e15f16e25159bbde5666
CRs-Fixed: 2162989
The statement register_netdevice_notifier(&hdd_netdev_notifier)
is replaced by hdd_register_notifiers(hdd_ctx) mistakenly when
propagating from 3.1 to 3.2.
Change-Id: Iddcc2b0375c0e81b944def117b40ea3015f91e4b
CRs-Fixed: 2163113
In function lim_parse_kde_elements, while parsing the KDE list from
the assoc response frame, elem_len is obtained from the frame buffer.
elem_len is then used to find the matching OUI for KDE OUI type and
then to calculate data_len based on the offset for the GTK/IGTK data
types.
If the value in elem_len field in the frame is less than the Data
Offset (which includes the OUI and data type) or the GTK/IGTK offset
then a OOB read would occur.
Add checks to validate the elem_len with Data offset and then with
the GTK/IGTK offset based on the data type.
Change-Id: I8ae31c6d6c28e88ad9bda757b3f1ff2585f8a553
CRs-Fixed: 2161920
When a peer object is to be removed in WLAN HDD object manager
code, it should be logically deleted first before its ref
count is decreased and the peer object is freed, or there will
be a potential race condition, in which a freed peer object
buffer will be accessed.
Change-Id: Ib3179e8207d1e9bbaa9c2b8450a8016e23cfc3f3
CRs-Fixed: 2161627
With the existing implementation of TAILQ_FOREACH_REVERSE
in ol_txrx_remove_peers_for_vdev() function, host traverses
the list, stores the peer in the var, releases the lock and
later temp var is getting deleted as part of peer unmap and
host ends up accessing the stale peer entry.
To avoid this, host should check the peer delete in progress
first before assigning it to the temp var.
Change-Id: I5b9a401ae062efc6d2fbe608b25424a27c9d9f94
CRs-Fixed: 2159446
Check hdd_ctx, adapter and sta_ctx against null before dereferencing
them in wlan_hdd_nan_datapath.c
Change-Id: Ie81a359be4f03f4f7e411b56d583c12fa3bb03c0
CRs-Fixed: 2162244
Add null pointer validation and fix possible buffer overflow issue
in sap module.
Change-Id: I314e07a31368dd3ca854b9aeab4a0bce0402a81b
CRs-Fixed: 2162246
Presently, OFDM packets are assigned preamble type of
LONG_PREAMBLE when the type should be SHORT_PREAMBLE.
Assign the preamble type correctly.
Change-Id: Ie16936ba54cb8e1dfa5e96ccc52f3fc6693a5d48
CRs-Fixed: 2159511
Currently in the scoring logic the host has the same
score of 125 for the QBSS/ESP load between 50% to 75%
and 75% to 100% which sometimes may result in improper
scoring for cases where AP1 has air time fraction
127 which converts to 51% load and other AP2 has air
time fraction 13 which converts to 95% load.
But the score is same for both APs and the host selects
randomly any one of the APs instead of AP1.
Fix is to change score for QBSS/ESP load to differentiate
between 50-75% and 75-100% load
Change-Id: I96d0d8a6a0a1854b2faca4435afa612336bc3caf
CRs-Fixed: 2161778
The transition to/from FTM happens after the memdump feature is
initialized. However, the memdump init/deinit functions bail out if the
driver is currently in FTM. This leads to situations where memdump is
initialized, but skips deinitialization when the driver is in FTM at the
time of unload. Since memdump is always initialized during driver probe
(the driver is never in FTM at that time), always deinitialize on driver
unload.
Change-Id: Ib3555a89f64912403d8858877086ab070ce24e35
CRs-Fixed: 2162241
For sns test in some scenarios when tx hits invalid station id it will
print massive logs, which will lead to a WD bark issue.
Move log level to lower info high from info if tx hits invalid station
id, also align with cld3.1 code.
Change-Id: I965033fc8232c8ead15ef06d26aa0d1d2b468e8a
CRs-Fixed: 2159529
Add changes to identify and forward GAS public action frames to
supplicant in lim_process_action_frame_no_session.
Change-Id: Id872e2b0b8b7a203b472e0bd152f25f63c873b4f
CRs-Fixed: 2161785
FILS indication IE minimum length should be 4 bytes (2 bytes for tag and
length) + (2 bytes for realm hash). However current minimum is set to
5 bytes.
Usually AP sends cache identifier also in the FILS indication IE, which
is optional and causes the ie length to be greater than min of 5.
If the AP does not send Cache Identifier and sends only realm hash,
the IE length would be 4, which causes the IE to be skipped in parsing
thereby failing FILS connection.
Fix min IE length to 4 bytes in the frame parser for FILS Indication IE.
Change-Id: I07f2b724f5840f9ba8ec663e0b303d8fc86663da
CRs-Fixed: 2161241
Add the WiderBWChanSwitchAnn to ext_chan_switch_ann action frame
as optional IE. Currently WiderBWChanSwitchAnn is added only in
beacon frames.
Change-Id: I4f76479bdb2befa93fcb83238590007a555af210
CRs-Fixed: 2141529
During SAP SSR scan default ie data pointer is cleared and
set to null hence avoid unnecessary qdf_mem_cpy when source
pointer is null.
Change-Id: I75960c69804144abee5b1978b43002110b0d0be4
CRs-Fixed: 2161056
When stop AP command is received from hostapd, all the stations
are deauthenticated and then stop bss is called. But stop bss is
called with high priority as true and so gets queued on the top
of the list while del sta commands are queued at the tail as high
priority is set to false for those. This leads to desynchronization
as the commands are not serialized.
Set high priority as false for stop bss sme command to serialize all
the commands.
Change-Id: I9c80032c418e05d3b5591bb3cfd70f8285f27fe8
CRs-Fixed: 2161257
The eGAP status update event handler is exhibiting too verbose
debug printing.
Suppress the eGAP status update by increasing the debug level.
Change-Id: I85e290abfe03d488ab770a3a403871d984ee8df9
CRs-Fixed: 2161713
In api "__wlan_hdd_cfg80211_vendor_scan", the ssid length is u8,
when memcpy is done for ssid, the length is not validated and
nla_len(attr) is used directly in memcpy which can result in buffer
overwrite.
Add a check to validate the max length of scan ssid against
SIR_MAC_MAX_SSID_LENGTH.
Change-Id: If4c25710973ee50094c5d52410269962f552ac3f
CRs-Fixed: 2153326
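The two __wlan_hdd_cfg80211_vendor_scan fixes above (the uint8_t n_ssid/n_channels counter overflow, and the SSID length taken straight from nla_len() for a memcpy) share one pattern: every count and length that arrives from user space is bounded before it becomes an array index, a counter increment or a copy length. The C parser below is an added illustration written for this changelog, not driver code; the [len][bytes] attribute stream, MAX_SCAN_SSID = 10 and SSID_MAX_LEN = 32 are constructed stand-ins for the netlink nested attributes and for the driver's own limits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits for this illustration; the driver's actual MAX_SCAN_SSID
 * and SIR_MAC_MAX_SSID_LENGTH values are not reproduced here. */
#define MAX_SCAN_SSID 10
#define SSID_MAX_LEN  32

struct ssid_entry { uint8_t len; uint8_t ssid[SSID_MAX_LEN]; };
struct scan_req   { uint8_t n_ssid; struct ssid_entry ssids[MAX_SCAN_SSID]; };

enum parse_rc { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_MANY, PARSE_SSID_TOO_LONG };

/* Constructed attribute stream standing in for the netlink nested list:
 * repeated [len][len bytes]. Both the number of entries and each entry's
 * length are user-controlled and are checked before they are used as an
 * array index, as a uint8_t counter, or as a memcpy length. */
enum parse_rc parse_ssid_list(const uint8_t *attrs, size_t attrs_len,
                              struct scan_req *req)
{
    size_t off = 0;
    memset(req, 0, sizeof *req);
    while (off < attrs_len) {
        uint8_t alen = attrs[off];
        if (alen > attrs_len - off - 1)
            return PARSE_TRUNCATED;         /* entry runs past the message */
        if (req->n_ssid >= MAX_SCAN_SSID)
            return PARSE_TOO_MANY;          /* before the index/counter grows */
        if (alen > SSID_MAX_LEN)
            return PARSE_SSID_TOO_LONG;     /* before the memcpy */
        req->ssids[req->n_ssid].len = alen;
        memcpy(req->ssids[req->n_ssid].ssid, attrs + off + 1, alen);
        req->n_ssid++;
        off += 1 + alen;
    }
    return PARSE_OK;
}

/* Build a stream of 'n' entries, each 'ssid_len' bytes of 'A' (constructed input). */
static size_t build_stream(uint8_t *out, size_t cap, unsigned n, uint8_t ssid_len)
{
    size_t off = 0;
    for (unsigned i = 0; i < n && off + 1 + ssid_len <= cap; i++) {
        out[off++] = ssid_len;
        memset(out + off, 'A', ssid_len);
        off += ssid_len;
    }
    return off;
}

/* Parse result for a list of 'n' short SSIDs. */
enum parse_rc demo_count(unsigned n)
{
    static uint8_t buf[4096];
    struct scan_req req;
    size_t len = build_stream(buf, sizeof buf, n, 2);
    return parse_ssid_list(buf, len, &req);
}

/* n_ssid after parsing 'n' short SSIDs, or -1 when the list was rejected. */
int demo_parsed_count(unsigned n)
{
    static uint8_t buf[4096];
    struct scan_req req;
    size_t len = build_stream(buf, sizeof buf, n, 2);
    if (parse_ssid_list(buf, len, &req) != PARSE_OK)
        return -1;
    return req.n_ssid;
}

/* Parse result for a single SSID of 'ssid_len' bytes. */
enum parse_rc demo_ssid_len(uint8_t ssid_len)
{
    uint8_t buf[1 + 255];
    struct scan_req req;
    size_t len = build_stream(buf, sizeof buf, 1, ssid_len);
    return parse_ssid_list(buf, len, &req);
}

int main(void)
{
    printf("10 ssids: rc %d, parsed %d\n", demo_count(10), demo_parsed_count(10));
    printf("11 ssids: rc %d\n", demo_count(11));
    printf("300 ssids (would wrap a uint8_t counter): rc %d\n", demo_count(300));
    printf("33-byte ssid: rc %d\n", demo_ssid_len(33));
    return 0;
}
```

The order of the checks matters: the count check comes before the entry is stored, so the uint8_t counter can never wrap and the array index is always below MAX_SCAN_SSID, and the length check comes before the copy, so nla_len()-style values above the SSID maximum are rejected rather than written past the fixed-size field.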
Set passive dwell time to 28msecs for active
scan when bt a2dp is enabled and hw is not dbs
capable and when sta is connected on 2G band.
Change-Id: I44f2e3d98f2d7ddc52e4902ba989131c256da4ef
CRs-Fixed: 2146311
Do not drop operating mode action frame if channel bonding is disabled.
Process NSS change if requested by frame.
Change-Id: Id342c5399a70be8ea1b3d6c9878983a75ca456ad
CRs-Fixed: 2157167
Implement a flag in hdd context to track the state of
pktlog events. Pktlog will be enabled/disabled after SSR/PDR,
depending upon the state of Pktlog events just before SSR/PDR
is triggered.
Change-Id: I18999d7fcf3677a86c21559d7d443ba1cd086528
CRs-Fixed: 2151296
Change default value of g_is_bssid_hint_priority to 0, as the driver
scoring logic will take care of the best AP to select from the candidate
AP and the host can ignore the hint.
Change-Id: Ia372e3e0f580047eae33cc0b68b0a0d1460ebfc2
CRs-Fixed: 2160591
In cases where memory allocated at runtime is released during module
unload, it is tempting to label these memory leaks as false positives.
Add documentation to hdd_check_for_leaks explaining why these are real
memory leaks. This helps reduce confusion, and helps to dissuade
developers from "fixing" the runtime memory leak logic, instead of
fixing the memory leak.
Change-Id: I2f7574e7465630d2d9f96280ecf8180a51b41e0f
CRs-Fixed: 2161394
Since struct sps_iovc is obsolete in the latest kernel,
use a local macro instead of sizeof(). It should be
updated with the correct IPA size macro once it is
available in the latest kernel.
CRs-Fixed: 2160658
Change-Id: Ifc2926d5182c96e07de6b4ddd50156764b7ad51e
In the api sap_get_channel_list, list is allocated memory to store the
channel list to be sent for scan request. This api is called by
sap_goto_channel_sel which initializes scan_request.ChannelInfo.ChannelList
to channel_list, without any prior NULL check of channel_list.
Also in scan callback wlansap_scan_callback, if the state machine structure
is in disconnected state, the host returns without freeing the memory
allocated to the channel list in sap_ctx.
Fix is to free the memory allocated to the channel list
and make the sap_ctx->channellist, sap_ctx->num_of_channel
as NULL and zero respectively in both the instances.
Change-Id: Ia54287d6e77e206c717bd3c205ebe57510ea801c
CRs-Fixed: 2159489
Change default value of pcl_weightage to 0, as pcl
weightage logic needs some changes in algo to be used in LFR3.
Change-Id: I21559f7aaa8a19388cf399dee684c00c7905cfae
CRs-Fixed: 2160589
Add support for dual band in HE caps by:
1) Setting default value of HE dual_band support to 1.
2) Checking advertised FW MAC cap for support of both bands.
Change-Id: I978e4082364b832dc3f49f13a00ef9159f269f72
CRs-Fixed: 2160792
- Change the order of the deinit code of pktlog
- Change the order of the deinit code of runtime pm
Change-Id: I570b20b247b7892f9bba82f3d3a58aff9af09105
CRs-Fixed: 2160794
This ini will set the algo used in dwell time optimization
during host scan without connection.
Change-Id: Ie81636d32b6c42651aa9b5de52889970c17f6aca
CRs-Fixed: 2159656
Use string "wifi" instead of "wlan" in sysfs path for version string.
This is to avoid warning for same string name in the path.
Change-Id: Ifadabdb3e89d9a6564bbda58241f3ff38eeb4eb1
CRs-Fixed: 2153885
User-space needs sysfs interface for retrieving version
information for both firmware and driver. Add this new
sysfs interface.
Change-Id: I666aff1868f4d1d954773fae1ae85c1ebd0fdc87
CRs-Fixed: 2153885
In api csr_prepare_scan_filter, if bWPSAssociation is set or
bOSENAssociation is set, the security check while filtering
scan results needs to be skipped.
Fix is to check for both bWPSAssociation and bOSENAssociation
to set the ignore security flag in converged scan filter.
Change-Id: I1e850581ab1cd3b313e681bfd110280765fa6a2a
CRs-Fixed: 2161103
Fix is to get correct 64-bit htt rx in order address
when ENABLE_DEBUG_ADDRESS_MARKING is disabled.
Change-Id: I479ed4a2dd5cee3427f9a3714cda4ed50afa271a
CRs-Fixed: 2161207
It does not set channel width and set channel for HT40 mode SAP, which
causes SAP start at HT20 mode by default.
Change-Id: Ia29c44d897384569249149bccf8d3e0516cce0ce
CRs-Fixed: 2158079
As part of the wlan driver handlers for kernel ndo events, an inactivity
timer (effectively a watchdog timer) is started. This allows us to catch
instances where driver operations take much longer than expected. In
cases where this inactivity timer expires, print the stack trace of the
inactive thread to expedite debugging efforts.
Change-Id: I4427207a5cd7d232486ce453555765f7e0f4fe17
CRs-Fixed: 2160837
WMI_xxx_EVENTID must be redefined as wmi_xxx_event_id, otherwise module
init will fail when checking the event id.
Change-Id: Icf0562ddb9c6fd90b553ce06e502575d9e69b8d3
CRs-Fixed: 2159607
Get ARP stats command is sent to firmware with
inactive vdev id in stats param resulting in
firmware crash.
Fix is to add check to validate vdev id before
sending get ARP stats command to firmware.
Change-Id: I1483573f4f9649c307f8d47466d9c7e234e9a78e
CRs-Fixed: 2161031
In case of Monitor mode, headroom of skb, which originally
contains rx_desc data, is overwritten by radio tap header.
Host pulls skb data by radio tap header and the same skb is
passed on to packet log function which expects payload to
point to skb->data and ends up in wrong access.
Moreover, pktlog is meant to log rx_desc information which is
already overwritten by radio header and hence pkt logging is
of no use in this case.
CRs-Fixed: 2159130
Change-Id: Id19c0371a0ed31c70ada788fc2b396a8b1eac1f1
qcacld-2.0 to qcacld-3.0 propagation
While processing setHostOffload ioctl there is a possibility of
sending invalid data to lower layers as user sent data structure
is different from local buffer structure.
To mitigate this issue, initialize local buffer to zero and then
update local buffer member by member.
Change-Id: I657d2a8c7d37435b1ad28ef6de60ea80a235ead9
CRs-Fixed: 2152143
Log critical suspend/resume log using info log level such that
driver 3 stage suspend/resume state is known from available logs.
Change-Id: Id17133d406f2366058198b38445d7ff6afba3764
CRs-Fixed: 2160041
Current driver will create two adapters in FTM mode, with device_mode
STA and P2P, where STA is incorrect and P2P is unnecessary.
And those types will cause memory leak in
qdf_mem_malloc()/sme_deregister_mgmt_frame(), when unloading driver.
Also, it is improper to fix the interface name to wlan0 for FTM mode,
as some platforms may use different naming rule.
Only create one adapter with FTM mode, with variable interface name.
CRs-Fixed: 2160513
Change-Id: If3bf4444e5535e6fe88c3ad2d87da217534984a0
Change "qcacmn: Rename enum tQDF_GLOBAL_CON_MODE" (qca-wifi-host-cmn
Change-Id I57933a62f6ce02b6594d97198be8132e61e8d1f6) renamed enum
tQDF_GLOBAL_CON_MODE to QDF_GLOBAL_MODE. Update all references to use
the new name.
Change-Id: I0e806e87a4c4828279dee83450b1fc20a236c9d3
CRs-Fixed: 2158636
Country code can be set by multiple sources. Print the source of country
code for debug purposes.
Change-Id: I54f8237de540d7a0d01671148109130a28516670
CRs-Fixed: 2149684
In function wma_is_vdev_valid, vdev_id received as argument is used
to access wma_handle->interfaces array directly without validation
of max value of vdev_id. If vdev_id is not less than max_bssid, then
an OOB read would occur in this function.
Also add free and break in wma_mc_process_msg while handling
SIR_HAL_CONFIG_GUARD_TIME message in WMA.
Change-Id: I5f4481c937d5c370b334f2a7f8a172d08140ab1d
CRs-Fixed: 2154304
Abort all outstanding scan requests on an SAP adapter synchronously
when the SAP adapter is to be stopped, so any scan callback
functions will not access the buffers for SAP adapter, ACS config,
etc. after they're freed.
Change-Id: Idc02b140c05a5de4dc652a547cd20b8d113447b6
CRs-Fixed: 2152962
During driver re-init, host might pass invalid(NULL) default scan
IEs to FW if host won't receive same IEs from supplicant as part
of vendor event QCA_NL80211_VENDOR_SUBCMD_SET_WIFI_CONFIGURATION.
Validate driver has default scan IEs, before sending same to
firmware.
Change-Id: I333ceead0c375bfb9309466e420a6860199826dc
CRs-Fixed: 2155312
Currently the Scan Default IEs configured via the attribute
QCA_WLAN_VENDOR_ATTR_CONFIG_SCAN_DEFAULT_IES are not validated. As a
result a buffer overread can occur when the Scan Default IEs are later
referenced. To address this issue validate the Scan Default IEs before
storing them.
Change-Id: Ifd8739c96a9990f01ff159eb59a7e904f7b8c592
CRs-Fixed: 2154346
The SAP configured in hidden ssid mode sends probe response
to BC probe requests in hidden ssid mode after force SCC.
In wma_set_channel, req.ssidhidden is not set by the host
which in turn sets the param->flags last bit to 0, and
the firmware receives these flags and sends the probe
responses. In the wma_vdev_start api, the host sets the flags
based upon the req.ssidhidden received from wma_set_channel
only in vdev start case, and not in vdev restart case.
Fix is to set the value of req.ssidhidden in wma_set_channel
and to set the hidden ssid flag in both vdev start and vdev
restart case.
Change-Id: I988d8d64b06128a37824c7d31d4407247ba46dce
CRs-Fixed: 2142430
Scan IEs are allocated at adapter runtime. Thus, scan IEs should be
freed during adapter stop.
Change-Id: Idd1ee68bc57ecd3dfea77a3d882b57aae21a478f
CRs-Fixed: 2159407
Scan command is entertained when the firmware is down, and
it causes a crash in the system.
Reject the scan command, when firmware is down.
Change-Id: Ib3501e14846dea9ea99f6fa13695108d4ae58bf0
CRs-Fixed: 2159449
Currently, the host sends a roam scan mode of
WMI_ROAM_SCAN_MODE_ROAMOFFLOAD to the firmware when roam
synch fails in the host. But the firmware expects a
WMI_ROAM_SCAN_MODE_NONE in the roam synch wait state
to respond with a HO_FAIL which will eventually lead
to a disconnection and clean up.
Change-Id: I39c768881c312ecbedf6e4a1742e3eaabcea1f4d
CRs-Fixed: 2159244
1. Register the lim_process_rx_scan_handler with api
ucfg_scan_register_requester;
2. Redefine function lim_send_preauth_scan_offload
to use api ucfg_scan_start;
Change-Id: I43a0b28c3abcce907575717dc3a4bfb190a32ec2
CRs-Fixed: 2144630
1. The command content is wrongly reset, which causes
the corresponding command to not be found in the
active queue.
2. It should release the command in time before issuing
the next command.
Change-Id: I094a6ce0e34f4698222d85a785cb6424852e25f8
CRs-Fixed: 2144630
Firmware cannot handle scan IE more than a certain size owing to memory
restrictions. Check the scan IE length before passing params to firmware.
Change-Id: I73321a9d4932f4cbb876de904dacecf15c9083ff
CRs-Fixed: 2159363
In the file wma_unified_radio_tx_power_level_stats_event_handler,
the driver allocates memory to rs_results->tx_time_per_power_level,
also in api wma_unified_link_radio_stats_event_handler,
rs_results->channels, without checking a previously allocated
memory for the same. Also the driver makes the pointers
rs_results->tx_time_per_power_level and rs_results->channels
as null without a prior check, which results in a memory leak.
Fix is to add a check for rs_results->channels and
rs_results->tx_time_per_power_level for NULL, and free
the already allocated memory for the same.
Change-Id: I02af53454270239bf68446a727b735c8ef10d434
CRs-Fixed: 2150714
Add a consistent set of logs for wlan module transition changes to aid
in debugging efforts.
Change-Id: Id7f039c03f25ba46194a101b64e08f8ae3042c50
CRs-Fixed: 2159403
Host driver drops incoming HDD IPA events during unloading process,
when IPA pipe unloading timeout occurs, and IPA offload state could
be mismatched between host driver and FW.
Fix by setting unloading complete before IPA pipe disable and putting
events into pending event queue for unloading timeout case as well.
Change-Id: If44caa07f328bf3ac2d2fc02aafb796176114678
CRs-Fixed: 2152490
qcacld-2.0 to qcacld-3.0 propagation
The return value validation is missing for dot11fUnpackIeRSN, thus
"dot11f_ie_rsn.pmkid_count" could be larger than 4. When it is larger
than 4 there will be a buffer over-read in vos_mem_compare. Add status
check of dot11fUnpackIeRSN in lim_process_fils_auth_frame2.
Change-Id: If563ddb13bbfcad5660d136c35c39846010594e1
CRs-Fixed: 2147955
Linux convention is to embed a list node in a structure that is meant to
be a member of a list. However, hdd_adapter_list_node_t is created to
contain both the list node and the list item itself. Remove
hdd_adapter_list_node_t and embed the list node directly into
hdd_adapter instead.
Change-Id: I62888a0212d88aa212fee34b886e3d8a4875e0c7
CRs-Fixed: 2159309
sme_stop and mac_stop are accessing shared data structures which
creates a race condition when it is called from rmmod context.
Change context of sme_stop and mac_stop from rmmod thread to
mc thread.
Change-Id: Ie30f99d6b0c2f7c6cf20371dd66323d156360474
CRs-Fixed: 2148771
Enable WIFI_FEATURE_CONFIG_NDO caps in __wlan_hdd_cfg80211_get_features
to help in VTS test case passing.
Change-Id: Iea56e53add127dc79a959f26e5f512662ed304cb
CRs-Fixed: 2155700
In function get_container_ies_len, nBuf is passed from caller function
as length of the buffer remaining in the frame. len is calculated from
the length field present in the IE. Then find_ie_defn is called with
nBuf + len as buffer length available leading to potential OOB read
in the function find_ie_defn.
Also in function get_container_ies_len, if len is greater than nBuf,
OOB read would occur in the caller function unpack_core.
In function unpack_core, len is calculated from the length field in
the IE buffer, then the IE is parsed in one of the unpack functions
where len is decremented without any check for min value of len.
If the value of len obtained from the IE buffer is less than the
minSize of the IE, then an integer underflow would occur.
1. In function get_container_ies_len, change calling of find_ie_defn
to use nbuf - len.
2. In function get_container_ies_len, if len > nbuf, return error.
3. In function unpack_core, add sanity check to make sure len is not
less than IE's minSize.
Change-Id: I8e42fb7e9674845d152d2ec26a592e02a1b562ab
CRs-Fixed: 2153003
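The lim_parse_kde_elements fix earlier in this log and the get_container_ies_len/unpack_core fix directly above are instances of one rule for a length field read out of a frame: check it against the bytes actually remaining, against any fixed header (the "Data Offset" of OUI plus data type) that precedes the data, and against the per-type minimum, before doing any arithmetic on it, and bound a nested parse by the container's own length rather than by the outer buffer. The C walker below is an added example, not the driver's parser; its element IDs, the OUI+type header shape, the container element and the minimum sizes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed element layout for this illustration (not the driver's own
 * parser): Element ID (1 byte), Length (1 byte), body. A "vendor" element
 * (ID 0xdd) carries OUI (3) + data type (1) ahead of its data, the same
 * shape as a KDE; a "container" element (ID 0xff, hypothetical) carries
 * nested elements in its body. Minimum sizes are assumptions. */
enum { IE_VENDOR = 0xdd, IE_CONTAINER = 0xff };
#define VENDOR_HDR_LEN      4   /* OUI + data type: the "Data Offset" */
#define VENDOR_GTK_TYPE     1
#define VENDOR_GTK_MIN_DATA 2   /* key id/flags that precede key bytes (assumed) */

enum ie_status { IE_OK = 0, IE_ERR_TRUNCATED, IE_ERR_BAD_HDR, IE_ERR_TOO_SHORT };

/* Validate one element at buf[0 .. remaining). Every read is bounded by
 * 'remaining' first and by the element's own length second. */
static enum ie_status check_ie(const uint8_t *buf, size_t remaining,
                               size_t *consumed)
{
    if (remaining < 2)
        return IE_ERR_TRUNCATED;            /* no room for ID + Length */
    uint8_t id = buf[0];
    uint8_t len = buf[1];
    if (len > remaining - 2)
        return IE_ERR_TRUNCATED;            /* len claims bytes the frame lacks */
    const uint8_t *body = buf + 2;

    if (id == IE_VENDOR) {
        /* Compare len with the Data Offset before touching OUI/type;
         * otherwise data_len = len - VENDOR_HDR_LEN underflows. */
        if (len < VENDOR_HDR_LEN)
            return IE_ERR_BAD_HDR;
        if (body[3] == VENDOR_GTK_TYPE &&
            len - VENDOR_HDR_LEN < VENDOR_GTK_MIN_DATA)
            return IE_ERR_TOO_SHORT;        /* type-specific minimum */
    } else if (id == IE_CONTAINER) {
        /* The nested walk is bounded by what remains inside this element
         * (len - off), never by the outer remaining plus len. */
        size_t off = 0;
        while (off < len) {
            size_t sub = 0;
            enum ie_status st = check_ie(body + off, len - off, &sub);
            if (st != IE_OK)
                return st;
            off += sub;
        }
    }
    *consumed = 2 + (size_t)len;
    return IE_OK;
}

/* Walk a whole element buffer; stop at the first malformed element. */
enum ie_status validate_ies(const uint8_t *buf, size_t buflen, unsigned *count)
{
    size_t off = 0;
    unsigned n = 0;
    enum ie_status st = IE_OK;
    while (off < buflen) {
        size_t used = 0;
        st = check_ie(buf + off, buflen - off, &used);
        if (st != IE_OK)
            break;
        off += used;
        n++;
    }
    if (count)
        *count = n;
    return st;
}

/* Constructed sample buffers (not captured frames). */
static const uint8_t good_frame[] = {
    0x00, 0x03, 'a', 'b', 'c',                                /* SSID-like element */
    0xff, 0x04, 0x07, 0x02, 0x01, 0x02,                       /* container with one 2-byte element */
    0xdd, 0x06, 0x00, 0x0f, 0xac, VENDOR_GTK_TYPE, 0x01, 0x00 /* vendor element, 2 data bytes */
};
static const uint8_t overrun[]        = { 0x00, 0x10, 'a' };              /* len 16, one byte follows */
static const uint8_t short_hdr[]      = { 0xdd, 0x02, 0x00, 0x0f };       /* len below the Data Offset */
static const uint8_t short_gtk[]      = { 0xdd, 0x05, 0x00, 0x0f, 0xac, VENDOR_GTK_TYPE, 0x01 };
static const uint8_t nested_overrun[] = { 0xff, 0x04, 0x07, 0x09, 'x', 'y' }; /* inner len 9, 2 bytes left */

enum ie_status demo_good(void)           { return validate_ies(good_frame, sizeof good_frame, NULL); }
unsigned       demo_good_count(void)     { unsigned n = 0; validate_ies(good_frame, sizeof good_frame, &n); return n; }
enum ie_status demo_overrun(void)        { return validate_ies(overrun, sizeof overrun, NULL); }
enum ie_status demo_short_hdr(void)      { return validate_ies(short_hdr, sizeof short_hdr, NULL); }
enum ie_status demo_short_gtk(void)      { return validate_ies(short_gtk, sizeof short_gtk, NULL); }
enum ie_status demo_nested_overrun(void) { return validate_ies(nested_overrun, sizeof nested_overrun, NULL); }

int main(void)
{
    printf("good: %d (%u elements)\n", demo_good(), demo_good_count());
    printf("overrun: %d, short hdr: %d, short gtk: %d, nested overrun: %d\n",
           demo_overrun(), demo_short_hdr(), demo_short_gtk(), demo_nested_overrun());
    return 0;
}
```

Each failure case maps to one of the fixes: overrun is the len > nBuf case, short_hdr is elem_len below the Data Offset, short_gtk is the per-type (minSize) check, and nested_overrun shows why the inner parse must be handed the container's remaining bytes rather than the outer buffer's.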
While sending probe response template down to firmware, driver
populates some items in data-structure which is not getting used.
Remove those unused items and send only what is needed.
CRs-Fixed: 2148056
Change-Id: I1878f523f0f88c354854dfdb75e60e66c4ecb0e8
Add a SSID length validation check before
copying the SSID field to scan request
structure from connect profile.
Change-Id: Ic6297a28f8852db2e5d22c5c7d5b8eab7b76dbfd
CRs-Fixed: 2145706
Initialize message local variable on stack in SME get peer info request
API before posting message via scheduler API.
Change-Id: I4471f3c3eacaacfb8e9145e61dd4eb33b921936f
CRs-Fixed: 2158564
Avoid bit addressing for HE Caps and HE Ops, and use structures
to access fields within HE Caps and HE Ops.
Change-Id: I1afa1926d1f4c7da5446870a7ad3121c06762f98
CRs-Fixed: 2145511
Conditional check to avoid add of same softap interface again
during SSR in __wlan_hdd_add_virtual_intf() is causing
regression (Ic3cd1eebb23482e9cebf04683533face178698b4) and
not allowing to add more than one softap interface.
To fix, add check for newly requested softap interface name with
previously registered softap interfaces and add if name is different
else return the existing one.
Change-Id: I103bd577db5c38e53b1ef12278a856a39790f8f7
CRs-Fixed: 2155854
MC addr list is an ndo operation that can be invoked by the kernel even
if the driver modules are closed, which can result in accessing
freed variables.
Reject the set/reset mc addr list when the modules are closed.
Change-Id: Ief83e18e6f8e431c7d68377f803ac602178f8913
CRs-Fixed: 2153099
TDLS peer delete function is not validating the return
status from PE, and it causes unpredictable errors.
Verify the return status and take the corresponding
action for the error cases.
Change-Id: I55c77842560917ca766fbfcbf26762d745a1d5e5
CRs-Fixed: 2144268
In addition to any other resource leak checks being done at runtime,
check for any leaked MC Timers as well.
Change-Id: Ic576eed3cf9b19824db6864a6b7b0466a6f03ea9
CRs-Fixed: 2125799
Add debugs to dump all the Vendor IEs of tag type 221 to identify
the IEs sent in the AP's beacons/probe response without need to sniffer.
Change-Id: I1896adc12b49a54e4cf39794e802c04f7ad22080
CRs-Fixed: 2156913
During frequent suspend/resume there is a possibility of csr scan timer
and hdd scan timer racing each other. Increase the hdd scan timer
value to double of the csr scan timer value to reduce the race allowing
hdd to abort the scan in case of timeout.
Change-Id: I03995498df692dc92dc87e8ef1fc8fd316965df0
CRs-Fixed: 2151994
In function wlan_hdd_cfg80211_set_ie, RSN IE is parsed and copied
into the buffer for length eLen + 2.
However, the buffer WPARSNIE is allocated only for
size. If eLen + 2 is greater than MAX_WPA_RSN_IE_LEN, a buffer overflow
would occur.
Add sanity check to make sure eLen does not exceed MAX_WPA_RSN_IE_LEN - 2.
Also increase the size of to 255 as per the spec
Change-Id: Ibf44e8dc1010e6e32b2262357d3aa180926d5c99
CRs-Fixed: 2154216
Change the existing cdp_peer_find_by_addr by calls to
cdp_peer_get_ref_by_addr and cdp_peer_release_ref. The new APIs
make sure that the peer is valid as long as the peer reference is not
released (call to cdp_peer_release_ref)
Change-Id: Ibde9944a9721e5dcf0f7838058c229539efae7e4
CRs-Fixed: 2139801
The existing peer API cdp_peer_find_by_addr does not maintain any peer
references. So a peer which is returned by the API may get deleted in a
different context. This may lead to access to an already deleted memory.
Fix the issue by introducing new APIs "peer_get_ref" and
"peer_release_ref" which make sure the peer is valid until it is
"released" (peer_release_ref is called).
Change-Id: I60175ee1d67f01e3ee4b48cb655d1728d29d08f4
CRs-Fixed: 2139801
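The cdp_peer_get_ref_by_addr/cdp_peer_release_ref change above, together with the earlier notes in this log on logically deleting a peer before its ref count is dropped and on checking "delete in progress" before storing a peer pointer into a temporary, describe one ownership pattern: a lookup hands out a counted reference, a peer marked for deletion is invisible to new lookups, and the object is freed only when the last reference is released. The C sketch below is an added example with an invented peer table; it is not the datapath's implementation and omits the locking a real driver needs around the table.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal peer table for illustration; names and layout are invented
 * for this example, not the datapath's own. */
#define PEER_SLOTS 4
#define ADDR_LEN   6

struct peer {
    bool    in_use;             /* slot allocated */
    bool    delete_in_progress; /* logically deleted: no new references */
    int     refcnt;             /* table's own reference + callers' references */
    uint8_t addr[ADDR_LEN];
};
static struct peer peer_table[PEER_SLOTS];

/* Allocate a peer; the table holds one reference until peer_delete(). */
struct peer *peer_create(const uint8_t addr[ADDR_LEN])
{
    for (int i = 0; i < PEER_SLOTS; i++) {
        struct peer *p = &peer_table[i];
        if (p->in_use)
            continue;
        memset(p, 0, sizeof *p);
        p->in_use = true;
        p->refcnt = 1;
        memcpy(p->addr, addr, ADDR_LEN);
        return p;
    }
    return NULL;
}

/* Look up by address and take a reference. A peer whose deletion is in
 * progress is skipped, so a caller never picks up an entry about to be
 * freed (the stale temp-variable hazard described above). */
struct peer *peer_get_ref_by_addr(const uint8_t addr[ADDR_LEN])
{
    for (int i = 0; i < PEER_SLOTS; i++) {
        struct peer *p = &peer_table[i];
        if (!p->in_use || p->delete_in_progress)
            continue;
        if (memcmp(p->addr, addr, ADDR_LEN) != 0)
            continue;
        p->refcnt++;
        return p;
    }
    return NULL;
}

/* Drop a reference; the slot is released only by the last holder. */
void peer_release_ref(struct peer *p)
{
    if (!p || p->refcnt <= 0)
        return;
    if (--p->refcnt == 0)
        p->in_use = false;          /* stands in for freeing the object */
}

/* Logical delete first, then drop the table's reference: a holder that
 * already has a ref keeps a valid object until it calls release. */
bool peer_delete(const uint8_t addr[ADDR_LEN])
{
    struct peer *p = peer_get_ref_by_addr(addr);
    if (!p)
        return false;
    p->delete_in_progress = true;   /* mark before any refcount drops */
    peer_release_ref(p);            /* the lookup's own reference */
    peer_release_ref(p);            /* the table's reference from peer_create */
    return true;
}

/* Scenario: a caller holds a reference across a delete. Returns the stage
 * reached; 3 means every expectation held. */
int demo_delete_while_referenced(void)
{
    static const uint8_t addr[ADDR_LEN] = { 0x02, 0, 0, 0, 0, 0x01 }; /* constructed */
    memset(peer_table, 0, sizeof peer_table);
    if (!peer_create(addr))
        return 0;
    struct peer *held = peer_get_ref_by_addr(addr);        /* refcnt 2 */
    if (!held || held->refcnt != 2)
        return 0;
    if (!peer_delete(addr) || !held->in_use || held->refcnt != 1)
        return 1;                                           /* still valid for 'held' */
    if (peer_get_ref_by_addr(addr) != NULL)
        return 2;                                           /* new lookups must fail */
    peer_release_ref(held);                                 /* last reference: slot freed */
    return held->in_use ? 2 : 3;
}

/* Scenario: deleting twice; the second delete finds nothing. */
bool demo_delete_twice(void)
{
    static const uint8_t addr[ADDR_LEN] = { 0x02, 0, 0, 0, 0, 0x02 }; /* constructed */
    memset(peer_table, 0, sizeof peer_table);
    if (!peer_create(addr))
        return false;
    bool first = peer_delete(addr);
    bool second = peer_delete(addr);
    return first && !second;
}

int main(void)
{
    printf("delete while referenced: stage %d (3 = ok); delete twice: %s\n",
           demo_delete_while_referenced(), demo_delete_twice() ? "ok" : "fail");
    return 0;
}
```

The two orderings the log calls out are visible in peer_delete: the delete_in_progress mark is set before the table's reference is dropped, and peer_get_ref_by_addr tests that flag before it hands a pointer to anyone.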
Memory leak is detected while processing the
measurement report request while another request
is under processing.
Pass an address of the pointer to the rrm beacon
request API to get the allocated memory address.
Change-Id: I83c44a6a7a4a8e1ce56e48b008e7d784cca1dc6d
CRs-Fixed: 2144031
In the monitor mode when the system is suspended
FW tries to send packets to host, which is not allowed, leading to a
system crash.
Acquire wakelock once the device enters monitor mode and block
the system from entering suspend.
Change-Id: I27ba2d43fd7b84bc1ae7e6046ab635065872b2d2
CRs-Fixed: 2130546
If mac_ctx->roam.configParam.qcn_ie_support is enabled driver adds
qcn ie in directed probe req, even if its already present in the
additional scan IEs. Thus in probe request two qcn ie are present.
To fix this add qcn ie only if roam.configParam.qcn_ie_support is set
and qcn ie is not present in the additional scan IE.
Change-Id: I4c7ea32dc06e5c62b4043dbd3794348f8185fd9b
CRs-Fixed: 2152795
Avoid using WMI HE Ops macro in lim and use dot11f struct for
HE Ops instead. Keep the translation to FW interpretation of
HE Ops in wma layer only.
Change-Id: Ie94795541aaddb7ae291ff451b938ebb96f74dbf
CRs-Fixed: 2145510
The host defines the iface ptr with:
iface = &wma_handle->interfaces[key_params->vdev_id], at line 1588
and if the WLAN_FEATURE_11W is not enabled, the host sets the
iface->is_waiting_for_key as false, without a NULL check of iface.
Fix is to add a NULL check for iface.
Change-Id: I69ed8f881b678458d16f1f74e87e31959c04ec63
CRs-Fixed: 2156921
WLAN Latency module (WLM) is added by fw to gain latency
because of schedule out of service like power saving,
scanning, roaming etc. per the level set by framework.
Change-Id: Id4305e5e66dcce464447aff56296c7d027347ea2
CRs-Fixed: 2142391
For sns test in some scenarios when tx hits invalid peer state it will
print massive logs, which will lead to a WD bark issue.
Move log level to lower info high from warn if tx hits invalid peer state.
Change-Id: I91d414e7203bf1e00094ca7b2fcebf80f4102082
CRs-Fixed: 2156472
Regpair for DM, DO, HN, JM, NA, PA, SN, XA are missing
which results in a crash.
Add regpair for country codes DM, DO, HN, JM, NA, PA, SN, XA.
Change-Id: I6d29f16a549121b9588d6fb68b78e14375e8eb8e
CRs-Fixed: 2154385
When a BSS is being started, the WLAN driver will abort all
scan requests, including the ACS scan initiated by the
secondary SAP, which will result in secondary SAP start
failure.
Use a different function to abort scans initiated by the
current session which is doing BSS starting so ACS scan
initiated by a second SAP will not be affected.
Change-Id: I442431e92e31cc8d3eb302ccca4249d0b4bedf82
CRs-Fixed: 2154230
csr_roaming_state_msg_processor() is declaring roam_info on stack
which is of size 736 bytes. Kernel stack has limited size and all
big data structures should be allocated from heap to avoid stack
overflow. Hence allocate roam_info struct from heap and free it
after callback has returned.
Change-Id: I282d9baa9f3e679bfd5b628f0baaadf4beec86af
CRs-Fixed: 2143439
The memdump feature allocates memory after the module has started,
leading to a false positive memory leak when the module is subsequently
stopped. Move memdump init to before the module is started in
hdd_wlan_startup, and memdump deinit to after the module is stopped in
hdd_wlan_exit.
Change-Id: I8df48e55e0f1e90fb4599469ce10f7741fb7a9a0
CRs-Fixed: 2157112
Currently, resource leak detection happens when the driver module is
unloaded. Instead move as much leak detection as possible to when the
driver transitions back into the closed state. This better supports
load-once-never-unload and built-in driver configurations.
Change-Id: I88be641948ffa4fff397a8eae40cf3b05c543673
CRs-Fixed: 2113606
If roaming is happening and then a set key response is
generated from WMA to PE, then there is a possibility
of not finding the PE session as the roaming happened
and new session is established. In such cases, return
failure from PE to SME so that the set key command is
released and the command queue is not stuck
Change-Id: Ieba8ea76a2a53322f2e392e6b0bf30360b1e8f8a
CRs-Fixed: 2150731
With current implementation, if sme_open_session sends down a command
to the Firmware and an SSR/PDR occurs, the thread is stuck on waiting
on an event. The thread also holds the rtnl lock and will keep
blocking any other thread from acquiring it till timeout occurs. This
can result in deadlock situation with IPA driver trying to execute
driver ops during the SSR/PDR notification callback.
Use the wait_for_event_completion API for waiting on event. With this
the event will be purged when driver receives FW_DOWN indication.
Change-Id: I2920fd36c0eb5bb5994e66e584d12a2a9d8f409a
CRs-Fixed: 2120226
Limit the max join attempts to two less than 1/3 of the total
command timeout value.
Change-Id: Ic52ec1cfa268a9e24e944f5d6e875e42d5a7b2be
CRs-Fixed: 2137346
qcacld-2.0 to qcacld-3.0 propagation
For HTT_T2H_MSG_TYPE_RX_OFFLOAD_DELIVER_IND, the msdu_cnt is a signed
integer coming from firmware. If msdu_cnt is set to a negative value,
or is greater than the number of current elements in the queue, the loop
will execute lots of times in ol_rx_offload_deliver_ind_handler, and
htt_rx_netbuf_pop will cause the BUG_ON issue sooner or later if it is
a low latency solution.
Changing the msdu_cnt type from signed to unsigned and adding validity
checking of msdu_cnt will fix this issue.
Change-Id: I436557a124074f59ab11fd937dfdc975b9caebe8
CRs-Fixed: 2149461
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of peer_id when the htt message
HTT_T2H_MSG_TYPE_PEER_MAP or HTT_T2H_MSG_TYPE_PEER_UNMAP is received from firmware
to ensure the buffer overflow does not happen.
Change-Id: Ib3f92f4de0b406a78bf34d348c07cb3981277513
CRs-Fixed: 2147119
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tid when the htt message
HTT_T2H_MSG_TYPE_RX_FLUSH or HTT_T2H_MSG_TYPE_RX_PN_IND is received from firmware
to ensure the buffer overflow does not happen.
And correct the sequence number type from signed int to unsigned.
Change-Id: Ibff86e891c335bfe8c2f9db82410545036463ed3
CRs-Fixed: 2149399
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of num_msdus when the htt message
HTT_T2H_MSG_TYPE_TX_COMPL_IND or HTT_T2H_MSG_TYPE_TX_INSPECT_IND is received from
firmware to ensure the buffer overflow does not happen.
Change-Id: Ic6ce75f34c5e2705d174eda014350e6ef0391388
CRs-Fixed: 2146869
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of credits when the htt message
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND or HTT_T2H_MSG_TYPE_TX_COMPL_IND
is received from firmware to ensure the integer overflow does not happen if these
messages are invoked many times.
Change-Id: I01386b88f1b677153f3e51e055b7fbac073cd6b3
CRs-Fixed: 2147127
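The HTT T2H fixes above all bound a value chosen by firmware before it is used: peer_id and tid as array indices, msdu_cnt against the current queue occupancy as an unsigned quantity, and credit updates against the remaining headroom so that repeated messages cannot wrap the accumulator. The C handler below is an added example written for this changelog, not the driver's htt_t2h code; its message struct, datapath state fields and limits are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the T2H message types discussed above; the
 * field names and the datapath state are invented for this example. */
enum htt_type { MSG_PEER_MAP, MSG_RX_FLUSH, MSG_RX_OFFLOAD_DELIVER, MSG_TX_CREDIT_UPDATE };

struct htt_msg {
    enum htt_type type;
    uint32_t peer_id;   /* index into the peer map */
    uint32_t tid;       /* index into per-peer reorder state */
    uint32_t count;     /* msdu_cnt or credit delta, exactly as sent on the wire */
};

struct dp_state {
    uint32_t max_peers;
    uint32_t max_tids;
    uint32_t rx_queued;     /* MSDUs currently sitting in the rx netbuf queue */
    uint32_t credits;       /* tx credits currently held */
    uint32_t max_credits;   /* size of the credit pool */
};

enum htt_rc { HTT_OK = 0, HTT_BAD_PEER_ID, HTT_BAD_TID, HTT_BAD_COUNT, HTT_CREDIT_OVERFLOW };

enum htt_rc handle_htt_msg(struct dp_state *s, const struct htt_msg *m)
{
    switch (m->type) {
    case MSG_PEER_MAP:
        /* peer_id is used as an array index: bound it before any write */
        if (m->peer_id >= s->max_peers)
            return HTT_BAD_PEER_ID;
        return HTT_OK;
    case MSG_RX_FLUSH:
        if (m->peer_id >= s->max_peers)
            return HTT_BAD_PEER_ID;
        if (m->tid >= s->max_tids)
            return HTT_BAD_TID;
        return HTT_OK;
    case MSG_RX_OFFLOAD_DELIVER:
        /* Treat msdu_cnt as unsigned: a "negative" wire value such as
         * 0xffffffff fails the occupancy test instead of driving a loop
         * that keeps popping an empty queue. */
        if (m->count == 0 || m->count > s->rx_queued)
            return HTT_BAD_COUNT;
        s->rx_queued -= m->count;
        return HTT_OK;
    case MSG_TX_CREDIT_UPDATE:
        /* Overflow-safe accumulation: compare against the headroom rather
         * than adding first, so repeated updates can never wrap. */
        if (m->count > s->max_credits - s->credits)
            return HTT_CREDIT_OVERFLOW;
        s->credits += m->count;
        return HTT_OK;
    }
    return HTT_BAD_COUNT;
}

/* Constructed message sequence; returns a bitmask of which messages were
 * rejected, so the caller can see exactly which checks fired. */
unsigned demo_rejections(void)
{
    struct dp_state s = { .max_peers = 32, .max_tids = 17, .rx_queued = 8,
                          .credits = 0, .max_credits = 100 };
    const struct htt_msg seq[] = {
        { MSG_PEER_MAP,           31,  0, 0 },            /* ok: last valid peer       */
        { MSG_PEER_MAP,           32,  0, 0 },            /* reject: peer_id == max    */
        { MSG_RX_FLUSH,            3, 17, 0 },            /* reject: tid == max        */
        { MSG_RX_OFFLOAD_DELIVER,  0,  0, 8 },            /* ok: drains the queue      */
        { MSG_RX_OFFLOAD_DELIVER,  0,  0, 0xffffffffu },  /* reject: "-1" on the wire  */
        { MSG_TX_CREDIT_UPDATE,    0,  0, 60 },           /* ok: 60 of 100             */
        { MSG_TX_CREDIT_UPDATE,    0,  0, 60 },           /* reject: would exceed pool */
    };
    unsigned mask = 0;
    for (unsigned i = 0; i < sizeof seq / sizeof seq[0]; i++)
        if (handle_htt_msg(&s, &seq[i]) != HTT_OK)
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    printf("rejected message mask: 0x%02x\n", demo_rejections());
    return 0;
}
```

Messages 1, 2, 4 and 6 of the constructed sequence are rejected (mask 0x56): the two index checks, the unsigned occupancy check that catches the former negative msdu_cnt, and the headroom check that stops the credit counter from wrapping on the second update.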