QCA6290 non-AX chipset is deprecated, so enable changes for QCA6290 AX
chipset by default.
Change-Id: I09b52dc58c1a79e36502671de94021d5940d0072
CRs-fixed: 2331182
Check for dhcp packet type before processing on packet sta_id.
This reduces per packet mem_copy and mem_cmp instructions for
sap Rx.
Change-Id: I4a2732ff4d9e3fa31aace25cc824f26b0c339b52
CRs-Fixed: 2331420
In proc_dnld_rsp, pHdr->sBufSize is coming from a fw message
which could not be trusted. Before its use, proc_dnld_rsp
should verify it against its max allowed size (UINT_MAX).
Fix is to add a sanity check for pHdr->sBufSize against UINT_MAX
before its use.
Change-Id: I6ec970483af860d5e42d6adac640274743f44f1a
CRs-Fixed: 2308333
There is no sanity check for hdd context and sap config in
start acs api which may lead to NULL pointer access.
To avoid this issue, validate hdd context and sap config
before accessing these pointers.
Change-Id: I0a3f6a91a6bc5a517c035c9e7d706e66aea62fd4
CRs-Fixed: 2331412
Currently only the WLAN_SER_CMD_DENIED_UNSPECIFIED is returned as
failure to HDD when a command is posted into serialization from
SME/CSR. This can lead to HDD getting a status as success if the
command posting failed due to some other reason code in serialization
like WLAN_SER_CMD_DENIED_LIST_FULL.
Handle all serialization reason codes in csr_queue_sme_command API.
Change-Id: Icce5b9f560320b99feb985dead9d06489caa8b5c
CRs-Fixed: 2330852
Currently in function wlan_hdd_cfg80211_start_bss(), supported rates
and extended rates are copied from the information element pointer
without checking for array bounds, which may cause OOB access.
To address this issue, add length checks before copying supported
rates and extended rates.
Change-Id: Ic6363e97bb3498a5dd23bc5e5f9b9f3ce093509d
CRs-Fixed: 2312995
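The length check described in the commit message above, sketched as a stand-alone added example (not the driver's code). `copy_rates`, `struct rate_set` and `MAX_RATES` are hypothetical names and sizes; the element IDs 1 and 50 are the 802.11 Supported Rates and Extended Supported Rates IDs, and the IE bytes in `main` are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EID_SUPP_RATES     1   /* 802.11 Supported Rates element ID */
#define EID_EXT_SUPP_RATES 50  /* 802.11 Extended Supported Rates element ID */
#define MAX_RATES          12  /* hypothetical size of the destination array */

struct rate_set {
    uint8_t num;
    uint8_t rate[MAX_RATES];
};

/* Walk an [id][len][payload] IE buffer and copy the payload of element `eid`.
 * Returns the number of rates copied, 0 if the element is absent, or -1 if
 * an element is truncated or its length exceeds the destination array. */
int copy_rates(uint8_t eid, const uint8_t *ies, size_t len, struct rate_set *out)
{
    out->num = 0;
    while (len >= 2) {
        size_t elen = ies[1];            /* length byte comes from the caller */

        if (elen + 2 > len)
            return -1;                   /* element runs past the buffer */
        if (ies[0] == eid) {
            if (elen > sizeof(out->rate))
                return -1;               /* copy would overflow out->rate */
            memcpy(out->rate, ies + 2, elen);
            out->num = (uint8_t)elen;
            return (int)elen;
        }
        ies += elen + 2;
        len -= elen + 2;
    }
    return 0;
}

int main(void)
{
    /* Constructed IE buffer: SSID "ab", 4 supported rates, 2 extended rates. */
    const uint8_t ies[] = { 0, 2, 'a', 'b', 1, 4, 0x82, 0x84, 0x8b, 0x96,
                            50, 2, 0x0c, 0x12 };
    struct rate_set rs;

    printf("supported: %d\n", copy_rates(EID_SUPP_RATES, ies, sizeof(ies), &rs));
    printf("extended:  %d\n", copy_rates(EID_EXT_SUPP_RATES, ies, sizeof(ies), &rs));
    return 0;
}
```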
The below APIs log failure with caller information,
so there is no need for logs at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I392fd31f2ae1e46a0d7ceaa657b77fad4efd31eb
CRs-Fixed: 2327098
The below APIs log failure with caller information,
so there is no need for logs at the caller.
qdf_mem_malloc_atomic()
qdf_mem_malloc()
wmi_buf_alloc()
qdf_nbuf_alloc()
wmi_unified_cmd_send()
Change-Id: I5d7d49811d71f83ecafccd9f936af323073b32c6
CRs-Fixed: 2327098
PLD FW down uevent is asynchronous which races against all critical
driver transition events like probe, remove, shutdown, reinit and
hence move wmi_stop to wma shutdown notifier callback such that it's
protected against all critical driver transition events.
Change-Id: I91046efeab8bc13b9f5c37d5a4d02b66c63e35a9
CRs-Fixed: 2330980
Add bound check for new fixed_param->total_num_tx_power_levels
with its old value of rs_results->total_num_tx_power_levels in
wma_unified_radio_tx_power_level_stats_event_handler.
rs_results->tx_time_per_power_level is allocated only once
if it has not been already allocated. This allocation is saved
into the global wma_handle structure.
If multiple invocations of this handler occur then a buffer
overflow can occur in the following scenario:
1. First message is used to allocate rs_results->tx_time_per_power_level
with a small, but valid size.
2. Second message skips allocation of rs_results->tx_time_per_power_level
since it was done with the first message. This message specifies a larger
valid value and causes the qdf_mem_copy() to overflow.
Change-Id: Ib9c7d3bd667e2ffc1408cd7356be35985331e028
CRs-Fixed: 2327688
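The two-message scenario from the commit message above, as a stand-alone added example (not the driver's code). `handle_tx_power_event`, `struct radio_stats` and `MAX_LEVELS` are hypothetical stand-ins, the comparison used is an assumption about the shape of the check, and the event payloads are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_LEVELS 64u /* hypothetical upper bound, not the driver's value */

/* Stand-in for the results object that lives in the global handle. */
struct radio_stats {
    uint32_t total_num_tx_power_levels; /* count the buffer was sized for */
    uint32_t *tx_time_per_power_level;  /* allocated once, reused afterwards */
};

/* Process one event carrying `n` levels. Returns 0 on success, -1 if rejected. */
int handle_tx_power_event(struct radio_stats *rs, uint32_t n, const uint32_t *levels)
{
    if (n == 0 || n > MAX_LEVELS)
        return -1;
    if (!rs->tx_time_per_power_level) {
        /* First event: allocate and record the size the buffer was made for. */
        rs->tx_time_per_power_level = calloc(n, sizeof(uint32_t));
        if (!rs->tx_time_per_power_level)
            return -1;
        rs->total_num_tx_power_levels = n;
    } else if (n > rs->total_num_tx_power_levels) {
        /* Later event claims more levels than the existing buffer holds.
         * Without this check the memcpy below writes past the allocation. */
        return -1;
    }
    memcpy(rs->tx_time_per_power_level, levels, (size_t)n * sizeof(uint32_t));
    return 0;
}

int main(void)
{
    struct radio_stats rs = { 0, NULL };
    const uint32_t first[2] = { 10, 20 };                   /* constructed */
    const uint32_t second[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };  /* constructed */

    printf("first event (2 levels):  %d\n", handle_tx_power_event(&rs, 2, first));
    printf("second event (8 levels): %d\n", handle_tx_power_event(&rs, 8, second));
    free(rs.tx_time_per_power_level);
    return 0;
}
```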
Change I8cd30439d7ac3de7b550aa5042353cf30e04cbda recently introduced
misleading indentation in sme_update_tx_bfee_nstsi(). Not only does this
cause a build failure for some configurations, but is also dangerously
confusing for future readers. Remove the misleading indentation in
sme_update_tx_bfee_nstsi().
Change-Id: Ia971c414b433eeaff51eb4c65d3d2f56c49617b1
CRs-Fixed: 2330256
In the function csr_roam_chk_lnk_swt_ch_ind(), newChannelId is
updated to session->pConnectBssDesc->channelId and
pConnectBssDesc->ieFields is passed to wlan_cfg_get_ie_ptr().
The parameters of pConnectBssDesc are accessed without
validating pConnectBssDesc. This can result in possible null
pointer dereference.
Validate the session->pConnectBssDesc before access.
Change-Id: I45f2c090cea90052f91d678f1bacd1411c4b9496
CRs-Fixed: 2329317
When interface change timer expires, wma_wmi_service_close() is
called from hdd_iface_change_callback()->hdd_wlan_stop_modules()
->cds_close(). wmi_handle is made null here. At the same time,
if there is a modem reboot, host will receive early
indication from FW. Due to this, icnss driver sent
ICNSS_UEVENT_FW_DOWN event to host and it calls wmi_stop() again
from icnss_call_driver_uevent()->pld_snoc_uevent()->
wlan_hdd_pld_uevent() -> wlan_hdd_set_the_pld_uevent()->
wma_wmi_stop() -> wmi_stop(). As wmi_handle was marked
null during wlan stop modules, this causes a potential NULL
pointer dereference.
Flush iface_idle_work before wma_wmi_stop and add NULL check
before accessing wmi_handle.
Change-Id: I1bfa8ab7329040c0b5ba989c0d7de7bf7228dd35
CRs-Fixed: 2328575
Add sanity check for vdev_id in wma_lost_link_info_handler
against wma_handle->max_bssid.
Change-Id: I1f469b25ac88deb4d5bbaf754c0ea441e6cb04de
CRs-Fixed: 2325718
When disconnect is issued from userspace, lim_del_bss is invoked
and vdev stop is sent to firmware. If sending vdev stop fails,
WMA_DELETE_BSS_RSP is posted with failure. If an SSR is
happening during this time, then cds_mc_thread is preempted, and
as part of the pld uevent vdev resp queue cleanup is done. In
this path, lim_process_sta_mlm_del_bss_rsp is called and
msg->bodyptr is freed and pe session is deleted. After pld
uevent execution, the delete bss response processing in
cds_mc_thread as part of user space disconnect resumes and tries
to free the msg->bodyptr again. This results in double free.
Add check to validate if msg->bodyptr is NULL before freeing
the memory.
Change-Id: I491e5bab640aca6546b58755502dd00aa1bc6083
CRs-Fixed: 2324482
Make the following updates to the extscan get capabilities logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
Change-Id: I9e57c86a3da0924af01d82d626b61c28f7d520bf
CRs-Fixed: 2330211
In __wlan_hdd_cfg80211_suspend_wlan(), suspend process is bailed out
if hdd_suspend_wlan() < 0 due to which RX thread waits for completion
of ol_resume_rx_event.
Do completion of ol_resume_rx_event in __wlan_hdd_cfg80211_suspend_wlan
for error path to resume RX thread.
Change-Id: I8bf056f82d80e063b2e32a1a6573d7a36ced67dc
CRs-Fixed: 2327238
In con_mode handler, adapters are getting deinitialized
while cleaning up present mode which is happening after
stop modules. In stop modules driver checks for memory
leak which results in mem leak detection for the adapters
which are not freed yet.
To address this issue, move the deinitialization of the
adapters from clean up present mode to stop present mode, which
happens before stop modules.
Change-Id: I9cda456feb2b0c199f5c8d4debee21f0e07c47fb
CRs-Fixed: 2326340
Currently if the dot11Mode INI is set to 11b_only mode and the BSS we
are trying to connect is 11b/g mixed mode, then the connection happens
with phyMode 1 (11 b/g) but the data rates are set only for 11b mode
which leads the FW to assert when a data traffic with 11g rates is
triggered.
Connect to the BSS in 11b mode only if the INI is set to 11b_only and
the BSS we are trying to connect is in 11b/g mode.
Change-Id: I952394323efeacf5baae39b3a6d2adf7eae96a81
CRs-Fixed: 2328434
Remove the QDF_BUG() from sanity check of pdev_id passed with
pdev_hw_mode_trans_ind event from FW.
Change-Id: I91bb697993e129bf3f8ff62900e21f85dbe85efc
CRs-Fixed: 2328603
In order to catch and debug long running transitions, add a watchdog
timer to Driver Synchronization Core (DSC) transition start/stop call
pairs. If the timer expires, panic the driver for offline debugging.
Change-Id: I9b64fdb9cc20e1225394702d58b24db92a2d67e1
CRs-Fixed: 2328596
In order to catch and debug long waiting transitions, add a watchdog
timer to Driver Synchronization Core (DSC) transition start wait calls.
If the timer expires, panic the driver for offline debugging.
Change-Id: I557f87ada182ced389e7d5e63fe8b78f47e1d6b5
CRs-Fixed: 2328594
Register recovering state query callback to common qdf
platform component to provide recovering state.
Change-Id: If5d1b30f0617d9f8cef41787da1e829a792105f8
CRs-Fixed: 2320797
Make the following updates to the extscan get cached results logic:
1) Exclusively use the Unified WMI data structures.
2) Update the HDD<=>SME interface to enforce the contract that SME
must not make any assumptions about the buffers provided by HDD.
Change-Id: I4144aa4cdb9c6d3ddaae30eedaec3096abf95857
CRs-Fixed: 2329405