From f155c675e56f678b63279d6c04d98c5e32082f55 Mon Sep 17 00:00:00 2001 From: Jeff Johnson Date: Mon, 12 Jun 2017 10:42:48 -0700 Subject: [PATCH 1/3] qcacmn: Validate vendor abort scan command In wlan_vendor_abort_scan(), nla_parse() is invoked without specifying a policy. This can result in a buffer overread when processing the QCA_WLAN_VENDOR_ATTR_SCAN_COOKIE attribute. To avoid this issue introduce a "scan_policy" (replicated from qcacld-3.0) and use this policy when invoking nla_parse(). Change-Id: Ia3e5cb7535bf0f700399e4a49c9c5da362a3ccf6 CRs-Fixed: 2059857 --- os_if/linux/scan/src/wlan_cfg80211_scan.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/os_if/linux/scan/src/wlan_cfg80211_scan.c b/os_if/linux/scan/src/wlan_cfg80211_scan.c index a0c421851b..66f95bde7f 100644 --- a/os_if/linux/scan/src/wlan_cfg80211_scan.c +++ b/os_if/linux/scan/src/wlan_cfg80211_scan.c @@ -38,6 +38,13 @@ #include #endif +static const +struct nla_policy scan_policy[QCA_WLAN_VENDOR_ATTR_SCAN_MAX + 1] = { + [QCA_WLAN_VENDOR_ATTR_SCAN_FLAGS] = {.type = NLA_U32}, + [QCA_WLAN_VENDOR_ATTR_SCAN_TX_NO_CCK_RATE] = {.type = NLA_FLAG}, + [QCA_WLAN_VENDOR_ATTR_SCAN_COOKIE] = {.type = NLA_U64}, +}; + #if (LINUX_VERSION_CODE >= KERNEL_VERSION(4, 4, 0)) static uint32_t hdd_config_sched_scan_start_delay( struct cfg80211_sched_scan_request *request) @@ -1330,7 +1337,7 @@ int wlan_vendor_abort_scan(struct wlan_objmgr_pdev *pdev, pdev_id = wlan_objmgr_pdev_get_pdev_id(pdev); if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_SCAN_MAX, data, - data_len, NULL)) { + data_len, scan_policy)) { cfg80211_err("Invalid ATTR"); return ret; } From e99d6683f7313d90c7015baf4a1fce44b91a1b25 Mon Sep 17 00:00:00 2001 
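Review bot: The new scan_policy table validates only the three attributes it lists; every other slot of `scan_policy[QCA_WLAN_VENDOR_ATTR_SCAN_MAX + 1]` stays zero-initialized, which the kernel's nla_policy semantics treat as NLA_UNSPEC with no type or length check, so any other QCA_WLAN_VENDOR_ATTR_SCAN_* attribute is accepted with an arbitrary payload. That is sufficient for wlan_vendor_abort_scan, which per the commit message consumes only QCA_WLAN_VENDOR_ATTR_SCAN_COOKIE, but the generic name invites reuse by other handlers in this file that read more attributes. I would add above the definition: `/* Policy for QCA_WLAN_VENDOR_ATTR_SCAN_* attributes. Attributes not listed here get no type/length check from nla_parse(); add an entry before reading any further attribute from tb[]. */`. The table is placed before the LINUX_VERSION_CODE conditional, so it is compiled unconditionally, which looks intended.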
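Review bot: Passing scan_policy closes the overread for a present-but-short QCA_WLAN_VENDOR_ATTR_SCAN_COOKIE (NLA_U64 now requires an 8-byte payload), but a policy does not enforce presence: the code after this hunk that reads the cookie must still check `if (!tb[QCA_WLAN_VENDOR_ATTR_SCAN_COOKIE])` and bail out before calling nla_get_u64(), otherwise the fix only covers one of the two malformed-request shapes. The failure path here returns `ret` without assigning it; its initial value is set outside the hunk and presumably is an error code such as -EINVAL, which is worth confirming so that a rejected request is not reported to the caller as success. wlan_vendor_abort_scan begins before this hunk and its body continues past it.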
From: Deepak Dhamdhere Date: Thu, 9 Feb 2017 19:40:26 -0800 Subject: [PATCH 2/3] qcacmn: Enable PMK cache and OKC with RSO command Firmware now supports PMK caching in addition to OKC (Opportunistic Key Caching). Use additional bit flags to enable PMK caching in PMK configuration in roam offload scan request. CRs-Fixed: 2004963 Change-Id: I536a4d45d5d915ab02dc13db6124a1ce8949fe48 --- wmi/inc/wmi_unified_param.h | 8 +++++--- wmi/src/wmi_unified_tlv.c | 17 ++++++++++++++--- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/wmi/inc/wmi_unified_param.h b/wmi/inc/wmi_unified_param.h index 6a357c46f3..af5e192d45 100644 --- a/wmi/inc/wmi_unified_param.h +++ b/wmi/inc/wmi_unified_param.h @@ -1795,7 +1795,7 @@ struct mobility_domain_info { #define WMI_HOST_ROAM_OFFLOAD_NUM_MCS_SET (16) /* This TLV will be filled only in case roam offload - * for wpa2-psk/okc/ese/11r is enabled */ + * for wpa2-psk/pmkid/ese/11r is enabled */ typedef struct { /* * TLV tag and len; tag equals @@ -1838,7 +1838,8 @@ typedef struct { * @rokh_id: r0kh id * @roam_key_mgmt_offload_enabled: roam offload flag * @auth_mode: authentication mode - * @okc_enabled: enable opportunistic key caching + * @fw_okc: use OKC in firmware + * @fw_pmksa_cache: use PMKSA cache in firmware * @is_ese_assoc: flag to determine ese assoc * @mdid: mobility domain info * @roam_offload_params: roam offload tlv params @@ -1861,7 +1862,8 @@ struct roam_offload_scan_params { uint8_t rokh_id[WMI_ROAM_R0KH_ID_MAX_LEN]; uint8_t roam_key_mgmt_offload_enabled; int auth_mode; - bool okc_enabled; + bool fw_okc; + bool fw_pmksa_cache; #endif bool is_ese_assoc; struct mobility_domain_info mdid; diff --git a/wmi/src/wmi_unified_tlv.c b/wmi/src/wmi_unified_tlv.c index 07009e4dec..e27e1de4f8 100644 --- a/wmi/src/wmi_unified_tlv.c +++ b/wmi/src/wmi_unified_tlv.c 
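Review bot: The reworded comment now lists `wpa2-psk/pmkid/ese/11r` and drops okc, yet OKC remains a supported mode in this same series (send_roam_scan_offload_mode_cmd_tlv still sets WMI_SET_ROAM_OFFLOAD_OKC_ENABLED from fw_okc), so the comment under-describes when this TLV is filled. Adding the new mode rather than substituting it is more accurate: `* for wpa2-psk/okc/pmkid/ese/11r is enabled */`. Documentation only; no code change needed.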
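Review bot: The new kernel-doc lines for `@fw_okc` and `@fw_pmksa_cache` do not record that either flag is honored only when roam_key_mgmt_offload_enabled is also set, which is how send_roam_scan_offload_mode_cmd_tlv consumes them in this series; a caller reading the header alone would assume the bool by itself enables the feature. Suggest `* @fw_okc: use OKC in firmware (honored only with roam_key_mgmt_offload_enabled)` and `* @fw_pmksa_cache: use PMKSA cache in firmware (honored only with roam_key_mgmt_offload_enabled)`. The trailing `#endif` after the new fields shows both are under a feature conditional whose `#ifdef` lies outside the hunk, so the comment could also name that condition if it is a build-time option.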
@@ -5436,15 +5436,26 @@ static QDF_STATUS send_roam_scan_offload_mode_cmd_tlv(wmi_unified_t wmi_handle, buf_ptr += WMI_TLV_HDR_SIZE; roam_offload_11i = (wmi_roam_11i_offload_tlv_param *) buf_ptr; + if (roam_req->roam_key_mgmt_offload_enabled && - roam_req->okc_enabled) { + roam_req->fw_okc) { WMI_SET_ROAM_OFFLOAD_OKC_ENABLED (roam_offload_11i->flags); - WMI_LOGE("LFR3:OKC Enabled"); + WMI_LOGE("LFR3:OKC enabled"); } else { WMI_SET_ROAM_OFFLOAD_OKC_DISABLED (roam_offload_11i->flags); - WMI_LOGE("LFR3:OKC Disabled"); + WMI_LOGE("LFR3:OKC disabled"); + } + if (roam_req->roam_key_mgmt_offload_enabled && + roam_req->fw_pmksa_cache) { + WMI_SET_ROAM_OFFLOAD_PMK_CACHE_ENABLED + (roam_offload_11i->flags); + WMI_LOGE("LFR3:PMKSA caching enabled"); + } else { + WMI_SET_ROAM_OFFLOAD_PMK_CACHE_DISABLED + (roam_offload_11i->flags); + WMI_LOGE("LFR3:PMKSA caching disabled"); } qdf_mem_copy(roam_offload_11i->pmk, From be23decc0672d8308c50253a12e7dc4654fec863 Mon Sep 17 00:00:00 2001 From: Kiran Venkatappa Date: Thu, 22 Jun 2017 14:39:00 +0530 Subject: [PATCH 3/3] qcacmn: Initialize mac_phy_count to zero before populating macphy params mac_phy_count should be initialized to zero before populating machphy params. Target stop/start framework skips attach/detach which means mac_phy_count should be initialized explicitly. Change-Id: I9fe537c3a7e375397982174f6a63599a961ba8d3 CRs-Fixed: 2065321 --- target_if/init_deinit/src/service_ready_event_handler.c | 1 + 1 file changed, 1 insertion(+) diff --git a/target_if/init_deinit/src/service_ready_event_handler.c b/target_if/init_deinit/src/service_ready_event_handler.c index b416054a9a..dabbf6a7e3 100644 --- a/target_if/init_deinit/src/service_ready_event_handler.c +++ b/target_if/init_deinit/src/service_ready_event_handler.c 
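Review bot: Both new branches log a routine configuration decision with WMI_LOGE, so every roam-offload command now emits two error-level lines ("LFR3:OKC enabled"/"LFR3:PMKSA caching enabled" or their disabled variants) even when nothing is wrong; the commit only adjusts capitalization of the existing ones. These are debug information and, if the file's debug-level macro is available, should read `WMI_LOGD("LFR3:PMKSA caching enabled");` and likewise for the other three. The OKC and PMKSA blocks also repeat the `roam_req->roam_key_mgmt_offload_enabled &&` guard; hoisting it into a local such as `bool key_mgmt_offload = roam_req->roam_key_mgmt_offload_enabled;` would make the shared dependency explicit and keep the two flag checks parallel. send_roam_scan_offload_mode_cmd_tlv begins before this hunk and continues past it (the PMK copy that follows is only partially visible).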
@@ -298,6 +298,7 @@ int init_deinit_service_ext_ready_event_handler(ol_scn_t scn_handle, if (err_code) goto free_param_and_exit; + psoc->total_mac_phy = 0; err_code = populate_hw_mode_capability(wmi_handle, event, &psoc->total_mac_phy,