Memory will leak when pe_handle_mgmt_frame receives a data frame
and FEATURE_WLAN_ESE is undefined.
Change-Id: I2b3165d7209931e8de5049cd69bf3a3bb48dafd6
CRs-Fixed: 2147025

Currently during lro enablement (hdd_lro_enable), we reset tcp delack by
sending a message to cnss-daemon (hdd_reset_tcp_delack). This function
is also resetting tcp_adv_win_scale param. This ignores the ini param
gTcpAdvWinScaleEnable.

If gTcpAdvWinScaleEnable is set to "0", the WLAN driver should not
manipulate the tcp_adv_win_scale system parameter.

Remove tcp_adv_win_scale manipulation from the hdd_reset_tcp_delack
function.
CRs-Fixed: 2034097
Change-Id: I98769273059a8b874845a98873d9d4fcab52ad79

Typically set hw mode & Nss update happen at the same time. Since the
order of these 2 actions may not always be the same, make them independent
of each other.
Change-Id: I652ad08e16680991535e0f064c7b5996f4f58792
CRs-Fixed: 2145006

In the csr_issue_11d_scan API, the driver initializes the timer of "scan_11d_cmd"
with the "scan_cmd" timer param instead of the "scan_11d_cmd" timer. So when this
timer is stopped/started, the timer API throws an error as it is an uninitialized
timer for the 11d scan command.

Fix is to pass the correct parameter scan_11d_cmd->u.scanCmd.csr_scan_timer
in function csr_issue_11d_scan in order to initialize the timer for the 11d scan.
Change-Id: I848c70eae45890dfc7b3b327cf649e0eac41d982
CRs-Fixed: 2143243

The target_type is incorrect in the hdd_context.

Call hdd_wlan_update_target_info after calling bmi_download_firmware,
which will get target_info from the target.
Change-Id: I0fa9834f4adb1fccfbb0d450e2026188bc2be942
CRs-Fixed: 2146174

In the sme_rrm_process_beacon_report_req_ind() function,
memory is not freed in the error condition, and this
causes a leak in the system.

Release the memory for all error
conditions.
Change-Id: Ie4447a8f347e2feeb91155cd36872c6a69307db3
CRs-Fixed: 2144032

Currently the driver is creating a PMF timer for all non-PMF as well as
PMF PEERs, which is unnecessary.

Create a PMF timer for each PEER only when the PEER associates in 80211W-PMF
mode.
CRs-Fixed: 2145687
Change-Id: I698de22a075f3307253db811b7ae616ebe48c127

Enable support for a concurrent STA interface to be open during startup
using the ini param gEnableConcurrentSTA.
Change-Id: Iede1f8673fb682753e31ed8f376453692938e4ba

When the MEMORY_DEBUG macro is defined for debugging memory issues,
even in the normal case it still reports a double free for the ipa
i2w SKB.

Fix is to add the ipa i2w SKB to the internal tracking table.
Change-Id: I27b0afc79e8c39c99a73ec9a65a348ebf85960b6
CRs-Fixed: 2145344

User defined wowl patterns are not freed in all
of the driver unload paths, and it causes
leaks in the system.

Free user defined wowl patterns in all the driver
unload paths.
Change-Id: I7b980a6392badb3d28f2c665a96108beb71f02d5
CRs-Fixed: 2144562

WLAN driver's vendor scan request handler function declares ie_len
as uint8_t whereas kernel's cfg80211_scan_request ie_len is declared
as size_t. This type mismatch for ie_len leads to WLAN driver allocating
less memory on heap because of implicit integer overflow when kernel's
ie_len (declared as size_t) is bigger than hex 0xFF and when scan request
data is copied it overflows the allocated heap memory.

In WLAN driver's vendor scan request handler declare ie_len and len also
of type size_t such that always correct size heap memory is allocated and
there is no heap overflow during memory copy.
Change-Id: I240113d34c561c7155303b0b8b253c0cbaf7724b
CRs-Fixed: 2145573
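
The width mismatch described in the commit above, as an added illustration that is not the driver's own code: a constructed `kernel_scan_req` stands in for the kernel's cfg80211_scan_request (its `ie_len` is `size_t`), and `driver_alloc_len` sizes the driver-side buffer either through a `uint8_t` (the pre-fix width) or a `size_t` (the post-fix width). `scan_req_copy_overrun` reports how many bytes a copy of the full request would write past the allocation; it only performs the `memcpy` when the buffer fits, so the program itself never corrupts memory. All struct and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the kernel's cfg80211_scan_request: the kernel
 * carries ie_len as size_t. (Illustration only, not the driver's own code.) */
struct kernel_scan_req {
    size_t ie_len;
    const uint8_t *ie;
};

/* Size the driver-side heap buffer for the IEs. `narrow_len` reproduces the
 * pre-fix behaviour: the length is stored in a uint8_t before being used to
 * size the allocation, so anything above 0xFF is silently truncated. */
static size_t driver_alloc_len(size_t kernel_ie_len, int narrow_len)
{
    if (narrow_len) {
        uint8_t ie_len = (uint8_t)kernel_ie_len;   /* size_t -> uint8_t narrowing */
        return ie_len;
    }
    return kernel_ie_len;                           /* post-fix: same width as the kernel */
}

/* Simulate the handler copying the IEs into a freshly allocated buffer.
 * Returns the number of bytes the copy would write past the allocation
 * (0 means the allocation fits the data). The memcpy is only performed when
 * it fits, so this illustration never corrupts memory. */
size_t scan_req_copy_overrun(const struct kernel_scan_req *req, int narrow_len)
{
    size_t alloc_len = driver_alloc_len(req->ie_len, narrow_len);
    uint8_t *buf;

    if (req->ie_len > alloc_len)
        return req->ie_len - alloc_len;   /* memcpy(buf, req->ie, req->ie_len) would overrun */

    buf = malloc(alloc_len ? alloc_len : 1);
    if (!buf)
        return 0;   /* allocation failure is not an overrun; real code would return an error */
    memcpy(buf, req->ie, req->ie_len);
    free(buf);
    return 0;
}

/* Drive the handler with a constructed IE blob of `len` bytes (capped at 1024). */
size_t overrun_for_len(size_t len, int narrow_len)
{
    uint8_t blob[1024];
    struct kernel_scan_req req;
    size_t i;

    if (len > sizeof(blob))
        len = sizeof(blob);
    for (i = 0; i < len; i++)
        blob[i] = (uint8_t)i;   /* constructed IE bytes */
    req.ie_len = len;
    req.ie = blob;
    return scan_req_copy_overrun(&req, narrow_len);
}

int main(void)
{
    printf("ie_len 0x80:  narrowed overrun %zu, fixed overrun %zu\n",
           overrun_for_len(0x80, 1), overrun_for_len(0x80, 0));
    printf("ie_len 0x1FF: narrowed overrun %zu, fixed overrun %zu\n",
           overrun_for_len(0x1FF, 1), overrun_for_len(0x1FF, 0));
    return 0;
}
```

For an IE length of 0x1FF the narrowed path allocates 0xFF bytes and the copy would run 256 bytes past the buffer; below 0x100 both paths agree, which is why the defect only shows up with larger scan requests. A compiler warning such as `-Wconversion` would have flagged the narrowing assignment.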

Replace target name sdxhedgehog with sdx20 to maintain
consistency with other components on the same platform.
Change-Id: I257c082c9427f5fb7d699d11924b6bdc1b59f661
CRs-Fixed: 2023531

Kernel prints warning message: Division by zero in kernel.

When gBusBandwidthComputeInterval > 1000,
thresh_time_limit will be set to 0.
Change-Id: Ibb1f87815e194cd74886d3731f6d6a0fee6a6732
CRs-Fixed: 2070938

As part of Ib22dfa375217a48448c5a7872a9a2ed154dd862f, the reviewer
provided comments to make __hdd_stop and __hdd_hostapd_stop symmetrical
to avoid any logical issue.

Along with the above point, fix hdd_init_ap_mode to check event_flags
instead of the sap context to find out if the session is already opened and
initialized.
Change-Id: I49788157a95940dfd5ec396baf40db7e3df21359
CRs-Fixed: 2136351

wlan_serialization_remove_all_cmd_from_queue() is getting called
two times, which causes the reference count to be decreased two times.

1) 1st time from sme_stop() -> purge_sme_cmd_list()
   -> wlan_serialization_remove_all_cmd_from_queue()

2) 2nd time from wlan_serialization_vdev_obj_destroy_notification()
   -> serialization_purge_cmd_list()
   -> wlan_serialization_remove_all_cmd_from_queue()

The 1st path has been there for quite a long time as per the old serialization
design, but with the new serialization design it won't be required.
Change-Id: Ia8bd91c665340e7f7628ad73af64fa0044b45dde
CRs-Fixed: 2134851

In wlan_hdd_cfg80211_set_fils_config, incoming fils configs
are copied into local buffers. Buffer allocations happen with
internal length definitions, while lengths are checked against
definitions from WMI APIs. This may cause a buffer overwrite
for the fils erp realm buffer.

Use the same definitions for length checks that are used for
allocations.
Change-Id: Ie26bb1fdec9b12b429cb74dd290c155deb6c32f8
CRs-Fixed: 2137834

There is an interface idle work that stops the driver module in cases of
adapter inactivity. This work grabs the iface_change_lock, which is also
grabbed before synchronously cancelling the interface idle work. This can
cause a deadlock situation where cancelling the work never finishes,
because the caller holds the lock the work needs in order to complete.

Hoist the calls to cancel the work out of locked regions to avoid the
potential deadlock situation.
Change-Id: Ie421e69e2026ad1de626daba1f72d002d9751013
CRs-Fixed: 2120671

Currently, the interface idle (aka interface change) timeout uses a
qdf_mc_timer. This dependency on the MC thread means the MC thread
cannot be shut down as part of the interface idle timeout work. This
wastes resources, and leads to the init/deinit paths being out of sync
with respect to starting and stopping the MC thread. To address these
issues, use a delayed work to schedule the interface idle work instead
of a qdf_mc_timer.
Change-Id: I7570081112fa236a15d823e2a3857d252567f041
CRs-Fixed: 2112696

In hdd_stop_sap_due_to_invalid_channel, sap_adapter is derived using
a container_of operation on the work structure. It is dereferenced to print
the session id immediately followed by a NULL check.

Move the debug print after the NULL check.
Change-Id: Ib22aaeba6d312621e66496fcd646319331305cd2
CRs-Fixed: 2137807

In function wma_unified_debug_print_event_handler, datalen is
received from the FW and is used to mem copy data buffer from
FW into the local array dbgbuf. Since dbgbuf is a local array
of size 500 bytes, if datalen is greater than 500, buffer
overwrite occurs during memcpy.

Add sanity check to limit datalen to 500 bytes if value received
is greater than 500 bytes.
Change-Id: Id63b5106bc7a3d3836d17ae47d019bc8a71c928e
CRs-Fixed: 2134801

In file sme_ft_api.c, function sme_set_ft_ies(),
the ft_ies_length is user-controlled so there is
a possibility of integer overflow.

Add a sanity check to avoid integer overflow.
Change-Id: Idab80abeca35397be7ec13ca81c7ccb8be8ef256
CRs-Fixed: 2100965
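
The two length checks described in the preceding commits (the firmware-supplied `datalen` copied into a 500-byte local array, and the user-controlled `ft_ies_length`), as one added illustration that is not the driver's own code. `debug_print_event_copy` shows the post-fix shape of the first handler: the length is clamped to the local buffer before the `memcpy`, and the function returns how many bytes it actually copied. `ft_ies_length_ok` shows a representative overflow-safe check for the second case; the commit does not state where the addition overflowed, so the header size, the policy maximum and the form of the check are assumptions, as are the struct and function names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DBG_BUF_SIZE 500   /* size of the local array the commit describes */

/* Constructed stand-in for the debug-print event the firmware delivers:
 * a length the firmware chose and a pointer to its payload. */
struct fw_debug_event {
    uint32_t datalen;
    const uint8_t *data;
};

/* Post-fix shape of the handler: clamp the firmware-supplied length to the
 * local buffer before copying. Returns the number of bytes actually copied
 * so a caller (or a test) can confirm the clamp took effect. */
uint32_t debug_print_event_copy(const struct fw_debug_event *ev)
{
    uint8_t dbgbuf[DBG_BUF_SIZE];
    uint32_t datalen = ev->datalen;

    if (datalen > DBG_BUF_SIZE) {
        /* Pre-fix, the memcpy below ran with the unchecked length and wrote past dbgbuf. */
        fprintf(stderr, "datalen %u exceeds %d, truncating\n", datalen, DBG_BUF_SIZE);
        datalen = DBG_BUF_SIZE;
    }
    memcpy(dbgbuf, ev->data, datalen);
    (void)dbgbuf;   /* a real handler would print the buffer */
    return datalen;
}

/* Drive the handler with a constructed, zero-filled payload of `len` bytes
 * (capped at the 2048-byte constructed payload). */
uint32_t debug_print_copied_for_len(uint32_t len)
{
    static const uint8_t payload[2048] = { 0 };   /* constructed firmware payload */
    struct fw_debug_event ev;

    ev.datalen = len > sizeof(payload) ? (uint32_t)sizeof(payload) : len;
    ev.data = payload;
    return debug_print_event_copy(&ev);
}

/* The ft_ies_length case: a user-controlled length is added to a fixed
 * header size before it is used. Both constants are assumptions for this
 * illustration, not values from the driver. */
#define FT_IES_HDR_LEN 16       /* assumed header size */
#define FT_IES_MAX_LEN 1024     /* assumed policy maximum for header + IEs */

/* Returns 1 when ft_ies_length is acceptable, 0 when the addition would wrap
 * the uint32_t or the total would exceed the policy limit. The wrap check is
 * done by subtraction *before* the addition so the sum itself is never
 * computed from a value that could overflow. */
int ft_ies_length_ok(uint32_t ft_ies_length)
{
    if (ft_ies_length > UINT32_MAX - FT_IES_HDR_LEN)
        return 0;   /* ft_ies_length + FT_IES_HDR_LEN would wrap to a small number */
    if (ft_ies_length + FT_IES_HDR_LEN > FT_IES_MAX_LEN)
        return 0;   /* within the integer range but over the allowed size */
    return 1;
}

int main(void)
{
    printf("datalen 100  -> copied %u bytes\n", debug_print_copied_for_len(100));
    printf("datalen 1500 -> copied %u bytes\n", debug_print_copied_for_len(1500));
    printf("ft_ies_length 100        -> %s\n", ft_ies_length_ok(100) ? "ok" : "rejected");
    printf("ft_ies_length 0xFFFFFFF0 -> %s\n", ft_ies_length_ok(0xFFFFFFF0u) ? "ok" : "rejected");
    return 0;
}
```

The order of the two tests in `ft_ies_length_ok` is the point: checking `ft_ies_length + FT_IES_HDR_LEN > FT_IES_MAX_LEN` alone lets a value near `UINT32_MAX` wrap to a small sum and pass, which is the integer-overflow path the commit guards against.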

Currently, the MC thread is started once, on the transition from the
uninitialized to the open driver state, and is stopped only during
unload or recovery. Instead, start the MC thread on the transition from
closed to open and stop the MC thread on the transition from open to
closed driver states.
Change-Id: I2b45f95afb99b79f2515275776fe11c9e97bc150
CRs-Fixed: 2113596

The current check for peer_num in wma_get_ll_stats_ext_buf is
incorrect and subtracts total_peer_len from WMI_SVC_MSG_MAX_SIZE
and then divides it by the size of peer stats struct.

Fix the check in such a way that peer num is not greater than
WMI_SVC_MSG_MAX_SIZE divided by the sum of total_peer_len
and size of peer stats struct.
Change-Id: Idd21852052b14e9b30785f2ac4acbd172dd923ef
CRs-Fixed: 2143891
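
The pre-fix and post-fix forms of the peer_num check from the commit above, side by side, as an added illustration that is not the driver's own code. It assumes the response needs one `peer_stats` record plus `total_peer_len` bytes of payload per peer (the commit implies this per-peer cost but does not spell the layout out); `WMI_SVC_MSG_MAX_SIZE` is a constructed placeholder and `struct peer_stats` a constructed stand-in, both assumptions for this example. `ll_stats_fits` computes the real requirement with overflow guards so the two checks can be judged against it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder for the WMI service message limit; the real value
 * comes from the WMI headers. */
#define WMI_SVC_MSG_MAX_SIZE 4096

/* Constructed stand-in for the per-peer stats struct (12 bytes here). */
struct peer_stats {
    uint32_t peer_id;
    uint32_t tx_bytes;
    uint32_t rx_bytes;
};

/* Bytes the response needs if every peer contributes one peer_stats record
 * plus total_peer_len bytes of payload (assumed layout). Returns 0 when the
 * arithmetic would overflow size_t, so callers treat 0 with peer_num != 0 as
 * "does not fit". */
size_t ll_stats_bytes_needed(uint32_t peer_num, size_t total_peer_len)
{
    size_t per_peer;

    if (total_peer_len > SIZE_MAX - sizeof(struct peer_stats))
        return 0;
    per_peer = total_peer_len + sizeof(struct peer_stats);
    if (peer_num != 0 && per_peer > SIZE_MAX / peer_num)
        return 0;
    return (size_t)peer_num * per_peer;
}

/* Ground truth: does the computed requirement fit in one message? */
int ll_stats_fits(uint32_t peer_num, size_t total_peer_len)
{
    size_t need = ll_stats_bytes_needed(peer_num, total_peer_len);

    if (peer_num != 0 && need == 0)
        return 0;   /* overflowed during the size computation */
    return need <= WMI_SVC_MSG_MAX_SIZE;
}

/* Pre-fix check as the commit describes it: subtract total_peer_len once,
 * then divide by the struct size. It charges total_peer_len once for the
 * whole message instead of once per peer, so it admits far too many peers. */
int peer_num_ok_prefix(uint32_t peer_num, size_t total_peer_len)
{
    if (total_peer_len > WMI_SVC_MSG_MAX_SIZE)
        return 0;
    return peer_num <= (WMI_SVC_MSG_MAX_SIZE - total_peer_len) / sizeof(struct peer_stats);
}

/* Post-fix check: peer_num may not exceed the message limit divided by the
 * per-peer cost (total_peer_len + sizeof(struct peer_stats)). */
int peer_num_ok_fixed(uint32_t peer_num, size_t total_peer_len)
{
    if (total_peer_len > SIZE_MAX - sizeof(struct peer_stats))
        return 0;   /* the sum itself would wrap */
    return peer_num <= WMI_SVC_MSG_MAX_SIZE / (total_peer_len + sizeof(struct peer_stats));
}

int main(void)
{
    const size_t total_peer_len = 100;   /* constructed per-peer payload size */
    uint32_t peers[] = { 36, 37, 333 };
    size_t i;

    for (i = 0; i < sizeof(peers) / sizeof(peers[0]); i++)
        printf("peer_num %3u: prefix check %d, fixed check %d, actually fits %d (needs %zu bytes)\n",
               peers[i],
               peer_num_ok_prefix(peers[i], total_peer_len),
               peer_num_ok_fixed(peers[i], total_peer_len),
               ll_stats_fits(peers[i], total_peer_len),
               ll_stats_bytes_needed(peers[i], total_peer_len));
    return 0;
}
```

With a 100-byte per-peer payload and a 12-byte record, the pre-fix check accepts 333 peers, a response that would need 37296 bytes against a 4096-byte limit, while the fixed check stops at 36 peers (4032 bytes), matching what actually fits.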

In set default key operation module, under SAP mode, there are
conditional checks on key type information derived from the
Station's context. Also in get/add key operations SAP or STA
context pointers are derived without knowing the device mode
first, which is incorrect.

Derive key type info from SAP context in set default key and
derive station or sap context pointers only after knowing the
device mode.
Change-Id: I09b0e6f8d6315677e7584c7c24f003daa3eca9a3
CRs-Fixed: 2127288

NULL check is not required as a check is already present in the caller
API sme_process_command.
Change-Id: I7d1d6253d77faf427b7fd231dce7d1c8eac9538a
CRs-Fixed: 2139896

In file lim_api.c, function pe_handle_mgmt_frame(),
limit the error log "Failed to fill cds packet from
event buffer".

Add log rate limit to avoid over-logging.
Change-Id: I8ea1a485db861f6c40b46aaba107ae4ea1552e21
CRs-Fixed: 2138713

htt_tx_mutex, NBUF_QUEUE_MUTEX and HTT credit_mutex should all be
initialized before the related message handlers are connected to
their corresponding services, or there will be race conditions
during WLAN driver initialization which cause
the Linux kernel to complain about bad magic of spin locks and
trigger a watchdog bite.
Change-Id: Id89185d811bcbed95732f142ed6fd611e0d6e2a4
CRs-Fixed: 2109674

Firmware sends beacon/probe response, reassoc request and
reassoc response using new event WMI_ROAM_SYNCH_FRAME_EVENTID
when the data that it wants to send via WMI_ROAM_SYNCH_EVENTID
exceeds max length 2k in firmware. Add changes to handle
WMI_ROAM_SYNCH_FRAME_EVENTID in such a scenario.
Change-Id: I2c0821f3547b4ee86cd6860a150a5a7991947abb
CRs-Fixed: 2122429