Check the channel width value in CSA IE before we process the
channel switch so that if the AP sends the wrong channel width in
CSA driver can process with correct configuration
Change-Id: Ib14a0146502b0f731f319ac1fe6657a389388cec
CRs-Fixed: 2162235
In wma_vdev_detach(), ignore vdev delete request at present if it is
received before VDEV_STOP and VDEV_DOWN which results in fw assert on
VDEV_START as no VDEV_DELETE is present before VDEV_START on the same vdev.
Do cds recovery or assert on vdev deletion or on vdev start if BSS
is already in started state and no VDEV_STOP is queued in the queue.
Change-Id: I273e6240840e7a0a54c2d7ad3de12c8a30d42a18
CRs-Fixed: 2164701
Add sanity check for rxNss value in lim_set_nss_change()
as rxNss cannot be zero.
Change-Id: Ie8043d41413a26469539a1f370ff4bca09870b61
CRs-Fixed: 2157501
This reverts commit 7cf307e148
as the check to drop auth frame if previous sequence number
and auth algo match with current sequence number and auth
algo returns true instead of false in a correct scenario.
Change-Id: I8dee272f535acaadb9dfff69ee9ce68ddea4eec1
CRs-Fixed: 2166125
Currently host is adding PMKSA cache on bssid from connect request
if PMKID is present in the RSNIE. This may cause duplicate
entry of PMKSA since supplicant may add the same PMKSA on basis of
SSID + cache identifier. This also cause different caches present
in driver and supplicant.
Setting PMKSA in connect request is not needed since supplicant
will always set/delete PMKSA cache using seperate kernel APIs.
Add changes to remove set PMKSA logic during connect path and
increased PMKSA cache path logging.
Change-Id: I7aa13daa59c4221380daebab3bee49de5d681d6b
CRs-Fixed: 2054351
Currently host driver is dumping all the connection related
info for FILS connection.
Add changes to remove excessive logging for FILS connection
Change-Id: Ib23a90672413e00c06ae61f01fbbb0fb51edda56
CRs-Fixed: 2077465
When ACS is started, acs_cfg.hw_mode in AP context will
be set after mapping from values defined in enum
qca_wlan_vendor_acs_hw_mode to values defined in enum
eCsrPhyMode, but when ACS scan fails due to some reason,
such as scan timeout, the code in function
sap_select_default_oper_chan is still using values
defined in enum qca_wlan_vendor_acs_hw_mode to setup
the default channel.
Change the code in function sap_select_default_oper_chan
to use the values defined in enum eCsrPhyMode when
setting up the default channel.
Change-Id: Ic0d43c43bf9b9a9a36c290d2754c30ebb40bb0e3
CRs-Fixed: 2163658
DUT retries auth with open system if shared key
authentication is not supported by AP. If auth
response from AP for open system auth has same
sequence number as that of shared key response,
host drops the frame.
Fix is to drop the auth frame only if previous
sequence number and auth algo match with current
sequence number and auth algo.
Change-Id: Ia02408d72371dfb91a7cae190ae9399cdf2e2e8b
CRs-Fixed: 2163231
Determine bss transition status for preferrable candidates provided
by userspace based on the transition reason, rssi of connected and
candidate bssids and other parameters like whether transitiong to the
candidate will result in sub-optimal scenario. The transition status
is either accept or a reason for reject.
Change-Id: Ib83c81909f4d8e31b4125309b8ac392a26a0d6bf
CRs-Fixed: 2007107
__wlan_hdd_cfg80211_get_key was invoked when unloading driver.
SAP ctx had been freed at this time.wlan_sap_get_roam_profile will
return NULL.
Check NULL pointer before use roam_profile.
Change-Id: If1f11f0fb7027a6af4e3242fe9af722740d32850
CRs-Fixed: 2162395
qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of tx_desc_id when received the htt message of
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND from firmware to ensure the buffer
overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2164705
Adapter resources are not being released until after stop modules. This
leads to resource leaks on PCIe targets. Move the call to close adapters
to before stop modules.
Change-Id: I18ceba26bb6aab634da91a14cc6890a7b7bd836f
CRs-Fixed: 2162868
TX data transmit error is flooding out the logging
system.
Rate limit the TX transmit error to avoid
log buffer overrun.
Change-Id: Ie6f857378f1d8d2ee07ba0d6e10639f6f5dcbd1c
CRs-Fixed: 2160835
In function lim_send_probe_rsp_template_to_hal, memset is done for the
allocated packet for length nBytes which is calculated as size of payload +
MAC header + addn_ielen.
However, the buffer used psessionEntry->pSchProbeRspTemplate is allocated
for length 512 (SCH_MAX_PROBE_RESP_SIZE) only as part of create session.
This leads to a potential overflow of the memory if nBytes calculated is
greater than 512 leading to kernel panic while freeing the memory in
delete session.
Add sanity check to make sure we do not exceed the SCH_MAX_PROBE_RESP_SIZE
before doing a memset on the buffer.
Change-Id: I4657d34a429b1f0c11ac8ca24869727c222669b8
CRs-Fixed: 2160086
In function __wlan_hdd_cfg80211_vendor_scan, when SCAN_SSIDS
and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, if the
number of SSIDs or number of channels are more then 255 in
netlink message, n_ssid and n_channels will get overflow
because n_ssid and n_channels are of type uint8_t.
Add a check to validate the max number of SCAN_SSIDs against
MAX_SCAN_SSID and max number of channels against MAX_CHANNEL.
Change-Id: Ib31dcc912fee8639e26d836d2fc5a32bf81fb43d
CRs-Fixed: 2153343
HDD calls several qdf_debug_domain APIs when that feature is not
enabled. Add conditional compilation to avoid these calls when runtime
leak detection is not enabled.
Change-Id: I78775c240b5352ed63f2e15f16e25159bbde5666
CRs-Fixed: 2162989
The statement register_netdevice_notifier(&hdd_netdev_notifier)
is replaced by hdd_register_notifiers(hdd_ctx) mistakenly when
propagating from 3.1 to 3.2.
Change-Id: Iddcc2b0375c0e81b944def117b40ea3015f91e4b
CRs-Fixed: 2163113
In function lim_parse_kde_elements, while parsing the KDE list from
the assoc response frame, elem_len is obtained from the frame buffer.
elem_len is then used to find the matching OUI for KDE OUI type and
then to calculate data_len based on the offset for the GTK/IGTK data
types.
If the value in elem_len field in the frame is less than the Data
Offset (which includes the OUI and data type) or the GTK/IGTK offset
then a OOB read would occur.
Add checks to validate the elem_len with Data offset and then with
the GTK/IGTK offset based on the data type.
Change-Id: I8ae31c6d6c28e88ad9bda757b3f1ff2585f8a553
CRs-Fixed: 2161920
When a peer object is to be removed in WLAN HDD object manager
code, it should be logically deleted first before it's ref
count is decreased and the peer object is freed, or there will
be a potential race condition, in which a freed peer object
buffer will be accessed.
Change-Id: Ib3179e8207d1e9bbaa9c2b8450a8016e23cfc3f3
CRs-Fixed: 2161627
With the existing implementation of TAILQ_FOREACH_REVERSE
in ol_txrx_remove_peers_for_vdev() function, host traverses
the list, stores the peer in the var, releases the lock and
later temp var is getting deleted as part of peer unmap and
host end up in accessing the stale peer entry.
To avoid this, host should check the peer delete in progress
first before assigning it to the temp var.
Change-Id: I5b9a401ae062efc6d2fbe608b25424a27c9d9f94
CRs-Fixed: 2159446
