When the MEMORY_DEBUG macro is defined for debugging memory issues,
even in the normal case it still reports a double free for the ipa
i2w SKB.
The fix is to add the ipa i2w SKB to the internal tracking table.
Change-Id: I27b0afc79e8c39c99a73ec9a65a348ebf85960b6
CRs-Fixed: 2145344
User defined wowl patterns are not freed in all
of the driver unload paths, which causes
leaks in the system.
Free user defined wowl patterns in all the driver
unload paths.
Change-Id: I7b980a6392badb3d28f2c665a96108beb71f02d5
CRs-Fixed: 2144562
WLAN driver's vendor scan request handler function declares ie_len
as uint8_t whereas kernel's cfg80211_scan_request ie_len is declared
as size_t. This type mismatch for ie_len leads to the WLAN driver allocating
less memory on the heap because of implicit integer overflow when kernel's
ie_len (declared as size_t) is bigger than hex 0xFF, and when scan request
data is copied it overflows the allocated heap memory.
In WLAN driver's vendor scan request handler declare ie_len and len also
as size_t, so that the correct size of heap memory is always allocated and
there is no heap overflow during the memory copy.
Change-Id: I240113d34c561c7155303b0b8b253c0cbaf7724b
CRs-Fixed: 2145573
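The ie_len width mismatch described above, shown as an added stand-alone example (not the driver's or the kernel's code): a constructed `scan_req` whose `ie_len` is `size_t` like the kernel's, a helper that computes how far a handler mirroring that length into a `uint8_t` would fall short of the bytes the later copy writes, and the hardened form that keeps `size_t` end to end and bounds the length before allocating. The struct, the `MAX_SCAN_IE_LEN` bound and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the kernel-side request: ie_len is size_t, as in
 * cfg80211_scan_request. This is not the driver's or the kernel's real struct. */
struct scan_req {
    size_t ie_len;
    const uint8_t *ie;
};

/* Hypothetical upper bound a hardened handler enforces; not taken from the page. */
#define MAX_SCAN_IE_LEN 2048

/* BEFORE: the handler mirrors the kernel's size_t length into a uint8_t, so any
 * value >= 256 is truncated and the heap buffer comes out too small for the copy
 * that follows. This helper only computes the resulting shortfall in bytes; it
 * never performs the oversized write. */
size_t ie_copy_shortfall_truncated(const struct scan_req *req)
{
    uint8_t ie_len = (uint8_t)req->ie_len;  /* the narrowing conversion */
    size_t allocated = ie_len;              /* what the buggy handler allocates */
    size_t copied = req->ie_len;            /* what the later copy writes */

    return copied > allocated ? copied - allocated : 0;
}

/* AFTER: keep size_t end to end and bound the value before allocating, so the
 * allocation and the copy agree on the same length. Returns a malloc'd copy of
 * the IEs (caller frees) or NULL if the request is rejected. */
uint8_t *copy_ies_fixed(const struct scan_req *req, size_t *out_len)
{
    size_t len = req->ie_len;               /* same width as the kernel's field */
    uint8_t *buf;

    if (len == 0 || len > MAX_SCAN_IE_LEN || req->ie == NULL)
        return NULL;
    buf = malloc(len);
    if (!buf)
        return NULL;
    memcpy(buf, req->ie, len);
    *out_len = len;
    return buf;
}

/* Demonstration driver: build a constructed request carrying n bytes of IEs,
 * report how far the truncating handler would have overrun its buffer, and
 * verify the fixed handler copies all n bytes. Returns the shortfall, or -1 if
 * the fixed handler rejected the request or produced an unfaithful copy. */
int demo_scan_ie_copy(size_t n)
{
    uint8_t *ie = malloc(n);
    struct scan_req req;
    size_t shortfall, copied_len = 0;
    uint8_t *copy;
    int ok;

    if (!ie)
        return -1;
    memset(ie, 0xdd, n);    /* 0xdd = vendor-specific IE tag, used as filler */
    req.ie_len = n;
    req.ie = ie;

    shortfall = ie_copy_shortfall_truncated(&req);
    copy = copy_ies_fixed(&req, &copied_len);
    ok = copy != NULL && copied_len == n && memcmp(copy, ie, n) == 0;

    free(copy);
    free(ie);
    return ok ? (int)shortfall : -1;
}

int main(void)
{
    /* 0x1FF bytes of IEs: the uint8_t handler allocates 0xFF and would write
     * 0x100 bytes past the end; the size_t handler copies all 0x1FF bytes. */
    return demo_scan_ie_copy(0x1FF) == 0x100 ? 0 : 1;
}
```

The shortfall helper is deliberately arithmetic only: it reports the size of the write the original bug would have made without performing it, which is the same check a reviewer applies when auditing an allocation against the copy that follows it.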
Replace target name sdxhedgehog with sdx20 to maintain
consistency with other components on the same platform.
Change-Id: I257c082c9427f5fb7d699d11924b6bdc1b59f661
CRs-Fixed: 2023531
Kernel prints warning message: Division by zero in kernel.
When gBusBandwidthComputeInterval > 1000,
thresh_time_limit will be set to 0.
Change-Id: Ibb1f87815e194cd74886d3731f6d6a0fee6a6732
CRs-Fixed: 2070938
As part of Ib22dfa375217a48448c5a7872a9a2ed154dd862f, the reviewer has
provided comments to make __hdd_stop and __hdd_hostapd_stop symmetrical
to avoid any logical issues.
Along with above point, fix hdd_init_ap_mode to check event_flags
instead of sap context to find out if session is already opened and
initialized.
Change-Id: I49788157a95940dfd5ec396baf40db7e3df21359
CRs-Fixed: 2136351
wlan_serialization_remove_all_cmd_from_queue() is getting called
two times, which causes the reference count to be decreased two times.
1) 1st time from sme_stop() -> purge_sme_cmd_list()
-> wlan_serialization_remove_all_cmd_from_queue()
2) 2nd time from wlan_serialization_vdev_obj_destroy_notification()
-> serialization_purge_cmd_list()
-> wlan_serialization_remove_all_cmd_from_queue()
The 1st path has been there for quite a long time as per the old serialization
design, but with the new serialization design it won't be required.
Change-Id: Ia8bd91c665340e7f7628ad73af64fa0044b45dde
CRs-Fixed: 2134851
In wlan_hdd_cfg80211_set_fils_config, incoming fils configs
are copied into local buffers. Buffer allocations happen with
internal length definitions, while lengths are checked against
definitions from WMI APIs. This may cause a buffer overwrite
of the fils erp realm buffer.
Use the same definitions for length checks that are used for
allocations.
Change-Id: Ie26bb1fdec9b12b429cb74dd290c155deb6c32f8
CRs-Fixed: 2137834
There is an interface idle work that stops the driver module in cases of
adapter inactivity. This work grabs the iface_change_lock, which is also
grabbed before synchronously cancelling the interface idle work. This can
cause a deadlock situation where cancelling the work never finishes,
because the caller holds the lock the work needs in order to complete.
Hoist the calls to cancel the work out of locked regions to avoid the
potential deadlock situation.
Change-Id: Ie421e69e2026ad1de626daba1f72d002d9751013
CRs-Fixed: 2120671
Currently, the interface idle (aka interface change) timeout uses a
qdf_mc_timer. This dependency on the MC thread means the MC thread
cannot be shut down as part of the interface idle timeout work. This
wastes resources, and leads to the init/deinit paths being out of sync
with respect to starting and stopping the MC thread. To address these
issues, use a delayed work to schedule the interface idle work instead
of a qdf_mc_timer.
Change-Id: I7570081112fa236a15d823e2a3857d252567f041
CRs-Fixed: 2112696
In hdd_stop_sap_due_to_invalid_channel, sap_adapter is derived using
container_of operation on work structure. It is dereferenced to print
the session id immediately followed by a NULL check.
Move debug print after the NULL check.
Change-Id: Ib22aaeba6d312621e66496fcd646319331305cd2
CRs-Fixed: 2137807
In function wma_unified_debug_print_event_handler, datalen is
received from the FW and is used to memcpy the data buffer from
FW into the local array dbgbuf. Since dbgbuf is a local array
of size 500 bytes, if datalen is greater than 500, buffer
overwrite occurs during memcpy.
Add sanity check to limit datalen to 500 bytes if value received
is greater than 500 bytes.
Change-Id: Id63b5106bc7a3d3836d17ae47d019bc8a71c928e
CRs-Fixed: 2134801
In file sme_ft_api.c, function sme_set_ft_ies(),
the ft_ies_length is user-controlled so there is
a possibility of integer overflow.
Add a sanity check to avoid integer overflow.
Change-Id: Idab80abeca35397be7ec13ca81c7ccb8be8ef256
CRs-Fixed: 2100965
Currently, the MC thread is started once, on the transition from the
uninitialized to the open driver state, and is stopped only during
unload or recovery. Instead, start the MC thread on the transition from
closed to open and stop the MC thread on the transition from open to
closed driver states.
Change-Id: I2b45f95afb99b79f2515275776fe11c9e97bc150
CRs-Fixed: 2113596
The current check for peer_num in wma_get_ll_stats_ext_buf is
incorrect and subtracts total_peer_len from WMI_SVC_MSG_MAX_SIZE
and then divides it by the size of peer stats struct.
Fix the check in such a way that peer num is not greater than
WMI_SVC_MSG_MAX_SIZE divided by the sum of total_peer_len
and size of peer stats struct.
Change-Id: Idd21852052b14e9b30785f2ac4acbd172dd923ef
CRs-Fixed: 2143891
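The three length checks described in the wma_unified_debug_print_event_handler, sme_set_ft_ies and wma_get_ll_stats_ext_buf entries above, collected into one added example that is not the driver's code. Part (a) clamps a firmware-supplied datalen to the 500-byte local buffer; part (b) contrasts a length check that forms a wrapping sum with one that compares against the remaining headroom; part (c) contrasts the old peer_num check (subtract total_peer_len, then divide by the struct size) with the corrected one (divide by the sum of total_peer_len and the struct size), as the entry states them. The constants FT_IES_HDR_LEN, FT_IES_MAX_LEN, SVC_MSG_MAX_SIZE and PEER_STATS_SIZE are assumed values standing in for the real ones, and every function name is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ---- (a) wma_unified_debug_print_event_handler: FW-supplied datalen ---- */

#define DBG_BUF_SIZE 500    /* size of the local dbgbuf named in the description */

/* Copy at most bufsize bytes: datalen comes from firmware and is not trusted.
 * Returns the number of bytes actually copied. */
size_t copy_debug_print(uint8_t *dbgbuf, size_t bufsize,
                        const uint8_t *data, size_t datalen)
{
    if (datalen > bufsize)      /* the sanity check the fix adds */
        datalen = bufsize;
    memcpy(dbgbuf, data, datalen);
    return datalen;
}

/* Demonstration wrapper with a constructed 1024-byte FW payload. */
size_t demo_debug_print(size_t datalen)
{
    uint8_t dbgbuf[DBG_BUF_SIZE];
    uint8_t data[1024];

    if (datalen > sizeof data)
        return 0;
    memset(data, 'A', sizeof data);
    return copy_debug_print(dbgbuf, sizeof dbgbuf, data, datalen);
}

/* ---- (b) sme_set_ft_ies: user-controlled ft_ies_length ----------------- */

#define FT_IES_HDR_LEN 16   /* hypothetical fixed header size */
#define FT_IES_MAX_LEN 2048 /* hypothetical maximum total length */

/* Buggy form: forms the sum first, so a huge length wraps around and passes. */
int ft_ies_len_ok_buggy(size_t ft_ies_length)
{
    return FT_IES_HDR_LEN + ft_ies_length <= FT_IES_MAX_LEN;
}

/* Fixed form: compare against the headroom, so no wrapping sum is formed. */
int ft_ies_len_ok_fixed(size_t ft_ies_length)
{
    return ft_ies_length <= FT_IES_MAX_LEN - FT_IES_HDR_LEN;
}

/* ---- (c) wma_get_ll_stats_ext_buf: peer_num against the message limit -- */

#define SVC_MSG_MAX_SIZE 4096 /* hypothetical stand-in for WMI_SVC_MSG_MAX_SIZE */
#define PEER_STATS_SIZE 32    /* hypothetical sizeof(peer stats struct) */

/* Old check as the description states it: subtracts total_peer_len once and
 * divides by the struct size, so the per-peer payload is not accounted for.
 * Kept deliberately unguarded to mirror the described behaviour. */
int peer_num_ok_old(uint32_t peer_num, uint32_t total_peer_len)
{
    return peer_num <= (SVC_MSG_MAX_SIZE - total_peer_len) / PEER_STATS_SIZE;
}

/* Fixed check: peer_num must not exceed the limit divided by the per-peer
 * cost (total_peer_len plus the struct size); the sum is formed in 64 bits. */
int peer_num_ok_fixed(uint32_t peer_num, uint32_t total_peer_len)
{
    return peer_num <= SVC_MSG_MAX_SIZE /
                       ((uint64_t)total_peer_len + PEER_STATS_SIZE);
}

/* Bytes the response would occupy, computed in 64 bits so this arithmetic
 * itself cannot wrap; used to show which check is actually safe. */
uint64_t peer_bytes_needed(uint32_t peer_num, uint32_t total_peer_len)
{
    return (uint64_t)peer_num * ((uint64_t)total_peer_len + PEER_STATS_SIZE);
}
```

With the assumed constants, the old check accepts peer_num = 125 for total_peer_len = 96, although those peers need 16000 bytes against a 4096-byte limit; the corrected check admits at most 32.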
In set default key operation module, under SAP mode, there are
conditional checks on key type information derived from the
Station's context. Also in get/add key operations SAP or STA
context pointers are derived without knowing the device mode
first, which is incorrect.
Derive key type info from SAP context in set default key and
derive station or sap context pointers only after knowing the
device mode.
Change-Id: I09b0e6f8d6315677e7584c7c24f003daa3eca9a3
CRs-Fixed: 2127288
NULL check is not required as a check is already present in the caller
API sme_process_command.
Change-Id: I7d1d6253d77faf427b7fd231dce7d1c8eac9538a
CRs-Fixed: 2139896
In file lim_api.c, function pe_handle_mgmt_frame(),
limit the error log "Failed to fill cds packet from
event buffer".
Add log rate limit to avoid over-logging.
Change-Id: I8ea1a485db861f6c40b46aaba107ae4ea1552e21
CRs-Fixed: 2138713
htt_tx_mutex, NBUF_QUEUE_MUTEX and HTT credit_mutex should all be
initialized before the related message handlers are connected to
their corresponding services, or there will be race conditions
during WLAN driver initialization which will cause
the Linux kernel to complain about bad magic of spin locks and
trigger a watchdog bite.
Change-Id: Id89185d811bcbed95732f142ed6fd611e0d6e2a4
CRs-Fixed: 2109674
Firmware sends beacon/probe response, reassoc request and
reassoc response using new event WMI_ROAM_SYNCH_FRAME_EVENTID
when the data that it wants to send via WMI_ROAM_SYNCH_EVENTID
exceeds max length 2k in firmware. Add changes to handle
WMI_ROAM_SYNCH_FRAME_EVENTID in such a scenario.
Change-Id: I2c0821f3547b4ee86cd6860a150a5a7991947abb
CRs-Fixed: 2122429
Android framework decides when to put the driver in power
save state. When it disables powersave, the driver starts
a timer to re-enter power save, which is not required.
Fix this by not starting the auto ps timer for the power save
disable case. Framework sends disable power save in
disconnected state and driver returns error; due to
this, firmware power state is still in BMPS and it
re-enables power save immediately after connection,
and this causes a power state mismatch between framework
and driver/firmware. Fix is to handle the full power
request in disconnected state and send this full power
request to firmware as it can handle it.
Change-Id: Ib17c898b8288de31c424896acbfe89216e59ff49
CRs-Fixed: 2143017
Identify all the places where memory is not freed in
case of WMA delete STA request and free it.
Change-Id: I97db2595d0b1d96bcbf97a28e9e1345504b30239
CRs-Fixed: 2133514
csr_scan_save_bss_description allocates pCsrBssDescription, which
is used to update the scan entry in the scan module, and after the
update is done pCsrBssDescription is not freed.
Fix this by freeing pCsrBssDescription once the entry is updated in
the scan module.
Change-Id: I07f9bbea8fbf5b700203b03d8fd19a0871ea2881
CRs-Fixed: 2137082
Stop bss request is dropped during the
channel change request and it is causing the
IPA disconnect event not to be sent to the IPA
module.
Process stop bss during channel change
request so that IPA disconnect is sent
to the IPA module.
Change-Id: I41bb3c0d5ba9f9e9b3a655b67d126ee34c777f4d
CRs-Fixed: 2134143
Currently, only the Change-Id for HEAD is included in the build tag.
This can be problematic for builds which include hotfixes
(cherry-picks). Include the Change-Ids of every cherry-pick commit since
the last non-cherry-pick commit. This allows developers to quickly
identify the checkout point used to make the build, as well as any
hotfixes applied.
Change-Id: Ibe6259c2e0b46c820e0f1d73a12383e01c10abb8
CRs-Fixed: 2143443
Currently the runtime PM lock for the adapter is not freed in the error cases
of hdd_open_adapter(), which results in a memory leak. Free it correctly
in the function for failure cases.
Change-Id: Ie325de8b2789c461d139dbea9001cbb0504bc024
CRs-Fixed: 2142668
Remove the legacy function proc_set_req_internal which
is used as a handler for messages of type
WNI_CFG_SET_REQ or WNI_CFG_SET_REQ_NO_RSP.
Change-Id: If294329954f18c3890d977e7e9d4499b57ceba89
CRs-Fixed: 2140634
Add check for fils_config_info->key_nai_len to not exceed
FILS_MAX_KEYNAME_NAI_LENGTH. If it exceeds this length
then it causes an out of bounds memory read for array keyname_nai.
Change-Id: I9ea6386e91e5eaea6a14bb2d13f0e030072b1262
CRs-Fixed: 2139906
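The two FILS fixes on this page (the wlan_hdd_cfg80211_set_fils_config entry, which makes length checks use the same definitions as the allocations, and the key_nai_len bound against FILS_MAX_KEYNAME_NAI_LENGTH directly above) both come down to one rule: a length must be checked against the size of the buffer it indexes. The added example below is not the driver's code; it models a local FILS configuration struct whose fixed arrays are sized by macros and checks each incoming length with `sizeof` of the destination field, so the check and the allocation cannot use different definitions. The value of FILS_MAX_KEYNAME_NAI_LENGTH, the realm maximum, the struct layouts and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* FILS_MAX_KEYNAME_NAI_LENGTH is the macro the description names; its value
 * here is assumed. The realm maximum is likewise an assumption. */
#define FILS_MAX_KEYNAME_NAI_LENGTH 253
#define FILS_MAX_REALM_LEN 255

/* Constructed local copy of the FILS parameters. Each buffer is sized by a
 * macro, and its length is later checked against that very buffer. */
struct fils_config_info {
    uint8_t keyname_nai[FILS_MAX_KEYNAME_NAI_LENGTH];
    size_t key_nai_len;
    uint8_t realm[FILS_MAX_REALM_LEN];
    size_t realm_len;
};

/* Incoming, untrusted parameters (e.g. from the supplicant). */
struct fils_params_in {
    const uint8_t *keyname_nai;
    size_t key_nai_len;
    const uint8_t *realm;
    size_t realm_len;
};

/* Copy the parameters into the local struct. Every length is compared with
 * sizeof() of the destination field, so the check cannot drift from the
 * buffer size. Returns 0 on success, -1 if any length exceeds its buffer. */
int fils_config_copy(struct fils_config_info *out,
                     const struct fils_params_in *in)
{
    if (in->key_nai_len > sizeof out->keyname_nai)
        return -1;  /* would read/write past keyname_nai */
    if (in->realm_len > sizeof out->realm)
        return -1;  /* would overwrite the erp realm buffer */

    memset(out, 0, sizeof *out);
    memcpy(out->keyname_nai, in->keyname_nai, in->key_nai_len);
    out->key_nai_len = in->key_nai_len;
    memcpy(out->realm, in->realm, in->realm_len);
    out->realm_len = in->realm_len;
    return 0;
}

/* Demonstration: constructed inputs of the given lengths. Returns 0 when the
 * copy is accepted and faithful, -1 when it is rejected, -2 on a bad copy. */
int demo_fils_copy(size_t key_nai_len, size_t realm_len)
{
    static uint8_t nai_src[512], realm_src[512]; /* larger than either buffer */
    struct fils_config_info cfg;
    struct fils_params_in in;

    if (key_nai_len > sizeof nai_src || realm_len > sizeof realm_src)
        return -1;
    memset(nai_src, 'n', sizeof nai_src);
    memset(realm_src, 'r', sizeof realm_src);
    in.keyname_nai = nai_src;
    in.key_nai_len = key_nai_len;
    in.realm = realm_src;
    in.realm_len = realm_len;

    if (fils_config_copy(&cfg, &in) != 0)
        return -1;
    if (cfg.key_nai_len != key_nai_len ||
        memcmp(cfg.keyname_nai, nai_src, key_nai_len) != 0)
        return -2;
    if (cfg.realm_len != realm_len ||
        memcmp(cfg.realm, realm_src, realm_len) != 0)
        return -2;
    return 0;
}
```

Using `sizeof` on the destination field rather than a second macro is the cheapest way to enforce "same definitions for the check and the allocation": if the array size is changed later, the check follows automatically.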