Determine BSS transition status for preferable candidates provided
by userspace based on the transition reason, RSSI of the connected and
candidate BSSIDs and other parameters, like whether transitioning to the
candidate will result in a sub-optimal scenario. The transition status
is either accept or a reason for reject.
Change-Id: Ib83c81909f4d8e31b4125309b8ac392a26a0d6bf
CRs-Fixed: 2007107
__wlan_hdd_cfg80211_get_key was invoked when unloading the driver.
The SAP ctx had been freed at this time. wlan_sap_get_roam_profile will
return NULL.
Check for a NULL pointer before using roam_profile.
Change-Id: If1f11f0fb7027a6af4e3242fe9af722740d32850
CRs-Fixed: 2162395
qcacld-2.0 to qcacld-3.0 propagation
Check the validity of tx_desc_id when the HTT message
HTT_T2H_MSG_TYPE_MGMT_TX_COMPL_IND is received from firmware, to ensure a buffer
overwrite does not happen.
Change-Id: I0afc781b7fff303525352b817e7eb60b8b05e4d3
CRs-Fixed: 2164705
Adapter resources are not being released until after stop modules. This
leads to resource leaks on PCIe targets. Move the call to close adapters
to before stop modules.
Change-Id: I18ceba26bb6aab634da91a14cc6890a7b7bd836f
CRs-Fixed: 2162868
TX data transmit errors are flooding the logging
system.
Rate limit the TX transmit error to avoid
log buffer overrun.
Change-Id: Ie6f857378f1d8d2ee07ba0d6e10639f6f5dcbd1c
CRs-Fixed: 2160835
In function lim_send_probe_rsp_template_to_hal, memset is done on the
allocated packet for length nBytes, which is calculated as size of payload +
MAC header + addn_ielen.
However, the buffer used, psessionEntry->pSchProbeRspTemplate, is allocated
for length 512 (SCH_MAX_PROBE_RESP_SIZE) only as part of create session.
This leads to a potential overflow of the memory if the calculated nBytes is
greater than 512, leading to a kernel panic while freeing the memory in
delete session.
Add a sanity check to make sure we do not exceed SCH_MAX_PROBE_RESP_SIZE
before doing a memset on the buffer.
Change-Id: I4657d34a429b1f0c11ac8ca24869727c222669b8
CRs-Fixed: 2160086
In function __wlan_hdd_cfg80211_vendor_scan, when SCAN_SSIDS
and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, if the
number of SSIDs or the number of channels is more than 255 in the
netlink message, n_ssid and n_channels will overflow
because n_ssid and n_channels are of type uint8_t.
Add a check to validate the max number of SCAN_SSIDs against
MAX_SCAN_SSID and the max number of channels against MAX_CHANNEL.
Change-Id: Ib31dcc912fee8639e26d836d2fc5a32bf81fb43d
CRs-Fixed: 2153343
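As an added illustration of the narrow-counter overflow this commit message describes (example code written for this page, not the driver's own; the values of MAX_SCAN_SSID and MAX_CHANNEL, the one-length-byte nested-attribute encoding, and all function and struct names are assumptions made for the example), the unchecked counting pattern is shown beside a version that counts in a wide type and validates against the maximum before any uint8_t is written:

```c
#include <stdint.h>
#include <stddef.h>

/* Assumed limits (hypothetical values; the driver's real MAX_SCAN_SSID and
 * MAX_CHANNEL definitions are not reproduced here). */
#define MAX_SCAN_SSID 10
#define MAX_CHANNEL   64

/* Nested attribute list encoding used by this example: each item is one
 * length byte followed by that many payload bytes. */

/* The pattern the commit message describes: the count is accumulated
 * directly in a uint8_t, so 256 or more items wrap around silently. */
uint8_t count_items_narrow(const uint8_t *attr, size_t len)
{
    uint8_t n = 0;
    size_t pos = 0;

    while (pos < len) {
        size_t item_len = attr[pos];
        if (item_len > len - pos - 1)
            break;              /* item overruns the attribute */
        pos += 1 + item_len;
        n++;                    /* wraps to 0 after 255 */
    }
    return n;
}

/* Hardened version: count in size_t and compare against the maximum before
 * the value is ever narrowed. Returns the count (0..max), or -1 when the
 * list is malformed or exceeds max. */
int count_items_checked(const uint8_t *attr, size_t len, size_t max)
{
    size_t n = 0, pos = 0;

    while (pos < len) {
        size_t item_len = attr[pos];
        if (item_len > len - pos - 1)
            return -1;          /* item overruns the attribute */
        pos += 1 + item_len;
        if (++n > max)
            return -1;          /* reject before the uint8_t is written */
    }
    return (int)n;
}

struct scan_req {
    uint8_t n_ssid;
    uint8_t n_channels;
};

/* Fills the request only when both counts validate; 0 on success, -1 otherwise. */
int build_scan_req(const uint8_t *ssids, size_t ssids_len,
                   const uint8_t *freqs, size_t freqs_len, struct scan_req *req)
{
    int ns = count_items_checked(ssids, ssids_len, MAX_SCAN_SSID);
    int nc = count_items_checked(freqs, freqs_len, MAX_CHANNEL);

    if (ns < 0 || nc < 0)
        return -1;
    req->n_ssid = (uint8_t)ns;
    req->n_channels = (uint8_t)nc;
    return 0;
}

/* Constructed sample inputs (not captured from a real netlink message):
 * 300 zero-length items, a list of three SSIDs and a list of two frequencies. */
static const uint8_t ITEMS_300[300] = { 0 };
static const uint8_t SSIDS_3[] = { 2, 'a', 'b', 1, 'c', 3, 'd', 'e', 'f' };
static const uint8_t FREQS_2[] = { 1, 36, 1, 40 };

/* Returns (n_ssid << 8) | n_channels for the sample lists, or -1 if rejected. */
int sample_request_counts(void)
{
    struct scan_req req;

    if (build_scan_req(SSIDS_3, sizeof(SSIDS_3), FREQS_2, sizeof(FREQS_2), &req) < 0)
        return -1;
    return (req.n_ssid << 8) | req.n_channels;
}
```

With the 300-item list, count_items_narrow() reports 44 (300 modulo 256) while count_items_checked() rejects it outright; the three-SSID and two-frequency lists pass and populate the request with 3 and 2.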
HDD calls several qdf_debug_domain APIs when that feature is not
enabled. Add conditional compilation to avoid these calls when runtime
leak detection is not enabled.
Change-Id: I78775c240b5352ed63f2e15f16e25159bbde5666
CRs-Fixed: 2162989
The statement register_netdevice_notifier(&hdd_netdev_notifier)
was mistakenly replaced by hdd_register_notifiers(hdd_ctx) when
propagating from 3.1 to 3.2.
Change-Id: Iddcc2b0375c0e81b944def117b40ea3015f91e4b
CRs-Fixed: 2163113
In function lim_parse_kde_elements, while parsing the KDE list from
the assoc response frame, elem_len is obtained from the frame buffer.
elem_len is then used to find the matching OUI for the KDE OUI type and
then to calculate data_len based on the offset for the GTK/IGTK data
types.
If the value in the elem_len field in the frame is less than the Data
Offset (which includes the OUI and data type) or the GTK/IGTK offset,
then an OOB read would occur.
Add checks to validate elem_len against the Data offset and then against
the GTK/IGTK offset based on the data type.
Change-Id: I8ae31c6d6c28e88ad9bda757b3f1ff2585f8a553
CRs-Fixed: 2161920
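The two checks this message describes, shown in an added bounds-checked KDE list walker (example code written for this page, not the driver's lim_parse_kde_elements; the tag value, RSN OUI, the GTK/IGTK data-type numbers and the 2-byte GTK and 8-byte IGTK header offsets follow the IEEE 802.11 KDE layouts, while MAX_KEY_LEN, the struct and all function names are assumptions for the example). A third check, that elem_len fits the remaining frame buffer, is included because a frame-supplied length must never be trusted past the end of the buffer:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed constants for the example (hypothetical names, not the driver's). */
#define KDE_TAG         0xDD
#define KDE_OUI_LEN     3
#define KDE_DATA_OFFSET (KDE_OUI_LEN + 1) /* OUI + one data-type byte */
#define KDE_TYPE_GTK    1
#define KDE_TYPE_IGTK   9
#define GTK_OFFSET      2   /* Key ID/Tx byte + reserved byte precede the GTK */
#define IGTK_OFFSET     8   /* Key ID (2) + IPN (6) precede the IGTK */
#define MAX_KEY_LEN     32

static const uint8_t RSN_OUI[KDE_OUI_LEN] = { 0x00, 0x0F, 0xAC };

struct kde_keys {
    uint8_t gtk[MAX_KEY_LEN];
    size_t gtk_len;
    uint8_t igtk[MAX_KEY_LEN];
    size_t igtk_len;
};

/* Walks a TLV list and extracts GTK/IGTK KDE payloads.
 * Returns the number of elements walked, or -1 on any malformed element. */
int parse_kde_list(const uint8_t *buf, size_t len, struct kde_keys *out)
{
    size_t pos = 0;
    int count = 0;

    memset(out, 0, sizeof(*out));
    while (pos + 2 <= len) {
        uint8_t tag = buf[pos];
        size_t elem_len = buf[pos + 1];
        const uint8_t *elem = buf + pos + 2;

        /* elem_len comes from the frame: it must fit the remaining buffer */
        if (elem_len > len - pos - 2)
            return -1;

        if (tag == KDE_TAG) {
            /* Check 1: elem_len must at least cover the OUI and type byte */
            if (elem_len < KDE_DATA_OFFSET)
                return -1;

            if (memcmp(elem, RSN_OUI, KDE_OUI_LEN) == 0) {
                uint8_t type = elem[KDE_OUI_LEN];
                const uint8_t *data = elem + KDE_DATA_OFFSET;
                size_t data_len = elem_len - KDE_DATA_OFFSET;
                size_t off = 0;
                uint8_t *dst = NULL;
                size_t *dst_len = NULL;

                if (type == KDE_TYPE_GTK) {
                    off = GTK_OFFSET; dst = out->gtk; dst_len = &out->gtk_len;
                } else if (type == KDE_TYPE_IGTK) {
                    off = IGTK_OFFSET; dst = out->igtk; dst_len = &out->igtk_len;
                }

                if (dst) {
                    /* Check 2: the type-specific header must fit before the key */
                    if (data_len < off || data_len - off > MAX_KEY_LEN)
                        return -1;
                    *dst_len = data_len - off;
                    memcpy(dst, data + off, *dst_len);
                }
            }
        }
        pos += 2 + elem_len;
        count++;
    }
    /* A trailing lone header byte is also malformed */
    return pos == len ? count : -1;
}

/* Constructed sample buffers (not captured traffic). */
/* Well-formed GTK KDE with a 16-byte key: tag, len 22, OUI, type, keyid/tx, reserved, key */
static const uint8_t KDE_GOOD[] = {
    0xDD, 22, 0x00, 0x0F, 0xAC, 0x01, 0x01, 0x00,
    0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7,
    0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF
};
/* elem_len 3 is shorter than the OUI + type header (check 1) */
static const uint8_t KDE_SHORT_HDR[] = { 0xDD, 3, 0x00, 0x0F, 0xAC };
/* GTK KDE whose 1-byte payload is shorter than GTK_OFFSET (check 2) */
static const uint8_t KDE_SHORT_GTK[] = { 0xDD, 5, 0x00, 0x0F, 0xAC, 0x01, 0x01 };
/* elem_len claims 40 bytes but only 4 follow (buffer check) */
static const uint8_t KDE_TRUNC[] = { 0xDD, 40, 0x00, 0x0F, 0xAC, 0x01 };

/* Returns the parsed GTK length, or -1 if the parser rejects the buffer */
int gtk_len_of(const uint8_t *buf, size_t len)
{
    struct kde_keys keys;

    if (parse_kde_list(buf, len, &keys) < 0)
        return -1;
    return (int)keys.gtk_len;
}
```

Only KDE_GOOD yields a key (16 bytes); each of the three malformed buffers is rejected before any byte past its declared length is read.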
When a peer object is to be removed in the WLAN HDD object manager
code, it should be logically deleted first before its ref
count is decreased and the peer object is freed, or there will
be a potential race condition in which a freed peer object
buffer is accessed.
Change-Id: Ib3179e8207d1e9bbaa9c2b8450a8016e23cfc3f3
CRs-Fixed: 2161627
With the existing implementation of TAILQ_FOREACH_REVERSE
in the ol_txrx_remove_peers_for_vdev() function, the host traverses
the list, stores the peer in the temp var, releases the lock, and
later the temp var gets deleted as part of peer unmap, so the
host ends up accessing the stale peer entry.
To avoid this, the host should check for peer delete in progress
first before assigning it to the temp var.
Change-Id: I5b9a401ae062efc6d2fbe608b25424a27c9d9f94
CRs-Fixed: 2159446
Check hdd_ctx, adapter and sta_ctx against null before dereferencing
them in wlan_hdd_nan_datapath.c
Change-Id: Ie81a359be4f03f4f7e411b56d583c12fa3bb03c0
CRs-Fixed: 2162244
Add null pointer validation and fix possible buffer overflow issue
in sap module.
Change-Id: I314e07a31368dd3ca854b9aeab4a0bce0402a81b
CRs-Fixed: 2162246
Presently, OFDM packets are assigned preamble type of
LONG_PREAMBLE when the type should be SHORT_PREAMBLE.
Assign the preamble type correctly.
Change-Id: Ie16936ba54cb8e1dfa5e96ccc52f3fc6693a5d48
CRs-Fixed: 2159511
Currently in the scoring logic the host has the same
score of 125 for QBSS/ESP load between 50% to 75%
and 75% to 100%, which sometimes may result in improper
scoring for cases where AP1 has an air time fraction of
127, which converts to 51% load, and another AP2 has an air
time fraction of 13, which converts to 95% load.
But the score is the same for both APs and the host randomly
selects either AP instead of AP1.
The fix is to change the score for QBSS/ESP load to differentiate
between 50-75% and 75-100% load.
Change-Id: I96d0d8a6a0a1854b2faca4435afa612336bc3caf
CRs-Fixed: 2161778
The transition to/from FTM happens after the memdump feature is
initialized. However, the memdump init/deinit functions bail out if the
driver is currently in FTM. This leads to situations where memdump is
initialized, but skips deinitialization when the driver is in FTM at the
time of unload. Since memdump is always initialized during driver probe
(the driver is never in FTM at that time), always deinitialize on driver
unload.
Change-Id: Ib3555a89f64912403d8858877086ab070ce24e35
CRs-Fixed: 2162241
For the SNS test, in some scenarios when TX hits an invalid station ID it
prints massive logs, which leads to a WD bark issue.
Lower the log level from info to info high when TX hits an invalid station
ID, and also align with the cld3.1 code.
Change-Id: I965033fc8232c8ead15ef06d26aa0d1d2b468e8a
CRs-Fixed: 2159529
Add changes to identify and forward GAS public action frames to the
supplicant in lim_process_action_frame_no_session.
Change-Id: Id872e2b0b8b7a203b472e0bd152f25f63c873b4f
CRs-Fixed: 2161785
The FILS indication IE minimum length should be 4 bytes (2 bytes for tag and
length) + (2 bytes for realm hash). However, the current minimum is set to
5 bytes.
Usually the AP also sends the cache identifier in the FILS indication IE, which
is optional and causes the IE length to be greater than the minimum of 5.
If the AP does not send the Cache Identifier and sends only the realm hash,
the IE length would be 4, which causes the IE to be skipped in parsing,
thereby failing the FILS connection.
Fix the min IE length to 4 bytes in the frame parser for the FILS Indication IE.
Change-Id: I07f2b724f5840f9ba8ec663e0b303d8fc86663da
CRs-Fixed: 2161241
Add the WiderBWChanSwitchAnn to ext_chan_switch_ann action frame
as optional IE. Currently WiderBWChanSwitchAnn is added only in
beacon frames.
Change-Id: I4f76479bdb2befa93fcb83238590007a555af210
CRs-Fixed: 2141529
During SAP SSR the scan default IE data pointer is cleared and
set to null, hence avoid an unnecessary qdf_mem_cpy when the source
pointer is null.
Change-Id: I75960c69804144abee5b1978b43002110b0d0be4
CRs-Fixed: 2161056
When stop AP command is received from hostapd, all the stations
are deauthenticated and then stop bss is called. But stop bss is
called with high priority as true and so gets queued on the top
of the list while del sta commands are queued at the tail as high
priority is set to false for those. This leads to desynchronization
as the commands are not serialized.
Set high priority as false for stop bss sme command to serialize all
the commands.
Change-Id: I9c80032c418e05d3b5591bb3cfd70f8285f27fe8
CRs-Fixed: 2161257