In the function cds_is_gmac_mmie_valid, there is uninitialized
use of mic array elements that are passed into the function
qdf_crypto_aes_gmac which causes error report in coverty.
Initialize mic array before it is passed to qdf_crypto_aes_gmac.
Change-Id: I8650cc18d32f297f659ffaac0a514e183823f042
CRs-Fixed: 2233863
While processing QCA_NL80211_VENDOR_SUBCMD_TRIGGER_SCAN,
scan randomization attributes: SCAN_MAC and SCAN_MAC_MASK are not
validated using nla_policy for a minimum length check of
MAC_ADDR_SIZE (6 bytes) which can result in buffer over-read.
To address this, add nla_policy for randomization attributes.
Change-Id: I872e221b951809ca1e5c60b867be52b9fa738ddd
CRs-Fixed: 2232745
Currently there are no diag events to inform user space about
used AKM Suite, requested pairwise cipher, group cipher, and
group key management in assoc request and algo num used in auth
req.
Add such diag events which can be useful in automation.
Change-Id: I210773ded47a84a3d06390271401e53cbda83089
CRs-Fixed: 2203232
Add support to send regulatory sync event to user space for self
managed regulatory when regulatory info is updated.
Change-Id: Iacecb6f3e6a65c615d3a013509770463bdafe616
CRs-Fixed: 2242697
Add support for getting cfg integer from PMO. Register callbacks
during pe_open/close so that PMO can query CFG int values for
calculating parameters like listen interval etc.
Change-Id: I52d165586576e547e175ba276e6b7225db5b27e0
CRs-Fixed: 2252661
The driver allocates memory to channelist in the API
sap_get_channel_list, and stores the pointer to channel
list in sap_context, and frees the memory allocated for
the same in scan request callback.
But it may happen that before the callback, stop adapter
calls wlansap_context_put and frees the memory allocated
to sap context, without the mem free of channellist, which
results in a mem leak
Fix is to add a NULL check to sap context and free the memory
allocated to the sap context channel list in
sap_cleanup_channel_list.
Change-Id: I7030ca8325ae4c968db654bf14062e332f409b87
CRs-Fixed: 2254767
Currently after dp peer delete peer info is logged which leads
to invalid pointer access. Do not log the peer info after it is
deleted.
Change-Id: If4c2d9af7e3f2b29e3e034eec08fa68fd329257b
CRs-Fixed: 2259026
Before checking for other kinds of resources leaks, check to ensure all
objmgr vdevs have been properly freed.
Change-Id: Ie30daf22834ceb4a8ce19fbd1d4c9b231d3b70d4
CRs-Fixed: 2255511
Peer removal happens in MC thread context and the corrresponding
unmap events processed in soft IRQ context. But both the events
are not synchronized correctly and causes race condition
in the system.
Apply reference count for the peer to avoid this
problem.
Change-Id: If1ca656a4dc0325032069af926697784cdec9b2d
CRs-Fixed: 2183468
The function wlan_hdd_cfg80211_set_key_wapi is currently set as public
which is not required as it is called from the same file only.
Make the function static.
Change-Id: I8188cf02ec06b7212607b2aba759b47ec5cc58ac
CRs-Fixed: 2247639
hdd_inspect_dhcp_packet() Will be called for each TX packet in SAP
interface. Remove the print to avoid flush print which will impact
the TX performance.
CRs-Fixed: 2253186
Change-Id: I01766ad923725a0cb04b2c19952806d4de84b37e
The value that is received from the ini for the max number of peers
supported for SAP is not being updated to the sme database.
Update the ini param into the sme database
Change-Id: I319d825e8b1f643b04b5521577786f8a3ed20e13
CRs-Fixed: 2249919
In the function wma_update_intf_hw_mode_params, vdev_id received
from caller wma_pdev_set_hw_mode_resp_evt_handler, is used as
the array index for wma->interfaces. If vdev_id exceeds
wma->max_bssid then a possible OOB write could occur.
Add check to validate vdev_id against wma->max_bssid. Print
error if it exceeds.
Change-Id: I3ddf5e1b24fbd2bd401ac879219300857d05e4b7
CRs-Fixed: 2243990
The function sap_goto_channel_sel triggers the pre start bss
scan for SAP. After this scan is queued, the hostapd process
gets scheduled after 3 secs and proceeds to select the channel
to start the SAP. If scan completion for the ACS scan was not
received, it selects the default channels. ACS scan is sent to
firmware with low priority like other normal scan.
Increasing the priority of the scan will ensure that the scan
completion is done prior to the other existing scans pending on
the queue.
Escalate the priority of the ACS scan from low to high.
Change-Id: Ibe558a4a323f276cce6eaabb3b62db217dbd5a94
CRs-Fixed: 2245200
new INI gNumVdevs is added to allow number of VDEV support
for both Host and FW. Also Updated logic to calculate num_peers
and num_tids.
Change-Id: Ife5ff24e9594c8986913c06899ac5e41c83fc75c
CRs-Fixed: 2245506
There are several logs along the suspend/resume code paths that log
debugging related information at the INFO level. Reduce the logging
level of these debug logs to avoid spamming the console.
Change-Id: I0e81901e4a053038392c1012600ae125a1ad27a3
CRs-Fixed: 2258093
The API wma_inc_wow_stats lacks a break in switch case
after WOW_REASON_OEM_RESPONSE_EVENT. Due to this
execution falls through to the next case statement or
default.
Fix is to add a break after WOW_REASON_OEM_RESPONSE_EVENT
Change-Id: I0b95fd55403b29d74a471f038e518c58c81cfcf7
CRs-Fixed: 2233189
Currently the length of every FILS information is updated before buffer
pointer check which results in invalid update of FILS information.
Add non-zero buffer pointer check for all parameters of FILS information.
Change-Id: I2065f2f1984da473b5e97ffa25f4ab519e091c5b
CRs-Fixed: 2228062
In wma_unified_link_peer_stats_event_handler() we are checking
if buf_len is of proper value. At this point buf_len is may be
uninitialized, thus causing a compilation issue.
Initialize buf_len before use in the validation check.
Change-Id: Ia19de3c5c8bcd154670a44a9dafca31c6bf0b76b
CRs-Fixed: 2256229
In wma_unified_link_peer_stats_event_handler a check for excess WMI
buffer is done by comparing difference between WMI_SVC_MSG_MAX_SIZE and
buffer length with size of wmi_peer_stats_event_fixed_param. In case the
buffer length is a value larger than WMI_SVC_MSG_MAX_SIZE, and as buffer
length is an unsigned integer, it causes an integer overflow and results
in a very large value, thus invalidating the check.
Change the check to compare difference of WMI_SVC_MSG_MAX_SIZE and size
of wmi_peer_stats_event_fixed_param with the buffer length which
prevents chance of integer overflow.
Change-Id: Ic99d0cf6b34c7c45dde3c4feb50e102807564eff
CRs-Fixed: 2224451
In the function lim_process_messages, msg is received as the
argument. msg->bodyptr is accessed before checking if the msg is
NULL. This can cause a NULL pointer dereference if msg is NULL.
Moved the NULL check for the msg structure prior to accessing msg.
Change-Id: I61fc5fc65c9604bd5a82d7e226d9a4a9c30aebd2
CRs-Fixed: 2245791
Introducing integer overflow checks in htt_t2h_tx_ppdu_log_print()
contained use of %p which violates security guidelines.
Change %p to %pK.
Change-Id: I9e886e9b065ea6902aeedc3d9c25aac76a07d6de
CRs-Fixed: 2252217
Loading driver is fail because request_firmware returns
EAGAIN when it invokes usermodehelper_read_trylock during
system suspend happens. Though system suspend is aborted,
it hasn't invoked usermodehelper_enable yet.
To resolve this issue, retry again to check whether
usermodehelper_enable has done.
Change-Id: I80f95c2194039a67adbc463a32bfc0a15e68484b
CRs-Fixed: 2251604
The maximum value of the variable cRegTableEntries is defined in
MAX_CFG_INI_ITEMS. In the scenario the value is greater than this it
may cause an overrun may occur due to the weak guard.
Turn the runtime check into compile time check to prevent such scenario.
Change-Id: I58a0d47a32d457297d3caa456fd0ca03523ed9f5
CRs-Fixed: 2232723
In case of back to back connect req, if the 1st connect is in scan for
ssid phase, the 2nd connect req try to cleanup the 1st connect and wait
for disconnect complete variable for 5 sec. In this scenario as cleanup is
pending, the scan for ssid will fail and result in the association
failure.
But in association failure the disconnect complete variable is not
completed and thus the 2nd connect req keeps on waiting for 5 sec.
To fix this complete the disconnect complete variable in association
failure, if reason is scan for ssid failure and hdd disconnect is pending.
Change-Id: Ibc0cfb72d04442e82847dd624ede15eda340b766
CRs-Fixed: 2256376
Currently tHalHandle is used as the opaque handle for the primary data
structure within the protocol stack. This name is an anachronism given
that the HAL layer was moved to firmware many generations ago. In
addition the name does not conform to the Linux Kernel naming
convention.
To address these issues introduce a new identifier, mac_handle_t, to
be used as the opaque handle. Keep tHalHandle as a typedef to
mac_handle_t until such time that all references have been replaced.
In addition introduce a new set of conversion functions, MAC_CONTEXT()
and MAC_HANDLE(), to be used to convert between these two kinds of
references.
Change-Id: I9d0d7d109621237f29d66f7b06c5b63c38f63fb2
CRs-Fixed: 2257659
In function wma_send_offload_11k_params, check to support 11k offload
in FW fails due to usage of older WMI_SERVICE_EXT_IS_ENABLED leading
to 11k offload params not sent to FW.
Add changes to use wmi_service_enabled instead of
WMI_SERVICE_EXT_IS_ENABLED in wma_send_offload_11k_params.
Change-Id: Ic71043f448d74066a234ae1cb9513a1580011abd
CRs-Fixed: 2255255
Currently max_intf_count which report from target only update to hdd
layer, but there might be a race condition if don't update to objmgr:
There are already max_intf_count vdev created, one of the vdev is
closing by supplicant, vdev is logically deleted and referenced by
other function and waiting for cleaning. The interface count of hdd
layer is already decreased to accept opening new adapter, but the
vdev_id which derived from objmgr vdev is still occupied so the new
vdev have to choose max_intf_count as vdev_id, which makes target
assert.
Update max_vdev_count to psoc objmgr in hdd_update_tgt_cfg()
Change-Id: Ifff0b79cfb4645bb466a22da2d7d07040eee2bd0
CRs-Fixed: 2241098
Enable PNO feature in FW feature config such that WiFi
kernel space driver can return proper PNO feature capability
to user space.
Change-Id: I1360050aab0224b109ee9b3912d1aa428f5a5ed7
CRs-Fixed: 2249491
Current ucfg API's that disables wow events accept a u32 bitmap
variable. A pointer to that variable is passed to core API where
it assumes it as a u32 array of 4 bytes. This will lead to out of
bound memory access.
Change wow enable/disable API's to accept wow event type as the
parameter.
Change-Id: I220aaddfea62ab96f121014d0d65a1406988c946
CRs-Fixed: 2233108
ol_tx_update_connectivity_stats() in tx completion
path updates connectivity stats referenced from tx_desc.
In cases when vdev has gone down and tx completion are received
leads to NULL vdev access. So, add check before accessing vdev.
Change-Id: I402d740ab3ecd923aa1b632bd0c59447599c17df
CRs-Fixed: 2225053
