Currently in avoid frequency vendor command, data validation
is not being done, since this data comes from userspace driver
should not be using this data pointer without validation.
To address this issue add validation for data pointer and data
length received in driver.
Change-Id: I7b56e2ddcbcb5e98dd93d152033db48063e772d3
CRs-Fixed: 2252793
The command eSmeCommandDelStaSession issues vdev delete to
firmware. As this command eSmeCommandDelStaSession is not
serialized, this may issue delete vdev before the peers for the
vdev are deleted, resulting in fw assert. Serialization should
be brought in for this command, so that first eSmeCommandRoam
command will do vdev_stop-->remove_peer-->vdev_down and then
eSmeCommandDelStaSession will be processed which will send vdev
delete.
Post the command eSmeCommandDelStaSession to the serialization
module and WMA_DEL_STA_SELF_REQ will be posted from the sme
eSmeCommandDelStaSession handler.
Change-Id: I60fcbf622b961162c647db3638b5e019c5231971
CRs-Fixed: 2270982
Currently struct nan_datapath_peer_ind contains the following:
uint8_t session_id;
This is problematic since "session_id" is a legacy concept and should
not be used in the converged project. Fortunately this field does not
actually serve any purpose. But in order to cleanly remove it a 3-step
approach is required.
Step 1 (qcacld Change If6cf48ccbfe87b23b275720df51c6cc26af9fa5e):
Remove the logic from the converged NAN code which currently reads
this field and logs the value.
Step 2 (this change):
Remove the logic from the legacy NAN code which sets this field.
Step 3 (qcacld Change Ibeb8007c96ae1a902bfd7dd99a42ba4a291a1dc6):
Remove the session_id field from struct nan_datapath_peer_ind.
Change-Id: I2819556d48a9dd901158aaa04d6bda9c36f33012
CRs-Fixed: 2284400
If 11w is enabled, mmie should be included in broadcast
multicast rmf, length check need consider it to avoid buffer
overflow
CRs-Fixed: 2270117
Change-Id: I6c2ebe18fb5b6e4246ba6d28c1dbc55175279e30
Currently, all resource leaks are skipped during the SSR reinit stage.
However, recently added vdev and pdev leak checks apply equally as well
to SSR reinit. During SSR do as many resource leak checks as possible,
while retaining the entire set for normal use cases.
Change-Id: I33248a9fb0fbacddf9ea8682ff984290712c29d3
CRs-Fixed: 2284384
When wlan driver unloading is in progress, IPA_OPCODE_TX/RX_SUSPEND
will not be processed and resource_unloading may be left as true.
Moroever since driver will be unloaded, IPA_OPCODE_TX/RX_SUSPEND
interaction between Host and FW will not be necessary.
Fix is to disable IPA pipes directly when handling disconnection
if wlan driver unloading is in progress.
Change-Id: Ia4af1ab04052b1a9bab44105760de50ad6263dbb
CRs-Fixed: 2279044
This is an older implmenetation of handling blacklist and whitelist
OUI's. Hostapd doesn't send this information in start_ap now. There
is a possible out of bound memory access happening while parsing an
IE with this code. Remove the code to avoid security risk.
Remove redundant code handling blacklist and whitelist OUI IE's.
Change-Id: Ib16d26d6766bcffb53de34dca77073a3e986eee2
CRs-Fixed: 2239897
Max 3 BSS sessions and 10 peers are required in Genoa.
To support this, reduce SIR_MAX_SUPPORTED_BSS to 3 and
SIR_SAP_MAX_NUM_PEERS to 10.
Change-Id: Ic773b5b38193d446288321c2dfd740f6de57704e
CRs-Fixed: 2283825
The function wma_roam_synch_frame_event_handler, memory is
allocated for iface->roam_synch_frame_ind.bcn_probe_rsp,
iface->roam_synch_frame_ind.bcn_reassoc_req,
iface->roam_synch_frame_ind.bcn_reassoc_rsp when the wmi event
WMI_ROAM_SYNCH_FRAME_EVENT is received. This event is followed
by a WMI_ROAM_SYNCH_EVENT from the firmware where the host
copies the bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp to
the structure roam_synch_ind_ptr and frees the allocated memory.
In this flow memory leak can happen in following cases:
1. Firmware sends multiple cascade of WMI_ROAM_SYNCH_FRAME_EVENT
the host allocates bcn_reassoc_req, bcn_reassoc_rsp and
bcn_probe_rsp with out freeing the previous instance.
2. Firmware sends WMI_ROAM_SYNCH_FRAME_EVENT with either
bcn_reassoc_req or bcn_reassoc_req or bcn_probe_rsp NULL or all
the three are NULL.
3. Firmware sends WMI_ROAM_SYNCH_FRAME_EVENT having
bcn_reassoc_req bcn_reassoc_req and bcn_probe_rsp. Then it sends
the WMI_ROAM_SYNCH_EVENT with non zero bcn_reassoc_req_len or
bcn_reassoc_rsp_len or bcn_probe_rsp length.
4. Host doesn't free the allocated memory in
wma_roam_synch_frame_event_handler during failure cases.
Check if received iface->roam_synch_frame_ind has non NULL
bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp and free the
same before allocating new memory. Also free the allocated
bcn_probe_rsp, bcn_reassoc_req, bcn_reassoc_rsp in failure
return cases.
Change-Id: I2b76769d09fd61929f7837cb8661d778cd2f881a
CRs-Fixed: 2282413
Do not enable HL Flow Control config flags in Kbuild.
Instead depend on defconfig settings to enable/disable HL Flow
control flags.
Change-Id: I734c4cd26d056ce28ce064e8d353075ad22e39ee
CRs-Fixed: 2284686
Map all enter/exit log macros to enter/exit QDF TRACE macro
to provide option to compile out enter/exit logs if required.
Change-Id: I0c6cd633705e820fcfeb47e3f81a3522c9ef1974
CRs-Fixed: 2274850
Change the btm_offload_config INI default to disable the sending of
solicited BTM query frame from the host.
Change-Id: Ie1d1eeff268e445ed19c62413712ab2178c7ba54
CRs-Fixed: 2279249
Add support to send below two MWS-COEX configurations to FW
1. Enable/disable MWS-COEX 4G (LTE) Quick FTDM
2. Set MWS-COEX 5G-NR power limit
Change-Id: I14656ced91c9dec2be85590e6f6c1e7497505a28
CRs-Fixed: 2265352
The %pS format specifier causes a symbol lookup which disables
preemption in the Linux kernel. As such it is advisable to never use %pS
where __func__ could be used instead. Replace usage of %pS in
wlan_hdd_validate_context() with __func__ passed from the caller
instead.
Change-Id: I2b170bd6098f4acf2a4ccab537f546ba8de154ba
CRs-Fixed: 2283619
Scheduler thread enter suspend state when calling p2p callback from
pmo, and it can't execute cleanup task on time in p2p suspend handler.
So, cleanup roc and tx action frame before suspend mc thread. Add
cleaning up tx action frame by vdev in hdd layer.
Change-Id: Ib0ef1cb3a73c5a48b3c365935a6d5b9307d2aae0
CRs-Fixed: 2283298
When stop_ap command comes from userspace, __wlan_hdd_cfg80211_stop_ap
calls sap_fsm to change the states of SAP from started to disconnect.
In order to change SAP states, __wlan_hdd_cfg80211_stop_ap sends
WMI_VDEV_STOP_CMDID followed by WMI_VDEV_DOWN_CMDID and
WMI_VDEV_DELETE_CMDID to fw. After the successful change in state of
SAP machine, driver invokes an HDD callback, hdd_hostapd_sap_event_cb
for cleanup and subsequently invokes hdd_softap_stop_bss to reclaim all
resources. This API sends IPA_OFFLOAD_ENABLE_DISABLE cmd to fw for the
VDEV on which SAP started. Which results assert in firmware as host
sends HDD IPA event for the VDEV which is already deleted while changing
the state of SAP.
Fix is to send HDD_IPA_AP_DISCONNECT IPA events before stop BSS.
Change-Id: Ief9318bb476b480fd52f4155a0788a34c1e2ed53
CRs-Fixed: 2276125
There are multiple places where a tHalStopType parameter is passed but
unused. This is a historical artifact, so remove all instances of it.
Change-Id: Iebcbbac580495a376b7456b3a2901f33c2474f83
CRs-Fixed: 2283460
In the scenario of concurrent execution of __con_mode_handler and
triggering of SSR, there exists a possibility of driver sending power
off command while the target is not ready. In hdd_wlan_stop_modules, as
a part of __con_mode_handler context, pld_power_off was called after
the trigger of SSR, which caused assert in the platform driver.
To eliminate this, convert the static verfification of the driver state
at the start of the hdd_wlan_start_modules to dynamic. And also set the
target ready state to false in case SSR/FW_DOWN uevent is received.
These will ensure that the driver doesnot try to send the power off
command while the target is not ready.
Change-Id: Idf1056dc85107c535809bedf8b5534085033a1f5
CRs-Fixed: 2271096
Add support for action OUI extensions which can be used by station
to control mode of connection, connected AP's in-activity time and
Tx rate etc.,
Change-Id: Ie85e29c4b0ed7ac2815709d7a4e607c4ba46c6ca
CRs-Fixed: 2254502
In sme and lim, NULL check is available for h_hal. pmac is
casted resultant from h_hal and is retrieved using
PMAC_STRUCT macro, which is defined as ((tpAniSirGlobal)_hHal).
Null check is added for this p_mac also which is redundant.
Remove logically dead code to NULL check the p_mac.
Change-Id: I7a22de3691b83e8ae04391e43cde82541eaabc23
CRs-Fixed: 2276003
In the function cfg80211_rx_mgmt, data_len is calculated as
len - ieee80211_hdrlen(mgmt->frame_control). Len is not
validated before this calculation. So a possible integer
underflow will occur if len value is less than the value of
ieee80211_hdrlen(mgmt->frame_control).
Validate the value of len against
ieee80211_hdrlen(mgmt->frame_control) in the caller.
Change-Id: Iae776daf37b0c052bd4ce4da44ea728d121eae51
CRs-Fixed: 2263758
The current HDD session Id sanity check only checks for the magic
"invalid session Id" value. However, anything greater than or equal to
MAX_NUMBER_OF_ADAPTERS is an invalid session Id. Update the sanity check
to reject any session Id greater than or equal to
MAX_NUMBER_OF_ADAPTERS.
Change-Id: I7c5a3b82afde073e92fcd0dbf55002fa11a980b2
CRs-Fixed: 2283584
Currenly, as part of tdls add sta req gLimAddStaTdls is set to 1.
And as part of add sta response gLimAddStaTdls is checked if 1 to
map tdls add sta response.
This implementation needs to take care of all error cases of
add sta req failure to reset the gLimAddStaTdls value to 0.
Instead check for peer type in add sta rsp.
Change-Id: Ideaff239f743b95a9578806d2ec220e123d4d995
CRs-Fixed: 2281385
If driver receive stop adapter when STA is in connecting state, driver
queue a disconnect command without changing the connState of the STA.
Now even if the disconnect is in progress the connState indicate that
the connection is in progress. This may lead to sync issues between HDD
and SME.
Fix is to set the connState to disconnecting so that HDD indicate
proper state.
Change-Id: Ib9d607ad2ab05e5edc266e59516b4ae2b7668c78
CRs-Fixed: 2277633
Modify the keep alive time as 60 secs by default to cater to rouge AP
behavior in some cases
Change-Id: Id2bb1b61e5fcdc5994451c981bd1171c1860c7cf
CRs-Fixed: 2258825
