CVE-2020-26145
Broadcast and multicast frames should never be fragmented. Several devices
process broadcasted fragments as normal unfragmented frames. Moreover, some
devices accept plaintext fragmented broadcast or multicast frames in
protected Wi-Fi networks. An adversary can abuse this to inject packets
by encapsulating them in a fragmented plaintext broadcast frame. Even
unicast packets can be encapsulated in broadcast Wi-Fi frames and hence
be injected.
Change-Id: I3181a05e177cf9374a14edb748bc5001d058e0f3
CRs-Fixed: 2893212
Drop non-EAPOL frames from unauthorized peer in security mode.
Enabling this feature by default with this change.
Change-Id: I9878b37088149e34f456a38a9c0f722e4c5ee49a
CRs-Fixed: 2943789
Provide multiple combinations to configure the MSI interrupts
of DP and CE based on the number of MSIs available in the platform.
Number of MSIs used for CE and DP can be changed by modifying the
MSI assignment table in platform driver. Best possible mask for that
MSI is automatically chosen based on predetermined settings.
Change-Id: I02b44fb033631d69d97f2d8d2d3f698541d37aad
In some RX backpressure cases, we see the HW accessing REO
queue descriptors of a deleted peer (after the queue descriptors
are unmapped/freed); this is leading to SMMU faults. There are
cases where the HW is accessing the stale REO queue descriptors
~12 seconds after the queue descriptors were freed.
In order to avoid the problem, HW team has suggested to defer
unmapping/free of REO Queue descriptors. Add the logic for the
same.
Change-Id: I5b1fb966dc75b963ccc9d22c40272c8d1d8d6026
CRs-Fixed: 2939223
It's a regression of change: qcacmn: Fix smmu fault for tx buffer unmapped.
Only 1 tx buffer is smmu mapped for IPA with it.
During STA-SAP tethering, when IPA accesses the 2nd tx buffer, an smmu fault
happens.
Remove qdf_assert_always since it already exists in
__dp_ipa_handle_buf_smmu_mapping.
Change-Id: Ife8ed17d85a8bcfc507c312001af4b905c9b3a27
CRs-Fixed: 2937435
Modify check to ensure packet number is consecutive for
fragments and drop the fragments if the check fails.
Change-Id: I2ca0ef6211594ba35aae894e6a385d3d5778bff6
CRs-Fixed: 2874369
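
The consecutive packet-number check described in the commit message above, as an added example (not code from the driver). It assumes CCMP's 48-bit PN and 8-byte header layout; `struct rx_frag`, `ccmp_pn` and `frag_pn_is_consecutive` are hypothetical names and the sample headers are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define PN_MAX 0xFFFFFFFFFFFFULL /* CCMP packet numbers are 48 bits wide */

/* Hypothetical per-fragment record kept while reassembling one MSDU. */
struct rx_frag {
    uint8_t ccmp_hdr[8]; /* PN0 PN1 rsvd keyid PN2 PN3 PN4 PN5 */
};

/* Extract the 48-bit PN from a CCMP header (PN0 is the least significant byte). */
uint64_t ccmp_pn(const uint8_t h[8])
{
    return (uint64_t)h[0] | (uint64_t)h[1] << 8 | (uint64_t)h[4] << 16 |
           (uint64_t)h[5] << 24 | (uint64_t)h[6] << 32 | (uint64_t)h[7] << 40;
}

/*
 * Return true only when each fragment's PN is exactly the previous PN + 1.
 * A gap, a repeated PN, or a PN that would have to wrap past 48 bits all
 * fail, and the caller is expected to drop the whole fragment chain.
 */
bool frag_pn_is_consecutive(const struct rx_frag *frags, size_t n)
{
    if (n == 0)
        return false;
    uint64_t prev = ccmp_pn(frags[0].ccmp_hdr);
    for (size_t i = 1; i < n; i++) {
        uint64_t pn = ccmp_pn(frags[i].ccmp_hdr);
        if (prev == PN_MAX || pn != prev + 1)
            return false;
        prev = pn;
    }
    return true;
}

int main(void)
{
    /* Constructed sample: second fragment skips a PN (5 then 7). */
    struct rx_frag gap[2] = { {{5, 0, 0, 0x20, 0, 0, 0, 0}},
                              {{7, 0, 0, 0x20, 0, 0, 0, 0}} };
    printf("gap chain accepted: %d\n", frag_pn_is_consecutive(gap, 2));
    return 0;
}
```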
Register dp_peer_flush_frags API in dp peer ops
for flushing fragments for a particular peer.
Change-Id: Ia179d3160bdc306ec965c465134042c66a0c40a6
CRs-Fixed: 2874366
For security cert TC, RSNIE length can be 1 but if the beacon is
dropped, old entry will remain in scan cache and cause cert TC
failure as connection with old entry with valid RSN IE will pass.
So instead of dropping the frame, do not store the RSN pointer so
that old entry is overwritten.
Change-Id: I2fe4d2dd2352be6850f7a18a2ec829733ded7ee8
CRs-Fixed: 2944120
Some of the targets require more QDF nbuf history
size, so making the size configurable keeping
default same.
Change-Id: Ic4ac43a1eacb1e58c0a05b794349525d614d7fc8
CRs-Fixed: 2929968
Firmware generates wmi Rx diag events every few milliseconds,
and processing the same in system shared work queue may lead to
work queue lock-up detection. Hence, move Rx diag event processing
to dedicated work queue.
Change-Id: I10cdde317794e35bc6d10677ab76ea24a66e1880
CRs-Fixed: 2941409
Add new inis for assoc active and passive dwell time
for 6g. These will be applied if STA is connected.
Change-Id: I680fbd3038968ecf6ff9920fff982456135bfd77
CRs-Fixed: 2941359
Even though HP/TP updates are posted writes at CPU level, they
are getting blocked until soc comes out of retention, which is hogging
CPU.
To avoid this, if EP is in low power state, update HP/TP writes from
delayed work context. In delayed work, vote for EP awake, wait till it
comes out of low power state, and then proceed to HP/TP update.
Change-Id: I61d5795f58f25f850b5a9ad4d30e3181dba23713
CRs-Fixed: 2913495
In monitor mode, when the channel is set to any 2G band channel,
the mac_id passed to dp_mon_process API is 1. As part of
dp_rx_buffers_replenish, refill history is logged and the
mac_id is used to index into the history array. The array is
of size 1 and OOB access would happen when ring_num which
is the mac_id, passed in is 1.
Fix is to pass the pdev->lmac_id instead to
dp_rx_refill_ring_record_entry and add ring_num sanity check.
Change-Id: Id824ec8b01e7923ad74771d5f34a25f5fccb65f3
CRs-Fixed: 2939544
For every channel change, a print is displayed on the console.
Reduce log level to suppress the print.
CRs-Fixed: 2921656
Change-Id: Ib300ecc17c09412aa6502cc45ec1c4b7da3b54ce
In cm_update_scan_db_on_connect_success, the current candidate is
always retrieved from connect req even when the resp is for reassoc;
this can lead to invalid pointer access.
Fix this by getting current candidate from roam command for reassoc
resp.
Change-Id: I99afc49abd7581cf43279654a5fe1e67e2448bd0
CRs-Fixed: 2941836
In some of the targets, modulo operator assembly APIs
are not defined, causing a compilation error.
To avoid this, use qdf based APIs for modulo operations.
Change-Id: Ibc69b69aa38cadff5daa8dee8b65ceaacfe997b7
CRs-Fixed: 2940281
When obss scan is enabled, FW will trigger scan periodically by
a timer. If a scan was triggered, FW needs to access host memory
for data transfer. Occasionally, suspend may happen during one
scan, then FW is unable to access host memory and fw will crash.
So disable the obss scan before suspend.
Change-Id: Ie507da929a3701473cb57888e96e702e34d4c95a
CRs-Fixed: 2927239
Allow object manager logging in console only for WIN as
it's a critical print. For MCC, this print will not be
logged to avoid console lock and excessive logging.
Change-Id: I09b6dc80486cfa727c130f3fe205f504a46dd0c0
CRs-Fixed: 2938507
In perf builds, add a ksize check and call qdf_mem_prealloc_put()
only when size is greater than 4K to avoid lookup overhead.
Change-Id: If01a7cbeaf1ee7f514f16296340169a937dafa78
CRs-Fixed: 2936464
Logs are printed inside a spinlock which was held for
losing more than 2 seconds.
To fix this, reducing log level so it is not printed
in the console and instead in driver logs.
Change-Id: Ib510ddc1b5bff63db012b45ffa0280eedc356cc6
CRs-Fixed: 2938590
If MBSSID IE contains only header and no payload
then current logic can cause OOB read.
Added validation check for length of IE before
accessing MBSSID IE payload.
Change-Id: Id8b34e5f516f1a1c85bc7d93d9128cad29393e9d
CRs-Fixed: 2838631
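
The length validation described in the commit message above, as an added example (not code from the driver). It assumes the standard element layout of ID, length, payload with the Multiple BSSID element as ID 71 and its first payload byte as the MaxBSSID Indicator; `mbssid_max_indicator` is a hypothetical name and the sample frame bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EID_MBSSID 71 /* Multiple BSSID element ID */

/*
 * Walk a buffer of information elements and return the MaxBSSID Indicator
 * of the first MBSSID element through *out. Returns 0 on success and -1
 * when the element is absent or malformed.
 */
int mbssid_max_indicator(const uint8_t *ies, size_t len, uint8_t *out)
{
    size_t off = 0;

    while (len - off >= 2) {          /* room for the 2-byte IE header */
        uint8_t id = ies[off];
        uint8_t elen = ies[off + 1];

        if (elen > len - off - 2)     /* payload runs past the buffer */
            return -1;
        if (id == EID_MBSSID) {
            if (elen < 1)             /* header only: no payload to read */
                return -1;
            *out = ies[off + 2];
            return 0;
        }
        off += 2u + elen;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample: SSID IE "ab", then an MBSSID IE with length 0
     * sitting at the very end of the buffer. Reading its payload byte
     * without the elen check would touch memory past the frame. */
    const uint8_t hdr_only[] = { 0, 2, 'a', 'b', EID_MBSSID, 0 };
    uint8_t ind = 0;

    printf("header-only MBSSID IE -> %d\n",
           mbssid_max_indicator(hdr_only, sizeof(hdr_only), &ind));
    return 0;
}
```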
hal_get_entrysize_from_srng returns the entry size
in dwords but the caller expects in bytes. This results
in insufficient data to be recorded for CE event.
Fix is to left shift the entry size by two bits in
hal_get_entrysize_from_srng so that the entry size
value returned is in bytes.
Change-Id: If532da7abe5ce9c293969f0052455085f18b1926
CRs-Fixed: 2935196
Fill the primary 160MHz segment centers (mhz, ieee) for a 320MHz
channel in the given channel param.
Change-Id: I422bc90fabd2e2ecaa6732a6719218fcc18c19f2
When unregistering wmi handlers, the position of the
old handler is replaced with the last handler in the table.
But at this stage only handler was getting replaced, but
not the context. Hence, make sure to update the context
as well.
Change-Id: If90ea9d7663fb105e8e8ad7d7e6c70da20264e44
Add the history support to log Tx descriptors programmed
in Tx and completion HW rings.
Change-Id: I60954c93e2595e7dad1251c459eed8afc761e917
CRs-Fixed: 2924614
Firmware sends control frames in same wmi path as mgmt
frames. Currently, these frames will be dropped by mgmt
txrx component, so add support to handle control frames
in mgmt txrx component.
Change-Id: Ia046c1b3b25d40429a859e9c2659126b3d5eb3c0
CRs-Fixed: 2932123
Deprecated IPA APIs are currently getting compiled.
To fix this, adding Linux kernel version check.
Change-Id: I2288db34c09d60047c67a5df9081de08a6c2f62b
CRs-Fixed: 2927413
With the addition of MLO_SYNC_WAIT substate, now the active status
of the VDEV will be indicated by ACTIVE substate under UP state.
Add API to check if a given vdev is in UP_ACTIVE state.
Change-Id: Ia858765b07582f89e0eaa041d56c7f2aae6f1528
CRs-Fixed: 2924322
Fill peer assoc mlo params in peer assoc request command.
Also add definitions to the WMI_SERVICE_11BE.
Change-Id: Ied7959e022ee27f3bd698b84dc801491175f85b3
CRs-Fixed: 2934417
When host failed to find out vaddr by paddr from FW, output more
information for further debugging.
Change-Id: I65c4965c12c2ffa3fe2a26a82df01d1b91501c73
CRs-Fixed: 2925194
The issue happens when wpa_supplicant is creating a vdev
and schedule_thread is destroying the same vdev.
If state is not WLAN_OBJ_STATE_LOGICALLY_DELETED,
return back here; otherwise it will cause the creating
vdev_id to be invalid.
Change-Id: I574838bca574add497f1167c75ede44938b7bf17
CRs-Fixed: 2935068
Fisa packet history is around 6KB for each sw fisa
flow entry and this is part of the dp_fisa_rx_sw_ft
structure. The total size of the SW FT as a result is
around 830KB and the higher order memory allocation via
kzalloc for this could fail in low/fragmented memory
scenarios.
Fix is to allocate memory for FISA pkt history separately
and attach it to the SW FT entry.
Change-Id: I7296d7269c1b86ec38ea1668e8a0893335bbdb6f
CRs-Fixed: 2936353
Currently when updating the single pmk capability for an AP,
the driver only changes for the sae single pmk OUI advertised
by the AP and not the ini value. This causes the crypto entry
for the AP to be updated with single pmk flag to true even when
the ini is disabled.
So check the sae single pmk ini also to update the scan entry
as sae single pmk bss.
Change-Id: I2ae16c8da5af397b041723f9d5a3b2d8a6e7c986
CRs-Fixed: 2935440
Add an API to set the AP power type and then recompute the current
channel list.
Change-Id: Iacd4d3244f601836f3ed0eae725eaa6375a3584c
CRs-fixed: 2934625
In WMI_HOST_TP_SCALE, add an option to support 6% transmit power scale
configuration.
Change-Id: I11a67f0efd13ba2c7f2d8d546643a1af37f33613
CRs-Fixed: 2936987