qcacld-2.0 to qcacld-3.0 propagation
Check for the validity of credits when receiving the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND or HTT_T2H_MSG_TYPE_TX_COMPL_IND
from firmware to ensure that integer overflow does not happen if these
messages are invoked many times.
Change-Id: I01386b88f1b677153f3e51e055b7fbac073cd6b3
CRs-Fixed: 2147127
In function add missing check for regulatory domain before assuming
channels 120-130 to be ETSI weather channels.
Change-Id: Ief9761b5ac06a511a4132f71c0a63c796741149d
CRs-Fixed: 2150264
__wlan_hdd_cfg80211_do_acs mallocs memory of
adapter->session.ap.sap_config.acs_cfg.ch_list
without checking and freeing the original memory.
If hostapd is killed by -9 and interface wlan0 keeps on,
wlan_hdd_cfg80211_stop_ap and wlan_hdd_undo_acs aren't called, so
acs_cfg.ch_list memory isn't freed.
If hostapd is started again, __wlan_hdd_cfg80211_do_acs is called again
and mallocs memory of acs_cfg.ch_list again; the last malloced memory is leaked.
Change-Id: Ia45615aa75841381b13a2f779cb5d355526d78a2
CRs-Fixed: 2150040
During starting of SAP, after extracting the pointer to the country IE,
the country code is copied without proper IE length validation. A smaller
than acceptable IE length can cause out-of-bounds memory access.
Validate the length against the minimum acceptable length before copying.
Change-Id: Ie2115bdbd22badd51ea40d028331ef1a74b02281
CRs-Fixed: 2150285
qcacld-2.0 to qcacld-3.0 propagation
There can be a possible race in the update of roam substate
between csrRoamWaitForKeyTimeOutHandler and upper layer
disconnect in csrRoamIssueDeauth. The race can be as follows.
Driver roam substate is eCSR_ROAM_SUBSTATE_WAIT_FOR_KEY by
the time csrRoamWaitForKeyTimeOutHandler is invoked. This
can allow the CSR_IS_WAIT_FOR_KEY check to pass. If the MC thread
gets preempted and the driver processes an upper layer disconnect,
then the driver changes roam substate to eCSR_ROAM_SUBSTATE_DEAUTH_REQ
in csrRoamIssueDeauth. When the MC thread resumes processing of
csrRoamWaitForKeyTimeOutHandler, the driver changes roam
substate to eCSR_ROAM_SUBSTATE_NONE. This can result in
eWNI_SME_DEAUTH_RSP not being handled, as roam substate is not
eCSR_ROAM_SUBSTATE_DEAUTH_REQ, and can result in active command
timeout. Hence, update roam substate atomically in the same context
if CSR_IS_WAIT_FOR_KEY passes in csrRoamWaitForKeyTimeOutHandler.
Change-Id: I05cfc8de54fe4196df941c2fd48db8bedc7df779
CRs-Fixed: 2155141
When the SSR and interface down happen in parallel,
the driver rejects the interface down since the
recovery is in progress. The kernel ignores the -EAGAIN
request from the driver and, as part of the NET_DOWN notification
in cfg80211_netdown_notifer, the kernel invokes
___cfg80211_scan_done to free the request but doesn't send
the scan_result indication, since it expects the scan_done work to
get scheduled and then broadcast the request to the upper layer.
Change-Id: Id698044ebe30cf555300e909a916d74be1f8b94f
CRs-Fixed: 2115392