Commit graph

8626 Commits

Author SHA1 Message Date
Ashish Kumar Dhanotiya
d2b9064557 qcacld-3.0: Buffer overwrite in vendor scan request on n_ssid
In function __wlan_hdd_cfg80211_vendor_scan, when SCAN_SSIDS
and QCA_WLAN_VENDOR_ATTR_SCAN_FREQUENCIES are parsed, if the
number of SSIDs or number of channels are more than 255 in
netlink message, n_ssid and n_channels will get overflow
because n_ssid and n_channels are of type uint8_t.

Add a check to validate the max number of SCAN_SSIDs against
MAX_SCAN_SSID and max number of channels against MAX_CHANNEL.

Change-Id: Ib31dcc912fee8639e26d836d2fc5a32bf81fb43d
CRs-Fixed: 2153343
2017-12-25 21:26:13 -08:00
Dustin Brown
26b3d04130 qcacld-3.0: Fix runtime leak compilation issue
HDD calls several qdf_debug_domain APIs when that feature is not
enabled. Add conditional compilation to avoid these calls when runtime
leak detection is not enabled.

Change-Id: I78775c240b5352ed63f2e15f16e25159bbde5666
CRs-Fixed: 2162989
2017-12-25 21:26:10 -08:00
snandini
9355430d8e Release 5.2.0.59K
Release 5.2.0.59K

Change-Id: I9497b81f0c16909f5f01ce8052d32811a3824c91
CRs-Fixed: 774533
2017-12-25 19:26:03 -08:00
Paul Zhang
fb02f45704 qcacld-3.0: Register hdd_netdev_notifier properly
The statement register_netdevice_notifier(&hdd_netdev_notifier)
is replaced by hdd_register_notifiers(hdd_ctx) mistakenly when
propagating from 3.1 to 3.2.

Change-Id: Iddcc2b0375c0e81b944def117b40ea3015f91e4b
CRs-Fixed: 2163113
2017-12-25 19:26:02 -08:00
snandini
64206612cb Release 5.2.0.59J
Release 5.2.0.59J

Change-Id: I56bc7e2d3f87f91c1b8a29971a6a496414c4e380
CRs-Fixed: 774533
2017-12-25 13:26:02 -08:00
Vignesh Viswanathan
59bf3d4bf0 qcacld-3.0: Fix potential OOB read in lim_parse_kde_elements
In function lim_parse_kde_elements, while parsing the KDE list from
the assoc response frame, elem_len is obtained from the frame buffer.
elem_len is then used to find the matching OUI for KDE OUI type and
then to calculate data_len based on the offset for the GTK/IGTK data
types.

If the value in elem_len field in the frame is less than the Data
Offset (which includes the OUI and data type) or the GTK/IGTK offset
then an OOB read would occur.

Add checks to validate the elem_len with Data offset and then with
the GTK/IGTK offset based on the data type.

Change-Id: I8ae31c6d6c28e88ad9bda757b3f1ff2585f8a553
CRs-Fixed: 2161920
2017-12-25 13:26:01 -08:00
snandini
9c8e7e6222 Release 5.2.0.59I
Release 5.2.0.59I

Change-Id: I2055927fba7705f2a909b6e874ed82de8bedd28b
CRs-Fixed: 774533
2017-12-22 19:26:33 -08:00
wadesong
db4d958ba4 qcacld-3.0: Refine peer object cleanup sequence
When a peer object is to be removed in WLAN HDD object manager
code, it should be logically deleted first before its ref
count is decreased and the peer object is freed, or there will
be a potential race condition, in which a freed peer object
buffer will be accessed.

Change-Id: Ib3179e8207d1e9bbaa9c2b8450a8016e23cfc3f3
CRs-Fixed: 2161627
2017-12-22 19:26:32 -08:00
Poddar, Siddarth
3f97e3dca7 qcacld-3.0: Check for peer delete in progress before assigning to temp var
With the existing implementation of TAILQ_FOREACH_REVERSE
in ol_txrx_remove_peers_for_vdev() function, host traverses
the list, stores the peer in the var, releases the lock and
later temp var is getting deleted as part of peer unmap and
host ends up accessing the stale peer entry.

To avoid this, host should check the peer delete in progress
first before assigning it to the temp var.

Change-Id: I5b9a401ae062efc6d2fbe608b25424a27c9d9f94
CRs-Fixed: 2159446
2017-12-22 19:26:30 -08:00
Naveen Rawat
f939162569 qcacld-3.0: Avoid possible null pointer dereference
Check hdd_ctx, adapter and sta_ctx against null before dereferencing
them in wlan_hdd_nan_datapath.c

Change-Id: Ie81a359be4f03f4f7e411b56d583c12fa3bb03c0
CRs-Fixed: 2162244
2017-12-22 19:26:28 -08:00
snandini
9dae0a4488 Release 5.2.0.59H
Release 5.2.0.59H

Change-Id: If23d863e00f28d1357c3790b4b90adf9b73fe0b2
CRs-Fixed: 774533
2017-12-22 15:26:12 -08:00
Naveen Rawat
170420a953 qcacld-3.0: Change log level of debug message
Change log level of warning message to debug in functions:
__lim_process_operating_mode_action_frame
lim_is_robust_mgmt_action_frame

Change-Id: I8572dc9e6182767809df810fd6f74a307508e32a
CRs-Fixed: 2162961
2017-12-22 15:26:11 -08:00
Arif Hussain
21ad43430c qcacld-3.0: Add null pointer check and fix buffer overflow in sap
Add null pointer validation and fix possible buffer overflow issue
in sap module.

Change-Id: I314e07a31368dd3ca854b9aeab4a0bce0402a81b
CRs-Fixed: 2162246
2017-12-22 15:26:08 -08:00
Himanshu Agarwal
b956c03cb0 qcacld-3.0: Assign correct preamble type for OFDM packets
Presently, OFDM packets are assigned preamble type of
LONG_PREAMBLE when the type should be SHORT_PREAMBLE.

Assign the preamble type correctly.

Change-Id: Ie16936ba54cb8e1dfa5e96ccc52f3fc6693a5d48
CRs-Fixed: 2159511
2017-12-22 15:26:05 -08:00
snandini
61962a876c Release 5.2.0.59G
Release 5.2.0.59G

Change-Id: I36d1f4db20fb6de2ceb3fbc37582c191c5b45fb0
CRs-Fixed: 774533
2017-12-22 13:26:22 -08:00
gaurank kathpalia
90f83f081b qcacld-3.0: Change scores for QBSS/ESP load
Currently in the scoring logic the host has the same
score of 125 for the QBSS/ESP load between 50% to 75%
and 75% to 100% which sometimes may result in improper
scoring for cases where AP1 has air time fraction
127 which converts to 51% load and other AP2 has air
time fraction 13 which converts to 95% load.
But the score is same for both AP and the host selects
randomly any one of the AP instead of AP1

Fix is to change score for QBSS/ESP load to differentiate
between 50-75% and 75-100% load

Change-Id: I96d0d8a6a0a1854b2faca4435afa612336bc3caf
CRs-Fixed: 2161778
2017-12-22 13:26:22 -08:00
snandini
199108d6c8 Release 5.2.0.59F
Release 5.2.0.59F

Change-Id: I54c141604efa30591533733856dfad40bf970619
CRs-Fixed: 774533
2017-12-22 11:37:43 -08:00
Dustin Brown
db0c68806a qcacld-3.0: Remove FTM checks from memdump init/deinit
The transition to/from FTM happens after the memdump feature is
initialized. However, the memdump init/deinit functions bail out if the
driver is currently in FTM. This leads to situations where memdump is
initialized, but skips deinitialization when the driver is in FTM at the
time of unload. Since memdump is always initialized during driver probe
(the driver is never in FTM at that time), always deinitialize on driver
unload.

Change-Id: Ib3555a89f64912403d8858877086ab070ce24e35
CRs-Fixed: 2162241
2017-12-22 11:37:42 -08:00
snandini
996bb6f3cd Release 5.2.0.59E
Release 5.2.0.59E

Change-Id: I4da1e61f9937fe9f90cd6dc1b2a023f9aace0d97
CRs-Fixed: 774533
2017-12-22 09:26:09 -08:00
hqu
5e6b9866fd qcacld-3.0: Move log level to info high if tx hits invalid station id
For sns test in some scenarios when tx hits invalid station id it will
print massive log so that it will lead to WD bark issue.

Move log level to lower info high from info if tx hits invalid station
id, also align with cld3.1 code.

Change-Id: I965033fc8232c8ead15ef06d26aa0d1d2b468e8a
CRs-Fixed: 2159529
2017-12-22 09:26:09 -08:00
Vignesh Viswanathan
117c2031ee qcacld-3.0: Add support to forward GAS action frames to supplicant
Add changes to identify and forward GAS public action frames to
supplicant in lim_process_action_frame_no_session.

Change-Id: Id872e2b0b8b7a203b472e0bd152f25f63c873b4f
CRs-Fixed: 2161785
2017-12-22 09:26:06 -08:00
snandini
4aade6ed56 Release 5.2.0.59D
Release 5.2.0.59D

Change-Id: I759824ca7c638ac3d391ca6b9d191727495a9340
CRs-Fixed: 774533
2017-12-22 01:27:30 -08:00
Vignesh Viswanathan
448573185e qcacld-3.0: Fix min IE length for FILS indication IE
FILS indication IE minimum length should be 4 bytes (2 bytes for tag and
length) + (2 bytes for realm hash). However current minimum is set to
5 bytes.
Usually AP sends cache identifier also in the FILS indication IE, which
is optional and causes the ie length to be greater than min of 5.
If the AP does not send Cache Identifier and sends only realm hash,
the IE length would be 4, which causes the IE to be skipped in parsing
thereby failing FILS connection.

Fix min IE length to 4 bytes in the frame parser for FILS Indication IE

Change-Id: I07f2b724f5840f9ba8ec663e0b303d8fc86663da
CRs-Fixed: 2161241
2017-12-22 01:27:28 -08:00
snandini
577128f1f3 Release 5.2.0.59C
Release 5.2.0.59C

Change-Id: I5177c3ddea7e1cf060496fe4ad337c657a19e455
CRs-Fixed: 774533
2017-12-21 23:37:49 -08:00
Vignesh Viswanathan
93b7f70f80 qcacld-3.0: Add WiderBWChanSwitchAnn IE to ext_chan_switch_ann action frame
Add the WiderBWChanSwitchAnn to ext_chan_switch_ann action frame
as optional IE. Currently WiderBWChanSwitchAnn is added only in
beacon frames.

Change-Id: I4f76479bdb2befa93fcb83238590007a555af210
CRs-Fixed: 2141529
2017-12-21 23:37:48 -08:00
snandini
9fb9f5cf77 Release 5.2.0.59B
Release 5.2.0.59B

Change-Id: Ifa002dd7db2347291b92cc97d6207be8ca463777
CRs-Fixed: 774533
2017-12-21 17:39:47 -08:00
Rajeev Kumar
5d17dd531f qcacld-3.0: Avoid qdf_mem_cpy when source pointer is null
During SAP SSR scan default ie data pointer is cleared and
set to null hence avoid unnecessary qdf_mem_cpy when source
pointer is null.

Change-Id: I75960c69804144abee5b1978b43002110b0d0be4
CRs-Fixed: 2161056
2017-12-21 17:39:46 -08:00
snandini
3f6a15ac26 Release 5.2.0.59A
Release 5.2.0.59A

Change-Id: I3c0375e9504555c47db5c76cfc42e39c7760eb5b
CRs-Fixed: 774533
2017-12-21 11:32:32 -08:00
Himanshu Agarwal
75c8d796d9 qcacld-3.0: Set high priority as false for stop bss sme command
When stop AP command is received from hostapd, all the stations
are deauthenticated and then stop bss is called. But stop bss is
called with high priority as true and so gets queued on the top
of the list while del sta commands are queued at the tail as high
priority is set to false for those. This leads to desynchronization
as the commands are not serialized.

Set high priority as false for stop bss sme command to serialize all
the commands.

Change-Id: I9c80032c418e05d3b5591bb3cfd70f8285f27fe8
CRs-Fixed: 2161257
2017-12-21 11:32:32 -08:00
wadesong
f13dbd60e9 qcacld-3.0: Suppress verbose WMA debug printing
The eGAP status update event handler is exhibiting a too verbose
debug printing.

Suppress the eGAP status update by increasing the debug level.

Change-Id: I85e290abfe03d488ab770a3a403871d984ee8df9
CRs-Fixed: 2161713
2017-12-21 11:32:29 -08:00
snandini
e4ee084f0a Release 5.2.0.59
Release 5.2.0.59

Change-Id: I12dbca198663792d9b8dbc2340d80a30dbae52df
CRs-Fixed: 774533
2017-12-21 09:21:47 -08:00
Ashish Kumar Dhanotiya
a60c1754b3 qcacld-3.0: Possible buffer overwrite in vendor scan request
In api "__wlan_hdd_cfg80211_vendor_scan", the ssid length is u8,
when memcpy is done for ssid, the length is not validated and
nla_len(attr) is used directly in memcpy which can result in buffer
overwrite.

Add a check to validate the max length of scan ssid against
SIR_MAC_MAX_SSID_LENGTH.

Change-Id: If4c25710973ee50094c5d52410269962f552ac3f
CRs-Fixed: 2153326
2017-12-21 09:21:46 -08:00
snandini
19fd6ba846 Release 5.2.0.58Z
Release 5.2.0.58Z

Change-Id: I190092f4cfe1338458e5f3e76ae9af6120317fc9
CRs-Fixed: 774533
2017-12-21 05:26:43 -08:00
Yeshwanth Sriram Guntuka
9b9eb43d00 qcacld-3.0: Set passive dwell time
Set passive dwell time to 28msecs for active
scan when bt a2dp is enabled and hw is not dbs
capable and when sta is connected on 2G band.

Change-Id: I44f2e3d98f2d7ddc52e4902ba989131c256da4ef
CRs-Fixed: 2146311
2017-12-21 05:26:42 -08:00
snandini
8841c95cf1 Release 5.2.0.58Y
Release 5.2.0.58Y

Change-Id: Iefda078904b76b7f986dfe9effc9a71d8ee9bbfa
CRs-Fixed: 774533
2017-12-21 01:39:12 -08:00
Naveen Rawat
2f13193c4a qcacld-3.0: Fix handler for operating mode action frame
Do not drop operating mode action frame if channel bonding is disabled.
Process NSS change if requested by frame.

Change-Id: Id342c5399a70be8ea1b3d6c9878983a75ca456ad
CRs-Fixed: 2157167
2017-12-21 01:39:11 -08:00
snandini
d0f8724f02 Release 5.2.0.58X
Release 5.2.0.58X

Change-Id: I33debbe901ff3ff4b4b9a90c1ec8ae5324ca0c0f
CRs-Fixed: 774533
2017-12-20 21:27:56 -08:00
Poddar, Siddarth
61fbc93f6e qcacld-3.0: Enable pktlog after SSR/PDR if previously enabled
Implement a flag in hdd context to track the state of
pktlog events. Pktlog will be enabled/disabled after SSR/PDR,
depending upon the state of Pktlog events just before SSR/PDR
is triggered.

Change-Id: I18999d7fcf3677a86c21559d7d443ba1cd086528
CRs-Fixed: 2151296
2017-12-20 21:27:56 -08:00
snandini
3228756801 Release 5.2.0.58W
Release 5.2.0.58W

Change-Id: I21ae25f0ada369275c945cf3e0fd9f376ccc4646
CRs-Fixed: 774533
2017-12-20 19:27:31 -08:00
gaurank kathpalia
0efbb56f81 qcacld-3.0: Change default value of g_is_bssid_hint_priority to 0
Change default value of g_is_bssid_hint_priority to 0, as the driver
scoring logic will take care of the best AP to select from the candidate
AP and the host can ignore the hint.

Change-Id: Ia372e3e0f580047eae33cc0b68b0a0d1460ebfc2
CRs-Fixed: 2160591
2017-12-20 19:27:30 -08:00
Dustin Brown
4c5b990170 qcacld-3.0: Add hdd_check_for_leaks function docs
In cases where memory allocated at runtime is released during module
unload, it is tempting to label these memory leaks as false positives.
Add documentation to hdd_check_for_leaks explaining why these are real
memory leaks. This helps reduce confusion, and helps to dissuade
developers from "fixing" the runtime memory leak logic, instead of
fixing the memory leak.

Change-Id: I2f7574e7465630d2d9f96280ecf8180a51b41e0f
CRs-Fixed: 2161394
2017-12-20 19:27:27 -08:00
Yuanyuan Liu
23a8eecd28 qcacld-3.0: remove struct sps_iovc reference
Since struct sps_iovc is obsolete in the latest kernel,
use a local macro instead of sizeof(). It should be
updated with the correct IPA size macro once it is
available in the latest kernel.

CRs-Fixed: 2160658
Change-Id: Ifc2926d5182c96e07de6b4ddd50156764b7ad51e
2017-12-20 19:27:24 -08:00
gaurank kathpalia
16a721a680 qcacld-3.0: Fix memory leak issue of ch_list in sap_get_channel_list
In the api sap_get_channel_list, list is allocated memory to store the
channel list to be sent for scan request. This api is called by
sap_goto_channel_sel which initializes scan_request.ChannelInfo.ChannelList
to channel_list, without any prior NULL check of channel_list.
Also in scan callback wlansap_scan_callback, if the state machine structure
is in disconnected state, the host returns without freeing the memory
allocated to the channel list in sap_ctx.

Fix is to free the memory allocated to the channel list
and make the sap_ctx->channellist, sap_ctx->num_of_channel
as NULL and zero respectively in both the instances.

Change-Id: Ia54287d6e77e206c717bd3c205ebe57510ea801c
CRs-Fixed: 2159489
2017-12-20 19:27:21 -08:00
snandini
a3726d9963 Release 5.2.0.58V
Release 5.2.0.58V

Change-Id: Ie916f23741b2b4e4df2e72cfbbe37ff96bfb89df
CRs-Fixed: 774533
2017-12-20 15:26:55 -08:00
gaurank kathpalia
addd8a0b0d qcacld-3.0: Change default value of pcl_weightage to 0
Change default value of pcl_weightage to 0, as pcl
weightage logic needs some changes in algo to be used in LFR3.

Change-Id: I21559f7aaa8a19388cf399dee684c00c7905cfae
CRs-Fixed: 2160589
2017-12-20 15:26:54 -08:00
snandini
573d5d914f Release 5.2.0.58U
Release 5.2.0.58U

Change-Id: I5fcc1557ecc1a35798e204fdb043a0c971fbfe30
CRs-Fixed: 774533
2017-12-20 14:10:32 -08:00
Naveen Rawat
a015a2f712 qcacld-3.0: Support HE dual band by default
Add support for dual band in HE caps by:
1) Setting default value of HE dual_band support to 1.
2) Checking advertised FW MAC cap for support of both bands.

Change-Id: I978e4082364b832dc3f49f13a00ef9159f269f72
CRs-Fixed: 2160792
2017-12-20 14:10:31 -08:00
psimha
deea0a130c qcacld-3.0: Add fixes to prevent NULL pdev access on module stop
- Change the order of the deinit code of pktlog
- Change the order of the deinit code of runtime pm

Change-Id: I570b20b247b7892f9bba82f3d3a58aff9af09105
CRs-Fixed: 2160794
2017-12-20 14:10:28 -08:00
snandini
dfe8f777e3 Release 5.2.0.58T
Release 5.2.0.58T

Change-Id: I2139644bedeaed60f06d34c6582871c58236057a
CRs-Fixed: 774533
2017-12-20 07:26:07 -08:00
Paul Zhang
72697bdc04 qcacld-3.0: Add ini hostscan_adaptive_dwell_mode_no_conn
This ini will set the algo used in dwell time optimization
during host scan without connection.

Change-Id: Ie81636d32b6c42651aa9b5de52889970c17f6aca
CRs-Fixed: 2159656
2017-12-20 07:26:06 -08:00