| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
In 11w mode, before link established, the unprotected
deauth/disassoc should be processed. If not process, the
driver will not disconnect the link.
Change-Id: I4eac02610ea0f1ca040261a453795def928bbd69
|
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
propagation from qcacld-3.0 to qcacld-2.0
In function update_fils_data, fils_indication->num_variable_data
is the actual length of the data present in the array variable_data.
While accessing variable_data array to copy cache identifier, HESSID
and realm identifiers, the length of the array is not checked and
could lead to OOB access.
Add check to validate remaining data length in variable_data array
before accessing it to copy various fields.
Change-Id: Ifc1f5d55964bcd7fdcc2676ea9c2afede0fe6803
CRs-Fixed: 2288859
|
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
Init wmi_mutex in routine wmi_unified_attach,
which is missed when rebase below change
I780f5dd6e89859660eb50a9b7443f2cdc46236c0
Change-Id: I6a2742b8719256c421f7bf847373319b8c64b523
CRs-Fixed: 2292286
|
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
propagation from qcacld-3.0 to qcacld-2.0
Check for nan rsp data len does not take TLV header
size into account which could lead to buffer overflow
when copying data where TLV header size is taken into
account.
Fix is to subtract TLV header size and wmi_nan_event_hdr
size from max allowed size when validating nan rsp data
length.
Change-Id: I341779a33ed218fdda5d008e949ced0c8cf05590
CRs-Fixed: 2289026
|
| | |\ \ \ \ \ \ \ \ \
| | | |_|/ / / / / /
| | |/| | | | | | |
| | | | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | |/ / / / / /
| | |/| | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Ac comes from user space. Add check for ac in
limSetEdcaBcastACMFlag to avoid out-of-bounds write.
Change-Id: Id71cacc1cdadacaabe775395dc0cb230091bc21b
CRs-Fixed: 2288818
|
| | | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Timer wma_fw_time_sync_timer will send wmi periodically, there
is a chance that wmi is sent after driver issue suspend cmd,
which will cause fw assert.
Current flag is_target_suspended can't prevent all race condition issue,
add wmi_mutex to let wmi send serialized.
Change-Id: I780f5dd6e89859660eb50a9b7443f2cdc46236c0
CRs-Fixed: 2288813
|
| | |\ \ \ \ \ \ \ \
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | |/ / / / / / /
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
In the API sir_validate_and_rectify_ies, the driver rectifies
the RSN IE, if the AP hasnt filled the RSN capabilities in the
beacon/probe response, but has filled the length of IE as extra
2 bytes meant for the RSN capabilities.The driver tries to repair
these kind of frames and fills the last 2 bytes of RSN IE with
default RSN capabilities, to prevent the failure of unpacking
the IEs in unpack-core. But, the driver may write these default
RSN capabilities into some other allocated memory, because the
allocated memory is only the frame length, which would result
in OOB write.
Fix is to allocate some reserve bytes in the frame
for these type of issues.
Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2289522
|
| | |/ / / / / / /
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
In SSR failure case, add protection to avoid
unexpected issues, and notify upper layer with
netlink message and record the status.
When unloading driver, check the status, and
try to do clean up.
Change-Id: Ia51bd99df1d0b7a437850dbfd825f6297f28f053
CRs-Fixed: 2202980
|
| | |\ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Validate num and idx variables to avoid OOB access.
Change-Id: I920a3cd12744055cfc8315e3b16f8564a3cf9683
CRs-Fixed: 2278457
|
| | |\ \ \ \ \ \ \ \
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
If kernel version larger than 3.19.0, not only PCIe card
need orphan socket buffer asap, but SDIO card.
Change-Id: I8d25b952a4196d2de1ecc1baf1b0900efb215bfe
CRs-Fixed: 2278308
|
| | |\ \ \ \ \ \ \ \ \
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | |
| | | | | | | | | | | |
The spin lock 'pool_lock' is not initialized before use.
Initialize this spin lock when init the descriptor pool.
Change-Id: I2f569bbfa94850a3d5d752872a55dd48a1b89196
CRs-Fixed: 2283114
|
| | |\ \ \ \ \ \ \ \ \ \
| | |_|/ / / / / / / /
| |/| | | | | | | | | |
|
| | | | |_|_|/ / / / /
| | |/| | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
Currently according to FW, SAP does not send probe request if bss peer
is not created, which means active scan triggered before SAP starting
does not work any more.
To make passive scan work well, dwell time will not be changed if ini
keep_dwell_time_passwive is set as 1 and interface is not started.
Change-Id: I01d2fce357c802dccffa9e028f572c9692ccc380
CRs-Fixed: 2281493
|
| | | |/ / / / / / /
| |/| | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Set gShortGI20Mhz/gShortGI40Mhz/gEnableRXLDPC value
to fw when creating Vdev.
Change-Id: I1dd9562edbeef26d6296e859f998e4b6735f85dc
CRs-Fixed: 2218084
|
| | |\ \ \ \ \ \ \ \
| | | | | | | | | |
| | | | | | | | | |
| | | | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | |_|/ / / / /
| | |/| | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
TO address this replace CSR_DOT11F_IE_RSN_MAX_LEN to with
DOT11F_IE_RSN_MAX_LEN and remove CSR_DOT11F_IE_RSN_MAX_LEN
as it is not getting used anywhere else.
Change-Id: I58f93f37bd17653db2840720ab106c01f10d535e
CRs-Fixed: 2278720
|
| | |\ \ \ \ \ \ \ \
| | |/ / / / / / /
| |/| | | | | | | |
|
| | | |/ / / / / /
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
MC thread should keep alive only when the suspend is
introduced by thermal. It should be suspended if the
suspend is not introduced by thermal. Disable the
thermal shutdown feature by default.
Change-Id: I92f0a3ada95a532b9070fada18b728751c87909b
CRs-Fixed: 2280791
|
| | |/ / / / / /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Propagation from cld3.0 to cld2.0.
In the API limSendAssocReqMgmtFrame, the host
allocates memory for the assoc request packet
taking all inputs of payload and the mac header
size etc, and in case the mem allocation fails
it clears away the memory allocated to the packet
with packet free, which was not even allocated
Fix is to remove the packet free in case of memory not
allocated
Change-Id: I3fb75b1947dfe039605c42aa19c2d0bacc7bf55d
CRs-Fixed: 2280599
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Release 4.0.11.213W
Change-Id: I7db118c006473c89c80395b0c57bd585aee152ef
CRs-Fixed: 774533
|
| | |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
propagation from qcacld-3.0 to qcacld-2.0
The routine wma_extscan_change_results_event_handler sends the ext scan
results to upper layers. This contains the bssid info, rssi values of
different APs that are scanner. If the num_rssi_samples is negative or
greater than UINT32_MAX,then an OOB write could happen.
Add check to ensure rssi_num is not negative or exceeds UINT32_MAX.
Also make sure the numap value is not negative.
Change-Id: If82c4fd1193c45d38bd4495c187a406deb25acad
CRs-Fixed: 2278276
|
| | |\ \ \ \
| | | | | |
| | | | | |
| | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The kernel address is used as cookie to keep track
of stats request. This address can be disclosed to
target leading to a security vulnerability.
Implement a FW stats descriptor pool, and use a
descriptor ID to keep track of stats requests,
instead of the kernel address, to prevent
kernel address leak.
Change-Id: Ib49150da899c0b9314f614868a90867f4aa92d3d
CRs-Fixed: 2276007
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Propagation from qcacld-3.0 to qcacld-2.0
In function wma_extscan_change_results_event_handler(), numResults
in dest_chglist is assigning as total_entries in the event, but the
memory allocated to dest_chglist is based on the numap variable,
which may cause out of buffer read in extscan indication callback
function wlan_hdd_cfg80211_extscan_signif_wifi_change_results_ind().
Also tSirWifiSignificantChange array parsing in both the functions
is not efficient which may lead to accessing unallocated memory.
To address out of buffer read, assign numap to numResults in
dest_chglist and to address accessing of unallocated memory,
parse tSirWifiSignificantChange array with efficient logic.
Change-Id: I469405d68cf075e58aa3a17e884032882a595b18
CRs-Fixed: 2275630
|
| | |\ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | | |
into wlan-cld2.driver.lnx.1.0
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Propagation from cld3.0 to cld2.0
Fix possible buffer overwrite in csrRoamCheckForLinkStatusChange
function.
Change-Id: Icf4a39e0a2a291f1c084353985aa7952e3c8e136
CRs-Fixed: 2276642
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Propagation from cld3.0 to cld2.0.
Add validation check on frameLength to avoid int overflow in
csrScanSavePreferredNetworkFound function.
Change-Id: I0f2a0557fa60e81f0b9d003ae73091f2974046e8
CRs-Fixed: 2276595
|
| | |/ / / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The dma maping of control packets is done twice
whereas it is unmapped just once.
It leads to overflow of swiotlb buffer on some of
the platforms.
Do not dma map control packets more than once.
Also, Handle dma map error when the mapping fails.
Change-Id: Ifc6ac3809b4ab3f59d8cce76835cc6ff12abf2c1
CRs-Fixed: 2243797
|
| | |\ \ \ \ \
| | |/ / / /
| |/| | | |
| | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
According to hardware team suggestion, remove pulse duration, PRI
and Peak Index check, which was used to filter invalid pulses with
characteristics similar to real radar pulses.
Change-Id: I12b053efbdd2b6fe01aeb4c6491c3cc1f572877d
CRs-Fixed: 2274808
|
| | |\ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
If all the STA connected to AP support ecsa, wlan driver will call
lim_send_extended_chan_switch_action_frame to send action frame,
but this function missing limSetProtectedBit when 11w enable,
this violate spec, so generate a fix for this issue.
Change-Id: I80f111f21015c98ee0abdafe76ea42c3e79163ac
CRs-Fixed: 2275626
|
| | |\ \ \ \ \ \ |
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
propagation from qcacld-3.0 to qcacld-2.0
We are transitioning to the new request manager framework. Change
wlan_hdd_thermal_cmd_get_temperature() to this framework.
Change-Id: Id6c00ecee9a1a15f4902169f5b58f20b5d3765e4
CRs-Fixed: 2259094
|
| | | |_|/ / / /
| |/| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
propagation from qcacld-3.0 to qcacld-2.0
The routine wma_unified_debug_print_event_handler logs the data from debug
print event handler. The param event data from firmware is copied to a
destination buffer .If the maximum size of the data exceeds or equals
BIG_ENDIAN_MAX_DEBUG_BUF for big endian hosts then possible OOB write will
occur in wma_unified_debug_print_event_handler. For other hosts, OOB read
could occur if datalen exceeds maximum firmware message size
WMI_SVC_MAX_SIZE.
Add check to validate datalen doesnot exceed the maximum firmware msg size
WMI_SVC_MAX_SIZE. Return failure if it exceeds.
Add check to ensure datalen doesnot exceed or equal the maximum buffer
length value for big endian hosts BIG_ENDIAN_MAX_DEBUG_BUF.
Add null termination at the end of the data recieved from the firmware.
Change-Id: Ibb662cb8e17ef8be8b7591308c422a78b71e331a
CRs-Fixed: 2273985
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
The word CARPLAY in macro FEATURE_WLAN_CARPLAY_CHANNEL_SWITCH
should not be appear, find a better name for this macro.
Change-Id: Ie1de60806dd89e1232d9e09670be1aa04935aefd
CRs-Fixed: 2273350
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Update IRAM bank number for QCA9377.
New QCA9377 firmware release requires more IRAM banks.
Update QCA9377 firmware files name.
Change-Id: I386b1529d655e478b0e69870c0701ece33093ff6
CRs-Fixed: 2272843
|
| | |\ \ \ \ \ \ |
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Release 4.0.11.213V
Change-Id: Iecf02c280a0a8093a3f7313b6f12e1d82270ff81
CRs-Fixed: 774533
|
| | |\ \ \ \ \ \ \
| | |/ / / / / /
| |/| | | | | | |
|
| | | | |/ / / /
| | |/| | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
The capture tsf request timer will be deleted when the timer timeout
or receive the tsf event. So if unload wlan driver before timer
timeout or receive the tsf event, the timer will not be destory.
This change will destory capture tsf request timer when wlan driver
unload.
Change-Id: If4178df57ea93eff053351e514753c0e49c69996
CRs-Fixed: 2271977
|
| | |\ \ \ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Forbid the Carplay AP from switching channel after the app
send the disable channel switch indication.
Change-Id: I1d060c2faeb69d53101172fb3de774e32884bd2f
CRs-Fixed: 2235452
|
| | |\ \ \ \ \ \ \
| | |/ / / / / /
| |/| | | | | | |
|
| | | |/ / / / /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Observed memory leak in driver unload. Per call stack, memory leak is
caused by sme_InitThermalInfo. Add memory free in wma_mc_process_msg.
Change-Id: Icdefe383144a55b2721b49be7d073f5051911b66
CRs-Fixed: 2269559
|
