| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | |/ / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
propagation from qcacld-3.0 to qcacld-2.0.
The frame received time is updated even when the frame was
dropped and thus the received time of the frame keeps on increasing.
Thus the condition to check if frame is allowed after
TLSHIM_MGMT_FRAME_DETECT_DOS_TIMER ms always fails if driver
continuously keep on getting the frames.
This can lead to dropping of valid deauth/disassoc frames in case
if RMF is enabled and some rogue peer keep on sending rogue
deauth/disassoc frames and thus even if peer send valid deauth
peer will not get disconnected.
Fix this by updating the rcvd time stamp only when the frame is
allowed, as this timestamp should be used to block the duplicate
frames for TLSHIM_MGMT_FRAME_DETECT_DOS_TIMER ms.
Change-Id: I4f480e21369b585d78f240c5f4f062d010d889a8
CRs-Fixed: 2258844
|
| | |\ \ \ \ \
| | |/ / / /
| |/| | | |
| | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
The use TAILQ_FOREACH for freeing the fw_stats list during
pdev detach causes a use-after-free condition, which can lead
to unexpected behavior during the driver load or unload.
Fix the possible Use-after-free condition in pdev detach, by
using TAILQ_FOREACH_SAFE instead of TAILQ_FOREACH for freeing
the fw_stats list.
CRs-Fixed: 2257124
Change-Id: I5dfcc5e3f0d2e77a5f6226eca06bc6ab1af4e643
|
| | |\ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | | |
SETROAMSCANCHANNELS" into wlan-cld2.driver.lnx.1.0
|
| | | |/ / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
qcacld-3.0 to qcacld-2.0 propagation
User sends driver a list of roaming scan channels to set through IOCTL
SETROAMSCANCHANNELS. The parameters include the number of elements in
the array, followed by channel array and then a NULL character. But
when driver loops through the channel array it doesn't have a NULL
check. An erroneous number of elements passed by user may cause buffer
overread.
Add a NULL check on channels passed in IOCTL SETROAMSCANCHANNELS.
Change-Id: I7342aa5cf8e5267b7ed06a4e35b1ed882fb97893
CRs-Fixed: 2257064
|
| | |\ \ \ \ \
| | |/ / / /
| |/| | | |
| | | | | | |
htt_t2h_tx_ppdu_log_print()" into wlan-cld2.driver.lnx.1.0
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
mpdu_bytes_array_len, mpdu_msdus_array_len, and msdu_bytes_array_len
are used to calculate the record size, as well as used as
buffer offset, without any verification. This can cause to multiple
overflows and underflow leading to OOB reads.
Add checks for each arithmetic operation with these variables.
Change-Id: Ib6ec6ac6932eb8c541bc2357d45d3feaf39fdb7d
CRs-Fixed: 2226125
|
| | |\ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Change hdd_ocb_set_config_req to hdd request manager framework.
Change-Id: I57e327e61943f0754dd1b0db7e129ebb39be4f80
CRs-Fixed: 2230058
|
| | |\ \ \ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
The buffer allocated with lenth "ATH6KL_FWLOG_PAYLOAD_SIZE "
is not initialized, this may lead to information leak during
memcpy when len < ATH6KL_FWLOG_PAYLOAD_SIZE.
To resolve this issue, memset the buffer for length
(ATH6KL_FWLOG_PAYLOAD_SIZE - len) to 0
Change-Id: If4a49347d674ad2af0438b408a4a4b9308c61026
CRs-Fixed: 2253103
|
| | |\ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
into wlan-cld2.driver.lnx.1.0
|
| | | |/ / / / / /
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Currently tx desc id is extracted from HTT message and it is used
without check. This may cause possible OOB array read. To address
this add check for valid tx desc id.
Change-Id: I121fc4d550aa587f00ec315e3a20dfb136f4d7af
CRs-Fixed: 2225461
|
| | |/ / / / / /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Currently tid is extracted from HTT message and it is used without
check. This may cause possible OOB array read. To address this add
check for valid tid.
Change-Id: Idb03236e05fe43326f9ab46ae8368adc9a92d92a
CRs-Fixed: 2225497
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Fix the issues that variables used but not initialized.
Add NULL pointer check before using.
Change-Id: I190ea3906cfaf2ba49713c7601dd8c05fbd31fd2
CRs-fixed: 2241951
|
| | |\ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
5g_rssi_boost_threshold/5g_rssi_penalize_threshold min/max value is
not correct, it should got switched.
Change-Id: If61a468593862ab0ce9eac1de215ec0ed1be8f8c
|
| | |\ \ \ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | |/ / / / /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Currently, in ptt_sock_send_msg_to_app() function sizeof(tAniHdr) is adding
to payload, but this size is already added in length field of tAniHdr.
To address this issue, remove the addition of sizeof(tAniHdr) in
ptt_sock_send_msg_to_app(). Also remove the checking of length against
sizeof(tAniHdr) in ptt_cmd_handler() function.
Change-Id: I58036fd172f3a3c6963757205e0c82e407e2f69b
CRs-Fixed: 2247469
|
| | |\ \ \ \ \ \
| | |_|/ / / /
| |/| | | | |
| | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | |/ / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Driver has smeNeighborMiddleOfRoaming to check if STA is in middle
of roaming. Further sme_staInMiddleOfRoaming acquires lock to know
roam status, which is not required at all. Further driver can enter
sleep state because of mutex lock in suspend path and can result in
DPM device timeout.
Hence, replace sme_staInMiddleOfRoaming with smeNeighborMiddleOfRoaming
and remove redundant API sme_staInMiddleOfRoaming. Driver does not use
any lock in smeNeighborMiddleOfRoaming to check roaming status.
Change-Id: I96193becaa05a68044e092bb607eb5db60526a11
CRs-Fixed: 2250171
|
| | |\ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
WEXT IOCTL's iw_set_mode and iw_get_mode is very
unsafe to the driver and it needs to be
rejected.
Add changes to reject the IOCTL's iw_set_mode and
iw_get_mode.
Change-Id: Icba218feadabd5783568a75956a08cea09484be3
CRs-Fixed: 2232322
|
| | |\ \ \ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Change wlan_hdd_cfg80211_ocb_get_tsf_timer to HDD request
manager framework.
Change-Id: I731cd303cfdee056039f0546408406fc70ab3448
CRs-Fixed: 2230953
|
| | |\| | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | |/ / / /
| | |/| | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Change wlan_hdd_cfg80211_dcc_get_stats to HDD request manager framework.
Change-Id: I5cc4cdb3cc3b85988816eb80a93438ed6aff3e3a
CRs-Fixed: 2230971
|
| | |\ \ \ \ \ \
| | |_|/ / / /
| |/| | | | |
| | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Reassoc request fails as the logic for matching PMKID entry
causes wrong deletion when ssid and length are NULL. This
happens in kernel versions less than 4.9 as the ssid and
length are NULL. Fix is to check for non-zero ssid length.
Change-Id: Ibd3240466e8cf7e75ae82be0b05e13c5fac492ec
CRs-Fixed: 2200085
|
| | |\ \ \ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | |/ / / /
| | |/| | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
While connected AP requires DUT to do radio
measurement for itself in passive scan mode,
DUT sends empty beacon report.
In passive scan, sta only listens beacons.
Connected AP beacon is offloaded to firmware, and
Firmware discards it except that special
IE exists in the beacon. Connected AP beacon will
not be sent to host. Hence, timer of connected BSS
is not updated in scan result lists
and cannot meet "scan timer > RRM_scan_timer".
Fix the issue by adding connected
BSS judging condition.
Change-Id: I8ac1fe87b6a8fa452b17018de744794cf8053afb
CRs-Fixed: 2242170
|
| | |\ \ \ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | |/ / / / /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Add 8953_som support in android.mk
Change-Id: I67e8c55b98e15ed0172a28da2d35764cc93dd1af
CRs-Fixed: 2241965
|
| | |\ \ \ \ \ \
| | |_|/ / / /
| |/| | | | |
| | | | | | | |
into wlan-cld2.driver.lnx.1.0
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Propagation from cld3.0 to cld2.0.
In case where driver receives a scan request with a single SSID with
and empty string, it must be treated as an active scan with broadcast
probe requests. In case of p2p search, driver treats this type of
request as a passive scan. This results in a p2p connection failure.
Set flag WMI_SCAN_ADD_BCAST_PROBE_REQ for this type of p2p scan req.
Change-Id: Iacb44fb0cb5363f5af6cf7f6efb219857a799075
CRs-Fixed: 2234895
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Remote malice AP may send beacon or probe response with
fake ssid IE length. Add sanity check for ssid IE length
in limLookupNaddHashEntry.
Change-Id: I5c79bff3427a842036af788fea5003a96c7696a6
CRs-Fixed: 2235576
|
| | |\ \ \ \ \
| | | | | | |
| | | | | | |
| | | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Add length check to prevent the data overflow the wmi buffer. The
total length of data should not exceed max svc msg size.
CRs-Fixed: 2225113
Change-Id: I1543732fcfe0cb7e32f7175f7775c9550854cae8
|
| | |\ \ \ \ \ \ |
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Following changes were done to port cld2.0 on v4.11
1. Removed cpu hotplug notifier for kernel above v4.10.
2. Removed dev->last_rx, if required by any module then
add it to the dev->priv.
3. Using ieee80211_get_channel API directly instead of
indirection API __ieee80211_get_channel.
4. signal_pending API moved to <linux/sched/signal.h>
5. Updated MSI related API for PCI.
Change-Id: I59993d3c020619d83b478229faacc1420e25aab7
CRs-Fixed: 2238140
|
| | |/ / / / / /
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
While AP requires DUT to do radio measurement for itself,
DUT sends empty beacon report because the scan timer
of connected BSS is not changeable in scan result list.
Hence it cannot meet "scan timer should be larger
than RRM_scan_timer". Fix the issue by adding connected
BSS judgement.
Change-Id: I48227166d722496afd2d9dd7aca1ae78d44c8833
CRs-Fixed: 2242170
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Tx improvement achieved by increasing Tx buffers in FW
and by enabling Tx bundling feature in host.
Rx improvement achieved by introducing Rx completion task/thread
which helps in reducing DSR Handler workload.
Used FW feature which bundles variable size rx packets,
Using HTC Connect Service messages find if FW supports bundling
of different sized Rx packets. Handle the Rx bundling in host,
based on support in FW and maintain backward compatibility.
Rx Bundling helped in improving Chariot TCP Rx throughput
Change-Id: I63118395bf148f53a25304c7fd90e126c1f29270
CRs-Fixed: 2170127
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
If FEATURE_BUS_BANDWIDTH is not enabled, error
below happens when compiling cld driver:
"error: unused variable 'vos_timer_state'
[-Werror=unused-variable]"
To fix this issue, define a static function to
de-initiate bus_bw_timer.
Change-Id: Ie681df995c362c70bb6abdf95e02310741c00c46
CRs-Fixed: 2202980
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Add a flag for indicating the current vos
status: closed or not.
Set gpVosSchedContext to NULL once vos_sched
is closed.
To avoid redundant close operations for
vos/vos_sched.
Change-Id: I06c9633fe0c70e031553a79bdaa60670d47cd420
CRs-Fixed: 2202980
|
| | |\ \ \ \ \ \
| | | | | | | |
| | | | | | | |
| | | | | | | | |
into wlan-cld2.driver.lnx.1.0
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Add FEATURE_WLAN_TDLS feature flag to prevent compilation issues
Change-Id: Id17090a484bf2b6260fa55bf32b3017eaea4ab62
|
| | |\ \ \ \ \ \ \
| | |/ / / / / /
| |/| | | | | |
| | | | | | | | |
process_rx_info" into wlan-cld2.driver.lnx.1.0
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Currently data in "pl_tgt_hdr" is used directly from firmware without
any length check which may cause buffer over-read.
To address this issue add length check before accessing data offset
Change-Id: Ic2930fdf7168b79a8522be282b0e1cd19214742a
CRs-Fixed: 2240226
|
| | |\ \ \ \ \ \ \
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
into wlan-cld2.driver.lnx.1.0
|
| | | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | |
| | | | | | | | | |
Propagation from qcacld-3.0 to qcacld-2.0
The definition of module_param_call() was changed in 4.15 and
in order to have module params that work on the kernel both
before and after that change switch to using module_param_cb()
since its definition has not changed.
Change-Id: I4af7c802ae62041636eda3047805630a16490e75
CRs-Fixed: 2234702
|
