| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| | | |/ / / /
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
Currently variable "tid" is from message, which is used
directly as array size which causes buffer over-write.
To address this issue add check for the array size in the
ol_rx_delba_handler & ol_rx_pn_ind_handler.
Change-Id: I39e5d9c5315a2bf9f34a65651025a1d8fc919c28
CRs-Fixed: 2178818
|
| | |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
It will have race condition issue when multiple
threads access some fields of global shared
variable ctl concurrently.
Fix is to add mutex lock for proc handlers.
Change-Id: Ifba428ae6544ccbdae0547a63972ab241ae68d7c
CRs-Fixed: 2173232
|
| | |\ \ \ \
| | | | | |
| | | | | |
| | | | | | |
wlan-cld2.driver.lnx.1.0
|
| | | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
prima to qcacld-2.0 propagation
Currently driver sends beacon report for each channel recursively
in beacon table mode. There is a chance that variables on stack
can exceed allocated stack size which can lead to corruption of
stack. Remove unnecessary variables which are not required for
beacon table mode to fix this issue.
Change-Id: I9aa35e7da916f5d4c6380862d292b44c254c9334
CRs-Fixed: 2184037
|
| | |/ / / /
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This reverts commit If69441e9c8e8de9845ef4caa85d678647b448d02
1.the project that need support ROME wlan was canceled.
2.this change will cause compile error in 32bit msm8937 platform.
Change-Id: I2c1116036ce1b9e3bcfe2b238aa889c94b5e50fa
CRs-Fixed: 2180920
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Connection fails after ssr due to the tx queues are paused by tx flow
control and ssr happens before tx resume, and the tx queues cannot be
resumed because of the unpaired status of pause map.
Resume tx queues and update pause map at the beginning of ssr if the tx
queues are paused by tx flow control.
Change-Id: Ib1ed8360c6effa4a47fc1702650375bf2380e65c
CRs-Fixed: 2146129
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213S
Change-Id: Ic0fc2083d195ad0229a3c6f41f896b0546ba859f
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
This reverts the changes I5969e35a92c82647ebfd62c2ceb9a22f17ec0f1f.
New QCA vendor commands in thermal shutdown feature should not be used
before the permission in qca-vendor.h.
Change-Id: Ifdf9a83e87949f5b56199494c91dfcbebc303db9
CRs-Fixed: 2176134
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213R
Change-Id: I3e69996af5e8b0273ec4ebf9a271a831690e7a08
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
If SME is in disconnecting state disconnect from supplicant will not
get queued. Thus supplicant can start a connect req as soon
as HDD returns from disconnect req. If this connect req is processed
by HDD before the SME disconnect is indicated to HDD, it will cause
HDD/supplicant and SME out of sync.
This results into scan allowed even when SME is waiting for key.
SME will not allow scan until set key is completed, which may not
happened as HDD has indicated disconnect to supplicant after connect
was received by HDD.
To fix this wait for WLAN_WAIT_DISCONNECT_ALREADY_IN_PROGRESS time
in HDD for SME disconnect to get processed before returning.
Change-Id: I21f2c2e2f9b97fc50f9ac43bc5bbb5fd5188f3b7
CRs-Fixed: 2175203
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213Q
Change-Id: I3055861576b1a4204657bfcd75736a1b88d3657b
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Check for the validity of group_id when received the htt message of
HTT_T2H_MSG_TYPE_TX_CREDIT_UPDATE_IND from firmware to ensure the buffer
overflow does not happen.
Change-Id: I17ac9f37a1450f32fb080c3b22f6317b6238068c
CRs-Fixed: 2174506
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In some case, if the firmware loading is too heavy, it will drop some
event. So the tsf capture event may lost in this case. Add timeout
for capture tsf request, so the timestamp sync process will not hang
by the lost event.
Change-Id: Ib251c0fb4580e0d284f10ba7fd191cd2f684314d
CRs-Fixed: 2142059
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213P
Change-Id: I4b62eb2be17c70dabb4e4a209a6784df8136fbf0
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add sanity check for wma_ndp_confirm_event_handler and
wma_ndp_indication_event_handler to prevent OOB access.
Change-Id: I9ecf55a3606036d3e1f0916c948c4360475965fa
CRs-Fixed: 2170668
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add num_peer check in wma_ibss_peer_info_event_handler()
to avoid OOB access.
Change-Id: Id798a2143b201e60fbcc4a3881c1cda3e3376eca
CRs-Fixed: 2163519
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213O
Change-Id: I2cdeeb4e536d47617900982fde6812b6793609ed
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In multiple WMA event handler functions, ssid_len is used to copy
ssid from FW buffer to local buffer and ssid_len value is received
from the FW. If the ssid_len value exceeds SIR_MAC_MAX_SSID_LENGTH
then a buffer overwrite would occur.
Add sanity check for ssid_len against SIR_MAC_MAX_SSID_LENGTH in
multiple WMA handler functions
Change-Id: I9e4b1f88c275093b4912496cdb936cf54a8880a2
CRs-Fixed: 2162678
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213N
Change-Id: Ia36372fb05a4e02fe382b4aed84247f8c3434732
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add config flag to kbuild for enabling the TCP delayed ACK feature
of qcacld driver.
Change-Id: I4bb289b75551736983a22b033254297966bbe18e
CRs-Fixed: 2173560
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213M
Change-Id: I6c79c226080c8b6be3dc9b0073b755da14f7d43c
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add data_len check in wma_stats_ext_event_handler()
to avoid OOB access.
Change-Id: I756ec66fee1cf937f144441a051e973cd561909d
CRs-Fixed: 2170655
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add data_len check in wma_nan_rsp_event_handler()
to avoid OOB access.
Change-Id: Iff42da84567381a4b64bc07e69ff1a0cd4b5a543
CRs-Fixed: 2170630
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213L
Change-Id: I85294d71fbd8a05fc9043ae83a661de7c914f2c5
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In set_ie after receiving DOT11F_EID_RSN, WPA RSN IE is copied from
source without a check on the given IE length. A malicious IE length
can cause buffer overflow.
Apply the same logic from Id159d307e8f9c1de720d4553a7c29f23cbd28571
that was applied under DOT11F_EID_WPA. This adds maximum bound check
on WPA RSN IE length.
Change-Id: I04f980fe44328b1a3f6a6d4854228cc4c9f1a1c7
CRs-Fixed: 2169222
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213K
Change-Id: Ie85bf72362b9b6437970b906d75e7580dc9eab47
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Enable timestamping plus feature in apq8009 board
Change-Id: I657b9ea9f2d51974737056c246b357406e914adb
CRs-Fixed: 2171436
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213J
Change-Id: I57c9de6336d47d553569e991204f55ffa0e946ae
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Calculate buf_len properly for extscan hotlist event buffer in
wma_extscan_hotlist_match_event_handler()
Change-Id: I923f0d86d83902539a7d3a7b8ea8322dcb83ba00
CRs-Fixed: 2170578
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213I
Change-Id: I45877122e7dbacdcbdeef4dd3cf64ef8596e5808
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In function wma_unified_radio_tx_power_level_stats_event_handler,
power_level_offset is received from the FW and is used to memcpy data
from FW to local tx_time_per_power_level for num_tx_power_levels length.
However tx_time_per_power_level is allocated only for
total_num_tx_power_levels length.
If the power_level_offset is greater than total_num_tx_power_levels, then
a buffer overwrite would occur.
Add sanity check to make sure power_level_offset does not exceed
total_num_tx_power_levels
Change-Id: Ia363512ee35bb0e30b137c20bf092238c2e356da
CRs-Fixed: 2162715
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213H
Change-Id: I61c0f861905973222d87d8ce63c12833d1ddc1a5
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
propagation from qcacld-3.0 to qcacld-2.0
__iw_set_ap_encodeext iterates over a key buffer based on a length that
may be larger than the key buffer size. Bounds check the key length
before iterating over the buffer, and reject the call if the length is
too large.
Change-Id: I2473905500470ab6c4e83f5822949bbc9d94f5f1
CRs-Fixed: 2165803
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213G
Change-Id: I8d6631e67b2063869e8c748f2b024f944179d0f8
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In hdd_parse_get_ibss_peer_info(), issue is reported by external
researcher that lack of string length validation might lead to
out-of-bounds read.
Related string length validation is added accordingly.
Change-Id: If04cc77b5fca782094dc577b21e1537dfe783282
CRs-Fixed: 2101686
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213F
Change-Id: I2bf2a52111410c46b9dc9b5685ec934a455eb06c
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The control app is able to send suspend and resume commands to driver,
and get temperature and configuration parameters from driver. Interfaces
are added to support this app.
Change-Id: I5969e35a92c82647ebfd62c2ceb9a22f17ec0f1f
CRs-Fixed: 2080395
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
If the temperature reported from fw is higher than the suspend threshold,
then trigger the suspend action, and if it is lower than the resume
threshold, the resume action is triggered.
Change-Id: I23ba5676967c4f89ec3ea697ec561f174038d21e
CRs-Fixed: 2080395
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Set auto shutdown timer value to 0 to indicate suspend and 1 to indicate
resume
Change-Id: I52a16050ce7f24e5aef1141764b4c65b6f471317
CRs-Fixed: 2080395
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add new items in ini file and send these thermal shutdown configuration
parameters to fw.
Change-Id: I5cc3cf9c6f224c192bd4b0cdd529dfaa9b13ae16
CRs-Fixed: 2080395
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213E
Change-Id: Iacbc317158f59143c3374174f6568156b8038271
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
The variables for nbuf alloc are not reset when calling
destory function, The adf_net_buf_debug_init will fail
in the following hdd_driver_init. The issue happens for
inkernel mode driver.
Reset variables to NULL or 0 once destory nbuf done.
Change-Id: Ia2815e3891b1a6483f7ff136eceea74b06030f7c
CRs-Fixed: 2168139
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213D
Change-Id: Ib8af8d3ae63089ad5cd11e845513f116c1561cfa
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Extend the STA capability to sniff RSSI & Mac address.
this feature works only when STA is connected. meanwhile,
STA BMPS and roaming is disabled. Frame RSSI & Mac address
is indicated to OS through virtual monitor interface. Set
registry 'gEnableMonOnSta' = 1 in INI to enable this feature.
Ref test steps:
a. create virtual monitor interface and up.
iw dev wlan0 interface add mon0 type monitor
ifconfig mon0 up
b. STA connect
ifconfig wlan0 up
iw wlan0 connect "ssid"
c. collect sniffing frames
tcpdump -i mon0 -v -w /data/sniff.pkt
Change-Id: I8f435a7f74b53babae987dbd3e1487cbd518f00d
CRs-Fixed: 2048058
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213C
Change-Id: I6e629b1bd2b39048c2dbe2251ee104e5d2c89358
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
1. Add support to build wlan driver on msm8937. So add msm8937 in
Build/Package options.
2. For msm8937 there are two wlan card, pronto and rome, the module
name should difference between two drivers. So need change the
module name for rome wlan driver.
Change-Id: If69441e9c8e8de9845ef4caa85d678647b448d02
CRs-Fixed: 2164003
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Release 4.0.11.213B
Change-Id: Ie0237eee4a44c18d6d728fd1e63316f7dec56b60
CRs-Fixed: 774533
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In order to fix the VOP pre-cert test, need to increase the tx
descriptor numbers to avoid firmware drop VI packets.
Change-Id: Iee22b334139e6e45d8a99791cdffd5689aafc02b
CRs-Fixed: 2144485
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
In function wma_unified_link_iface_stats_event_handler, num_ac
is received from the firmware and is used in the loop to populate
values into results. However, the memory for results is allocated
only for WIFI_AC_MAX and a buffer overflow will occur if num_ac
is greater than or equal to WIFI_AC_MAX.
Add checks to make sure num_ac is not greater than or equal to
WIFI_AC_MAX.
Change-Id: Ife8b1d19aa853f85f4fad82d5791e49a8c892ca4
CRs-Fixed: 2154226
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Add sanity check for wow_buf_pkt_len in wma_wow_wakeup_host_event()
to avoid out of bound memory access.
Change-Id: Id3b0003aa366d9239739efe561f44eff1dceff5d
CRs-Fixed: 2161264
|
