| Commit message (Collapse) | Author | Age |
MSM platform has 64-bit address space. MDM has only 32 bits.
SKB CB structure has some pointer elements and in the MSM case the CB
structure will overflow 48 bytes. To fix the overflow, some elements
only needed for MDM should be compiled out for MSM.
As a result, the CB structure size will fit in 48 bytes.
Change-Id: I1e0bf7a4bb6c192e259cd71bcdec9e5f73bd8f16
CRs-fixed: 860206
|
Currently in function ptt_sock_proc_reg_req, length of msg sent to
APP is size of tAniNlAppRegRsp. tAniNlAppRegRsp members: nlh and
radio are not being used from the struct object and are contributing
to extra len, that is causing out of bound access error.
This patch fixes this by removing unused struct members.
Change-Id: I63a1e5ea2401c8eb8e662d0b6b1599751a3a57d5
CRs-Fixed: 865847
|
prima to qcacld-2.0 propagation
When oemData_SendMBOemDataReq returns failure, the caller function
doesn't handle the failure status and hence the command gets stuck in
the active queue. Failure in oemData_SendMBOemDataReq can happen
either because of memory allocation failure or invalid context.
Release the command when oemData_SendMBOemDataReq returns failure.
Change-Id: I82d4bd80ff37ece22b3dda9c8b5465809e0935df
CRs-Fixed: 794867
|
prima to qcacld-2.0 propagation
In function limSendSmeDisassocNtf, there are some
instances where we return from this func, without
calling peDeleteSession. In peDeleteSession, memory
allocated to various structure such as StartBssReq
are freed. As a result we have memory leak here. As
part of fix make sure the memory allocated is properly
freed.
Change-Id: If4f7148aa3b7d6478ccc173aa9125dd8599c5410
CRs-Fixed: 821512
|
This is prima to qcacld-2.0 propagation
Array 'addIE' of size 255 may use index value(s) 0..285
Add the logic to check that (noaLen + len) doesn't
exceed by WNI_CFG_PROBE_RSP_BCN_ADDNIE_DATA_LEN (255)
instead of checking just for len.
Change-Id: Iefadc910d5c573cc1e3fffde36684edfb9cf9693
CRs-Fixed: 683088
|
This is prima to qcacld-2.0 propagation
In limProcesSmeTdlsLinkEstablishReq(), size passed to vos_mem_set
is incorrect. This is causing crash during TDLS link setup due to
garbage value in pMsgTdlsLinkEstablishReq.
Change-Id: If1713daf7c42e4421031a13f4e6fff6fdad11c2b
CRs-Fixed: 685348
|
This is prima to qcacld-2.0 propagation.
Static analyser is reporting errors for array bound
checking.
To resolve this, check for the condition that the array index
shouldn't exceed WNI_CFG_VALID_CHANNEL_LIST_LEN
before accessing ChannelList array.
Change-Id: I4b1385f0dd4a344aa5eeaf32ea48e4c80be63a20
CRs-Fixed: 696606
|
Correct the regdomain mapping for Korea, Uganda and Japan.
Change-Id: If358974624f17695da43d7500362e03a447b48b0
CRs-Fixed: 869075
|
During driver load failure scenarios, we are not validating the
global mac context before dereferencing resulting in crash.
Change made to validate the global mac context.
Change-Id: I19f92f7896affa1cdf6c59c2a2cd4197ee94e68b
CRs-Fixed: 867435
|
As per the current implementation, if there is no BSS found during
scan on ACS list then we select first channel in ACS list as SAP
operating channel without validating the channel is enabled in current
regulatory domain.
Change the code to address above issue by validating the channel.
Change-Id: Iebb393c2c7dff5f2f4406098a851506978d9f2a8
CRs-Fixed: 867333
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: I0f8623c2741332d4013237e99201fab295f13aef
CRs-Fixed: 865593
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: I194ddaa93ce17f27ef228ba4b96964aaad7f7233
CRs-Fixed: 865589
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: I70c6c4db1c7a83e614a6d4bc40a7d7ebca138568
CRs-Fixed: 865581
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Ibb765d280ee69930feee4aa221e30443d957f308
CRs-Fixed: 865574
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Icb4256ccf4267305a333ca59c945a7ef7e85647a
CRs-Fixed: 865573
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Ic52094eb93e01fd1dd653645127632677d31f7dc
CRs-Fixed: 865571
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Ib5c5c61704c810652206004c302c69a2243f9b5a
CRs-Fixed: 865565
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: I545df0d5eff4c6296359029c1a78e66e37574b4d
CRs-Fixed: 865611
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Ic178a68b601513a9f405d740a1f5bae3e4c395b9
CRs-Fixed: 865608
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: I7f63ee1453923e0ea3234f129eb85f5b5e9b575f
CRs-Fixed: 865602
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: I18ec1501034282fca5d3e338f517cf2ed5699b78
CRs-Fixed: 865595
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Ic7a76773875ed60d1c37498e25d3ee3f5650fcb8
CRs-Fixed: 865561
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: I9b4e118a8e145efe2f54b87f46030e874de67750
CRs-Fixed: 865556
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Ib8a0311d0e375310985f30fa6946685e1709ed0a
CRs-Fixed: 865555
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: I1350af18469ad47b344f47c94577a11bb7b2074b
CRs-Fixed: 865553
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Ia3cbc677d246e069cd6aaa3ab6d4663dabb27862
CRs-Fixed: 861071
|
If (len + 1) is greater than priv_data.total_len then copy_to_user
results in writing more data than the buffer can hold.
Fix this by writing minimum of (len + 1) and priv_data.total_len.
Change-Id: Ie802ec5fbe63f6f20e910d9b285e0aa98e8c7008
CRs-Fixed: 861016
|
Release 4.0.10.135
Change-Id: I78bc5fd46b6e4911f84e6056ac9a73364498e803
CRs-Fixed: 688141
|
prima to qcacld-2.0 propagation
This patch adds comments and log for TDLS HT/VHT cap update
Change-Id: Ic298e42f143d892d510d9a212ab384c6cda667f5
CRs-Fixed: 795012
|
Currently in function limHandleDelBssInReAssocContext,
in switch statement mlmstate is used instead of SmeState.
As a part of fix, make sure that proper sme state is used.
Change-Id: I241c999605495f7181509e7c59ff52bfadd57be4
CRs-Fixed: 806804
|
In csrNeighborRoamTransitToCFGChanScan, it is possible that
mem alloc is done with size zero. This fix tries to avoid
such a case and return failure if there are no channels to scan.
Change-Id: I2b97d8bb4634e8417025aac8c19972e20c580fa2
CRs-Fixed: 812945
|
Change to avoid potential out of bound issues when unsafe channel
numbers parameter are invalid.
Change-Id: I96f318418bfb53150f30bd1f07fbeaf1676c2c43
CRs-Fixed: 850501
|
Do not allow cfg80211 vendor commands in FTM mode
Change-Id: I78c5762d917c4aeef5e2a9f670565e05254e2c5b
CRs-Fixed: 862803
|
Release 4.0.10.134
Change-Id: I5f39c11fc52fcd9d14002414813c759c3de5abbc
CRs-Fixed: 688141
|
GCC 5 flagged an incorrect comparison in hdd_wmm_sme_callback(), so
replace it with a correct comparison.
Change-Id: Ie7bed6a66162cd3b9a1828e74bab9dc50d8ca8e8
CRs-Fixed: 865567
|
The original backport of the cfg80211 vendor commands into the 3.10
kernel had a flaw in the struct wiphy_vendor_command, and the original
set of functions were defined with an incorrect prototype. In order
to move to the correct prototype a 3-step approach was taken:
1) all .doit functions were typecast to (void *) so that they would
work with both the old and new definition, and the actual functions
were changed to the new prototype
2) struct wiphy_vendor_command was fixed in the kernel
3) all of the (void *) typecasts were removed
Unfortunately afterwards some new .doit functions were added with
unnecessary (void *) typecasts. Remove those unnecessary typecasts.
Change-Id: Id3f48dca15d2cd74216788be751d8bebb8cd762d
CRs-Fixed: 862288
|
There is a case that WOW_ENABLE TX complete interrupt comes after
WOW_ENABLE ACK from FW. Host driver doesn't need to crash for this
case, hence change VOS_BUG to VOS_ASSERT. Print one more register
for debug purpose also.
Change-Id: If2cbef1a85f8b63b6d9e3f3d7ee3ec49d4b72fbc
CRs-fixed: 866987
|
The Board File is selected based on the board_id returned
by executing otp binary.
Based on the chip id and the board_id, select the
appropriate board_data file and download.
The board file selection is as follows:
Mission mode: bdwlan<chip_id>.b<board_id>
Factory mode: utfbd<chip_id>.b<board_id>
If the Auto BDF Board files are not present in the filesystem,
then download the default board file i.e bdwlan<chip_id>.bin
Change-Id: I26c3eb377513d2c4439eddc4e5dc75eba66c78f4
CRs-Fixed: 805800
|
Release 4.0.10.133
Change-Id: I6f46a28a0f454e90094d0ea1039b7ec69a0cb662
CRs-Fixed: 688141
|
If secondary channel is changed, host is not calling the callback
and thus the resume tx is not called once channel is changed.
This logic is already present in case if only primary channel
has changed.
Added the logic to call the callback in case secondary channel is
changed and thus resume TX will be called after channel is changed.
Change-Id: I2514af31b499101ff4da9b49f057bf9886c251df
CRs-Fixed: 801054
|
Change credit threshold of MCAST_DATA of tx scheduler
to 17 to make it same as other access category.
CRs-Fixed: 866592
Change-Id: I5464c75949d73b34bf2acb43552916de21d34143
|
This reverts change If7100f0fedeaf3acba0be81ec95d0d5ab6a80d82.
Change If7100f0fedeaf3acba0be81ec95d0d5ab6a80d82 marks wmmAcAccessAllowed
as true if implicit Qos is disabled. This causes data to be tagged as VO
without Tspec negotiation. So, revert this change.
Change-Id: Ib257e44672dc1553c8b9a9250a1b52311f5b2d36
CRs-Fixed: 864625
|
IRAM dump is needed for debugging certain issues, hence add the support
to dump it when target asserts.
Change-Id: I4c1d991d69059034014b42f582fcdc71d9623485
CRs-fixed: 863564
|
Fix compilation error in SDIO port due to typo.
Change-Id: Ieb797c5038575908b191b93ee0706d08ef9ebacf
CRs-fixed: 866902
|
10 clients are needed when dhcp server offload is enabled.
Change-Id: Id66e33b2b4b1f2eef9edb2e4dd2a979bce32d60c
CRs-Fixed: 865328
|
There is incorrect assignment of passive/radar flags happening
for channels without proper check. Remove it.
Change-Id: I6c2299f2a483de0cb5889003550ec6985dc1b740
CRs-Fixed: 865877
|
When wpa_supplicant issues a connection, multiple candidate APs may be
found by the driver. The driver will try to connect to these candidates
one by one until connection succeeds or all candidates are tried.
When receiving a disconnection cmd from cfg80211, stop connection
immediately to avoid disconnection timeout, otherwise driver
and cfg80211 may be out of sync.
Change-Id: I6daa59ad495bb91c0ed70846c7aa4ae96ba3507a
CRs-Fixed: 816517
|
Validate arguments for TDLSOFFCHANNELMODE command
and return failure on invalid arguments.
Change-Id: I9ccb6e2a3106b6a1f2904bccd7964326d4fd621c
CRs-Fixed: 856466
|
Validate arguments for ENABLEEXTWOW command
and return failure on invalid arguments.
Change-Id: I73556989f79754bca1bf4226ad71c2358b3a7526
CRs-Fixed: 857123
|
In csrNeighborRoamMergeChannelLists() possibility of
array out of bounds access
Add fix to check the length correctly.
Change-Id: I4b9b4a71423df91de437edaacb6d39fb47f49d22
CRs-Fixed: 850462
|