| Age | Commit message (Collapse) | Author |
|---|
|
SBMerger: 325904710
Change-Id: I120f3321891093d7f45d74258bc15ccfcd067cf5
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Currently, sequence number of the authentication frame is cached
to detect if the same frame is received again. But in SAP case,
it's possible to get authentication frame from two different
clients with the same sequence number. Host driver drops auth
frame from the second station as it is considered as a
duplicate frame. Though the driver drops the frame only if it's
a retry, it's possible to get auth frame from second client with
same sequence number and retry bit set.
Cache the client mac address along with sequence number to
avoid this.
Bug: 172309980
Change-Id: I194adc9e0f90d074aef50340d2cd6c7b138cc9b5
CRs-Fixed: 2815784
|
|
SBMerger: 325904710
Change-Id: I3249c1114d3deb565a5e155253abaa4aeec90400
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
In beacon report's RCPI, host updates current RSSI which is incorrect
according to "2008 11k spec reference: 18.4.8.5 RCPI Measurement".
Hence fill RCPI value in beacon report as per "2008 11k spec reference:
18.4.8.5 RCPI Measurement".
Bug: 168426596
Change-Id: I2ce88ad9f5d0db252d96f9e25db336b081cdd9bb
CRs-Fixed: 2776844
|
|
SBMerger: 325904710
Change-Id: I577a421bb13bd7bfe472f6181a32a569bb00354c
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Currently in driver does not update the rate flags correctly
in wma as rate flags should include all the subsets of the
lower rartesets, which is not thye case today and driver only
updates the higher rate flag. Because of which it leads to
invalid computation of txrate at the kernel.
Bug: 166722837
Change-Id: I5529532b3d41b68693b5b4b8952ee0f1414354db
CRs-Fixed: 2776370
|
|
Currently driver acquires wakelock for scans received from hdd.
But for RRM scan initiated from AP for beacon reports, the
wakelock is not acquired and if host goes to suspend while scan
is in progress,FW asserts.
Fix is to avoid the system suspend by taking the wakelock
before rrm scan start.
Change-Id: I02ddc9b5e6ba5f1782d00e34f044ace34c54d0b0
CRs-Fixed: 2331741
Bug: 161624543
Signed-off-by: Vamsi Krishna <quic_vamsin@quicinc.com>
|
|
SBMerger: 325523750
Change-Id: I262a1134b864729e3c7503dcc4d0b8c70da6603d
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Currently the driver is not synchronized properly between SSR and wifi
ON/OFF. This causes a potential deadlock.
To synchronize, add a wait in wlan_hdd_state_ctrl_param_write
which is called during WiFi ON/OFF. This wait will ensure that the
driver recovery is complete before proceeding with ON/OFF.
Bug: 157090295
Change-Id: Ia1c4f8d7076d77c591276ee380b55a747cf606bd
CRs-Fixed: 2701513
|
|
Driver receives roam invoke command from supplicant, Host start
processing it in wpa_supplicant thread and sends ROAM_INVOKE
command to firmware. FW indicates roam invoke failure, so host
clean up the AP (Disconnect). But wpa_supplicant did not get
scheduled till disconnection completion. After disconnection,
wpa_supplicant thread gets resume and sets the roaming in progress
true. This results in roaming in progress remain set in a
disconnection state.
sme_fast_reassoc should be protected with sme lock to avoid
the race between SB disconnect and sme_fast_reassoc.
Fix is to protect sme_fast_reassoc with sme lock and
set roaming in progress flag before sending sme_fast_reassoc
command to FW and reset it again if sme_fast_reassoc fail to
initiate the roam invoke.
Bug: 157172156
Change-Id: I05d92f8d5916decbd2c6f99eb67da0a29525ead5
CRs-Fixed: 2608398
|
|
SBMerger: 319053551
Change-Id: Iccadc687947cc32ceb1ef618f3db70b2ad9bbc53
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Currently in the api hdd_process_ll_stats, if the stats
type is iface stats in that case the mem copy to the final
result uses the size of the structure pointer instead of
size of the structure which results in incorrect value for
the iface stats.
To address above issue use the size of the structure for
the memcopy of the iface stats.
Bug: 158521704
CRs-Fixed: 2710446
Change-Id: I2b6128f80fa994a5d2ed2fdd2feeaa1ae2e341d3
(cherry picked from commit 8450514e45e4a4a8a74a451ab06b58d19561d56b)
|
|
Currently in the api hdd_process_ll_stats, if the stats
type is iface stats in that case the mem copy to the final
result uses the size of the structure pointer instead of
size of the structure which results in incorrect value for
the iface stats.
To address above issue use the size of the structure for
the memcopy of the iface stats.
Bug: 158521704
CRs-Fixed: 2710446
Change-Id: I2b6128f80fa994a5d2ed2fdd2feeaa1ae2e341d3
|
|
SBMerger: 284775313
Change-Id: I6069ec58b48520fa9ff345966137fee79ced0241
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 284775313
Change-Id: Iced89e0c48cf34e4d49071832c9c692cbe46b4af
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 284775313
Change-Id: I9f428cfe9b69bc74553e4454435acd5ce5c67c70
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 284775313
Change-Id: If7e19d45847f1932736c291d174c8c68c0ae44d3
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android-msm-pixel-4.9-qt
AUG 2020.1
Bug: 157954141
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: I78b3bf5fcd9d56f26dc22d6b2b1c12f6b89c3309
|
|
Clear the stats bitmap properly such that LL stats is complete.
Bug: 156497381
Change-Id: I1238c438e9d57000006ae46474569c4f2cf60e8f
CRs-Fixed: 2690186
|
|
Host driver do receives radio tx power level stats as part of
radio stats even though we have different event ID for that.
Handling the tx_power_level as part of radio stats only if
num_tx_power_level is set.
Bug: 155942196
Change-Id: I46aff51c70c444c94c9b10f32b7776ba4a1ca4e8
CRs-Fixed: 2686882
|
|
Copy WMI_LINK_STATS_ALL_PEER stats and number of channels in
radio stats properly to the buffer.
Bug: 153415344
Change-Id: I3219e3c46e93d43f2684ab51a2c5d98a63a3f88e
CRs-Fixed: 2649207
|
|
With recent code change, LL stats results are returned in the user
space context only. To do that, changes were made to buffer the LL
stats results received from FW till the time FW completes it. This
change is not taking case where FW sends LL stats for multiple radio
which is resulting SKB corruption.
Bug: 153415344
Change-Id: I49781f1ea9520ad0d9721536be1861d5d8151ea7
CRs-Fixed: 2649207
|
|
Return response for Link Layer stats command in caller
thread's context
Bug: 153415344
Change-Id: I8a6a0b21d7915cd21422dbef9b87fa17d99fb244
CRs-Fixed: 2619295
|
|
We are transitioning the usage of LL stats response event
to request manager framework.
Bug: 153415344
Change-Id: Ice8b3d53beb47b345ed569f2b4bf790e9f5ce506
CRs-Fixed: 2274933
|
|
In function rrm_fill_beacon_ies, do while loop is checked
for BcnNumIes if it is greater than IE length 0. Fix the
check to be greater than 2 as the first two bytes is IE
header(element ID and IE length fields both 1 byte each.)
Bug: 155654263
Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4
CRs-Fixed: 2626729
|
|
In function rrm_fill_beacon_ies, the total IE length is
calculated as sum of length field of the IE and 2 (element id 1
byte and IE length field 1 byte). The total IE length is defined
of type uint16_t and will overflow if the *(pBcnIes + 1)=0xfe.
Validate the len against total IE length to avoid overflow.
Bug: 155653491
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329
|
|
When host sends ft assoc response to supplicant, it
allocates a buffer of fixed size and copies a variable
length of assoc response IEs to this fixed sized buffer.
There is a possibility of OOB write to the allocated buffer
if the assoc response IEs length is greater than the
allocated buffer size.
To avoid above issue validate the assoc response IEs length
with the allocated buffer size before data copy to the buffer.
Bug: 155654321
Change-ID: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78
CRs-Fixed: 2575144
|
|
SBMerger: 284775313
Change-Id: I5010c14c1ba7d852017118894cab60acbb9b56ef
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 284775313
Change-Id: I2837d212e9139f74a21bf6ee062cfd900b16cf94
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 284775313
Change-Id: Id67342a31d51a7b2c047449c175ddad3beb360d6
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
SBMerger: 284775313
Change-Id: Ia01b61ae8445daaec5540a17191b2973de1350da
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
JUL 2020.1
Bug: 155195707
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: I7cf4254f80bba478b7755f7d42ef40562eeea112
|
|
In SME layer, boundary check for dscp_to_up_map array is not present.
The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions
are used to index dscpmapping. The indices are not validated to be less
than 0x40. The dscp_exceptions array is received from association
response frame. A malicious AP can send values up to 0xff, causing OOB
write of dscpmapping array.
Hence, max index check is added to avoid OOB write of dscpmapping array.
Bug: 153345312
Test: Regression test
Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e
CRs-Fixed: 2569764
|
|
Allocated a memory to hold the mbo IEs stripped from IEs received
from userspace. But this buffer is not freed in all failure cases.
Move the freeing to a common label "end" to free the buffer in
all cases.
Bug: 153759907
Change-Id: I7ad268fed1898ac9f62e30eb4bd3740cce9bb4bc
CRs-Fixed: 2662225
Signed-off-by: Sunil Ravi <sunilravi@google.com>
|
|
The MBO IE sent from the supplicant supports multiple TLVs of the
same attribute type to be present. For example, for MBO case 5.2.8,
the supplicant sends 2 non-Preferred channel TLVs in the MBO IE.
However, when the driver unpacks the MBO IE for the Assoc Request
frame using frame parser, it supports only one unique TLV of each
attribute type in the MBO IE. So the second non-Preferred channel
TLV overwrrites the first TLV and the driver sends out Assoc Request
frame with only one non-Preferred Channel TLV in the MBO IE causing
the test case to fail.
Strip the MBO IE in the Additional IEs from supplicant and append
it to the end of the Assoc request frame without parsing it.
Bug: 152716519
Change-Id: I35ede59983ef63268e4648bb38217ebec2454382
CRs-Fixed: 2310297
Signed-off-by: Sunil Ravi <sunilravi@google.com>
Change-Id: I12444f0307da716b402ceb5b7913a75fc710cbfc
|
|
Currently MCS parameters are not getting correctly in
wiphy which results in incorrect capabilities for iw list
command output.
To resolve above issue, update MCS parameters correctly in
wiphy band capabilities.
Bug: 148982542
CRs-Fixed: 2633314
Change-Id: I830ad50aa4842bd2a79c97ed7b11b82c35148ff0
Signed-off-by: Sunil Ravi <sunilravi@google.com>
Change-Id: I2d0d7a8cd7ae05807378d1764bc13c81de44507a
|
|
When host sends assoc response to supplicant, it
allocates a buffer of fixed size and copies a variable
length of assoc response IEs to this fixed sized buffer.
There is a possibility of OOB write to the allocated buffer
if the assoc response IEs length is greater than the
allocated buffer size.
To avoid above issue validate the assoc response IEs length
with the allocated buffer size before data copy to the buffer.
Bug: 153344687
Test: Regression test
Change-ID: Ib12385e9ff04e5172ae8b505faf959e426fda439
CRs-Fixed: 2583124
|
|
Select the default channel from the list that the
hostpad gave instead of selecting a default channel
which can lead to discrepancy in the channels given
by the hostapd and the channel choosen for the SAP.
Bug: 149418331
Change-Id: Ib754ebdb4954607181ecea2727bca1e7cc67f39c
CRs-Fixed: 2635722
|
|
Currently the hotspot fail happens if the roaming is in
progress because of the check in start bss.
Ignore it and just do disable roaming to the FW.
If the roaming was in progress, it would disable it,
or it would do a disconnect if the EAPOL was in progress.
This is done to enable the hotspot as connect would be
taken care by the supplicant automatically, but the hotspot
needs user intervention.
Bug: 150834409
Change-Id: I0030f9affe60c064d490795be92ae035923738aa
CRs-Fixed: 2640136
|
|
Below are the scenarios where host fails to clear roam in
progress flag:
Case 1: While processing disconnection request
Host should clear roam in progress flag irrespective of
connection state of STA.
Case 2: While processing a try-disconnect request
Currently, Host waits for WLAN_WAIT_TIME_STOP_ROAM (4 sec) to
process disconnection, if firmware has already started roaming.
In case if Host doesn't receive roam completion indication from
fw, Host set connection state to not connected and fails to clear
roaming in progress flag. This results host refuses all further
connection request with reason connection in progress.
Fix is to clear roaming_in_progress flag in both cases.
Bug: 147821957
Bug: 150184372
Change-Id: I45d9771bcd546d8914321e3be1a6d0ce6566cdac
CRs-Fixed: 2588803
|
|
Move wlan_tgt_def_config.h wlan_tgt_def_config_hl.h to driver.
Bug: 144319790
Bug: 150182909
Change-Id: I5891d5ef557bb00b9a1632d79aa4c396074e0053
CRs-Fixed: 2474409
|
|
Configuration for Issue:-
DUT configuration:-
1. Configure DUT's country as US where channel 165 does
not support channel bandwidth of 40 mhz.
AP Configuration:-
1 Configure the AP in a country where channel 165
supports channel bandwidth 40MHZ.
Scenario of the issue:-
1.Connect to a diff AP on some channel x with same SSID,
and then roam to this AP.
Observation:-
The DUT would connect in 40 mhz to this AP instead of 20Mhz,
which violates the DUT's country reg rules.
Expectation:-
The DUT should re-connect only in 20Mhz on channel 165, or
only in max BW supported by reg in that country.
Issue:-
The DUT does not consider the max bandwidth allowed for the channel
in the country configured, and allow the re-association only
in the respective bandwidth.
Fix:-
Send the max BW supported by the channels in the current
reg domain to the FW so that it considers the max BW of the
channel and AP capability and then roam in the respective BW
only.
Bug: 144319790
Bug: 150182909
Change-Id: I1730d6c65d3dd305dcf2ebe340c3d5ad950761d7
CRs-Fixed: 2504900
|
|
SBMerger: 284775313
Change-Id: I5ac00d045d98033360b8a724d8c5e6ce941d2cc9
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Channel 13 can cause regulatory violation when enabled in world
mode in OFDM mode. Therefore disable channel 13 in world mode.
Bug: 134633080
Test: Check support channel list by "iw list" and "iw reg get" in world
mode
Merged-In: I1fb0531bc23726de448498a90e4508f0714e33a2
Change-Id: I1fb0531bc23726de448498a90e4508f0714e33a2
CRs-Fixed: 112274312
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
(cherry picked from commit 546b2e599547b88fcf075dd28f38ce09f937c732)
|
|
wpa_supplicant sends connect request with open auth and pmkid
when PMK caching is enabled and if it has PMK/PMKID cached.
Set rsn_auth_type to SAE when connect request has AKM as SAE
auth_type as open.
Set negotiated auth type to OPEN in SAE with pmk cache case as
open authentication going to happen. Similar fix is applicable
for FT-SAE. Handle the same.
Bug: 150896394
Change-Id: I9ccc419bd439702041840b0194bb0622d7856255
CRs-Fixed: 2467813
Signed-off-by: Sunil Ravi <sunilravi@google.com>
|
|
SBMerger: 284775313
Change-Id: I5cf3da64d67a909314e82dd08f0189d2b1d1579d
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Current driver configuration is as follow:
1. SME active roam command queue timeout is 30 seconds
2. SAE auth timeout is 5 seconds
3. Max BSS count in roam command (CSR_MAX_BSSID_COUNT) for SAE
authentication is 8
As SAE auth timeout is 5 seconds and SME active command queue timeout
are 30 seconds, so only 6 SAE auth timeouts (30/5 = 6) are enough to
trigger SME active command queue timeout for roam command.
In case of continuous SAE auth time out, Driver will try SAE
connection till 8th candidate. So when driver tries to process SAE
connection for 7th BSSID, device leads to crash as by this time
SAE roam command(connect command) gets removed from SME active roam
command queue.
Fix is to reduce the candidate list to 5 in roam command for SAE
authentication considering SME roam command queue timeout is of 30
seconds.
Merged-In: Ic43f44ef14ea4c3b972635682941a624cdc6dcc7
Change-Id: Ic43f44ef14ea4c3b972635682941a624cdc6dcc7
CRs-Fixed: 2551462
bug: 143129445
Signed-off-by: Isaac Chiou <isaacchiou@google.com>
(cherry picked from commit 49dd69705899ad2ee3266b0e3b0727f978d69dd1)
|
|
Currently the sta_context in add_bss params which is used to send the
peer_assoc command to the FW, the ht_enable and vht_enable are set based
on the AP's capability from the beacon. However, the channel width is
set based on the assoc response frame from the AP.
In a scenario where the AP advertises HT and VHT IEs in the beacon but
does not send HT and VHT IEs in the assoc response frame, we will end up
connecting in VHT/HT mode but with incorrect channel width.
Update the sta_context channel width also based on the AP's capability
from the beacon so that the connection would happen in the right channel
width even if HT/VHT IEs are missing in the assoc response frame.
bug: 142350508
bug: 144981147
Merged-In: Idb1907abebf32a34f88e935a30ebb8f1bce1d59c
Change-Id: Idb1907abebf32a34f88e935a30ebb8f1bce1d59c
CRs-Fixed: 2324434
Signed-off-by: Isaac Chiou <isaacchiou@google.com>
(cherry picked from commit dbee01d90764fd2d9c9cabb1d700ae1cf286eca6)
|
|
At present, IPA sys pipes setup done before ipa_wdi_init,
so chances for IPA uC is not yet up and running. As wdi init
succeeds only if uC is up and running, setting up IPA sys pipes
after ipa_wdi_init succeeds.
bug: 144733838
Merged-In: Iee9783b0238a3bc96a2e73e47ffebf3b44623485
Change-Id: Iee9783b0238a3bc96a2e73e47ffebf3b44623485
CRs-Fixed: 2573929
Signed-off-by: Isaac Chiou <isaacchiou@google.com>
(cherry picked from commit 9de09b5a744d931ad99e350cb6bc0642c54424a3)
|
|
Currently the driver does not check if the state
is key exchange in progress and suspends wlan
before set-key happens which further results in
FW also in wake up state.
This would result in delayed EAP exchange, and also
in power loss.
Scenario:-
1. Turn on STA and try to connect to enterprise network
2. Turn off display.
Here the display turn off would trigger APPS suspend
while the STA is trying to connect, and authenticate
and since there is no check in driver to prevent
suspend in set key in progress state, it would result
in a FW assert, as the expectation of FW is to allow
suspend only after set key has been done.
Fix is to prevent WLAN-suspend in case of connection
in progress, and allow suspend only in connected
and authenticated state.
bug: 145103580
Merged-In: Ic173116f7ba424005d938a43c75831a6a4dc874c
Change-Id: Ic173116f7ba424005d938a43c75831a6a4dc874c
CRs-Fixed: 2512866
Signed-off-by: Isaac Chiou <isaacchiou@google.com>
(cherry picked from commit 276984563e07e788f8d75f1257c12227593c4032)
|
