Age | Commit message | Author |
|
In wma_is_pkt_drop_candidate the enum values used to check the
frame subtype is not proper and disassoc subtype is compared to
SIR_MAC_MGMT_DISASSOC instead of IEEE80211_FC0_SUBTYPE_DISASSOC.
Similar enum mismatch is present for deauth frame.
Also the frame received time is updated even when the frame was
dropped and thus the received time of the frame keeps on increasing.
Thus the condition to check if frame is allowed after
WMA_MGMT_FRAME_DETECT_DOS_TIMER ms always fails if driver
continuously keep on getting the frames.
This can lead to dropping of valid deauth/disassoc frames in case
if RMF is enabled and some rogue peer keeps on sending rogue
deauth/disassoc frames and thus even if peer send valid deauth
peer will not get disconnected.
Fix this by using proper enum values to map the frame subtype.
Also update the rcvd time stamp only when the frame is allowed,
as this timestamp should be used to block the duplicate
frames for WMA_MGMT_FRAME_DETECT_DOS_TIMER ms.
bug: 141690880
Change-Id: I4f480e21369b585d78f240c5f4f062d010d889a8
CRs-Fixed: 2256679
Signed-off-by: Isaac Chiou <isaacchiou@google.com>
|
|
If 11w is enabled, mmie should be included in broadcast
multicast rmf, length check need consider it to avoid buffer
overflow
CRs-Fixed: 2270117
Bug: 139890137
Change-Id: I6c2ebe18fb5b6e4246ba6d28c1dbc55175279e30
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
In wma_set_stakey key_params is memset to 0 in first loop for num_key
while being used in subsequent loops for num_key.
So with key_params all zero the vdev id used to send for next key is
always 0.
So memset key_params after loop before returning from wma_set_stakey.
Change-Id: I3990a5c5017f068bb41914c6e38c4e8c2155bb19
CRs-Fixed: 2441622
Bug: 130662095
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
CCMP and GCMP both have different lengths of their MIC part. MIC
length for CCMP is 8 bytes whereas it is 16 bytes for GCMP. When
encryption type is GCMP/GCMP-256, sending packets with CCMP MIC
length causes fw to drop the GCMP encrypted management packets
leading to connection issues.
Send GCMP encrypted frames with GCMP MIC length.
Change-Id: Ia83fa6ffde880fe69e5e4c3e3c3ce9c62ad8fa3c
CRs-Fixed: 2203224
Bug: 129483359
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Currently the key information i.e the key, and the number of keys
are not getting cleared on wifi link disconnection from wifi
driver memory, which can lead to information disclosure.
Clear the key information i.e the number of keys and
keys from wifi driver memory to avoid any potential information
disclosure after wifi is turned off.
Change-Id: I45306e0d648c500f63f723b4e3ccb6098c055158
CRs-Fixed: 2637541
Bug: 123907624
Signed-off-by: Varun Reddy Yeturu <quic_vyeturu@quicinc.com>
|
|
Update NSS command is removed once driver receives the tx completion
event for the beacon. If SAP is in CAC wait state driver will not
get the tx completion for the beacon and the update NSS will timeout
after 30 sec and the serialization cmds queues will get stuck.
To avoid this remove the update NSS command from active queue as
soon as beacon is sent to firmware
Bug: 115323802
Test: IFS and regression test: b/122336305
Test: ATCS for AU drop test: b/122336929
Change-Id: I6f5b6bce91bdfacd4621020f313be25f74696b9d
CRs-Fixed: 2332302
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
|
|
Add check for GMAC offload capability wmi_service_gmac_offload_support.
If firmware supports GMAC offload, trim MMIE when driver receives
PMF frame. Otherwise, driver calculates MIC and trims MMIE.
Also, add support for suiteB auth types during roaming in
e_csr_auth_type_to_rsn_authmode.
Change-Id: Id44f44a41297ca3e462d14905f5986f904a639fd
CRs-Fixed: 2185819
|
|
Add changes to support GMAC group management cipher suite
Change-Id: Ic4855b77268464a1ed61efcf213f76a2d99ff0c4
CRs-Fixed: 2164828
|
|
Add changes to validate MIC for the received protected
MC/BC frames with GMAC group management cipher suite.
Change-Id: Ie5f60674a452d2d930acc9ff9eb55de37645097a
CRs-Fixed: 2164828
|
|
1546cd7 Release 5.3.1.1Q
90fb661 qcacld-3.0: Fix invalid dereferencing of peer_id_to_obj_map for peer_ref
328a147 qcacld-3.0: OOB access may occur due to total numChannels exceeds max value
3820448 qcacld-3.0: Do not return if hdd_open_cesium_nl_sock fails during init
af391a4 qcacld-3.0: Update correct value for low power stats
c4706d2 qcacld-3.0: Add check for validity of COUNTRY driver cmd
e18a9cc Release 5.3.1.1P
aba1b5c qcacld-3.0: Check for minimum frame_len for action frames
3a1313a qcacld-3.0: Add suppport to forward GAS action frames to supplicant
14f6935 qcacld-3.0: Check for SAP restart after channel switch
569a17b qcacld-3.0: Use request manager for OCB
94b1bb4 qcacld-3.0: Pass correct channel in ch_in_pcl()
b6f35a0 qcacld-3.0: Fix OOB read in lim_process_deauth_frame
..................................
Bug: 110352942
Change-Id: Ie27e954d1cc51fc23244aec81f4fe3b0de188741
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
c9d57d1 qcacld-3.0: Fix clang compilation errors 'extraneous parentheses'
fb423e5 Revert "qcacld-3.0: Dont process driver unload during system reboot"
682b657 qcacld-3.0: Add Tx compl callback to check if OTA is needed for TX desc
74d0e31 qcacld-3.0: Send del_self_sta_resp during VDEV detach if target not ready
7edd94d Release 5.3.1.1O
b0fa6eb qcacld-3.0: Aquire tdls lock before calling wlan_hdd_tdls_implicit_enable
b37ff18 qcacld-3.0: Validate TLV length in FILS wrapped data before processing
a023aed qcacld-3.0: Remove redundant check for CDS_MAX_NUM_OF_MODE
3ab255b qcacld-3.0: Fix typo "doesnt" in generated dot11f.c code
a1117b2 qcacld-3.0: Fix NULL pointer dereferencing of vdev during peer deletion
72981b0 qcacld-3.0: Enable PNO feature in FW feature config
c029178 qcacld-3.0: Indications of DHCP START/STOP indication SAP/P2P GO
ef3d392 qcacld-3.0: Use same sap_context for different SAP wrongly
Bug: 109928450
Change-Id: I986b97c7e695642119550c178ddf87306222e752
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
43ea0b0 qcacld-3.0: Dont pass source argument as nla_data to nla_memcpy
193fd1a Release 5.3.1.1L
fc0db5e qcacld-3.0: Use request manager API for RCPI feature
03e6ec8 qcacld-3.0: Add per-chain RSSI prints in WMA layer
06cc9ce qcacld-3.0: Add a NULL check on channels in IOCTL SETROAMSCANCHANNELS
c10d8aa qcacld-3.0: Fix buffer overwrite in csr_roam_diag_joined_new_bss()
bd75dc7 qcacld-3.0: Fix buffer overwrite in lim_mlm_add_bss()
325214e qcacld-3.0: Fix NULL acs_cfg ptr access
318cfde qcacld-3.0: Avoid possible NULL pointer dereference
e34b18d qcacld-3.0: Fix possible OOB issue in ol_tx_desc_update_group_credit
c33a8be qcacld-3.0: Fix possible OOB access in ol_rx_reorder_detect_hole
12734b7 qcacld-3.0: Avoid VDEV start for new interface when roaming in progress
7622df0 qcacld-3.0: Reject DISA test vendor command if power save is enabled
..................
Bug: 80408179
Change-Id: I474badd9b1f3fc0927f991a1898343832dba93ea
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
f055636 qcacld-3.0: Fix issue while handling ndp response without iface name
a838a27 qcacld-3.0: Add SAR V2 support
594b96b qcacld-3.0: Add ini param to control RTT mac randomization
8ee11a2 Release 5.3.1.1D
05269e2 qcacld-3.0: Set bcast probe req flag for invalid bssid and ssid
d1144e8 qcacld-3.0: Fix potential buffer overflow in radio stats event handler
c228d66 qcacld-3.0: Send 11k offload disable to FW during RSO Stop
070054e qcacld-3.0: Dereference adapter after NULL check
1305e86 qcacld-3.0: Resolve possible OOB while posting SET PASSPOINT WMA event
54d7eea qcacld-3.0: Flush message queues before sending suspend event to firmware
0f3db67 qcacld-3.0: Complete all wait events before shutdown
949550c qcacld-3.0: Do not stop TDLS timers before restart
f0df927 qcacld-3.0: Assign center_freq1 and center_freq2 before use
7fb20d6 qcacld-3.0: Do not program phymode for opmode update
6567910 qcacld-3.0: Drop duplicate Beacon Report request
bc62a84 qcacld-3.0: rate limit scan failure logs
0196899 qcacld-3.0: Check for NULL after taking lock
6e97b18 qcacld-3.0: Add debugfs support for roam scan stats
....................
Bug: 77606671
Test: Passed Regression Test
Change-Id: I06757c61e4163513d4ab46f786b85a966b15aba3
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
20d718e qcacld-3.0: Add debugfs support for roam scan stats
78c1290 qcacld-3.0: Add debugfs support for offload info
98323f8 qcacld-3.0: Add debugfs support for connect info
22966f6 qcacld-3.0: Add debugfs framework support for CSR
7ff6211 Release 5.3.1.1B
f221f0d qcacld-3.0: Call the 11d state machine even for cached regulatory
02c24fd qcacld-3.0: Revert accidental removal of sanity check
4875bf1 qcacld-3.0: Fix use before malloc when ipa disable from ini
12b609c qcacld-3.0: Accept nan responder request without iface name
dddcead qcacld-3.0: Don't process set mac net dev operation on interface up
ea23ce3 qcacld-3.0: Ignore qdf debug fs create failure during init
Bug: 75978775
Change-Id: I6b0e9304081ca11d37163e1a512c527bc5121d68
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
6848dd2 qcacld-3.0: Enhance logging levels for some SAP ACS messages
4eaad9c qcacld-3.0: Do 11ac override only if channel list has 5Ghz channel(s)
636c306 qcacld-3.0: Assign acs_cfg->end_ch before use
3c52a40 qcacld-3.0: Support NDP Confirm with channel info and Schedule Update
072110f qcacld-3.0: Enable channel 12 and 13 in world mode
8ed6af2 qcacld-3.0: Add channels 5735-5835 to the world mode
5d122cf qcacld: Modify defualt world rules
63e10f7 qcacld-3.0: WLAN upgrade to 5.1.1.47F
Bug: 73290698
Change-Id: I0e405a517636b5546eca0faa9fe48cb055bbfc54
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
Add support to send the per chain rssi to upper layer
for each beacon and probe responses.
Bug: 68348227
Change-Id: I31bcfcf2b44c21b5901e7f70d5f1cdb1f5c4398b
CRs-Fixed: 2173155
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
3122353 qcacld-3.0: Update DTIM value in WMA for modulated DTIM
d5f23c7 qcacld-3.0: Fix dereferencing NULL peer
4d830ec qcacld-3.0: Enable channel 12 and 13 in world mode
3631077 qcacld-3.0: Add channels 5735-5835 to the world mode
7012990 qcacld: Modify defualt world rules
83d6273 Release 5.1.1.44V
15b1778 qcacld-3.0: At SAP,cache every station's info only once
55a9571 qcacld-3.0: Add a check for HAl context
f335516 Release 5.1.1.44U
40fe570 qcacmn: Untrack nbuf map on map failure
917c576 qcacmn: Hold lock for entire nbuf debug iteration
6bbcf5c qcacmn: Add nbuf map/unmap history tracking
d0f7852 qcacmn: Extend wmi interface command to support other connectivity stats
363936b qcacmn: Add connectivity stats rx function pointer
e82d3d0 fw-api: CL 4011873 - update fw common interface files
e13edce fw-api: CL 4003829 - update fw common interface files
c0c7c48 fw-api: CL 4003828 - update fw common interface files
Bug: 71763975
Bug: 72173962
Bug: 69611483
Bug: 67750750
Change-Id: I3c84e7e637b289410bdaa46d56a695b55b7bc938
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
The host defines the iface ptr with :-
iface = &wma_handle->interfaces[key_params->vdev_id], at line 1588
and if the WLAN_FEATURE_11W is not enabled, the host sets the
iface->is_waiting_for_key as false, without a NULL check of iface.
Fix is to add a NULL check for iface
Change-Id: I69ed8f881b678458d16f1f74e87e31959c04ec63
CRs Fixed: 2156921
|
|
Send WOW timer pattern to firmware when suspend is requested and
INSTALL_KEY is not sent to firmware yet. This will allow firmware
to wake host in case Eapol frames are not received and do a graceful
disconnect.
Change-Id: Ibbcc0af85ee9ddcd7f6559c83c67274508193004
CRs-Fixed: 2127634
|
|
Certain AP cannot understand 2x2 chains for CCK rates. For such AP
set program firmware to just use 1x1 chain for CCK rates.
Change-Id: I4d800e84208ecf14792ae09bd73c2a163e6f61f3
CRs-Fixed: 2134140
|
|
In function wma_mgmt_tx_bundle_completion_handler
cmpl_params->num_reports, param_buf->desc_ids and param_buf->status
are received from the FW. num_reports is used as array index to access
desc_ids and status. If the value of num_reports exceeds the max
allowed array index, out of bounds access would happen.
Add sanity check to make sure num_reports does not exceed the max
allowed limit. Also make sure num_reports is not greater than
num_desc_ids and num_status
Change-Id: I300411febf6449680e873e5947fa767298afe962
CRs-Fixed: 2119439
|
|
SME module propagates KeyRSC to MAC/PE module but MAC/PE doesn't
pass this counter to WMA and due to which WMA is not able to pass to
next module.
Add a fix to propagate KeyRSC field from MAC to WMA module and further
down in stack.
CRs-Fixed: 2130761
Change-Id: I157a44610e184b5e10d838fbc5d6b810e3efd6db
|
|
Currently, vdev_up flag is not set to false in all the missing cases,
Identify all the places and set vdev_up flag to false.
Change-Id: Ia527071036b9210051edc62f76f195f5ce5876b7
CRs-Fixed: 2129709
|
|
In wma_mgmt_rx_process, hdr->buf_len is read from message,
if hdr->buf_len is larger than data_len, it will over-read
from param_tlvs->bufp with corrupted message.
Change-Id: I7f06d81fd18960d0d6c57cdb4594680178022087
CRs-Fixed: 2126972
|
|
A previous update to wakelock timeout values incorrectly modified a few
firmware response timeout values. Restore these timeouts to their
original values.
Change-Id: I4ca4c629f0810f6fdb575c5c78904811920defeb
CRs-Fixed: 2127564
|
|
Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_process_rmf_frame.
Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes.
Change-Id: I156cf9766dda30ee3746361614a2e4586553f93d
CRs-Fixed: 2123807
|
|
Add 1 second wake lock for 4 way handshake to avoid APPS
power collapse in middle of eapol exchange which can delay
the association process.
Change-Id: Ife73dc00aa05b5a80d0a90afd18468bd033ebdd9
CRs-Fixed: 2118533
|
|
Currently resp_event->vdev_id, received from the FW, is directly used
to refer to wma->interfaces without validating if the vdev_id is valid.
Add sanity check to make sure vdev_id is less than max_bssid before
using it.
Change-Id: I734ff795a3936719b08493f868384dbde72a80df
CRs-Fixed: 2119394
|
|
Currently if_id used in the for loop is incremented based on vdev_map != 0
and vdev_map is a uint_32, received from FW, and is right shifted by one bit
for each iteration. This could result in if_id going up to max of 31 and cause
OOB read.
Add sanity check to make sure if_id is less than max_bssid.
Change-Id: I7e0c4e9a26cb67f41e35c60c2756d7ad02cf43ea
CRs-Fixed: 2119443
|
|
Ensure that the array index of WMI descriptor pool is
within the maximum pool size
Change-Id: I32bf6a9689d3119369cfe2284f51f6592aa00047
CRs-Fixed: 2119803
|
|
After deriving the vdev_id from the vdev map in
wma_beacon_swba_handler check for the validity
of the vdev_id
Change-Id: Ifc4577d8a00f447e2bcfa4e01fce5ac2dbe96a4d
CRs-Fixed: 2120751
|
|
Check for the maximum number of P2P NOA descriptors in
wma_send_bcn_buf_ll.
Change-Id: If7e5b3c53309412dc7d3cd748c2f5581898fbbfe
CRs-Fixed: 2114323
|
|
Change status logging in mgmt tx completion to string format.
Change-Id: I84c99e3c928a8a5c17048f20e1d9b3e990b911ad
CRs-Fixed: 2113615
|
|
Replace instances of unadorned %p in core/wma.
Change-Id: I44a975caa73f0837274536babf1902bef06c591a
CRs-Fixed: 2100997
|
|
Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_form_rx_packet.
Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes. Also add upper bound check for
frame_len in lim_process_auth_frame function.
Change-Id: I7ab454045e2f6d278351dcabde6da556f9f741e0
CRs-Fixed: 2093392
|
|
As beacon and probe rsp are not deferred in LIM the non-deferable
LIM msgs from WMA may get delayed due to processing of beacons and
probe responses.
To Avoid this post the non-deferable LIM msg from WMA with
high priority so that they can be processed before beacons and probes.
Change-Id: Ida7cb86be397a415893142a318b75b41c13578b5
CRs-Fixed: 2090173
|
|
Currently, a wakelock is acquired before vdev start is sent to firmware
and released after a vdev stop response is received. In some cases, this
can cause a race condition where the device will power collapse before
the association process is complete. Instead, release the wakelock after
either vdev up or vdev down is sent to firmware, ensuring the entire
association process is protected.
Change-Id: Iab1a241f1c5810d9f71bfd86e1e8036847ebf602
CRs-Fixed: 2082928
|
|
Enable FEATURE_WLAN_DOWOW for pcie.
This is for backward compatible with rome fw.
Change-Id: Ia2107ff6939666b4a0bd19d57149d17814f2dfb5
CRs-Fixed: 2070426
|
|
For encryption mode WEP40 or WEP104, the default key index should
be set. If not set, the group key index will be zero always.
Change-Id: I3f2dae9d7b6cd4fbb7aa2882e6a5e89cf759cd11
CRs-Fixed: 2065988
|
|
Add support of GCMP (128/256) security cipher support.
Change-Id: I3c9cb3dc72cce0a2cae3e468d3c1f3c004e11adf
CRs-fixed: 2056168
|
|
qcacld-2.0 to qcacld-3.0 propagation
Current ini setting doesn't support configuring per band mgmt rate.
Add ini to configure per band mgmt rate.
Change-Id: I340b09324fc16b15846598b17de9976f92b93252
CRs-Fixed: 2056132
|
|
Beacons with NULL IE's are triggering crash
in framework.
Add condition check in WMA to drop beacons
with NULL IE.
Change-Id: Ie28cd513713668334a77a2e8f5f345d79f68fcb5
CRs-Fixed: 2047525
|
|
Function wma_mgmt_rx_process will drop packets when recovery is in
progress and when load/unload is in progress. During these events
if host receives a lot of packets it might lead to WD bite. To fix
this reduce log level of "Recovery in progress" and "Load/Unload in
progress" in this function.
Change-Id: Ic926e23fe14dd3f670dd9269519866095d51539a
CRs-Fixed: 2049811
|
|
Add below changes to support SSR within SSR,
1. Add new driver state, CDS_DRIVER_STATE_BAD, which will be set
on re-init failure and reset on re-init success and if this
state is set, don't allow any north-bound calls.
2. Don't de-register wiphy/netdev on re-init failure.
3. BUG_ON if re-init or probe fails successively for two times.
4. During driver unload, don't wait for SSR to be completed.
Change-Id: Id05a3e4b592664c9b56c7dd83b965b973f1d5ca5
CRs-Fixed: 2037628
|
|
Beacons from NAN devices triggering crash in framework.
Don't update the NL with the NAN device beacons.
Drop NAN device beacons in WMA before processed by PE.
Change-Id: I754591459d7a02848454d506b85847b1993aac53
CRs-Fixed: 2047525
|
|
Add changes to move unwanted kernel message to debug prints to
stop flooding of kmsg.
CRs-Fixed: 2045053
Change-Id: I8af7d2896a3181f60264ac54eadbfa0a87e11328
|
|
Fix kernel module check patch warnings in WMA files
Change-Id: I236fc58152787a7ee906e5aa7d19f917ac69a17a
CRs-fixed: 2030824
|
|
1) Fix Wma target req msg,freed twice in wma_cleanup_vdev_resp_queue.
2) Packet buffer not freed if mgmt tx completion
is not received from firmware before driver unload.
Change-Id: I2a7e5f8dc0993588b569093d64cfba293069ae23
CRs-Fixed: 2038479
|
|
Logic to calculate max chainmask supported is used to calculate
max NSS and thus when NSS passed is 2 the firmware was sent value
3 which is causing firmware crash as max NSS supported is 2.
To fix, added logic that if NSS is greater than WMA_MAX_NSS(2) make
it WMA_MAX_NSS.
Change-Id: Ic7ff541b60434c0ce501d245462cd45e62dd9403
CRs-Fixed: 2033675
|
|
While processing RMF frame wma_process_rmf_frame can free the wbuf
in failure case. But after return even if wbuf is freed, it is used
to get the data pointer.
Fix this by returning before accessing the wbuf in case of failure.
Change-Id: Iddd445a8cd77a0d5a6d234fb0dc2157de09fb814
CRs-Fixed: 2034378
|