This fix will resolve memory leak issue where memory was not
getting released through calling csrFreeScanFilter.
CRs-Fixed: 802042
Change-Id: I5c20fc66add1903f0ea39be663a239e24cfb180d
Fix Out-of-bound access in sapInterferenceRssiCount, by checking
the limit of start address for channel info and end address for
channel info.
Change-Id: If21e09d0f11bd655a8e04139ccf55d3682734b17
CRs-Fixed: 2128512
At some places in code, break statement is missing.
Fix is to add break statement at missing places.
Change-Id: I315aa575d24d2713a4c7c2f35349fb4ed3364212
CRs-Fixed: 2078880
In environment with plenty of APs, scan result will contain hundreds
of APs (600+), which will require more ticks to process scan result.
To process those result, SME mutex is held - via sme_AcquireGlobalLock().
Meanwhile, suspend_handler invoked by OS, which will also try to
acquire same mutex in sme_staInMiddleOfRoaming().
The long time wait finally causes the crash.
To avoid it, check if scan in progress in suspend_handler,
before trying to acquire that mutex.
Refer to CR for more detail.
CRs-Fixed: 2084115
Change-Id: I76fd4511cc75a1ca61493ed34aaedc469c4502f5
prima to qcacld-2.0 propagation
Dereference of 'roamSession' pointer before NULL check in
csrRoamProcessResults().
Change-Id: If9595d00387734066386dc29591aed331f46d023
CRs-Fixed: 2030051
Once host tries to create 3 vdev as sta, FW will assert due
to only 2 vbmiss entry supported which is the limitation for
both TF and Rome hardware.
The fix is to add sanity check to confirm the max value of
sta vdev count is 2 to avoid the issue.
Change-Id: I7f4b66df573558ab23955de9884cc80a6e4981c2
CRs-Fixed: 2030008
Sometimes delay is observed while scheduling async_task.
Set lower nice value to increase the priority.
Also, take care of the VosWDThread thread priority.
CRs-Fixed: 1112996
Change-Id: I164e8c915cc2e4ea0630b2b88417c9a33b4e0c6b
Currently host driver may receive lots of radar wmi events in
a short time because of hardware limitation, which may regard
WiFi calibration signals as radar pulses.
Driver allocates buffers for every wmi event in the interrupt
bottom half and free these buffers in the wmi event work queue,
so buffers may only be allocated and not freed when there are
too many radar wmi events.
Drop incoming radar wmi event if there is already 1000 radar
wmi event pending.
Change-Id: I20ab024bb87b5d883380796a9c080d1667d696ff
CRs-Fixed: 1030466
In high latency, Firmware will trigger crash when no more reorder buffer
left. The number of prealloc reorder buffers depend on tid number, which
equals 4 * clients number, so reassign num_tids in wmi_resource_config to
4 * no_of_peers_supported as Firmware suggested.
Change-Id: If715cf201a283fa956b53dcdaccd534e57986fcb
CRs-fixed: 2003903
qcacld-3.0 to qcacld-2.0 propagation
Fix memory leak in case of txrx_fw_st_rst command where
driver is not expecting any response from firmware.
CRs-Fixed: 964465
Change-Id: Iad91cb5557ef167d126ef68e07f02445ad7a0b97
If nss is greater than 3 in operating mode IE, the same value is sent
to firmware and firmware crashes as it expects nss value to be 0-3.
To fix, update nss to max supported value before sending to firmware.
Change-Id: I339dd67ce2e393c491633a4a9fd4559c693289c4
CRs-Fixed: 1110127
tx_msdu_info.peer should be reset to NULL for
each MSDU. Each MSDU will be classified by
ol_tx_classify to get peer.
Change-Id: I68fe619435a6edfdd82fa083ad9cb81251705ad5
CRs-Fixed: 1109984
prima to qcacld-2.0 propagation
Scan should be aborted before sending join request since DUT
needs to be at home channel during connection.
Add changes to abort current scans before try to connect to AP.
Change-Id: Ifa445a6e0898789ec6b57b446936565405c51328
CRs-Fixed: 1081496
As per the 80211 spec, except for setup req and resp frames all
other TDLS management frames shall be transmitted with AC VI. But
this may cause packet check failure for WMM certification-STAUT
-5.2.31 when Admission control is enabled for VI.
To overcome this issue discard discovery request and setup cfm
frame when ACM is set for AC VI.
Change-Id: I13da566e9de5e9a366c1efc41c0af67320305570
CRs-Fixed: 1083561
prima to qcacld-2.0 propagation.
scnprintf returns the number of characters which are actually
written in the buffer. Currently there is no check, while filling
buffer. Hence, a situation might arise where the len is greater
than the sizeof of buffer. Later, this buffer is copied to user space
through api copy_to_user and since the len is greater than buffer
size, buffer over-flow would occur.
As a part of fix, make sure that buffer over write doesn't occur.
Change-Id: I652979cb26fd7fff36ee54f9ec60132453ac7913
CRs-Fixed: 908252
If we fail to allocate receive packet bundle buffer
it will return no memory without freeing receive pkt queue.
Fix is to free the receive pkt queue before returning from message handler.
Change-Id: I4bf2aeb7bc85cc68cfa1314e6dbf5057665ba7ce
CRs-Fixed: 1079623
Currently there are some places where array name is compared to NULL
in HDD. Add fix to correct it.
CRs-Fixed: 1063255
Change-Id: Ic8b6ce003a918890bae6d9c81f6732472333528e
prima to qcacld-2.0 propagation
In sme_UpdateDSCPtoUPMapping() function, we try to write into
the array dscpmapping in 255th location, if the location index
happens to be 255. But the size of dscpmapping array is 64 only
which is causing out of boundary access resulting in crash.
To address this, avoid writing in out of boundary. If the DSCP
range is 255, there is no mapping for such priority, so there is
no need assign anything for dscpmapping.
CRs-Fixed: 1027457
Change-Id: Ic4299122b10a990d17816f864ef8415c1b75b230
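
The bounds rule described in the commit message above, as an added example that is not the driver's code: a 64-entry DSCP-to-UP table is filled from QoS Map ranges, a range marked 255 is skipped, and any index that would fall outside the table is rejected. The struct layout and function name are hypothetical, and the exception-list handling goes beyond the case the message describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSCP_TABLE_LEN 64   /* DSCP is a 6-bit field: valid indexes 0..63 */
#define DSCP_UNUSED    255  /* QoS Map marker: no DSCP range for this UP */
#define NUM_UP         8
#define MAX_EXCEPTIONS 21

struct qos_map {                          /* hypothetical layout */
    uint8_t num_exceptions;
    uint8_t exceptions[MAX_EXCEPTIONS][2];  /* {dscp, up} */
    uint8_t range[NUM_UP][2];               /* {low, high} per user priority */
};

/* Fill table[] from the map; returns how many entries were written.
 * Unused (255) ranges and anything that would index past the table
 * are skipped instead of written. */
static int build_dscp_to_up(const struct qos_map *m,
                            uint8_t table[DSCP_TABLE_LEN])
{
    int written = 0;

    memset(table, 0, DSCP_TABLE_LEN);
    for (unsigned up = 0; up < NUM_UP; up++) {
        uint8_t lo = m->range[up][0], hi = m->range[up][1];

        if (lo == DSCP_UNUSED || hi == DSCP_UNUSED)
            continue;                     /* no mapping for this priority */
        if (lo > hi || hi >= DSCP_TABLE_LEN)
            continue;                     /* malformed or out-of-bounds range */
        for (unsigned d = lo; d <= hi; d++, written++)
            table[d] = (uint8_t)up;
    }
    for (unsigned i = 0; i < m->num_exceptions && i < MAX_EXCEPTIONS; i++) {
        uint8_t d = m->exceptions[i][0], up = m->exceptions[i][1];

        if (d >= DSCP_TABLE_LEN || up >= NUM_UP)
            continue;
        table[d] = up;
        written++;
    }
    return written;
}

int main(void)
{
    struct qos_map m;                     /* constructed sample input */
    uint8_t table[DSCP_TABLE_LEN];

    memset(&m, DSCP_UNUSED, sizeof(m));
    m.num_exceptions = 0;
    m.range[5][0] = 40; m.range[5][1] = 47;
    printf("entries written: %d\n", build_dscp_to_up(&m, table));
    return 0;
}
```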
gscan priority should not cross normal scan.
Add changes to reduce gscan priority.
CRs-Fixed: 1066785
Change-Id: I7459367cfed5d932f07f8c846265c448b9a84555
Currently in BSS starting process if WMI_VDEV_START_RESP_EVENTID is not
received, WDA_ADD_BSS_REQ will time out. WMA will send WDA_ADD_BSS_RSP
back to MAC but do not delete peer. WDA_ADD_BSS_RSP with BSS starting
failed information will be handled by sapFsm() and trigger
sap_CloseSession(), then WMI_VDEV_DELETE_CMDID will be sent to firmware.
Since WMI_PEER_DELETE_CMDID have not been sent, FW will crash.
Delete peer before send WMI_VDEV_DELETE_CMDID to FW, this issue will
be resolved.
CRs-Fixed: 1066282
Change-Id: Idc9e813f16f600ce938a6454b94731a1712857b4
prima to qcacld-2.0 propagation
iw_setint_getnone can cause crash in monitor mode as hal
context is not initialized.
Modify the code to handle dereferencing hHal in Driver Monitor
mode.
CRs-Fixed: 1040579
Change-Id: If26cfab5374ac34c55e03b887c320c0736a9df23
Packets are not freed from cache buffer and causes memory
leak in SSR case. Flush cache RX frame queue to avoid this memory leak.
Change-Id: Idd9edde6fdb3b9ff3ecbe7d8139f9a66468b70af
CRs-Fixed: 1051019
prima to qcacld-2.0 propagation
Currently in ESE reassoc timer value is 1 sec. So if reassoc
is failed, then host sends the reassoc retry with the same
TSF value after 1 sec. AP rejects if the TSF time difference
is more than 1 sec.
Changes are done to retry the reassociation within 1sec.
change-Id: I3f3415d683d39721aef17937ab4a4d1454d513eb
CRs-Fixed: 789057
In a SNS case, driver receives ASSOC Req during the SAP
Stopping. The SAP stopping will issue WMI_VDEV_DOWN_CMDID
WMI command to firmware. And ASSOC req frame processing
will issue a WMI_PEER_CREATE_CMDID WMI command to firmware.
Then the firmware crash happens because firmware can't find
the necessary BSS information to create the peer. Firmware
doesn't support peer create after BSS down.
The fix is to ignore the ASSOC Req frame while the deleting
BSS is ongoing.
Change-Id: Ib517642da4fc6b4778ef1ce4e6afd92fa3edb112
CRs-Fixed: 1053809
If SAP receives auth from an already connected STA, it posts
eWNI_SME_DISASSOC_IND msg to SME to delete the STA context and
returns. STA may try to send auth again as it didn't receive auth
resp.
Now many frames (probe req, auth etc) may get accumulated in PE
message queue and unless PE queue is fully processed SME queue will
not be processed and thus del sta will get delayed. This may again
cause STA to send more auth req and every time MC thread process an
auth req before the sta is deleted, eWNI_SME_DISASSOC_IND msg is
posted in SME message queue.
And if PE keeps on getting auth before the sta is deleted,
SME queue will pile up leading to crash.
To fix this do not trigger del sta if it is already in progress.
Change-Id: Icff3778d35ef7ea646463fe49c4335e260e9e156
CRs-Fixed: 982329
prima to qcacld-2.0 propagation
Static analyser is reporting errors for array bound
checking and null pointer references.
To resolve this
1. Check for condition array index shouldn't exceed
WNI_CFG_VALID_CHANNEL_LIST_LEN before accessing
ChannelList array.
2. Check for NULL condition wherever necessary.
Change-Id: Idd0a23a8180dddabfdd353c0861899411aecfa16
CRs-Fixed: 534624
Change-Id Id016a65b58255b25b973c1904a9715c995f7d34a results
compilation error in TXRX.
Add changes to remove FL from the debug print.
Change-Id: Ib3c023e0a8abc5a43ddd2f757deec563592bd5d6
CRs-Fixed: 1028035
In limInitPeerIdxpool, driver initializes gLimAssocStaLimit/
gLimIbssStaLimit entries of peer index pool. But there is a chance
of allocating less memory for peer index pool in peCreateSession
which can overwrite adjacent memory locations as maxStation can be
different from gLimAssocStaLimit/gLimIbssStaLimit. Fix this by
initializing maxStation entries. Also, add change in
limCreateSessionForRemainOnChn to use pMac->lim.maxStation as
no of entries.
Change-Id: I915e67fe7a15ebe622273af971d8a88ad78585cf
CRs-Fixed: 1025378
When STA process Neighbor report from AP, session_id is declared
as one byte variable and it's overwritten with four bytes value
in csrRoamGetSessionIdFromBSSID. This is observed on enabling stack
protection in kernel config(CONFIG_CC_STACKPROTECTOR).
Fix is to declare session_id as four bytes variable.
Change-Id: I6b2fd40a5466fe5dd72d394abb682229a550e0b1
CRs-Fixed: 1025272
When target enters suspend mode(WoW enabled), some unpause
events would be dropped by FW. So host TX queue would keep in
paused state even after host resumes. No following data
frames would be sent out.
Change-Id: I78fd23a384590c740c0147c3f2e7ec5b0da7aea8
CRs-Fixed: 1025669
It may be possible to have random data in re_flag when host gets
dfs event which may cause extra processing of the phy error.
Add change to initialize re_flag variable with zero.
Change-Id: I1f38bed9471de60cb32da3ac31eb1e08011c2074
CRs-Fixed: 1028556
peDeleteSession may get called twice for the same session during
disconnect. This leads to warnings while trying to delete timers
which is already deleted the first time.
Thus avoid calling PE delete session for non valid session.
Change-Id: I96f99f42467ec2650794718a5b11033c031c71ec
CRs-Fixed: 1021248
FW can enter into suspend mode even if the BMPS is not enabled.
Hence power save check is not required in suspend request.
Change-Id: Ic2b774cea10516ea0b23141922ba1e16aa33f395
CRs-Fixed: 974918
Currently the min value of gTDLSPrefOffChanBandwidth is set to zero which
is invalid, min value should be 1 (zeroth bit set) for 20MHz.
Change-Id: Ibc2da1c2cca7e704b21686ab795224462dd9f913
CRs-Fixed: 1007109
prima to qcacld-2.0 propagation
Due to pre-emption there could be probability that tdls context
is accessed in wlan_hdd_tdls_check_power_save_prohibited after it's
released. This will result in kernel panic.
To Fix: protect tdls context with mutex lock before accessing
Change-Id: I33369320de5b0aadae661d7d27fbc5ba18e9e409
CRs-Fixed: 990645
prima to qcacld-2.0 propagation
Out of bound access is reported by kernel address
sanitizer (KASan) tool.
=================================================================
BUG: KASAN: slab-out-of-bounds in csrScanSmeScanResponse+0x148/0x35c
[wlan] at addr ffffffc01745b208
Read of size 4 by task VosMCThread/32563
=================================================================
BUG kmalloc-128 (Tainted: P B W O ): kasan: bad access detected
----------------------------------------------------------------------
[<ffffffc00008c80c>] dump_backtrace+0x0/0x284
[<ffffffc00008caa0>] show_stack+0x10/0x1c
[<ffffffc001e992fc>] dump_stack+0x74/0xfc
[<ffffffc0002f3094>] print_trailer+0x150/0x164
[<ffffffc0002f345c>] object_err+0x38/0x4c
[<ffffffc0002f8994>] kasan_report+0x34c/0x504
[<ffffffc0002f8ba0>] __asan_report_load4_noabort+0x14/0x20
[<ffffffbffc2adea8>] csrScanSmeScanResponse+0x144/0x35c [wlan]
[<ffffffbffc2ae1b0>] csrScanningStateMsgProcessor+0xf0/0x6e4 [wlan]
[<ffffffbffc2b6e10>] csrMsgProcessor+0x1f8/0x2c8 [wlan]
[<ffffffbffc252ff0>] sme_ProcessMsg+0x1024/0x115c [wlan]
[<ffffffbffc3a29d0>] VosMCThread+0x798/0x950 [wlan]
[<ffffffc0000f1f24>] kthread+0x22c/0x240
=================================================================
Improper type-casting of a buffer leads to out of bound access
of a buffer which may result in kernel panic.
To mitigate this issue typecast a buffer as per the caller function.
Change-Id: I7861ead27dff6b8dd45fbeafae8cf4c6f1ca4523
CRs-Fixed: 972671
prima to qcacld-2.0 propagation
In SME, if command posting fails then memory allocated for
command is not freed.
Free the memory if SME fails to post command.
Change-Id: I281ef5eb9492fe75d639b2bef7ed588aacee8e74
CRs-Fixed: 974567
In wma_dfs_indicate_radar, radar_event buffer should be
released in the failure case.
Change-Id: I7857bcf29958be054749affbf5df18485c2c7238
CRs-Fixed: 1002063
There is potential memory leakage in limStaSendAddBss().
pAddBssParams should be released once failed to look
up a STA state node in hash table.
In limAddSta(), there is another potential memory leakage
once failed to find a IBSS peer.
Change-Id: I28ecb1f5a449e3d471798185fd30ec38563b34de
CRs-Fixed: 1002063
Due to race between user triggered disconnect and OTA disconnect,
On receiving OTA disconnect PE sends DISCONNECT_IND to SME and
waits for confirmation from SME. By the time if SME already received
disconnect from user it will give PE DEAUTH_REQ instead of DIASSOC_CNF
message. Upon receiving this PE will do the clean up and will send
DEAUTH_RSP message. SME will also process DISASSOC_IND and will send
eSmeCommandWmStatusChange. But this will be in pending queue as user
triggered deauth is in progress as a SME active command. If this is processed
after user initiated disconnect command, HDD will get two disconnects which
cause mess up of eConnectionState_Disconnecting/eConnectionState_NotConnected
states in hdd disconnect handler.
Fix is to remove pending eSmeCommandWmStatusChange command after
DEAUTH_RSP from SME.
Change-Id: I004834785491ab7cf3e90371dfd1910c25d0bbef
CRs-Fixed: 1003374
Check the return value of snprintf during STA info collection to identify
any insufficient buffer condition.
Change-Id: I4edd7c8e094c40f41fe2ec019a72ef9e82ac903f
CRs-Fixed: 1005996
Check the return value of snprintf during stats collection to
avoid any possible underflow.
Change-Id: I4e310c2c7fc6ed9631a1cc70d4e22599d13f6402
CRs-Fixed: 1005994
Replace 'scnprintf' with 'snprintf' to know the number of bytes that were
attempted to be copied while calculating the AP stats. This is needed to
know if the supplied buffer was long enough or not. Since ‘scnprintf’
returns only the number of characters written into the buffer, it is not
helpful here and hence replacing it with ‘snprintf’ which returns the
number of bytes attempted to copy. snprintf's return value doesn't
include the terminating null byte.
Change-Id: I141d65321afb16d589800cf5ac25edbf58775676
CRs-Fixed: 997777
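
The return-value difference that this message and the earlier scnprintf and snprintf messages rely on, as an added userspace example that is not the driver's code: `scnprintf_like` is a stand-in written here for the kernel's scnprintf, and `append_stat` is a hypothetical helper showing the check that keeps the running length inside the buffer.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf(): returns the number of
 * characters actually stored in buf, excluding the terminating NUL. */
static int scnprintf_like(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    if (n < 0 || size == 0)
        return 0;
    return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Append one stats line at offset *len of buf[size]. snprintf() returns
 * the length the full line needs, so n >= remaining means truncation.
 * Returns 0 on success, -1 if it did not fit; *len never passes size. */
static int append_stat(char *buf, size_t size, size_t *len,
                       const char *name, unsigned long value)
{
    int n;

    if (*len >= size)
        return -1;
    n = snprintf(buf + *len, size - *len, "%s: %lu\n", name, value);
    if (n < 0 || (size_t)n >= size - *len) {
        buf[*len] = '\0';            /* discard the partial line */
        return -1;
    }
    *len += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[16];                    /* constructed, deliberately small */
    size_t len = 0;

    append_stat(buf, sizeof(buf), &len, "tx", 12UL);
    if (append_stat(buf, sizeof(buf), &len, "rx_retries", 5UL) != 0)
        printf("line dropped, buffer holds %zu bytes\n", strlen(buf));
    return 0;
}
```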
Cancel ROC if any upon receiving wlan suspend request
to avoid potential wlan suspend failure issue.
Change-Id: I59f75005e375ea1a6599a1dd978c28effee29370
CRs-Fixed: 996156
Fix memory leak in del_bss_rsp params in case del_bss_rsp
is dropped at lim due to invalid session id.
Change-Id: I4dfc8697fd5248d8a16ad5a248d5f06e86a105d0
CRs-Fixed: 970601
In commit Change-Id: Id880c5fe423eb0b2a2c01677d8fa7c4a784c74df.
We add the case to exclude the support of the nl_srv for MULTI_IF_NAME.
The skb in the ucast and bcast transmit is not really sending to
kernel, so the driver itself has to free the skb.
Also move the MULTI_IF_NAME case to header file.
Change-Id: Ibd93feeed9d3456ed4ce17a1842a2132d438275a
CRs-fixed: 995209
"MEMORY_DEBUG" enabled driver shows the
tpDeleteBssParams is not freed upon driver unloading
in SNS test. This commit fixes this issue by
freeing tpDeleteBssParams once no reference to it.
Change-Id: I302e24048f6d0c25dc9d191b65a1435883a6c7e7
CRs-Fixed: 985334