Age | Commit message | Author |
|
Currently, the minimum MBSSID IE length value
in the driver is set to 4. Some APs advertise this value as
1. In such situations, the driver fails to parse this IE.
So, to avoid such cases, modify the minimum MBSSID IE length
value to 1.
Bug: 326351573
Test: Regression Test
Change-Id: I6ef89706b95318cb9bd38e04cab56b0fdef99fd5
CRs-Fixed: 3684794
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Handle integer underflow for subie_len in util_gen_new_ie
Bug: 318454936
Test: Regression Test
Change-Id: I2f73e5a7e0462100deae1e85e6a51f77bfc46b95
CRs-Fixed: 3582487
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Add OCI IE element id extension
Bug: 318454936
Test: Regression Test
Change-Id: Ie0c85d3639b54aea28c80aa63acb70834570bd41
CRs-Fixed: 3609912
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Add sanity check to fix OOB issue while generating scan entries
for beacon
Bug: 318454936
Test: Regression Test
Change-Id: I35b362bc89ab10fa2d2d6660263c726692384e07
CRs-Fixed: 3591858
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Changes to fix OOB issue seen in util_scan_parse_beacon_frame.
Bug: 318454936
Test: Regression Test
Change-Id: I53244be54d31e87b55d0b44ce94315c8001f417d
CRs-Fixed: 3582496
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
There is no valid check for oci ie_len buffer while
typecasting, which may lead to OOB access.
Use dot11f_unpack_ie_oci to parse OCI IE to avoid
OOB read.
Bug: 318454936
Test: Regression Test
Change-Id: Iad8cc82072e8d729a4b95bc04c2e8df31e2582f4
CRs-Fixed: 3581129
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Bug: 317275628
Test: Regression Test
Change-Id: I7ecdb481ccec7dd036afe6cf8bf5db68cdd83efb
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 571992243
Change-Id: I5d5f52f1cd72f2f966ade3391b53e59a8be580b7
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Currently in the function hdd_send_roam_scan_channel_freq_list_to_sme,
the num_chan variable is declared as uint8_t and is incremented
for each nested attribute PARAM_SCAN_FREQ_LIST.
If the number of attributes sent by userspace is more than max value
of uint8_t, then an integer overflow occurs.
To avoid this issue, add a sanity check to see if num_chan has reached
SIR_MAX_SUPPORTED_CHANNEL_LIST before incrementing variable.
Bug: 314786500
Test: Regression Test
Change-Id: I4085338df68c80f316909f85c6c04e3ac8b93cc2
CRs-Fixed: 3568577
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 571992243
Change-Id: Ib11c4a811338d33790a756b4345c4d17ca5bb865
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
This reverts commit 2c512635d66f69888648c1254b7bef710b315dab.
Reason for revert: Revert debug patch
Bug: 309879757
Test: Regression Test
Change-Id: Ie6effe566d395a22b49b540d5fe4906b572d8393
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Currently host keeps on adding page fault timestamp in
pagefault_wakeups_ts upon receiving pf wow wakeup
and triggers SSR if below points are satisfied.
1) If num_page_fault_wakeups is equal to
CFG_MAX_PAGEFAULT_WAKEUPS_FOR_SSR.
2) If time difference between first pf wakeup
and current pf wakeup is less than
CFG_INTERVAL_FOR_PAGEFAULT_WAKEUP_COUNT.
3) If host didn't trigger SSR due to page fault in last
CFG_SSR_FREQUENCY_ON_PAGEFAULT time.
There is a possibility 1 and 3 criteria are met
and the first pf wakeup occurred in between 24
hours to 24 hours + CFG_INTERVAL_FOR_PAGEFAULT_WAKEUP_COUNT,
the difference between first pf wakeup and current pf wakeup
would be less than CFG_INTERVAL_FOR_PAGEFAULT_WAKEUP_COUNT,
but the actual time difference is greater than
CFG_INTERVAL_FOR_PAGEFAULT_WAKEUP_COUNT.
To address this issue add logic to ignore entries
older than CFG_INTERVAL_FOR_PAGEFAULT_WAKEUP_COUNT.
Bug: 306769308
Test: Regression Test
Change-Id: Ic902285c5e824583b94f8c2eeaded8b1af7971ac
CRs-Fixed: 3653166
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Currently, below 11BE RNR TBTT field doesn't get processed when
11BE is not defined,
TBTT_NEIGHBOR_AP_BSSID_S_SSID_BSS_PARAM_20MHZ_PSD_MLD_PARAM
So, station is not able to parse the RNR IEs from the 11BE APs.
Parse TBTT_NEIGHBOR_AP_BSSID_S_SSID_BSS_PARAM_20MHZ_PSD_MLD_PARAM
always but extract 11be info only when 11BE define is enabled.
Also, cleanup the duplicate code.
Bug: 299869614
Test: Roaming test with 11BE AP
Change-Id: I49e38875f3f0a3ab238636f7a8e0f93c7aa4d04b
CRs-Fixed: 3624227
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Update RNR IE fields as per 11be D1.4 specification.
Bug: 299869614
Test: Roaming test with 11BE AP
Change-Id: I46b04e430ee4477117e8396d65a9de4608cd8dbe
CRs-Fixed: 3157064
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Bug: 300854197
SBMerger: 558810260
Change-Id: I08a99bb770081ebda0df784927460f88ca9bcff0
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
This reverts commit 29b52b7d8cf7d0291e593c09cab7f5b3c3d9f486.
Reason for revert: Remove debug patch before code freeze
Bug: 278546786
Test: build pass
Change-Id: I2e75ea666696134ab3274b3308aeb0097f41bacb
|
|
SBMerger: 526756187
Change-Id: I9244f1d00fbf7fe89ea33af96d0de45f9e9b0de9
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
AP advertises TPE IE Tx power as 8-bit unsigned int. STA
needs to convert it into an 8-bit 2s complement signed
integer in the range –64 dBm to 63 dBm with a 0.5 dB step.
Thus, halve the tx power received from AP's TPE IE.
Bug: 287645819
Test: Regression Test
Change-Id: Ibd3227a2f11f230b164af3c65a65f5e61879e25d
CRs-Fixed: 3313617
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 526756187
Change-Id: If5e42685b5b21a7e4cf0fd8d2d7005413e738b46
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android13-gs-pixel-5.10-udc
|
|
Dump the CE event history and hp/tp values for CE2 and CE3
when FW hang event received.
Bug: 285806723
Test: Regression Test
Change-Id: I5fa8b2675e8893f19496dff02f140789b7e8f7b6
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Bug: 278546786
Test: Build Pass
Change-Id: I4146feb6aa9e761bd5400443a429af26fa5ada27
|
|
In present scenario, STA disconnects with AP if it receives
invalid channel in CSA IE. In this case STA shouldn't
disconnect with AP as this request may come from a spoof AP.
Ignore this CSA request as it might be from spoof AP and
if it is from genuine AP heart beat failure happens and
results in disconnection. After disconnection DUT may
reconnect to same or other APs.
Bug: 285903061
Test: Regression Test
Change-Id: I840508dd27d8c313a3e8f74c4e1f5aa64eecf6f9
CRs-Fixed: 3390251
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
android13-gs-pixel-5.10-udc" into android13-gs-pixel-5.10-udc
|
|
Bug: 281607159
SBMerger: 526756187
Change-Id: Ia144f4c9e28f4000b76a7f461f15caadde375eea
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
android13-gs-pixel-5.10-udc
|
|
When handling WMI_ROAM_SCAN_STATS_EVENTID,
the number of channels scanned for each roam trigger is fetched from
wmi_roam_scan_info TLV (wmi_roam_scan_info->roam_scan_channel_count).
The total number of channels for all the roam triggers is fetched from
param_buf->num_roam_scan_chan_info.
chan_idx is the index used to fetch the current channel info TLV to be
read. So if wmi_roam_scan_info->roam_scan_channel_count provided by
firmware exceeds the total param_buf->num_roam_scan_chan_info starting
from given chan_idx then OOB access of event buffer can happen.
To avoid this, validate the sum of the current chan_idx and
src_data->roam_scan_channel_count against
evt_buf->num_roam_scan_chan_info.
Bug: 280447263
Test: Regression Test
Change-Id: Ied94464d1f12690cf8832962b94595c2e00c33f8
CRs-Fixed: 3357714
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
In wma_group_num_bss_to_scan_id(), bssid_list may be accessed out
of boundary.
Add check to avoid potential OOB access for bssid_list.
Bug: 245789946
Test: Regression Test
Change-Id: I218af0fe617f64a50c7c296c622f7fac01e1b4fc
CRs-Fixed: 3357461
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
android13-gs-pixel-5.10-udc
|
|
This reverts commit fc261afaf30c774f6ad55be1ef240998f6b0720b.
Bug: 276750246
Reason for revert: It's already in the codebase.
Change-Id: Iae9a0e2e7a566de991615dab1a17c31cad608be7
|
|
Realloc memory for wmi_service_ext_bitmap when
WMI_SERVICE_AVAILABLE_EVENTID event comes, and
the num of wmi_service_ext_bitmap is larger than
the previous num.
Bug: 276762572
Test: Regression Test
Change-Id: I2800fe3274e5516369486ef065ce03ba121bd5b3
CRs-Fixed: 3346739
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
(cherry picked from commit 14031fdd0e125d00e2eb12e9d239e81bfb9a01fa)
|
|
WMA MGT RX process extraction are logged in err level.
Rate limit the logs to avoid excessive logs to kernel
logging.
Bug: 279300600
Test: Regression Test
Change-Id: Idde55ab4dab24d55ff9e7239a69d586bd4f855ef
CRs-Fixed: 3391246
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
into android13-gs-pixel-5.10-udc
|
|
The tx_stats array length num_entries can't be more than
param_buf->num_tx_stats from fw.
Otherwise out-of-bounds will happen when reading wmi_tx_stats.
Bug: 276750246
Test: Regression Test
Change-Id: I7ab3c7cc7baef6d903ba6301622bd67efe52cebe
CRs-Fixed: 3104318
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Realloc memory for wmi_service_ext_bitmap when
WMI_SERVICE_AVAILABLE_EVENTID event comes, and
the num of wmi_service_ext_bitmap is larger than
the previous num.
Bug: 276762572
Test: Regression Test
Change-Id: I2800fe3274e5516369486ef065ce03ba121bd5b3
CRs-Fixed: 3346739
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 516612970
Change-Id: Iee59c1ecf8c0082bfdcc9e2894393355f33ee091
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
Add a wakelock to prevent system suspend when a remote client to DUT in
SAP/GO/NDP mode.
Bug: 272392384
Test: Regression Test
Change-Id: I98b26eda48d7223262879b6b6e725e2af521c8a7
CRs-Fixed: 2739956
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
* changes:
qcacmn: Enhance hang reason code mappings
qcacld-3.0: Enhance hang reason code mappings
qcacmn: Trigger recovery incase of scheduler watchdog timeout
qcacmn: Enhance QCA vendor interface with new hang reason codes
|
|
android13-gs-pixel-5.10-tm-qpr3
|
|
android13-gs-pixel-5.10-udc
|
|
This reverts commit e47c7684755c837dcd117e471ce1f08ff781abf8.
Bug: 274164492
Reason for revert: Revert this debug patch because we got ramdump file
Change-Id: Ieb131091d38c8b599ada495fa851c779782222af
|
|
Currently many host hang reason codes are not mapped to corresponding
userspace codes; as a result these hang reason codes will be invalid
for userspace, and also QDF_REASON_UNSPECIFIED is used in some places
in host.
Add mappings for host hang codes to the corresponding userspace
hang codes and also add new hang codes.
Bug: 267416490
Test: Regression test
Change-Id: Idb21ccb4a34c9c94872798404912bdb743e9270b
CRs-Fixed: 3381229
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Currently many host hang reason codes are not mapped to corresponding
userspace codes; as a result these hang reason codes will be invalid
for userspace, and also QDF_REASON_UNSPECIFIED is used in some places
in host.
Add mappings for host hang codes to the corresponding userspace
hang codes and also add new hang codes.
Bug: 267416490
Test: Regression test
Change-Id: Id617c2bbfd72b0e83b50f522fd1313fbc9eea2cc
CRs-Fixed: 3381230
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Trigger recovery instead of the apps panic in case of scheduler
watchdog timeout, so that the current logs are captured to
analyze the issue.
Bug: 267416490
Test: Regression test
Change-Id: I44a61bc5630c4866b9d9b18f7a7ba6221ca6e355
CRs-Fixed: 3312328
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Add more hang reason codes for the hang reason in the
qca_wlan_vendor_hang_reason enum.
Bug: 267416490
Test: Regression test
Change-Id: Ia7f21c45d58c980219690cda390127f5d4004391
CRs-Fixed: 3380849
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Currently in wma_extscan_hotlist_match_event_handler
API, dest_hotlist gets memory allocation based on numap
which takes value from event->total_entries.
But numap is limited to WMA_EXTSCAN_MAX_HOTLIST_ENTRIES
and event->total_entries more than WMA_EXTSCAN_MAX_HOTLIST_ENTRIES
can cause out of bound issue.
Fix is to populate dest_hotlist->numOfAps from numap
instead of event->total_entries to avoid any out of bound issue.
Bug: 251051975
Test: Regression Test
Change-Id: I756f7e4a4dcd454508bba83d4a8bbbb139530905
CRs-Fixed: 3346781
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
SBMerger: 478053055
Change-Id: Ie5f8a8c8d3d159d606ceafeefb4ca36083caf7d5
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
|
|
If while roaming from 2.4 GHz to 5 GHz band with SAE
encryption, rates shouldn't be filled from the current
session/AP as this may lead to incorrectly filling rates
for instance this may lead to incorrectly filling CCK rates
for SAE Pre-Auth while roaming from 2.4 GHz to 5 GHz. As
even though with roaming offloaded, sae pre_auth due to
crypto limitations of fw has to be triggered by the driver.
Bug: 267412459
Test: Regression Test
Change-Id: I2293563db047e10ec8a2ade9f3b2a602cf3e3edf
CRs-Fixed: 3336853
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Disable 11a support on 6 GHz band and change default rate of 6 GHz
frequency band by using WMI_PDEV_PARAM_DEFAULT_6GHZ_RATE.
Bug: 267412459
Test: Regression Test
Change-Id: I2db2dd54c03cf71e1b697796fa3dc58d2646a8b5
CRs-Fixed: 3251997
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
|
|
Trigger kernel panic to collect information of host side
Bug: 268819466
Test: Build pass
Change-Id: Ic9bc2ece1c65d9e45b932dcd66e0fa5326d5b91f
|