- 23 Nov, 2016 5 commits
-
-
Michal Kazior authored
WMI ops wrappers did not properly check for null function pointers for spectral scan. This caused null dereference crash with WMI-TLV based firmware which doesn't implement spectral scan. The crash could be triggered with: ip link set dev wlan0 up echo background > /sys/kernel/debug/ieee80211/phy0/ath10k/spectral_scan_ctl The crash looked like this: [ 168.031989] BUG: unable to handle kernel NULL pointer dereference at (null) [ 168.037406] IP: [< (null)>] (null) [ 168.040395] PGD cdd4067 PUD fa0f067 PMD 0 [ 168.043303] Oops: 0010 [#1] SMP [ 168.045377] Modules linked in: ath10k_pci(O) ath10k_core(O) ath mac80211 cfg80211 [last unloaded: cfg80211] [ 168.051560] CPU: 1 PID: 1380 Comm: bash Tainted: G W O 4.8.0 #78 [ 168.054336] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 [ 168.059183] task: ffff88000c460c00 task.stack: ffff88000d4bc000 [ 168.061736] RIP: 0010:[<0000000000000000>] [< (null)>] (null) ... [ 168.100620] Call Trace: [ 168.101910] [<ffffffffa03b9566>] ? ath10k_spectral_scan_config+0x96/0x200 [ath10k_core] [ 168.104871] [<ffffffff811386e2>] ? filemap_fault+0xb2/0x4a0 [ 168.106696] [<ffffffffa03b97e6>] write_file_spec_scan_ctl+0x116/0x280 [ath10k_core] [ 168.109618] [<ffffffff812da3a1>] full_proxy_write+0x51/0x80 [ 168.111443] [<ffffffff811957b8>] __vfs_write+0x28/0x120 [ 168.113090] [<ffffffff812f1a2d>] ? security_file_permission+0x3d/0xc0 [ 168.114932] [<ffffffff8109b912>] ? percpu_down_read+0x12/0x60 [ 168.116680] [<ffffffff811965f8>] vfs_write+0xb8/0x1a0 [ 168.118293] [<ffffffff81197966>] SyS_write+0x46/0xa0 [ 168.119912] [<ffffffff818f2972>] entry_SYSCALL_64_fastpath+0x1a/0xa4 [ 168.121737] Code: Bad RIP value. [ 168.123318] RIP [< (null)>] (null) Signed-off-by:
Michal Kazior <michal.kazior@tieto.com> Signed-off-by:
Kalle Valo <kvalo@qca.qualcomm.com>
-
Pedersen, Thomas authored
Neither of these did the right thing: - get_tsf just returned 0 - set_tsf assumed a simple offset was applied against get_tsf(), which works, except in the case of calculating TSF from rx_mactime (actual TSF). Just remove them for now. We can reimplement set_tsf in terms of TSF increment/decrement in the future if get_tsf is ever supported by FW. Signed-off-by:
Thomas Pedersen <twp@qca.qualcomm.com> Signed-off-by:
-
Pedersen, Thomas authored
Current set_tsf is implemented in terms of TSF_INCREMENT only. Instead support new WMI command TSF_DECREMENT and export these through offset_tsf. Advantage is we get more accurate TSF adjustments, and don't calculate wrong offset in case absolute TSF was calculated from rx_mactime (actual TSF). The new WMI command is available in firmware 10.4-3.2.1-00033 for QCA4019 chips. Old drivers on new firmware or vice versa shouldn't be a problem since get/set tsf logic was already broken. Signed-off-by:
-
Rajkumar Manoharan authored
Indicate hardware (or firmware) supports that CQM packet-loss report will be generated based on station kickout algorithm. As of now mac80211 tracks connection loss by missing msdu counts (50) whereas ath10k firmware tracks them by missing ppdus (+ BAR tries). While firmware is trying to adapt its rate table, mac80211 might send out low_ack event to hostapd. This is causing frequent connect and disconnect iteration under noisy environment or when station is roaming around. Signed-off-by:
Rajkumar Manoharan <rmanohar@qti.qualcomm.com> Signed-off-by:
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.gitKalle Valo authored
ath.git patches for 4.10. Major changes: ath9k * add device tree bindings * switch to use mac80211 intermediate software queues to reduce latency and fix bufferbloat
-
- 19 Nov, 2016 15 commits
-
-
Brian Norris authored
It should never be NULL here, and to think otherwise makes things confusing. Signed-off-by:
Brian Norris <briannorris@chromium.org> Signed-off-by:
Kalle Valo <kvalo@codeaurora.org>
-
Brian Norris authored
These are never NULL, so stop making people think they might be. I don't change this for SDIO because SDIO has a racy card-reset handler that reallocates this struct. I'd rather not touch that mess right now. Signed-off-by:
Xinming Hu <huxm@marvell.com> Signed-off-by:
Amitkumar Karwar <akarwar@marvell.com> Signed-off-by:
-
Brian Norris authored
sdio_func is retrieved via container_of() and should never be NULL. Checking for NULL just makes the logic more confusing than necessary. Stop doing that. Signed-off-by:
-
Brian Norris authored
SDIO and PCIe drivers handle this. Let's imitate it. Signed-off-by:
-
Xinming Hu authored
card->adapter gets initialized in mwifiex_register_dev(). As it's not cleared in mwifiex_unregister_dev(), we may end up accessing the memory which is already free in below scenario. Scenario: Driver initialization is failed due to incorrect firmware or some other reason. Meanwhile device reboot/unload occurs. This is safe, now that we've properly synchronized suspend() and remove() with the FW initialization thread; now that code can simply check for 'card->adapter == NULL' and exit safely. Signed-off-by:
-
Brian Norris authored
Signed-off-by:
-
Brian Norris authored
The device core will not allow suspend() to race with remove(). Signed-off-by:
-
Amitkumar Karwar authored
to_pci_dev() would just do struct offset arithmetic on struct device to get 'pdev' pointer. We never get NULL pdev pointer. Signed-off-by:
-
Brian Norris authored
It's possible for the FW init sequence to fail, which will trigger a device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with device suspend() or remove() (e.g., reboot or unbind), and can trigger use-after-free issues. Currently, this driver attempts (poorly) to synchronize remove() using a semaphore, but it doesn't protect some of the critical sections properly. Particularly, we grab a pointer to the adapter struct (card->adapter) without checking if it's being freed or not. We later do a NULL check on the adapter, but that doesn't work if the adapter was freed. Also note that the PCIe interface driver doesn't ever set card->adapter to NULL, so even if we get the synchronization right, we still might try to redo the cleanup in ->remove(), even if the FW init failure sequence already did it. This patch replaces the static semaphore with a per-device completion struct, and uses that completion to synchronize the remove() thread with the mwifiex_fw_dpc(). A future patch will utilize this completion to synchronize the suspend() thread as well. Signed-off-by:
-
Shengzhen Li authored
Power save handshake with firmware might be blocked by on-going data transfer. this patch check the PS status in main process and complete previous blocked PS handshake. this patch also remove redudant check before call mwifiex_check_ps_cond function. Signed-off-by:
Cathy Luo <cluo@marvell.com> Signed-off-by:
Shengzhen Li <szli@marvell.com> Tested-by:
-
Shengzhen Li authored
We may get SLEEP event from firmware even if TXDone interrupt for last Tx packet is still pending. In this case, we may end up accessing PCIe memory for handling TXDone after power save handshake is completed. This causes kernel crash with external abort. This patch will only allow downloading sleep confirm when no tx done interrupt is pending in the hardware. Signed-off-by:
-
Rajat Jain authored
Commit ce4f6f0c ("mwifiex: add platform specific wakeup interrupt support") added WoWLAN feature only for sdio. This patch moves that code to the common module so that all the interface drivers can use it for free. It enables pcie and sdio for its use currently. Signed-off-by:
Rajat Jain <rajatja@google.com> Signed-off-by:
-
Rajat Jain authored
Introduce function mwifiex_probe_of() to parse common properties. Interface drivers get to decide whether or not the device tree node was a valid one (depending on the compatible property), Lets fill "adapter->dt_node" in mwifiex_add_card(). The function mwifiex_probe_of() is currently only a place holder with the next patch adding content to it. Signed-off-by:
-
Rajat Jain authored
Today all the interface drivers (usb/pcie/sdio) assign the adapter->dev in the register_dev() callback, although they have this piece of info well before hand. This patch makes the device structure available for mwifiex right at the beginning, so that it can be used for early initialization if needed. This is needed for subsequent patches in this patchset that intend to unify and consolidate some of the code that would otherwise have to be duplicated among the interface drivers (sdio, pcie, usb). Signed-off-by:
-
Xinming Hu authored
This patch derives device tree node from pcie bus layer framework. Device tree bindings file has been renamed(marvell-sd8xxx.txt -> marvell-8xxx.txt) to accommodate PCIe changes. Signed-off-by:
Rob Herring <robh@kernel.org> Signed-off-by:
-
- 18 Nov, 2016 3 commits
-
-
Brian Norris authored
The cleanup_if() callback is the inverse of init_if(). We allocate our 'card' interface structure in the probe() function, but we free it in cleanup_if(). That gives a few problems: (a) we leak this memory if probe() fails before we reach init_if() (b) we can't safely utilize 'card' after cleanup_if() -- namely, in remove() or suspend(), both of which might race with the cleanup paths in our asynchronous FW initialization path Solution: just use devm_kzalloc(), which will free this structure properly when the device is removed -- and drop the set_drvdata(..., NULL), since the driver core does this for us. This also removes the temptation to use drvdata == NULL as a hack for checking if the device has been "cleaned up." I *do* leave the set_drvdata(..., NULL) for the hacky SDIO mwifiex_recreate_adapter(), since the device core won't be able to clear that one for us. Signed-off-by: -
Amitkumar Karwar authored
Firmware may reject calibration data from host for certain OTP settings. In that case, we should continue initialisation ignoring the failure. Signed-off-by:
-
Shengzhen Li authored
This patch adds power save parameters(hs_wake_interval and hs_inactivity_timeout) in host sleep cfg cmd. Signed-off-by:
-
- 17 Nov, 2016 17 commits
-
-
Ricky Liang authored
kmemleak reports memory leak in mwifiex_save_hidden_ssid_channels(): unreferenced object 0xffffffc0a2914780 (size 192): comm "ksdioirqd/mmc2", pid 2004, jiffies 4307182506 (age 820.684s) hex dump (first 32 bytes): 00 06 47 49 4e 2d 32 67 01 03 c8 60 6c 03 01 40 ..GIN-2g...`l..@ 07 10 54 57 20 34 04 1e 64 05 24 84 03 24 95 04 ..TW 4..d.$..$.. backtrace: [<ffffffc0003375f4>] create_object+0x164/0x2b4 [<ffffffc0008e3530>] kmemleak_alloc+0x50/0x88 [<ffffffc000335120>] __kmalloc_track_caller+0x1bc/0x264 [<ffffffc00030899c>] kmemdup+0x38/0x64 [<ffffffbffc2311cc>] mwifiex_fill_new_bss_desc+0x3c/0x130 [mwifiex] [<ffffffbffc22ee9c>] mwifiex_save_curr_bcn+0x4ec/0x640 [mwifiex] [<ffffffbffc22f45c>] mwifiex_handle_event_ext_scan_report+0x1d4/0x268 [mwifiex] [<ffffffbffc2375d0>] mwifiex_process_sta_event+0x378/0x898 [mwifiex] [<ffffffbffc224dc8>] mwifiex_process_event+0x1a8/0x1e8 [mwifiex] [<ffffffbffc2228f0>] mwifiex_main_process+0x258/0x534 [mwifiex] [<ffffffbffc258858>] 0xffffffbffc258858 [<ffffffc00071ee90>] process_sdio_pending_irqs+0xf8/0x160 [<ffffffc00071efdc>] sdio_irq_thread+0x9c/0x1a4 [<ffffffc000240d08>] kthread+0xf4/0x100 [<ffffffc0002043fc>] ret_from_fork+0xc/0x50 [<ffffffffffffffff>] 0xffffffffffffffff Signed-off-by:Ricky Liang <jcliang@chromium.org> Acked-by:
-
Larry Finger authored
When there is a CRC error in the SPROM read from the device, the code attempts to handle a fallback SPROM. When this also fails, the driver returns zero rather than an error code. Signed-off-by:
Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@vger.kernel.org> Signed-off-by:
-
Wei Yongjun authored
It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled, spin_lock_irqsave() make sure always in irq disable context. So the kfree_skb() should be replaced with dev_kfree_skb_irq(). This is detected by Coccinelle semantic patch. Signed-off-by:
Wei Yongjun <weiyongjun1@huawei.com> Signed-off-by:
-
Arnd Bergmann authored
On x86, the cw1200 driver produces a rather silly warning about the possible use of the 'ret' variable without an initialization presumably after being confused by the architecture specific definition of WARN_ON: drivers/net/wireless/st/cw1200/wsm.c: In function ‘wsm_handle_rx’: drivers/net/wireless/st/cw1200/wsm.c:1457:9: error: ‘ret’ may be used uninitialized in this function [-Werror=maybe-uninitialized] We have already checked that 'count' is larger than 0 here, so we know that 'ret' is initialized. Changing the 'for' loop into do/while also makes this clear to the compiler. Suggested-by:
David Laight <David.Laight@ACULAB.COM> Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
Arnd Bergmann authored
The hostap_80211_rx() function is supposed to set up the mac addresses for four possible cases, based on two bits of input data. For some reason, gcc decides that it's possible that none of the these four cases apply and the addresses remain uninitialized: drivers/net/wireless/intersil/hostap/hostap_80211_rx.c: In function ‘hostap_80211_rx’: arch/x86/include/asm/string_32.h:77:14: warning: ‘src’ may be used uninitialized in this function [-Wmaybe-uninitialized] drivers/net/wireless/intel/ipw2x00/libipw_rx.c: In function ‘libipw_rx’: arch/x86/include/asm/string_32.h:77:14: error: ‘dst’ may be used uninitialized in this function [-Werror=maybe-uninitialized] arch/x86/include/asm/string_32.h:78:22: error: ‘*((void *)&dst+4)’ may be used uninitialized in this function [-Werror=maybe-uninitialized] This warning is clearly nonsense, but changing the last case into 'default' makes it obvious to the compiler too, which avoids the warning and probably leads to better object code too. The same code is duplicated several times in the kernel, so this patch uses the same workaround for all copies. The exact configuration was hit only very rarely in randconfig builds and I only saw it in three drivers, but I assume that all of them are potentially affected, and it's better to keep the code consistent. Signed-off-by:
-
Jiri Slaby authored
gcc 7 complains: drivers/net/wireless/intersil/p54/fwio.c: In function 'p54_scan': drivers/net/wireless/intersil/p54/fwio.c:491:4: warning: 'memset' used with length equal to number of elements without multiplication by element size [-Wmemset-elt-size] Fix that by passing the correct size to memset. Signed-off-by:
Jiri Slaby <jslaby@suse.cz> Cc: Christian Lamparter <chunkeey@googlemail.com> Cc: Kalle Valo <kvalo@codeaurora.org> Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Acked-by:
Christian Lamparter <chunkeey@googlemail.com> Signed-off-by:
-
Rafał Miłecki authored
This simplifies debugging. Format %s (%u) comes from similar debugging message in brcmf_fweh_event_worker. Signed-off-by:
Rafał Miłecki <rafal@milecki.pl> Signed-off-by:
-
Prameela Rani Garnepudi authored
* Command frame vap_capabilites is modified to use for vap add, vap delete and vap update in firmware, hence new filed vap status is added. * When interface is down this frame needs to be send with vap status delete. Otherwise it is considered as wrong frame for the same interface in firmware. * vap_update status is reserved for future. Signed-off-by:
Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by:
-
Prameela Rani Garnepudi authored
Observed crash when module is unloaded if CONFIG_RSI_DEBUGSFS is not set. Fix: Debugfs entry removal moved inside CONFIG_RSI_DEBUGSFS flag in function rsi_mac80211_detach() Memory leak found and fixed for below structures in function rsi_mac80211_detach() * channel list for each supported band * rsi debugfs info Signed-off-by: -
James Minor authored
When in AP mode, scans can be done without changing firmware to the multi-role firmware. Allow the interface to scan if forced in the scan request. Signed-off-by:
James Minor <james.minor@ni.com> Signed-off-by:
Xander Huff <xander.huff@ni.com> Reviewed-by:
Ben Shelton <ben.shelton@ni.com> Reviewed-by:
Jaeden Amero <jaeden.amero@ni.com> Signed-off-by:
-
Larry Finger authored
Since this driver was added to the kernel, the checkpatch script was modified to request that the address of the FSF not be included. Signed-off-by:
-
Larry Finger authored
Since this driver was added to the kernel, the checkpatch script was modified to request that the address of the FSF not be included. Signed-off-by:
-
Larry Finger authored
Since this driver was added to the kernel, the checkpatch script was modified to request that the address of the FSF not be included. Signed-off-by:
-
Larry Finger authored
Since this driver was added to the kernel, the checkpatch script was modified to request that the address of the FSF not be included. Signed-off-by:
-
Larry Finger authored
Since this driver was added to the kernel, the checkpatch script was modified to request that the address of the FSF not be included. Signed-off-by:
-
Larry Finger authored
Since this driver was added to the kernel, the checkpatch script was modified to request that the address of the FSF not be included. Signed-off-by:
-
Larry Finger authored
Since this driver was added to the kernel, the checkpatch script was modified to request that the address of the FSF not be included. Signed-off-by:
-
