- 29 Nov, 2021 7 commits
-
-
Kees Cook authored
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use struct_group() in struct hfa384x_tx_frame around members frame_control, duration_id, addr1, addr2, addr3, and seq_ctrl, so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of frame_control. "pahole" shows no size nor member offset changes to struct hfa384x_tx_frame. "objdump -d" shows no object code changes. Signed-off-by:
Kees Cook <keescook@chromium.org> Signed-off-by:
Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211119004646.2347920-1-keescook@chromium.org
-
Kees Cook authored
In preparation for FORTIFY_SOURCE performing compile-time and run-time field array bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use struct_group() in struct txpd around members tx_dest_addr_high and tx_dest_addr_low so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of tx_dest_addr_high. "pahole" shows no size nor member offset changes to struct txpd. "objdump -d" shows no object code changes. Signed-off-by:
-
Kees Cook authored
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use struct_group() in struct txpd around members tx_dest_addr_high and tx_dest_addr_low so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of queue_id. "pahole" shows no size nor member offset changes to struct txpd. "objdump -d" shows no object code changes. Signed-off-by:
-
Jason Wang authored
Static variables do not need to be initialized to false. The compiler will do that. Signed-off-by:
Jason Wang <wangborong@cdjrlc.com> Signed-off-by:
-
Zekun Shen authored
rsi_get_* functions rely on an offset variable from usb input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000), while 2-byte offset can be up to 0xFFFF. Thus a large offset can cause out-of-bounds read. The patch adds a bound checking condition when rcv_pkt_len is 0, indicating it's USB. It's unclear whether this is triggerable from other type of bus. The following check might help in that case. offset > rcv_pkt_len - FRAME_DESC_SZ The bug is trigerrable with conpromised/malfunctioning USB devices. I tested the patch with the crashing input and got no more bug report. Attached is the KASAN report from fuzzing. BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x] Read of size 2 at addr ffff888019439fdb by task RX-Thread/227 CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_read_pkt+0x42e/0x500 [rsi_91x] ? rsi_read_pkt+0x42e/0x500 [rsi_91x] __kasan_report.cold+0x37/0x7c ? rsi_read_pkt+0x42e/0x500 [rsi_91x] kasan_report+0xe/0x20 rsi_read_pkt+0x42e/0x500 [rsi_91x] rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb] ? rsi_probe+0x16a0/0x16a0 [rsi_usb] ? _raw_spin_lock_irqsave+0x7b/0xd0 ? _raw_spin_trylock_bh+0x120/0x120 ? __wake_up_common+0x10b/0x520 ? rsi_probe+0x16a0/0x16a0 [rsi_usb] kthread+0x2b5/0x3b0 ? kthread_create_on_node+0xd0/0xd0 ret_from_fork+0x22/0x40 Reported-by:
Brendan Dolan-Gavitt <brendandg@nyu.edu> Signed-off-by:
Zekun Shen <bruceshenzk@gmail.com> Signed-off-by:
-
Zekun Shen authored
When freeing rx_cb->rx_skb, the pointer is not set to NULL, a later rsi_rx_done_handler call will try to read the freed address. This bug will very likley lead to double free, although detected early as use-after-free bug. The bug is triggerable with a compromised/malfunctional usb device. After applying the patch, the same input no longer triggers the use-after-free. Attached is the kasan report from fuzzing. BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb] Read of size 4 at addr ffff8880188e5930 by task modprobe/231 Call Trace: <IRQ> dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] __kasan_report.cold+0x37/0x7c ? dma_direct_unmap_page+0x90/0x110 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] kasan_report+0xe/0x20 rsi_rx_done_handler+0x354/0x430 [rsi_usb] __usb_hcd_giveback_urb+0x1e4/0x380 usb_giveback_urb_bh+0x241/0x4f0 ? __usb_hcd_giveback_urb+0x380/0x380 ? apic_timer_interrupt+0xa/0x20 tasklet_action_common.isra.0+0x135/0x330 __do_softirq+0x18c/0x634 ? handle_irq_event+0xcd/0x157 ? handle_edge_irq+0x1eb/0x7b0 irq_exit+0x114/0x140 do_IRQ+0x91/0x1e0 common_interrupt+0xf/0xf </IRQ> Reported-by:
-
Loic Poulain authored
When entering suspend as a client station with wowlan enabled, the Wi-Fi link is supposed to be maintained. In that state, no more data is generated from client side, and the link stays idle as long the station is suspended and as long the AP as no data to transmit. However, most of the APs kick-off such 'inactive' stations after few minutes, causing unexpected disconnect (reconnect, etc...). The usual way to prevent this is to submit a Null function frame periodically as a keep-alive. This is something that can be host /software generated (e.g. wpa_supplicant), but that needs to be offloaded to the Wi-Fi controller in case of suspended host. This change enables firmware generated keep-alive frames when entering wowlan suspend, using the 'mkeep_alive' IOVAR. Signed-off-by:
Loic Poulain <loic.poulain@linaro.org> Signed-off-by:
-
- 26 Nov, 2021 23 commits
-
-
Ajay Singh authored
Remove unused variables to avoid the below warnings: drivers/net/wireless/microchip/wilc1000/wlan.c: In function 'chip_wakeup': >> drivers/net/wireless/microchip/wilc1000/wlan.c:620:34: warning: variable 'to_host_from_fw_bit' set but not used [-Wunused-but-set-variable] 620 | u32 to_host_from_fw_reg, to_host_from_fw_bit; | ^~~~~~~~~~~~~~~~~~~ >> drivers/net/wireless/microchip/wilc1000/wlan.c:620:13: warning: variable 'to_host_from_fw_reg' set but not used [-Wunused-but-set-variable] 620 | u32 to_host_from_fw_reg, to_host_from_fw_bit; | ^~~~~~~~~~~~~~~~~~~ Reported-by:kernel test robot <lkp@intel.com> Signed-off-by:
Ajay Singh <ajay.kathat@microchip.com> Signed-off-by:
-
Emmanuel Grumbach authored
Read the rfkill state upon boot, mac start and mac stop. Reviewed-by:
Luciano Coelho <luciano.coelho@intel.com> Signed-off-by:
Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by:
-
Emmanuel Grumbach authored
Add the vendor commands that must be used by the network manager to allow proper operation of iwlmei. * Send information on the AP CSME is connected to * Notify the userspace when roaming is forbidden * Allow the userspace to require ownership Co-Developed-by:
Ayala Beker <ayala.beker@intel.com> Signed-off-by:
-
Emmanuel Grumbach authored
iwlmei needs to know about the follwing events: * Association * De-association * Country Code change * SW Rfkill change * SAR table changes iwlmei can take the device away from us, so report the new rfkill type when this happens. Advertise the required data from the CSME firmware to the usersapce: mostly, the AP that the CSME firmware is currently associated to in case there is an active link protection session. Generate the HOST_ASSOC / HOST_DISSASSOC messages. Don't support WPA1 (non-RSNA) for now. Don't support shared wep either. We can then determine the AUTH parameter by checking the AKM. Feed the cipher from the key installation. SW Rfkill will be implemented later when cfg80211 will allow us to read the SW Rfkill state. Co-Developed-by:
-
Emmanuel Grumbach authored
Add three debugfs hooks: * status: Check if we have a connection with the CSME firwmare. This hook is a read only. * req_ownership: Send a SAP command to request ownership. This flow should be triggered by iwlwifi (from user space through vendor commands really), but being able to trigger an ownership request from debugfs allows us to request ownership without connecting afterwards. This is an "error" flow that the CSME firmware is designed to handle this way: + Grant ownership since the host asked for it + Wait 3 seconds to let the host connect + If the host didn't connect, take the device back (forcefully). + Don't grant any new ownership request in the following 30 seconds. This debugfs hook allows us to test this flow. * send_start_message: Restart the communication with the CSME firmware from the very beginning. At the very beginning (upon iwlwifi start), iwlmei send a special message: SAP_ME_MSG_START. This hook allows to send it again and this will retrigger the whole flow. It is important to test this restart in the middle of normal operation since it can happen (in case the CSME firmware decided to reset for example). Signed-off-by:
-
Emmanuel Grumbach authored
CSME in two words ----------------- CSME stands for Converged Security and Management Engine. It is a CPU on the chipset and runs a dedicated firmware. AMT (Active Management Technology) is one of the applications that run on that CPU. AMT allows to control the platform remotely. Here is a partial list of the use cases: * View the screen of the plaform, with keyboard and mouse (KVM) * Attach a remote IDE device * Have a serial console to the device * Query the state of the platform * Reset / shut down / boot the platform Networking in CSME ------------------ For those uses cases, CSME's firmware has an embedded network stack and is able to use the network devices of the system: LAN and WLAN. This is thanks to the CSME's firmware WLAN driver. One can add a profile (SSID / key / certificate) to the CSME's OS and CSME will connect to that profile. Then, one can use the WLAN link to access the applications that run on CSME (AMT is one of them). Note that CSME is active during power state and power state transitions. For example, it is possible to have a KVM session open to the system while the system is rebooting and actually configure the BIOS remotely over WLAN thanks to AMT. How all this is related to Linux -------------------------------- In Linux, there is a driver that allows the OS to talk to the CSME firmware, this driver is drivers/misc/mei. This driver advertises a bus that allows other kernel drivers or even user space) to talk to components inside the CSME firmware. In practice, the system advertises a PCI device that allows to send / receive data to / from the CSME firmware. The mei bus drivers in drivers/misc/mei is an abstration on top of this PCI device. The driver being added here is called iwlmei and talks to the WLAN driver inside the CSME firmware through the mei bus driver. Note that the mei bus driver only gives bus services, it doesn't define the content of the communication. Why do we need this driver? -------------------------- CSME uses the same WLAN device that the OS is expecting to see hence we need an arbitration mechanism. This is what iwlmei is in charge of. iwlmei maintains the communication with the CSME firmware's WLAN driver. The language / protocol that is used between the CSME's firmware WLAN driver and iwlmei is OS agnostic and is called SAP which stands for Software Abritration Protocol. With SAP, iwlmei will be able to tell the CSME firmware's WLAN driver: 1) Please give me the device. 2) Please note that the SW/HW rfkill state change. 3) Please note that I am now associated to X. 4) Please note that I received this packet. etc... There are messages that go the opposite direction as well: 1) Please note that AMT is en/disable. 2) Please note that I believe the OS is broken and hence I'll take the device *now*, whether you like it or not, to make sure that connectivity is preserved. 3) Please note that I am willing to give the device if the OS needs it. 4) Please give me any packet that is sent on UDP / TCP on IP address XX.XX.XX.XX and an port ZZ. 5) Please send this packet. etc... Please check drivers/net/wireless/intel/iwlwifi/mei/sap.h for the full protocol specification. Arbitration is not the only purpose of iwlmei and SAP. SAP also allows to maintain the AMT's functionality even when the OS owns the device. To connect to AMT, one needs to initiate an HTTP connection to port 16992. iwlmei will listen to the Rx path and forward (through SAP) to the CSME firmware the data it got. Then, the embedded HTTP server in the chipset will reply to the request and send a SAP notification to ask iwlmei to send the reply. This way, AMT running on the CSME can still work. In practice this means that all the use cases quoted above (KVM, remote IDE device, etc...) will work even when the OS uses the WLAN device. How to disable all this? --------------------------- iwlmei won't be able to do anything if the CSME's networking stack is not enabled. By default, CSME's networking stack is disabled (this is a BIOS setting). In case the CSME's networking stack is disabled, iwlwifi will just get access to the device because there is no contention with any other actor and, hence, no arbitration is needed. In this patch, I only add the iwlmei driver. Integration with iwlwifi will be implemented in the next one. Co-Developed-by:
-
Alexander Usyskin authored
Expose the client dma mapping via mei client bus interface. The client dma has to be mapped before the device is enabled, therefore we need to create device linking already during mapping and we need to unmap after the client is disable hence we need to postpone the unlink and flush till unmapping or when destroying the device. Signed-off-by:
Alexander Usyskin <alexander.usyskin@intel.com> Co-developed-by:
Tomas Winkler <tomas.winkler@intel.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org> Link: https://lore.kernel.org/r/20210420172755.12178-1-emmanuel.grumbach@intel.comSigned-off-by:
-
Jonas Dreßler authored
The firmware of the 88W8897 PCIe+USB card sends those events very unreliably, sometimes bluetooth together with 2.4ghz-wifi is used and no COEX event comes in, and sometimes bluetooth is disabled but the coexistance mode doesn't get disabled. This means we sometimes end up capping the rx/tx window size while bluetooth is not enabled anymore, artifically limiting wifi speeds even though bluetooth is not being used. Since we can't fix the firmware, let's just ignore those events on the 88W8897 device. From some Wireshark capture sessions it seems that the Windows driver also doesn't change the rx/tx window sizes when bluetooth gets enabled or disabled, so this is fairly consistent with the Windows driver. Signed-off-by:
Jonas Dreßler <verdre@v0yd.nl> Signed-off-by:
-
Jonas Dreßler authored
We assume at a few places that priv->version_str is 0-terminated, but right now we trust the firmware that this is the case with the version string we get from it. Let's rather ensure this ourselves and replace the last character with '\0'. Signed-off-by:
-
Jonas Dreßler authored
The 88W8897 PCIe+USB card in the hardware revision 20 apparently has a hardware issue where the card wakes up from deep sleep randomly and very often, somewhat depending on the card activity, maybe the hardware has a floating wakeup pin or something. This was found by comparing two MS Surface Book 2 devices, where one devices wifi card experienced spurious wakeups, while the other one didn't. Those continuous wakeups prevent the card from entering host sleep when the computer suspends. And because the host won't answer to events from the card anymore while it's suspended, the firmwares internal power saving state machine seems to get confused and the card can't sleep anymore at all after that. Since we can't work around that hardware bug in the firmware, let's get the hardware revision string from the firmware and match it with known bad revisions. Then disable auto deep sleep for those revisions, which makes sure we no longer get those spurious wakeups. Signed-off-by:
-
Jonas Dreßler authored
Since the version string we get from the firmware is always 128 characters long, use a define for this size instead of having the number 128 copied all over the place. Signed-off-by:
-
Zekun Shen authored
Currently, with an unknown recv_type, mwifiex_usb_recv just return -1 without restoring the skb. Next time mwifiex_usb_rx_complete is invoked with the same skb, calling skb_put causes skb_over_panic. The bug is triggerable with a compromised/malfunctioning usb device. After applying the patch, skb_over_panic no longer shows up with the same input. Attached is the panic report from fuzzing. skbuff: skb_over_panic: text:000000003bf1b5fa len:2048 put:4 head:00000000dd6a115b data:000000000a9445d8 tail:0x844 end:0x840 dev:<NULL> kernel BUG at net/core/skbuff.c:109! invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 0 PID: 198 Comm: in:imklog Not tainted 5.6.0 #60 RIP: 0010:skb_panic+0x15f/0x161 Call Trace: <IRQ> ? mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb] skb_put.cold+0x24/0x24 mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb] __usb_hcd_giveback_urb+0x1e4/0x380 usb_giveback_urb_bh+0x241/0x4f0 ? __hrtimer_run_queues+0x316/0x740 ? __usb_hcd_giveback_urb+0x380/0x380 tasklet_action_common.isra.0+0x135/0x330 __do_softirq+0x18c/0x634 irq_exit+0x114/0x140 smp_apic_timer_interrupt+0xde/0x380 apic_timer_interrupt+0xf/0x20 </IRQ> Reported-by:
-
Ping-Ke Shih authored
8821CE causes random freezes on HP 250 G7 Notebook PC. Add a quirk to disable pci ASPM capability. Reported-by:
rtl8821cerfe2 <rtl8821cerfe2@protonmail.com> Signed-off-by:
Ping-Ke Shih <pkshih@realtek.com> Signed-off-by:
-
Yu-Yen Ting authored
The management frame with high rate e.g. 24M may not be transmitted smoothly in long range environment. Add a debugfs to force to use the lowest basic rate in order to debug the reachability of transmitting management frame. obtain current setting cat /sys/kernel/debug/ieee80211/phyX/rtw88/force_lowest_basic_rate force lowest rate: echo 1 > /sys/kernel/debug/ieee80211/phyX/rtw88/force_lowest_basic_rate Signed-off-by:
Yu-Yen Ting <steventing@realtek.com> Signed-off-by:
-
Yu-Yen Ting authored
By default the driver uses the 1M and 6M rate for managemnt frames in 2G and 5G bands respectively. But when the basic rates is configured from the mac80211, we need to send the management frames according to the basic rates. This commit makes the driver use the lowest basic rates to send the management frames. Signed-off-by:
-
Chia-Yuan Li authored
The AXIDMA is tx/rx packet transmission between PCIE host and device, and TX FIFO is MAC TX data. We dump them to verify that these memory buffers are correct. Signed-off-by:
Chia-Yuan Li <leo.li@realtek.com> Signed-off-by:
Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by:
-
Ping-Ke Shih authored
The RF register array is used to help firmware to restore RF settings. The original code can potentially access out of range, if the size is between (RTW89_H2C_RF_PAGE_SIZE * RTW89_H2C_RF_PAGE_NUM + 1) to ((RTW89_H2C_RF_PAGE_SIZE + 1) * RTW89_H2C_RF_PAGE_NUM). Fortunately, current used size doesn't fall into the wrong case, and the size will not change if we don't update RF parameter. Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Changcheng Deng authored
Fix the following coccicheck review: ./drivers/net/wireless/realtek/rtw89/mac.c: 1096: 5-8: Unneeded variable Remove unneeded variable used to store return value. Reported-by:
Zeal Robot <zealci@zte.com.cn> Signed-off-by:
Changcheng Deng <deng.changcheng@zte.com.cn> Acked-by:
-
Ye Guojin authored
The conditional operator is unnecessary while assigning values to the bool variables. Reported-by:
Ye Guojin <ye.guojin@zte.com.cn> Acked-by:
-
Zong-Zhe Yang authored
Start to configure entries with RTW89_QATAR, RTW89_UKRAINE, RTW89_CN. Adjust some entries with explicit rtw89_regulatory instead of RTW89_WW. Signed-off-by:
Zong-Zhe Yang <kevin_yang@realtek.com> Signed-off-by:
-
Zong-Zhe Yang authored
Update tx power limit table and tx power limit_ru table to R54. Configure entries for MEXICO, CN, QATAR, and adjust some values of original entries. Signed-off-by:
-
Zong-Zhe Yang authored
Support QATAR in rtw89_regulation_type and reorder the enum to align realtek R58-R31 regulation definition. Besides, if an unassigned entry of limit/limit_ru tables is read, return the corresponding WW value for the unconfigured case. Signed-off-by:
-
Zong-Zhe Yang authored
This modification just replaces the number filled in the regd field with the corresponding enum. No assignment of a value in a table is changed. Doing this first is because the follow-up patches may adjust the order of enum declarations. Signed-off-by:
Brian Norris <briannorris@chromium.org> Signed-off-by:
-
- 19 Nov, 2021 4 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.gitKalle Valo authored
ath.git patches for v5.17. Major changes: ath10k * fetch (pre-)calibration data via nvmem subsystem ath11k * enable 802.11 power save mode in station mode for qca6390 and wcn6855 * trace log support * proper board file detection for WCN6855 based on PCI ids * BSS color change support
-
Peter Seiderer authored
The struct ath_hw member intr_txqs is never reset/assigned outside of ath9k_hw_init_queues() and with the used bitwise-or in the interrupt handling ar9002_hw_get_isr() accumulates all ever set interrupt flags. Fix this by using a pure assign instead of bitwise-or for the first line (note: intr_txqs is only evaluated in case ATH9K_INT_TX bit is set). Signed-off-by:
Peter Seiderer <ps.report@gmx.net> Signed-off-by:
-
Seevalamuthu Mariappan authored
Wakeup mhi is needed before pci_read/write only for QCA6390 and WCN6855. Since wakeup & release mhi is enabled for all hardwares, below mhi assert is seen in QCN9074 when doing 'rmmod ath11k_pci': Kernel panic - not syncing: dev_wake != 0 CPU: 2 PID: 13535 Comm: procd Not tainted 4.4.60 #1 Hardware name: Generic DT based system [<80316dac>] (unwind_backtrace) from [<80313700>] (show_stack+0x10/0x14) [<80313700>] (show_stack) from [<805135dc>] (dump_stack+0x7c/0x9c) [<805135dc>] (dump_stack) from [<8032136c>] (panic+0x84/0x1f8) [<8032136c>] (panic) from [<80549b24>] (mhi_pm_disable_transition+0x3b8/0x5b8) [<80549b24>] (mhi_pm_disable_transition) from [<80549ddc>] (mhi_power_down+0xb8/0x100) [<80549ddc>] (mhi_power_down) from [<7f5242b0>] (ath11k_mhi_op_status_cb+0x284/0x3ac [ath11k_pci]) [E][__mhi_device_get_sync] Did not enter M0 state, cur_state:RESET pm_state:SHUTDOWN Process [E][__mhi_device_get_sync] Did not enter M0 state, cur_state:RESET pm_state:SHUTDOWN Process [E][__mhi_device_get_sync] Did not enter M0 state, cur_state:RESET pm_state:SHUTDOWN Process [<7f5242b0>] (ath11k_mhi_op_status_cb [ath11k_pci]) from [<7f524878>] (ath11k_mhi_stop+0x10/0x20 [ath11k_pci]) [<7f524878>] (ath11k_mhi_stop [ath11k_pci]) from [<7f525b94>] (ath11k_pci_power_down+0x54/0x90 [ath11k_pci]) [<7f525b94>] (ath11k_pci_power_down [ath11k_pci]) from [<8056b2a8>] (pci_device_shutdown+0x30/0x44) [<8056b2a8>] (pci_device_shutdown) from [<805cfa0c>] (device_shutdown+0x124/0x174) [<805cfa0c>] (device_shutdown) from [<8033aaa4>] (kernel_restart+0xc/0x50) [<8033aaa4>] (kernel_restart) from [<8033ada8>] (SyS_reboot+0x178/0x1ec) [<8033ada8>] (SyS_reboot) from [<80301b80>] (ret_fast_syscall+0x0/0x34) Hence, disable wakeup/release mhi using hw_param for other hardwares. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01060-QCAHKSWPL_SILICONZ-1 Fixes: a05bd851 ("ath11k: read and write registers below unwindowed address") Signed-off-by:
Seevalamuthu Mariappan <quic_seevalam@quicinc.com> Signed-off-by:
-
Jakub Kicinski authored
Merge tag 'regmap-no-bus-update-bits' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regmap Mark Brown says: =================== regmap: Allow regmap_update_bits() to be offloaded with no bus Some hardware can do this so let's use that capability. =================== Link: https://lore.kernel.org/all/YZWDOidBOssP10yS@sirena.org.uk/Signed-off-by:
Jakub Kicinski <kuba@kernel.org>
-
- 18 Nov, 2021 6 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netJakub Kicinski authored
Signed-off-by: -
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netLinus Torvalds authored
Pull networking fixes from Jakub Kicinski: "Including fixes from bpf, mac80211. Current release - regressions: - devlink: don't throw an error if flash notification sent before devlink visible - page_pool: Revert "page_pool: disable dma mapping support...", turns out there are active arches who need it Current release - new code bugs: - amt: cancel delayed_work synchronously in amt_fini() Previous releases - regressions: - xsk: fix crash on double free in buffer pool - bpf: fix inner map state pruning regression causing program rejections - mac80211: drop check for DONT_REORDER in __ieee80211_select_queue, preventing mis-selecting the best effort queue - mac80211: do not access the IV when it was stripped - mac80211: fix radiotap header generation, off-by-one - nl80211: fix getting radio statistics in survey dump - e100: fix device suspend/resume Previous releases - always broken: - tcp: fix uninitialized access in skb frags array for Rx 0cp - bpf: fix toctou on read-only map's constant scalar tracking - bpf: forbid bpf_ktime_get_coarse_ns and bpf_timer_* in tracing progs - tipc: only accept encrypted MSG_CRYPTO msgs - smc: transfer remaining wait queue entries during fallback, fix missing wake ups - udp: validate checksum in udp_read_sock() (when sockmap is used) - sched: act_mirred: drop dst for the direction from egress to ingress - virtio_net_hdr_to_skb: count transport header in UFO, prevent allowing bad skbs into the stack - nfc: reorder the logic in nfc_{un,}register_device, fix unregister - ipsec: check return value of ipv6_skip_exthdr - usb: r8152: add MAC passthrough support for more Lenovo Docks" * tag 'net-5.16-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (96 commits) ptp: ocp: Fix a couple NULL vs IS_ERR() checks net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound ipv6: check return value of ipv6_skip_exthdr e100: fix device suspend/resume devlink: Don't throw an error if flash notification sent before devlink visible page_pool: Revert "page_pool: disable dma mapping support..." ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() octeontx2-af: debugfs: don't corrupt user memory NFC: add NCI_UNREG flag to eliminate the race NFC: reorder the logic in nfc_{un,}register_device NFC: reorganize the functions in nci_request tipc: check for null after calling kmemdup i40e: Fix display error code in dmesg i40e: Fix creation of first queue by omitting it if is not power of two i40e: Fix warning message and call stack during rmmod i40e driver i40e: Fix ping is lost after configuring ADq on VF i40e: Fix changing previously set num_queue_pairs for PFs i40e: Fix NULL ptr dereference on VSI filter sync i40e: Fix correct max_pkt_size on VF RX queue ... -
git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linuxLinus Torvalds authored
Pull btrfs fixes from David Sterba: "Several xes and one old ioctl deprecation. Namely there's fix for crashes/warnings with lzo compression that was suspected to be caused by first pull merge resolution, but it was a different bug. Summary: - regression fix for a crash in lzo due to missing boundary checks of the page array - fix crashes on ARM64 due to missing barriers when synchronizing status bits between work queues - silence lockdep when reading chunk tree during mount - fix false positive warning in integrity checker on devices with disabled write caching - fix signedness of bitfields in scrub - start deprecation of balance v1 ioctl" * tag 'for-5.16-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: deprecate BTRFS_IOC_BALANCE ioctl btrfs: make 1-bit bit-fields of scrub_page unsigned int btrfs: check-integrity: fix a warning on write caching disabled disk btrfs: silence lockdep when reading chunk tree during mount btrfs: fix memory ordering between normal and ordered work functions btrfs: fix a out-of-bound access in copy_compressed_data_to_page() -
git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fsLinus Torvalds authored
Pull UDF fix from Jan Kara: "A fix for a long-standing UDF bug where we were not properly validating directory position inside readdir" * tag 'fs_for_v5.16-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: udf: Fix crash after seekdir
-
git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linuxLinus Torvalds authored
Pull setattr idmapping fix from Christian Brauner: "This contains a simple fix for setattr. When determining the validity of the attributes the ia_{g,u}id fields contain the value that will be written to inode->i_{g,u}id. When the {g,u}id attribute of the file isn't altered and the caller's fs{g,u}id matches the current {g,u}id attribute the attribute change is allowed. The value in ia_{g,u}id does already account for idmapped mounts and will have taken the relevant idmapping into account. So in order to verify that the {g,u}id attribute isn't changed we simple need to compare the ia_{g,u}id value against the inode's i_{g,u}id value. This only has any meaning for idmapped mounts as idmapping helpers are idempotent without them. And for idmapped mounts this really only has a meaning when circular idmappings are used, i.e. mappings where e.g. id 1000 is mapped to id 1001 and id 1001 is mapped to id 1000. Such ciruclar mappings can e.g. be useful when sharing the same home directory between multiple users at the same time. Before this patch we could end up denying legitimate attribute changes and allowing invalid attribute changes when circular mappings are used. To even get into this situation the caller must've been privileged both to create that mapping and to create that idmapped mount. This hasn't been seen in the wild anywhere but came up when expanding the fstest suite during work on a series of hardening patches. All idmapped fstests pass without any regressions and we're adding new tests to verify the behavior of circular mappings. The new tests can be found at [1]" Link: https://lore.kernel.org/linux-fsdevel/20211109145713.1868404-2-brauner@kernel.org [1] * tag 'fs.idmapped.v5.16-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: fs: handle circular mappings correctly -
git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linuxLinus Torvalds authored
Pull parisc fixes from Helge Deller: "parisc bug and warning fixes and wire up futex_waitv. Fix some warnings which showed up with allmodconfig builds, a revert of a change to the sigreturn trampoline which broke signal handling, wire up futex_waitv and add CONFIG_PRINTK_TIME=y to 32bit defconfig" * tag 'for-5.16/parisc-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Enable CONFIG_PRINTK_TIME=y in 32bit defconfig Revert "parisc: Reduce sigreturn trampoline to 3 instructions" parisc: Wrap assembler related defines inside __ASSEMBLY__ parisc: Wire up futex_waitv parisc: Include stringify.h to avoid build error in crypto/api.c parisc/sticon: fix reverse colors
-
