- 25 Oct, 2021 3 commits
-
-
Abinaya Kalaiselvan authored
Commit 9af7c32c ("ath10k: add target IRAM recovery feature support") introduced a new firmware feature flag ATH10K_FW_FEATURE_IRAM_RECOVERY. But this caused ath10k_pci module load to fail if ATH10K_FW_CRASH_DUMP_RAM_DATA bit was not enabled in the ath10k coredump_mask module parameter: [ 2209.328190] ath10k_pci 0000:02:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe [ 2209.434414] ath10k_pci 0000:02:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 1 testmode 1 [ 2209.547191] ath10k_pci 0000:02:00.0: firmware ver 10.4-3.9.0.2-00099 api 5 features no-p2p,mfp,peer-flow-ctrl,btcoex-param,allows-mesh-bcast,no-ps,peer-fixed-rate,iram-recovery crc32 cbade90a [ 2210.896485] ath10k_pci 0000:02:00.0: board_file api 1 bmi_id 0:1 crc32 a040efc2 [ 2213.603339] ath10k_pci 0000:02:00.0: failed to copy target iram contents: -12 [ 2213.839027] ath10k_pci 0000:02:00.0: could not init core (-12) [ 2213.933910] ath10k_pci 0000:02:00.0: could not probe fw (-12) And by default coredump_mask does not have ATH10K_FW_CRASH_DUMP_RAM_DATA enabled so anyone using a firmware with iram-recovery feature would fail. To my knowledge only QCA9984 firmwares starting from release 10.4-3.9.0.2-00099 enabled the feature. The reason for regression was that ath10k_core_copy_target_iram() used ath10k_coredump_get_mem_layout() to get the memory layout, but when ATH10K_FW_CRASH_DUMP_RAM_DATA was disabled it would get just NULL and bail out with an error. While looking at all this I noticed another bug: if CONFIG_DEV_COREDUMP is disabled but the firmware has iram-recovery enabled the module load fails with similar error messages. I fixed that by returning 0 from ath10k_core_copy_target_iram() when _ath10k_coredump_get_mem_layout() returns NULL. Tested-on: QCA9984 hw2.0 PCI 10.4-3.9.0.2-00139 Fixes: 9af7c32c ("ath10k: add target IRAM recovery feature support") Signed-off-by:
Abinaya Kalaiselvan <akalaise@codeaurora.org> Signed-off-by:
Jouni Malinen <jouni@codeaurora.org> Signed-off-by:
Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211020075054.23061-1-kvalo@codeaurora.org
-
Arnd Bergmann authored
Using a kernel pointer in place of a dma_addr_t token can lead to undefined behavior if that makes it into cache management functions. The compiler caught one such attempt in a cast: drivers/net/wireless/ath/ath10k/mac.c: In function 'ath10k_add_interface': drivers/net/wireless/ath/ath10k/mac.c:5586:47: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 5586 | arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf; | ^ Looking through how this gets used down the way, I'm fairly sure that beacon_paddr is never accessed again for ATH10K_DEV_TYPE_HL devices, and if it was accessed, that would be a bug. Change the assignment to use a known-invalid address token instead, which avoids the warning and makes it easier to catch bugs if it does end up getting used. Fixes: e263bdab ("ath10k: high latency fixes for beacon buffer") Signed-off-by:Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
Baochen Qiang authored
QCA6390 firmware uses HAL_RX_BUF_RBM_SW1_BM, not HAL_RX_BUF_RBM_SW3_BM. This is needed to fix a case where an A-MSDU has an unexpected LLC/SNAP header in the first subframe (CVE-2020-24588). Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Signed-off-by:
Baochen Qiang <bqiang@codeaurora.org> Signed-off-by:
-
- 20 Oct, 2021 11 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.gitKalle Valo authored
ath.git patches for v5.16. Major changes: ath9k * add option to reset the wifi chip via debugfs * convert Device Tree bindings to the json-schema * support Device Tree ieee80211-freq-limit property to limit channels
-
Jonas Dreßler authored
When powersaving (so either wifi powersaving or deep sleep, depending on which state the firmware is in) is disabled, the way the firmware goes into host sleep is different: Usually the firmware implicitely enters host sleep on the next SLEEP event we get when we configured host sleep via HSCFG before. When powersaving is disabled though, there are no SLEEP events, the way we enter host sleep in that case is different: The firmware will send us a HS_ACT_REQ event and after that we "manually" make the firmware enter host sleep by sending it another HSCFG command with the action HS_ACTIVATE. Now waking up from host sleep appears to be different depending on whether powersaving is enabled again: When powersaving is enabled, the firmware implicitely leaves host sleep as soon as it wakes up and sends us an AWAKE event. When powersaving is disabled though, it apparently doesn't implicitely leave host sleep, but instead we need to send it a HSCFG command with the HS_CONFIGURE action and the HS_CFG_CANCEL condition. We didn't do that so far, which is why waking up from host sleep was broken when powersaving is disabled. So add some additional state to mwifiex_adapter where we keep track of whether host sleep was activated manually via HS_ACTIVATE, and if that was the case, deactivate it manually again via HS_CFG_CANCEL. Signed-off-by:
Jonas Dreßler <verdre@v0yd.nl> Signed-off-by:
-
Jonas Dreßler authored
While looking at on-air packets using Wireshark, I noticed we're never setting the initiator bit when sending DELBA requests to the AP: While we set the bit on our del_ba_param_set bitmask, we forget to actually copy that bitmask over to the command struct, which means we never actually set the initiator bit. Fix that and copy the bitmask over to the host_cmd_ds_11n_delba command struct. Fixes: 5e6e3a92 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by:
Pali Rohár <pali@kernel.org> Signed-off-by:
-
Jonas Dreßler authored
We're sending DELBA requests here, not ADDBA requests. Signed-off-by:
-
Jonas Dreßler authored
Sometimes the KEY_MATERIAL command can fail with the 88W8897 firmware (when this happens exactly seems pretty random). This appears to prevent the access point from starting, so it seems like a good idea to log an error in that case. Signed-off-by:
-
Jonas Dreßler authored
It's not an error if someone chooses to put their computer to sleep, not wanting it to wake up because the person next door has just discovered what a magic packet is. So change the loglevel of this annoying message from ERROR to INFO. Signed-off-by:
-
Yang Li authored
Eliminate the following coccicheck warning: ./drivers/net/wireless/realtek/rtw89/pci.c:1348:2-3: Unneeded semicolon Reported-by:
Abaci Robot <abaci@linux.alibaba.com> Fixes: e3ec7017 ("rtw89: add Realtek 802.11ax driver") Signed-off-by:
Yang Li <yang.lee@linux.alibaba.com> Acked-by:
Ping-Ke Shih <pkshih@realtek.com> Signed-off-by:
-
Yang Yingliang authored
Fix the return value check which testing the wrong variable in rtw89_cam_send_sec_key_cmd(). Reported-by:
Hulk Robot <hulkci@huawei.com> Fixes: e3ec7017 ("rtw89: add Realtek 802.11ax driver") Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Acked-by:
-
Zheyu Ma authored
When the driver fails to request the firmware, it calls its error handler. In the error handler, the driver detaches device from driver first before releasing the firmware, which can cause a use-after-free bug. Fix this by releasing firmware first. The following log reveals it: [ 9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0 [ 9.010143 ] Workqueue: events request_firmware_work_func [ 9.010830 ] Call Trace: [ 9.010830 ] dump_stack_lvl+0xa8/0xd1 [ 9.010830 ] print_address_description+0x87/0x3b0 [ 9.010830 ] kasan_report+0x172/0x1c0 [ 9.010830 ] ? mutex_unlock+0xd/0x10 [ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 [ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 [ 9.010830 ] __asan_report_load8_noabort+0x14/0x20 [ 9.010830 ] mwl8k_fw_state_machine+0x320/0xba0 [ 9.010830 ] ? mwl8k_load_firmware+0x5f0/0x5f0 [ 9.010830 ] request_firmware_work_func+0x172/0x250 [ 9.010830 ] ? read_lock_is_recursive+0x20/0x20 [ 9.010830 ] ? process_one_work+0x7a1/0x1100 [ 9.010830 ] ? request_firmware_nowait+0x460/0x460 [ 9.010830 ] ? __this_cpu_preempt_check+0x13/0x20 [ 9.010830 ] process_one_work+0x9bb/0x1100 Signed-off-by:
Zheyu Ma <zheyuma97@gmail.com> Signed-off-by:
-
Ziyang Xuan authored
When fail to init coex module, free 'common' and 'adapter' directly, but common->tx_thread which will access 'common' and 'adapter' is running at the same time. That will trigger the UAF bug. ================================================================== BUG: KASAN: use-after-free in rsi_tx_scheduler_thread+0x50f/0x520 [rsi_91x] Read of size 8 at addr ffff8880076dc000 by task Tx-Thread/124777 CPU: 0 PID: 124777 Comm: Tx-Thread Not tainted 5.15.0-rc5+ #19 Call Trace: dump_stack_lvl+0xe2/0x152 print_address_description.constprop.0+0x21/0x140 ? rsi_tx_scheduler_thread+0x50f/0x520 kasan_report.cold+0x7f/0x11b ? rsi_tx_scheduler_thread+0x50f/0x520 rsi_tx_scheduler_thread+0x50f/0x520 ... Freed by task 111873: kasan_save_stack+0x1b/0x40 kasan_set_track+0x1c/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x109/0x140 kfree+0x117/0x4c0 rsi_91x_init+0x741/0x8a0 [rsi_91x] rsi_probe+0x9f/0x1750 [rsi_usb] Stop thread before free 'common' and 'adapter' to fix it. Fixes: 2108df3c ("rsi: add coex support") Signed-off-by:
Ziyang Xuan <william.xuanziyang@huawei.com> Signed-off-by:
-
Ryder Lee authored
Add more MTK folks to actively maintain the wireless chipsets across segments. The work is becoming increasingly complicated and various and we can provides hardware related perspectives to offload Felix's workload, especially for the 11ax and upcoming 11be devices Signed-off-by:
Ryder Lee <ryder.lee@mediatek.com> Acked-by:
Felix Fietkau <nbd@nbd.name> Signed-off-by:
-
- 18 Oct, 2021 6 commits
-
-
Qing Wang authored
coccicheck complains about the use of snprintf() in sysfs show functions. Fix the coccicheck warning: WARNING: use scnprintf or sprintf. Use sysfs_emit instead of scnprintf or sprintf makes more sense. Signed-off-by:
Qing Wang <wangqing@vivo.com> Signed-off-by:
-
Colin Ian King authored
The function rtw89_mac_enable_bb_rf is a void return type, so there is no return error code to ret, so the following check for an error in ret is redundant dead code and can be removed. Addresses-Coverity: ("Logically dead code") Fixes: e3ec7017 ("rtw89: add Realtek 802.11ax driver") Signed-off-by:Colin Ian King <colin.king@canonical.com> Acked-by:
-
Colin Ian King authored
There are two spelling mistakes in rtw89_debug messages. Fix them. Signed-off-by:
-
Ping-Ke Shih authored
Add maintainer and email to MAINTAINERS file. Signed-off-by:
-
Jonas Dreßler authored
It seems that the PCIe+USB firmware (latest version 15.68.19.p21) of the 88W8897 card sometimes ignores or misses when we try to wake it up by writing to the firmware status register. This leads to the firmware wakeup timeout expiring and the driver resetting the card because we assume the firmware has hung up or crashed. Turns out that the firmware actually didn't hang up, but simply "missed" our wakeup request and didn't send us an interrupt with an AWAKE event. Trying again to read the firmware status register after a short timeout usually makes the firmware wake up as expected, so add a small retry loop to mwifiex_pm_wakeup_card() that looks at the interrupt status to check whether the card woke up. The number of tries and timeout lengths for this were determined experimentally: The firmware usually takes about 500 us to wake up after we attempt to read the status register. In some cases where the firmware is very busy (for example while doing a bluetooth scan) it might even miss our requests for multiple milliseconds, which is why after 15 tries the waiting time gets increased to 10 ms. The maximum number of tries it took to wake the firmware when testing this was around 20, so a maximum number of 50 tries should give us plenty of safety margin. Here's a reproducer for those firmware wakeup failures I've found: 1) Make sure wifi powersaving is enabled (iw dev wlp1s0 set power_save on) 2) Connect to any wifi network (makes firmware go into wifi powersaving mode, not deep sleep) 3) Make sure bluetooth is turned off (to ensure the firmware actually enters powersave mode and doesn't keep the radio active doing bluetooth stuff) 4) To confirm that wifi powersaving is entered ping a device on the LAN, pings should be a few ms higher than without powersaving 5) Run "while true; do iwconfig; sleep 0.0001; done", this wakes and suspends the firmware extremely often 6) Wait until things explode, for me it consistently takes <5 minutes BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681 Cc: stable@vger.kernel.org Signed-off-by:
-
Jonas Dreßler authored
On the 88W8897 PCIe+USB card the firmware randomly crashes after setting the TX ring write pointer. The issue is present in the latest firmware version 15.68.19.p21 of the PCIe+USB card. Those firmware crashes can be worked around by reading any PCI register of the card after setting that register, so read the PCI_VENDOR_ID register here. The reason this works is probably because we keep the bus from entering an ASPM state for a bit longer, because that's what causes the cards firmware to crash. This fixes a bug where during RX/TX traffic and with ASPM L1 substates enabled (the specific substates where the issue happens appear to be platform dependent), the firmware crashes and eventually a command timeout appears in the logs. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681 Cc: stable@vger.kernel.org Signed-off-by:
-
- 13 Oct, 2021 8 commits
-
-
Christophe JAILLET authored
'destroy_workqueue()' already drains the queue before destroying it, so there is no need to flush it explicitly. Remove the redundant 'flush_workqueue()' calls. This was generated with coccinelle: @@ expression E; @@ - flush_workqueue(E); destroy_workqueue(E); Signed-off-by:
Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by:
-
Colin Ian King authored
The variable ret is being initialized with a value that is never read, it is assigned later on with a different value. The initialization is redundant and can be removed. Addresses-Coverity: ("Unused value") Signed-off-by:Jakub Kicinski <kubakici@wp.pl> Signed-off-by:
-
Colin Ian King authored
The variable version is being initialized with a value that is never read, it is being updated afterwards in both branches of an if statement. The assignment is redundant and can be removed. Addresses-Coverity: ("Unused value") Signed-off-by: -
Ping-Ke Shih authored
This driver named rtw89, which is the next generation of rtw88, supports Realtek 8852AE 802.11ax 2x2 chip whose new features are OFDMA, DBCC, Spatial reuse, TWT and BSS coloring; now some of them aren't implemented though. The chip architecture is entirely different from the chips supported by rtw88 like RTL8822CE 802.11ac chip. First of all, register address ranges are totally redefined, so it's impossible to reuse register definition. To communicate with firmware, new H2C/C2H format is proposed. In order to have better utilization, TX DMA flow is changed to two stages DMA. To provide rich RX status information, additional RX PPDU packets are added. Since there are so many differences mentioned above, we decide to propose a new driver. It has many authors, they are listed in alphabetic order: Chin-Yen Lee <timlee@realtek.com> Ping-Ke Shih <pkshih@realtek.com> Po Hao Huang <phhuang@realtek.com> Tzu-En Huang <tehuang@realtek.com> Vincent Fann <vincent_fann@realtek.com> Yan-Hsuan Chuang <tony0620emma@gmail.com> Zong-Zhe Yang <kevin_yang@realtek.com> Tested-by:
Aaron Ma <aaron.ma@canonical.com> Tested-by:
Brian Norris <briannorris@chromium.org> Signed-off-by:
-
Sven Eckelmann authored
Most of the txpower for the ath10k firmware is stored as twicepower (0.5 dB steps). This isn't the case for max_antenna_gain - which is still expected by the firmware as dB. The firmware is converting it from dB to the internal (twicepower) representation when it calculates the limits of a channel. This can be seen in tpc_stats when configuring "12" as max_antenna_gain. Instead of the expected 12 (6 dB), the tpc_stats shows 24 (12 dB). Tested on QCA9888 and IPQ4019 with firmware 10.4-3.5.3-00057. Fixes: 02256930 ("ath10k: use proper tx power unit") Signed-off-by:
Sven Eckelmann <seckelmann@datto.com> Signed-off-by:
-
Dan Carpenter authored
The devm_kmemdup() function doesn't return error pointers, it returns NULL on error. Fixes: eb3a97a6 ("ath9k: fetch calibration data via nvmem subsystem") Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Baochen Qiang authored
WMI_CHAN_INFO_DFS flag should be set when configuring a DFS channel included in scan channel list. Without it, firmware will not send a probe request frame which is needed in connection to an AP configured with hidden SSID/network_id. So fix this to allow probe request frames to be sent in cases where a beacon frame has been seen on the channel first. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Signed-off-by:
-
Christian Lamparter authored
The common DT property can be used to limit the available channels but ath9k has to manually call wiphy_read_of_freq_limits(). I would have put this into ath9k_of_init(). But it didn't work there. The reason is that in ath9k_of_init() the channels and bands are not yet registered in the wiphy struct. So there isn't any channel to flag as disabled. Signed-off-by:
Christian Lamparter <chunkeey@gmail.com> Signed-off-by:
-
- 11 Oct, 2021 7 commits
-
-
Baochen Qiang authored
Some targets, QCA6390 for example, use only one TCL ring, it is better to initialize only one ring and leave others untouched for such targets. This is a theoretical fix found during code review, no visible impact. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Signed-off-by:
-
Baochen Qiang authored
When doing "rmmod ath11k_pci", ath11k performs global SOC reset and MHI reset, where 0 address access is captured by IOMMU. See log below: ... [ 133.953860] ath11k_pci 0000:02:00.0: setting mhi state: DEINIT(1) [ 133.959714] ath11k_pci 0000:02:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x000a address=0x0 flags=0x0020] [ 133.973854] ath11k_pci 0000:02:00.0: MHISTATUS 0xff04 [ 133.974095] ath11k_pci 0000:02:00.0: AMD-Vi: Event logged [IO_PAGE_FAULT domain=0x000a address=0x0 flags=0x0020] ... This issue is also observed in SSR process, cause a similar sequence as above is performed. Such an invalid access occurs because, during rmmod or SSR, MSI address is cleared but HW MSI functionality not disabled, thus HW target is able to raise an MSI transaction with 0 as MSI address. So it can be fixed by simply disabling MSI before reset. For SSR, since MSI functionality is still needed after target is brought back, we need to reenable it. Also change naming of some interfaces related. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Signed-off-by:
-
Tuo Li authored
kzalloc() is used to allocate memory for cd->detectors, and if it fails, channel_detector_exit() behind the label fail will be called: channel_detector_exit(dpd, cd); In channel_detector_exit(), cd->detectors is dereferenced through: struct pri_detector *de = cd->detectors[i]; To fix this possible null-pointer dereference, check cd->detectors before the for loop to dereference cd->detectors. Reported-by:
TOTE Robot <oslab@tsinghua.edu.cn> Signed-off-by:
Tuo Li <islituo@gmail.com> Signed-off-by:
-
Gustavo A. R. Silva authored
Use 2-factor multiplication argument form kcalloc() instead of kzalloc(). Link: https://github.com/KSPP/linux/issues/162Signed-off-by:
Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by:
-
Colin Ian King authored
Variable fw_size is being assigned a value that is never read and being re-assigned a new value in the next statement. The assignment is redundant and can be removed. Addresses-Coverity: ("Unused value") Fixes: 336e7b53 ("ath11k: clean up BDF download functions") Signed-off-by: -
Dan Carpenter authored
The problem is that "channel" is an unsigned int, when it's less 5 the value of "channel - 5" is not a negative number as one would expect but is very high positive value instead. This means that "start" becomes a very high positive value. The result of that is that we never enter the "for (i = start; i <= end; i++) {" loop. Instead of storing the result from b43legacy_radio_aci_detect() it just uses zero. Fixes: ef1a628d ("b43: Implement dynamic PHY API") Signed-off-by:Michael Büsch <m@bues.ch> Signed-off-by:
-
Dan Carpenter authored
The problem is that "channel" is an unsigned int, when it's less 5 the value of "channel - 5" is not a negative number as one would expect but is very high positive value instead. This means that "start" becomes a very high positive value. The result of that is that we never enter the "for (i = start; i <= end; i++) {" loop. Instead of storing the result from b43legacy_radio_aci_detect() it just uses zero. Fixes: 75388acd ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") Signed-off-by:
-
- 10 Oct, 2021 5 commits
-
-
Subbaraya Sundeep authored
This patch separates the logic of configuring hardware maximum transmit frame size and receive frame size. This simplifies the logic to calculate receive buffer size and using cqe descriptor of different size. Also additional size of skb_shared_info structure is allocated for each receive buffer pointer given to hardware which is not necessary. Hence change the size calculation to remove the size of skb_shared_info. Add a check for array out of bounds while adding fragments to the network stack. Signed-off-by:
Subbaraya Sundeep <sbhatta@marvell.com> Signed-off-by:
Hariprasad Kelam <hkelam@marvell.com> Signed-off-by:
Sunil Goutham <sgoutham@marvell.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Christophe JAILLET authored
'destroy_workqueue()' already drains the queue before destroying it, so there is no need to flush it explicitly. Remove the redundant 'flush_workqueue()' calls. This was generated with coccinelle: @@ expression E; @@ - flush_workqueue(E); destroy_workqueue(E); Signed-off-by:
-
Li RongQing authored
networking benchmark shows that __rcu_read_lock and __rcu_read_unlock takes some cpu cycles, and we can avoid calling them partially in virtio rx path by check xdp_enabled of vi, and xdp is disabled most of time Signed-off-by:
Li RongQing <lirongqing@baidu.com> Signed-off-by:
-
Antoine Tenart authored
Cosmetic commit making dev_get_port_parent_id slightly more readable. There is no need to split the condition to return after calling devlink_compat_switch_id_get and after that 'recurse' is always true. Signed-off-by:
Antoine Tenart <atenart@kernel.org> Signed-off-by:
-
Ansuel Smith authored
Give a name to known debug regs from Documentation instead of using unknown hex values. Signed-off-by:
Ansuel Smith <ansuelsmth@gmail.com> Reviewed-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
-
