- 28 Jan, 2022 1 commit
-
-
Pavel Skripkin authored
Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization. In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0. htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy Fail logs: BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 4-7 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 16-17 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 Fixes: fb9987d0 ("ath9k_htc: Support for AR9271 chipset.") Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com Signed-off-by:
Pavel Skripkin <paskripkin@gmail.com> Signed-off-by:
Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20220115122733.11160-1-paskripkin@gmail.com
-
- 19 Jan, 2022 4 commits
-
-
Bryan O'Donoghue authored
Add support for get_survey() reporting. Current channel and noise-floor are reported, other parameters such as scan, busy, TX and RX time are not immediately available. Noise is a useful metric to report, so bring it out now. Reported-by:
kernel test robot <lkp@intel.com> Signed-off-by:
Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by:
-
Bryan O'Donoghue authored
The BDs for each RX frame contain both the RSSI and SNR for the received frame. If we track and store this information it can be useful to us in get_survey() and potentially elsewhere. Reported-by:
-
Bryan O'Donoghue authored
Track the band and channel we are currently tuned to by way of pointers to the standard structures that describe them both embedded within the driver. Tracking of the pair makes it much easier when implementing ieee80211_ops->get_survey to return quickly captured metrics for the currently tuned channel. Signed-off-by:
-
Bryan O'Donoghue authored
The wcn36xx BD phy descriptor returns both Received Signal Strength Information (RSSI) and Signal To Noise Ratio (SNR) with each delivered BD. The macro to extract this data is a simple-one liner, easily imported from prima driver. This data will be useful to us when implementing mac80211-ops->get_survey(). Signed-off-by:
Loic Poulain <loic.poulain@linaro.org> Signed-off-by:
-
- 17 Jan, 2022 14 commits
-
-
Francesco Magliocca authored
QCA6174 card often hangs with the current htt_rx_desc memory layout in some circumstances, because its firmware fails to handle length differences. Therefore we must abstract the htt_rx_desc structure and operations on it, to allow different wireless cards to use different, unrelated rx descriptor structures. Define a base htt_rx_desc structure and htt_rx_desc_v1 for use with the QCA family of ath10k supported cards and htt_rx_desc_v2 for use with the WCN3990 card. Define htt_rx_desc_ops which contains the abstract operations to access the generic htt_rx_desc, give implementations for each card and update htt_rx.c to use the defined abstract interface to rx descriptors. Fixes: e3def6f7 ("ath10k: Update rx descriptor for WCN3990 target") Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00157-QCARMSWPZ-1 Co-developed-by:
Enrico Lumetti <enrico@fracta.dev> Signed-off-by:
Francesco Magliocca <franciman12@gmail.com> Link: https://lore.kernel.org/ath10k/CAH4F6usFu8-A6k5Z7rU9__iENcSC6Zr-NtRhh_aypR74UvN1uQ@mail.gmail.com/Signed-off-by:
-
Lad Prabhakar authored
platform_get_resource_byname(pdev, IORESOURCE_IRQ, ..) relies on static allocation of IRQ resources in DT core code, this causes an issue when using hierarchical interrupt domains using "interrupts" property in the node as this bypasses the hierarchical setup and messes up the irq chaining. In preparation for removal of static setup of IRQ resource from DT core code use platform_get_irq_byname(). Signed-off-by:
Lad Prabhakar <prabhakar.mahadev-lad.rj@bp.renesas.com> Signed-off-by:
-
Minghao Chi authored
Return value directly instead of taking this in another redundant variable. Reported-by:
Zeal Robot <zealci@zte.com.cn> Signed-off-by:
Minghao Chi <chi.minghao@zte.com.cn> Signed-off-by:
CGEL ZTE <cgel.zte@gmail.com> Signed-off-by:
-
Baochen Qiang authored
There is an issue that WCN6855 tries to connect to an AP using a hardware rate of 1Mb/s , even though the AP has announced expected rates as [24, 36, 48, 54] in Probe Response frame. The reason is that WCN6855 firmware clears hardware rate info of management frames when vdev starts and uses 1Mb/s as default. To solve it, reconfigure the rate after vdev is started. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Signed-off-by:
Baochen Qiang <quic_bqiang@quicinc.com> Signed-off-by:
-
Christophe JAILLET authored
kmalloc_array()/kcalloc() should be used to avoid potential overflow when a multiplication is needed to compute the size of the requested memory. kmalloc_array() can be used here instead of kcalloc() because the array is fully initialized in the next 'for' loop. Finally, 'cd->detectors' is defined as 'struct pri_detector **detectors;'. So 'cd->detectors' and '*cd->detectors' are both some pointer. So use a more logical 'sizeof(*cd->detectors)'. Signed-off-by:
Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by:
-
Lad Prabhakar authored
platform_get_resource(pdev, IORESOURCE_IRQ, ..) relies on static allocation of IRQ resources in DT core code, this causes an issue when using hierarchical interrupt domains using "interrupts" property in the node as this bypasses the hierarchical setup and messes up the irq chaining. In preparation for removal of static setup of IRQ resource from DT core code use platform_get_irq(). Signed-off-by:
-
Peter Seiderer authored
The struct ath5k_hw member ah_txq_isr_txok_all is never reset/assigned outside of ath5k_hw_get_isr() and with the used bitwise-or in the interrupt handling accumulates all ever set interrupt flags. Fix this by clearing ah_txq_isr_txok_all before assigning. Patch tested with Senao NMP-8602 card Qualcomm Atheros AR5413/AR5414 Wireless Network Adapter [AR5006X(S) 802.11abg] (rev 01) ath5k: phy6: Atheros AR5413 chip found (MAC: 0xa4, PHY: 0x61) running IBSS mode against Atheros (ath9k) card using ping and iperf traffic. Signed-off-by:
Peter Seiderer <ps.report@gmx.net> Signed-off-by:
-
Peter Seiderer authored
Remove unused ah_txq_isr_txurn member from struct ath5k_hw (set in ath5k_hw_get_isr() but never used anywhere). Signed-off-by:
-
Peter Seiderer authored
Remove unused ah_txq_isr_qcborn member from struct ath5k_hw (set in ath5k_hw_get_isr() but never used anywhere). Signed-off-by:
-
Peter Seiderer authored
Remove unused ah_txq_isr_qcburn member from struct ath5k_hw (set in ath5k_hw_get_isr() but never used anywhere). Signed-off-by:
-
Peter Seiderer authored
Remove unused ah_txq_isr_qtrig member from struct ath5k_hw (set in ath5k_hw_get_isr() but never used anywhere). Signed-off-by:
-
Dan Carpenter authored
The "ret" vairable is not set at this point. It could be uninitialized or zero. The correct thing to return is -ENODEV. Fixes: 6ac04bdc ("ath11k: Use reserved host DDR addresses from DT for PCI devices") Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Aloka Dixit authored
Move the function below ath11k_dp_rx_mon_dest_process() and remove the forward declaration. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01179-QCAHKSWPL_SILICONZ-1 Signed-off-by:
Aloka Dixit <quic_alokad@quicinc.com> Signed-off-by:
-
Miles Hu authored
RX PPDU statistics collection is missing when monitor mode co-exists with other modes. This commit combines the processing of the destination ring with the status ring to fix the issue. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01179-QCAHKSWPL_SILICONZ-1 Signed-off-by:
Miles Hu <milehu@codeaurora.org> Signed-off-by:
-
- 12 Jan, 2022 3 commits
-
-
Zekun Shen authored
The bug was found during fuzzing. Stacktrace locates it in ath5k_eeprom_convert_pcal_info_5111. When none of the curve is selected in the loop, idx can go up to AR5K_EEPROM_N_PD_CURVES. The line makes pd out of bound. pd = &chinfo[pier].pd_curves[idx]; There are many OOB writes using pd later in the code. So I added a sanity check for idx. Checks for other loops involving AR5K_EEPROM_N_PD_CURVES are not needed as the loop index is not used outside the loops. The patch is NOT tested with real device. The following is the fuzzing report BUG: KASAN: slab-out-of-bounds in ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] Write of size 1 at addr ffff8880174a4d60 by task modprobe/214 CPU: 0 PID: 214 Comm: modprobe Not tainted 5.6.0 #1 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] __kasan_report.cold+0x37/0x7c ? ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] kasan_report+0xe/0x20 ath5k_eeprom_read_pcal_info_5111+0x126a/0x1390 [ath5k] ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? ath5k_pci_eeprom_read+0x228/0x3c0 [ath5k] ath5k_eeprom_init+0x2513/0x6290 [ath5k] ? ath5k_eeprom_init_11a_pcal_freq+0xbc0/0xbc0 [ath5k] ? usleep_range+0xb8/0x100 ? apic_timer_interrupt+0xa/0x20 ? ath5k_eeprom_read_pcal_info_2413+0x2f20/0x2f20 [ath5k] ath5k_hw_init+0xb60/0x1970 [ath5k] ath5k_init_ah+0x6fe/0x2530 [ath5k] ? kasprintf+0xa6/0xe0 ? ath5k_stop+0x140/0x140 [ath5k] ? _dev_notice+0xf6/0xf6 ? apic_timer_interrupt+0xa/0x20 ath5k_pci_probe.cold+0x29a/0x3d6 [ath5k] ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] ? mutex_lock+0x89/0xd0 ? ath5k_pci_eeprom_read+0x3c0/0x3c0 [ath5k] local_pci_probe+0xd3/0x160 pci_device_probe+0x23f/0x3e0 ? pci_device_remove+0x280/0x280 ? pci_device_remove+0x280/0x280 really_probe+0x209/0x5d0 Reported-by:
Brendan Dolan-Gavitt <brendandg@nyu.edu> Signed-off-by:
Zekun Shen <bruceshenzk@gmail.com> Signed-off-by:
-
Wen Gong authored
Commit b4a0f541 ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") is to fix firmware crash by changing the WMI command sequence, but actually skip all the peer delete operation, then it lead commit 58595c98 ("ath11k: Fixing dangling pointer issue upon peer delete failure") not take effect, and then happened a use-after-free warning from KASAN. because the peer->sta is not set to NULL and then used later. Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855. log of user-after-free: [ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860 [ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523 [ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 [ 534.888716] Call Trace: [ 534.888720] <IRQ> [ 534.888726] dump_stack_lvl+0x57/0x7d [ 534.888736] print_address_description.constprop.0+0x1f/0x170 [ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888771] kasan_report.cold+0x83/0xdf [ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k] [ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k] [ 534.888897] ? check_prev_add+0x20f0/0x20f0 [ 534.888922] ? __lock_acquire+0xb72/0x1870 [ 534.888937] ? find_held_lock+0x33/0x110 [ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k] [ 534.888981] ? rcu_read_unlock+0x40/0x40 [ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k] [ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k] [ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889075] call_timer_fn+0x167/0x4a0 [ 534.889084] ? add_timer_on+0x3b0/0x3b0 [ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889117] __run_timers.part.0+0x539/0x8b0 [ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889157] ? call_timer_fn+0x4a0/0x4a0 [ 534.889164] ? mark_lock_irq+0x1c30/0x1c30 [ 534.889173] ? clockevents_program_event+0xdd/0x280 [ 534.889189] ? mark_held_locks+0xa5/0xe0 [ 534.889203] run_timer_softirq+0x97/0x180 [ 534.889213] __do_softirq+0x276/0x86a [ 534.889230] __irq_exit_rcu+0x11c/0x180 [ 534.889238] irq_exit_rcu+0x5/0x20 [ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0 [ 534.889251] </IRQ> [ 534.889254] <TASK> [ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 <e8> 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206 [ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10 [ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001 [ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68 [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000 [ 534.889316] ? mark_lock+0xd0/0x14a0 [ 534.889332] klist_next+0x1d4/0x450 [ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0 [ 534.889350] device_for_each_child+0xa8/0x140 [ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0 [ 534.889370] ? __lock_release+0x4bd/0x9f0 [ 534.889378] ? dpm_suspend+0x26b/0x3f0 [ 534.889390] dpm_wait_for_subordinate+0x82/0x2d0 [ 534.889400] ? dpm_for_each_dev+0xa0/0xa0 [ 534.889410] ? dpm_suspend+0x233/0x3f0 [ 534.889427] __device_suspend+0xd4/0x10c0 [ 534.889440] ? wait_for_completion_io+0x270/0x270 [ 534.889456] ? async_suspend_late+0xe0/0xe0 [ 534.889463] ? async_schedule_node_domain+0x468/0x640 [ 534.889482] dpm_suspend+0x25a/0x3f0 [ 534.889491] ? dpm_suspend_end+0x1a0/0x1a0 [ 534.889497] ? ktime_get+0x214/0x2f0 [ 534.889502] ? lockdep_hardirqs_on+0x79/0x100 [ 534.889509] ? recalibrate_cpu_khz+0x10/0x10 [ 534.889516] ? ktime_get+0x119/0x2f0 [ 534.889528] dpm_suspend_start+0xab/0xc0 [ 534.889538] suspend_devices_and_enter+0x1ca/0x350 [ 534.889546] ? suspend_enter+0x850/0x850 [ 534.889566] enter_state+0x27c/0x3d7 [ 534.889575] pm_suspend.cold+0x42/0x189 [ 534.889583] state_store+0xab/0x160 [ 534.889595] ? sysfs_file_ops+0x160/0x160 [ 534.889601] kernfs_fop_write_iter+0x2b5/0x450 [ 534.889615] new_sync_write+0x36a/0x600 [ 534.889625] ? new_sync_read+0x600/0x600 [ 534.889639] ? rcu_read_unlock+0x40/0x40 [ 534.889668] vfs_write+0x619/0x910 [ 534.889681] ksys_write+0xf4/0x1d0 [ 534.889689] ? __ia32_sys_read+0xa0/0xa0 [ 534.889699] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889707] ? syscall_enter_from_user_mode+0x1d/0x50 [ 534.889719] do_syscall_64+0x3b/0x90 [ 534.889725] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 534.889731] RIP: 0033:0x7f0b9bc931e7 [ 534.889736] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 [ 534.889741] RSP: 002b:00007ffd9d34cc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 534.889749] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f0b9bc931e7 [ 534.889753] RDX: 0000000000000004 RSI: 0000561cd023c5f0 RDI: 0000000000000004 [ 534.889757] RBP: 0000561cd023c5f0 R08: 0000000000000000 R09: 0000000000000004 [ 534.889761] R10: 0000561ccef842a6 R11: 0000000000000246 R12: 0000000000000004 [ 534.889765] R13: 0000561cd0239590 R14: 00007f0b9bd6f4a0 R15: 00007f0b9bd6e8a0 [ 534.889789] </TASK> [ 534.889796] Allocated by task 2711: [ 534.889800] kasan_save_stack+0x1b/0x40 [ 534.889805] __kasan_kmalloc+0x7c/0x90 [ 534.889810] sta_info_alloc+0x98/0x1ef0 [mac80211] [ 534.889874] ieee80211_prep_connection+0x30b/0x11e0 [mac80211] [ 534.889950] ieee80211_mgd_auth+0x529/0xe00 [mac80211] [ 534.890024] cfg80211_mlme_auth+0x332/0x6f0 [cfg80211] [ 534.890090] nl80211_authenticate+0x839/0xcf0 [cfg80211] [ 534.890147] genl_family_rcv_msg_doit+0x1f4/0x2f0 [ 534.890154] genl_rcv_msg+0x280/0x500 [ 534.890160] netlink_rcv_skb+0x11c/0x340 [ 534.890165] genl_rcv+0x1f/0x30 [ 534.890170] netlink_unicast+0x42b/0x700 [ 534.890176] netlink_sendmsg+0x71b/0xc60 [ 534.890181] sock_sendmsg+0xdf/0x110 [ 534.890187] ____sys_sendmsg+0x5c0/0x850 [ 534.890192] ___sys_sendmsg+0xe4/0x160 [ 534.890197] __sys_sendmsg+0xb2/0x140 [ 534.890202] do_syscall_64+0x3b/0x90 [ 534.890207] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 534.890215] Freed by task 2825: [ 534.890218] kasan_save_stack+0x1b/0x40 [ 534.890223] kasan_set_track+0x1c/0x30 [ 534.890227] kasan_set_free_info+0x20/0x30 [ 534.890232] __kasan_slab_free+0xce/0x100 [ 534.890237] slab_free_freelist_hook+0xf0/0x1a0 [ 534.890242] kfree+0xe5/0x370 [ 534.890248] __sta_info_flush+0x333/0x4b0 [mac80211] [ 534.890308] ieee80211_set_disassoc+0x324/0xd20 [mac80211] [ 534.890382] ieee80211_mgd_deauth+0x537/0xee0 [mac80211] [ 534.890472] cfg80211_mlme_deauth+0x349/0x810 [cfg80211] [ 534.890526] cfg80211_mlme_down+0x1ce/0x270 [cfg80211] [ 534.890578] cfg80211_disconnect+0x4f5/0x7b0 [cfg80211] [ 534.890631] cfg80211_leave+0x24/0x40 [cfg80211] [ 534.890677] wiphy_suspend+0x23d/0x2f0 [cfg80211] [ 534.890723] dpm_run_callback+0xf4/0x1b0 [ 534.890728] __device_suspend+0x648/0x10c0 [ 534.890733] async_suspend+0x16/0xe0 [ 534.890737] async_run_entry_fn+0x90/0x4f0 [ 534.890741] process_one_work+0x866/0x1490 [ 534.890747] worker_thread+0x596/0x1010 [ 534.890751] kthread+0x35d/0x420 [ 534.890756] ret_from_fork+0x22/0x30 [ 534.890763] The buggy address belongs to the object at ffff8881396ba000 which belongs to the cache kmalloc-8k of size 8192 [ 534.890767] The buggy address is located 4536 bytes inside of 8192-byte region [ffff8881396ba000, ffff8881396bc000) [ 534.890772] The buggy address belongs to the page: [ 534.890775] page:ffffea0004e5ae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1396b8 [ 534.890780] head:ffffea0004e5ae00 order:3 compound_mapcount:0 compound_pincount:0 [ 534.890784] flags: 0x200000000010200(slab|head|node=0|zone=2) [ 534.890791] raw: 0200000000010200 ffffea000562be08 ffffea0004b04c08 ffff88810004e340 [ 534.890795] raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000 [ 534.890798] page dumped because: kasan: bad access detected [ 534.890804] Memory state around the buggy address: [ 534.890807] ffff8881396bb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890811] ffff8881396bb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890814] >ffff8881396bb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890817] ^ [ 534.890821] ffff8881396bb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890824] ffff8881396bb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890827] ================================================================== [ 534.890830] Disabling lock debugging due to kernel taint Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Fixes: b4a0f541 ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") Signed-off-by:
Wen Gong <quic_wgong@quicinc.com> Signed-off-by:
-
P Praneesh authored
LDPC is one the FEC type advertised in msdu_start info2 for HT packet type. Hence, add hardware specific callback for fetching LDPC support from msdu start and enable RX_ENC_FLAG_LDPC flag while passing rx status to mac80211. Tested-on: IPQ8074 WLAN.HK.2.4.0.1-01467-QCAHKSWPL_SILICONZ-1 Signed-off-by:
P Praneesh <quic_ppranees@quicinc.com> Signed-off-by:
-
- 11 Jan, 2022 4 commits
-
-
Karthikeyan Periyasamy authored
When there is an error in peer create process from ath11k_peer_find(), the code attempts to handle a fallback for peer create. When this fallback fails, the driver returns the fallback return code rather than actual error code (-ENOENT). So refactor the fallback routine to return the actual error code. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01067-QCAHKSWPL_SILICONZ-1 Signed-off-by:
Karthikeyan Periyasamy <periyasa@codeaurora.org> Signed-off-by:
-
Aditya Kumar Singh authored
Currently, ath11k_core_alloc() creates a single thread workqueue. This workqueue is not detroyed during clean up when ath11k modules are unloaded from the kernel and is left as it is. If workqueue is not destroyed, it could lead to kernel memory scarcity in a longer run. This could affect self and other drivers workability as well. Add destroy workqueue in ath11k_core_free(). Tested on: IPQ8074 WLAN.HK.2.4.0.1-01746-QCAHKSWPL_SILICONZ-1 Signed-off-by:
Aditya Kumar Singh <quic_adisi@quicinc.com> Signed-off-by:
-
Wen Gong authored
In function ath10k_wow_convert_8023_to_80211(), it will do memcpy for the new->pattern, and currently the new->pattern and new->mask is same with the old, then the memcpy of new->pattern will also overwrite the old->pattern, because the header format of new->pattern is 802.11, its length is larger than the old->pattern which is 802.3. Then the operation of "Copy frame body" will copy a mistake value because the body memory has been overwrite when memcpy the new->pattern. Assign another empty value to new_pattern to avoid the overwrite issue. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049 Fixes: fa3440fa ("ath10k: convert wow pattern from 802.3 to 802.11") Signed-off-by:
-
Yang Yingliang authored
The node pointer is returned by of_find_node_by_type() or of_parse_phandle() with refcount incremented. Calling of_node_put() to aovid the refcount leak. Fixes: 6ac04bdc ("ath11k: Use reserved host DDR addresses from DT for PCI devices") Reported-by:
Hulk Robot <hulkci@huawei.com> Signed-off-by:
Yang Yingliang <yangyingliang@huawei.com> Signed-off-by:
-
- 10 Jan, 2022 14 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netJakub Kicinski authored
Merge in fixes directly in prep for the 5.17 merge window. No conflicts. Signed-off-by:Jakub Kicinski <kuba@kernel.org>
-
Benjamin Yim authored
After this parameter is passed in, there is no usage, and deleting it will not bring any impact. Reviewed-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
Benjamin Yim <yan2228598786@gmail.com> Link: https://lore.kernel.org/r/20220109130824.2776-1-yan2228598786@gmail.comSigned-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. So, if dma_set_mask_and_coherent() succeeds, 'pci_using_dac' is known to be 1. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. So, if dma_set_mask_and_coherent() succeeds, 'pci_using_dac' is known to be 1. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. So, if dma_set_mask_and_coherent() succeeds, 'highdma' is known to be true. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. So, if dma_set_mask_and_coherent() succeeds, 'pci_using_dac' is known to be 1. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. Moreover, dma_set_mask_and_coherent() returns 0 or -EIO, so the return code of the function can be used directly. Finally, inline bnx2x_set_coherency_mask() because it is now only a wrapper for a single dma_set_mask_and_coherent() call. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. Moreover, dma_set_mask_and_coherent() returns 0 or -EIO, so the return code of the function can be used directly. There is no need to 'rc = -EIO' explicitly. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. So if dma_set_mask_and_coherent() succeeds, 'netdev->features' will have NETIF_F_HIGHDMA in all cases. Move the assignment of this feature in be_netdev_init() instead be_probe() which is a much logical place. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
Christophe JAILLET authored
As stated in [1], dma_set_mask() with a 64-bit mask never fails if dev->dma_mask is non-NULL. So, if it fails, the 32 bits case will also fail for the same reason. So if dma_set_mask_and_coherent() succeeds, 'dma64' is know to be 'true'. Simplify code and remove some dead code accordingly. [1]: https://lkml.org/lkml/2021/6/7/398Signed-off-by:
-
