1. 01 May, 2019 1 commit
    • brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() · e025da3d
      Dan Carpenter authored
      If "ret_len" is negative then it could lead to a NULL dereference.
      
      The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
      then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
      brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
      Most of the functions in that call tree check whether the buffer we pass
      is NULL but there are at least a couple places which don't such as
      brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
      from the buffer so it would result in a NULL dereference.
      
      The fix is to change the types so that "ret_len" can't be negative.  (If
      we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
      issue).
      
      Fixes: 1bacb048 ("brcmfmac: replace cfg80211 testmode with vendor command")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
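
The type problem described in the brcm80211 commit above, reduced to a user-space C sketch (an added example, not the driver's code or the patch itself). `struct seen`, the two handler functions and the `DCMD_MAX` cap are hypothetical; the sketch records what a callee taking `(buf, u32 len)` would be handed instead of dereferencing anything.

```c
#include <stdint.h>
#include <stdlib.h>

#define DCMD_MAX 1024u  /* constructed cap for this sketch, not from the commit */

/* What a callee with a (buf, u32 len) signature would be handed. */
struct seen { int buf_is_null; uint32_t len; int rejected; };

/* Before: the length is signed. A negative value skips the allocation,
 * then converts to a very large u32 at the call boundary. */
static struct seen handler_signed(int ret_len)
{
    struct seen s = { 1, 0, 0 };
    void *dcmd_buf = NULL;

    if (ret_len > 0) {
        dcmd_buf = calloc(1, (size_t)ret_len);
        if (!dcmd_buf) { s.rejected = 1; return s; }
    }
    s.buf_is_null = (dcmd_buf == NULL);
    s.len = (uint32_t)ret_len;          /* -1 becomes 0xffffffff */
    free(dcmd_buf);
    return s;
}

/* After: the length is unsigned, so a NULL buffer can only pair with
 * len == 0. The same bit pattern now shows up as an oversized request,
 * which this sketch rejects against its constructed cap. */
static struct seen handler_unsigned(unsigned int ret_len)
{
    struct seen s = { 1, 0, 0 };
    void *dcmd_buf = NULL;

    if (ret_len > DCMD_MAX) { s.rejected = 1; return s; }
    if (ret_len > 0) {
        dcmd_buf = calloc(1, ret_len);
        if (!dcmd_buf) { s.rejected = 1; return s; }
    }
    s.buf_is_null = (dcmd_buf == NULL);
    s.len = ret_len;
    free(dcmd_buf);
    return s;
}

int main(void)
{
    struct seen a = handler_signed(-1);
    struct seen b = handler_unsigned((unsigned int)-1);
    /* exit status 0 when the before/after behaviour is as described */
    return !(a.buf_is_null && a.len == UINT32_MAX && b.rejected);
}
```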
  2. 30 Apr, 2019 1 commit
    • rtw88: new Realtek 802.11ac driver · e3037485
      Yan-Hsuan Chuang authored
      This is a new mac80211 driver for Realtek 802.11ac wireless network chips.
      rtw88 supports RTL8822BE/RTL8822CE now, with basic station mode
      functionalities. The firmware for both can be found at linux-firmware.
      
      https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git
      For RTL8822BE: rtw88/rtw8822b_fw.bin
      For RTL8822CE: rtw88/rtw8822c_fw.bin
      
      And for now, only PCI buses (RTL8xxxE) are supported. We will add support
      for USB and SDIO in the future. The bus interface abstraction can be seen
      in this driver such as hci.h. Most of the hardware settings are the same,
      except that some TRX path or probing setup should be separated.
      
      Supported:
      
       * Basic STA/AP/ADHOC mode, and TDLS (STA is well tested)
      
      Missing features:
      
       * WOW/PNO
       * USB & SDIO bus (such as RTL8xxxU/RTL8xxxS)
       * BT coexistence (8822B/8822C are combo ICs)
       * Multiple interfaces (for now single STA is better supported)
       * Dynamic hardware calibrations (to improve/stabilize performance)
      
      Potential problems:
      
       * Static calibration takes too much time, and it is painful for the
         driver to leave the IDLE state. It also slows down the association
         process. But a reload function is under development and will be
         added soon!
       * TRX statistics are misleading, as we are not reporting status correctly,
         or say, not reporting for "every" packet.
      
      The next patch set should have BT coexistence code since RTL8822B/C are
      combo ICs, and the driver for BT can be found after Linux Kernel v4.20.
      So it is better to add it first to make WiFi + BT work concurrently.
      
      Although rtw88 is simple now, we are developing more features for it.
      We even want to add support for more chips such as RTL8821C/RTL8814B.
      
      Finally, rtw88 has many authors, listed alphabetically:
      
      Ping-Ke Shih <pkshih@realtek.com>
      Tzu-En Huang <tehuang@realtek.com>
      Yan-Hsuan Chuang <yhchuang@realtek.com>
      Reviewed-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Reviewed-by: Brian Norris <briannorris@chromium.org>
      Tested-by: Brian Norris <briannorris@chromium.org>
      Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  3. 29 Apr, 2019 17 commits
  4. 26 Apr, 2019 6 commits
  5. 25 Apr, 2019 15 commits
    • wlcore: simplify/fix/optimize reg_ch_conf_pending operations · 147b502b
      Paolo Bonzini authored
      Bitmaps are defined on unsigned longs, so the usage of u32[2] in the
      wlcore driver is incorrect.  As noted by Peter Zijlstra, casting arrays
      to a bitmap is incorrect for big-endian architectures.
      
      When looking at it I observed that:
      
      - operations on reg_ch_conf_pending are always under the wl_lock mutex,
      so set_bit is overkill
      
      - the only case where reg_ch_conf_pending is accessed a u32 at a time is
      unnecessary too.
      
      This patch cleans up everything in this area, and changes tmp_ch_bitmap
      to have the proper alignment.
      Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: Fenghua Yu <fenghua.yu@intel.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • Revert "brcmfmac: send mailbox interrupt twice for specific hardware device" · 324f1feb
      Kalle Valo authored
      This reverts commit 99d94ef3. I accidentally
      applied this broken (failed to compile) patch due to a bug in my patchwork
      script.
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • brcmfmac: send mailbox interrupt twice for specific hardware device · 99d94ef3
      Wright Feng authored
      For PCIE wireless device with core revision less than 14, device may miss
      PCIE to System Backplane Interrupt via PCIEtoSBMailbox. So add sending
      mail box interrupt twice as a hardware workaround.
      Signed-off-by: Wright Feng <wright.feng@cypress.com>
      Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • rt2x00: add RT3883 support · d0e61a0f
      Gabor Juhos authored
      Patch adds support for RT3883 chip. Code was taken directly
      from openwrt project and merged into one patch.
      Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
      Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • brcmfmac: Add DMI nvram filename quirk for ACEPC T8 and T11 mini PCs · b1a0ba8f
      Hans de Goede authored
      The ACEPC T8 and T11 mini PCs contain quite generic names in the sys_vendor
      and product_name DMI strings, without this patch brcmfmac will try to load:
      "brcmfmac43455-sdio.Default string-Default string.txt" as nvram file which
      is way too generic.
      
      The DMI strings on which we are matching are somewhat generic too, but
      "To be filled by O.E.M." is less common than "Default string" and the
      system-sku and bios-version strings are pretty unique. Beside the DMI
      strings we also check the wifi-module chip-id and revision. I'm confident
      that the combination of all this is unique.
      
      Both the T8 and T11 use the same wifi-module, this commit adds DMI
      quirks for both mini PCs pointing to brcmfmac43455-sdio.acepc-t8.txt .
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1690852
      Cc: stable@vger.kernel.org
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • p54: drop device reference count if fails to enable device · 8149069d
      Pan Bian authored
      The function p54p_probe takes an extra reference count of the PCI
      device. However, the extra reference count is not dropped when it fails
      to enable the PCI device. This patch fixes the bug.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Pan Bian <bianpan2016@163.com>
      Acked-by: Christian Lamparter <chunkeey@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • rtlwifi: rtl8723ae: Fix missing break in switch statement · 84242b82
      Gustavo A. R. Silva authored
      Add missing break statement in order to prevent the code from falling
      through to case 0x1025, and erroneously setting rtlhal->oem_id to
      RT_CID_819X_ACER when rtlefuse->eeprom_svid is equal to 0x10EC and
      none of the cases in switch (rtlefuse->eeprom_smid) match.
      
      This bug was found thanks to the ongoing efforts to enable
      -Wimplicit-fallthrough.
      
      Fixes: 238ad2dd ("rtlwifi: rtl8723ae: Clean up the hardware info routine")
      Cc: stable@vger.kernel.org
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • mwifiex: fix spelling mistake "capabilties" -> "capabilities" · 3b989e58
      Colin Ian King authored
      There are various spelling mistakes in function names and in message
      text. Fix these.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • iwlegacy: fix spelling mistake "acumulative" -> "accumulative" · b9574ce1
      Colin Ian King authored
      Fix spelling mistakes in rx stats text. I missed these from an earlier
      round of fixing the same spelling mistake.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • mwifiex: add support for SD8987 chipset · 938c7c80
      Tamás Szűcs authored
      This patch adds support for Marvell 88W8987 chipset with SDIO interface.
      Register offsets and supported feature flags are updated. The corresponding
      firmware image file shall be "mrvl/sd8987_uapsta.bin".
      Signed-off-by: Tamás Szűcs <tszucs@protonmail.ch>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • mwl8k: Fix rate_idx underflow · 6b583201
      Petr Štetiar authored
      It was reported on OpenWrt bug tracking system[1], that several users
      are affected by the endless reboot of their routers if they configure
      5GHz interface with channel 44 or 48.
      
      The reboot loop is caused by the following excessive number of WARN_ON
      messages:
      
       WARNING: CPU: 0 PID: 0 at backports-4.19.23-1/net/mac80211/rx.c:4516
                                   ieee80211_rx_napi+0x1fc/0xa54 [mac80211]
      
      as the messages are being correctly emitted by the following guard:
      
       case RX_ENC_LEGACY:
            if (WARN_ON(status->rate_idx >= sband->n_bitrates))
      
      as the rate_idx is in this case erroneously set to 251 (0xfb). This fix
      simply converts previously used magic number to proper constant and
      guards against subtraction which is leading to the currently observed
      underflow.
      
      1. https://bugs.openwrt.org/index.php?do=details&task_id=2218
      
      Fixes: 85478344 ("mwl8k: properly set receive status rate index on 5 GHz receive")
      Cc: <stable@vger.kernel.org>
      Tested-by: Eubert Bao <bunnier@gmail.com>
      Reported-by: Eubert Bao <bunnier@gmail.com>
      Signed-off-by: Petr Štetiar <ynezz@true.cz>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • at76c50x-usb: Don't register led_trigger if usb_register_driver failed · 09ac2694
      YueHaibing authored
      Syzkaller reports this:
      
      [ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338
      [ 1213.469530] #PF error: [normal kernel read fault]
      [ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0
      [ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI
      [ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
      [ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      [ 1213.473514] RIP: 0010:strcmp+0x31/0xa0
      [ 1213.473514] Call Trace:
      [ 1213.473514]  led_trigger_register+0x112/0x3f0
      [ 1213.473514]  led_trigger_register_simple+0x7a/0x110
      [ 1213.473514]  ? 0xffffffffc1c10000
      [ 1213.473514]  at76_mod_init+0x77/0x1000 [at76c50x_usb]
      [ 1213.473514]  do_one_initcall+0xbc/0x47d
      [ 1213.473514]  ? perf_trace_initcall_level+0x3a0/0x3a0
      [ 1213.473514]  ? kasan_unpoison_shadow+0x30/0x40
      [ 1213.473514]  ? kasan_unpoison_shadow+0x30/0x40
      [ 1213.473514]  do_init_module+0x1b5/0x547
      [ 1213.473514]  load_module+0x6405/0x8c10
      [ 1213.473514]  ? module_frob_arch_sections+0x20/0x20
      [ 1213.473514]  ? kernel_read_file+0x1e6/0x5d0
      [ 1213.473514]  ? find_held_lock+0x32/0x1c0
      [ 1213.473514]  ? cap_capable+0x1ae/0x210
      [ 1213.473514]  ? __do_sys_finit_module+0x162/0x190
      [ 1213.473514]  __do_sys_finit_module+0x162/0x190
      [ 1213.473514]  ? __ia32_sys_init_module+0xa0/0xa0
      [ 1213.473514]  ? __mutex_unlock_slowpath+0xdc/0x690
      [ 1213.473514]  ? wait_for_completion+0x370/0x370
      [ 1213.473514]  ? vfs_write+0x204/0x4a0
      [ 1213.473514]  ? do_syscall_64+0x18/0x450
      [ 1213.473514]  do_syscall_64+0x9f/0x450
      [ 1213.473514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      If usb_register failed, no need to call led_trigger_register_simple.
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Fixes: 1264b951 ("at76c50x-usb: add driver")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • mwl8k: fix error handling in mwl8k_post_cmd() · d1717282
      Alexey Khoroshilov authored
      If pci_map_single() fails in mwl8k_post_cmd(),
      it returns -ENOMEM immediately, while cleanup is required.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • b43: Remove empty function lpphy_papd_cal() · b25105e1
      Larry Finger authored
      In commit d825db346270e ("b43: shut up clang -Wuninitialized variable
      warning"), the message noted that function lpphy_papd_cal() was empty
      and had an old TODO regarding its implementation. As the reverse
      engineering project that created the LP-PHY version of this driver
      has not been active for some time, it is safe to remove this empty
      function.
      Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • mwifiex: prevent an array overflow · b4c35c17
      Dan Carpenter authored
      The "rate_index" is only used as an index into the phist_data->rx_rate[]
      array in the mwifiex_hist_data_set() function.  That array has
      MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
      debugfs information.  The "rate_index" variable comes from the network
      skb->data[] and it is a u8 so it's in the 0-255 range.  We need to cap
      it to prevent an array overflow.
      
      Fixes: cbf6e055 ("mwifiex: add rx histogram statistics support")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
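
The two u8 index problems fixed in the mwl8k "rate_idx underflow" and mwifiex "array overflow" commits above, as a user-space C sketch (an added example, not code from either patch). The offset of 5 and the band size of 8 are assumptions chosen to reproduce the 251 (0xfb) value from the commit message; the function names are hypothetical, and clamping to the last slot is one possible capping policy.

```c
#include <stdint.h>

#define LEGACY_5G_OFFSET 5u   /* assumed: the offset for which 0 wraps to 0xfb */
#define N_BITRATES_5G    8u   /* constructed band size for the guard below */
#define MAX_RX_RATES     74u  /* MWIFIEX_MAX_AC_RX_RATES, per the commit text */

/* Before: unconditional u8 subtraction wraps when the input is below
 * the offset, producing an index far outside the bitrate table. */
static uint8_t rate_idx_before(uint8_t hw_rate)
{
    return (uint8_t)(hw_rate - LEGACY_5G_OFFSET);
}

/* After: subtract only when the result cannot wrap. */
static uint8_t rate_idx_after(uint8_t hw_rate)
{
    if (hw_rate >= LEGACY_5G_OFFSET)
        hw_rate = (uint8_t)(hw_rate - LEGACY_5G_OFFSET);
    return hw_rate;
}

/* The consumer-side condition quoted in the commit, as a predicate:
 * nonzero means the index is inside the band's bitrate table. */
static int passes_guard(uint8_t rate_idx)
{
    return rate_idx < N_BITRATES_5G;
}

/* Histogram indexed by a value taken from packet data (0-255). */
static uint32_t rx_rate[MAX_RX_RATES];

/* Cap the wire-supplied index before using it; returns the slot used. */
static uint8_t hist_record(uint8_t rate_index)
{
    if (rate_index >= MAX_RX_RATES)
        rate_index = (uint8_t)(MAX_RX_RATES - 1);
    rx_rate[rate_index]++;
    return rate_index;
}

int main(void)
{
    /* exit status 0 when the wrap, the guard and the cap behave as described */
    return !(rate_idx_before(0) == 251 && !passes_guard(251) &&
             passes_guard(rate_idx_after(0)) && hist_record(255) == 73);
}
```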