1. 25 Jun, 2019 21 commits
    • Yan-Hsuan Chuang's avatar
      rtw88: 8822c: disable rx clock gating before counter reset · e0274466
      Yan-Hsuan Chuang authored
      Driver Could fail to reset counter if rx clock gating is not disabled.
      So we need to disable rx clock gating before resetting counters.
      Otherwise counters may increase unexpected.
      Signed-off-by: default avatarYan-Hsuan Chuang <yhchuang@realtek.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      e0274466
    • Chien-Hsun Liao's avatar
      rtw88: 8822c: update channel and bandwidth BB setting · f859e71f
      Chien-Hsun Liao authored
      In 2G channels, the cck source and rxagc should be set to different
      values based on different bandwidth to increase the performance of rx
      sensitivity.
      
      To improve rx throughput performance, the values of sbd subtune and
      pt_opt should be changed in different bandwidth.
      Signed-off-by: default avatarChien-Hsun Liao <ben.liao@realtek.com>
      Signed-off-by: default avatarYan-Hsuan Chuang <yhchuang@realtek.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      f859e71f
    • Chien-Hsun Liao's avatar
      rtw88: 8822c: add rf write protection when switching channel · 818d46e7
      Chien-Hsun Liao authored
      Collision of writing rf registers could occur if the driver writes
      rf registers by direct write while the hardware is writing other rf
      registers by pi write simultaneously.
      
      Hardware pi write can be triggered by rf calibrations sometimes, so
      the driver can not always write rf registers by direct write
      protection. Direct write protection can make sure that there is no
      hardware pi write during the direct write.
      
      According to some experiments, if we add direct write protection
      when switching channel, the performance of rf calibration will not
      be affected.
      Signed-off-by: default avatarChien-Hsun Liao <ben.liao@realtek.com>
      Signed-off-by: default avatarYan-Hsuan Chuang <yhchuang@realtek.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      818d46e7
    • Chin-Yen Lee's avatar
      rtw88: add beacon function setting · 6fabdc4a
      Chin-Yen Lee authored
      Add beacon function setting routines for each hardware port.
      If beacon function is not enabled, the hardware is not able
      to synchronize with AP's beacon and can miss the beacons
      under some scenarios such as PS mode.
      
      For AP and Adhoc modes that require to send beacons, do not
      update the TSF, otherwise the beacon interval may be affected.
      Signed-off-by: default avatarChin-Yen Lee <timlee@realtek.com>
      Signed-off-by: default avatarYan-Hsuan Chuang <yhchuang@realtek.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      6fabdc4a
    • Yan-Hsuan Chuang's avatar
      rtw88: add support for random mac scan · 44cc4c63
      Yan-Hsuan Chuang authored
      When driver uses random mac address to scan, the unicast probe response
      will not be received because the addr1 is not matched. Configure port
      address by requested mac address to receive probe response from AP.
      
      To support random mac scan, we need to configure the mac address during
      scan period to receive unicast prop_resp. After scan is completed,
      configure the mac address back to the original one that the port used.
      Signed-off-by: default avatarYan-Hsuan Chuang <yhchuang@realtek.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      44cc4c63
    • Yan-Hsuan Chuang's avatar
      rtw88: add fast xmit support · e6fec313
      Yan-Hsuan Chuang authored
      With dynamic power save support, rtw88 is able to support fast tx
      path, claim it to mac80211.
      Signed-off-by: default avatarYan-Hsuan Chuang <yhchuang@realtek.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      e6fec313
    • Greg Kroah-Hartman's avatar
      iwlegacy: 4965: no need to check return value of debugfs_create functions · ffb92649
      Greg Kroah-Hartman authored
      When calling debugfs functions, there is no need to ever check the
      return value.  This driver was saving the debugfs file away to be
      removed at a later time.  However, the 80211 core would delete the whole
      directory that the debugfs files are created in, after it asks the
      driver to do the deletion, so just rely on the 80211 core to do all of
      the cleanup for us, making us not need to keep a pointer to the dentries
      around at all.
      
      This cleans up the structure of the driver data a bit and makes the code
      a tiny bit smaller.
      
      Cc: Stanislaw Gruszka <sgruszka@redhat.com>
      Cc: Kalle Valo <kvalo@codeaurora.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: linux-wireless@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      ffb92649
    • Greg Kroah-Hartman's avatar
      iwlegacy: 3945: no need to check return value of debugfs_create functions · f503c769
      Greg Kroah-Hartman authored
      When calling debugfs functions, there is no need to ever check the
      return value.  This driver was saving the debugfs file away to be
      removed at a later time.  However, the 80211 core would delete the whole
      directory that the debugfs files are created in, after it asks the
      driver to do the deletion, so just rely on the 80211 core to do all of
      the cleanup for us, making us not need to keep a pointer to the dentries
      around at all.
      
      This cleans up the structure of the driver data a bit and makes the code
      a tiny bit smaller.
      
      Cc: Stanislaw Gruszka <sgruszka@redhat.com>
      Cc: Kalle Valo <kvalo@codeaurora.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: linux-wireless@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      f503c769
    • Michael Büsch's avatar
      ssb/gpio: Remove unnecessary WARN_ON from driver_gpio · e73e4324
      Michael Büsch authored
      The WARN_ON triggers on older BCM4401-B0 100Base-TX ethernet controllers.
      The warning serves no purpose. So let's just remove it.
      Reported-by: default avatarH Buus <ubuntu@hbuus.com>
      Signed-off-by: default avatarMichael Büsch <m@bues.ch>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      e73e4324
    • Colin Ian King's avatar
      rtlwifi: rtl8188ee: remove redundant assignment to rtstatus · 25a986e4
      Colin Ian King authored
      Variable rtstatus is being initialized with a value that is never read
      as rtstatus is being re-assigned a little later on. The assignment is
      redundant and hence can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      25a986e4
    • Gustavo A. R. Silva's avatar
      qtnfmac: Use struct_size() in kzalloc() · 9a1ace64
      Gustavo A. R. Silva authored
      One of the more common cases of allocation size calculations is finding
      the size of a structure that has a zero-sized array at the end, along
      with memory for some number of elements for that array. For example:
      
      struct ieee80211_regdomain {
      	...
              struct ieee80211_reg_rule reg_rules[];
      };
      
      instance = kzalloc(sizeof(*mac->rd) +
                                sizeof(struct ieee80211_reg_rule) *
                                count, GFP_KERNEL);
      
      Instead of leaving these open-coded and prone to type mistakes, we can
      now use the new struct_size() helper:
      
      instance = kzalloc(struct_size(instance, reg_rules, count), GFP_KERNEL);
      
      This code was detected with the help of Coccinelle.
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: default avatarSergey Matyukevich <sergey.matyukevich.os@quantenna.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      9a1ace64
    • Lorenzo Bianconi's avatar
      mt7601u: fix possible memory leak when the device is disconnected · 23377c20
      Lorenzo Bianconi authored
      When the device is disconnected while passing traffic it is possible
      to receive out of order urbs causing a memory leak since the skb linked
      to the current tx urb is not removed. Fix the issue deallocating the skb
      cleaning up the tx ring. Moreover this patch fixes the following kernel
      warning
      
      [   57.480771] usb 1-1: USB disconnect, device number 2
      [   57.483451] ------------[ cut here ]------------
      [   57.483462] TX urb mismatch
      [   57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
      [   57.483483] Modules linked in:
      [   57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
      [   57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
      [   57.483502] Workqueue: usb_hub_wq hub_event
      [   57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
      [   57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
      [   57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
      [   57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
      [   57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
      [   57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
      [   57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
      [   57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
      [   57.483548] FS:  0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
      [   57.483550] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
      [   57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   57.483559] Call Trace:
      [   57.483561]  <IRQ>
      [   57.483565]  __usb_hcd_giveback_urb+0x77/0xe0
      [   57.483570]  xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
      [   57.483574]  handle_cmd_completion+0xf5b/0x12c0
      [   57.483577]  xhci_irq+0x1f6/0x1810
      [   57.483581]  ? lockdep_hardirqs_on+0x9e/0x180
      [   57.483584]  ? _raw_spin_unlock_irq+0x24/0x30
      [   57.483588]  __handle_irq_event_percpu+0x3a/0x260
      [   57.483592]  handle_irq_event_percpu+0x1c/0x60
      [   57.483595]  handle_irq_event+0x2f/0x4c
      [   57.483599]  handle_edge_irq+0x7e/0x1a0
      [   57.483603]  handle_irq+0x17/0x20
      [   57.483607]  do_IRQ+0x54/0x110
      [   57.483610]  common_interrupt+0xf/0xf
      [   57.483612]  </IRQ>
      Acked-by: default avatarJakub Kicinski <kubakici@wp.pl>
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      23377c20
    • Lorenzo Bianconi's avatar
      mt7601u: do not schedule rx_tasklet when the device has been disconnected · 4079e8cc
      Lorenzo Bianconi authored
      Do not schedule rx_tasklet when the usb dongle is disconnected.
      Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb
      can run concurrently with urb completion and we can unlink urbs from rx
      ring in any order.
      This patch fixes the common kernel warning reported when
      the device is removed.
      
      [   24.921354] usb 3-14: USB disconnect, device number 7
      [   24.921593] ------------[ cut here ]------------
      [   24.921594] RX urb mismatch
      [   24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
      [   24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G           OE     4.19.31-041931-generic #201903231635
      [   24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014
      [   24.921782] Workqueue: usb_hub_wq hub_event
      [   24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
      [   24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086
      [   24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006
      [   24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420
      [   24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8
      [   24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c
      [   24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000
      [   24.921807] FS:  0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000
      [   24.921808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0
      [   24.921809] Call Trace:
      [   24.921812]  <IRQ>
      [   24.921819]  __usb_hcd_giveback_urb+0x8b/0x140
      [   24.921821]  usb_hcd_giveback_urb+0xca/0xe0
      [   24.921828]  xhci_giveback_urb_in_irq.isra.42+0x82/0xf0
      [   24.921834]  handle_cmd_completion+0xe02/0x10d0
      [   24.921837]  xhci_irq+0x274/0x4a0
      [   24.921838]  xhci_msi_irq+0x11/0x20
      [   24.921851]  __handle_irq_event_percpu+0x44/0x190
      [   24.921856]  handle_irq_event_percpu+0x32/0x80
      [   24.921861]  handle_irq_event+0x3b/0x5a
      [   24.921867]  handle_edge_irq+0x80/0x190
      [   24.921874]  handle_irq+0x20/0x30
      [   24.921889]  do_IRQ+0x4e/0xe0
      [   24.921891]  common_interrupt+0xf/0xf
      [   24.921892]  </IRQ>
      [   24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180
      [   24.921354] usb 3-14: USB disconnect, device number 7
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      4079e8cc
    • Colin Ian King's avatar
      rtlwifi: remove redundant assignment to variable k · f0822dfc
      Colin Ian King authored
      The assignment of 0 to variable k is never read once we break out of
      the loop, so the assignment is redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      f0822dfc
    • Colin Ian King's avatar
      rtlwifi: remove redundant assignment to variable badworden · 5315f9d4
      Colin Ian King authored
      The variable badworden is assigned with a value that is never read and
      it is re-assigned a new value immediately afterwards.  The assignment is
      redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      5315f9d4
    • Ping-Ke Shih's avatar
      rtlwifi: rtl8192cu: fix error handle when usb probe failed · 6c0ed66f
      Ping-Ke Shih authored
      rtl_usb_probe() must do error handle rtl_deinit_core() only if
      rtl_init_core() is done, otherwise goto error_out2.
      
      | usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
      | rtl_usb: reg 0xf0, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
      | rtl8192cu: Chip version 0x10
      | rtl_usb: reg 0xa, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
      | rtl_usb: Too few input end points found
      | INFO: trying to register non-static key.
      | the code is fine but needs lockdep annotation.
      | turning off the locking correctness validator.
      | CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
      | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      | Google 01/01/2011
      | Workqueue: usb_hub_wq hub_event
      | Call Trace:
      |   __dump_stack lib/dump_stack.c:77 [inline]
      |   dump_stack+0xe8/0x16e lib/dump_stack.c:113
      |   assign_lock_key kernel/locking/lockdep.c:786 [inline]
      |   register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
      |   __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
      |   lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
      |   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
      |   _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
      |   rtl_c2hcmd_launcher+0xd1/0x390
      | drivers/net/wireless/realtek/rtlwifi/base.c:2344
      |   rtl_deinit_core+0x25/0x2d0 drivers/net/wireless/realtek/rtlwifi/base.c:574
      |   rtl_usb_probe.cold+0x861/0xa70
      | drivers/net/wireless/realtek/rtlwifi/usb.c:1093
      |   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
      |   really_probe+0x2da/0xb10 drivers/base/dd.c:509
      |   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
      |   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
      |   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
      |   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
      |   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
      |   device_add+0xad2/0x16e0 drivers/base/core.c:2106
      |   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
      |   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
      |   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
      |   really_probe+0x2da/0xb10 drivers/base/dd.c:509
      |   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
      |   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
      |   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
      |   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
      |   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
      |   device_add+0xad2/0x16e0 drivers/base/core.c:2106
      |   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
      |   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
      |   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
      |   port_event drivers/usb/core/hub.c:5350 [inline]
      |   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
      |   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
      |   worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
      |   kthread+0x313/0x420 kernel/kthread.c:253
      |   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      
      Reported-by: syzbot+1fcc5ef45175fc774231@syzkaller.appspotmail.com
      Signed-off-by: default avatarPing-Ke Shih <pkshih@realtek.com>
      Acked-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      6c0ed66f
    • Swati Kushwaha's avatar
      mwifiex: ignore processing invalid command response · 74f202aa
      Swati Kushwaha authored
      Firmware can send invalid command response, the processing of
      which can attempt to modify unexpected context and cause issues.
      To fix this, driver should check that the command response ID is
      same as the one it downloaded, and ignore processing of invalid
      response.
      Signed-off-by: default avatarSwati Kushwaha <swatiuma@marvell.com>
      Signed-off-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      74f202aa
    • Sharvari Harisangam's avatar
      mwifiex: update set_mac_address logic · 7afb94da
      Sharvari Harisangam authored
      In set_mac_address, driver check for interfaces with same bss_type
      For first STA entry, this would return 3 interfaces since all priv's have
      bss_type as 0 due to kzalloc. Thus mac address gets changed for STA
      unexpected. This patch adds check for first STA and avoids mac address
      change. This patch also adds mac_address change for p2p based on bss_num
      type.
      Signed-off-by: default avatarSharvari Harisangam <sharvari@marvell.com>
      Signed-off-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      7afb94da
    • Brian Norris's avatar
      mwifiex: print PCI mmap with %pK · 2fc0aa45
      Brian Norris authored
      Unadorned '%p' has restrictive policies these days, such that it usually
      just prints garbage at early boot (see
      Documentation/core-api/printk-formats.rst, "kernel will print
      ``(ptrval)`` until it gathers enough entropy"). Annotating with %pK
      (for "kernel pointer") allows the kptr_restrict sysctl to control
      printing policy better.
      
      We might just as well drop this message entirely, but this fix was easy
      enough for now.
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      2fc0aa45
    • Brian Norris's avatar
      mwifiex: drop 'set_consistent_dma_mask' log message · f7369179
      Brian Norris authored
      This message is pointless.
      
      While we're at it, include the error code in the error message, which is
      not pointless.
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      f7369179
    • Alan Stern's avatar
      p54usb: Fix race between disconnect and firmware loading · 6e41e225
      Alan Stern authored
      The syzbot fuzzer found a bug in the p54 USB wireless driver.  The
      issue involves a race between disconnect and the firmware-loader
      callback routine, and it has several aspects.
      
      One big problem is that when the firmware can't be loaded, the
      callback routine tries to unbind the driver from the USB _device_ (by
      calling device_release_driver) instead of from the USB _interface_ to
      which it is actually bound (by calling usb_driver_release_interface).
      
      The race involves access to the private data structure.  The driver's
      disconnect handler waits for a completion that is signalled by the
      firmware-loader callback routine.  As soon as the completion is
      signalled, you have to assume that the private data structure may have
      been deallocated by the disconnect handler -- even if the firmware was
      loaded without errors.  However, the callback routine does access the
      private data several times after that point.
      
      Another problem is that, in order to ensure that the USB device
      structure hasn't been freed when the callback routine runs, the driver
      takes a reference to it.  This isn't good enough any more, because now
      that the callback routine calls usb_driver_release_interface, it has
      to ensure that the interface structure hasn't been freed.
      
      Finally, the driver takes an unnecessary reference to the USB device
      structure in the probe function and drops the reference in the
      disconnect handler.  This extra reference doesn't accomplish anything,
      because the USB core already guarantees that a device structure won't
      be deallocated while a driver is still bound to any of its interfaces.
      
      To fix these problems, this patch makes the following changes:
      
      	Call usb_driver_release_interface() rather than
      	device_release_driver().
      
      	Don't signal the completion until after the important
      	information has been copied out of the private data structure,
      	and don't refer to the private data at all thereafter.
      
      	Lock udev (the interface's parent) before unbinding the driver
      	instead of locking udev->parent.
      
      	During the firmware loading process, take a reference to the
      	USB interface instead of the USB device.
      
      	Don't take an unnecessary reference to the device during probe
      	(and then don't drop it during disconnect).
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Acked-by: default avatarChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      6e41e225
  2. 28 May, 2019 19 commits