2011-03-22 08:00:50 +07:00
|
|
|
/*
|
|
|
|
* Marvell Wireless LAN device driver: major functions
|
|
|
|
*
|
2014-06-20 11:38:57 +07:00
|
|
|
* Copyright (C) 2011-2014, Marvell International Ltd.
|
2011-03-22 08:00:50 +07:00
|
|
|
*
|
|
|
|
* This software file (the "File") is distributed by Marvell International
|
|
|
|
* Ltd. under the terms of the GNU General Public License Version 2, June 1991
|
|
|
|
* (the "License"). You may use, redistribute and/or modify this File in
|
|
|
|
* accordance with the terms and conditions of the License, a copy of which
|
|
|
|
* is available by writing to the Free Software Foundation, Inc.,
|
|
|
|
* 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or on the
|
|
|
|
* worldwide web at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
|
|
|
|
*
|
|
|
|
* THE FILE IS DISTRIBUTED AS-IS, WITHOUT WARRANTY OF ANY KIND, AND THE
|
|
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
|
|
|
|
* ARE EXPRESSLY DISCLAIMED. The License provides additional details about
|
|
|
|
* this warranty disclaimer.
|
|
|
|
*/
|
|
|
|
|
2017-02-24 13:24:31 +07:00
|
|
|
#include <linux/suspend.h>
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
#include "main.h"
|
|
|
|
#include "wmm.h"
|
|
|
|
#include "cfg80211.h"
|
|
|
|
#include "11n.h"
|
|
|
|
|
|
|
|
#define VERSION "1.0"
|
2016-09-02 14:35:06 +07:00
|
|
|
#define MFG_FIRMWARE "mwifiex_mfg.bin"
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2015-05-12 02:18:18 +07:00
|
|
|
static unsigned int debug_mask = MWIFIEX_DEFAULT_DEBUG_MASK;
|
|
|
|
module_param(debug_mask, uint, 0);
|
|
|
|
MODULE_PARM_DESC(debug_mask, "bitmap for debug flags");
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
const char driver_version[] = "mwifiex " VERSION " (%s) ";
|
2013-05-18 07:50:25 +07:00
|
|
|
static char *cal_data_cfg;
|
|
|
|
module_param(cal_data_cfg, charp, 0);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2014-11-05 21:08:11 +07:00
|
|
|
static unsigned short driver_mode;
|
|
|
|
module_param(driver_mode, ushort, 0);
|
|
|
|
MODULE_PARM_DESC(driver_mode,
|
|
|
|
"station=0x1(default), ap-sta=0x3, station-p2p=0x5, ap-sta-p2p=0x7");
|
|
|
|
|
2016-09-02 14:35:06 +07:00
|
|
|
bool mfg_mode;
|
|
|
|
module_param(mfg_mode, bool, 0);
|
|
|
|
MODULE_PARM_DESC(mfg_mode, "manufacturing mode enable:1, disable:0");
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/*
|
|
|
|
* This function registers the device and performs all the necessary
|
|
|
|
* initializations.
|
|
|
|
*
|
|
|
|
* The following initialization operations are performed -
|
|
|
|
* - Allocate adapter structure
|
|
|
|
* - Save interface specific operations table in adapter
|
|
|
|
* - Call interface specific initialization routine
|
|
|
|
* - Allocate private structures
|
|
|
|
* - Set default adapter structure parameters
|
|
|
|
* - Initialize locks
|
|
|
|
*
|
|
|
|
* In case of any errors during inittialization, this function also ensures
|
|
|
|
* proper cleanup before exiting.
|
|
|
|
*/
|
2017-03-11 08:39:22 +07:00
|
|
|
static int mwifiex_register(void *card, struct device *dev,
|
|
|
|
struct mwifiex_if_ops *if_ops, void **padapter)
|
2011-03-22 08:00:50 +07:00
|
|
|
{
|
2011-04-16 10:50:42 +07:00
|
|
|
struct mwifiex_adapter *adapter;
|
|
|
|
int i;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
adapter = kzalloc(sizeof(struct mwifiex_adapter), GFP_KERNEL);
|
|
|
|
if (!adapter)
|
2011-05-09 03:50:09 +07:00
|
|
|
return -ENOMEM;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2011-06-08 22:09:20 +07:00
|
|
|
*padapter = adapter;
|
2017-03-11 08:39:22 +07:00
|
|
|
adapter->dev = dev;
|
2011-03-22 08:00:50 +07:00
|
|
|
adapter->card = card;
|
|
|
|
|
|
|
|
/* Save interface specific operations in adapter */
|
|
|
|
memmove(&adapter->if_ops, if_ops, sizeof(struct mwifiex_if_ops));
|
2015-05-12 02:18:18 +07:00
|
|
|
adapter->debug_mask = debug_mask;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
/* card specific initialization has been deferred until now .. */
|
2012-04-19 10:08:28 +07:00
|
|
|
if (adapter->if_ops.init_if)
|
|
|
|
if (adapter->if_ops.init_if(adapter))
|
|
|
|
goto error;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
adapter->priv_num = 0;
|
|
|
|
|
2012-05-09 08:30:13 +07:00
|
|
|
for (i = 0; i < MWIFIEX_MAX_BSS_NUM; i++) {
|
|
|
|
/* Allocate memory for private structure */
|
|
|
|
adapter->priv[i] =
|
|
|
|
kzalloc(sizeof(struct mwifiex_private), GFP_KERNEL);
|
|
|
|
if (!adapter->priv[i])
|
|
|
|
goto error;
|
2011-09-27 10:37:26 +07:00
|
|
|
|
2012-05-09 08:30:13 +07:00
|
|
|
adapter->priv[i]->adapter = adapter;
|
|
|
|
adapter->priv_num++;
|
|
|
|
}
|
2011-09-30 10:43:41 +07:00
|
|
|
mwifiex_init_lock_list(adapter);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2014-12-26 21:35:56 +07:00
|
|
|
setup_timer(&adapter->cmd_timer, mwifiex_cmd_timeout_func,
|
|
|
|
(unsigned long)adapter);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error:
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"info: leave mwifiex_register with error\n");
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2011-09-27 10:37:26 +07:00
|
|
|
for (i = 0; i < adapter->priv_num; i++)
|
2011-03-22 08:00:50 +07:00
|
|
|
kfree(adapter->priv[i]);
|
2011-09-27 10:37:26 +07:00
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
kfree(adapter);
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This function unregisters the device and performs all the necessary
|
|
|
|
* cleanups.
|
|
|
|
*
|
|
|
|
* The following cleanup operations are performed -
|
|
|
|
* - Free the timers
|
|
|
|
* - Free beacon buffers
|
|
|
|
* - Free private structures
|
|
|
|
* - Free adapter structure
|
|
|
|
*/
|
|
|
|
static int mwifiex_unregister(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
2011-05-04 10:11:46 +07:00
|
|
|
s32 i;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2013-07-23 09:17:50 +07:00
|
|
|
if (adapter->if_ops.cleanup_if)
|
|
|
|
adapter->if_ops.cleanup_if(adapter);
|
|
|
|
|
2014-02-19 06:47:55 +07:00
|
|
|
del_timer_sync(&adapter->cmd_timer);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
/* Free private structures */
|
|
|
|
for (i = 0; i < adapter->priv_num; i++) {
|
|
|
|
if (adapter->priv[i]) {
|
|
|
|
mwifiex_free_curr_bcn(adapter->priv[i]);
|
|
|
|
kfree(adapter->priv[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2016-01-13 16:26:54 +07:00
|
|
|
if (adapter->nd_info) {
|
|
|
|
for (i = 0 ; i < adapter->nd_info->n_matches ; i++)
|
|
|
|
kfree(adapter->nd_info->matches[i]);
|
|
|
|
kfree(adapter->nd_info);
|
|
|
|
adapter->nd_info = NULL;
|
|
|
|
}
|
|
|
|
|
2016-08-09 21:50:46 +07:00
|
|
|
kfree(adapter->regd);
|
|
|
|
|
2014-10-31 17:38:26 +07:00
|
|
|
vfree(adapter->chan_stats);
|
2011-03-22 08:00:50 +07:00
|
|
|
kfree(adapter);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-03-13 19:07:54 +07:00
|
|
|
void mwifiex_queue_main_work(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
spin_lock_irqsave(&adapter->main_proc_lock, flags);
|
|
|
|
if (adapter->mwifiex_processing) {
|
|
|
|
adapter->more_task_flag = true;
|
|
|
|
spin_unlock_irqrestore(&adapter->main_proc_lock, flags);
|
|
|
|
} else {
|
|
|
|
spin_unlock_irqrestore(&adapter->main_proc_lock, flags);
|
|
|
|
queue_work(adapter->workqueue, &adapter->main_work);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_queue_main_work);
|
|
|
|
|
|
|
|
static void mwifiex_queue_rx_work(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
spin_lock_irqsave(&adapter->rx_proc_lock, flags);
|
|
|
|
if (adapter->rx_processing) {
|
|
|
|
spin_unlock_irqrestore(&adapter->rx_proc_lock, flags);
|
|
|
|
} else {
|
|
|
|
spin_unlock_irqrestore(&adapter->rx_proc_lock, flags);
|
|
|
|
queue_work(adapter->rx_workqueue, &adapter->rx_work);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-09-12 21:38:59 +07:00
|
|
|
static int mwifiex_process_rx(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
|
|
|
unsigned long flags;
|
|
|
|
struct sk_buff *skb;
|
2015-03-13 19:07:58 +07:00
|
|
|
struct mwifiex_rxinfo *rx_info;
|
2014-09-12 21:38:59 +07:00
|
|
|
|
|
|
|
spin_lock_irqsave(&adapter->rx_proc_lock, flags);
|
|
|
|
if (adapter->rx_processing || adapter->rx_locked) {
|
|
|
|
spin_unlock_irqrestore(&adapter->rx_proc_lock, flags);
|
|
|
|
goto exit_rx_proc;
|
|
|
|
} else {
|
|
|
|
adapter->rx_processing = true;
|
|
|
|
spin_unlock_irqrestore(&adapter->rx_proc_lock, flags);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check for Rx data */
|
|
|
|
while ((skb = skb_dequeue(&adapter->rx_data_q))) {
|
|
|
|
atomic_dec(&adapter->rx_pending);
|
2014-11-25 21:43:04 +07:00
|
|
|
if ((adapter->delay_main_work ||
|
|
|
|
adapter->iface_type == MWIFIEX_USB) &&
|
2014-09-29 23:14:14 +07:00
|
|
|
(atomic_read(&adapter->rx_pending) < LOW_RX_PENDING)) {
|
2014-11-05 18:34:29 +07:00
|
|
|
if (adapter->if_ops.submit_rem_rx_urbs)
|
|
|
|
adapter->if_ops.submit_rem_rx_urbs(adapter);
|
2014-09-12 21:38:59 +07:00
|
|
|
adapter->delay_main_work = false;
|
2015-03-13 19:07:54 +07:00
|
|
|
mwifiex_queue_main_work(adapter);
|
2014-09-12 21:38:59 +07:00
|
|
|
}
|
2015-03-13 19:07:58 +07:00
|
|
|
rx_info = MWIFIEX_SKB_RXCB(skb);
|
|
|
|
if (rx_info->buf_type == MWIFIEX_TYPE_AGGR_DATA) {
|
|
|
|
if (adapter->if_ops.deaggr_pkt)
|
|
|
|
adapter->if_ops.deaggr_pkt(adapter, skb);
|
|
|
|
dev_kfree_skb_any(skb);
|
|
|
|
} else {
|
|
|
|
mwifiex_handle_rx_packet(adapter, skb);
|
2014-09-12 21:38:59 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
spin_lock_irqsave(&adapter->rx_proc_lock, flags);
|
|
|
|
adapter->rx_processing = false;
|
|
|
|
spin_unlock_irqrestore(&adapter->rx_proc_lock, flags);
|
|
|
|
|
|
|
|
exit_rx_proc:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/*
|
|
|
|
* The main process.
|
|
|
|
*
|
|
|
|
* This function is the main procedure of the driver and handles various driver
|
|
|
|
* operations. It runs in a loop and provides the core functionalities.
|
|
|
|
*
|
|
|
|
* The main responsibilities of this function are -
|
|
|
|
* - Ensure concurrency control
|
|
|
|
* - Handle pending interrupts and call interrupt handlers
|
|
|
|
* - Wake up the card if required
|
|
|
|
* - Handle command responses and call response handlers
|
|
|
|
* - Handle events and call event handlers
|
|
|
|
* - Execute pending commands
|
|
|
|
* - Transmit pending data packets
|
|
|
|
*/
|
|
|
|
int mwifiex_main_process(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
unsigned long flags;
|
|
|
|
|
|
|
|
spin_lock_irqsave(&adapter->main_proc_lock, flags);
|
|
|
|
|
|
|
|
/* Check if already processing */
|
2015-03-13 19:07:51 +07:00
|
|
|
if (adapter->mwifiex_processing || adapter->main_locked) {
|
2015-02-12 00:42:24 +07:00
|
|
|
adapter->more_task_flag = true;
|
2011-03-22 08:00:50 +07:00
|
|
|
spin_unlock_irqrestore(&adapter->main_proc_lock, flags);
|
2016-11-16 20:09:05 +07:00
|
|
|
return 0;
|
2011-03-22 08:00:50 +07:00
|
|
|
} else {
|
|
|
|
adapter->mwifiex_processing = true;
|
2015-04-17 18:18:29 +07:00
|
|
|
spin_unlock_irqrestore(&adapter->main_proc_lock, flags);
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
|
|
|
process_start:
|
|
|
|
do {
|
2016-11-16 20:09:05 +07:00
|
|
|
if (adapter->hw_status == MWIFIEX_HW_STATUS_NOT_READY)
|
2011-03-22 08:00:50 +07:00
|
|
|
break;
|
|
|
|
|
2014-11-25 21:43:04 +07:00
|
|
|
/* For non-USB interfaces, If we process interrupts first, it
|
|
|
|
* would increase RX pending even further. Avoid this by
|
|
|
|
* checking if rx_pending has crossed high threshold and
|
|
|
|
* schedule rx work queue and then process interrupts.
|
|
|
|
* For USB interface, there are no interrupts. We already have
|
|
|
|
* HIGH_RX_PENDING check in usb.c
|
2014-09-12 21:38:59 +07:00
|
|
|
*/
|
2014-11-25 21:43:04 +07:00
|
|
|
if (atomic_read(&adapter->rx_pending) >= HIGH_RX_PENDING &&
|
|
|
|
adapter->iface_type != MWIFIEX_USB) {
|
2014-09-12 21:38:59 +07:00
|
|
|
adapter->delay_main_work = true;
|
2015-03-13 19:07:54 +07:00
|
|
|
mwifiex_queue_rx_work(adapter);
|
2014-09-12 21:38:59 +07:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Handle pending interrupt if any */
|
|
|
|
if (adapter->int_status) {
|
|
|
|
if (adapter->hs_activated)
|
|
|
|
mwifiex_process_hs_config(adapter);
|
2012-04-19 10:08:28 +07:00
|
|
|
if (adapter->if_ops.process_int_status)
|
|
|
|
adapter->if_ops.process_int_status(adapter);
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
|
|
|
|
2014-09-12 21:38:59 +07:00
|
|
|
if (adapter->rx_work_enabled && adapter->data_received)
|
2015-03-13 19:07:54 +07:00
|
|
|
mwifiex_queue_rx_work(adapter);
|
2014-09-12 21:38:59 +07:00
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Need to wake up the card ? */
|
|
|
|
if ((adapter->ps_state == PS_STATE_SLEEP) &&
|
|
|
|
(adapter->pm_wakeup_card_req &&
|
|
|
|
!adapter->pm_wakeup_fw_try) &&
|
2012-03-14 09:22:37 +07:00
|
|
|
(is_command_pending(adapter) ||
|
2015-03-13 19:07:57 +07:00
|
|
|
!skb_queue_empty(&adapter->tx_data_q) ||
|
2015-06-22 20:36:17 +07:00
|
|
|
!mwifiex_bypass_txlist_empty(adapter) ||
|
2012-03-14 09:22:37 +07:00
|
|
|
!mwifiex_wmm_lists_empty(adapter))) {
|
2011-03-22 08:00:50 +07:00
|
|
|
adapter->pm_wakeup_fw_try = true;
|
2014-12-31 17:36:41 +07:00
|
|
|
mod_timer(&adapter->wakeup_timer, jiffies + (HZ*3));
|
2011-03-22 08:00:50 +07:00
|
|
|
adapter->if_ops.wakeup(adapter);
|
|
|
|
continue;
|
|
|
|
}
|
2012-04-19 10:08:28 +07:00
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
if (IS_CARD_RX_RCVD(adapter)) {
|
2014-09-12 21:38:59 +07:00
|
|
|
adapter->data_received = false;
|
2011-03-22 08:00:50 +07:00
|
|
|
adapter->pm_wakeup_fw_try = false;
|
2015-03-12 14:38:40 +07:00
|
|
|
del_timer(&adapter->wakeup_timer);
|
2011-03-22 08:00:50 +07:00
|
|
|
if (adapter->ps_state == PS_STATE_SLEEP)
|
|
|
|
adapter->ps_state = PS_STATE_AWAKE;
|
|
|
|
} else {
|
|
|
|
/* We have tried to wakeup the card already */
|
|
|
|
if (adapter->pm_wakeup_fw_try)
|
|
|
|
break;
|
2016-11-18 21:00:25 +07:00
|
|
|
if (adapter->ps_state == PS_STATE_PRE_SLEEP)
|
|
|
|
mwifiex_check_ps_cond(adapter);
|
|
|
|
|
2015-09-18 20:32:17 +07:00
|
|
|
if (adapter->ps_state != PS_STATE_AWAKE)
|
2011-03-22 08:00:50 +07:00
|
|
|
break;
|
2015-09-18 20:32:17 +07:00
|
|
|
if (adapter->tx_lock_flag) {
|
|
|
|
if (adapter->iface_type == MWIFIEX_USB) {
|
|
|
|
if (!adapter->usb_mc_setup)
|
|
|
|
break;
|
|
|
|
} else
|
|
|
|
break;
|
|
|
|
}
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2014-09-12 21:38:56 +07:00
|
|
|
if ((!adapter->scan_chan_gap_enabled &&
|
|
|
|
adapter->scan_processing) || adapter->data_sent ||
|
2015-06-22 20:36:10 +07:00
|
|
|
mwifiex_is_tdls_chan_switching
|
|
|
|
(mwifiex_get_priv(adapter,
|
|
|
|
MWIFIEX_BSS_ROLE_STA)) ||
|
2015-03-13 19:07:57 +07:00
|
|
|
(mwifiex_wmm_lists_empty(adapter) &&
|
2015-06-22 20:36:17 +07:00
|
|
|
mwifiex_bypass_txlist_empty(adapter) &&
|
2015-03-13 19:07:57 +07:00
|
|
|
skb_queue_empty(&adapter->tx_data_q))) {
|
2012-03-14 09:22:37 +07:00
|
|
|
if (adapter->cmd_sent || adapter->curr_cmd ||
|
2015-06-22 20:36:10 +07:00
|
|
|
!mwifiex_is_send_cmd_allowed
|
|
|
|
(mwifiex_get_priv(adapter,
|
|
|
|
MWIFIEX_BSS_ROLE_STA)) ||
|
2012-03-14 09:22:37 +07:00
|
|
|
(!is_command_pending(adapter)))
|
2011-03-22 08:00:50 +07:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-04-15 05:31:05 +07:00
|
|
|
/* Check for event */
|
|
|
|
if (adapter->event_received) {
|
|
|
|
adapter->event_received = false;
|
|
|
|
mwifiex_process_event(adapter);
|
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Check for Cmd Resp */
|
|
|
|
if (adapter->cmd_resp_received) {
|
|
|
|
adapter->cmd_resp_received = false;
|
|
|
|
mwifiex_process_cmdresp(adapter);
|
|
|
|
|
|
|
|
/* call mwifiex back when init_fw is done */
|
|
|
|
if (adapter->hw_status == MWIFIEX_HW_STATUS_INIT_DONE) {
|
|
|
|
adapter->hw_status = MWIFIEX_HW_STATUS_READY;
|
|
|
|
mwifiex_init_fw_complete(adapter);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Check if we need to confirm Sleep Request
|
|
|
|
received previously */
|
2016-11-18 21:00:25 +07:00
|
|
|
if (adapter->ps_state == PS_STATE_PRE_SLEEP)
|
|
|
|
mwifiex_check_ps_cond(adapter);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
/* * The ps_state may have been changed during processing of
|
|
|
|
* Sleep Request event.
|
|
|
|
*/
|
2012-03-14 09:22:37 +07:00
|
|
|
if ((adapter->ps_state == PS_STATE_SLEEP) ||
|
|
|
|
(adapter->ps_state == PS_STATE_PRE_SLEEP) ||
|
2015-09-18 20:32:17 +07:00
|
|
|
(adapter->ps_state == PS_STATE_SLEEP_CFM)) {
|
2011-03-22 08:00:50 +07:00
|
|
|
continue;
|
2015-02-12 00:42:24 +07:00
|
|
|
}
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2015-09-18 20:32:17 +07:00
|
|
|
if (adapter->tx_lock_flag) {
|
|
|
|
if (adapter->iface_type == MWIFIEX_USB) {
|
|
|
|
if (!adapter->usb_mc_setup)
|
|
|
|
continue;
|
|
|
|
} else
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2015-06-22 20:36:10 +07:00
|
|
|
if (!adapter->cmd_sent && !adapter->curr_cmd &&
|
|
|
|
mwifiex_is_send_cmd_allowed
|
|
|
|
(mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_STA))) {
|
2011-03-22 08:00:50 +07:00
|
|
|
if (mwifiex_exec_next_cmd(adapter) == -1) {
|
|
|
|
ret = -1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-09-18 20:32:17 +07:00
|
|
|
/** If USB Multi channel setup ongoing,
|
|
|
|
* wait for ready to tx data.
|
|
|
|
*/
|
|
|
|
if (adapter->iface_type == MWIFIEX_USB &&
|
|
|
|
adapter->usb_mc_setup)
|
|
|
|
continue;
|
|
|
|
|
2015-03-13 19:07:57 +07:00
|
|
|
if ((adapter->scan_chan_gap_enabled ||
|
|
|
|
!adapter->scan_processing) &&
|
|
|
|
!adapter->data_sent &&
|
|
|
|
!skb_queue_empty(&adapter->tx_data_q)) {
|
|
|
|
mwifiex_process_tx_queue(adapter);
|
|
|
|
if (adapter->hs_activated) {
|
|
|
|
adapter->is_hs_configured = false;
|
|
|
|
mwifiex_hs_activated_event
|
|
|
|
(mwifiex_get_priv
|
|
|
|
(adapter, MWIFIEX_BSS_ROLE_ANY),
|
|
|
|
false);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-06-22 20:36:17 +07:00
|
|
|
if ((adapter->scan_chan_gap_enabled ||
|
|
|
|
!adapter->scan_processing) &&
|
|
|
|
!adapter->data_sent &&
|
|
|
|
!mwifiex_bypass_txlist_empty(adapter) &&
|
|
|
|
!mwifiex_is_tdls_chan_switching
|
|
|
|
(mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_STA))) {
|
|
|
|
mwifiex_process_bypass_tx(adapter);
|
|
|
|
if (adapter->hs_activated) {
|
|
|
|
adapter->is_hs_configured = false;
|
|
|
|
mwifiex_hs_activated_event
|
|
|
|
(mwifiex_get_priv
|
|
|
|
(adapter, MWIFIEX_BSS_ROLE_ANY),
|
|
|
|
false);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2014-09-12 21:38:56 +07:00
|
|
|
if ((adapter->scan_chan_gap_enabled ||
|
2014-09-12 21:38:58 +07:00
|
|
|
!adapter->scan_processing) &&
|
2015-06-22 20:36:10 +07:00
|
|
|
!adapter->data_sent && !mwifiex_wmm_lists_empty(adapter) &&
|
|
|
|
!mwifiex_is_tdls_chan_switching
|
|
|
|
(mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_STA))) {
|
2011-03-22 08:00:50 +07:00
|
|
|
mwifiex_wmm_process_tx(adapter);
|
|
|
|
if (adapter->hs_activated) {
|
|
|
|
adapter->is_hs_configured = false;
|
|
|
|
mwifiex_hs_activated_event
|
|
|
|
(mwifiex_get_priv
|
|
|
|
(adapter, MWIFIEX_BSS_ROLE_ANY),
|
|
|
|
false);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (adapter->delay_null_pkt && !adapter->cmd_sent &&
|
2012-03-14 09:22:37 +07:00
|
|
|
!adapter->curr_cmd && !is_command_pending(adapter) &&
|
2015-03-13 19:07:57 +07:00
|
|
|
(mwifiex_wmm_lists_empty(adapter) &&
|
2015-06-22 20:36:17 +07:00
|
|
|
mwifiex_bypass_txlist_empty(adapter) &&
|
2015-03-13 19:07:57 +07:00
|
|
|
skb_queue_empty(&adapter->tx_data_q))) {
|
2011-03-22 08:00:50 +07:00
|
|
|
if (!mwifiex_send_null_packet
|
|
|
|
(mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_STA),
|
|
|
|
MWIFIEX_TxPD_POWER_MGMT_NULL_PACKET |
|
|
|
|
MWIFIEX_TxPD_POWER_MGMT_LAST_PACKET)) {
|
|
|
|
adapter->delay_null_pkt = false;
|
|
|
|
adapter->ps_state = PS_STATE_SLEEP;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
} while (true);
|
|
|
|
|
2013-09-28 00:55:38 +07:00
|
|
|
spin_lock_irqsave(&adapter->main_proc_lock, flags);
|
2015-04-17 18:18:29 +07:00
|
|
|
if (adapter->more_task_flag) {
|
|
|
|
adapter->more_task_flag = false;
|
|
|
|
spin_unlock_irqrestore(&adapter->main_proc_lock, flags);
|
2011-03-22 08:00:50 +07:00
|
|
|
goto process_start;
|
2015-04-17 18:18:29 +07:00
|
|
|
}
|
2011-03-22 08:00:50 +07:00
|
|
|
adapter->mwifiex_processing = false;
|
|
|
|
spin_unlock_irqrestore(&adapter->main_proc_lock, flags);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
2012-11-06 07:59:15 +07:00
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_main_process);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
/*
|
|
|
|
* This function frees the adapter structure.
|
|
|
|
*
|
|
|
|
* Additionally, this closes the netlink socket, frees the timers
|
|
|
|
* and private structures.
|
|
|
|
*/
|
|
|
|
static void mwifiex_free_adapter(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
|
|
|
if (!adapter) {
|
|
|
|
pr_err("%s: adapter is NULL\n", __func__);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
mwifiex_unregister(adapter);
|
|
|
|
pr_debug("info: %s: free adapter\n", __func__);
|
|
|
|
}
|
|
|
|
|
2013-07-23 09:17:55 +07:00
|
|
|
/*
|
|
|
|
* This function cancels all works in the queue and destroys
|
|
|
|
* the main workqueue.
|
|
|
|
*/
|
|
|
|
static void mwifiex_terminate_workqueue(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
2016-07-26 21:01:44 +07:00
|
|
|
if (adapter->workqueue) {
|
|
|
|
flush_workqueue(adapter->workqueue);
|
|
|
|
destroy_workqueue(adapter->workqueue);
|
|
|
|
adapter->workqueue = NULL;
|
|
|
|
}
|
2014-09-12 21:38:59 +07:00
|
|
|
|
|
|
|
if (adapter->rx_workqueue) {
|
|
|
|
flush_workqueue(adapter->rx_workqueue);
|
|
|
|
destroy_workqueue(adapter->rx_workqueue);
|
|
|
|
adapter->rx_workqueue = NULL;
|
|
|
|
}
|
2013-07-23 09:17:55 +07:00
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/*
|
2012-04-10 10:06:57 +07:00
|
|
|
* This function gets firmware and initializes it.
|
2011-03-22 08:00:50 +07:00
|
|
|
*
|
|
|
|
* The main initialization steps followed are -
|
|
|
|
* - Download the correct firmware to card
|
|
|
|
* - Issue the init commands to firmware
|
|
|
|
*/
|
mwifiex: catch mwifiex_fw_dpc() errors properly in reset
When resetting the device, we take a synchronous firmware-loading code
path, which borrows a lot from the asynchronous path used at probe time.
We don't catch errors correctly though, which means that in the PCIe
driver, we may try to dereference the 'adapter' struct after
mwifiex_fw_dpc() has freed it. See this (erronous) print in
mwifiex_pcie_reset_notify():
mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
Let's instead refactor the synchronous (or "!req_fw_nowait") path so
that we propagate errors and handle them properly.
This fixes a use-after-free issue in the PCIe driver, as well as a
misleading debug message ("successful"). It looks like the SDIO driver
doesn't have these problems, since it doesn't do anything after
mwifiex_reinit_sw().
Fixes: 4c5dae59d2e9 ("mwifiex: add PCIe function level reset support")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-03-29 06:59:33 +07:00
|
|
|
static int _mwifiex_fw_dpc(const struct firmware *firmware, void *context)
|
2011-03-22 08:00:50 +07:00
|
|
|
{
|
2013-11-15 10:10:38 +07:00
|
|
|
int ret;
|
2012-04-10 10:06:57 +07:00
|
|
|
char fmt[64];
|
|
|
|
struct mwifiex_adapter *adapter = context;
|
2011-03-22 08:00:50 +07:00
|
|
|
struct mwifiex_fw_image fw;
|
2013-07-31 07:18:15 +07:00
|
|
|
bool init_failed = false;
|
2013-11-15 10:10:37 +07:00
|
|
|
struct wireless_dev *wdev;
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
struct completion *fw_done = adapter->fw_done;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2012-04-10 10:06:57 +07:00
|
|
|
if (!firmware) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"Failed to get firmware %s\n", adapter->fw_name);
|
2013-07-23 09:17:55 +07:00
|
|
|
goto err_dnld_fw;
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
2012-04-10 10:06:57 +07:00
|
|
|
|
|
|
|
memset(&fw, 0, sizeof(struct mwifiex_fw_image));
|
|
|
|
adapter->firmware = firmware;
|
2011-03-22 08:00:50 +07:00
|
|
|
fw.fw_buf = (u8 *) adapter->firmware->data;
|
|
|
|
fw.fw_len = adapter->firmware->size;
|
|
|
|
|
2016-05-19 10:53:43 +07:00
|
|
|
if (adapter->if_ops.dnld_fw) {
|
2012-04-19 10:08:28 +07:00
|
|
|
ret = adapter->if_ops.dnld_fw(adapter, &fw);
|
2016-05-19 10:53:43 +07:00
|
|
|
} else {
|
2012-04-19 10:08:28 +07:00
|
|
|
ret = mwifiex_dnld_fw(adapter, &fw);
|
2016-05-19 10:53:43 +07:00
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
if (ret == -1)
|
2013-07-23 09:17:55 +07:00
|
|
|
goto err_dnld_fw;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, MSG, "WLAN FW is active\n");
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2013-05-18 07:50:25 +07:00
|
|
|
if (cal_data_cfg) {
|
|
|
|
if ((request_firmware(&adapter->cal_data, cal_data_cfg,
|
|
|
|
adapter->dev)) < 0)
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"Cal data request_firmware() failed\n");
|
2013-05-18 07:50:25 +07:00
|
|
|
}
|
|
|
|
|
2013-07-13 21:57:10 +07:00
|
|
|
/* enable host interrupt after fw dnld is successful */
|
2013-07-23 09:17:55 +07:00
|
|
|
if (adapter->if_ops.enable_int) {
|
|
|
|
if (adapter->if_ops.enable_int(adapter))
|
|
|
|
goto err_dnld_fw;
|
|
|
|
}
|
2013-07-13 21:57:10 +07:00
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
adapter->init_wait_q_woken = false;
|
|
|
|
ret = mwifiex_init_fw(adapter);
|
|
|
|
if (ret == -1) {
|
2013-07-23 09:17:55 +07:00
|
|
|
goto err_init_fw;
|
2011-03-22 08:00:50 +07:00
|
|
|
} else if (!ret) {
|
|
|
|
adapter->hw_status = MWIFIEX_HW_STATUS_READY;
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
/* Wait for mwifiex_init to complete */
|
2016-09-02 14:35:06 +07:00
|
|
|
if (!adapter->mfg_mode) {
|
|
|
|
wait_event_interruptible(adapter->init_wait_q,
|
|
|
|
adapter->init_wait_q_woken);
|
|
|
|
if (adapter->hw_status != MWIFIEX_HW_STATUS_READY)
|
|
|
|
goto err_init_fw;
|
|
|
|
}
|
2012-04-10 10:06:57 +07:00
|
|
|
|
2016-07-26 21:01:44 +07:00
|
|
|
if (!adapter->wiphy) {
|
|
|
|
if (mwifiex_register_cfg80211(adapter)) {
|
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"cannot register with cfg80211\n");
|
|
|
|
goto err_init_fw;
|
|
|
|
}
|
2012-04-10 10:06:57 +07:00
|
|
|
}
|
|
|
|
|
2014-10-31 17:38:26 +07:00
|
|
|
if (mwifiex_init_channel_scan_gap(adapter)) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"could not init channel stats table\n");
|
2014-10-31 17:38:26 +07:00
|
|
|
goto err_init_fw;
|
|
|
|
}
|
|
|
|
|
2014-11-05 21:08:11 +07:00
|
|
|
if (driver_mode) {
|
|
|
|
driver_mode &= MWIFIEX_DRIVER_MODE_BITMASK;
|
|
|
|
driver_mode |= MWIFIEX_DRIVER_MODE_STA;
|
|
|
|
}
|
|
|
|
|
2012-04-10 10:06:57 +07:00
|
|
|
rtnl_lock();
|
|
|
|
/* Create station interface by default */
|
2015-03-18 17:13:39 +07:00
|
|
|
wdev = mwifiex_add_virtual_intf(adapter->wiphy, "mlan%d", NET_NAME_ENUM,
|
2013-11-15 10:10:37 +07:00
|
|
|
NL80211_IFTYPE_STATION, NULL, NULL);
|
|
|
|
if (IS_ERR(wdev)) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"cannot create default STA interface\n");
|
2013-11-15 10:10:38 +07:00
|
|
|
rtnl_unlock();
|
2012-04-10 10:06:57 +07:00
|
|
|
goto err_add_intf;
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
2014-11-05 21:08:11 +07:00
|
|
|
|
|
|
|
if (driver_mode & MWIFIEX_DRIVER_MODE_UAP) {
|
2015-03-18 17:13:39 +07:00
|
|
|
wdev = mwifiex_add_virtual_intf(adapter->wiphy, "uap%d", NET_NAME_ENUM,
|
2014-11-05 21:08:11 +07:00
|
|
|
NL80211_IFTYPE_AP, NULL, NULL);
|
|
|
|
if (IS_ERR(wdev)) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"cannot create AP interface\n");
|
2014-11-05 21:08:11 +07:00
|
|
|
rtnl_unlock();
|
|
|
|
goto err_add_intf;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (driver_mode & MWIFIEX_DRIVER_MODE_P2P) {
|
2015-03-18 17:13:39 +07:00
|
|
|
wdev = mwifiex_add_virtual_intf(adapter->wiphy, "p2p%d", NET_NAME_ENUM,
|
2014-11-05 21:08:11 +07:00
|
|
|
NL80211_IFTYPE_P2P_CLIENT, NULL,
|
|
|
|
NULL);
|
|
|
|
if (IS_ERR(wdev)) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"cannot create p2p client interface\n");
|
2014-11-05 21:08:11 +07:00
|
|
|
rtnl_unlock();
|
|
|
|
goto err_add_intf;
|
|
|
|
}
|
|
|
|
}
|
2012-04-10 10:06:57 +07:00
|
|
|
rtnl_unlock();
|
|
|
|
|
|
|
|
mwifiex_drv_get_driver_version(adapter, fmt, sizeof(fmt) - 1);
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, MSG, "driver_version = %s\n", fmt);
|
2012-04-10 10:06:57 +07:00
|
|
|
goto done;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2012-04-10 10:06:57 +07:00
|
|
|
err_add_intf:
|
2013-07-23 09:17:55 +07:00
|
|
|
wiphy_unregister(adapter->wiphy);
|
|
|
|
wiphy_free(adapter->wiphy);
|
2012-04-10 10:06:57 +07:00
|
|
|
err_init_fw:
|
2013-07-13 21:57:10 +07:00
|
|
|
if (adapter->if_ops.disable_int)
|
|
|
|
adapter->if_ops.disable_int(adapter);
|
2013-07-23 09:17:55 +07:00
|
|
|
err_dnld_fw:
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"info: %s: unregister device\n", __func__);
|
2013-07-23 09:17:55 +07:00
|
|
|
if (adapter->if_ops.unregister_dev)
|
|
|
|
adapter->if_ops.unregister_dev(adapter);
|
|
|
|
|
2016-11-16 20:09:05 +07:00
|
|
|
adapter->surprise_removed = true;
|
|
|
|
mwifiex_terminate_workqueue(adapter);
|
|
|
|
|
2014-12-31 17:36:38 +07:00
|
|
|
if (adapter->hw_status == MWIFIEX_HW_STATUS_READY) {
|
2013-07-23 09:17:55 +07:00
|
|
|
pr_debug("info: %s: shutdown mwifiex\n", __func__);
|
2016-11-16 20:09:05 +07:00
|
|
|
mwifiex_shutdown_drv(adapter);
|
2013-07-23 09:17:55 +07:00
|
|
|
}
|
2016-11-16 20:09:05 +07:00
|
|
|
|
2013-07-31 07:18:15 +07:00
|
|
|
init_failed = true;
|
2011-03-22 08:00:50 +07:00
|
|
|
done:
|
2013-05-18 07:50:25 +07:00
|
|
|
if (adapter->cal_data) {
|
|
|
|
release_firmware(adapter->cal_data);
|
|
|
|
adapter->cal_data = NULL;
|
|
|
|
}
|
2013-07-31 07:18:15 +07:00
|
|
|
if (adapter->firmware) {
|
|
|
|
release_firmware(adapter->firmware);
|
|
|
|
adapter->firmware = NULL;
|
|
|
|
}
|
|
|
|
if (init_failed)
|
|
|
|
mwifiex_free_adapter(adapter);
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
/* Tell all current and future waiters we're finished */
|
|
|
|
complete_all(fw_done);
|
mwifiex: catch mwifiex_fw_dpc() errors properly in reset
When resetting the device, we take a synchronous firmware-loading code
path, which borrows a lot from the asynchronous path used at probe time.
We don't catch errors correctly though, which means that in the PCIe
driver, we may try to dereference the 'adapter' struct after
mwifiex_fw_dpc() has freed it. See this (erronous) print in
mwifiex_pcie_reset_notify():
mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
Let's instead refactor the synchronous (or "!req_fw_nowait") path so
that we propagate errors and handle them properly.
This fixes a use-after-free issue in the PCIe driver, as well as a
misleading debug message ("successful"). It looks like the SDIO driver
doesn't have these problems, since it doesn't do anything after
mwifiex_reinit_sw().
Fixes: 4c5dae59d2e9 ("mwifiex: add PCIe function level reset support")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-03-29 06:59:33 +07:00
|
|
|
|
|
|
|
return init_failed ? -EIO : 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void mwifiex_fw_dpc(const struct firmware *firmware, void *context)
|
|
|
|
{
|
|
|
|
_mwifiex_fw_dpc(firmware, context);
|
2012-04-10 10:06:57 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
mwifiex: catch mwifiex_fw_dpc() errors properly in reset
When resetting the device, we take a synchronous firmware-loading code
path, which borrows a lot from the asynchronous path used at probe time.
We don't catch errors correctly though, which means that in the PCIe
driver, we may try to dereference the 'adapter' struct after
mwifiex_fw_dpc() has freed it. See this (erronous) print in
mwifiex_pcie_reset_notify():
mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
Let's instead refactor the synchronous (or "!req_fw_nowait") path so
that we propagate errors and handle them properly.
This fixes a use-after-free issue in the PCIe driver, as well as a
misleading debug message ("successful"). It looks like the SDIO driver
doesn't have these problems, since it doesn't do anything after
mwifiex_reinit_sw().
Fixes: 4c5dae59d2e9 ("mwifiex: add PCIe function level reset support")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-03-29 06:59:33 +07:00
|
|
|
* This function gets the firmware and (if called asynchronously) kicks off the
|
|
|
|
* HW init when done.
|
2012-04-10 10:06:57 +07:00
|
|
|
*/
|
2016-07-26 21:01:44 +07:00
|
|
|
static int mwifiex_init_hw_fw(struct mwifiex_adapter *adapter,
|
|
|
|
bool req_fw_nowait)
|
2012-04-10 10:06:57 +07:00
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
2016-09-02 14:35:06 +07:00
|
|
|
/* Override default firmware with manufacturing one if
|
|
|
|
* manufacturing mode is enabled
|
|
|
|
*/
|
|
|
|
if (mfg_mode) {
|
|
|
|
if (strlcpy(adapter->fw_name, MFG_FIRMWARE,
|
|
|
|
sizeof(adapter->fw_name)) >=
|
|
|
|
sizeof(adapter->fw_name)) {
|
|
|
|
pr_err("%s: fw_name too long!\n", __func__);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
}
|
2016-07-26 21:01:44 +07:00
|
|
|
|
|
|
|
if (req_fw_nowait) {
|
|
|
|
ret = request_firmware_nowait(THIS_MODULE, 1, adapter->fw_name,
|
|
|
|
adapter->dev, GFP_KERNEL, adapter,
|
|
|
|
mwifiex_fw_dpc);
|
|
|
|
} else {
|
|
|
|
ret = request_firmware(&adapter->firmware,
|
|
|
|
adapter->fw_name,
|
|
|
|
adapter->dev);
|
|
|
|
}
|
|
|
|
|
mwifiex: catch mwifiex_fw_dpc() errors properly in reset
When resetting the device, we take a synchronous firmware-loading code
path, which borrows a lot from the asynchronous path used at probe time.
We don't catch errors correctly though, which means that in the PCIe
driver, we may try to dereference the 'adapter' struct after
mwifiex_fw_dpc() has freed it. See this (erronous) print in
mwifiex_pcie_reset_notify():
mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
Let's instead refactor the synchronous (or "!req_fw_nowait") path so
that we propagate errors and handle them properly.
This fixes a use-after-free issue in the PCIe driver, as well as a
misleading debug message ("successful"). It looks like the SDIO driver
doesn't have these problems, since it doesn't do anything after
mwifiex_reinit_sw().
Fixes: 4c5dae59d2e9 ("mwifiex: add PCIe function level reset support")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-03-29 06:59:33 +07:00
|
|
|
if (ret < 0)
|
|
|
|
mwifiex_dbg(adapter, ERROR, "request_firmware%s error %d\n",
|
|
|
|
req_fw_nowait ? "_nowait" : "", ret);
|
2011-03-22 08:00:50 +07:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* CFG802.11 network device handler for open.
|
|
|
|
*
|
|
|
|
* Starts the data queue.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
mwifiex_open(struct net_device *dev)
|
|
|
|
{
|
2015-01-19 17:24:36 +07:00
|
|
|
netif_carrier_off(dev);
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* CFG802.11 network device handler for close.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
mwifiex_close(struct net_device *dev)
|
|
|
|
{
|
2012-10-20 09:19:16 +07:00
|
|
|
struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
|
|
|
|
|
|
|
|
if (priv->scan_request) {
|
2016-07-05 21:10:13 +07:00
|
|
|
struct cfg80211_scan_info info = {
|
|
|
|
.aborted = true,
|
|
|
|
};
|
|
|
|
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, INFO,
|
|
|
|
"aborting scan on ndo_stop\n");
|
2016-07-05 21:10:13 +07:00
|
|
|
cfg80211_scan_done(priv->scan_request, &info);
|
2012-10-20 09:19:16 +07:00
|
|
|
priv->scan_request = NULL;
|
2013-05-18 07:50:20 +07:00
|
|
|
priv->scan_aborting = true;
|
2012-10-20 09:19:16 +07:00
|
|
|
}
|
|
|
|
|
2016-04-18 20:42:55 +07:00
|
|
|
if (priv->sched_scanning) {
|
|
|
|
mwifiex_dbg(priv->adapter, INFO,
|
|
|
|
"aborting bgscan on ndo_stop\n");
|
|
|
|
mwifiex_stop_bg_scan(priv);
|
|
|
|
cfg80211_sched_scan_stopped(priv->wdev.wiphy);
|
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-06-22 20:36:17 +07:00
|
|
|
static bool
|
|
|
|
mwifiex_bypass_tx_queue(struct mwifiex_private *priv,
|
|
|
|
struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct ethhdr *eth_hdr = (struct ethhdr *)skb->data;
|
|
|
|
|
|
|
|
if (ntohs(eth_hdr->h_proto) == ETH_P_PAE ||
|
|
|
|
mwifiex_is_skb_mgmt_frame(skb) ||
|
|
|
|
(GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA &&
|
|
|
|
ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
|
|
|
|
(ntohs(eth_hdr->h_proto) == ETH_P_TDLS))) {
|
|
|
|
mwifiex_dbg(priv->adapter, DATA,
|
|
|
|
"bypass txqueue; eth type %#x, mgmt %d\n",
|
|
|
|
ntohs(eth_hdr->h_proto),
|
|
|
|
mwifiex_is_skb_mgmt_frame(skb));
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
2012-09-26 10:23:32 +07:00
|
|
|
/*
|
|
|
|
* Add buffer into wmm tx queue and queue work to transmit it.
|
|
|
|
*/
|
|
|
|
int mwifiex_queue_tx_pkt(struct mwifiex_private *priv, struct sk_buff *skb)
|
|
|
|
{
|
2012-11-02 08:44:16 +07:00
|
|
|
struct netdev_queue *txq;
|
|
|
|
int index = mwifiex_1d_to_wmm_queue[skb->priority];
|
|
|
|
|
|
|
|
if (atomic_inc_return(&priv->wmm_tx_pending[index]) >= MAX_TX_PENDING) {
|
|
|
|
txq = netdev_get_tx_queue(priv->netdev, index);
|
|
|
|
if (!netif_tx_queue_stopped(txq)) {
|
|
|
|
netif_tx_stop_queue(txq);
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, DATA,
|
|
|
|
"stop queue: %d\n", index);
|
2012-11-02 08:44:16 +07:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-06-22 20:36:17 +07:00
|
|
|
if (mwifiex_bypass_tx_queue(priv, skb)) {
|
|
|
|
atomic_inc(&priv->adapter->tx_pending);
|
|
|
|
atomic_inc(&priv->adapter->bypass_tx_pending);
|
|
|
|
mwifiex_wmm_add_buf_bypass_txqueue(priv, skb);
|
|
|
|
} else {
|
|
|
|
atomic_inc(&priv->adapter->tx_pending);
|
|
|
|
mwifiex_wmm_add_buf_txqueue(priv, skb);
|
|
|
|
}
|
2012-09-26 10:23:32 +07:00
|
|
|
|
2015-03-13 19:07:54 +07:00
|
|
|
mwifiex_queue_main_work(priv->adapter);
|
2012-09-26 10:23:32 +07:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2014-11-25 21:43:06 +07:00
|
|
|
struct sk_buff *
|
2014-11-25 21:43:05 +07:00
|
|
|
mwifiex_clone_skb_for_tx_status(struct mwifiex_private *priv,
|
2014-11-25 21:43:06 +07:00
|
|
|
struct sk_buff *skb, u8 flag, u64 *cookie)
|
2014-11-25 21:43:05 +07:00
|
|
|
{
|
|
|
|
struct sk_buff *orig_skb = skb;
|
|
|
|
struct mwifiex_txinfo *tx_info, *orig_tx_info;
|
|
|
|
|
|
|
|
skb = skb_clone(skb, GFP_ATOMIC);
|
|
|
|
if (skb) {
|
|
|
|
unsigned long flags;
|
|
|
|
int id;
|
|
|
|
|
|
|
|
spin_lock_irqsave(&priv->ack_status_lock, flags);
|
|
|
|
id = idr_alloc(&priv->ack_status_frames, orig_skb,
|
2015-12-31 21:24:15 +07:00
|
|
|
1, 0x10, GFP_ATOMIC);
|
2014-11-25 21:43:05 +07:00
|
|
|
spin_unlock_irqrestore(&priv->ack_status_lock, flags);
|
|
|
|
|
|
|
|
if (id >= 0) {
|
|
|
|
tx_info = MWIFIEX_SKB_TXCB(skb);
|
|
|
|
tx_info->ack_frame_id = id;
|
|
|
|
tx_info->flags |= flag;
|
|
|
|
orig_tx_info = MWIFIEX_SKB_TXCB(orig_skb);
|
|
|
|
orig_tx_info->ack_frame_id = id;
|
|
|
|
orig_tx_info->flags |= flag;
|
2014-11-25 21:43:06 +07:00
|
|
|
|
|
|
|
if (flag == MWIFIEX_BUF_FLAG_ACTION_TX_STATUS && cookie)
|
|
|
|
orig_tx_info->cookie = *cookie;
|
|
|
|
|
2014-11-25 21:43:05 +07:00
|
|
|
} else if (skb_shared(skb)) {
|
|
|
|
kfree_skb(orig_skb);
|
|
|
|
} else {
|
|
|
|
kfree_skb(skb);
|
|
|
|
skb = orig_skb;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* couldn't clone -- lose tx status ... */
|
|
|
|
skb = orig_skb;
|
|
|
|
}
|
|
|
|
|
|
|
|
return skb;
|
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/*
|
|
|
|
* CFG802.11 network device handler for data transmission.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
mwifiex_hard_start_xmit(struct sk_buff *skb, struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
|
2011-05-04 10:11:46 +07:00
|
|
|
struct sk_buff *new_skb;
|
2011-03-22 08:00:50 +07:00
|
|
|
struct mwifiex_txinfo *tx_info;
|
2014-11-25 21:43:05 +07:00
|
|
|
bool multicast;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, DATA,
|
|
|
|
"data: %lu BSS(%d-%d): Data <= kernel\n",
|
|
|
|
jiffies, priv->bss_type, priv->bss_num);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
if (priv->adapter->surprise_removed) {
|
2011-05-09 03:50:09 +07:00
|
|
|
kfree_skb(skb);
|
2011-03-22 08:00:50 +07:00
|
|
|
priv->stats.tx_dropped++;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (!skb->len || (skb->len > ETH_FRAME_LEN)) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, ERROR,
|
|
|
|
"Tx: bad skb len %d\n", skb->len);
|
2011-05-09 03:50:09 +07:00
|
|
|
kfree_skb(skb);
|
2011-03-22 08:00:50 +07:00
|
|
|
priv->stats.tx_dropped++;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (skb_headroom(skb) < MWIFIEX_MIN_DATA_HEADER_LEN) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, DATA,
|
|
|
|
"data: Tx: insufficient skb headroom %d\n",
|
|
|
|
skb_headroom(skb));
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Insufficient skb headroom - allocate a new skb */
|
|
|
|
new_skb =
|
|
|
|
skb_realloc_headroom(skb, MWIFIEX_MIN_DATA_HEADER_LEN);
|
|
|
|
if (unlikely(!new_skb)) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, ERROR,
|
|
|
|
"Tx: cannot alloca new_skb\n");
|
2011-05-09 03:50:09 +07:00
|
|
|
kfree_skb(skb);
|
2011-03-22 08:00:50 +07:00
|
|
|
priv->stats.tx_dropped++;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
kfree_skb(skb);
|
|
|
|
skb = new_skb;
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, INFO,
|
|
|
|
"info: new skb headroomd %d\n",
|
|
|
|
skb_headroom(skb));
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
tx_info = MWIFIEX_SKB_TXCB(skb);
|
2014-06-21 01:45:25 +07:00
|
|
|
memset(tx_info, 0, sizeof(*tx_info));
|
2012-01-12 11:06:11 +07:00
|
|
|
tx_info->bss_num = priv->bss_num;
|
|
|
|
tx_info->bss_type = priv->bss_type;
|
2013-12-03 14:17:55 +07:00
|
|
|
tx_info->pkt_len = skb->len;
|
2012-11-02 08:44:16 +07:00
|
|
|
|
2014-11-25 21:43:05 +07:00
|
|
|
multicast = is_multicast_ether_addr(skb->data);
|
|
|
|
|
|
|
|
if (unlikely(!multicast && skb->sk &&
|
|
|
|
skb_shinfo(skb)->tx_flags & SKBTX_WIFI_STATUS &&
|
|
|
|
priv->adapter->fw_api_ver == MWIFIEX_FW_V15))
|
|
|
|
skb = mwifiex_clone_skb_for_tx_status(priv,
|
|
|
|
skb,
|
2014-11-25 21:43:06 +07:00
|
|
|
MWIFIEX_BUF_FLAG_EAPOL_TX_STATUS, NULL);
|
2014-11-25 21:43:05 +07:00
|
|
|
|
2012-11-02 08:44:16 +07:00
|
|
|
/* Record the current time the packet was queued; used to
|
|
|
|
* determine the amount of time the packet was queued in
|
|
|
|
* the driver before it was sent to the firmware.
|
|
|
|
* The delay is then sent along with the packet to the
|
|
|
|
* firmware for aggregate delay calculation for stats and
|
|
|
|
* MSDU lifetime expiry.
|
|
|
|
*/
|
2014-06-12 14:31:34 +07:00
|
|
|
__net_timestamp(skb);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2014-11-13 23:24:16 +07:00
|
|
|
if (ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
|
|
|
|
priv->bss_type == MWIFIEX_BSS_TYPE_STA &&
|
|
|
|
!ether_addr_equal_unaligned(priv->cfg_bssid, skb->data)) {
|
|
|
|
if (priv->adapter->auto_tdls && priv->check_tdls_tx)
|
|
|
|
mwifiex_tdls_check_tx(priv, skb);
|
|
|
|
}
|
|
|
|
|
2012-09-26 10:23:32 +07:00
|
|
|
mwifiex_queue_tx_pkt(priv, skb);
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* CFG802.11 network device handler for setting MAC address.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
mwifiex_set_mac_address(struct net_device *dev, void *addr)
|
|
|
|
{
|
|
|
|
struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
|
2011-06-21 05:21:48 +07:00
|
|
|
struct sockaddr *hw_addr = addr;
|
2011-05-04 10:11:46 +07:00
|
|
|
int ret;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
|
|
|
memcpy(priv->curr_addr, hw_addr->sa_data, ETH_ALEN);
|
|
|
|
|
2011-04-14 07:27:06 +07:00
|
|
|
/* Send request to firmware */
|
2014-02-28 10:35:12 +07:00
|
|
|
ret = mwifiex_send_cmd(priv, HostCmd_CMD_802_11_MAC_ADDRESS,
|
|
|
|
HostCmd_ACT_GEN_SET, 0, NULL, true);
|
2011-04-14 07:27:06 +07:00
|
|
|
|
|
|
|
if (!ret)
|
|
|
|
memcpy(priv->netdev->dev_addr, priv->curr_addr, ETH_ALEN);
|
|
|
|
else
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, ERROR,
|
|
|
|
"set mac address failed: ret=%d\n", ret);
|
2011-04-14 07:27:06 +07:00
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
memcpy(dev->dev_addr, priv->curr_addr, ETH_ALEN);
|
|
|
|
|
2011-04-14 07:27:06 +07:00
|
|
|
return ret;
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* CFG802.11 network device handler for setting multicast list.
|
|
|
|
*/
|
|
|
|
static void mwifiex_set_multicast_list(struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
|
2011-04-14 07:27:06 +07:00
|
|
|
struct mwifiex_multicast_list mcast_list;
|
|
|
|
|
|
|
|
if (dev->flags & IFF_PROMISC) {
|
|
|
|
mcast_list.mode = MWIFIEX_PROMISC_MODE;
|
|
|
|
} else if (dev->flags & IFF_ALLMULTI ||
|
|
|
|
netdev_mc_count(dev) > MWIFIEX_MAX_MULTICAST_LIST_SIZE) {
|
|
|
|
mcast_list.mode = MWIFIEX_ALL_MULTI_MODE;
|
|
|
|
} else {
|
|
|
|
mcast_list.mode = MWIFIEX_MULTICAST_MODE;
|
2013-06-15 02:24:24 +07:00
|
|
|
mcast_list.num_multicast_addr =
|
|
|
|
mwifiex_copy_mcast_addr(&mcast_list, dev);
|
2011-04-14 07:27:06 +07:00
|
|
|
}
|
|
|
|
mwifiex_request_set_multicast_list(priv, &mcast_list);
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* CFG802.11 network device handler for transmission timeout.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
mwifiex_tx_timeout(struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
|
|
|
|
|
|
|
|
priv->num_tx_timeout++;
|
2013-03-09 01:58:45 +07:00
|
|
|
priv->tx_timeout_cnt++;
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, ERROR,
|
|
|
|
"%lu : Tx timeout(#%d), bss_type-num = %d-%d\n",
|
|
|
|
jiffies, priv->tx_timeout_cnt, priv->bss_type,
|
|
|
|
priv->bss_num);
|
2013-03-09 01:58:45 +07:00
|
|
|
mwifiex_set_trans_start(dev);
|
|
|
|
|
|
|
|
if (priv->tx_timeout_cnt > TX_TIMEOUT_THRESHOLD &&
|
|
|
|
priv->adapter->if_ops.card_reset) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(priv->adapter, ERROR,
|
|
|
|
"tx_timeout_cnt exceeds threshold.\t"
|
|
|
|
"Triggering card reset!\n");
|
2013-03-09 01:58:45 +07:00
|
|
|
priv->adapter->if_ops.card_reset(priv->adapter);
|
|
|
|
}
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
|
|
|
|
2015-09-18 20:32:17 +07:00
|
|
|
void mwifiex_multi_chan_resync(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
|
|
|
struct usb_card_rec *card = adapter->card;
|
|
|
|
struct mwifiex_private *priv;
|
|
|
|
u16 tx_buf_size;
|
|
|
|
int i, ret;
|
|
|
|
|
|
|
|
card->mc_resync_flag = true;
|
|
|
|
for (i = 0; i < MWIFIEX_TX_DATA_PORT; i++) {
|
|
|
|
if (atomic_read(&card->port[i].tx_data_urb_pending)) {
|
|
|
|
mwifiex_dbg(adapter, WARN, "pending data urb in sys\n");
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
card->mc_resync_flag = false;
|
|
|
|
tx_buf_size = 0xffff;
|
|
|
|
priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY);
|
|
|
|
ret = mwifiex_send_cmd(priv, HostCmd_CMD_RECONFIGURE_TX_BUFF,
|
|
|
|
HostCmd_ACT_GEN_SET, 0, &tx_buf_size, false);
|
|
|
|
if (ret)
|
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"send reconfig tx buf size cmd err\n");
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_multi_chan_resync);
|
|
|
|
|
2016-11-16 20:09:07 +07:00
|
|
|
int mwifiex_drv_info_dump(struct mwifiex_adapter *adapter, void **drv_info)
|
2014-12-23 20:44:10 +07:00
|
|
|
{
|
|
|
|
void *p;
|
|
|
|
char drv_version[64];
|
|
|
|
struct usb_card_rec *cardp;
|
|
|
|
struct sdio_mmc_card *sdio_card;
|
|
|
|
struct mwifiex_private *priv;
|
|
|
|
int i, idx;
|
|
|
|
struct netdev_queue *txq;
|
|
|
|
struct mwifiex_debug_info *debug_info;
|
2016-11-16 20:09:07 +07:00
|
|
|
void *drv_info_dump;
|
2014-12-23 20:44:10 +07:00
|
|
|
|
2015-05-26 20:34:30 +07:00
|
|
|
mwifiex_dbg(adapter, MSG, "===mwifiex driverinfo dump start===\n");
|
2014-12-23 20:44:10 +07:00
|
|
|
|
2016-11-16 20:09:07 +07:00
|
|
|
/* memory allocate here should be free in mwifiex_upload_device_dump*/
|
|
|
|
drv_info_dump = vzalloc(MWIFIEX_DRV_INFO_SIZE_MAX);
|
2014-12-23 20:44:10 +07:00
|
|
|
|
2016-11-16 20:09:07 +07:00
|
|
|
if (!drv_info_dump)
|
|
|
|
return 0;
|
2014-12-23 20:44:10 +07:00
|
|
|
|
2016-11-16 20:09:07 +07:00
|
|
|
p = (char *)(drv_info_dump);
|
2014-12-23 20:44:10 +07:00
|
|
|
p += sprintf(p, "driver_name = " "\"mwifiex\"\n");
|
|
|
|
|
|
|
|
mwifiex_drv_get_driver_version(adapter, drv_version,
|
|
|
|
sizeof(drv_version) - 1);
|
|
|
|
p += sprintf(p, "driver_version = %s\n", drv_version);
|
|
|
|
|
|
|
|
if (adapter->iface_type == MWIFIEX_USB) {
|
|
|
|
cardp = (struct usb_card_rec *)adapter->card;
|
|
|
|
p += sprintf(p, "tx_cmd_urb_pending = %d\n",
|
|
|
|
atomic_read(&cardp->tx_cmd_urb_pending));
|
2015-09-18 20:32:16 +07:00
|
|
|
p += sprintf(p, "tx_data_urb_pending_port_0 = %d\n",
|
|
|
|
atomic_read(&cardp->port[0].tx_data_urb_pending));
|
|
|
|
p += sprintf(p, "tx_data_urb_pending_port_1 = %d\n",
|
|
|
|
atomic_read(&cardp->port[1].tx_data_urb_pending));
|
2014-12-23 20:44:10 +07:00
|
|
|
p += sprintf(p, "rx_cmd_urb_pending = %d\n",
|
|
|
|
atomic_read(&cardp->rx_cmd_urb_pending));
|
|
|
|
p += sprintf(p, "rx_data_urb_pending = %d\n",
|
|
|
|
atomic_read(&cardp->rx_data_urb_pending));
|
|
|
|
}
|
|
|
|
|
|
|
|
p += sprintf(p, "tx_pending = %d\n",
|
|
|
|
atomic_read(&adapter->tx_pending));
|
|
|
|
p += sprintf(p, "rx_pending = %d\n",
|
|
|
|
atomic_read(&adapter->rx_pending));
|
|
|
|
|
|
|
|
if (adapter->iface_type == MWIFIEX_SDIO) {
|
|
|
|
sdio_card = (struct sdio_mmc_card *)adapter->card;
|
|
|
|
p += sprintf(p, "\nmp_rd_bitmap=0x%x curr_rd_port=0x%x\n",
|
|
|
|
sdio_card->mp_rd_bitmap, sdio_card->curr_rd_port);
|
|
|
|
p += sprintf(p, "mp_wr_bitmap=0x%x curr_wr_port=0x%x\n",
|
|
|
|
sdio_card->mp_wr_bitmap, sdio_card->curr_wr_port);
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < adapter->priv_num; i++) {
|
|
|
|
if (!adapter->priv[i] || !adapter->priv[i]->netdev)
|
|
|
|
continue;
|
|
|
|
priv = adapter->priv[i];
|
|
|
|
p += sprintf(p, "\n[interface : \"%s\"]\n",
|
|
|
|
priv->netdev->name);
|
|
|
|
p += sprintf(p, "wmm_tx_pending[0] = %d\n",
|
|
|
|
atomic_read(&priv->wmm_tx_pending[0]));
|
|
|
|
p += sprintf(p, "wmm_tx_pending[1] = %d\n",
|
|
|
|
atomic_read(&priv->wmm_tx_pending[1]));
|
|
|
|
p += sprintf(p, "wmm_tx_pending[2] = %d\n",
|
|
|
|
atomic_read(&priv->wmm_tx_pending[2]));
|
|
|
|
p += sprintf(p, "wmm_tx_pending[3] = %d\n",
|
|
|
|
atomic_read(&priv->wmm_tx_pending[3]));
|
|
|
|
p += sprintf(p, "media_state=\"%s\"\n", !priv->media_connected ?
|
|
|
|
"Disconnected" : "Connected");
|
|
|
|
p += sprintf(p, "carrier %s\n", (netif_carrier_ok(priv->netdev)
|
|
|
|
? "on" : "off"));
|
|
|
|
for (idx = 0; idx < priv->netdev->num_tx_queues; idx++) {
|
|
|
|
txq = netdev_get_tx_queue(priv->netdev, idx);
|
|
|
|
p += sprintf(p, "tx queue %d:%s ", idx,
|
|
|
|
netif_tx_queue_stopped(txq) ?
|
|
|
|
"stopped" : "started");
|
|
|
|
}
|
|
|
|
p += sprintf(p, "\n%s: num_tx_timeout = %d\n",
|
|
|
|
priv->netdev->name, priv->num_tx_timeout);
|
|
|
|
}
|
|
|
|
|
2016-04-05 15:04:40 +07:00
|
|
|
if (adapter->iface_type == MWIFIEX_SDIO ||
|
|
|
|
adapter->iface_type == MWIFIEX_PCIE) {
|
|
|
|
p += sprintf(p, "\n=== %s register dump===\n",
|
|
|
|
adapter->iface_type == MWIFIEX_SDIO ?
|
|
|
|
"SDIO" : "PCIE");
|
2014-12-23 20:44:11 +07:00
|
|
|
if (adapter->if_ops.reg_dump)
|
|
|
|
p += adapter->if_ops.reg_dump(adapter, p);
|
|
|
|
}
|
2015-05-26 20:34:30 +07:00
|
|
|
p += sprintf(p, "\n=== more debug information\n");
|
2014-12-23 20:44:10 +07:00
|
|
|
debug_info = kzalloc(sizeof(*debug_info), GFP_KERNEL);
|
|
|
|
if (debug_info) {
|
|
|
|
for (i = 0; i < adapter->priv_num; i++) {
|
|
|
|
if (!adapter->priv[i] || !adapter->priv[i]->netdev)
|
|
|
|
continue;
|
|
|
|
priv = adapter->priv[i];
|
|
|
|
mwifiex_get_debug_info(priv, debug_info);
|
|
|
|
p += mwifiex_debug_info_to_buffer(priv, p, debug_info);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
kfree(debug_info);
|
|
|
|
}
|
|
|
|
|
2015-05-26 20:34:30 +07:00
|
|
|
mwifiex_dbg(adapter, MSG, "===mwifiex driverinfo dump end===\n");
|
2016-11-16 20:09:07 +07:00
|
|
|
*drv_info = drv_info_dump;
|
|
|
|
return p - drv_info_dump;
|
2014-12-23 20:44:10 +07:00
|
|
|
}
|
2015-05-26 20:34:31 +07:00
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_drv_info_dump);
|
2014-12-23 20:44:10 +07:00
|
|
|
|
2016-11-16 20:09:07 +07:00
|
|
|
void mwifiex_upload_device_dump(struct mwifiex_adapter *adapter, void *drv_info,
|
|
|
|
int drv_info_size)
|
2015-05-26 20:34:32 +07:00
|
|
|
{
|
|
|
|
u8 idx, *dump_data, *fw_dump_ptr;
|
|
|
|
u32 dump_len;
|
|
|
|
|
|
|
|
dump_len = (strlen("========Start dump driverinfo========\n") +
|
2016-11-16 20:09:07 +07:00
|
|
|
drv_info_size +
|
2015-05-26 20:34:32 +07:00
|
|
|
strlen("\n========End dump========\n"));
|
|
|
|
|
|
|
|
for (idx = 0; idx < adapter->num_mem_types; idx++) {
|
|
|
|
struct memory_type_mapping *entry =
|
|
|
|
&adapter->mem_type_mapping_tbl[idx];
|
|
|
|
|
|
|
|
if (entry->mem_ptr) {
|
|
|
|
dump_len += (strlen("========Start dump ") +
|
|
|
|
strlen(entry->mem_name) +
|
|
|
|
strlen("========\n") +
|
|
|
|
(entry->mem_size + 1) +
|
|
|
|
strlen("\n========End dump========\n"));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
dump_data = vzalloc(dump_len + 1);
|
|
|
|
if (!dump_data)
|
|
|
|
goto done;
|
|
|
|
|
|
|
|
fw_dump_ptr = dump_data;
|
|
|
|
|
|
|
|
/* Dump all the memory data into single file, a userspace script will
|
|
|
|
* be used to split all the memory data to multiple files
|
|
|
|
*/
|
|
|
|
mwifiex_dbg(adapter, MSG,
|
|
|
|
"== mwifiex dump information to /sys/class/devcoredump start");
|
|
|
|
|
|
|
|
strcpy(fw_dump_ptr, "========Start dump driverinfo========\n");
|
|
|
|
fw_dump_ptr += strlen("========Start dump driverinfo========\n");
|
2016-11-16 20:09:07 +07:00
|
|
|
memcpy(fw_dump_ptr, drv_info, drv_info_size);
|
|
|
|
fw_dump_ptr += drv_info_size;
|
2015-05-26 20:34:32 +07:00
|
|
|
strcpy(fw_dump_ptr, "\n========End dump========\n");
|
|
|
|
fw_dump_ptr += strlen("\n========End dump========\n");
|
|
|
|
|
|
|
|
for (idx = 0; idx < adapter->num_mem_types; idx++) {
|
|
|
|
struct memory_type_mapping *entry =
|
|
|
|
&adapter->mem_type_mapping_tbl[idx];
|
|
|
|
|
|
|
|
if (entry->mem_ptr) {
|
|
|
|
strcpy(fw_dump_ptr, "========Start dump ");
|
|
|
|
fw_dump_ptr += strlen("========Start dump ");
|
|
|
|
|
|
|
|
strcpy(fw_dump_ptr, entry->mem_name);
|
|
|
|
fw_dump_ptr += strlen(entry->mem_name);
|
|
|
|
|
|
|
|
strcpy(fw_dump_ptr, "========\n");
|
|
|
|
fw_dump_ptr += strlen("========\n");
|
|
|
|
|
|
|
|
memcpy(fw_dump_ptr, entry->mem_ptr, entry->mem_size);
|
|
|
|
fw_dump_ptr += entry->mem_size;
|
|
|
|
|
|
|
|
strcpy(fw_dump_ptr, "\n========End dump========\n");
|
|
|
|
fw_dump_ptr += strlen("\n========End dump========\n");
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* device dump data will be free in device coredump release function
|
|
|
|
* after 5 min
|
|
|
|
*/
|
|
|
|
dev_coredumpv(adapter->dev, dump_data, dump_len, GFP_KERNEL);
|
|
|
|
mwifiex_dbg(adapter, MSG,
|
|
|
|
"== mwifiex dump information to /sys/class/devcoredump end");
|
|
|
|
|
|
|
|
done:
|
|
|
|
for (idx = 0; idx < adapter->num_mem_types; idx++) {
|
|
|
|
struct memory_type_mapping *entry =
|
|
|
|
&adapter->mem_type_mapping_tbl[idx];
|
|
|
|
|
2016-11-16 20:09:07 +07:00
|
|
|
vfree(entry->mem_ptr);
|
|
|
|
entry->mem_ptr = NULL;
|
2015-05-26 20:34:32 +07:00
|
|
|
entry->mem_size = 0;
|
|
|
|
}
|
|
|
|
|
2016-11-16 20:09:07 +07:00
|
|
|
vfree(drv_info);
|
2015-05-26 20:34:32 +07:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_upload_device_dump);
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/*
|
|
|
|
* CFG802.11 network device handler for statistics retrieval.
|
|
|
|
*/
|
|
|
|
static struct net_device_stats *mwifiex_get_stats(struct net_device *dev)
|
|
|
|
{
|
|
|
|
struct mwifiex_private *priv = mwifiex_netdev_get_priv(dev);
|
|
|
|
|
|
|
|
return &priv->stats;
|
|
|
|
}
|
|
|
|
|
2012-11-02 08:44:16 +07:00
|
|
|
static u16
|
2014-01-10 15:18:26 +07:00
|
|
|
mwifiex_netdev_select_wmm_queue(struct net_device *dev, struct sk_buff *skb,
|
2014-02-16 21:55:20 +07:00
|
|
|
void *accel_priv, select_queue_fallback_t fallback)
|
2012-11-02 08:44:16 +07:00
|
|
|
{
|
2013-12-17 14:01:30 +07:00
|
|
|
skb->priority = cfg80211_classify8021d(skb, NULL);
|
2012-11-02 08:44:16 +07:00
|
|
|
return mwifiex_1d_to_wmm_queue[skb->priority];
|
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Network device handlers */
|
|
|
|
static const struct net_device_ops mwifiex_netdev_ops = {
|
|
|
|
.ndo_open = mwifiex_open,
|
|
|
|
.ndo_stop = mwifiex_close,
|
|
|
|
.ndo_start_xmit = mwifiex_hard_start_xmit,
|
|
|
|
.ndo_set_mac_address = mwifiex_set_mac_address,
|
2015-10-09 18:26:34 +07:00
|
|
|
.ndo_validate_addr = eth_validate_addr,
|
2011-03-22 08:00:50 +07:00
|
|
|
.ndo_tx_timeout = mwifiex_tx_timeout,
|
|
|
|
.ndo_get_stats = mwifiex_get_stats,
|
2011-08-16 13:29:01 +07:00
|
|
|
.ndo_set_rx_mode = mwifiex_set_multicast_list,
|
2012-11-02 08:44:16 +07:00
|
|
|
.ndo_select_queue = mwifiex_netdev_select_wmm_queue,
|
2011-03-22 08:00:50 +07:00
|
|
|
};
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This function initializes the private structure parameters.
|
|
|
|
*
|
|
|
|
* The following wait queues are initialized -
|
|
|
|
* - IOCTL wait queue
|
|
|
|
* - Command wait queue
|
|
|
|
* - Statistics wait queue
|
|
|
|
*
|
|
|
|
* ...and the following default parameters are set -
|
|
|
|
* - Current key index : Set to 0
|
|
|
|
* - Rate index : Set to auto
|
|
|
|
* - Media connected : Set to disconnected
|
|
|
|
* - Adhoc link sensed : Set to false
|
|
|
|
* - Nick name : Set to null
|
|
|
|
* - Number of Tx timeout : Set to 0
|
|
|
|
* - Device address : Set to current address
|
2014-12-23 20:44:07 +07:00
|
|
|
* - Rx histogram statistc : Set to 0
|
2011-03-22 08:00:50 +07:00
|
|
|
*
|
|
|
|
* In addition, the CFG80211 work queue is also created.
|
|
|
|
*/
|
2011-09-27 10:37:26 +07:00
|
|
|
void mwifiex_init_priv_params(struct mwifiex_private *priv,
|
2015-01-28 17:12:05 +07:00
|
|
|
struct net_device *dev)
|
2011-03-22 08:00:50 +07:00
|
|
|
{
|
|
|
|
dev->netdev_ops = &mwifiex_netdev_ops;
|
2013-05-07 09:46:54 +07:00
|
|
|
dev->destructor = free_netdev;
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Initialize private structure */
|
|
|
|
priv->current_key_index = 0;
|
|
|
|
priv->media_connected = false;
|
2012-05-09 08:30:28 +07:00
|
|
|
memset(priv->mgmt_ie, 0,
|
|
|
|
sizeof(struct mwifiex_ie) * MAX_MGMT_IE_INDEX);
|
2012-05-09 08:30:29 +07:00
|
|
|
priv->beacon_idx = MWIFIEX_AUTO_IDX_MASK;
|
|
|
|
priv->proberesp_idx = MWIFIEX_AUTO_IDX_MASK;
|
|
|
|
priv->assocresp_idx = MWIFIEX_AUTO_IDX_MASK;
|
2015-01-28 17:24:20 +07:00
|
|
|
priv->gen_idx = MWIFIEX_AUTO_IDX_MASK;
|
2011-03-22 08:00:50 +07:00
|
|
|
priv->num_tx_timeout = 0;
|
2015-01-28 17:12:01 +07:00
|
|
|
ether_addr_copy(priv->curr_addr, priv->adapter->perm_addr);
|
2011-03-22 08:00:50 +07:00
|
|
|
memcpy(dev->dev_addr, priv->curr_addr, ETH_ALEN);
|
2014-12-23 20:44:07 +07:00
|
|
|
|
|
|
|
if (GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_STA ||
|
|
|
|
GET_BSS_ROLE(priv) == MWIFIEX_BSS_ROLE_UAP) {
|
|
|
|
priv->hist_data = kmalloc(sizeof(*priv->hist_data), GFP_KERNEL);
|
|
|
|
if (priv->hist_data)
|
|
|
|
mwifiex_hist_data_reset(priv);
|
|
|
|
}
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This function check if command is pending.
|
|
|
|
*/
|
|
|
|
int is_command_pending(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
|
|
|
unsigned long flags;
|
|
|
|
int is_cmd_pend_q_empty;
|
|
|
|
|
|
|
|
spin_lock_irqsave(&adapter->cmd_pending_q_lock, flags);
|
|
|
|
is_cmd_pend_q_empty = list_empty(&adapter->cmd_pending_q);
|
|
|
|
spin_unlock_irqrestore(&adapter->cmd_pending_q_lock, flags);
|
|
|
|
|
|
|
|
return !is_cmd_pend_q_empty;
|
|
|
|
}
|
|
|
|
|
2014-09-12 21:38:59 +07:00
|
|
|
/*
|
|
|
|
* This is the RX work queue function.
|
|
|
|
*
|
|
|
|
* It handles the RX operations.
|
|
|
|
*/
|
|
|
|
static void mwifiex_rx_work_queue(struct work_struct *work)
|
|
|
|
{
|
|
|
|
struct mwifiex_adapter *adapter =
|
|
|
|
container_of(work, struct mwifiex_adapter, rx_work);
|
|
|
|
|
|
|
|
if (adapter->surprise_removed)
|
|
|
|
return;
|
|
|
|
mwifiex_process_rx(adapter);
|
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/*
|
|
|
|
* This is the main work queue function.
|
|
|
|
*
|
|
|
|
* It handles the main process, which in turn handles the complete
|
|
|
|
* driver operations.
|
|
|
|
*/
|
|
|
|
static void mwifiex_main_work_queue(struct work_struct *work)
|
|
|
|
{
|
|
|
|
struct mwifiex_adapter *adapter =
|
|
|
|
container_of(work, struct mwifiex_adapter, main_work);
|
|
|
|
|
|
|
|
if (adapter->surprise_removed)
|
|
|
|
return;
|
|
|
|
mwifiex_main_process(adapter);
|
|
|
|
}
|
|
|
|
|
2016-07-26 21:01:44 +07:00
|
|
|
/*
|
|
|
|
* This function gets called during PCIe function level reset. Required
|
|
|
|
* code is extracted from mwifiex_remove_card()
|
|
|
|
*/
|
2016-12-14 21:10:47 +07:00
|
|
|
int
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
mwifiex_shutdown_sw(struct mwifiex_adapter *adapter)
|
2016-07-26 21:01:44 +07:00
|
|
|
{
|
|
|
|
struct mwifiex_private *priv;
|
|
|
|
int i;
|
|
|
|
|
2016-09-16 16:37:31 +07:00
|
|
|
if (!adapter)
|
|
|
|
goto exit_return;
|
|
|
|
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
wait_for_completion(adapter->fw_done);
|
|
|
|
/* Caller should ensure we aren't suspending while this happens */
|
|
|
|
reinit_completion(adapter->fw_done);
|
2016-07-26 21:01:44 +07:00
|
|
|
|
|
|
|
priv = mwifiex_get_priv(adapter, MWIFIEX_BSS_ROLE_ANY);
|
|
|
|
mwifiex_deauthenticate(priv, NULL);
|
|
|
|
|
|
|
|
/* We can no longer handle interrupts once we start doing the teardown
|
|
|
|
* below.
|
|
|
|
*/
|
|
|
|
if (adapter->if_ops.disable_int)
|
|
|
|
adapter->if_ops.disable_int(adapter);
|
|
|
|
|
|
|
|
adapter->surprise_removed = true;
|
|
|
|
mwifiex_terminate_workqueue(adapter);
|
|
|
|
|
|
|
|
/* Stop data */
|
|
|
|
for (i = 0; i < adapter->priv_num; i++) {
|
|
|
|
priv = adapter->priv[i];
|
|
|
|
if (priv && priv->netdev) {
|
|
|
|
mwifiex_stop_net_dev_queue(priv->netdev, adapter);
|
|
|
|
if (netif_carrier_ok(priv->netdev))
|
|
|
|
netif_carrier_off(priv->netdev);
|
|
|
|
netif_device_detach(priv->netdev);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
mwifiex_dbg(adapter, CMD, "cmd: calling mwifiex_shutdown_drv...\n");
|
|
|
|
|
2016-11-16 20:09:05 +07:00
|
|
|
mwifiex_shutdown_drv(adapter);
|
2016-07-26 21:01:44 +07:00
|
|
|
if (adapter->if_ops.down_dev)
|
|
|
|
adapter->if_ops.down_dev(adapter);
|
|
|
|
|
|
|
|
mwifiex_dbg(adapter, CMD, "cmd: mwifiex_shutdown_drv done\n");
|
|
|
|
if (atomic_read(&adapter->rx_pending) ||
|
|
|
|
atomic_read(&adapter->tx_pending) ||
|
|
|
|
atomic_read(&adapter->cmd_pending)) {
|
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"rx_pending=%d, tx_pending=%d,\t"
|
|
|
|
"cmd_pending=%d\n",
|
|
|
|
atomic_read(&adapter->rx_pending),
|
|
|
|
atomic_read(&adapter->tx_pending),
|
|
|
|
atomic_read(&adapter->cmd_pending));
|
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < adapter->priv_num; i++) {
|
|
|
|
priv = adapter->priv[i];
|
|
|
|
if (!priv)
|
|
|
|
continue;
|
|
|
|
rtnl_lock();
|
|
|
|
if (priv->netdev &&
|
|
|
|
priv->wdev.iftype != NL80211_IFTYPE_UNSPECIFIED)
|
|
|
|
mwifiex_del_virtual_intf(adapter->wiphy, &priv->wdev);
|
|
|
|
rtnl_unlock();
|
|
|
|
}
|
|
|
|
|
|
|
|
mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
|
2016-09-16 16:37:31 +07:00
|
|
|
exit_return:
|
2016-07-26 21:01:44 +07:00
|
|
|
return 0;
|
|
|
|
}
|
2016-12-14 21:10:47 +07:00
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_shutdown_sw);
|
2016-07-26 21:01:44 +07:00
|
|
|
|
|
|
|
/* This function gets called during PCIe function level reset. Required
|
|
|
|
* code is extracted from mwifiex_add_card()
|
|
|
|
*/
|
2016-12-14 21:10:47 +07:00
|
|
|
int
|
|
|
|
mwifiex_reinit_sw(struct mwifiex_adapter *adapter)
|
2016-07-26 21:01:44 +07:00
|
|
|
{
|
mwifiex: catch mwifiex_fw_dpc() errors properly in reset
When resetting the device, we take a synchronous firmware-loading code
path, which borrows a lot from the asynchronous path used at probe time.
We don't catch errors correctly though, which means that in the PCIe
driver, we may try to dereference the 'adapter' struct after
mwifiex_fw_dpc() has freed it. See this (erronous) print in
mwifiex_pcie_reset_notify():
mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
Let's instead refactor the synchronous (or "!req_fw_nowait") path so
that we propagate errors and handle them properly.
This fixes a use-after-free issue in the PCIe driver, as well as a
misleading debug message ("successful"). It looks like the SDIO driver
doesn't have these problems, since it doesn't do anything after
mwifiex_reinit_sw().
Fixes: 4c5dae59d2e9 ("mwifiex: add PCIe function level reset support")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-03-29 06:59:33 +07:00
|
|
|
int ret;
|
|
|
|
|
2016-07-26 21:01:44 +07:00
|
|
|
mwifiex_init_lock_list(adapter);
|
|
|
|
if (adapter->if_ops.up_dev)
|
|
|
|
adapter->if_ops.up_dev(adapter);
|
|
|
|
|
|
|
|
adapter->hw_status = MWIFIEX_HW_STATUS_INITIALIZING;
|
|
|
|
adapter->surprise_removed = false;
|
|
|
|
init_waitqueue_head(&adapter->init_wait_q);
|
|
|
|
adapter->is_suspended = false;
|
|
|
|
adapter->hs_activated = false;
|
|
|
|
init_waitqueue_head(&adapter->hs_activate_wait_q);
|
|
|
|
init_waitqueue_head(&adapter->cmd_wait_q.wait);
|
|
|
|
adapter->cmd_wait_q.status = 0;
|
|
|
|
adapter->scan_wait_q_woken = false;
|
|
|
|
|
|
|
|
if ((num_possible_cpus() > 1) || adapter->iface_type == MWIFIEX_USB)
|
|
|
|
adapter->rx_work_enabled = true;
|
|
|
|
|
|
|
|
adapter->workqueue =
|
|
|
|
alloc_workqueue("MWIFIEX_WORK_QUEUE",
|
|
|
|
WQ_HIGHPRI | WQ_MEM_RECLAIM | WQ_UNBOUND, 1);
|
|
|
|
if (!adapter->workqueue)
|
|
|
|
goto err_kmalloc;
|
|
|
|
|
|
|
|
INIT_WORK(&adapter->main_work, mwifiex_main_work_queue);
|
|
|
|
|
|
|
|
if (adapter->rx_work_enabled) {
|
|
|
|
adapter->rx_workqueue = alloc_workqueue("MWIFIEX_RX_WORK_QUEUE",
|
|
|
|
WQ_HIGHPRI |
|
|
|
|
WQ_MEM_RECLAIM |
|
|
|
|
WQ_UNBOUND, 1);
|
|
|
|
if (!adapter->rx_workqueue)
|
|
|
|
goto err_kmalloc;
|
|
|
|
INIT_WORK(&adapter->rx_work, mwifiex_rx_work_queue);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Register the device. Fill up the private data structure with
|
|
|
|
* relevant information from the card. Some code extracted from
|
|
|
|
* mwifiex_register_dev()
|
|
|
|
*/
|
|
|
|
mwifiex_dbg(adapter, INFO, "%s, mwifiex_init_hw_fw()...\n", __func__);
|
|
|
|
|
|
|
|
if (mwifiex_init_hw_fw(adapter, false)) {
|
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"%s: firmware init failed\n", __func__);
|
|
|
|
goto err_init_fw;
|
|
|
|
}
|
mwifiex: catch mwifiex_fw_dpc() errors properly in reset
When resetting the device, we take a synchronous firmware-loading code
path, which borrows a lot from the asynchronous path used at probe time.
We don't catch errors correctly though, which means that in the PCIe
driver, we may try to dereference the 'adapter' struct after
mwifiex_fw_dpc() has freed it. See this (erronous) print in
mwifiex_pcie_reset_notify():
mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
Let's instead refactor the synchronous (or "!req_fw_nowait") path so
that we propagate errors and handle them properly.
This fixes a use-after-free issue in the PCIe driver, as well as a
misleading debug message ("successful"). It looks like the SDIO driver
doesn't have these problems, since it doesn't do anything after
mwifiex_reinit_sw().
Fixes: 4c5dae59d2e9 ("mwifiex: add PCIe function level reset support")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2017-03-29 06:59:33 +07:00
|
|
|
|
|
|
|
/* _mwifiex_fw_dpc() does its own cleanup */
|
|
|
|
ret = _mwifiex_fw_dpc(adapter->firmware, adapter);
|
|
|
|
if (ret) {
|
|
|
|
pr_err("Failed to bring up adapter: %d\n", ret);
|
|
|
|
return ret;
|
|
|
|
}
|
2016-07-26 21:01:44 +07:00
|
|
|
mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
|
2016-07-26 21:01:44 +07:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
err_init_fw:
|
|
|
|
mwifiex_dbg(adapter, ERROR, "info: %s: unregister device\n", __func__);
|
|
|
|
if (adapter->if_ops.unregister_dev)
|
|
|
|
adapter->if_ops.unregister_dev(adapter);
|
2016-11-16 20:09:05 +07:00
|
|
|
|
|
|
|
err_kmalloc:
|
|
|
|
adapter->surprise_removed = true;
|
|
|
|
mwifiex_terminate_workqueue(adapter);
|
2016-07-26 21:01:44 +07:00
|
|
|
if (adapter->hw_status == MWIFIEX_HW_STATUS_READY) {
|
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"info: %s: shutdown mwifiex\n", __func__);
|
2016-11-16 20:09:05 +07:00
|
|
|
mwifiex_shutdown_drv(adapter);
|
2016-07-26 21:01:44 +07:00
|
|
|
}
|
|
|
|
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
complete_all(adapter->fw_done);
|
2016-07-26 21:01:44 +07:00
|
|
|
mwifiex_dbg(adapter, INFO, "%s, error\n", __func__);
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
}
|
2016-12-14 21:10:47 +07:00
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_reinit_sw);
|
2016-07-26 21:01:44 +07:00
|
|
|
|
2016-11-15 20:36:04 +07:00
|
|
|
static irqreturn_t mwifiex_irq_wakeup_handler(int irq, void *priv)
|
|
|
|
{
|
|
|
|
struct mwifiex_adapter *adapter = priv;
|
|
|
|
|
|
|
|
if (adapter->irq_wakeup >= 0) {
|
|
|
|
dev_dbg(adapter->dev, "%s: wake by wifi", __func__);
|
|
|
|
adapter->wake_by_wifi = true;
|
|
|
|
disable_irq_nosync(irq);
|
|
|
|
}
|
|
|
|
|
|
|
|
/* Notify PM core we are wakeup source */
|
|
|
|
pm_wakeup_event(adapter->dev, 0);
|
2017-02-24 13:24:31 +07:00
|
|
|
pm_system_wakeup();
|
2016-11-15 20:36:04 +07:00
|
|
|
|
|
|
|
return IRQ_HANDLED;
|
|
|
|
}
|
|
|
|
|
2016-11-15 20:36:03 +07:00
|
|
|
static void mwifiex_probe_of(struct mwifiex_adapter *adapter)
|
|
|
|
{
|
2016-11-15 20:36:04 +07:00
|
|
|
int ret;
|
2016-11-15 20:36:03 +07:00
|
|
|
struct device *dev = adapter->dev;
|
|
|
|
|
|
|
|
if (!dev->of_node)
|
2017-02-11 04:55:25 +07:00
|
|
|
goto err_exit;
|
2016-11-15 20:36:03 +07:00
|
|
|
|
|
|
|
adapter->dt_node = dev->of_node;
|
2016-11-15 20:36:04 +07:00
|
|
|
adapter->irq_wakeup = irq_of_parse_and_map(adapter->dt_node, 0);
|
|
|
|
if (!adapter->irq_wakeup) {
|
2017-02-11 04:55:25 +07:00
|
|
|
dev_dbg(dev, "fail to parse irq_wakeup from device tree\n");
|
|
|
|
goto err_exit;
|
2016-11-15 20:36:04 +07:00
|
|
|
}
|
|
|
|
|
|
|
|
ret = devm_request_irq(dev, adapter->irq_wakeup,
|
|
|
|
mwifiex_irq_wakeup_handler, IRQF_TRIGGER_LOW,
|
|
|
|
"wifi_wake", adapter);
|
|
|
|
if (ret) {
|
|
|
|
dev_err(dev, "Failed to request irq_wakeup %d (%d)\n",
|
|
|
|
adapter->irq_wakeup, ret);
|
|
|
|
goto err_exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
disable_irq(adapter->irq_wakeup);
|
|
|
|
if (device_init_wakeup(dev, true)) {
|
|
|
|
dev_err(dev, "fail to init wakeup for mwifiex\n");
|
|
|
|
goto err_exit;
|
|
|
|
}
|
|
|
|
return;
|
|
|
|
|
|
|
|
err_exit:
|
2017-02-11 04:55:25 +07:00
|
|
|
adapter->irq_wakeup = -1;
|
2016-11-15 20:36:03 +07:00
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/*
|
|
|
|
* This function adds the card.
|
|
|
|
*
|
|
|
|
* This function follows the following major steps to set up the device -
|
|
|
|
* - Initialize software. This includes probing the card, registering
|
|
|
|
* the interface operations table, and allocating/initializing the
|
|
|
|
* adapter structure
|
|
|
|
* - Set up the netlink socket
|
|
|
|
* - Create and start the main work queue
|
|
|
|
* - Register the device
|
|
|
|
* - Initialize firmware and hardware
|
|
|
|
* - Add logical interfaces
|
|
|
|
*/
|
|
|
|
int
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
mwifiex_add_card(void *card, struct completion *fw_done,
|
2016-11-15 20:36:02 +07:00
|
|
|
struct mwifiex_if_ops *if_ops, u8 iface_type,
|
|
|
|
struct device *dev)
|
2011-03-22 08:00:50 +07:00
|
|
|
{
|
2011-04-16 10:50:42 +07:00
|
|
|
struct mwifiex_adapter *adapter;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2017-03-11 08:39:22 +07:00
|
|
|
if (mwifiex_register(card, dev, if_ops, (void **)&adapter)) {
|
2011-03-22 08:00:50 +07:00
|
|
|
pr_err("%s: software init failed\n", __func__);
|
|
|
|
goto err_init_sw;
|
|
|
|
}
|
|
|
|
|
2016-11-15 20:36:03 +07:00
|
|
|
mwifiex_probe_of(adapter);
|
|
|
|
|
2011-10-12 07:41:21 +07:00
|
|
|
adapter->iface_type = iface_type;
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
adapter->fw_done = fw_done;
|
2011-10-12 07:41:21 +07:00
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
adapter->hw_status = MWIFIEX_HW_STATUS_INITIALIZING;
|
|
|
|
adapter->surprise_removed = false;
|
|
|
|
init_waitqueue_head(&adapter->init_wait_q);
|
|
|
|
adapter->is_suspended = false;
|
|
|
|
adapter->hs_activated = false;
|
|
|
|
init_waitqueue_head(&adapter->hs_activate_wait_q);
|
2011-04-14 07:27:06 +07:00
|
|
|
init_waitqueue_head(&adapter->cmd_wait_q.wait);
|
|
|
|
adapter->cmd_wait_q.status = 0;
|
2011-10-13 10:28:06 +07:00
|
|
|
adapter->scan_wait_q_woken = false;
|
2011-03-22 08:00:50 +07:00
|
|
|
|
2014-11-05 18:34:27 +07:00
|
|
|
if ((num_possible_cpus() > 1) || adapter->iface_type == MWIFIEX_USB) {
|
2014-09-12 21:38:59 +07:00
|
|
|
adapter->rx_work_enabled = true;
|
|
|
|
pr_notice("rx work enabled, cpus %d\n", num_possible_cpus());
|
|
|
|
}
|
|
|
|
|
2013-10-12 08:33:04 +07:00
|
|
|
adapter->workqueue =
|
|
|
|
alloc_workqueue("MWIFIEX_WORK_QUEUE",
|
|
|
|
WQ_HIGHPRI | WQ_MEM_RECLAIM | WQ_UNBOUND, 1);
|
2011-03-22 08:00:50 +07:00
|
|
|
if (!adapter->workqueue)
|
|
|
|
goto err_kmalloc;
|
|
|
|
|
|
|
|
INIT_WORK(&adapter->main_work, mwifiex_main_work_queue);
|
2014-09-12 21:38:59 +07:00
|
|
|
|
|
|
|
if (adapter->rx_work_enabled) {
|
|
|
|
adapter->rx_workqueue = alloc_workqueue("MWIFIEX_RX_WORK_QUEUE",
|
|
|
|
WQ_HIGHPRI |
|
|
|
|
WQ_MEM_RECLAIM |
|
|
|
|
WQ_UNBOUND, 1);
|
|
|
|
if (!adapter->rx_workqueue)
|
|
|
|
goto err_kmalloc;
|
|
|
|
|
|
|
|
INIT_WORK(&adapter->rx_work, mwifiex_rx_work_queue);
|
|
|
|
}
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Register the device. Fill up the private data structure with relevant
|
2013-07-13 21:57:10 +07:00
|
|
|
information from the card. */
|
2011-03-22 08:00:50 +07:00
|
|
|
if (adapter->if_ops.register_dev(adapter)) {
|
|
|
|
pr_err("%s: failed to register mwifiex device\n", __func__);
|
|
|
|
goto err_registerdev;
|
|
|
|
}
|
|
|
|
|
2016-07-26 21:01:44 +07:00
|
|
|
if (mwifiex_init_hw_fw(adapter, true)) {
|
2011-03-22 08:00:50 +07:00
|
|
|
pr_err("%s: firmware init failed\n", __func__);
|
|
|
|
goto err_init_fw;
|
|
|
|
}
|
2011-04-16 10:50:42 +07:00
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
err_init_fw:
|
|
|
|
pr_debug("info: %s: unregister device\n", __func__);
|
2012-04-19 10:08:28 +07:00
|
|
|
if (adapter->if_ops.unregister_dev)
|
|
|
|
adapter->if_ops.unregister_dev(adapter);
|
2013-07-23 09:17:55 +07:00
|
|
|
err_registerdev:
|
|
|
|
adapter->surprise_removed = true;
|
|
|
|
mwifiex_terminate_workqueue(adapter);
|
2016-11-16 20:09:05 +07:00
|
|
|
if (adapter->hw_status == MWIFIEX_HW_STATUS_READY) {
|
|
|
|
pr_debug("info: %s: shutdown mwifiex\n", __func__);
|
|
|
|
mwifiex_shutdown_drv(adapter);
|
|
|
|
}
|
2013-07-23 09:17:55 +07:00
|
|
|
err_kmalloc:
|
2011-03-22 08:00:50 +07:00
|
|
|
mwifiex_free_adapter(adapter);
|
|
|
|
|
|
|
|
err_init_sw:
|
|
|
|
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_add_card);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This function removes the card.
|
|
|
|
*
|
|
|
|
* This function follows the following major steps to remove the device -
|
|
|
|
* - Stop data traffic
|
|
|
|
* - Shutdown firmware
|
|
|
|
* - Remove the logical interfaces
|
|
|
|
* - Terminate the work queue
|
|
|
|
* - Unregister the device
|
|
|
|
* - Free the adapter structure
|
|
|
|
*/
|
mwifiex: resolve races between async FW init (failure) and device removal
It's possible for the FW init sequence to fail, which will trigger a
device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with
device suspend() or remove() (e.g., reboot or unbind), and can trigger
use-after-free issues. Currently, this driver attempts (poorly) to
synchronize remove() using a semaphore, but it doesn't protect some of
the critical sections properly. Particularly, we grab a pointer to the
adapter struct (card->adapter) without checking if it's being freed or
not. We later do a NULL check on the adapter, but that doesn't work if
the adapter was freed.
Also note that the PCIe interface driver doesn't ever set card->adapter
to NULL, so even if we get the synchronization right, we still might try
to redo the cleanup in ->remove(), even if the FW init failure sequence
already did it.
This patch replaces the static semaphore with a per-device completion
struct, and uses that completion to synchronize the remove() thread with
the mwifiex_fw_dpc(). A future patch will utilize this completion to
synchronize the suspend() thread as well.
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2016-11-18 21:00:26 +07:00
|
|
|
int mwifiex_remove_card(struct mwifiex_adapter *adapter)
|
2011-03-22 08:00:50 +07:00
|
|
|
{
|
|
|
|
struct mwifiex_private *priv = NULL;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
if (!adapter)
|
|
|
|
goto exit_remove;
|
|
|
|
|
2013-07-13 21:57:10 +07:00
|
|
|
/* We can no longer handle interrupts once we start doing the teardown
|
|
|
|
* below. */
|
|
|
|
if (adapter->if_ops.disable_int)
|
|
|
|
adapter->if_ops.disable_int(adapter);
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
adapter->surprise_removed = true;
|
|
|
|
|
2014-12-31 17:36:39 +07:00
|
|
|
mwifiex_terminate_workqueue(adapter);
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Stop data */
|
|
|
|
for (i = 0; i < adapter->priv_num; i++) {
|
|
|
|
priv = adapter->priv[i];
|
2011-09-27 10:37:26 +07:00
|
|
|
if (priv && priv->netdev) {
|
2012-11-02 08:44:16 +07:00
|
|
|
mwifiex_stop_net_dev_queue(priv->netdev, adapter);
|
2011-03-22 08:00:50 +07:00
|
|
|
if (netif_carrier_ok(priv->netdev))
|
|
|
|
netif_carrier_off(priv->netdev);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, CMD,
|
|
|
|
"cmd: calling mwifiex_shutdown_drv...\n");
|
2011-04-16 10:50:40 +07:00
|
|
|
|
2016-11-16 20:09:05 +07:00
|
|
|
mwifiex_shutdown_drv(adapter);
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, CMD,
|
|
|
|
"cmd: mwifiex_shutdown_drv done\n");
|
2011-03-22 08:00:50 +07:00
|
|
|
if (atomic_read(&adapter->rx_pending) ||
|
|
|
|
atomic_read(&adapter->tx_pending) ||
|
2011-04-14 07:27:06 +07:00
|
|
|
atomic_read(&adapter->cmd_pending)) {
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, ERROR,
|
|
|
|
"rx_pending=%d, tx_pending=%d,\t"
|
|
|
|
"cmd_pending=%d\n",
|
|
|
|
atomic_read(&adapter->rx_pending),
|
|
|
|
atomic_read(&adapter->tx_pending),
|
|
|
|
atomic_read(&adapter->cmd_pending));
|
2011-03-22 08:00:50 +07:00
|
|
|
}
|
|
|
|
|
2011-09-27 10:37:26 +07:00
|
|
|
for (i = 0; i < adapter->priv_num; i++) {
|
|
|
|
priv = adapter->priv[i];
|
|
|
|
|
|
|
|
if (!priv)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
rtnl_lock();
|
2015-01-28 17:12:00 +07:00
|
|
|
if (priv->netdev &&
|
|
|
|
priv->wdev.iftype != NL80211_IFTYPE_UNSPECIFIED)
|
|
|
|
mwifiex_del_virtual_intf(adapter->wiphy, &priv->wdev);
|
2011-09-27 10:37:26 +07:00
|
|
|
rtnl_unlock();
|
|
|
|
}
|
|
|
|
|
2013-12-03 14:17:57 +07:00
|
|
|
wiphy_unregister(adapter->wiphy);
|
|
|
|
wiphy_free(adapter->wiphy);
|
2012-05-09 08:30:13 +07:00
|
|
|
|
2017-03-11 08:39:23 +07:00
|
|
|
if (adapter->irq_wakeup >= 0)
|
|
|
|
device_init_wakeup(adapter->dev, false);
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Unregister device */
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, INFO,
|
|
|
|
"info: unregister device\n");
|
2012-04-19 10:08:28 +07:00
|
|
|
if (adapter->if_ops.unregister_dev)
|
|
|
|
adapter->if_ops.unregister_dev(adapter);
|
2011-03-22 08:00:50 +07:00
|
|
|
/* Free adapter structure */
|
2015-05-12 02:18:20 +07:00
|
|
|
mwifiex_dbg(adapter, INFO,
|
|
|
|
"info: free adapter\n");
|
2011-03-22 08:00:50 +07:00
|
|
|
mwifiex_free_adapter(adapter);
|
|
|
|
|
|
|
|
exit_remove:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(mwifiex_remove_card);
|
|
|
|
|
2015-09-01 00:46:45 +07:00
|
|
|
void _mwifiex_dbg(const struct mwifiex_adapter *adapter, int mask,
|
|
|
|
const char *fmt, ...)
|
|
|
|
{
|
|
|
|
struct va_format vaf;
|
|
|
|
va_list args;
|
|
|
|
|
|
|
|
if (!adapter->dev || !(adapter->debug_mask & mask))
|
|
|
|
return;
|
|
|
|
|
|
|
|
va_start(args, fmt);
|
|
|
|
|
|
|
|
vaf.fmt = fmt;
|
|
|
|
vaf.va = &args;
|
|
|
|
|
|
|
|
dev_info(adapter->dev, "%pV", &vaf);
|
|
|
|
|
|
|
|
va_end(args);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(_mwifiex_dbg);
|
|
|
|
|
2011-03-22 08:00:50 +07:00
|
|
|
/*
|
|
|
|
* This function initializes the module.
|
|
|
|
*
|
|
|
|
* The debug FS is also initialized if configured.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
mwifiex_init_module(void)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_DEBUG_FS
|
|
|
|
mwifiex_debugfs_init();
|
|
|
|
#endif
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This function cleans up the module.
|
|
|
|
*
|
|
|
|
* The debug FS is removed if available.
|
|
|
|
*/
|
|
|
|
static void
|
|
|
|
mwifiex_cleanup_module(void)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_DEBUG_FS
|
|
|
|
mwifiex_debugfs_remove();
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(mwifiex_init_module);
|
|
|
|
module_exit(mwifiex_cleanup_module);
|
|
|
|
|
|
|
|
MODULE_AUTHOR("Marvell International Ltd.");
|
|
|
|
MODULE_DESCRIPTION("Marvell WiFi-Ex Driver version " VERSION);
|
|
|
|
MODULE_VERSION(VERSION);
|
|
|
|
MODULE_LICENSE("GPL v2");
|