Commit Graph

31576 Commits

Author SHA1 Message Date
Johannes Berg
0e00270863 iwlwifi: pcie: validate queue ID before array deref/bit ops
Validate that the queue ID is in range before trying to use it as
an index or for test_bit() - the previous bug showed that this has
in fact happened, and it was lucky that we caught it there, had the
bit been set then we'd have actually used the value despite being
far out of range.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-23 11:54:31 +02:00
Johannes Berg
cfdc20efeb iwlwifi: pcie: use partial pages if applicable
If we have only 2k RBs like on the latest (AX210) hardware, then
even on x86 where PAGE_SIZE is 4k we currently waste half of the
memory.

If this is the case, return partial pages from the allocator and
track the offset in each RBD (to be able to find the data in them
and remap them later.)

This might also address other platforms with larger PAGE_SIZE by
putting more RBs into a single large page.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-23 11:54:31 +02:00
Johannes Berg
80084e3591 iwlwifi: pcie: map only used part of RX buffers
We don't need to map *everything* of the RX buffers, we won't use
that much, map only the part we're going to use. This save some
IOMMU space (if applicable and it can deal with that) and also
prepares a bit for mapping partial pages for 2K buffers later.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-23 11:54:31 +02:00
Johannes Berg
c042f0c77f iwlwifi: allocate more receive buffers for HE devices
For HE-capable devices, we need to allocate more receive buffers as
there could be 256 frames aggregated into a single A-MPDU, and then
they might contain A-MSDUs as well. Until 22000 family, the devices
are able to put multiple frames into a single RB and the default RB
size is 4k, but starting from AX210 family this is no longer true.
On the other hand, those newer devices only use 2k receive buffers
(by default).

Modify the code and configuration to allocate an appropriate number
of RBs depending on the device capabilities:

 * 4096 for AX210 HE devices, which use 2k buffers by default,
 * 2048 for 22000 family devices which use 4k buffers by default,
 * 512 for existing 9000 family devices, which doesn't really
   change anything since that's the default before this patch,
 * 512 also for AX210/22000 family devices that don't do HE.

Theoretically, for devices lower than AX210, we wouldn't have to
allocate that many RBs if the RB size was manually increased, but
to support that the code got more complex, and it didn't really
seem necessary as that's a use case for monitor mode only, where
hopefully the wasted memory isn't really much of a concern.

Note that AX210 devices actually support bigger than 12-bit VID,
which is required here as we want to allocate 4096 buffers plus
some for quick recycling, so adjust the code for that as well.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-23 11:54:31 +02:00
Avraham Stern
b1a6db1320 iwlwifi: mvm: add support for responder config command version 7
The new API requires the driver to config the supported frame format
(legacy, HT, VHT etc.).

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-23 11:54:31 +02:00
Avraham Stern
b59ec4cac5 iwlwifi: mvm: add support for location range request version 8
The new API requires the driver to set the frame format
(legacy, HT, VHT etc.) to be used for the measurement.

The new API also supports 11az and secured measurement, but
these are not supported by the driver for now.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-23 11:50:53 +02:00
Tova Mussai
5b5b9d35e0 iwlwifi: scan: remove support for fw scan api v11
The fw already support scan api v12,
v11 is not needed anymore.

Signed-off-by: Tova Mussai <tova.mussai@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-20 14:23:24 +02:00
Luca Coelho
efaaa97c0e iwlwifi: dbg_ini: don't skip a TX FIFO when dumping
Before we start looping over the internal TX FIFOs increase the fifo
number, but that's incorrect and causes a FIFO to be skipped.  This is
probably due to a copy and paste from the previous loop.

Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-20 14:23:24 +02:00
Johannes Berg
1019f9efcb iwlwifi: mvm: update powersave correctly for D3
This fixes a long-standing bug - we haven't been able to check the
firmware image that was loaded for D3/not-D3 since the introduction
of the unified image...

Fix this by keeping a status flag for D3 instead of checking for
the firmware image that's loaded.

This reduces occurrences of checks for IWL_UCODE_WOWLAN to just the
code that actually loads the image or deals with it in other ways.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2019-12-20 14:23:24 +02:00
Kalle Valo
ae0a723c4c Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
ath.git patches for v5.6. Major changes:

wil6210

* support set_multicast_to_unicast cfg80211 operation

* support set_cqm_rssi_config cfg80211 operation

wcn36xx

* disable HW_CONNECTION_MONITOR as firmware is buggy
2019-12-19 18:27:36 +02:00
Kees Cook
ca0e477931 ath11k: Use sizeof_field() instead of FIELD_SIZEOF()
The FIELD_SIZEOF() macro was redundant, and is being removed from the
kernel. Since commit c593642c8b ("treewide: Use sizeof_field() macro")
this is one of the last users of the old macro, so replace it.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:18:30 +02:00
John Crispin
77ea8b455c ath11k: explicitly cast wmi commands to their correct struct type
Three of the WMI command handlers were not casting to the right data type.
Lets make the code consistent with the other handlers.

Signed-off-by: John Crispin <john@phrozen.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:17:41 +02:00
Dedy Lansky
4315a74a48 wil6210: add support for set_cqm_rssi_config
set_cqm_rssi_config() is used by the kernel to configure connection
quality monitor RSSI threshold.
wil6210 uses WMI_SET_LINK_MONITOR_CMDID to set the RSSI threshold to
FW which in turn reports RSSI threshold changes with
WMI_LINK_MONITOR_EVENTID.

Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:16:54 +02:00
Ahmad Masri
5e5f069c30 wil6210: support set_multicast_to_unicast cfg80211 operation
Wil6210 AP has a separate ring for transmitting multicast packets,
multicast packets are transmitted without an ack from the receiver side.
Therefore, 802.11 spec defines some low MCS rates for multicat packets.
However, there is no guarantee that these packets were really received
and handled on the client side.

Some applications that rely on multicast packets, may prefer to
transmit these packets as a unicast to ensure reliability, and also
to ensure better performance with high MCS rates.
multicast to unicast is done by duplicating multicast packets to all
clients and changing the DA (multicast) to the MAC address of the
client.
see NL80211_CMD_SET_MULTICAST_TO_UNICAST for more info.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:16:42 +02:00
Dedy Lansky
18beb61d84 wil6210: fix MID valid bits in Rx status message
Fix incorrect definitions of MAC ID bits inside Rx status message.

Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:16:31 +02:00
Dedy Lansky
c99d5f8d61 wil6210: reduce ucode_debug memory region
ucode_debug memory region defined as 4K bytes. Fix this according to
Talyn device memory map.

Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:16:19 +02:00
Alexei Avshalom Lazar
5c5d88a29d wil6210: add verification for cid upper bound
max_assoc_sta can receive values (from the user or from the FW)
that are higher than WIL6210_MAX_CID.
Verify that cid doesn't exceed the upper bound of WIL6210_MAX_CID.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:16:07 +02:00
Alexei Avshalom Lazar
c715b38473 wil6210: take mem_lock for writing in crash dump collection
On some crash dump cases mem_lock is already taken, error
returns and crash dump copy fails.
In this case wait until mem_lock available instead of failing
the operation.
Also take the mem_lock for writing to prevent other threads from
altering the state of the device while collecting crash dump.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:15:56 +02:00
Alexei Avshalom Lazar
d3214d4280 wil6210: minimize the time that mem_lock is held
mem_lock is taken for the entire wil_reset().
Optimize this by taking mem_lock just before device is
being reset and release the lock after FW download.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:15:44 +02:00
Ahmad Masri
7be3c2331d wil6210: dump Rx status message on errors
Dump all the Rx status message on different errors to allow more
visibility of the case.

Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-19 18:15:32 +02:00
Aditya Pakki
c705f9fc6a orinoco: avoid assertion in case of NULL pointer
In ezusb_init, if upriv is NULL, the code crashes. However, the caller
in ezusb_probe can handle the error and print the failure message.
The patch replaces the BUG_ON call to error return.

Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:09:33 +02:00
Dmitry Osipenko
a32de68eda brcmfmac: Keep OOB wake-interrupt disabled when it shouldn't be enabled
NVIDIA Tegra SoCs do not like when OOB wake is enabled and WiFi interface
is in DOWN state during suspend. This results in a CPU hang on programming
OOB wake-up state of the GPIO controller during of system's suspend.

The solution is trivial: don't enable wake for the OOB interrupt when it
should be disabled.

This fixes hang on Tegra20 (Acer A500) and Tegra30 (Nexus 7) devices which
are using BCM4329 and BCM4330 WiFi chips respectively.

Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:09:02 +02:00
Navid Emamdoost
4282dc057d brcmfmac: Fix memory leak in brcmf_usbdev_qinit
In the implementation of brcmf_usbdev_qinit() the allocated memory for
reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
handling path.

Fixes: 71bb244ba2 ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:08:29 +02:00
Wright Feng
2635853ce4 brcmfmac: not set mbss in vif if firmware does not support MBSS
With RSDB mode, FMAC and firmware are able to create 2 or more AP,
so we should not set mbss in vif structure if firmware does not
support MBSS feature.

Signed-off-by: Wright Feng <wright.feng@cypress.com>
Signed-off-by: Soeren Moch <smoch@web.de>
Reviewed-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:07:45 +02:00
Wright Feng
837482e69a brcmfmac: add RSDB condition when setting interface combinations
With firmware RSDB feature
1. The maximum support interface is four.
2. The maximum difference channel is two.
3. The maximum interfaces of {station/p2p client/AP} are two.
4. The maximum interface of p2p device is one.

Signed-off-by: Wright Feng <wright.feng@cypress.com>
Signed-off-by: Soeren Moch <smoch@web.de>
Reviewed-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:07:44 +02:00
Soeren Moch
d4aef15939 brcmfmac: add support for BCM4359 SDIO chipset
BCM4359 is a 2x2 802.11 abgn+ac Dual-Band HT80 combo chip and it
supports Real Simultaneous Dual Band feature.

Based on a similar patch by: Wright Feng <wright.feng@cypress.com>

Signed-off-by: Soeren Moch <smoch@web.de>
Acked-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Acked-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:07:42 +02:00
Soeren Moch
c12c8913d7 brcmfmac: make errors when setting roaming parameters non-fatal
4359 dongles do not support setting roaming parameters (error -52).
Do not fail the 80211 configuration in this case.

Signed-off-by: Soeren Moch <smoch@web.de>
Acked-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:07:41 +02:00
Soeren Moch
6647274ed9 brcmfmac: fix rambase for 4359/9
Newer 4359 chip revisions need a different rambase address.
This fixes firmware download on such devices which fails otherwise.

Signed-off-by: Soeren Moch <smoch@web.de>
Acked-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:07:40 +02:00
Chung-Hsien Hsu
172f685455 brcmfmac: set F2 blocksize and watermark for 4359
Set F2 blocksize to 256 bytes and watermark to 0x40 for 4359. Also
enable and configure F1 MesBusyCtrl. It fixes DMA error while having
UDP bi-directional traffic.

Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
[slightly adapted for rebase on mainline linux]
Signed-off-by: Soeren Moch <smoch@web.de>
Reviewed-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:07:39 +02:00
Wright Feng
1b8d2e0a9e brcmfmac: reset two D11 cores if chip has two D11 cores
There are two D11 cores in RSDB chips like 4359. We have to reset two
D11 cores simutaneously before firmware download, or the firmware may
not be initialized correctly and cause "fw initialized failed" error.

Signed-off-by: Wright Feng <wright.feng@cypress.com>
Signed-off-by: Soeren Moch <smoch@web.de>
Reviewed-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:07:38 +02:00
Michael Straube
716c733f52 rtlwifi: rtl8192de: use generic rtl_signal_scale_mapping
Function _rtl92de_signal_scale_mapping is identical to the generic
version rtl_signal_scale_mapping. Remove _rtl92de_signal_scale_mapping
and use the generic function.

Signed-off-by: Michael Straube <straube.linux@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:53 +02:00
Michael Straube
fef91a2b5f rtlwifi: rtl8192cu: use generic rtl_signal_scale_mapping
Function _rtl92c_signal_scale_mapping is identical to the generic
version rtl_signal_scale_mapping. Remove _rtl92c_signal_scale_mapping
and use the generic function.

Signed-off-by: Michael Straube <straube.linux@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:52 +02:00
Michael Straube
d01b267342 rtlwifi: rtl8192ce: use generic rtl_signal_scale_mapping
Function _rtl92ce_signal_scale_mapping is identical to the generic
version rtl_signal_scale_mapping. Remove _rtl92ce_signal_scale_mapping
and use the generic function.

Signed-off-by: Michael Straube <straube.linux@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:51 +02:00
Michael Straube
5a87ae1d67 rtlwifi: rtl8192de: use generic rtl_query_rxpwrpercentage
Function _rtl92d_query_rxpwrpercentage is identical to the generic
version rtl_query_rxpwrpercentage. Remove _rtl92d_query_rxpwrpercentage
and use the generic function.

Signed-off-by: Michael Straube <straube.linux@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:50 +02:00
Michael Straube
b8a19dd645 rtlwifi: rtl8192cu: use generic rtl_query_rxpwrpercentage
Function _rtl92c_query_rxpwrpercentage is identical to the generic
version rtl_query_rxpwrpercentage. Remove _rtl92c_query_rxpwrpercentage
and use the generic function.

Signed-off-by: Michael Straube <straube.linux@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:49 +02:00
Michael Straube
f365f2f67b rtlwifi: rtl8192ce: use generic rtl_query_rxpwrpercentage
Function _rtl92c_query_rxpwrpercentage is identical to the generic
version rtl_query_rxpwrpercentage. Remove _rtl92c_query_rxpwrpercentage
and use the generic function.

Signed-off-by: Michael Straube <straube.linux@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:48 +02:00
Johan Hovold
2d68bb2687 zd1211rw: fix storage endpoint lookup
Make sure to use the current alternate setting when verifying the
storage interface descriptors to avoid submitting an URB to an invalid
endpoint.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: a1030e92c1 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
Cc: stable <stable@vger.kernel.org>     # 2.6.19
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:07 +02:00
Johan Hovold
3139b18090 rsi_91x_usb: fix interface sanity check
Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: dad0d04fa7 ("rsi: Add RS9113 wireless driver")
Cc: stable <stable@vger.kernel.org>     # 3.15
Cc: Fariya Fatima <fariyaf@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:06 +02:00
Johan Hovold
39a4281c31 rtl8xxxu: fix interface sanity check
Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 26f1fad29a ("New driver: rtl8xxxu (mac80211)")
Cc: stable <stable@vger.kernel.org>     # 4.4
Cc: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:05 +02:00
Johan Hovold
b73e05aa54 orinoco_usb: fix interface sanity check
Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 9afac70a73 ("orinoco: add orinoco_usb driver")
Cc: stable <stable@vger.kernel.org>     # 2.6.35
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:04 +02:00
Johan Hovold
3428fbcd6e brcmfmac: fix interface sanity check
Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

Failing to do so could cause the driver to misbehave or trigger a WARN()
in usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 71bb244ba2 ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
Cc: stable <stable@vger.kernel.org>     # 3.4
Cc: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:03 +02:00
Johan Hovold
af615abd15 at76c50x-usb: fix endpoint debug message
Make sure to use the current alternate setting, which may not be the
same as the first alternate setting, also when printing the number of
endpoints at probe.

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:06:02 +02:00
Rafał Miłecki
8d9627b05b brcmfmac: set interface carrier to off by default
It's important as brcmfmac creates one main interface for each PHY and
doesn't allow deleting it. Not setting carrier could result in other
subsystems misbehaving (e.g. LEDs "netdev" trigger turning LED on).

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:05:26 +02:00
Brian Norris
1c9f329b08 mwifiex: delete unused mwifiex_get_intf_num()
Commit 7afb94da3c ("mwifiex: update set_mac_address logic") fixed the
only user of this function, partly because the author seems to have
noticed that, as written, it's on the borderline between highly
misleading and buggy.

Anyway, no sense in keeping dead code around: let's drop it.

Fixes: 7afb94da3c ("mwifiex: update set_mac_address logic")
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 21:04:43 +02:00
Christophe JAILLET
ffc7b2826a rt2x00usb: Fix a warning message in 'rt2x00usb_watchdog_tx_dma()'
'forced' is duplicated in the message, axe one of them.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 20:58:48 +02:00
Dan Carpenter
216b44000a brcmfmac: Fix use after free in brcmf_sdio_readframes()
The brcmu_pkt_buf_free_skb() function frees "pkt" so it leads to a
static checker warning:

    drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:1974 brcmf_sdio_readframes()
    error: dereferencing freed memory 'pkt'

It looks like there was supposed to be a continue after we free "pkt".

Fixes: 4754fceeb9 ("brcmfmac: streamline SDIO read frame routine")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 20:58:11 +02:00
Johan Hovold
960da557f4 rsi: add missing endpoint sanity checks
The driver expects at least one bulk-in endpoint when in "wifi-alone"
operating mode and two bulk-in endpoints otherwise, and would otherwise
fail to to submit the corresponding bulk URB to the default pipe during
probe with a somewhat cryptic message:

	rsi_91x: rsi_rx_urb_submit: Failed in urb submission
	rsi_91x: rsi_probe: Failed in probe...Exiting
	RSI-USB WLAN: probe of 2-2.4:1.0 failed with error -8

The current endpoint sanity check looks broken and would only bail out
early if there was no bulk-in endpoint but at least one bulk-out
endpoint.

Tighten this check to always require at least one bulk-in and one
bulk-out endpoint, and add the missing sanity check for a Bluetooth
bulk-in endpoint when in a BT operating mode. Also make sure to log an
informative error message when the expected endpoints are missing.

Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 20:57:07 +02:00
Johan Hovold
b9b9f9fea2 rsi: fix non-atomic allocation in completion handler
USB completion handlers are called in atomic context and must
specifically not allocate memory using GFP_KERNEL.

Fixes: a1854fae14 ("rsi: improve RX packet handling in USB interface")
Cc: stable <stable@vger.kernel.org> # 4.17
Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 20:57:06 +02:00
Johan Hovold
4776829748 rsi: fix memory leak on failed URB submission
Make sure to free the skb on failed receive-URB submission (e.g. on
disconnect or currently also due to a missing endpoint).

Fixes: a1854fae14 ("rsi: improve RX packet handling in USB interface")
Cc: stable <stable@vger.kernel.org>     # 4.17
Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 20:57:05 +02:00
Johan Hovold
92aafe7712 rsi: fix use-after-free on probe errors
The driver would fail to stop the command timer in most error paths,
something which specifically could lead to the timer being freed while
still active on I/O errors during probe.

Fix this by making sure that each function starting the timer also stops
it in all relevant error paths.

Reported-by: syzbot+1d1597a5aa3679c65b9f@syzkaller.appspotmail.com
Fixes: b78e91bcfb ("rsi: Add new firmware loading method")
Cc: stable <stable@vger.kernel.org>     # 4.12
Cc: Prameela Rani Garnepudi <prameela.j04cs@gmail.com>
Cc: Amitkumar Karwar <amit.karwar@redpinesignals.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-12-18 20:57:04 +02:00