1. 07 May, 2019 6 commits
  2. 03 May, 2019 9 commits
  3. 29 Apr, 2019 19 commits
    • wireless: carl9170: fix clang build warning · 62acdcfa
      Arnd Bergmann authored
      clang fails to eliminate some dead code with always-taken branches
      when CONFIG_PROFILE_ANNOTATED_BRANCHES is set, leading to a false-positive
      warning:
      
      drivers/net/wireless/ath/carl9170/mac.c:522:3: error: variable 'power' is used uninitialized whenever 'if' condition is
            false [-Werror,-Wsometimes-uninitialized]
                      BUG_ON(1);
                      ^~~~~~~~~
      
      Change both instances of BUG_ON(1) in carl9170 to the simpler BUG()
      to avoid the warning.
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Acked-by: Christian Lamparter <chunkeey@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      62acdcfa
    • wil6210: fix potential out-of-bounds read · bfabdd69
      Gustavo A. R. Silva authored
      Notice that *rc* can evaluate to up to 5, include/linux/netdevice.h:
      
      enum gro_result {
              GRO_MERGED,
              GRO_MERGED_FREE,
              GRO_HELD,
              GRO_NORMAL,
              GRO_DROP,
              GRO_CONSUMED,
      };
      typedef enum gro_result gro_result_t;
      
      In case *rc* evaluates to 5, we end up having an out-of-bounds read
      at drivers/net/wireless/ath/wil6210/txrx.c:821:
      
      	wil_dbg_txrx(wil, "Rx complete %d bytes => %s\n",
      		     len, gro_res_str[rc]);
      
      Fix this by adding element "GRO_CONSUMED" to array gro_res_str.
      
      Addresses-Coverity-ID: 1444666 ("Out-of-bounds read")
      Fixes: 194b482b ("wil6210: Debug print GRO Rx result")
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: Maya Erez <merez@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      bfabdd69
    • ath: DFS JP domain W56 fixed pulse type 3 RADAR detection · d8792393
      Anilkumar Kolli authored
      Increase pulse width range from 1-2usec to 0-4usec.
      During data traffic HW occasionally fails detecting radar pulses,
      so that SW cannot get enough radar reports to achieve the success rate.
      
      Tested ath10k hw and fw:
      	* QCA9888(10.4-3.5.1-00052)
      	* QCA4019(10.4-3.2.1.1-00017)
      	* QCA9984(10.4-3.6-00104)
      	* QCA988X(10.2.4-1.0-00041)
      
      Tested ath9k hw: AR9300
      Tested-by: Tamizh chelvam <tamizhr@codeaurora.org>
      Signed-off-by: Tamizh chelvam <tamizhr@codeaurora.org>
      Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      d8792393
    • ath9k: drop redundant code in ar9003_hw_set_channel · d3c2be90
      Tomislav Požega authored
      AR9330, AR9485, AR9531, AR9550, AR9561 and AR9565 all use same
      channel set register configuration which allows for small code
      size reduction.
      Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      d3c2be90
    • ath: drop duplicated define · b50fd29c
      Tomislav Požega authored
      Remove duplicate NO_CTL that is just 2 lines below.
      Signed-off-by: Tomislav Požega <pozega.tomislav@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      b50fd29c
    • ath9k: Remove some set but not used variables · 05039f01
      YueHaibing authored
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      drivers/net/wireless/ath/ath9k/xmit.c: In function 'ath_tx_count_frames':
      drivers/net/wireless/ath/ath9k/xmit.c:413:25: warning: variable 'fi' set but not used [-Wunused-but-set-variable]
      drivers/net/wireless/ath/ath9k/xmit.c: In function 'ath_tx_complete_aggr':
      drivers/net/wireless/ath/ath9k/xmit.c:449:24: warning: variable 'hdr' set but not used [-Wunused-but-set-variable]
      drivers/net/wireless/ath/ath9k/xmit.c: In function 'ath_tx_start':
      drivers/net/wireless/ath/ath9k/xmit.c:2274:18: warning: variable 'avp' set but not used [-Wunused-but-set-variable]
      drivers/net/wireless/ath/ath9k/xmit.c:2269:24: warning: variable 'hdr' set but not used [-Wunused-but-set-variable]
      
      These variables are not used any more
      and can be removed.
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      05039f01
    • ath9k: Differentiate between max combined and per chain power · b037b107
      Sven Eckelmann authored
      The ath9k driver uses as maximum allowed txpower the constant
      MAX_RATE_POWER. It is used to set a maximum txpower limit for the PHY
      (which is combined txpower) and also the maximum txpower for per chain
      rates. Its value 63 is derived from the maximum number the registers can
      store for the per chain txpower.
      
      The max txpower a user can set because of this is 31 dBm (floor(63 / 2)).
      This also means that a device with multiple tx chains is even limited
      further:
      
      * 1 chain:  31 dBm per chain
      * 2 chains: 28 dBm per chain
      * 3 chains: 26 dBm per chain
      
      This combined txpower limit of 31 dBm becomes even more problematic when
      some extra antenna gain is set in the EEPROM. A high power device is then
      no longer able to reach its potential limits.
      
      Instead the code dealing with the combined txpower must use a higher limit
      than 63 and only the code dealing with the per chain txpower has to use
      the limit of 63. Since the antenna gain can be quite large and 8 bit
      variables are often used in ath9k for txpower, a large, divisible by two
      number like 254 is a good choice for this new limit.
      Signed-off-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      b037b107
    • ath9k: Check for errors when reading SREV register · 2f90c7e5
      Tim Schumacher authored
      Right now, if an error is encountered during the SREV register
      read (i.e. an EIO in ath9k_regread()), that error code gets
      passed all the way to __ath9k_hw_init(), where it is visible
      during the "Chip rev not supported" message.
      
          ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
          ath: phy2: Mac Chip Rev 0x0f.3 is not supported by this driver
          ath: phy2: Unable to initialize hardware; initialization status: -95
          ath: phy2: Unable to initialize hardware; initialization status: -95
          ath9k_htc: Failed to initialize the device
      
      Check for -EIO explicitly in ath9k_hw_read_revisions() and return
      a boolean based on the success of the operation. Check for that in
      __ath9k_hw_init() and abort with a more debugging-friendly message
      if reading the revisions wasn't successful.
      
          ath9k_htc 1-1.4:1.0: ath9k_htc: HTC initialized with 33 credits
          ath: phy2: Failed to read SREV register
          ath: phy2: Could not read hardware revision
          ath: phy2: Unable to initialize hardware; initialization status: -95
          ath: phy2: Unable to initialize hardware; initialization status: -95
          ath9k_htc: Failed to initialize the device
      
      This helps when debugging by directly showing the first point of
      failure and it could prevent possible errors if a 0x0f.3 revision
      is ever supported.
      Signed-off-by: Tim Schumacher <timschumi@gmx.de>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      2f90c7e5
    • ath9k: Don't trust TX status TID number when reporting airtime · 389b72e5
      Toke Høiland-Jørgensen authored
      As already noted in a comment in ath_tx_complete_aggr(), the hardware will
      occasionally send a TX status with the wrong tid number. If we trust the
      value, airtime usage will be reported to the wrong AC, which can cause the
      deficit on that AC to become very low, blocking subsequent attempts to
      transmit.
      
      To fix this, account airtime usage to the TID number from the original skb,
      instead of the one in the hardware TX status report.
      Reported-by: Miguel Catalan Cid <miguel.catalan@i2cat.net>
      Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      389b72e5
    • ath6kl: remove redundant check of status != 0 · e643da21
      Colin Ian King authored
      The check on status not being zero is redundant as previous code
      paths that set status to an error value break out of the while
      loop and hence status is never non-zero at the check. Remove
      this redundant code.
      
      Addresses-Coverity: ("Logically dead code")
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      e643da21
    • ath6kl: add some bounds checking · 5d6751ea
      Dan Carpenter authored
      The "ev->traffic_class" and "reply->ac" variables come from the network
      and they're used as an offset into the wmi->stream_exist_for_ac[] array.
      Those variables are u8 so they can be 0-255 but the stream_exist_for_ac[]
      array only has WMM_NUM_AC (4) elements.  We need to add a couple bounds
      checks to prevent array overflows.
      
      I also modified one existing check from "if (traffic_class > 3) {" to
      "if (traffic_class >= WMM_NUM_AC) {" just to make them all consistent.
      
      Fixes: bdcd8170 (" Add ath6kl cleaned up driver")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      5d6751ea
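The two array-index fixes in this log (the wil6210 `gro_res_str[rc]` read and the ath6kl `stream_exist_for_ac[]` index taken from the network) shown as a user-space model; this is an added example, not code from either driver. `DEMO_GRO_COUNT`, the `demo_*` names, the `tsid` parameter and the bitmask use of the array are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define WMM_NUM_AC 4 /* value given in the ath6kl commit message */

/* Enumerators as quoted in the wil6210 commit message; DEMO_GRO_COUNT is a
 * hypothetical sentinel added for this example. */
enum demo_gro_result {
    GRO_MERGED, GRO_MERGED_FREE, GRO_HELD, GRO_NORMAL, GRO_DROP, GRO_CONSUMED,
    DEMO_GRO_COUNT
};

/* Designated initializers tie every string to its enumerator. */
static const char *const gro_res_str[] = {
    [GRO_MERGED]      = "GRO_MERGED",
    [GRO_MERGED_FREE] = "GRO_MERGED_FREE",
    [GRO_HELD]        = "GRO_HELD",
    [GRO_NORMAL]      = "GRO_NORMAL",
    [GRO_DROP]        = "GRO_DROP",
    [GRO_CONSUMED]    = "GRO_CONSUMED",
};

/* The build fails if an enumerator is appended without a matching string. */
_Static_assert(ARRAY_SIZE(gro_res_str) == DEMO_GRO_COUNT,
               "gro_res_str out of sync with enum demo_gro_result");

/* Bounded lookup: never reads past the table, even for an unexpected rc. */
const char *demo_gro_name(unsigned int rc)
{
    if (rc >= ARRAY_SIZE(gro_res_str) || gro_res_str[rc] == NULL)
        return "GRO_UNKNOWN";
    return gro_res_str[rc];
}

/* Model of the per-AC state indexed by a u8 that arrives from the network. */
struct demo_wmi {
    uint8_t stream_exist_for_ac[WMM_NUM_AC];
};

/* Returns 0 on success, -1 when a wire value would index out of range. */
int demo_mark_stream(struct demo_wmi *wmi, uint8_t traffic_class, uint8_t tsid)
{
    if (traffic_class >= WMM_NUM_AC || tsid >= 8)
        return -1;
    wmi->stream_exist_for_ac[traffic_class] |= (uint8_t)(1u << tsid);
    return 0;
}

int main(void)
{
    struct demo_wmi wmi = { { 0 } };

    printf("rc=5 -> %s\n", demo_gro_name(GRO_CONSUMED));
    printf("rc=9 -> %s\n", demo_gro_name(9));
    printf("ac=3   -> %d\n", demo_mark_stream(&wmi, 3, 1));
    printf("ac=200 -> %d\n", demo_mark_stream(&wmi, 200, 1)); /* constructed bad input */
    return 0;
}
```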
    • ath6kl: wmi: use struct_size() helper · 83d9562b
      Gustavo A. R. Silva authored
      Make use of the struct_size() helper instead of an open-coded version
      in order to avoid any potential type mistakes, in particular in the
      context in which this code is being used.
      
      So, replace code of the following form:
      
      sizeof(*ev) + ev->num_neighbors * sizeof(struct wmi_neighbor_info)
      
      with:
      
      struct_size(ev, neighbor, ev->num_neighbors)
      
      This code was detected with the help of Coccinelle.
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      83d9562b
    • ath6kl: debug: Use struct_size() helper · df75786b
      Gustavo A. R. Silva authored
      Make use of the struct_size() helper instead of an open-coded version
      in order to avoid any potential type mistakes, in particular in the
      context in which this code is being used.
      
      So, change the following form:
      
      sizeof(*tbl) + num_entries * sizeof(struct wmi_bss_roam_info)
      
      to:
      
      struct_size(tbl, info, num_entries)
      
      This code was detected with the help of Coccinelle.
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      df75786b
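What the two struct_size() conversions above buy, as a user-space model: the open-coded sum wraps silently for a large count, while a checked version saturates to SIZE_MAX the way the kernel helper does. This is an added example, not ath6kl code; the `demo_*` structures, the length check and the use of GCC/Clang overflow builtins are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wire structures following the pattern in the commits:
 * a header followed by a counted flexible array. */
struct demo_neighbor_info { uint8_t bssid[6]; uint8_t rssi; uint8_t flags; };
struct demo_report {
    uint32_t num_neighbors;
    struct demo_neighbor_info neighbor[]; /* flexible array member */
};
_Static_assert(sizeof(struct demo_neighbor_info) == 8,
               "demo assumes 8-byte elements");

/* Open-coded form quoted in the commit messages: wraps on overflow. */
size_t demo_open_coded_size(size_t count)
{
    return sizeof(struct demo_report) +
           count * sizeof(struct demo_neighbor_info);
}

/* Checked form: saturates to SIZE_MAX so a later allocation or length
 * comparison fails instead of using a too-small size. */
size_t demo_struct_size(size_t count)
{
    size_t bytes;

    if (__builtin_mul_overflow(count, sizeof(struct demo_neighbor_info), &bytes) ||
        __builtin_add_overflow(bytes, sizeof(struct demo_report), &bytes))
        return SIZE_MAX;
    return bytes;
}

/* Does a received buffer of len bytes really hold the count it claims? */
bool demo_report_fits(const uint8_t *buf, size_t len)
{
    uint32_t n;

    if (len < sizeof(struct demo_report))
        return false;
    memcpy(&n, buf, sizeof(n)); /* host byte order, for the demo only */
    return demo_struct_size(n) <= len;
}

/* Smallest count for which count * 8 wraps to zero in size_t. */
size_t demo_wrapping_count(void)
{
    return SIZE_MAX / sizeof(struct demo_neighbor_info) + 1;
}

int main(void)
{
    size_t n = demo_wrapping_count();

    printf("open-coded: %zu bytes\n", demo_open_coded_size(n));
    printf("checked:    %zu bytes\n", demo_struct_size(n));
    return 0;
}
```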
    • ath10k: fix incorrect multicast/broadcast rate setting · 93ee3d10
      Pradeep kumar Chitrapu authored
      Invalid rate code is sent to firmware when multicast rate value of 0 is
      sent to driver indicating disabled case, causing broken mesh path.
      So fix that.
      
      Tested on QCA9984 with firmware 10.4-3.6.1-00827
      
      Sven tested on IPQ4019 with 10.4-3.5.3-00057 and QCA9888 with 10.4-3.5.3-00053
      (ath10k-firmware) and 10.4-3.6-00140 (linux-firmware 2018-12-16-211de167).
      
      Fixes: cd93b83a ("ath10k: support for multicast rate control")
      Co-developed-by: Zhi Chen <zhichen@codeaurora.org>
      Signed-off-by: Zhi Chen <zhichen@codeaurora.org>
      Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org>
      Tested-by: Sven Eckelmann <sven@narfation.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      93ee3d10
    • ath10k: enable QCA6174 hw3.2 SDIO hardware · a8b10da0
      Wen Gong authored
      After implementing PN replay check we can enable SDIO support on QCA6174.
      Tested with client mode on all security modes, and fragmentation as well. AP
      mode does not work yet.
      
      Also tone down the warning about SDIO being not ready yet.
      
      Tested on QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1. AP mode
      is not working yet.
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      a8b10da0
    • ath10k: add fragmentation handler for high latency devices · 33f97472
      Wen Gong authored
      On high latency devices (SDIO, USB) ath10k did not handle fragmented frames and
      all fragmented frames on receive path were lost in ath10k. Even a simple ping
      test failed with fragmentation.
      
      The fragmented packets are decapsulated based on the security mode, then the PN
      is checked and the fragmented frame is passed to mac80211.  mac80211 in
      ieee80211_rx_h_defragment() will then combine the fragment frames and forward
      to upper layers.
      
      Tested on QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      33f97472
    • ath10k: add PN replay protection for high latency devices · 130c7749
      Wen Gong authored
      On high latency devices (SDIO, USB) ath10k did not do PN replay check, a data
      frame with an invalid PN number was not discarded as it should have been. So this
      patch implements PN replay in ath10k. PN replay check for fragmented frames is
      implemented in followup patch.
      
      With low latency devices (PCI, AHB) hardware can store the data
      frames' content to host memory directly and the firmware can fully reorder
      data frames, and do PN replay check at the same time. But for high latency
      devices all data frames will be received and stored in firmware's memory and it
      is hard to do full reorder because of the memory size limitations in the
      firmware. This is why the PN replay protection needs to be implemented in host
      driver.
      
      Tested on QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      130c7749
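A host-side PN replay check of the kind this commit describes, as a user-space model run over a constructed frame trace; this is an added example, not the ath10k implementation. Taking the PN from an 8-byte CCMP header, keeping one counter per TID and all `demo_*` names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_NUM_TIDS 16 /* assumption: one replay counter per TID */

struct demo_pn_state {
    uint64_t last_pn[DEMO_NUM_TIDS]; /* highest PN accepted so far, 0 = none */
};

/* CCMP header layout: PN0 PN1 rsvd keyid PN2 PN3 PN4 PN5 (48-bit PN). */
uint64_t demo_ccmp_pn(const uint8_t hdr[8])
{
    return (uint64_t)hdr[0]       | (uint64_t)hdr[1] << 8  |
           (uint64_t)hdr[4] << 16 | (uint64_t)hdr[5] << 24 |
           (uint64_t)hdr[6] << 32 | (uint64_t)hdr[7] << 40;
}

/* Accept a frame only if its PN is strictly greater than the last PN
 * accepted on the same TID; otherwise it is a replay and must be dropped. */
bool demo_pn_accept(struct demo_pn_state *st, unsigned int tid, uint64_t pn)
{
    if (tid >= DEMO_NUM_TIDS)
        return false;
    if (pn <= st->last_pn[tid])
        return false;
    st->last_pn[tid] = pn;
    return true;
}

struct demo_frame { unsigned int tid; uint8_t ccmp_hdr[8]; };

/* Constructed trace: fresh frames, an exact replay, an old frame and a
 * frame whose low PN byte is large but whose full PN is behind. */
static const struct demo_frame demo_trace[] = {
    { 0, { 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00 } }, /* PN 1: accept       */
    { 0, { 0x02, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00 } }, /* PN 2: accept       */
    { 0, { 0x02, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00 } }, /* PN 2 again: drop   */
    { 5, { 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00 } }, /* other TID: accept  */
    { 0, { 0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00 } }, /* PN 1, stale: drop  */
    { 0, { 0x00, 0x00, 0x00, 0x20, 0x01, 0x00, 0x00, 0x00 } }, /* PN 65536: accept   */
    { 0, { 0xff, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00 } }, /* PN 255: drop       */
};

/* Runs the trace through a fresh state and returns the number of drops. */
int demo_count_replays(void)
{
    struct demo_pn_state st = { { 0 } };
    int dropped = 0;

    for (size_t i = 0; i < sizeof(demo_trace) / sizeof(demo_trace[0]); i++)
        if (!demo_pn_accept(&st, demo_trace[i].tid,
                            demo_ccmp_pn(demo_trace[i].ccmp_hdr)))
            dropped++;
    return dropped;
}

int main(void)
{
    printf("dropped %d of 7 frames as replays\n", demo_count_replays());
    return 0;
}
```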
    • ath10k: add handler for HTT_T2H_MSG_TYPE_SEC_IND event · 28ce53b6
      Wen Gong authored
      Add the handler for HTT_T2H_MSG_TYPE_SEC_IND event from firmware, which stores
      PN for replay check implemented in the following patch.
      
      Tested on QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      28ce53b6
    • ath10k: add struct for high latency PN replay protection · e1bddde9
      Wen Gong authored
      Add the struct for PN replay protection and fragment packet
      handler.
      
      Also fix the bitmask of HTT_RX_DESC_HL_INFO_MCAST_BCAST to match what's currently
      used by SDIO firmware. The defines are not used yet so it's safe to modify
      them. Remove the conflicting HTT_RX_DESC_HL_INFO_FRAGMENT as
      it's not used in ath10k either.
      
      Tested on QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      e1bddde9
  4. 23 Apr, 2019 6 commits
    • ath10k: sdio: add missing error check · f91b63b0
      Erik Stromdahl authored
      Although not likely, the bundle allocation might fail.
      Add proper error check and warning print.
      Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      f91b63b0
    • ath10k: add initialization of HTC header · fbd428a5
      Alagu Sankar authored
      HTC header carries junk values that may be interpreted by the firmware
      differently. Enable credit update only if flow control is enabled for
      the corresponding endpoint.
      Signed-off-by: Alagu Sankar <alagusankar@silex-india.com>
      Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      fbd428a5
    • ath10k: fix use-after-free on SDIO data frames · 30382dd1
      Kalle Valo authored
      With SDIO there's a use after free after a data frame is transferred, call stack
      below. This happens because ath10k_htt_tx_hl() directly transmits the skb
      provided by mac80211 using ath10k_htc_send(), all other HTT functions use
      separate skb created with ath10k_htc_alloc_skb() to transmit the HTC packet.
      After the packet is transmitted mac80211 frees the skb in ieee80211_tx_status()
      but HTT layer expects that it still owns the skb, and frees it in
      ath10k_htt_htc_tx_complete().
      
      To fix this take a reference of skb before sending it to HTC layer to make sure
      we still own the skb.
      
      Tested on QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      ath10k_htt_tx_hl() is only used by SDIO and USB so other busses (PCI, AHB and
      SNOC) should be unaffected.
      
      call stack of use-after-free:
      dump_backtrace+0x0/0x2d8
      show_stack+0x20/0x2c
      __dump_stack+0x20/0x28
      dump_stack+0xc8/0xec
      print_address_description+0x74/0x240
      kasan_report+0x258/0x274
      __asan_report_load4_noabort+0x20/0x28
      skb_pull+0xbc/0x114
      ath10k_htc_notify_tx_completion+0x190/0x2a4 [ath10k_core]
      ath10k_sdio_write_async_work+0x1e4/0x2c4 [ath10k_sdio]
      process_one_work+0x3d8/0x8b0
      worker_thread+0x518/0x7e0
      kthread+0x260/0x278
      ret_from_fork+0x10/0x18
      
      Allocated by one task:
      kasan_kmalloc+0xa0/0x13c
      kasan_slab_alloc+0x14/0x1c
      kmem_cache_alloc+0x144/0x208
      __alloc_skb+0xec/0x394
      alloc_skb_with_frags+0x8c/0x374
      sock_alloc_send_pskb+0x520/0x5d4
      sock_alloc_send_skb+0x40/0x50
      __ip_append_data+0xf5c/0x1858
      ip_make_skb+0x194/0x1d4
      udp_sendmsg+0xf24/0x1ab8
      inet_sendmsg+0x1b0/0x2e0
      sock_sendmsg+0x88/0xa0
      __sys_sendto+0x220/0x3a8
      __arm64_sys_sendto+0x78/0x80
      el0_svc_common+0x120/0x1e0
      el0_svc_compat_handler+0x64/0x80
      el0_svc_compat+0x8/0x18
      
      Freed by another task:
      __kasan_slab_free+0x120/0x1d4
      kasan_slab_free+0x10/0x1c
      kmem_cache_free+0x74/0x504
      kfree_skbmem+0x88/0xc8
      __kfree_skb+0x24/0x2c
      consume_skb+0x114/0x18c
      __ieee80211_tx_status+0xb7c/0xf60 [mac80211]
      ieee80211_tx_status+0x224/0x270 [mac80211]
      ath10k_txrx_tx_unref+0x564/0x950 [ath10k_core]
      ath10k_htt_t2h_msg_handler+0x178c/0x2a38 [ath10k_core]
      ath10k_htt_htc_t2h_msg_handler+0x20/0x30 [ath10k_core]
      ath10k_sdio_irq_handler+0xcc0/0x1654 [ath10k_sdio]
      process_sdio_pending_irqs+0xec/0x358
      sdio_run_irqs+0x68/0xe4
      sdio_irq_work+0x1c/0x28
      process_one_work+0x3d8/0x8b0
      worker_thread+0x518/0x7e0
      kthread+0x260/0x278
      ret_from_fork+0x10/0x18
      Reported-by: Wen Gong <wgong@codeaurora.org>
      Tested-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      30382dd1
    • ath10k: htt: support MSDU ids with SDIO · 8ea51e40
      Alagu Sankar authored
      Transmit completion for SDIO is similar to PCIe, modify the high
      latency path to allow SDIO modules to use the msdu id.
      
      kvalo: the original patch from Alagu enabled this only for SDIO but I'm not
      sure whether we should also enable this with USB. I'll use bus params to enable
      this so that it's easy to enable also for USB later.
      
      Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Co-developed-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Alagu Sankar <alagusankar@silex-india.com>
      Signed-off-by: Wen Gong <wgong@codeaurora.org>.
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      8ea51e40
    • ath10k: initialise struct ath10k_bus params to zero · 6d084ac2
      Kalle Valo authored
      This way we don't need to set every variable and give them to default, which is
      zero. This is also safer in case we forgot to initialise a new field in some of
      the bus modules.
      
      Compile tested only.
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      6d084ac2
    • ath10k: htt: don't use txdone_fifo with SDIO · e2a6b711
      Alagu Sankar authored
      HTT High Latency (ATH10K_DEV_TYPE_HL) does not use txdone_fifo at all, we don't
      even initialise it by skipping ath10k_htt_tx_alloc_buf() in
      ath10k_htt_tx_start(). Because of this using QCA6174 SDIO
      ath10k_htt_rx_tx_compl_ind() will crash when it accesses uninitialised
      txdone_fifo. So skip txdone_fifo when using High Latency mode.
      
      Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      Co-developed-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Alagu Sankar <alagusankar@silex-india.com>
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      e2a6b711