1. 25 Jun, 2019 11 commits
    • Gustavo A. R. Silva's avatar
      qtnfmac: Use struct_size() in kzalloc() · 9a1ace64
      Gustavo A. R. Silva authored
      One of the more common cases of allocation size calculations is finding
      the size of a structure that has a zero-sized array at the end, along
      with memory for some number of elements for that array. For example:
      
      struct ieee80211_regdomain {
      	...
              struct ieee80211_reg_rule reg_rules[];
      };
      
      instance = kzalloc(sizeof(*mac->rd) +
                                sizeof(struct ieee80211_reg_rule) *
                                count, GFP_KERNEL);
      
      Instead of leaving these open-coded and prone to type mistakes, we can
      now use the new struct_size() helper:
      
      instance = kzalloc(struct_size(instance, reg_rules, count), GFP_KERNEL);
      
      This code was detected with the help of Coccinelle.
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: default avatarSergey Matyukevich <sergey.matyukevich.os@quantenna.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      9a1ace64
    • Lorenzo Bianconi's avatar
      mt7601u: fix possible memory leak when the device is disconnected · 23377c20
      Lorenzo Bianconi authored
      When the device is disconnected while passing traffic it is possible
      to receive out of order urbs causing a memory leak since the skb linked
      to the current tx urb is not removed. Fix the issue deallocating the skb
      cleaning up the tx ring. Moreover this patch fixes the following kernel
      warning
      
      [   57.480771] usb 1-1: USB disconnect, device number 2
      [   57.483451] ------------[ cut here ]------------
      [   57.483462] TX urb mismatch
      [   57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
      [   57.483483] Modules linked in:
      [   57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
      [   57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
      [   57.483502] Workqueue: usb_hub_wq hub_event
      [   57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
      [   57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
      [   57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
      [   57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
      [   57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
      [   57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
      [   57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
      [   57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
      [   57.483548] FS:  0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
      [   57.483550] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
      [   57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   57.483559] Call Trace:
      [   57.483561]  <IRQ>
      [   57.483565]  __usb_hcd_giveback_urb+0x77/0xe0
      [   57.483570]  xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
      [   57.483574]  handle_cmd_completion+0xf5b/0x12c0
      [   57.483577]  xhci_irq+0x1f6/0x1810
      [   57.483581]  ? lockdep_hardirqs_on+0x9e/0x180
      [   57.483584]  ? _raw_spin_unlock_irq+0x24/0x30
      [   57.483588]  __handle_irq_event_percpu+0x3a/0x260
      [   57.483592]  handle_irq_event_percpu+0x1c/0x60
      [   57.483595]  handle_irq_event+0x2f/0x4c
      [   57.483599]  handle_edge_irq+0x7e/0x1a0
      [   57.483603]  handle_irq+0x17/0x20
      [   57.483607]  do_IRQ+0x54/0x110
      [   57.483610]  common_interrupt+0xf/0xf
      [   57.483612]  </IRQ>
      Acked-by: default avatarJakub Kicinski <kubakici@wp.pl>
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      23377c20
    • Lorenzo Bianconi's avatar
      mt7601u: do not schedule rx_tasklet when the device has been disconnected · 4079e8cc
      Lorenzo Bianconi authored
      Do not schedule rx_tasklet when the usb dongle is disconnected.
      Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb
      can run concurrently with urb completion and we can unlink urbs from rx
      ring in any order.
      This patch fixes the common kernel warning reported when
      the device is removed.
      
      [   24.921354] usb 3-14: USB disconnect, device number 7
      [   24.921593] ------------[ cut here ]------------
      [   24.921594] RX urb mismatch
      [   24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
      [   24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G           OE     4.19.31-041931-generic #201903231635
      [   24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014
      [   24.921782] Workqueue: usb_hub_wq hub_event
      [   24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
      [   24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086
      [   24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006
      [   24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420
      [   24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8
      [   24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c
      [   24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000
      [   24.921807] FS:  0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000
      [   24.921808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0
      [   24.921809] Call Trace:
      [   24.921812]  <IRQ>
      [   24.921819]  __usb_hcd_giveback_urb+0x8b/0x140
      [   24.921821]  usb_hcd_giveback_urb+0xca/0xe0
      [   24.921828]  xhci_giveback_urb_in_irq.isra.42+0x82/0xf0
      [   24.921834]  handle_cmd_completion+0xe02/0x10d0
      [   24.921837]  xhci_irq+0x274/0x4a0
      [   24.921838]  xhci_msi_irq+0x11/0x20
      [   24.921851]  __handle_irq_event_percpu+0x44/0x190
      [   24.921856]  handle_irq_event_percpu+0x32/0x80
      [   24.921861]  handle_irq_event+0x3b/0x5a
      [   24.921867]  handle_edge_irq+0x80/0x190
      [   24.921874]  handle_irq+0x20/0x30
      [   24.921889]  do_IRQ+0x4e/0xe0
      [   24.921891]  common_interrupt+0xf/0xf
      [   24.921892]  </IRQ>
      [   24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180
      [   24.921354] usb 3-14: USB disconnect, device number 7
      Signed-off-by: default avatarLorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      4079e8cc
    • Colin Ian King's avatar
      rtlwifi: remove redundant assignment to variable k · f0822dfc
      Colin Ian King authored
      The assignment of 0 to variable k is never read once we break out of
      the loop, so the assignment is redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      f0822dfc
    • Colin Ian King's avatar
      rtlwifi: remove redundant assignment to variable badworden · 5315f9d4
      Colin Ian King authored
      The variable badworden is assigned with a value that is never read and
      it is re-assigned a new value immediately afterwards.  The assignment is
      redundant and can be removed.
      
      Addresses-Coverity: ("Unused value")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      5315f9d4
    • Ping-Ke Shih's avatar
      rtlwifi: rtl8192cu: fix error handle when usb probe failed · 6c0ed66f
      Ping-Ke Shih authored
      rtl_usb_probe() must do error handle rtl_deinit_core() only if
      rtl_init_core() is done, otherwise goto error_out2.
      
      | usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
      | rtl_usb: reg 0xf0, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
      | rtl8192cu: Chip version 0x10
      | rtl_usb: reg 0xa, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
      | rtl_usb: Too few input end points found
      | INFO: trying to register non-static key.
      | the code is fine but needs lockdep annotation.
      | turning off the locking correctness validator.
      | CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
      | Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      | Google 01/01/2011
      | Workqueue: usb_hub_wq hub_event
      | Call Trace:
      |   __dump_stack lib/dump_stack.c:77 [inline]
      |   dump_stack+0xe8/0x16e lib/dump_stack.c:113
      |   assign_lock_key kernel/locking/lockdep.c:786 [inline]
      |   register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
      |   __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
      |   lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
      |   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
      |   _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
      |   rtl_c2hcmd_launcher+0xd1/0x390
      | drivers/net/wireless/realtek/rtlwifi/base.c:2344
      |   rtl_deinit_core+0x25/0x2d0 drivers/net/wireless/realtek/rtlwifi/base.c:574
      |   rtl_usb_probe.cold+0x861/0xa70
      | drivers/net/wireless/realtek/rtlwifi/usb.c:1093
      |   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
      |   really_probe+0x2da/0xb10 drivers/base/dd.c:509
      |   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
      |   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
      |   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
      |   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
      |   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
      |   device_add+0xad2/0x16e0 drivers/base/core.c:2106
      |   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
      |   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
      |   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
      |   really_probe+0x2da/0xb10 drivers/base/dd.c:509
      |   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
      |   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
      |   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
      |   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
      |   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
      |   device_add+0xad2/0x16e0 drivers/base/core.c:2106
      |   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
      |   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
      |   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
      |   port_event drivers/usb/core/hub.c:5350 [inline]
      |   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
      |   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
      |   worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
      |   kthread+0x313/0x420 kernel/kthread.c:253
      |   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      
      Reported-by: syzbot+1fcc5ef45175fc774231@syzkaller.appspotmail.com
      Signed-off-by: default avatarPing-Ke Shih <pkshih@realtek.com>
      Acked-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      6c0ed66f
    • Swati Kushwaha's avatar
      mwifiex: ignore processing invalid command response · 74f202aa
      Swati Kushwaha authored
      Firmware can send invalid command response, the processing of
      which can attempt to modify unexpected context and cause issues.
      To fix this, driver should check that the command response ID is
      same as the one it downloaded, and ignore processing of invalid
      response.
      Signed-off-by: default avatarSwati Kushwaha <swatiuma@marvell.com>
      Signed-off-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      74f202aa
    • Sharvari Harisangam's avatar
      mwifiex: update set_mac_address logic · 7afb94da
      Sharvari Harisangam authored
      In set_mac_address, driver check for interfaces with same bss_type
      For first STA entry, this would return 3 interfaces since all priv's have
      bss_type as 0 due to kzalloc. Thus mac address gets changed for STA
      unexpected. This patch adds check for first STA and avoids mac address
      change. This patch also adds mac_address change for p2p based on bss_num
      type.
      Signed-off-by: default avatarSharvari Harisangam <sharvari@marvell.com>
      Signed-off-by: default avatarGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      7afb94da
    • Brian Norris's avatar
      mwifiex: print PCI mmap with %pK · 2fc0aa45
      Brian Norris authored
      Unadorned '%p' has restrictive policies these days, such that it usually
      just prints garbage at early boot (see
      Documentation/core-api/printk-formats.rst, "kernel will print
      ``(ptrval)`` until it gathers enough entropy"). Annotating with %pK
      (for "kernel pointer") allows the kptr_restrict sysctl to control
      printing policy better.
      
      We might just as well drop this message entirely, but this fix was easy
      enough for now.
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      2fc0aa45
    • Brian Norris's avatar
      mwifiex: drop 'set_consistent_dma_mask' log message · f7369179
      Brian Norris authored
      This message is pointless.
      
      While we're at it, include the error code in the error message, which is
      not pointless.
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      f7369179
    • Alan Stern's avatar
      p54usb: Fix race between disconnect and firmware loading · 6e41e225
      Alan Stern authored
      The syzbot fuzzer found a bug in the p54 USB wireless driver.  The
      issue involves a race between disconnect and the firmware-loader
      callback routine, and it has several aspects.
      
      One big problem is that when the firmware can't be loaded, the
      callback routine tries to unbind the driver from the USB _device_ (by
      calling device_release_driver) instead of from the USB _interface_ to
      which it is actually bound (by calling usb_driver_release_interface).
      
      The race involves access to the private data structure.  The driver's
      disconnect handler waits for a completion that is signalled by the
      firmware-loader callback routine.  As soon as the completion is
      signalled, you have to assume that the private data structure may have
      been deallocated by the disconnect handler -- even if the firmware was
      loaded without errors.  However, the callback routine does access the
      private data several times after that point.
      
      Another problem is that, in order to ensure that the USB device
      structure hasn't been freed when the callback routine runs, the driver
      takes a reference to it.  This isn't good enough any more, because now
      that the callback routine calls usb_driver_release_interface, it has
      to ensure that the interface structure hasn't been freed.
      
      Finally, the driver takes an unnecessary reference to the USB device
      structure in the probe function and drops the reference in the
      disconnect handler.  This extra reference doesn't accomplish anything,
      because the USB core already guarantees that a device structure won't
      be deallocated while a driver is still bound to any of its interfaces.
      
      To fix these problems, this patch makes the following changes:
      
      	Call usb_driver_release_interface() rather than
      	device_release_driver().
      
      	Don't signal the completion until after the important
      	information has been copied out of the private data structure,
      	and don't refer to the private data at all thereafter.
      
      	Lock udev (the interface's parent) before unbinding the driver
      	instead of locking udev->parent.
      
      	During the firmware loading process, take a reference to the
      	USB interface instead of the USB device.
      
      	Don't take an unnecessary reference to the device during probe
      	(and then don't drop it during disconnect).
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
      CC: <stable@vger.kernel.org>
      Acked-by: default avatarChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      6e41e225
  2. 28 May, 2019 26 commits
  3. 27 May, 2019 3 commits
    • Kalle Valo's avatar
      Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git · 889ca180
      Kalle Valo authored
      ath.git patches for 5.3. Major changes:
      
      ath10k
      
      * enable SDIO support, first one being QCA6174 hw3.2
      889ca180
    • YueHaibing's avatar
      cxgb4: Make t4_get_tp_e2c_map static · f4aa8012
      YueHaibing authored
      Fix sparse warning:
      
      drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:6216:14:
       warning: symbol 't4_get_tp_e2c_map' was not declared. Should it be static?
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4aa8012
    • David Ahern's avatar
      selftest: Fixes for icmp_redirect test · 99513cfa
      David Ahern authored
      I was really surprised that the IPv6 mtu exception followed by redirect
      test was passing as nothing about the code suggests it should. The problem
      is actually with the logic in the test script.
      
      Fix the test cases as follows:
      1. add debug function to dump the initial and redirect gateway addresses
         for ipv6. This is shown only in verbose mode. It helps verify the
         output of 'route get'.
      
      2. fix the check_exception logic for the reset case to make sure that
         for IPv4 neither mtu nor redirect appears in the 'route get' output.
         For IPv6, make sure mtu is not present and the gateway is the initial
         R1 lladdr.
      
      3. fix the reset logic by using a function to delete the routes added by
         initial_route_*. This format works better for the nexthop version of
         the tests.
      
      While improving the test cases, go ahead and ensure that forwarding is
      disabled since IPv6 redirect requires it.
      
      Also, runs with kernel debugging enabled sometimes show a failure with
      one of the ipv4 tests, so spread the pings over longer time interval.
      
      The end result is that 2 tests now show failures:
      
      TEST: IPv6: mtu exception plus redirect                    [FAIL]
      
      and the VRF version.
      
      This is a bug in the IPv6 logic that will need to be fixed
      separately. Redirect followed by MTU works because __ip6_rt_update_pmtu
      hits the 'if (!rt6_cache_allowed_for_pmtu(rt6))' path and updates the
      mtu on the exception rt6_info.
      
      MTU followed by redirect does not have this logic. rt6_do_redirect
      creates a new exception and then rt6_insert_exception removes the old
      one which has the MTU exception.
      
      Fixes: ec810535 ("selftests: Add redirect tests")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      99513cfa