1. 17 Aug, 2020 13 commits
  2. 15 Aug, 2020 4 commits
    • Wen Gong's avatar
      ath10k: correct the array index from mcs index for HT mode for QCA6174 · db04b755
      Wen Gong authored
      The mcs index of HT mode is 0 to 31, please refer http://mcsindex.com/.
      Its spatial stream(Nss) number is from 1 to 4, mcs index is 0~7 for
      Nss=1, 8~15 for Nss=2, 16~23 for Nss=3 and 24~31 is for Nss=4.
      
      The mcs is reported from firmware in wmi_tlv_peer_stats_info of
      event WMI_TLV_PEER_STATS_INFO_EVENTID, its range is from 0~15 for
      QCA6174 SDIO and PCIe. It is for both Nss=1 and Nss=2, and it has 2
      rate table supported_ht_mcs_rate_nss1 and supported_ht_mcs_rate_nss2
      in ath10k, they are for Nss=1 and Nss=2, each table has 8 rates.
      
      It need to find the matched row number with the mcs index, for example,
      mcs index is 2, it is <=7, so it is Nss=1, and match row 2 in table of
      Nss=1. If mcs index is 12, it is >= 8 and <= 15, so it is Nss=2, it
      match row 4(12-8) in table of Nss=2. If mcs index is >=16, it is for
      Nss=3/4, it need to add rate table, so it is not support in current
      ath10k.
      
      This patch is to find the row number in rate table of Nss=1 or Nss=2
      with the mcs index reported from firmware.
      
      This patch only effect the chips which supports_peer_stats_info of its
      hw_params is true, it is true only for QCA6174 currently.
      
      Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048
      Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1597392294-13124-1-git-send-email-wgong@codeaurora.org
      db04b755
    • Wen Gong's avatar
      ath10k: enable supports_peer_stats_info for QCA6174 PCI devices · cbcbabb9
      Wen Gong authored
      When using QCA6174 PCI devices working in station mode, after connected
      to AP, tx bitrate is always '1.0 MBit/s' in output of command 'iw wlan0
      station dump'. (QCA6174 SDIO devices are working fine.)
      
      After this patch, it show correct bitrate:
      
      Station c4:04:15:5d:97:22 (on wls1)
              inactive time:  312 ms
              rx bytes:       31496
              rx packets:     173
              tx bytes:       8625
              tx packets:     46
              tx retries:     0
              tx failed:      0
              signal:         -76 [-88, -80] dBm
              signal avg:     -75 [-82, -77] dBm
              tx bitrate:     39.0 MBit/s MCS 4
              rx bitrate:     26.0 MBit/s MCS 3
      
      Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1597312029-32348-4-git-send-email-wgong@codeaurora.org
      cbcbabb9
    • Wen Gong's avatar
      ath10k: remove return for NL80211_STA_INFO_TX_BITRATE · 1cd6ba8a
      Wen Gong authored
      ath10k_sta_statistics is used to report many info to iw wlan0 link,
      if it return for empty legacy and nss of arsta->txrate, then the other
      stats after it will not be set.
      
      It has 4 bit to set after the return:
      NL80211_STA_INFO_TX_FAILED
      NL80211_STA_INFO_RX_BITRATE
      NL80211_STA_INFO_TX_BITRATE
      NL80211_STA_INFO_TX_RETRIES
      
      This patch not effect the info of above 4 bit for all hardware, reason
      as below:
      
      NL80211_STA_INFO_TX_FAILED is only for htt.disable_tx_comp is true, it
      is for QCA6174 SDIO.
      
      NL80211_STA_INFO_RX_BITRATE and NL80211_STA_INFO_TX_BITRATE are both
      set in ath10k_mac_sta_get_peer_stats_info, it is only enabled for chips
      which supports_peer_stats_info is true in hw_params, recently only for
      QCA6174 SDIO, NL80211_STA_INFO_TX_BITRATE is set again in function
      ath10k_mac_sta_get_peer_stats_info because the value which parsed from
      arsta->tx_rate_code and arsta->tx_bitrate_kbps is correct for QCA6174
      SDIO and PCIe, and the value arsta->txrate is not correct for QCA6174
      SDIO and PCIe, so it need to set again with the correct value.
      
      NL80211_STA_INFO_TX_RETRIES is use value of arsta->tx_retries, it is set
      in ath10k_update_per_peer_tx_stats, which accumulate the retry_pkts in
      HTT message from firmware, if the chips not support this feature, then
      it is always 0 after accumulate, then iw wlan0 station dump always show
      0 for retry count. If not set NL80211_STA_INFO_TX_RETRIES here, then it
      is still 0, so the result is same, then set NL80211_STA_INFO_TX_RETRIES
      has no effect.
      
      Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048
      Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1597312029-32348-3-git-send-email-wgong@codeaurora.org
      1cd6ba8a
    • Wen Gong's avatar
      ath10k: add wmi service peer stat info for wmi tlv · e39f32af
      Wen Gong authored
      ath10k_sta_statistics is used to report info for iw wlan0 link,
      it check ath10k_peer_stats_enabled, and ath10k_peer_stats_enabled
      check WMI_SERVICE_PEER_STATS bit of ar->wmi.svc_map. SVCMAP() for
      WMI_SERVICE_PEER_STATS was defined only for wmi_10x_svc_map and
      wmi_10_4_svc_map interfaces, it missed in wmi_tlv_svc_map, so it is
      not usable for iw wlan0 link for wmi tlv interface.
      
      If firmware report WMI_TLV_SERVICE_PEER_STATS_INFO for wmi tlv, then
      enable the WMI_SERVICE_PEER_STATS bit in ath10k, and then it pass check
      in ath10k_peer_stats_enabled and ath10k_sta_statistics pass check.
      
      Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048
      Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1597312029-32348-2-git-send-email-wgong@codeaurora.org
      e39f32af
  3. 14 Aug, 2020 11 commits
  4. 20 Jul, 2020 2 commits
    • Zekun Shen's avatar
      ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() · bad60b8d
      Zekun Shen authored
      The idx in __ath10k_htt_rx_ring_fill_n function lives in
      consistent dma region writable by the device. Malfunctional
      or malicious device could manipulate such idx to have a OOB
      write. Either by
          htt->rx_ring.netbufs_ring[idx] = skb;
      or by
          ath10k_htt_set_paddrs_ring(htt, paddr, idx);
      
      The idx can also be negative as it's signed, giving a large
      memory space to write to.
      
      It's possibly exploitable by corruptting a legit pointer with
      a skb pointer. And then fill skb with payload as rougue object.
      
      Part of the log here. Sometimes it appears as UAF when writing
      to a freed memory by chance.
      
       [   15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
       [   15.595483] #PF: supervisor write access in kernel mode
       [   15.596250] #PF: error_code(0x0002) - not-present page
       [   15.597013] PGD 0 P4D 0
       [   15.597395] Oops: 0002 [#1] SMP KASAN PTI
       [   15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
       [   15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
       BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
       [   15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
       [   15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
       (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
      Signed-off-by: default avatarZekun Shen <bruceshenzk@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com
      bad60b8d
    • Bolarinwa Olayemi Saheed's avatar
      ath9k: Check the return value of pcie_capability_read_*() · 9a8ab2bf
      Bolarinwa Olayemi Saheed authored
      On failure pcie_capability_read_dword() sets it's last parameter, val
      to 0. However, with Patch 14/14, it is possible that val is set to ~0 on
      failure. This would introduce a bug because (x & x) == (~0 & x).
      
      This bug can be avoided without changing the function's behaviour if the
      return value of pcie_capability_read_dword is checked to confirm success.
      
      Check the return value of pcie_capability_read_dword() to ensure success.
      Suggested-by: default avatarBjorn Helgaas <bjorn@helgaas.com>
      Signed-off-by: default avatarBolarinwa Olayemi Saheed <refactormyself@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200713175529.29715-2-refactormyself@gmail.com
      9a8ab2bf
  5. 23 Jun, 2020 10 commits