- 17 Aug, 2020 13 commits
-
-
Govind Singh authored
QMI service instance id is used for qmi service lookup, IPQ8074 and QCA6390 uses different instance id for service lookup. Fill appropriate QMI service instance id for respective targets. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597389030-13887-4-git-send-email-kvalo@codeaurora.org
-
Govind Singh authored
PCI devices like QCA6390 load the board file differently, add support for that and the method is chosen using bus_params variables. Add support to create board name for different targets. This board name is used to parse the board data from board-2.bin for ahb/pci based targets. As struct target_mem_chunk::vaddr was changed from 'u32' to 'u32 *' in ath11k_qmi_assign_target_mem_chunk() vaddr assignments were changed to NULL to avoid a compilation warning. IPQ8074 does not use the vaddr field for anything so that change does not affect functionality. At the moment this only supports board files with BIN type. Support for ELF type, which seems to be more popular on QCA6390 devices, needs to be added later. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597389030-13887-3-git-send-email-kvalo@codeaurora.org
-
Govind Singh authored
PCI devices like QCA6390 have a separate firmware image for the m3 micro-controller. Add support to load the firmware using m3.bin file. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597389030-13887-2-git-send-email-kvalo@codeaurora.org
-
Govind Singh authored
QCA6390 and other PCI devices use MHI based firmware loading and do not use remoteproc, so enable it only for AHB devices. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-11-git-send-email-kvalo@codeaurora.org
-
Govind Singh authored
Define CE pipe/qmi config and setup pci irq for the same. Call ath11k_core_init(). Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-10-git-send-email-kvalo@codeaurora.org
-
Govind Singh authored
Modem Host Interface (MHI) is a communication protocol to communicate with external Qualcomm modems and Wi-Fi chipsets over high speed peripheral buses. Even though MHI doesn’t dictate underlying physical layer, protocol and MHI stack is structured for PCI based devices. Register directly with MHI subsystem as a MHI device driver for firmware download to QCA6390. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-9-git-send-email-kvalo@codeaurora.org
-
Kalle Valo authored
This is needed to initialise hw_params before MHI registration starts. MHI needs location of firmware directory and that's delivered via hw_params. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-8-git-send-email-kvalo@codeaurora.org
-
Govind Singh authored
QCA6390 uses PCI MSI for CE/MHI/DP interrupt. Add MSI vector mapping and MSI enable/disable operations. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-7-git-send-email-kvalo@codeaurora.org
-
Govind Singh authored
Add support for setting up pci region and dma mask. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-6-git-send-email-kvalo@codeaurora.org
-
Govind Singh authored
QCA6390 is a PCI based 11ax chipset, split AHB into own kernel module ath11k_ahb.ko and add ath11k_pci.ko for PCI devices. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Govind Singh <govinds@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-5-git-send-email-kvalo@codeaurora.org
-
Kalle Valo authored
This is needed for splitting ahb and pci modules as they have different ring mask settings. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-4-git-send-email-kvalo@codeaurora.org
-
Carl Huang authored
Define own firmware directory and settings for QCA6390. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Carl Huang <cjhuang@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-3-git-send-email-kvalo@codeaurora.org
-
Carl Huang authored
With only IPQ8074 supported ath11k was only usable on Qualcomm architectures. But now that we are adding QCA6390 PCI support to ath11k that's not the case anymore and it can be used on any architecture supporting PCI. So remove the dependency on ARCH_QCOM. After that there is also no need to depend on COMPILE_TEST. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2 Signed-off-by: Carl Huang <cjhuang@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597309466-19688-2-git-send-email-kvalo@codeaurora.org
-
- 15 Aug, 2020 4 commits
-
-
Wen Gong authored
The mcs index of HT mode is 0 to 31, please refer http://mcsindex.com/. Its spatial stream(Nss) number is from 1 to 4, mcs index is 0~7 for Nss=1, 8~15 for Nss=2, 16~23 for Nss=3 and 24~31 is for Nss=4. The mcs is reported from firmware in wmi_tlv_peer_stats_info of event WMI_TLV_PEER_STATS_INFO_EVENTID, its range is from 0~15 for QCA6174 SDIO and PCIe. It is for both Nss=1 and Nss=2, and it has 2 rate table supported_ht_mcs_rate_nss1 and supported_ht_mcs_rate_nss2 in ath10k, they are for Nss=1 and Nss=2, each table has 8 rates. It need to find the matched row number with the mcs index, for example, mcs index is 2, it is <=7, so it is Nss=1, and match row 2 in table of Nss=1. If mcs index is 12, it is >= 8 and <= 15, so it is Nss=2, it match row 4(12-8) in table of Nss=2. If mcs index is >=16, it is for Nss=3/4, it need to add rate table, so it is not support in current ath10k. This patch is to find the row number in rate table of Nss=1 or Nss=2 with the mcs index reported from firmware. This patch only effect the chips which supports_peer_stats_info of its hw_params is true, it is true only for QCA6174 currently. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048 Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597392294-13124-1-git-send-email-wgong@codeaurora.org
-
Wen Gong authored
When using QCA6174 PCI devices working in station mode, after connected to AP, tx bitrate is always '1.0 MBit/s' in output of command 'iw wlan0 station dump'. (QCA6174 SDIO devices are working fine.) After this patch, it show correct bitrate: Station c4:04:15:5d:97:22 (on wls1) inactive time: 312 ms rx bytes: 31496 rx packets: 173 tx bytes: 8625 tx packets: 46 tx retries: 0 tx failed: 0 signal: -76 [-88, -80] dBm signal avg: -75 [-82, -77] dBm tx bitrate: 39.0 MBit/s MCS 4 rx bitrate: 26.0 MBit/s MCS 3 Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597312029-32348-4-git-send-email-wgong@codeaurora.org
-
Wen Gong authored
ath10k_sta_statistics is used to report many info to iw wlan0 link, if it return for empty legacy and nss of arsta->txrate, then the other stats after it will not be set. It has 4 bit to set after the return: NL80211_STA_INFO_TX_FAILED NL80211_STA_INFO_RX_BITRATE NL80211_STA_INFO_TX_BITRATE NL80211_STA_INFO_TX_RETRIES This patch not effect the info of above 4 bit for all hardware, reason as below: NL80211_STA_INFO_TX_FAILED is only for htt.disable_tx_comp is true, it is for QCA6174 SDIO. NL80211_STA_INFO_RX_BITRATE and NL80211_STA_INFO_TX_BITRATE are both set in ath10k_mac_sta_get_peer_stats_info, it is only enabled for chips which supports_peer_stats_info is true in hw_params, recently only for QCA6174 SDIO, NL80211_STA_INFO_TX_BITRATE is set again in function ath10k_mac_sta_get_peer_stats_info because the value which parsed from arsta->tx_rate_code and arsta->tx_bitrate_kbps is correct for QCA6174 SDIO and PCIe, and the value arsta->txrate is not correct for QCA6174 SDIO and PCIe, so it need to set again with the correct value. NL80211_STA_INFO_TX_RETRIES is use value of arsta->tx_retries, it is set in ath10k_update_per_peer_tx_stats, which accumulate the retry_pkts in HTT message from firmware, if the chips not support this feature, then it is always 0 after accumulate, then iw wlan0 station dump always show 0 for retry count. If not set NL80211_STA_INFO_TX_RETRIES here, then it is still 0, so the result is same, then set NL80211_STA_INFO_TX_RETRIES has no effect. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048 Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597312029-32348-3-git-send-email-wgong@codeaurora.org
-
Wen Gong authored
ath10k_sta_statistics is used to report info for iw wlan0 link, it check ath10k_peer_stats_enabled, and ath10k_peer_stats_enabled check WMI_SERVICE_PEER_STATS bit of ar->wmi.svc_map. SVCMAP() for WMI_SERVICE_PEER_STATS was defined only for wmi_10x_svc_map and wmi_10_4_svc_map interfaces, it missed in wmi_tlv_svc_map, so it is not usable for iw wlan0 link for wmi tlv interface. If firmware report WMI_TLV_SERVICE_PEER_STATS_INFO for wmi tlv, then enable the WMI_SERVICE_PEER_STATS bit in ath10k, and then it pass check in ath10k_peer_stats_enabled and ath10k_sta_statistics pass check. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048 Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1597312029-32348-2-git-send-email-wgong@codeaurora.org
-
- 14 Aug, 2020 11 commits
-
-
Wen Gong authored
When simulate random transfer fail for sdio write and read, it happened "payload length exceeds max htc length" and recovery later sometimes. Test steps: 1. Add config and update kernel: CONFIG_FAIL_MMC_REQUEST=y CONFIG_FAULT_INJECTION=y CONFIG_FAULT_INJECTION_DEBUG_FS=y 2. Run simulate fail: cd /sys/kernel/debug/mmc1/fail_mmc_request echo 10 > probability echo 10 > times # repeat until hitting issues 3. It happened payload length exceeds max htc length. [ 199.935506] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 .... [ 264.990191] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088 4. after some time, such as 60 seconds, it start recovery which triggered by wmi command timeout for periodic scan. [ 269.229232] ieee80211 phy0: Hardware restart was requested [ 269.734693] ath10k_sdio mmc1:0001:1: device successfully recovered The simulate fail of sdio is not a real sdio transter fail, it only set an error status in mmc_should_fail_request after the transfer end, actually the transfer is success, then sdio_io_rw_ext_helper will return error status and stop transfer the left data. For example, the really RX len is 286 bytes, then it will split to 2 blocks in sdio_io_rw_ext_helper, one is 256 bytes, left is 30 bytes, if the first 256 bytes get an error status by mmc_should_fail_request,then the left 30 bytes will not read in this RX operation. Then when the next RX arrive, the left 30 bytes will be considered as the header of the read, the top 4 bytes of the 30 bytes will be considered as lookaheads, but actually the 4 bytes is not the lookaheads, so the len from this lookaheads is not correct, it exceeds max htc length 4088 sometimes. When happened exceeds, the buffer chain is not matched between firmware and ath10k, then it need to start recovery ASAP. Recently then recovery will be started by wmi command timeout, but it will be long time later, for example, it is 60+ seconds later from the periodic scan, if it does not have periodic scan, it will be longer. Start recovery when it happened "payload length exceeds max htc length" will be reasonable. This patch only effect sdio chips. Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029. Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200108031957.22308-3-wgong@codeaurora.org
-
Alexander A. Klimov authored
Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200719104041.57916-1-grandmaster@al2klimov.de
-
Julia Lawall authored
list_for_each_entry{_safe} is able to handle an empty list. The only effect of avoiding the loop is not initializing the index variable. Drop list_empty tests in cases where these variables are not used. Note that list_for_each_entry{_safe} is defined in terms of list_first_entry, which indicates that it should not be used on an empty list. But in list_for_each_entry{_safe}, the element obtained by list_first_entry is not really accessed, only the address of its list_head field is compared to the address of the list head, so the list_first_entry is safe. The semantic patch that makes this change for the list_for_each_entry case is as follows: (http://coccinelle.lip6.fr/) <smpl> @@ expression x,e; statement S; identifier i; @@ -if (!(list_empty(x))) list_for_each_entry(i,x,...) S ... when != i ? i = e </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1595761112-11003-8-git-send-email-Julia.Lawall@inria.fr
-
Gustavo A. R. Silva authored
Replace the existing /* fall through */ comments and its variants with the new pseudo-keyword macro fallthrough[1]. [1] https://www.kernel.org/doc/html/v5.7/process/deprecated.html?highlight=fallthrough#implicit-switch-case-fall-throughSigned-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200727193520.GA832@embeddedor
-
Loic Poulain authored
Instead of using the firmware generated sequence number, use the one already allocated by the mac80211 layer. This allows better control of the sequence numbers and avoid to rely on same sequence for Data, QOS Data and QOS Null Data packets. Signed-off-by: Loic Poulain <loic.poulain@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1595586052-16081-7-git-send-email-loic.poulain@linaro.org
-
Loic Poulain authored
This patch contains the following fixes: - Use correct queue for submitting QoS packet. The queue id to use is a one-to-one mapping with the TID. - Don't encrypt a frame with IEEE80211_TX_INTFL_DONT_ENCRYPT flag. - Use the 'special queue' for null packets, preventing the firmware to submit it as AMPDU. Signed-off-by: Loic Poulain <loic.poulain@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1595586052-16081-5-git-send-email-loic.poulain@linaro.org
-
Loic Poulain authored
Increase the short/long retry limit to 15 in order to impove TX robustness in noisy/busy environment. 15 is the default value defined in the downstream driver. Observed number of ack timeout is reduced with this change. Signed-off-by: Loic Poulain <loic.poulain@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1595586052-16081-4-git-send-email-loic.poulain@linaro.org
-
Loic Poulain authored
The controller is capable of reporting TX indication which can be used to report TX ack when IEEE80211_TX_CTL_REQ_TX_STATUS is set. The support was only partially implemented. The firmware can be configured for reporting event when a packet is acked, without specifying which packet though. In order to send a packet flagged with TX status callback, we need to stop the queue, submit the packet and wait for the firmware ack event. Then the queue can be restarted and mac80211 status callback called. In case the packet is not acked, no ack event will be received, therefore a timeout mechanism is introduced to restart the queue and call the status cb in case no event is received after a 100ms. Signed-off-by: Loic Poulain <loic.poulain@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1595586052-16081-3-git-send-email-loic.poulain@linaro.org
-
Loic Poulain authored
Several AMPDU sessions can be started, e.g. for different TIDs. Currently the driver does not take care of the session ID when requesting block-ack (statically set to 0), which leads to never block-acked packet with sessions other than 0. Fix this by saving the session id when creating the ba session and use it in subsequent ba operations. This issue can be reproduced with iperf in two steps (tid 0 strem then tid 6 stream). 1.0 iperf -s # wcn36xx side 1.1 iperf -c ${IP_ADDR} # host side Then 2.0 iperf -s -u -S 0xC0 # wcn36xx side 2.1 iperf -c ${IP_ADDR} -u -S 0xC0 -l 2000 # host side Signed-off-by: Loic Poulain <loic.poulain@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1595586052-16081-2-git-send-email-loic.poulain@linaro.org
-
Pavel Machek authored
Typo "destoy" made me wonder if correct patch is wrong; fix it. No functional change. Signed-off-by: Pavel Machek (CIP) <pavel@denx.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200724083910.GA31930@amd
-
Alexander A. Klimov authored
Rationale: Reduces attack surface on kernel devs opening the links for MITM as HTTPS traffic is much harder to manipulate. Deterministic algorithm: For each file: If not .svg: For each line: If doesn't contain `\bxmlns\b`: For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`: If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`: If both the HTTP and HTTPS versions return 200 OK and serve the same content: Replace HTTP with HTTPS. Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200719105052.57997-1-grandmaster@al2klimov.de
-
- 20 Jul, 2020 2 commits
-
-
Zekun Shen authored
The idx in __ath10k_htt_rx_ring_fill_n function lives in consistent dma region writable by the device. Malfunctional or malicious device could manipulate such idx to have a OOB write. Either by htt->rx_ring.netbufs_ring[idx] = skb; or by ath10k_htt_set_paddrs_ring(htt, paddr, idx); The idx can also be negative as it's signed, giving a large memory space to write to. It's possibly exploitable by corruptting a legit pointer with a skb pointer. And then fill skb with payload as rougue object. Part of the log here. Sometimes it appears as UAF when writing to a freed memory by chance. [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0 [ 15.595483] #PF: supervisor write access in kernel mode [ 15.596250] #PF: error_code(0x0002) - not-present page [ 15.597013] PGD 0 P4D 0 [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69 [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core] [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core Signed-off-by: Zekun Shen <bruceshenzk@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com
-
Bolarinwa Olayemi Saheed authored
On failure pcie_capability_read_dword() sets it's last parameter, val to 0. However, with Patch 14/14, it is possible that val is set to ~0 on failure. This would introduce a bug because (x & x) == (~0 & x). This bug can be avoided without changing the function's behaviour if the return value of pcie_capability_read_dword is checked to confirm success. Check the return value of pcie_capability_read_dword() to ensure success. Suggested-by: Bjorn Helgaas <bjorn@helgaas.com> Signed-off-by: Bolarinwa Olayemi Saheed <refactormyself@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200713175529.29715-2-refactormyself@gmail.com
-
- 23 Jun, 2020 10 commits
-
-
Kalle Valo authored
It's just a duplicate of ATH11K_DEFAULT_CAL_FILE. Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-13-git-send-email-kvalo@codeaurora.org
-
Kalle Valo authored
These defines are not used anywhere else so to avoid extra indirection add the values directly to hw_params. No functional changes. Compile tested only. Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-12-git-send-email-kvalo@codeaurora.org
-
Kalle Valo authored
Use simplified format, just like ath10k uses, which is easier to read. Compile tested only. Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-11-git-send-email-kvalo@codeaurora.org
-
Kalle Valo authored
ath11k should not be spamming these to the logs. If these are important they should be debug messages, but I just remove them for now. Compile tested only. Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-10-git-send-email-kvalo@codeaurora.org
-
Kalle Valo authored
Use the helper added in previous comment to create the full path, instead of doing it manually. No functional changes. Compile tested only. Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-9-git-send-email-kvalo@codeaurora.org
-
Kalle Valo authored
The downside of using defines in struct ath11k_hw_params.fw.dir is that it's easy to get it wrong as the full path is not visible. So drop the use of defines and instead create the patch runtime using a static inline function ath11k_core_create_firmware_path(). Hopefully this reduces the chances of using incorrect firmware path. No functional changes. Compile tested only. Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-8-git-send-email-kvalo@codeaurora.org
-
Kalle Valo authored
To avoid duplicating the logic how the full firmware path is created create a common function ath11k_core_firmware_request() and convert also qmi.c to use it. Also remove a useless info print, it's more like a debug message anyway. No functional changes. Compile tested only. Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-7-git-send-email-kvalo@codeaurora.org
-
Anilkumar Kolli authored
bdf-addr is different for IPQ8074 and IPQ6018 so add it to hw_params. No functional changes. Compile tested only. Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-6-git-send-email-kvalo@codeaurora.org
-
Anilkumar Kolli authored
pdev_id to hw_mac is different for ipq8074 and ipq6018 Below table has the mapping pdev_id ipq8074 ipq6018 ------- ------- ------- 0 0 0 1 2 1 2 1 Not applicable No functional changes. Compile tested only. Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-5-git-send-email-kvalo@codeaurora.org
-
Anilkumar Kolli authored
IPQ6018 needs different value for max_radios so make it configurable via hw_params. No functional changes. Compile tested only. Signed-off-by: Anilkumar Kolli <akolli@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1592316055-24958-4-git-send-email-kvalo@codeaurora.org
-