1. 12 Sep, 2019 7 commits
    • wil6210: make sure DR bit is read before rest of the status message · f4519fd9
      Dedy Lansky authored
      Due to compiler optimization, it's possible that dr_bit (descriptor
      ready) is read last from the status message.
      Due to race condition between HW writing the status message and
      driver reading it, other fields that were read earlier (before dr_bit)
      could have invalid values.
      
      Fix this by explicitly reading the dr_bit first and then using rmb
      before reading the rest of the status message.
      Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
      Signed-off-by: Maya Erez <merez@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • wil6210: fix PTK re-key race · 42fe1e51
      Ahmad Masri authored
      Fix a race between cfg80211 add_key call and transmitting of 4/4 EAP
      packet. In case the transmit is delayed until after the add key takes
      place, message 4/4 will be encrypted with the new key, and the
      receiver side (AP) will drop it due to MIC error.
      
      Wil6210 will monitor and look for the transmitted packet 4/4 eap key.
      In case add_key takes place before the transmission completed, then
      wil6210 will let the FW store the key and wil6210 will notify the FW
      to use the PTK key only after 4/4 eap packet transmission was
      completed.
      Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
      Signed-off-by: Maya Erez <merez@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • wil6210: add debugfs to show PMC ring content · 977c45ab
      Dedy Lansky authored
      PMC is a hardware debug mechanism which allows capturing real time
      debug data and stream it to host memory. The driver allocates memory
      buffers and set them inside PMC ring of descriptors.
      Add pmcring debugfs that application can use to read the binary
      content of descriptors inside the PMC ring (cat pmcring).
      Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
      Signed-off-by: Maya Erez <merez@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • wil6210: add wil_netif_rx() helper function · f99fe49f
      Dedy Lansky authored
      Move common part of wil_netif_rx_any into new helper function and add
      support for non-gro receive using netif_rx_ni.
      Signed-off-by: Dedy Lansky <dlansky@codeaurora.org>
      Signed-off-by: Maya Erez <merez@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: fix channel info parsing for non tlv target · 6be6c04b
      Rakesh Pillai authored
      The tlv targets such as WCN3990 send more data in the chan info event, which is
      not sent by the non tlv targets. There is a minimum size check in the wmi event
      for non-tlv targets and hence we cannot update the common channel info
      structure as it was done in commit 13104929 ("ath10k: fill the channel
      survey results for WCN3990 correctly"). This broke channel survey results on
      10.x firmware versions.
      
      If the common channel info structure is updated, the size check for chan info
      event for non-tlv targets will fail and return -EPROTO and we see the below
      error messages
      
         ath10k_pci 0000:01:00.0: failed to parse chan info event: -71
      
      Add tlv specific channel info structure and restore the original size of the
      common channel info structure to mitigate this issue.
      
      Tested HW: WCN3990
      	   QCA9887
      Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
      	   10.2.4-1.0-00037
      
      Fixes: 13104929 ("ath10k: fill the channel survey results for WCN3990 correctly")
      Cc: stable@vger.kernel.org # 5.0
      Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet · b7139960
      Nicolas Boichat authored
      When the FW bundles multiple packets, pkt->act_len may be incorrect
      as it refers to the first packet only (however, the FW will only
      bundle packets that fit into the same pkt->alloc_len).
      
      Before this patch, the skb length would be set (incorrectly) to
      pkt->act_len in ath10k_sdio_mbox_rx_packet, and then later manually
      adjusted in ath10k_sdio_mbox_rx_process_packet.
      
      The first problem is that ath10k_sdio_mbox_rx_process_packet does not
      use proper skb_put commands to adjust the length (it directly changes
      skb->len), so we end up with a mismatch between skb->head + skb->tail
      and skb->data + skb->len. This is quite serious, and causes corruptions
      in the TCP stack, as the stack tries to coalesce packets, and relies
      on skb->tail being correct (that is, skb_tail_pointer must point to
      the first byte _after_ the data).
      
      Instead of re-adjusting the size in ath10k_sdio_mbox_rx_process_packet,
      this moves the code to ath10k_sdio_mbox_rx_packet, and also add a
      bounds check, as skb_put would crash the kernel if not enough space is
      available.
      
      Tested with QCA6174 SDIO with firmware
      WLAN.RMH.4.4.1-00007-QCARMSWP-1.
      
      Fixes: 8530b4e7 ("ath10k: sdio: set skb len for all rx packets")
      Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
      Signed-off-by: Wen Gong <wgong@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
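
The length bookkeeping described in the ath10k commit above, as an added example that is not part of the commit or of the ath10k driver: a user-space model in which `model_skb`, `rx_before` and `rx_after` are hypothetical names and the real per-packet length is assumed to be known to the caller. It shows how writing `len` directly leaves `tail` behind, and how a bounds check in front of the put keeps the two in step.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal model of the sk_buff fields the commit message talks about. */
struct model_skb {
	unsigned char buf[64]; /* head .. end */
	size_t data;           /* offset of the first data byte from head */
	size_t tail;           /* offset of the first byte after the data */
	size_t len;            /* number of data bytes */
};

static void model_skb_init(struct model_skb *skb)
{
	memset(skb, 0, sizeof(*skb));
}

static size_t model_tailroom(const struct model_skb *skb)
{
	return sizeof(skb->buf) - skb->tail;
}

/* Invariant the stack relies on when coalescing: data + len == tail. */
static int model_skb_consistent(const struct model_skb *skb)
{
	return skb->data + skb->len == skb->tail;
}

/* Grows the data area like skb_put(); returns -1 where the kernel would panic. */
static int model_skb_put(struct model_skb *skb, size_t n)
{
	if (n > model_tailroom(skb))
		return -1;
	skb->tail += n;
	skb->len += n;
	return 0;
}

/* Old flow: put the first packet's act_len, then patch len by hand later. */
static int rx_before(struct model_skb *skb, size_t act_len, size_t real_len)
{
	model_skb_init(skb);
	if (model_skb_put(skb, act_len) < 0)
		return -1;
	skb->len = real_len; /* direct write: tail still reflects act_len */
	return 0;
}

/* New flow: check the real length against the allocation, then put once. */
static int rx_after(struct model_skb *skb, size_t real_len, size_t alloc_len)
{
	model_skb_init(skb);
	if (real_len > alloc_len || real_len > model_tailroom(skb))
		return -1; /* reject instead of overrunning the buffer */
	return model_skb_put(skb, real_len);
}

int main(void)
{
	struct model_skb skb;

	/* Constructed case: bundle header says 16 bytes, this packet has 40. */
	rx_before(&skb, 16, 40);
	printf("before: len=%zu tail=%zu consistent=%d\n",
	       skb.len, skb.tail, model_skb_consistent(&skb));

	rx_after(&skb, 40, 64);
	printf("after:  len=%zu tail=%zu consistent=%d\n",
	       skb.len, skb.tail, model_skb_consistent(&skb));

	printf("oversized packet rejected: %d\n", rx_after(&skb, 80, 64) == -1);
	return 0;
}
```
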
    • ath10k: free beacon buf later in vdev teardown · b3281c6c
      Ben Greear authored
      My wave-1 firmware often crashes when I am bringing down
      AP vdevs, and sometimes at least some machines lockup hard
      after spewing IOMMU errors.
      
      I don't see the same issue in STA mode, so I suspect beacons
      are the issue.
      
      Moving the beacon buf deletion to later in the vdev teardown
      logic appears to help this problem.  Firmware still crashes
      often, but several iterations did not show IOMMU errors and
      machine didn't hang.
      
      Tested hardware: QCA9880
      Tested firmware: ath10k-ct from beginning of 2019, exact version unknown
      Signed-off-by: Ben Greear <greearb@candelatech.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  2. 10 Sep, 2019 5 commits
  3. 04 Sep, 2019 13 commits
    • ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe() · 39d170b3
      Hui Peng authored
      The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects
      are initialized to point to the containing `ath6kl_usb` object
      according to endpoint descriptors read from the device side, as shown
      below in `ath6kl_usb_setup_pipe_resources`:
      
      for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
      	endpoint = &iface_desc->endpoint[i].desc;
      
      	// get the address from endpoint descriptor
      	pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
      						endpoint->bEndpointAddress,
      						&urbcount);
      	......
      	// select the pipe object
      	pipe = &ar_usb->pipes[pipe_num];
      
      	// initialize the ar_usb field
      	pipe->ar_usb = ar_usb;
      }
      
      The driver assumes that the addresses reported in endpoint
      descriptors from the device side are complete. If a device is
      malicious and does not report complete addresses, it may trigger
      a NULL-ptr-deref in `ath6kl_usb_alloc_urb_from_pipe` and
      `ath6kl_usb_free_urb_to_pipe`.
      
      This patch fixes the bug by preventing potential NULL-ptr-deref
      (CVE-2019-15098).
      Signed-off-by: Hui Peng <benquike@gmail.com>
      Reported-by: Hui Peng <benquike@gmail.com>
      Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • wcn36xx: use dynamic allocation for large variables · 355cf319
      Arnd Bergmann authored
      clang triggers a warning about oversized stack frames that gcc does not
      notice because of slightly different inlining decisions:
      
      ath/wcn36xx/smd.c:1409:5: error: stack frame size of 1040 bytes in function 'wcn36xx_smd_config_bss' [-Werror,-Wframe-larger-than=]
      ath/wcn36xx/smd.c:640:5: error: stack frame size of 1032 bytes in function 'wcn36xx_smd_start_hw_scan' [-Werror,-Wframe-larger-than=]
      
      Basically the wcn36xx_hal_start_scan_offload_req_msg,
      wcn36xx_hal_config_bss_req_msg_v1, and wcn36xx_hal_config_bss_req_msg
      structures are too large to be put on the kernel stack, but small
      enough that gcc does not warn about them.
      
      Use kzalloc() to allocate them all. There are similar structures in other
      parts of this driver, but they are all smaller, with the next largest
      stack frame at 480 bytes for wcn36xx_smd_send_beacon.
      
      Fixes: 8e84c258 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath6kl: Fix a possible null-pointer dereference in ath6kl_htc_mbox_create() · 0e7bf23e
      Jia-Ju Bai authored
      In ath6kl_htc_mbox_create(), when kzalloc() on line 2855 fails,
      target->dev is assigned to NULL, and ath6kl_htc_mbox_cleanup(target) is
      called on line 2885.
      
      In ath6kl_htc_mbox_cleanup(), target->dev is used on line 2895:
          ath6kl_hif_cleanup_scatter(target->dev->ar);
      
      Thus, a null-pointer dereference may occur.
      
      To fix this bug, kfree(target) is called and NULL is returned when
      kzalloc() on line 2855 fails.
      
      This bug is found by a static analysis tool STCheck written by us.
      Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath9k: dynack: set ackto to max timeout in ath_dynack_reset · 72bb1aa9
      Lorenzo Bianconi authored
      Initialize acktimeout to the maximum configurable value in
      ath_dynack_reset in order to not disconnect long distance static links
      enabling dynack and even to take care of possible errors configuring
      a static timeout. Moreover initialize station timeout value to the current
      acktimeout value
      Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
      Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath9k: dynack: set max timeout according to channel width · 86e39299
      Lorenzo Bianconi authored
      Compute maximum configurable ackimeout/ctstimeout according to channel
      width (clockrate)
      Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
      Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath9k: dynack: properly set last timeout timestamp in ath_dynack_reset · 6999e40d
      Lorenzo Bianconi authored
      Add compute timeout to last computation timestamp in
      ath_dynack_reset in order to not run ath_dynack_compute_ackto
      immediately
      Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
      Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath9k: dyanck: introduce ath_dynack_set_timeout routine · 5df65dd5
      Lorenzo Bianconi authored
      Introduce ath_dynack_set_timeout routine to configure slottime/ack/cts
      timeouts and remove duplicated code
      Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
      Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init · e1aa1a1d
      Lorenzo Bianconi authored
      Fix following lockdep warning disabling bh in
      ath_dynack_node_init/ath_dynack_node_deinit
      
      [   75.955878] --------------------------------
      [   75.955880] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
      [   75.955884] swapper/0/0 [HC0[0]:SC1[3]:HE1:SE0] takes:
      [   75.955888] 00000000792a7ee0 (&(&da->qlock)->rlock){+.?.}, at: ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw]
      [   75.955905] {SOFTIRQ-ON-W} state was registered at:
      [   75.955912]   lock_acquire+0x9a/0x160
      [   75.955917]   _raw_spin_lock+0x2c/0x70
      [   75.955927]   ath_dynack_node_init+0x2a/0x60 [ath9k_hw]
      [   75.955934]   ath9k_sta_state+0xec/0x160 [ath9k]
      [   75.955976]   drv_sta_state+0xb2/0x740 [mac80211]
      [   75.956008]   sta_info_insert_finish+0x21a/0x420 [mac80211]
      [   75.956039]   sta_info_insert_rcu+0x12b/0x2c0 [mac80211]
      [   75.956069]   sta_info_insert+0x7/0x70 [mac80211]
      [   75.956093]   ieee80211_prep_connection+0x42e/0x730 [mac80211]
      [   75.956120]   ieee80211_mgd_auth.cold+0xb9/0x15c [mac80211]
      [   75.956152]   cfg80211_mlme_auth+0x143/0x350 [cfg80211]
      [   75.956169]   nl80211_authenticate+0x25e/0x2b0 [cfg80211]
      [   75.956172]   genl_family_rcv_msg+0x198/0x400
      [   75.956174]   genl_rcv_msg+0x42/0x90
      [   75.956176]   netlink_rcv_skb+0x35/0xf0
      [   75.956178]   genl_rcv+0x1f/0x30
      [   75.956180]   netlink_unicast+0x154/0x200
      [   75.956182]   netlink_sendmsg+0x1bf/0x3d0
      [   75.956186]   ___sys_sendmsg+0x2c2/0x2f0
      [   75.956187]   __sys_sendmsg+0x44/0x80
      [   75.956190]   do_syscall_64+0x55/0x1a0
      [   75.956192]   entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [   75.956194] irq event stamp: 2357092
      [   75.956196] hardirqs last  enabled at (2357092): [<ffffffff818c62de>] _raw_spin_unlock_irqrestore+0x3e/0x50
      [   75.956199] hardirqs last disabled at (2357091): [<ffffffff818c60b1>] _raw_spin_lock_irqsave+0x11/0x80
      [   75.956202] softirqs last  enabled at (2357072): [<ffffffff8106dc09>] irq_enter+0x59/0x60
      [   75.956204] softirqs last disabled at (2357073): [<ffffffff8106dcbe>] irq_exit+0xae/0xc0
      [   75.956206]
                     other info that might help us debug this:
      [   75.956207]  Possible unsafe locking scenario:
      
      [   75.956208]        CPU0
      [   75.956209]        ----
      [   75.956210]   lock(&(&da->qlock)->rlock);
      [   75.956213]   <Interrupt>
      [   75.956214]     lock(&(&da->qlock)->rlock);
      [   75.956216]
                      *** DEADLOCK ***
      
      [   75.956217] 1 lock held by swapper/0/0:
      [   75.956219]  #0: 000000003bb5675c (&(&sc->sc_pcu_lock)->rlock){+.-.}, at: ath9k_tasklet+0x55/0x240 [ath9k]
      [   75.956225]
                     stack backtrace:
      [   75.956228] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.0-rc1-wdn+ #13
      [   75.956229] Hardware name: Dell Inc. Studio XPS 1340/0K183D, BIOS A11 09/08/2009
      [   75.956231] Call Trace:
      [   75.956233]  <IRQ>
      [   75.956236]  dump_stack+0x67/0x90
      [   75.956239]  mark_lock+0x4c1/0x640
      [   75.956242]  ? check_usage_backwards+0x130/0x130
      [   75.956245]  ? sched_clock_local+0x12/0x80
      [   75.956247]  __lock_acquire+0x484/0x7a0
      [   75.956250]  ? __lock_acquire+0x3b9/0x7a0
      [   75.956252]  lock_acquire+0x9a/0x160
      [   75.956259]  ? ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw]
      [   75.956262]  _raw_spin_lock_bh+0x34/0x80
      [   75.956268]  ? ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw]
      [   75.956275]  ath_dynack_sample_ack_ts+0x4d/0xa0 [ath9k_hw]
      [   75.956280]  ath_rx_tasklet+0xd09/0xe90 [ath9k]
      [   75.956286]  ath9k_tasklet+0x102/0x240 [ath9k]
      [   75.956288]  tasklet_action_common.isra.0+0x6d/0x170
      [   75.956291]  __do_softirq+0xcc/0x425
      [   75.956294]  irq_exit+0xae/0xc0
      [   75.956296]  do_IRQ+0x8a/0x110
      [   75.956298]  common_interrupt+0xf/0xf
      [   75.956300]  </IRQ>
      [   75.956303] RIP: 0010:cpuidle_enter_state+0xb2/0x400
      [   75.956308] RSP: 0018:ffffffff82203e70 EFLAGS: 00000202 ORIG_RAX: ffffffffffffffd7
      [   75.956310] RAX: ffffffff82219800 RBX: ffffffff822bd0a0 RCX: 0000000000000000
      [   75.956312] RDX: 0000000000000046 RSI: 0000000000000006 RDI: ffffffff82219800
      [   75.956314] RBP: ffff888155a01c00 R08: 00000011af51aabe R09: 0000000000000000
      [   75.956315] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002
      [   75.956317] R13: 00000011af51aabe R14: 0000000000000003 R15: ffffffff82219800
      [   75.956321]  cpuidle_enter+0x24/0x40
      [   75.956323]  do_idle+0x1ac/0x220
      [   75.956326]  cpu_startup_entry+0x14/0x20
      [   75.956329]  start_kernel+0x482/0x489
      [   75.956332]  secondary_startup_64+0xa4/0xb0
      
      Fixes: c774d57f ("ath9k: add dynamic ACK timeout estimation")
      Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
      Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • ath9k: add loader for AR92XX (and older) pci(e) · 5a4f2040
      Christian Lamparter authored
      Atheros cards with a AR92XX generation (and older) chip usually
      store their pci(e) initialization vectors on an external eeprom chip.
      However these chips technically don't need the eeprom chip attached,
      the AR9280 Datasheet in section "6.1.2 DEVICE_ID" describes that
      "... if the EEPROM content is not valid, a value of 0xFF1C returns
      when read from the register". So, they will show up on the system's
      pci bus. However in that state, ath9k can't load, since it relies
      on having the correct pci-id, otherwise it doesn't know what chip it
      actually is. This happens on many embedded devices like routers
      and accesspoint since they want to keep the BOM low and store the
      pci(e) initialization vectors together with the calibration data
      on the system's FLASH, which is out of reach of the ath9k chip.
      
      Furthermore, Some devices (like the Cisco Meraki Z1 Cloud Managed
      Teleworker Gateway) need to be able to initialize the PCIe wifi device.
      Normally, this should be done as a pci quirk during the early stages of
      booting linux. However, this isn't possible for devices which have the
      init code for the Atheros chip stored on NAND in an UBI volume.
      Hence, this module can be used to initialize the chip when the
      user-space is ready to extract the init code.
      
      Martin Blumenstingl provided the following fixes:
      owl-loader: add support for OWL emulation PCI devices
      owl-loader: don't re-scan the bus when ath9k_pci_fixup failed
      owl-loader: use dev_* instead of pr_* logging functions
      owl-loader: auto-generate the eeprom filename as fallback
      owl-loader: add a debug message when swapping the eeprom data
      owl-loader: add missing newlines in log messages
      Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
      Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
      Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • carl9170: remove set but not used variable 'udev' · 68092f9c
      YueHaibing authored
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      drivers/net/wireless/ath/carl9170/usb.c: In function carl9170_usb_disconnect:
      drivers/net/wireless/ath/carl9170/usb.c:1110:21:
       warning: variable udev set but not used [-Wunused-but-set-variable]
      
      It is not used since commit feb09b29 ("carl9170:
      fix misuse of device driver API")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Acked-by: Christian Lamparter <chunkeey@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • wil6210: Delete an unnecessary kfree() call in wil_tid_ampdu_rx_alloc() · d20b1e6c
      Markus Elfring authored
      A null pointer would be passed to a call of the function “kfree”
      directly after a call of the function “kcalloc” failed at one place.
      Remove this superfluous function call.
      
      This issue was detected by using the Coccinelle software.
      Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
      Reviewed-by: Maya Erez <merez@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • wil6210: Add EDMG channel support · 9abe3e30
      Alexei Avshalom Lazar authored
      Add support for Enhanced Directional Multi-Gigabit (EDMG) channels 9-11.
      wil6210 reports its EDMG capabilities (that are also based on FW
      capability) to cfg80211 by filling
      wiphy->bands[NL80211_BAND_60GHZ]->edmg_cap.
      wil6210 handles edmg.channels and edmg.bw_config requested in connect
      and start_ap operations.
      Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    • wil6210: fix wil_cid_valid with negative cid values · 23bb9f69
      Colin Ian King authored
      There are several occasions where a negative cid value is passed
      into wil_cid_valid and this is converted into a u8 causing the
      range check of cid >= 0 to always succeed.  Fix this by making
      the cid argument an int to handle any -ve error value of cid.
      
      An example of this behaviour is in wil_cfg80211_dump_station,
      where cid is assigned -ENOENT if the call to wil_find_cid_by_idx
      fails, and this -ve value is passed to wil_cid_valid.  I believe
      that the conversion of -ENOENT to the u8 value 254 which is
      greater than wil->max_assoc_sta causes wil_find_cid_by_idx to
      currently work fine, but I think is by luck and not the
      intended behaviour.
      Signed-off-by: Colin Ian King <colin.king@canonical.com>
      Reviewed-by: Maya Erez <merez@codeaurora.org>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
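
The conversion described in the wil_cid_valid commit above, as an added example that is not the driver's code: a user-space model with hypothetical names (`model_priv`, `MODEL_MAX_CID`, `legacy_check`, `fixed_check`) and constructed input values. It goes slightly beyond the commit's -ENOENT case by including a negative value that wraps into the valid range, which is why relying on the truncation is fragile.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_ENOENT  2   /* value of ENOENT on Linux */
#define MODEL_MAX_CID 20  /* assumed size of the station table in this model */

/* Hypothetical stand-in for the driver state that holds max_assoc_sta. */
struct model_priv {
	int max_assoc_sta;
};

/* Before the fix: cid is a u8, so the caller's int is converted on entry. */
static bool cid_valid_u8(const struct model_priv *p, uint8_t cid)
{
	/* cid >= 0 can never be false for an unsigned type. */
	return cid >= 0 && cid < p->max_assoc_sta && cid < MODEL_MAX_CID;
}

/* After the fix: cid stays an int, so negative error codes are rejected. */
static bool cid_valid_int(const struct model_priv *p, int cid)
{
	return cid >= 0 && cid < p->max_assoc_sta && cid < MODEL_MAX_CID;
}

/* The value the u8 version actually tests for a given int argument. */
static unsigned int seen_as_u8(int cid)
{
	return (uint8_t)cid;
}

static bool legacy_check(int max_assoc_sta, int cid)
{
	struct model_priv p = { .max_assoc_sta = max_assoc_sta };

	return cid_valid_u8(&p, cid); /* implicit int -> u8 conversion */
}

static bool fixed_check(int max_assoc_sta, int cid)
{
	struct model_priv p = { .max_assoc_sta = max_assoc_sta };

	return cid_valid_int(&p, cid);
}

int main(void)
{
	/* Constructed inputs: a valid cid, -ENOENT, and a value that wraps to 0. */
	const int samples[] = { 3, -MODEL_ENOENT, -256 };
	const int max_assoc_sta = 8; /* assumed limit for this model */

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int cid = samples[i];

		printf("cid=%5d  as u8=%3u  u8 check=%d  int check=%d\n",
		       cid, seen_as_u8(cid),
		       legacy_check(max_assoc_sta, cid),
		       fixed_check(max_assoc_sta, cid));
	}
	return 0;
}
```
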
  4. 02 Sep, 2019 10 commits
    • Merge branch 'mvpp2-per-cpu-buffers' · 67538eb5
      David S. Miller authored
      Matteo Croce says:
      
      ====================
      mvpp2: per-cpu buffers
      
      This patchset works around a PP2 HW limitation which prevents the use of
      per-cpu rx buffers.
      The first patch is just a refactor to prepare for the second one.
      The second one allocates percpu buffers if the following conditions are met:
      - CPU number is less than or equal to 4
      - no port is using jumbo frames
      
      If the following conditions are not met at load time, or jumbo frame is enabled
      later on, the shared allocation is reverted.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mvpp2: percpu buffers · 7d04b0b1
      Matteo Croce authored
      Every mvpp2 unit can use up to 8 buffers mapped by the BM (the HW buffer
      manager). The HW will place the frames in the buffer pool depending on the
      frame size: short (< 128 bytes), long (< 1664) or jumbo (up to 9856).
      
      As any unit can have up to 4 ports, the driver allocates only 2 pools,
      one for small and one for long frames, and shares them between ports.
      When the first port MTU is set higher than 1664 bytes, a third pool is
      allocated for jumbo frames.
      
      This shared allocation makes it impossible to use percpu allocators,
      and creates contention between HW queues.
      
      If possible, i.e. if the number of possible CPU are less than 8 and jumbo
      frames are not used, switch to a new scheme: allocate 8 per-cpu pools for
      short and long frames and bind every pool to an RXQ.
      
      When the first port MTU is set higher than 1664 bytes, the allocation
      scheme is reverted to the old behaviour (3 shared pools), and when all
      ports MTU are lowered, the per-cpu buffers are allocated again.
      Signed-off-by: Matteo Croce <mcroce@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mvpp2: refactor BM pool functions · 13616361
      Matteo Croce authored
      Refactor mvpp2_bm_pool_create(), mvpp2_bm_pool_destroy() and
      mvpp2_bm_pools_init() so that they accept a struct device instead
      of a struct platform_device, as they just need platform_device->dev.
      
      Removing such dependency makes the BM code more reusable in context
      where we don't have a pointer to the platform_device.
      Signed-off-by: Matteo Croce <mcroce@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: dsa: Fix off-by-one number of calls to devlink_port_unregister · 4ba0ebbc
      Vladimir Oltean authored
      When a function such as dsa_slave_create fails, currently the following
      stack trace can be seen:
      
      [    2.038342] sja1105 spi0.1: Probed switch chip: SJA1105T
      [    2.054556] sja1105 spi0.1: Reset switch and programmed static config
      [    2.063837] sja1105 spi0.1: Enabled switch tagging
      [    2.068706] fsl-gianfar soc:ethernet@2d90000 eth2: error -19 setting up slave phy
      [    2.076371] ------------[ cut here ]------------
      [    2.080973] WARNING: CPU: 1 PID: 21 at net/core/devlink.c:6184 devlink_free+0x1b4/0x1c0
      [    2.088954] Modules linked in:
      [    2.092005] CPU: 1 PID: 21 Comm: kworker/1:1 Not tainted 5.3.0-rc6-01360-g41b52e38d2b6-dirty #1746
      [    2.100912] Hardware name: Freescale LS1021A
      [    2.105162] Workqueue: events deferred_probe_work_func
      [    2.110287] [<c03133a4>] (unwind_backtrace) from [<c030d8cc>] (show_stack+0x10/0x14)
      [    2.117992] [<c030d8cc>] (show_stack) from [<c10b08d8>] (dump_stack+0xb4/0xc8)
      [    2.125180] [<c10b08d8>] (dump_stack) from [<c0349d04>] (__warn+0xe0/0xf8)
      [    2.132018] [<c0349d04>] (__warn) from [<c0349e34>] (warn_slowpath_null+0x40/0x48)
      [    2.139549] [<c0349e34>] (warn_slowpath_null) from [<c0f19d74>] (devlink_free+0x1b4/0x1c0)
      [    2.147772] [<c0f19d74>] (devlink_free) from [<c1064fc0>] (dsa_switch_teardown+0x60/0x6c)
      [    2.155907] [<c1064fc0>] (dsa_switch_teardown) from [<c1065950>] (dsa_register_switch+0x8e4/0xaa8)
      [    2.164821] [<c1065950>] (dsa_register_switch) from [<c0ba7fe4>] (sja1105_probe+0x21c/0x2ec)
      [    2.173216] [<c0ba7fe4>] (sja1105_probe) from [<c0b35948>] (spi_drv_probe+0x80/0xa4)
      [    2.180920] [<c0b35948>] (spi_drv_probe) from [<c0a4c1cc>] (really_probe+0x108/0x400)
      [    2.188711] [<c0a4c1cc>] (really_probe) from [<c0a4c694>] (driver_probe_device+0x78/0x1bc)
      [    2.196933] [<c0a4c694>] (driver_probe_device) from [<c0a4a3dc>] (bus_for_each_drv+0x58/0xb8)
      [    2.205414] [<c0a4a3dc>] (bus_for_each_drv) from [<c0a4c024>] (__device_attach+0xd0/0x168)
      [    2.213637] [<c0a4c024>] (__device_attach) from [<c0a4b1d0>] (bus_probe_device+0x84/0x8c)
      [    2.221772] [<c0a4b1d0>] (bus_probe_device) from [<c0a4b72c>] (deferred_probe_work_func+0x84/0xc4)
      [    2.230686] [<c0a4b72c>] (deferred_probe_work_func) from [<c03650a4>] (process_one_work+0x218/0x510)
      [    2.239772] [<c03650a4>] (process_one_work) from [<c03660d8>] (worker_thread+0x2a8/0x5c0)
      [    2.247908] [<c03660d8>] (worker_thread) from [<c036b348>] (kthread+0x148/0x150)
      [    2.255265] [<c036b348>] (kthread) from [<c03010e8>] (ret_from_fork+0x14/0x2c)
      [    2.262444] Exception stack(0xea965fb0 to 0xea965ff8)
      [    2.267466] 5fa0:                                     00000000 00000000 00000000 00000000
      [    2.275598] 5fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      [    2.283729] 5fe0: 00000000 00000000 00000000 00000000 00000013 00000000
      [    2.290333] ---[ end trace ca5d506728a0581a ]---
      
      devlink_free is complaining right here:
      
      	WARN_ON(!list_empty(&devlink->port_list));
      
      This happens because devlink_port_unregister is no longer done right
      away in dsa_port_setup when a DSA_PORT_TYPE_USER has failed.
      Vivien said about this change that:
      
          Also no need to call devlink_port_unregister from within dsa_port_setup
          as this step is unconditionally handled by dsa_port_teardown on error.
      
      which is not really true. The devlink_port_unregister function _is_
      being called unconditionally from within dsa_port_setup, but not for
      this port that just failed, just for the previous ones which were set
      up.
      
      ports_teardown:
      	for (i = 0; i < port; i++)
      		dsa_port_teardown(&ds->ports[i]);
      
      Initially I was tempted to fix this by extending the "for" loop to also
      cover the port that failed during setup. But this could have potentially
      unforeseen consequences unrelated to devlink_port or even other types of
      ports than user ports, which I can't really test for. For example, if
      for some reason devlink_port_register itself would fail, then
      unconditionally unregistering it in dsa_port_teardown would not be a
      smart idea. The list might go on.
      
      So just make dsa_port_setup undo the setup it had done upon failure, and
      let the for loop undo the work of setting up the previous ports, which
      are guaranteed to be brought up to a consistent state.
      
      Fixes: 955222ca ("net: dsa: use a single switch statement for port setup")
      Signed-off-by: Vladimir Oltean <olteanv@gmail.com>
      Reviewed-by: Vivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • mlx5: Add missing init_net check in FIB notifier · a21cf11b
      Jiri Pirko authored
      Take only FIB events that are happening in init_net into account. No other
      namespaces are supported.
      Signed-off-by: Jiri Pirko <jiri@mellanox.com>
      Acked-by: Roi Dayan <roid@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 765b7590
      David S. Miller authored
      r8152 conflicts are the NAPI fixes in 'net' overlapping with
      some tasklet stuff in net-next
      Signed-off-by: David S. Miller <davem@davemloft.net>
      765b7590
    • Linux 5.3-rc7 · 089cf7f6
      Linus Torvalds authored
      089cf7f6
    • Merge tag 'char-misc-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 49ffdb4c
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are some small char and misc driver fixes for reported issues for
        5.3-rc7
      
        Also included in here is the documentation for how we are handling
        hardware issues under embargo that everyone has finally agreed on, as
        well as a MAINTAINERS update for the suckers who agreed to handle the
        LICENSES/ files.
      
        All of these have been in linux-next last week with no reported
        issues"
      
      * tag 'char-misc-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        fsi: scom: Don't abort operations for minor errors
        vmw_balloon: Fix offline page marking with compaction
        VMCI: Release resource if the work is already queued
        Documentation/process: Embargoed hardware security issues
        lkdtm/bugs: fix build error in lkdtm_EXHAUST_STACK
        mei: me: add Tiger Lake point LP device ID
        intel_th: pci: Add Tiger Lake support
        intel_th: pci: Add support for another Lewisburg PCH
        stm class: Fix a double free of stm_source_device
        MAINTAINERS: add entry for LICENSES and SPDX stuff
        fpga: altera-ps-spi: Fix getting of optional confd gpio
      49ffdb4c
    • Merge tag 'usb-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · 2c248f92
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are some small USB fixes that have been in linux-next this past
        week for 5.3-rc7
      
        They fix the usual xhci, syzbot reports, and other small issues that
        have come up last week.
      
        All have been in linux-next with no reported issues"
      
      * tag 'usb-5.3-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        USB: cdc-wdm: fix race between write and disconnect due to flag abuse
        usb: host: xhci: rcar: Fix typo in compatible string matching
        usb: host: xhci-tegra: Set DMA mask correctly
        USB: storage: ums-realtek: Whitelist auto-delink support
        USB: storage: ums-realtek: Update module parameter description for auto_delink_en
        usb: host: ohci: fix a race condition between shutdown and irq
        usb: hcd: use managed device resources
        typec: tcpm: fix a typo in the comparison of pdo_max_voltage
        usb-storage: Add new JMS567 revision to unusual_devs
        usb: chipidea: udc: don't do hardware access if gadget has stopped
        usbtmc: more sanity checking for packet size
        usb: udc: lpc32xx: silence fall-through warning
      2c248f92
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 345464fb
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix some length checks during OGM processing in batman-adv, from
          Sven Eckelmann.
      
       2) Fix regression that caused netfilter conntrack sysctls to not be
          per-netns any more. From Florian Westphal.
      
       3) Use after free in netpoll, from Feng Sun.
      
       4) Guard destruction of pfifo_fast per-cpu qdisc stats with
          qdisc_is_percpu_stats(), from Davide Caratti. Similar bug is fixed
          in pfifo_fast_enqueue().
      
       5) Fix memory leak in mld_del_delrec(), from Eric Dumazet.
      
       6) Handle neigh events on internal ports correctly in nfp, from John
          Hurley.
      
       7) Clear SKB timestamp in NF flow table code so that it does not
          confuse fq scheduler. From Florian Westphal.
      
       8) taprio destroy can crash if it is invoked in a failure path of
          taprio_init(), because the list head isn't setup properly yet and
          the list del is unconditional. Perform the list add earlier to
          address this. From Vladimir Oltean.
      
       9) Make sure to reapply vlan filters on device up, in aquantia driver.
          From Dmitry Bogdanov.
      
      10) sgiseeq driver releases DMA memory using free_page() instead of
          dma_free_attrs(). From Christophe JAILLET.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (58 commits)
        net: seeq: Fix the function used to release some memory in an error handling path
        enetc: Add missing call to 'pci_free_irq_vectors()' in probe and remove functions
        net: bcmgenet: use ethtool_op_get_ts_info()
        tc-testing: don't hardcode 'ip' in nsPlugin.py
        net: dsa: microchip: add KSZ8563 compatibility string
        dt-bindings: net: dsa: document additional Microchip KSZ8563 switch
        net: aquantia: fix out of memory condition on rx side
        net: aquantia: linkstate irq should be oneshot
        net: aquantia: reapply vlan filters on up
        net: aquantia: fix limit of vlan filters
        net: aquantia: fix removal of vlan 0
        net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate
        taprio: Set default link speed to 10 Mbps in taprio_set_picos_per_byte
        taprio: Fix kernel panic in taprio_destroy
        net: dsa: microchip: fill regmap_config name
        rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]
        net: stmmac: dwmac-rk: Don't fail if phy regulator is absent
        amd-xgbe: Fix error path in xgbe_mod_init()
        netfilter: nft_meta_bridge: Fix get NFT_META_BRI_IIFVPROTO in network byteorder
        mac80211: Correctly set noencrypt for PAE frames
        ...
      345464fb
  5. 01 Sep, 2019 5 commits