The decoded_size is wrongly assigned in ath11k_qmi_msg_handlers and it results
in out of boundary access in qmi_decode. The correct decoded_size should be
calculated from the related ind_msg structure.
This issue is exposed with QCA6390 because it needs 11 small memory chunks
which are stored in qmi_wlanfw_request_mem_ind_msg_v01 and hence the
decoded_size exceeds the wrongly assigend decoded_size.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2
Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597389030-13887-9-git-send-email-kvalo@codeaurora.org
On x86 it's sometimes difficult to allocate a large contigous DMA
memory, so instead allocate blocks of small chunk memory.
In ath11k_qmi_msg_mem_request_cb() the error handling was cleaned up to avoid
an unused variable warning. Also changed the test from (ret < 0) to just (ret)
as the functions don't return any positive values.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2
Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597389030-13887-8-git-send-email-kvalo@codeaurora.org
CE srng is used for control path and CE srng processing is done using tasklet
bottom half. Setup ce tasklet initialization and scheduling for control path.
Needed for PCI support.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2
Signed-off-by: Govind Singh <govinds@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597389030-13887-7-git-send-email-kvalo@codeaurora.org
QMI service instance id is used for qmi service lookup, IPQ8074 and QCA6390
uses different instance id for service lookup. Fill appropriate QMI service
instance id for respective targets.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2
Signed-off-by: Govind Singh <govinds@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597389030-13887-4-git-send-email-kvalo@codeaurora.org
PCI devices like QCA6390 load the board file differently, add support for that
and the method is chosen using bus_params variables.
Add support to create board name for different targets. This board name is
used to parse the board data from board-2.bin for ahb/pci based targets.
As struct target_mem_chunk::vaddr was changed from 'u32' to 'u32 *' in
ath11k_qmi_assign_target_mem_chunk() vaddr assignments were changed to NULL to
avoid a compilation warning. IPQ8074 does not use the vaddr field for anything
so that change does not affect functionality.
At the moment this only supports board files with BIN type. Support for ELF
type, which seems to be more popular on QCA6390 devices, needs to be added later.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2
Signed-off-by: Govind Singh <govinds@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597389030-13887-3-git-send-email-kvalo@codeaurora.org
Modem Host Interface (MHI) is a communication protocol to communicate with
external Qualcomm modems and Wi-Fi chipsets over high speed peripheral buses.
Even though MHI doesn’t dictate underlying physical layer, protocol and MHI
stack is structured for PCI based devices.
Register directly with MHI subsystem as a MHI device driver for firmware
download to QCA6390.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2
Signed-off-by: Govind Singh <govinds@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597309466-19688-9-git-send-email-kvalo@codeaurora.org
This is needed to initialise hw_params before MHI registration starts. MHI
needs location of firmware directory and that's delivered via hw_params.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597309466-19688-8-git-send-email-kvalo@codeaurora.org
With only IPQ8074 supported ath11k was only usable on Qualcomm architectures.
But now that we are adding QCA6390 PCI support to ath11k that's not the case
anymore and it can be used on any architecture supporting PCI. So remove the
dependency on ARCH_QCOM. After that there is also no need to depend on
COMPILE_TEST.
Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-2
Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597309466-19688-2-git-send-email-kvalo@codeaurora.org
The mcs index of HT mode is 0 to 31, please refer http://mcsindex.com/.
Its spatial stream(Nss) number is from 1 to 4, mcs index is 0~7 for
Nss=1, 8~15 for Nss=2, 16~23 for Nss=3 and 24~31 is for Nss=4.
The mcs is reported from firmware in wmi_tlv_peer_stats_info of
event WMI_TLV_PEER_STATS_INFO_EVENTID, its range is from 0~15 for
QCA6174 SDIO and PCIe. It is for both Nss=1 and Nss=2, and it has 2
rate table supported_ht_mcs_rate_nss1 and supported_ht_mcs_rate_nss2
in ath10k, they are for Nss=1 and Nss=2, each table has 8 rates.
It need to find the matched row number with the mcs index, for example,
mcs index is 2, it is <=7, so it is Nss=1, and match row 2 in table of
Nss=1. If mcs index is 12, it is >= 8 and <= 15, so it is Nss=2, it
match row 4(12-8) in table of Nss=2. If mcs index is >=16, it is for
Nss=3/4, it need to add rate table, so it is not support in current
ath10k.
This patch is to find the row number in rate table of Nss=1 or Nss=2
with the mcs index reported from firmware.
This patch only effect the chips which supports_peer_stats_info of its
hw_params is true, it is true only for QCA6174 currently.
Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597392294-13124-1-git-send-email-wgong@codeaurora.org
When using QCA6174 PCI devices working in station mode, after connected
to AP, tx bitrate is always '1.0 MBit/s' in output of command 'iw wlan0
station dump'. (QCA6174 SDIO devices are working fine.)
After this patch, it show correct bitrate:
Station c4:04:15:5d:97:22 (on wls1)
inactive time: 312 ms
rx bytes: 31496
rx packets: 173
tx bytes: 8625
tx packets: 46
tx retries: 0
tx failed: 0
signal: -76 [-88, -80] dBm
signal avg: -75 [-82, -77] dBm
tx bitrate: 39.0 MBit/s MCS 4
rx bitrate: 26.0 MBit/s MCS 3
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597312029-32348-4-git-send-email-wgong@codeaurora.org
ath10k_sta_statistics is used to report many info to iw wlan0 link,
if it return for empty legacy and nss of arsta->txrate, then the other
stats after it will not be set.
It has 4 bit to set after the return:
NL80211_STA_INFO_TX_FAILED
NL80211_STA_INFO_RX_BITRATE
NL80211_STA_INFO_TX_BITRATE
NL80211_STA_INFO_TX_RETRIES
This patch not effect the info of above 4 bit for all hardware, reason
as below:
NL80211_STA_INFO_TX_FAILED is only for htt.disable_tx_comp is true, it
is for QCA6174 SDIO.
NL80211_STA_INFO_RX_BITRATE and NL80211_STA_INFO_TX_BITRATE are both
set in ath10k_mac_sta_get_peer_stats_info, it is only enabled for chips
which supports_peer_stats_info is true in hw_params, recently only for
QCA6174 SDIO, NL80211_STA_INFO_TX_BITRATE is set again in function
ath10k_mac_sta_get_peer_stats_info because the value which parsed from
arsta->tx_rate_code and arsta->tx_bitrate_kbps is correct for QCA6174
SDIO and PCIe, and the value arsta->txrate is not correct for QCA6174
SDIO and PCIe, so it need to set again with the correct value.
NL80211_STA_INFO_TX_RETRIES is use value of arsta->tx_retries, it is set
in ath10k_update_per_peer_tx_stats, which accumulate the retry_pkts in
HTT message from firmware, if the chips not support this feature, then
it is always 0 after accumulate, then iw wlan0 station dump always show
0 for retry count. If not set NL80211_STA_INFO_TX_RETRIES here, then it
is still 0, so the result is same, then set NL80211_STA_INFO_TX_RETRIES
has no effect.
Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597312029-32348-3-git-send-email-wgong@codeaurora.org
ath10k_sta_statistics is used to report info for iw wlan0 link,
it check ath10k_peer_stats_enabled, and ath10k_peer_stats_enabled
check WMI_SERVICE_PEER_STATS bit of ar->wmi.svc_map. SVCMAP() for
WMI_SERVICE_PEER_STATS was defined only for wmi_10x_svc_map and
wmi_10_4_svc_map interfaces, it missed in wmi_tlv_svc_map, so it is
not usable for iw wlan0 link for wmi tlv interface.
If firmware report WMI_TLV_SERVICE_PEER_STATS_INFO for wmi tlv, then
enable the WMI_SERVICE_PEER_STATS bit in ath10k, and then it pass check
in ath10k_peer_stats_enabled and ath10k_sta_statistics pass check.
Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00048
Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1597312029-32348-2-git-send-email-wgong@codeaurora.org
When simulate random transfer fail for sdio write and read, it happened
"payload length exceeds max htc length" and recovery later sometimes.
Test steps:
1. Add config and update kernel:
CONFIG_FAIL_MMC_REQUEST=y
CONFIG_FAULT_INJECTION=y
CONFIG_FAULT_INJECTION_DEBUG_FS=y
2. Run simulate fail:
cd /sys/kernel/debug/mmc1/fail_mmc_request
echo 10 > probability
echo 10 > times # repeat until hitting issues
3. It happened payload length exceeds max htc length.
[ 199.935506] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088
....
[ 264.990191] ath10k_sdio mmc1:0001:1: payload length 57005 exceeds max htc length: 4088
4. after some time, such as 60 seconds, it start recovery which triggered
by wmi command timeout for periodic scan.
[ 269.229232] ieee80211 phy0: Hardware restart was requested
[ 269.734693] ath10k_sdio mmc1:0001:1: device successfully recovered
The simulate fail of sdio is not a real sdio transter fail, it only
set an error status in mmc_should_fail_request after the transfer end,
actually the transfer is success, then sdio_io_rw_ext_helper will
return error status and stop transfer the left data. For example,
the really RX len is 286 bytes, then it will split to 2 blocks in
sdio_io_rw_ext_helper, one is 256 bytes, left is 30 bytes, if the
first 256 bytes get an error status by mmc_should_fail_request,then
the left 30 bytes will not read in this RX operation. Then when the
next RX arrive, the left 30 bytes will be considered as the header
of the read, the top 4 bytes of the 30 bytes will be considered as
lookaheads, but actually the 4 bytes is not the lookaheads, so the len
from this lookaheads is not correct, it exceeds max htc length 4088
sometimes. When happened exceeds, the buffer chain is not matched between
firmware and ath10k, then it need to start recovery ASAP. Recently then
recovery will be started by wmi command timeout, but it will be long time
later, for example, it is 60+ seconds later from the periodic scan, if
it does not have periodic scan, it will be longer.
Start recovery when it happened "payload length exceeds max htc length"
will be reasonable.
This patch only effect sdio chips.
Tested with QCA6174 SDIO with firmware WLAN.RMH.4.4.1-00029.
Signed-off-by: Wen Gong <wgong@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200108031957.22308-3-wgong@codeaurora.org
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.
Deterministic algorithm:
For each file:
If not .svg:
For each line:
If doesn't contain `\bxmlns\b`:
For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
If both the HTTP and HTTPS versions
return 200 OK and serve the same content:
Replace HTTP with HTTPS.
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200719104041.57916-1-grandmaster@al2klimov.de
list_for_each_entry{_safe} is able to handle an empty list.
The only effect of avoiding the loop is not initializing the
index variable.
Drop list_empty tests in cases where these variables are not
used.
Note that list_for_each_entry{_safe} is defined in terms of
list_first_entry, which indicates that it should not be used on an
empty list. But in list_for_each_entry{_safe}, the element obtained
by list_first_entry is not really accessed, only the address of its
list_head field is compared to the address of the list head, so the
list_first_entry is safe.
The semantic patch that makes this change for the list_for_each_entry
case is as follows: (http://coccinelle.lip6.fr/)
<smpl>
@@
expression x,e;
statement S;
identifier i;
@@
-if (!(list_empty(x)))
list_for_each_entry(i,x,...) S
... when != i
? i = e
</smpl>
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1595761112-11003-8-git-send-email-Julia.Lawall@inria.fr
The controller is capable of reporting TX indication which can be used
to report TX ack when IEEE80211_TX_CTL_REQ_TX_STATUS is set.
The support was only partially implemented.
The firmware can be configured for reporting event when a packet is
acked, without specifying which packet though. In order to send a
packet flagged with TX status callback, we need to stop the queue,
submit the packet and wait for the firmware ack event. Then the queue
can be restarted and mac80211 status callback called.
In case the packet is not acked, no ack event will be received,
therefore a timeout mechanism is introduced to restart the queue
and call the status cb in case no event is received after a 100ms.
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1595586052-16081-3-git-send-email-loic.poulain@linaro.org
Several AMPDU sessions can be started, e.g. for different TIDs.
Currently the driver does not take care of the session ID when
requesting block-ack (statically set to 0), which leads to never
block-acked packet with sessions other than 0.
Fix this by saving the session id when creating the ba session and
use it in subsequent ba operations.
This issue can be reproduced with iperf in two steps (tid 0 strem
then tid 6 stream).
1.0 iperf -s # wcn36xx side
1.1 iperf -c ${IP_ADDR} # host side
Then
2.0 iperf -s -u -S 0xC0 # wcn36xx side
2.1 iperf -c ${IP_ADDR} -u -S 0xC0 -l 2000 # host side
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1595586052-16081-2-git-send-email-loic.poulain@linaro.org
Rationale:
Reduces attack surface on kernel devs opening the links for MITM
as HTTPS traffic is much harder to manipulate.
Deterministic algorithm:
For each file:
If not .svg:
For each line:
If doesn't contain `\bxmlns\b`:
For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
If both the HTTP and HTTPS versions
return 200 OK and serve the same content:
Replace HTTP with HTTPS.
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200719105052.57997-1-grandmaster@al2klimov.de
Pull networking updates from David Miller:
1) Support 6Ghz band in ath11k driver, from Rajkumar Manoharan.
2) Support UDP segmentation in code TSO code, from Eric Dumazet.
3) Allow flashing different flash images in cxgb4 driver, from Vishal
Kulkarni.
4) Add drop frames counter and flow status to tc flower offloading,
from Po Liu.
5) Support n-tuple filters in cxgb4, from Vishal Kulkarni.
6) Various new indirect call avoidance, from Eric Dumazet and Brian
Vazquez.
7) Fix BPF verifier failures on 32-bit pointer arithmetic, from
Yonghong Song.
8) Support querying and setting hardware address of a port function via
devlink, use this in mlx5, from Parav Pandit.
9) Support hw ipsec offload on bonding slaves, from Jarod Wilson.
10) Switch qca8k driver over to phylink, from Jonathan McDowell.
11) In bpftool, show list of processes holding BPF FD references to
maps, programs, links, and btf objects. From Andrii Nakryiko.
12) Several conversions over to generic power management, from Vaibhav
Gupta.
13) Add support for SO_KEEPALIVE et al. to bpf_setsockopt(), from Dmitry
Yakunin.
14) Various https url conversions, from Alexander A. Klimov.
15) Timestamping and PHC support for mscc PHY driver, from Antoine
Tenart.
16) Support bpf iterating over tcp and udp sockets, from Yonghong Song.
17) Support 5GBASE-T i40e NICs, from Aleksandr Loktionov.
18) Add kTLS RX HW offload support to mlx5e, from Tariq Toukan.
19) Fix the ->ndo_start_xmit() return type to be netdev_tx_t in several
drivers. From Luc Van Oostenryck.
20) XDP support for xen-netfront, from Denis Kirjanov.
21) Support receive buffer autotuning in MPTCP, from Florian Westphal.
22) Support EF100 chip in sfc driver, from Edward Cree.
23) Add XDP support to mvpp2 driver, from Matteo Croce.
24) Support MPTCP in sock_diag, from Paolo Abeni.
25) Commonize UDP tunnel offloading code by creating udp_tunnel_nic
infrastructure, from Jakub Kicinski.
26) Several pci_ --> dma_ API conversions, from Christophe JAILLET.
27) Add FLOW_ACTION_POLICE support to mlxsw, from Ido Schimmel.
28) Add SK_LOOKUP bpf program type, from Jakub Sitnicki.
29) Refactor a lot of networking socket option handling code in order to
avoid set_fs() calls, from Christoph Hellwig.
30) Add rfc4884 support to icmp code, from Willem de Bruijn.
31) Support TBF offload in dpaa2-eth driver, from Ioana Ciornei.
32) Support XDP_REDIRECT in qede driver, from Alexander Lobakin.
33) Support PCI relaxed ordering in mlx5 driver, from Aya Levin.
34) Support TCP syncookies in MPTCP, from Flowian Westphal.
35) Fix several tricky cases of PMTU handling wrt. briding, from Stefano
Brivio.
* git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2056 commits)
net: thunderx: initialize VF's mailbox mutex before first usage
usb: hso: remove bogus check for EINPROGRESS
usb: hso: no complaint about kmalloc failure
hso: fix bailout in error case of probe
ip_tunnel_core: Fix build for archs without _HAVE_ARCH_IPV6_CSUM
selftests/net: relax cpu affinity requirement in msg_zerocopy test
mptcp: be careful on subflow creation
selftests: rtnetlink: make kci_test_encap() return sub-test result
selftests: rtnetlink: correct the final return value for the test
net: dsa: sja1105: use detected device id instead of DT one on mismatch
tipc: set ub->ifindex for local ipv6 address
ipv6: add ipv6_dev_find()
net: openvswitch: silence suspicious RCU usage warning
Revert "vxlan: fix tos value before xmit"
ptp: only allow phase values lower than 1 period
farsync: switch from 'pci_' to 'dma_' API
wan: wanxl: switch from 'pci_' to 'dma_' API
hv_netvsc: do not use VF device if link is down
dpaa2-eth: Fix passing zero to 'PTR_ERR' warning
net: macb: Properly handle phylink on at91sam9x
...
The UDP reuseport conflict was a little bit tricky.
The net-next code, via bpf-next, extracted the reuseport handling
into a helper so that the BPF sk lookup code could invoke it.
At the same time, the logic for reuseport handling of unconnected
sockets changed via commit efc6b6f6c3
which changed the logic to carry on the reuseport result into the
rest of the lookup loop if we do not return immediately.
This requires moving the reuseport_has_conns() logic into the callers.
While we are here, get rid of inline directives as they do not belong
in foo.c files.
The other changes were cases of more straightforward overlapping
modifications.
Signed-off-by: David S. Miller <davem@davemloft.net>
Kalle Valo says:
====================
wireless-drivers fixes for v5.8
Second set of fixes for v5.8, and hopefully also the last. Three
important regressions fixed.
ath9k
* fix a regression which broke support for all ath9k usb devices
ath10k
* fix a regression which broke support for all QCA4019 AHB devices
iwlwifi
* fix a regression which broke support for some Killer Wireless-AC 1550 cards
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Kalle Valo says:
====================
wireless-drivers-next patches for v5.9
First set of patches for v5.9. This comes later than usual as I was
offline for two weeks. The biggest change here is moving Microchip
wilc1000 driver from staging. There was an immutable topic branch with
one commit moving the whole driver and the topic branch was pulled
both to staging-next and wireless-drivers-next. At the moment the only
reported conflict is in MAINTAINERS file, so I'm hoping the move
should go smoothly.
Other notable changes are ath11k getting 6 GHz band support and rtw88
supporting RTL8821CE. And there's also the usual fixes, API changes
and cleanups all over.
Major changes:
wilc1000
* move from drivers/staging to drivers/net/wireless/microchip
ath11k
* add 6G band support
* add spectral scan support
iwlwifi
* make FW reconfiguration quieter by not using warn level
rtw88
* add support for RTL8821CE
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
The idx in __ath10k_htt_rx_ring_fill_n function lives in
consistent dma region writable by the device. Malfunctional
or malicious device could manipulate such idx to have a OOB
write. Either by
htt->rx_ring.netbufs_ring[idx] = skb;
or by
ath10k_htt_set_paddrs_ring(htt, paddr, idx);
The idx can also be negative as it's signed, giving a large
memory space to write to.
It's possibly exploitable by corruptting a legit pointer with
a skb pointer. And then fill skb with payload as rougue object.
Part of the log here. Sometimes it appears as UAF when writing
to a freed memory by chance.
[ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0
[ 15.595483] #PF: supervisor write access in kernel mode
[ 15.596250] #PF: error_code(0x0002) - not-present page
[ 15.597013] PGD 0 P4D 0
[ 15.597395] Oops: 0002 [#1] SMP KASAN PTI
[ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69
[ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core]
[ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n
(linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core
Signed-off-by: Zekun Shen <bruceshenzk@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com
On failure pcie_capability_read_dword() sets it's last parameter, val
to 0. However, with Patch 14/14, it is possible that val is set to ~0 on
failure. This would introduce a bug because (x & x) == (~0 & x).
This bug can be avoided without changing the function's behaviour if the
return value of pcie_capability_read_dword is checked to confirm success.
Check the return value of pcie_capability_read_dword() to ensure success.
Suggested-by: Bjorn Helgaas <bjorn@helgaas.com>
Signed-off-by: Bolarinwa Olayemi Saheed <refactormyself@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200713175529.29715-2-refactormyself@gmail.com
The napi_gro_receive function no longer returns GRO_DROP ever, making
handling GRO_DROP dead code. This commit removes that dead code.
Further, it's not even clear that device drivers have any business in
taking action after passing off received packets; that's arguably out of
their hands. In this case, too, the non-gro path didn't bother checking
the return value. Plus, this had some clunky debugging functions that
duplicated code from elsewhere and was generally pretty messy. So, this
commit cleans that all up too.
Fixes: 6570bc79c0 ("net: core: use listified Rx for GRO_NORMAL in napi_gro_receive()")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
