1. 08 8月, 2017 1 次提交
  2. 28 7月, 2017 8 次提交
    • C
      mwifiex: usb: fix spelling mistake: "aggreataon"-> "aggregation" · c5597172
      Colin Ian King 提交于
      Trivial fix to spelling mistake in aggr_ctrl module parameter
      message text.
      Signed-off-by: NColin Ian King <colin.king@canonical.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      c5597172
    • J
      mwifiex: uninit wakeup info in the error handling · f101d964
      Jeffy Chen 提交于
      We inited wakeup info at the beginning of mwifiex_add_card, so we need
      to uninit it in the error handling.
      
      It's much the same as what we did in:
      36908c4e mwifiex: uninit wakeup info when removing device
      Signed-off-by: NJeffy Chen <jeffy.chen@rock-chips.com>
      Reviewed-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      f101d964
    • B
      mwifiex: drop num CPU notice · 0bc03cfd
      Brian Norris 提交于
      This print isn't very useful. It's also different between
      mwifiex_add_card() and mwifiex_reinit_sw(), and I'd like to consolidate
      them eventually.
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      0bc03cfd
    • B
      mwifiex: fixup init_channel_scan_gap error case · c253a62d
      Brian Norris 提交于
      In reading through _mwifiex_fw_dpc(), I noticed that after we've
      registered our wiphy, we still have error paths that don't free it back
      up. Let's do that.
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      c253a62d
    • B
      mwifiex: unregister wiphy before freeing resources · ce32d1d8
      Brian Norris 提交于
      It's possible for some control interfaces (e.g., scans, set freq) to be
      active after we've stopped our main work queue and the netif TX queues.
      These don't get completely shut out until we've unregistered the wdevs
      and wiphy.
      
      So let's only free command buffers and poison our lists after
      wiphy_unregister().
      
      This resolves various use-after-free issues seen when resetting the
      device.
      
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      ce32d1d8
    • B
      mwifiex: re-register wiphy across reset · 643acea6
      Brian Norris 提交于
      In general, it's helpful to use the same code for device removal as for
      device reset, as this tends to have fewer bugs. Let's move the wiphy
      unregistration code into the common reset and removal code.
      
      In particular, it's very hard to properly handle the reset sequence when
      something fails. Currently, if mwifiex_reinit_sw() fails, we've failed
      to unregister the associated wiphy, and so running something as simple
      as "iw phy" can trigger an OOPS, as the wiphy still has hooks back into
      freed mwifiex data structures. For example, KASAN complained:
      
      [... see reset fail for other reasons ...]
      [ 1184.821158] mwifiex_pcie 0000:01:00.0: info: dnld wifi firmware from 174948 bytes
      [ 1186.870914] mwifiex_pcie 0000:01:00.0: info: FW download over, size 608396 bytes
      [ 1187.685990] mwifiex_pcie 0000:01:00.0: WLAN FW is active
      [ 1187.692673] mwifiex_pcie 0000:01:00.0: cmd_wait_q terminated: -512
      [ 1187.699075] mwifiex_pcie 0000:01:00.0: info: _mwifiex_fw_dpc: unregister device
      [ 1187.713476] mwifiex: Failed to bring up adapter: -5
      [ 1187.718644] mwifiex_pcie 0000:01:00.0: reinit failed: -5
      
      [... run `iw phy` ...]
      [ 1212.902419] ==================================================================
      [ 1212.909806] BUG: KASAN: use-after-free in mwifiex_cfg80211_get_antenna+0x54/0xfc [mwifiex] at addr ffffffc0ad1a8028
      [ 1212.920246] Read of size 1 by task iw/3127
      [...]
      [ 1212.934946] page dumped because: kasan: bad access detected
      [...]
      [ 1212.950665] Call trace:
      [ 1212.953148] [<ffffffc00020a69c>] dump_backtrace+0x0/0x190
      [ 1212.958572] [<ffffffc00020a96c>] show_stack+0x20/0x28
      [ 1212.963648] [<ffffffc0005ce18c>] dump_stack+0xa4/0xcc
      [ 1212.968723] [<ffffffc0003c4430>] kasan_report+0x378/0x500
      [ 1212.974140] [<ffffffc0003c3358>] __asan_load1+0x44/0x4c
      [ 1212.979462] [<ffffffbffc2e8360>] mwifiex_cfg80211_get_antenna+0x54/0xfc [mwifiex]
      [ 1212.987131] [<ffffffbffc084fc4>] nl80211_send_wiphy+0x75c/0x2de0 [cfg80211]
      [ 1212.994246] [<ffffffbffc094f60>] nl80211_dump_wiphy+0x32c/0x438 [cfg80211]
      [ 1213.001149] [<ffffffc000ab6404>] genl_lock_dumpit+0x48/0x64
      [ 1213.006746] [<ffffffc000ab3474>] netlink_dump+0x178/0x398
      [ 1213.012171] [<ffffffc000ab3d18>] __netlink_dump_start+0x1bc/0x260
      [...]
      
      This all goes away if we just tear down the wiphy on the way down, and
      set it back up if/when we bring the device back up.
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      643acea6
    • B
      mwifiex: reset interrupt status across device reset · 4b1f5a0d
      Brian Norris 提交于
      When resetting the device, we might have queued up interrupts that
      didn't get a chance to finish processing. We really don't need to handle
      them at this point; we just want to make sure they don't cause us to try
      to process old commands from before the device was reset.
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      4b1f5a0d
    • B
      mwifiex: reunite copy-and-pasted remove/reset code · b6658b66
      Brian Norris 提交于
      When PCIe FLR code was added, it explicitly copy-and-pasted much of
      mwifiex_remove_card() into mwifiex_shutdown_sw(). This is unnecessary,
      as almost all of the code should be reused.
      
      Let's reunite what we can for now.
      
      The only functional changes for now:
      
       * call netif_device_detach() in the remove() code path -- this wasn't
         done before, but it really should be a no-op, when the device is
         getting totally unregistered soon anyway
      
       * call the ->down_dev() driver callback only after we've finished all
         SW teardown -- this should have no significant effect, since the only
         user (pcie.c) does very minimal work there, and it doesn't matter
         that we reorder this
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      b6658b66
  3. 08 6月, 2017 1 次提交
    • D
      net: Fix inconsistent teardown and release of private netdev state. · cf124db5
      David S. Miller 提交于
      Network devices can allocate reasources and private memory using
      netdev_ops->ndo_init().  However, the release of these resources
      can occur in one of two different places.
      
      Either netdev_ops->ndo_uninit() or netdev->destructor().
      
      The decision of which operation frees the resources depends upon
      whether it is necessary for all netdev refs to be released before it
      is safe to perform the freeing.
      
      netdev_ops->ndo_uninit() presumably can occur right after the
      NETDEV_UNREGISTER notifier completes and the unicast and multicast
      address lists are flushed.
      
      netdev->destructor(), on the other hand, does not run until the
      netdev references all go away.
      
      Further complicating the situation is that netdev->destructor()
      almost universally does also a free_netdev().
      
      This creates a problem for the logic in register_netdevice().
      Because all callers of register_netdevice() manage the freeing
      of the netdev, and invoke free_netdev(dev) if register_netdevice()
      fails.
      
      If netdev_ops->ndo_init() succeeds, but something else fails inside
      of register_netdevice(), it does call ndo_ops->ndo_uninit().  But
      it is not able to invoke netdev->destructor().
      
      This is because netdev->destructor() will do a free_netdev() and
      then the caller of register_netdevice() will do the same.
      
      However, this means that the resources that would normally be released
      by netdev->destructor() will not be.
      
      Over the years drivers have added local hacks to deal with this, by
      invoking their destructor parts by hand when register_netdevice()
      fails.
      
      Many drivers do not try to deal with this, and instead we have leaks.
      
      Let's close this hole by formalizing the distinction between what
      private things need to be freed up by netdev->destructor() and whether
      the driver needs unregister_netdevice() to perform the free_netdev().
      
      netdev->priv_destructor() performs all actions to free up the private
      resources that used to be freed by netdev->destructor(), except for
      free_netdev().
      
      netdev->needs_free_netdev is a boolean that indicates whether
      free_netdev() should be done at the end of unregister_netdevice().
      
      Now, register_netdevice() can sanely release all resources after
      ndo_ops->ndo_init() succeeds, by invoking both ndo_ops->ndo_uninit()
      and netdev->priv_destructor().
      
      And at the end of unregister_netdevice(), we invoke
      netdev->priv_destructor() and optionally call free_netdev().
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      cf124db5
  4. 31 5月, 2017 1 次提交
  5. 28 4月, 2017 1 次提交
  6. 20 4月, 2017 4 次提交
  7. 13 4月, 2017 1 次提交
  8. 05 4月, 2017 2 次提交
    • B
      mwifiex: catch mwifiex_fw_dpc() errors properly in reset · 755b37c9
      Brian Norris 提交于
      When resetting the device, we take a synchronous firmware-loading code
      path, which borrows a lot from the asynchronous path used at probe time.
      We don't catch errors correctly though, which means that in the PCIe
      driver, we may try to dereference the 'adapter' struct after
      mwifiex_fw_dpc() has freed it. See this (erronous) print in
      mwifiex_pcie_reset_notify():
      
      	mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__);
      
      Let's instead refactor the synchronous (or "!req_fw_nowait") path so
      that we propagate errors and handle them properly.
      
      This fixes a use-after-free issue in the PCIe driver, as well as a
      misleading debug message ("successful"). It looks like the SDIO driver
      doesn't have these problems, since it doesn't do anything after
      mwifiex_reinit_sw().
      
      Fixes: 4c5dae59 ("mwifiex: add PCIe function level reset support")
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      755b37c9
    • B
      mwifiex: fix use-after-free for FW reinit errors · ce8fad9a
      Brian Norris 提交于
      If we fail to reinit the FW when resetting the device (in the
      synchronous version of mwifiex_init_hw_fw() -> mwifiex_fw_dpc()),
      mwifiex_fw_dpc() will tear down the interface and free up the adapter.
      But we don't actually check for all failure cases of mwifiex_fw_dpc(),
      so some of them fall through and dereference adapter->fw_done with a
      freed adapter, causing a use-after-free bug.
      
      In any case, mwifiex_fw_dpc() will always signal FW completion -- in the
      error OR success case -- so at best, this was repeat work. Let's not do
      it.
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      ce8fad9a
  9. 21 3月, 2017 1 次提交
  10. 16 3月, 2017 2 次提交
    • B
      mwifiex: uninit wakeup info when removing device · 36908c4e
      Brian Norris 提交于
      We manually init wakeup info, but we don't detach it on device removal.
      This means that if we (for example) rmmod + modprobe the driver, the
      device framework might return -EEXIST the second time, and we'll
      complain in the logs:
      
      [  839.311881] mwifiex_pcie 0000:01:00.0: fail to init wakeup for mwifiex
      
      AFAICT, there's no other negative effect.
      
      But we can fix this by disabling wakeup on remove, similar to what a few
      other drivers do (e.g., the power supply framework).
      
      This code (and bug) has existed on SDIO for a while, but it got moved
      around and enabled for PCIe with commit 853402a0 ("mwifiex: Enable
      WoWLAN for both sdio and pcie").
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      36908c4e
    • B
      mwifiex: set adapter->dev before starting to use mwifiex_dbg() · ba1c7e45
      Brian Norris 提交于
      The mwifiex_dbg() log handler utilizes the struct device in
      adapter->dev. Without it, it decides not to print anything.
      
      As of commit 2e02b581 ("mwifiex: Allow mwifiex early access to device
      structure"), we started assigning that pointer only after we finished
      mwifiex_register() -- this effectively neuters any mwifiex_dbg() logging
      done before this point.
      
      Let's move the device assignment into mwifiex_register().
      
      Fixes: 2e02b581 ("mwifiex: Allow mwifiex early access to device structure")
      Cc: Rajat Jain <rajatja@google.com>
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      ba1c7e45
  11. 15 2月, 2017 1 次提交
    • B
      mwifiex: don't enable/disable IRQ 0 during suspend/resume · 2447e2ca
      Brian Norris 提交于
      If we don't have an out-of-band wakeup IRQ configured through DT (as
      most platforms don't), then we fall out of this function with
      'irq_wakeup == 0'. Other code (e.g., mwifiex_disable_wake() and
      mwifiex_enable_wake()) treats 'irq_wakeup >= 0' as a valid IRQ, and so
      we end up calling {enable,disable}_irq() on IRQ 0.
      
      That seems bad, so let's not do that.
      
      Same problem as fixed in this patch:
      
      https://patchwork.kernel.org/patch/9531693/
      [PATCH v2 2/3] btmrvl: set irq_bt to -1 when failed to parse it
      
      with the difference that:
      (a) this one is actually a regression and
      (b) this affects both device tree and non-device-tree systems
      
      While fixing the regression, also drop the verbosity on the parse
      failure, so we don't see this when a DT node is present but doesn't have
      an interrupt property (this is perfectly legal):
      
      [   21.999000] mwifiex_pcie 0000:01:00.0: fail to parse irq_wakeup from device tree
      
      Fixes: 853402a0 ("mwifiex: Enable WoWLAN for both sdio and pcie")
      Signed-off-by: NBrian Norris <briannorris@chromium.org>
      Acked-by: NRajat Jain <rajatja@google.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      2447e2ca
  12. 12 1月, 2017 4 次提交
  13. 29 11月, 2016 1 次提交
  14. 19 11月, 2016 5 次提交
  15. 17 9月, 2016 1 次提交
  16. 09 9月, 2016 2 次提交
  17. 03 9月, 2016 1 次提交
  18. 06 7月, 2016 1 次提交
    • A
      nl80211: support beacon report scanning · 1d76250b
      Avraham Stern 提交于
      Beacon report radio measurement requires reporting observed BSSs
      on the channels specified in the beacon request. If the measurement
      mode is set to passive or active, it requires actually performing a
      scan (passive or active, accordingly), and reporting the time that
      the scan was started and the time each beacon/probe was received
      (both in terms of TSF of the BSS of the requesting AP). If the
      request mode is table, this information is optional.
      In addition, the radio measurement request specifies the channel
      dwell time for the measurement.
      
      In order to use scan for beacon report when the mode is active or
      passive, add a parameter to scan request that specifies the
      channel dwell time, and add scan start time and beacon received time
      to scan results information.
      
      Supporting beacon report is required for Multi Band Operation (MBO).
      Signed-off-by: NAssaf Krauss <assaf.krauss@intel.com>
      Signed-off-by: NDavid Spinadel <david.spinadel@intel.com>
      Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
      Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      1d76250b
  19. 18 6月, 2016 1 次提交
    • A
      mwifiex: fix link error against sdio · 2095b142
      Arnd Bergmann 提交于
      Calling sdio_claim_host() from the interface independent part of
      the mwifiex driver is not only a layering violation, but also causes
      a link error if MMC support is disabled, or if CONFIG_MMC=m
      and CONFIG_MWIFIEX=y:
      
      drivers/net/built-in.o: In function `mwifiex_fw_dpc':
      :(.text+0xff138): undefined reference to `sdio_claim_host'
      :(.text+0xff158): undefined reference to `sdio_release_host'
      
      The right way to do this is to have the sdio specific code in the
      sdio driver front-end, and we already have a callback pointer that
      we can use for this after exporting the generic fw download
      function from the core driver.
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Fixes: 65c71efe ("mwifiex: fix racing condition when downloading firmware")
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      2095b142
  20. 14 6月, 2016 1 次提交
    • W
      mwifiex: fix racing condition when downloading firmware · 65c71efe
      Wei-Ning Huang 提交于
      The action 'check for winner' and 'download firmware' should be an
      atomic action. This is true for btmrvl driver but not mwmfiex, which
      cause firmware download to fail when the following senerio happens:
      
      1) mwifiex check winner status: true
      2) btmrvl check winner status: true, and start downloading firmware
      3) mwfieix tries to download firmware, but failed because btmrvl is
      already downloading.
      
      This won't happen if 1) and 3) is an atomic action. This patch adds
      sdio_claim/release_host call around those two actions to make sure it's
      atomic.
      Signed-off-by: NWei-Ning Huang <wnhuang@chromium.org>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      65c71efe