- 28 7月, 2017 1 次提交
-
-
由 Brian Norris 提交于
In rogue cases (due to other bugs) it's possible we try to process an old command response *after* resetting the device. This could trigger a double-free (or the SKB can get reallocated elsewhere...causing other memory corruptions) in mwifiex_pcie_process_cmd_complete(). For safety (and symmetry) let's always NULL out the command buffer as we free it up. We're already doing this for the command response buffer. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 03 7月, 2017 1 次提交
-
-
由 Christoph Hellwig 提交于
The pci_error_handlers->reset_notify() method had a flag to indicate whether to prepare for or clean up after a reset. The prepare and done cases have no shared functionality whatsoever, so split them into separate methods. [bhelgaas: changelog, update locking comments] Link: http://lkml.kernel.org/r/20170601111039.8913-3-hch@lst.deSigned-off-by: NChristoph Hellwig <hch@lst.de> Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
-
- 31 5月, 2017 1 次提交
-
-
由 Xinming Hu 提交于
Usb tx aggregation feature will utilize 4-bytes bus interface header, otherwise it will be set to zero in default case. Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NCathy Luo <cluo@marvell.com> Signed-off-by: NGanapathi Bhat <gbhat@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 19 5月, 2017 3 次提交
-
-
由 Brian Norris 提交于
These are already handled by mwifiex_shutdown_sw() and mwifiex_reinit_sw(). Ideally, we'll kill the flag entirely eventually, as I suspect it breeds race conditions. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
This code was duplicated as part of the PCIe FLR code added to this driver. Let's de-duplicate it to: * make things easier to read (mwifiex_pcie_free_buffers() now has a corresponding mwifiex_pcie_alloc_buffers()) * reduce likelihood of bugs * make error logging equally verbose * save lines of code! Also drop some of the commentary that isn't really needed. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 18 5月, 2017 2 次提交
-
-
由 Brian Norris 提交于
Similar to the SDIO driver, we should implement this so that we will automatically reset the device whenever there's a command timeout or similar. Signed-off-by: NBrian Norris <briannorris@chromium.org> Reviewed-by: NDmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
The non-atomic test + set is a little awkward here, and it technically means we might double-schedule work unnecessarily. AFAICT, this is not really a problem, since the extra "work" will be a no-op (the flag(s) will be cleared by then), but it's still an anti-pattern. Rewrite this to use the atomic test_and_set_bit() helper instead. Signed-off-by: NBrian Norris <briannorris@chromium.org> Reviewed-by: NDmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 20 4月, 2017 4 次提交
-
-
由 Brian Norris 提交于
When we shut down the device (i.e., during 'reset'), we cancel any outstanding work, but we don't clear any work-related flags. This can cause problems if, e.g., we begin to queue a new firmware dump or card reset while the other one is in progress. That might leave work_flags with a stale value, and we might begin one of these *after* we've completely reset the device. That doesn't make sense, because all firmware context will have been lost by then. This fixes some forms of cascading failures, where I: (a) force a firmware dump (cat /sys/kernel/debug/mwifiex/mlan0/device_dump) (b) run a Wifi scan in parallel (iw mlan0 scan) (c) the scan times out due to (a) hogging the interface (d) the command timeout triggers another firmware dump and a reset [*] (e) the 2nd firmware dump flag persists across the reset (f) as soon as the interface comes back up, we trigger the pending firmware dump (g) subsequent commands time out again, while we are processing the firmware dump; return to (d) [*] Note that automatic card_reset() support is not yet implemented for the mwifiex PCIe driver, so we won't hit *exactly* this behavior yet. But we can see similarly-confusing behaviors today. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
Command buffers (skb's) are allocated by the main driver, and freed upon the last use. That last use is often in mwifiex_free_cmd_buffer(). In the meantime, if the command buffer gets used by the PCI driver, we map it as DMA-able, and store the mapping information in the 'cb' memory. However, if a command was in-flight when resetting the device (and therefore was still mapped), we don't get a chance to unmap this memory until after the core has cleaned up its command handling. Let's keep a refcount within the PCI driver, so we ensure the memory only gets freed after we've finished unmapping it. Noticed by KASAN when forcing a reset via: echo 1 > /sys/bus/pci/.../reset The same code path can presumably be exercised in remove() and shutdown(). [ 205.390377] mwifiex_pcie 0000:01:00.0: info: shutdown mwifiex... [ 205.400393] ================================================================== [ 205.407719] BUG: KASAN: use-after-free in mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie] at addr ffffffc0ad471b28 [ 205.419040] Read of size 16 by task bash/1913 [ 205.423421] ============================================================================= [ 205.431625] BUG skbuff_head_cache (Tainted: G B ): kasan: bad access detected [ 205.439815] ----------------------------------------------------------------------------- [ 205.439815] [ 205.449534] INFO: Allocated in __build_skb+0x48/0x114 age=1311 cpu=4 pid=1913 [ 205.456709] alloc_debug_processing+0x124/0x178 [ 205.461282] ___slab_alloc.constprop.58+0x528/0x608 [ 205.466196] __slab_alloc.isra.54.constprop.57+0x44/0x54 [ 205.471542] kmem_cache_alloc+0xcc/0x278 [ 205.475497] __build_skb+0x48/0x114 [ 205.479019] __netdev_alloc_skb+0xe0/0x170 [ 205.483244] mwifiex_alloc_cmd_buffer+0x68/0xdc [mwifiex] [ 205.488759] mwifiex_init_fw+0x40/0x6cc [mwifiex] [ 205.493584] _mwifiex_fw_dpc+0x158/0x520 [mwifiex] [ 205.498491] mwifiex_reinit_sw+0x2c4/0x398 [mwifiex] [ 205.503510] mwifiex_pcie_reset_notify+0x114/0x15c [mwifiex_pcie] [ 205.509643] pci_reset_notify+0x5c/0x6c [ 205.513519] pci_reset_function+0x6c/0x7c [ 205.517567] reset_store+0x68/0x98 [ 205.521003] dev_attr_store+0x54/0x60 [ 205.524705] sysfs_kf_write+0x9c/0xb0 [ 205.528413] INFO: Freed in __kfree_skb+0xb0/0xbc age=131 cpu=4 pid=1913 [ 205.535064] free_debug_processing+0x264/0x370 [ 205.539550] __slab_free+0x84/0x40c [ 205.543075] kmem_cache_free+0x1c8/0x2a0 [ 205.547030] __kfree_skb+0xb0/0xbc [ 205.550465] consume_skb+0x164/0x178 [ 205.554079] __dev_kfree_skb_any+0x58/0x64 [ 205.558304] mwifiex_free_cmd_buffer+0xa0/0x158 [mwifiex] [ 205.563817] mwifiex_shutdown_drv+0x578/0x5c4 [mwifiex] [ 205.569164] mwifiex_shutdown_sw+0x178/0x310 [mwifiex] [ 205.574353] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie] [ 205.580398] pci_reset_notify+0x5c/0x6c [ 205.584274] pci_dev_save_and_disable+0x24/0x6c [ 205.588837] pci_reset_function+0x30/0x7c [ 205.592885] reset_store+0x68/0x98 [ 205.596324] dev_attr_store+0x54/0x60 [ 205.600017] sysfs_kf_write+0x9c/0xb0 ... [ 205.800488] Call trace: [ 205.802980] [<ffffffc00020a69c>] dump_backtrace+0x0/0x190 [ 205.808415] [<ffffffc00020a96c>] show_stack+0x20/0x28 [ 205.813506] [<ffffffc0005d020c>] dump_stack+0xa4/0xcc [ 205.818598] [<ffffffc0003be44c>] print_trailer+0x158/0x168 [ 205.824120] [<ffffffc0003be5f0>] object_err+0x4c/0x5c [ 205.829210] [<ffffffc0003c45bc>] kasan_report+0x334/0x500 [ 205.834641] [<ffffffc0003c3994>] check_memory_region+0x20/0x14c [ 205.840593] [<ffffffc0003c3b14>] __asan_loadN+0x14/0x1c [ 205.845879] [<ffffffbffc46171c>] mwifiex_unmap_pci_memory.isra.14+0x4c/0x100 [mwifiex_pcie] [ 205.854282] [<ffffffbffc461864>] mwifiex_pcie_delete_cmdrsp_buf+0x94/0xa8 [mwifiex_pcie] [ 205.862421] [<ffffffbffc462028>] mwifiex_pcie_free_buffers+0x11c/0x158 [mwifiex_pcie] [ 205.870302] [<ffffffbffc4620d4>] mwifiex_pcie_down_dev+0x70/0x80 [mwifiex_pcie] [ 205.877736] [<ffffffbffc1397a8>] mwifiex_shutdown_sw+0x190/0x310 [mwifiex] [ 205.884658] [<ffffffbffc4606b4>] mwifiex_pcie_reset_notify+0xd4/0x15c [mwifiex_pcie] [ 205.892446] [<ffffffc000635f54>] pci_reset_notify+0x5c/0x6c [ 205.898048] [<ffffffc00063a044>] pci_dev_save_and_disable+0x24/0x6c [ 205.904350] [<ffffffc00063cf0c>] pci_reset_function+0x30/0x7c [ 205.910134] [<ffffffc000641118>] reset_store+0x68/0x98 [ 205.915312] [<ffffffc000771588>] dev_attr_store+0x54/0x60 [ 205.920750] [<ffffffc00046f53c>] sysfs_kf_write+0x9c/0xb0 [ 205.926182] [<ffffffc00046dfb0>] kernfs_fop_write+0x184/0x1f8 [ 205.931963] [<ffffffc0003d64f4>] __vfs_write+0x6c/0x17c [ 205.937221] [<ffffffc0003d7164>] vfs_write+0xf0/0x1c4 [ 205.942310] [<ffffffc0003d7da0>] SyS_write+0x78/0xd8 [ 205.947312] [<ffffffc000204634>] el0_svc_naked+0x24/0x28 ... [ 205.998268] ================================================================== This bug has been around in different forms for a while. It was sort of noticed in commit 955ab095 ("mwifiex: Do not kfree cmd buf while unregistering PCIe"), but it just fixed the double-free, without acknowledging the potential for use-after-free. Fixes: fc331460 ("mwifiex: use pci_alloc/free_consistent APIs for PCIe") Cc: <stable@vger.kernel.org> Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Xinming Hu 提交于
A separate wifi-only firmware was download during pcie function level reset. It is in fact the tail part of wifi/bt combo firmware. Per Brian's and Dmitry's suggestion, this patch extract the wifi part from combo firmware. After that, the mrvl/pcie8997_wlan_v4.bin image in linux-firmware repo is redundant (though I guess we keep it around to support older kernels). Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NGanapathi Bhat <gbhat@marvell.com> Signed-off-by: NCathy Luo <cluo@marvell.com> Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Xinming Hu 提交于
This patch correct pcie scratch register name, to keep the same with chipset side definition. Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 05 4月, 2017 1 次提交
-
-
由 Brian Norris 提交于
When resetting the device, we take a synchronous firmware-loading code path, which borrows a lot from the asynchronous path used at probe time. We don't catch errors correctly though, which means that in the PCIe driver, we may try to dereference the 'adapter' struct after mwifiex_fw_dpc() has freed it. See this (erronous) print in mwifiex_pcie_reset_notify(): mwifiex_dbg(adapter, INFO, "%s, successful\n", __func__); Let's instead refactor the synchronous (or "!req_fw_nowait") path so that we propagate errors and handle them properly. This fixes a use-after-free issue in the PCIe driver, as well as a misleading debug message ("successful"). It looks like the SDIO driver doesn't have these problems, since it doesn't do anything after mwifiex_reinit_sw(). Fixes: 4c5dae59 ("mwifiex: add PCIe function level reset support") Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 21 3月, 2017 3 次提交
-
-
由 Brian Norris 提交于
We observed a SHUTDOWN command timeout during reboot stress test due to a corner case firmware bug. It can lead to either a use-after-free + OOPS (on either the adapter structure, or the 'card' structure) or an abort (where, e.g., the PCI device is "disabled" before we're done dumping the FW). We can avoid this by canceling/flushing the FW dump work: (a) after we've terminated all other work queues (e.g., for processing commands which could time out) (b) after we've disabled all interrupts (which could also queue more work for us) (c) after we've unregistered the netdev and wiphy structures (and implicitly, and debugfs entries which could manually trigger FW dumps) (d) before we've actually disabled the device (e.g., pci_device_disable()) Altogether, this means no card->work will be scheduled if we sync at a point that satisfies the above. This can be done at the beginning of the .cleanup_if() callback. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Devidas Puranik 提交于
Using the accessor function e.g. get_unaligned_le32 instead of le32_to_cpu to avoid the unaligned access. This is for the architectures that don't handle the unaligned memory access Signed-off-by: NDevidas Puranik <devidas@marvell.com> Signed-off-by: NGanapathi Bhat <gbhat@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
We shouldn't be printing a kernel pointer as a decimal integer. But we really shouldn't be printing this case at all; we should never get here with NULL drvdata. We've eliminated this unnecessary conditional in several other places, so kill it here too. Similarly, there's no need to check for '!pdev'; we are guaranteed to have a real device here. And finally, use dev_err() instead of pr_err(). This yields (for failed PCIe resets): [ 68.286586] mwifiex_pcie 0000:01:00.0: mwifiex_pcie_reset_notify: adapter structure is not valid instead of: [ 82.932658] mwifiex_pcie: mwifiex_pcie_reset_notify: Card or adapter structure is not valid (-270880688088) Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 16 3月, 2017 1 次提交
-
-
由 Brian Norris 提交于
When PCIe FLR support was added, much of the remove/release code for PCIe was migrated to ->down_dev(), but ->down_dev() is never called for device removal. Let's refactor the cleanup to be done in both cases. Also, drop the comments above mwifiex_cleanup_pcie(), because they were clearly wrong, and it's better to have clear and obvious code than to detail the code steps in comments anyway. Fixes: 4c5dae59 ("mwifiex: add PCIe function level reset support") Cc: <stable@vger.kernel.org> Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 28 1月, 2017 2 次提交
-
-
由 Amitkumar Karwar 提交于
On some platforms, driver is unable read sleep cookie signature even if firmware has written it through DMA. The problem is fixed by using pci_dma_sync_single* APIs while reading DMA buffer shared with firmware. Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Amitkumar Karwar 提交于
Sleep confirm is a special command for which "adapter->cur_cmd" pointer is not set. When it's response is received, host writes SLEEP confirm done to a register. Firmware will perform DMA for writing sleep cookie signature on same buffer after this. Let's not immediately call mwifiex_unmap_pci_memory() for this special command. Unmapping will be done when firmware completes writing sleep cookie signature. Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 20 1月, 2017 3 次提交
-
-
由 Brian Norris 提交于
In mwifiex_delay_for_sleep_cookie(), we're looping and waiting for the PCIe endpoint to write a magic value back to memory, to signal that it has finished going to sleep. We're not letting the compiler know that this might change underneath our feet though. Let's do that, for good hygiene. I'm not aware of this fixing any concrete problems. I also give no guarantee that this loop is actually correct in any other way, but at least this looks like an improvement to me. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
The following sequence occurs when using IEEE power-save on 8997: (a) driver sees SLEEP event (b) driver issues SLEEP CONFIRM (c) driver recevies CMD interrupt; within the interrupt processing loop, we do (d) and (e): (d) wait for FW sleep cookie (and often time out; it takes a while), FW is putting card into low power mode (e) re-check PCIE_HOST_INT_STATUS register; quit loop with 0 value But at (e), no one actually signaled an interrupt (i.e., we didn't check adapter->int_status). And what's more, because the card is going to sleep, this register read appears to take a very long time in some cases -- 3 milliseconds in my case! Now, I propose that (e) is completely unnecessary. If there were any additional interrupts signaled after the start of this loop, then the interrupt handler would have set adapter->int_status to non-zero and queued more work for the main loop -- and we'd catch it on the next iteration of the main loop. So this patch drops all the looping/re-reading of PCIE_HOST_INT_STATUS, which avoids the problematic (and slow) register read in step (e). Incidentally, this is a very similar issue to the one fixed in commit ec815dd2 ("mwifiex: prevent register accesses after host is sleeping"), except that the register read is just very slow instead of fatal in this case. Tested on 8997 in both MSI and (though not technically supported at the moment) MSI-X mode. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
Depending on system factors (e.g., the PCIe link PM state), the first read to wake up the Wifi firmware can take a long time. There is no reason to use a (blocking, non-posted) read at this point, so let's just use a write instead. Write vs. read doesn't matter functionality-wise -- it's just a dummy operation. But let's make sure to re-write with the correct "ready" signature, since we check for that in other parts of the driver. This has been shown to decrease the time spent blocking in this function on RK3399. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 17 1月, 2017 1 次提交
-
-
由 Arnd Bergmann 提交于
Checking the firmware status from PCIe register only works if the register is available, otherwise we end up with random behavior: drivers/net/wireless/marvell/mwifiex/pcie.c: In function 'mwifiex_pcie_remove': drivers/net/wireless/marvell/mwifiex/pcie.c:585:5: error: 'fw_status' may be used uninitialized in this function [-Werror=maybe-uninitialized] This makes sure we treat the absence of the register as a failure. Fixes: 045f0c1b ("mwifiex: get rid of global user_rmmod flag") Signed-off-by: NArnd Bergmann <arnd@arndb.de> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 12 1月, 2017 8 次提交
-
-
由 Xinming Hu 提交于
adapter and card variables don't get freed during PCIe function level reset. "adapter->ext_scan" variable need not be re-initialized. fw_name and tx_buf_size initialization is moved to pcie specific code so that mwifiex_reinit_sw() can be used by SDIO. Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Xinming Hu 提交于
This patch gets rid of mwifiex_do_flr. We will call mwifiex_shutdown_sw() and mwifiex_reinit_sw() directly. These two general purpose functions will be useful for sdio card reset handler. Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Amitkumar Karwar 提交于
After user_rmmod global flag removal, *_init_module() and *_cleanup_module() have become just a wrapper functions. We will get rid of them with the help of module_*_driver() macros. For pcie, existing ".init_if" handler has same name as what module_pcie_driver() macro will create. Let's rename it to avoid conflict. Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Xinming Hu 提交于
bus.remove() callback function is called when user removes this module from kernel space or ejects the card from the slot. The driver handles these 2 cases differently. Few commands (FUNC_SHUTDOWN etc.) are sent to the firmware only for module unload case. The variable 'user_rmmod' is used to distinguish between these two scenarios. This patch checks hardware status and get rid of global variable user_rmmod. Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Xinming Hu 提交于
Next patch in this series is going to use mwifiex_read_reg() in remove handlers. The changes here are prerequisites to avoid forward declarations. Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Ganapathi Bhat 提交于
Currently pcie_work and related variables are global. It may create problem while supporting multiple devices simultaneously. Let's move it inside card structure so that separate instance will be created/ cancelled in init/teardown threads of each connected devices. Signed-off-by: NGanapathi Bhat <gbhat@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Xinming Hu 提交于
Wait for firmware dump complete in card remove function. For sdio interface, there are two diffenrent cases, card reset trigger sdio_work and firmware dump trigger sdio_work. Do code rearrangement for distinguish between these two cases. Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Reviewed-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Xinming Hu 提交于
We can avoid drv_info_dump and drv_info_size adapter variables. This info can be passed to mwifiex_upload_device_dump() as parameters Signed-off-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 29 11月, 2016 1 次提交
-
-
由 Brian Norris 提交于
Marvell Wifi PCIe modules don't always behave nicely for PCIe power management when their firmware hasn't been loaded, particularly after suspending the PCIe link one or more times. When this happens, we might end up spinning forever in this status-polling tight loop. Let's make this less tight by adding a timeout and by sleeping a bit in between reads, as we do with the other similar loops. This prevents us from hogging a CPU even in such pathological cases, and allows the FW initialization to just fail gracefully instead. I chose the same polling parameters as the earlier loop in this function, and empirically, I found that this loop never makes it more than about 12 cycles in a sane FW init sequence. I had no official information on the actual intended latency for this portion of the download. Signed-off-by: NBrian Norris <briannorris@chromium.org> Acked-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 25 11月, 2016 1 次提交
-
-
由 Brian Norris 提交于
We don't want to leave the wake IRQ enabled. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
- 19 11月, 2016 7 次提交
-
-
由 Brian Norris 提交于
It should never be NULL here, and to think otherwise makes things confusing. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
These are never NULL, so stop making people think they might be. I don't change this for SDIO because SDIO has a racy card-reset handler that reallocates this struct. I'd rather not touch that mess right now. Signed-off-by: NBrian Norris <briannorris@chromium.org> Tested-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Xinming Hu 提交于
card->adapter gets initialized in mwifiex_register_dev(). As it's not cleared in mwifiex_unregister_dev(), we may end up accessing the memory which is already free in below scenario. Scenario: Driver initialization is failed due to incorrect firmware or some other reason. Meanwhile device reboot/unload occurs. This is safe, now that we've properly synchronized suspend() and remove() with the FW initialization thread; now that code can simply check for 'card->adapter == NULL' and exit safely. Signed-off-by: NXinming Hu <huxm@marvell.com> Tested-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
Signed-off-by: NBrian Norris <briannorris@chromium.org> Tested-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
The device core will not allow suspend() to race with remove(). Signed-off-by: NBrian Norris <briannorris@chromium.org> Tested-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Amitkumar Karwar 提交于
to_pci_dev() would just do struct offset arithmetic on struct device to get 'pdev' pointer. We never get NULL pdev pointer. Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com> Tested-by: NXinming Hu <huxm@marvell.com> Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
It's possible for the FW init sequence to fail, which will trigger a device cleanup sequence in mwifiex_fw_dpc(). This sequence can race with device suspend() or remove() (e.g., reboot or unbind), and can trigger use-after-free issues. Currently, this driver attempts (poorly) to synchronize remove() using a semaphore, but it doesn't protect some of the critical sections properly. Particularly, we grab a pointer to the adapter struct (card->adapter) without checking if it's being freed or not. We later do a NULL check on the adapter, but that doesn't work if the adapter was freed. Also note that the PCIe interface driver doesn't ever set card->adapter to NULL, so even if we get the synchronization right, we still might try to redo the cleanup in ->remove(), even if the FW init failure sequence already did it. This patch replaces the static semaphore with a per-device completion struct, and uses that completion to synchronize the remove() thread with the mwifiex_fw_dpc(). A future patch will utilize this completion to synchronize the suspend() thread as well. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-