- 28 7月, 2017 40 次提交
-
-
由 Brian Norris 提交于
In reading through _mwifiex_fw_dpc(), I noticed that after we've registered our wiphy, we still have error paths that don't free it back up. Let's do that. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
When we leave the delete interface function, there are still netdev hooks that might try to process the device. We're short-circuiting some of that by changing the interface type and clearing ieee80211_ptr. This means we skip NETDEV_UNREGISTER_FINAL in cfg80211. Fortunately, that is currently a no-op. We don't need most of the cleanup here anyway: * the connection state will get (un)set as part of the disconnect process (which cfg80211 already initiates for us) * the interface type doesn't actually need to be cleared at all (it'll trigger a WARN_ON() in cfg80211 if we do) * the iee80211_ptr isn't really "ours" to clear anyway So stop resetting those 3 things. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
It's possible for some control interfaces (e.g., scans, set freq) to be active after we've stopped our main work queue and the netif TX queues. These don't get completely shut out until we've unregistered the wdevs and wiphy. So let's only free command buffers and poison our lists after wiphy_unregister(). This resolves various use-after-free issues seen when resetting the device. Cc: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
In general, it's helpful to use the same code for device removal as for device reset, as this tends to have fewer bugs. Let's move the wiphy unregistration code into the common reset and removal code. In particular, it's very hard to properly handle the reset sequence when something fails. Currently, if mwifiex_reinit_sw() fails, we've failed to unregister the associated wiphy, and so running something as simple as "iw phy" can trigger an OOPS, as the wiphy still has hooks back into freed mwifiex data structures. For example, KASAN complained: [... see reset fail for other reasons ...] [ 1184.821158] mwifiex_pcie 0000:01:00.0: info: dnld wifi firmware from 174948 bytes [ 1186.870914] mwifiex_pcie 0000:01:00.0: info: FW download over, size 608396 bytes [ 1187.685990] mwifiex_pcie 0000:01:00.0: WLAN FW is active [ 1187.692673] mwifiex_pcie 0000:01:00.0: cmd_wait_q terminated: -512 [ 1187.699075] mwifiex_pcie 0000:01:00.0: info: _mwifiex_fw_dpc: unregister device [ 1187.713476] mwifiex: Failed to bring up adapter: -5 [ 1187.718644] mwifiex_pcie 0000:01:00.0: reinit failed: -5 [... run `iw phy` ...] [ 1212.902419] ================================================================== [ 1212.909806] BUG: KASAN: use-after-free in mwifiex_cfg80211_get_antenna+0x54/0xfc [mwifiex] at addr ffffffc0ad1a8028 [ 1212.920246] Read of size 1 by task iw/3127 [...] [ 1212.934946] page dumped because: kasan: bad access detected [...] [ 1212.950665] Call trace: [ 1212.953148] [<ffffffc00020a69c>] dump_backtrace+0x0/0x190 [ 1212.958572] [<ffffffc00020a96c>] show_stack+0x20/0x28 [ 1212.963648] [<ffffffc0005ce18c>] dump_stack+0xa4/0xcc [ 1212.968723] [<ffffffc0003c4430>] kasan_report+0x378/0x500 [ 1212.974140] [<ffffffc0003c3358>] __asan_load1+0x44/0x4c [ 1212.979462] [<ffffffbffc2e8360>] mwifiex_cfg80211_get_antenna+0x54/0xfc [mwifiex] [ 1212.987131] [<ffffffbffc084fc4>] nl80211_send_wiphy+0x75c/0x2de0 [cfg80211] [ 1212.994246] [<ffffffbffc094f60>] nl80211_dump_wiphy+0x32c/0x438 [cfg80211] [ 1213.001149] [<ffffffc000ab6404>] genl_lock_dumpit+0x48/0x64 [ 1213.006746] [<ffffffc000ab3474>] netlink_dump+0x178/0x398 [ 1213.012171] [<ffffffc000ab3d18>] __netlink_dump_start+0x1bc/0x260 [...] This all goes away if we just tear down the wiphy on the way down, and set it back up if/when we bring the device back up. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
In rogue cases (due to other bugs) it's possible we try to process an old command response *after* resetting the device. This could trigger a double-free (or the SKB can get reallocated elsewhere...causing other memory corruptions) in mwifiex_pcie_process_cmd_complete(). For safety (and symmetry) let's always NULL out the command buffer as we free it up. We're already doing this for the command response buffer. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
When resetting the device, we might have queued up interrupts that didn't get a chance to finish processing. We really don't need to handle them at this point; we just want to make sure they don't cause us to try to process old commands from before the device was reset. Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Brian Norris 提交于
When PCIe FLR code was added, it explicitly copy-and-pasted much of mwifiex_remove_card() into mwifiex_shutdown_sw(). This is unnecessary, as almost all of the code should be reused. Let's reunite what we can for now. The only functional changes for now: * call netif_device_detach() in the remove() code path -- this wasn't done before, but it really should be a no-op, when the device is getting totally unregistered soon anyway * call the ->down_dev() driver callback only after we've finished all SW teardown -- this should have no significant effect, since the only user (pcie.c) does very minimal work there, and it doesn't matter that we reorder this Signed-off-by: NBrian Norris <briannorris@chromium.org> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Amitkumar Karwar 提交于
u32 pointer is changed to u16 and filled the value. Problem is solved by using local temporary variable. Below static checker warning was reported. drivers/net/wireless/rsi/rsi_91x_usb.c:400 rsi_usb_master_reg_read() warn: passing casted pointer 'value' to 'rsi_usb_reg_read()' 32 vs 16. Fixes: b97e9b94 ("rsi: Add new host interface operations") Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Amitkumar Karwar 提交于
These checks are required. Otherwise we may end up getting memory corruption if invalid length is passed. Fixes: b97e9b94 ("rsi: Add new host interface operations") Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Amitkumar Karwar 提交于
4 bytes is fixed size for reading or writing USB register. We will use a macro instead of hardcoding this. Fixes: b97e9b94 ("rsi: Add new host interface operations") Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
Below regulatory changes are included this patch * Country code is saved as it will be used in bgscan. * Region codes are mapped according to RSI region codes. * Radar flag settings are moved under the check if 5GHZ band is enabled. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
When interface is down it is better to stop all RX packets to host. 0xffff will block all packets to host. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
Device specific descriptor for each TX packet is prepared on top of skb data address. This descriptor should be pulled out before indicating the TX status to mac80211. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
TX command frame block/unblock data is modified to use common descriptor structure. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
Data queues should be unblocked after station add notify frame is sent and should be blocked after station delete notify is sent. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
When Short Gaurd Interval is enabled bit 9 is set in rate. Otherwise it should not be set. Added missing 'else' case in this patch. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
Broadcast bit to be set for broadcast and multicast packets. For remove_key, tx and rx mic need not be filled. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
TX command frame set_key is modified to use common descriptor structure. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
VAP capablities frame configured to device is modified to use common descriptor structure. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
TX command frame set_channel is modified to use common descriptor structure. Also DFS channel indication to firmware is added in the descriptor for dfs channels configuration. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
Baseband RF programming frame configured to device is modified to use common descriptor structure. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
AMPDU aggregation parameters frame configured to device is modified to use common descriptor structure. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
TX command frame peer notify is updated to use common descriptor structure. MPDU density value added to the frame. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
The function rsi_mgmt_pkt_to_core() is for passing the 802.11 management frames to mac80211. So, it is unnecessary to check again for the frame type 802.11 management in this function. It can be checked before passing to this function. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
Radio capabilities frame is updated to use common descriptor structure. Also, few changes to this frame is done like hardware queues are increase to 12 from 8, default channel number is included. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
For all TX command packets immediate wakeup bit needs to be set in descriptor. This will make sure device will wakeup if it is in any sleep state. Priority of the packet is also set. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
All internal management packets (command packets) use some common fields and some packet specific fields for packet descriptors. This patch adds some common structures which are needed for all command packets. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Karun Eagalapati 提交于
We have now added separate lock for Rx. This lock is used to protect tx path only Signed-off-by: NKarun Eagalapati <karun256@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Karun Eagalapati 提交于
Deadlock issue is observed during our stress tests. The root cause for the issue is same lock is used between tx and rx threads. This patch adds a separate mutex lock for rx thread to resolve the problem. Signed-off-by: NKarun Eagalapati <karun256@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Karun Eagalapati 提交于
Newer firmware sends information about number of blocks through interrupt only. We don't need to read extra register for this. This patch adds needed driver changes for this enhancment. The change here is backward compatible Signed-off-by: NKarun Eagalapati <karun256@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Karun Eagalapati 提交于
SDIO host is already claimed in our interrupt handler. Some lower level APIs claims host while performing SDIO read or write operations. Let's use sdio_irq_task variable to check if we are in interrupt context and claim/release the host accordingly. Signed-off-by: NKarun Eagalapati <karun256@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Karun Eagalapati 提交于
The variable in_sdio_litefi_irq is renamed to sdio_irq_task, as it is more relevant here. Signed-off-by: NKarun Eagalapati <karun256@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Pavani Muthyala 提交于
Data packet descriptor preparation code is moved a separate function. Signed-off-by: NPavani Muthyala <pavani.muthyala@redpinesignals.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Pavani Muthyala 提交于
This patch covers some enhancements in data packet descriptor preparation especially for EAPOL, multicast/broadcast packets. Signed-off-by: NPavani Muthyala <pavani.muthyala@redpinesignals.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Pavani Muthyala 提交于
Currently this descriptor is prepared with the help of __le16 pointer. This patch makes use of a structure to prepare the descriptor in a cleaner way. Signed-off-by: NPavani Muthyala <pavani.muthyala@redpinesignals.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Prameela Rani Garnepudi 提交于
Management descriptor preparation is move to a separate function as it will be called from a different context in upcoming patches. Signed-off-by: NPrameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Pavani Muthyala 提交于
Currently this descriptor is prepared with the help of __le16 pointer. This patch makes use of a structure to prepare the descriptor in a cleaner way. Signed-off-by: NPavani Muthyala <pavani.muthyala@redpinesignals.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Karun Eagalapati 提交于
immediate wakeup bit is set while sending internal management frame to the firmware. Signed-off-by: NKarun Eagalapati <karun256@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Karun Eagalapati 提交于
Till now only management packets were handled. Let's enhance the logic for choosing endpoint to accommodate other packets. Signed-off-by: NKarun Eagalapati <karun256@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-
由 Karun Eagalapati 提交于
These endpoints are for WLAN and BT protocols. Signed-off-by: NKarun Eagalapati <karun256@gmail.com> Signed-off-by: NAmitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
-