- 20 Oct, 2021 3 commits
-
-
Zheyu Ma authored
When the driver fails to request the firmware, it calls its error handler. In the error handler, the driver detaches device from driver first before releasing the firmware, which can cause a use-after-free bug. Fix this by releasing firmware first. The following log reveals it: [ 9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0 [ 9.010143 ] Workqueue: events request_firmware_work_func [ 9.010830 ] Call Trace: [ 9.010830 ] dump_stack_lvl+0xa8/0xd1 [ 9.010830 ] print_address_description+0x87/0x3b0 [ 9.010830 ] kasan_report+0x172/0x1c0 [ 9.010830 ] ? mutex_unlock+0xd/0x10 [ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 [ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 [ 9.010830 ] __asan_report_load8_noabort+0x14/0x20 [ 9.010830 ] mwl8k_fw_state_machine+0x320/0xba0 [ 9.010830 ] ? mwl8k_load_firmware+0x5f0/0x5f0 [ 9.010830 ] request_firmware_work_func+0x172/0x250 [ 9.010830 ] ? read_lock_is_recursive+0x20/0x20 [ 9.010830 ] ? process_one_work+0x7a1/0x1100 [ 9.010830 ] ? request_firmware_nowait+0x460/0x460 [ 9.010830 ] ? __this_cpu_preempt_check+0x13/0x20 [ 9.010830 ] process_one_work+0x9bb/0x1100 Signed-off-by:
Zheyu Ma <zheyuma97@gmail.com> Signed-off-by:
Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com
-
Ziyang Xuan authored
When fail to init coex module, free 'common' and 'adapter' directly, but common->tx_thread which will access 'common' and 'adapter' is running at the same time. That will trigger the UAF bug. ================================================================== BUG: KASAN: use-after-free in rsi_tx_scheduler_thread+0x50f/0x520 [rsi_91x] Read of size 8 at addr ffff8880076dc000 by task Tx-Thread/124777 CPU: 0 PID: 124777 Comm: Tx-Thread Not tainted 5.15.0-rc5+ #19 Call Trace: dump_stack_lvl+0xe2/0x152 print_address_description.constprop.0+0x21/0x140 ? rsi_tx_scheduler_thread+0x50f/0x520 kasan_report.cold+0x7f/0x11b ? rsi_tx_scheduler_thread+0x50f/0x520 rsi_tx_scheduler_thread+0x50f/0x520 ... Freed by task 111873: kasan_save_stack+0x1b/0x40 kasan_set_track+0x1c/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x109/0x140 kfree+0x117/0x4c0 rsi_91x_init+0x741/0x8a0 [rsi_91x] rsi_probe+0x9f/0x1750 [rsi_usb] Stop thread before free 'common' and 'adapter' to fix it. Fixes: 2108df3c ("rsi: add coex support") Signed-off-by:
Ziyang Xuan <william.xuanziyang@huawei.com> Signed-off-by:
-
Ryder Lee authored
Add more MTK folks to actively maintain the wireless chipsets across segments. The work is becoming increasingly complicated and various and we can provides hardware related perspectives to offload Felix's workload, especially for the 11ax and upcoming 11be devices Signed-off-by:
Ryder Lee <ryder.lee@mediatek.com> Acked-by:
Felix Fietkau <nbd@nbd.name> Signed-off-by:
-
- 18 Oct, 2021 5 commits
-
-
Colin Ian King authored
The function rtw89_mac_enable_bb_rf is a void return type, so there is no return error code to ret, so the following check for an error in ret is redundant dead code and can be removed. Addresses-Coverity: ("Logically dead code") Fixes: e3ec7017 ("rtw89: add Realtek 802.11ax driver") Signed-off-by:Colin Ian King <colin.king@canonical.com> Acked-by:
Ping-Ke Shih <pkshih@realtek.com> Signed-off-by:
-
Colin Ian King authored
There are two spelling mistakes in rtw89_debug messages. Fix them. Signed-off-by:
-
Ping-Ke Shih authored
Add maintainer and email to MAINTAINERS file. Signed-off-by:
-
Jonas Dreßler authored
It seems that the PCIe+USB firmware (latest version 15.68.19.p21) of the 88W8897 card sometimes ignores or misses when we try to wake it up by writing to the firmware status register. This leads to the firmware wakeup timeout expiring and the driver resetting the card because we assume the firmware has hung up or crashed. Turns out that the firmware actually didn't hang up, but simply "missed" our wakeup request and didn't send us an interrupt with an AWAKE event. Trying again to read the firmware status register after a short timeout usually makes the firmware wake up as expected, so add a small retry loop to mwifiex_pm_wakeup_card() that looks at the interrupt status to check whether the card woke up. The number of tries and timeout lengths for this were determined experimentally: The firmware usually takes about 500 us to wake up after we attempt to read the status register. In some cases where the firmware is very busy (for example while doing a bluetooth scan) it might even miss our requests for multiple milliseconds, which is why after 15 tries the waiting time gets increased to 10 ms. The maximum number of tries it took to wake the firmware when testing this was around 20, so a maximum number of 50 tries should give us plenty of safety margin. Here's a reproducer for those firmware wakeup failures I've found: 1) Make sure wifi powersaving is enabled (iw dev wlp1s0 set power_save on) 2) Connect to any wifi network (makes firmware go into wifi powersaving mode, not deep sleep) 3) Make sure bluetooth is turned off (to ensure the firmware actually enters powersave mode and doesn't keep the radio active doing bluetooth stuff) 4) To confirm that wifi powersaving is entered ping a device on the LAN, pings should be a few ms higher than without powersaving 5) Run "while true; do iwconfig; sleep 0.0001; done", this wakes and suspends the firmware extremely often 6) Wait until things explode, for me it consistently takes <5 minutes BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681 Cc: stable@vger.kernel.org Signed-off-by:
Jonas Dreßler <verdre@v0yd.nl> Signed-off-by:
-
Jonas Dreßler authored
On the 88W8897 PCIe+USB card the firmware randomly crashes after setting the TX ring write pointer. The issue is present in the latest firmware version 15.68.19.p21 of the PCIe+USB card. Those firmware crashes can be worked around by reading any PCI register of the card after setting that register, so read the PCI_VENDOR_ID register here. The reason this works is probably because we keep the bus from entering an ASPM state for a bit longer, because that's what causes the cards firmware to crash. This fixes a bug where during RX/TX traffic and with ASPM L1 substates enabled (the specific substates where the issue happens appear to be platform dependent), the firmware crashes and eventually a command timeout appears in the logs. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=109681 Cc: stable@vger.kernel.org Signed-off-by:
-
- 13 Oct, 2021 4 commits
-
-
Christophe JAILLET authored
'destroy_workqueue()' already drains the queue before destroying it, so there is no need to flush it explicitly. Remove the redundant 'flush_workqueue()' calls. This was generated with coccinelle: @@ expression E; @@ - flush_workqueue(E); destroy_workqueue(E); Signed-off-by:
Christophe JAILLET <christophe.jaillet@wanadoo.fr> Signed-off-by:
-
Colin Ian King authored
The variable ret is being initialized with a value that is never read, it is assigned later on with a different value. The initialization is redundant and can be removed. Addresses-Coverity: ("Unused value") Signed-off-by:Jakub Kicinski <kubakici@wp.pl> Signed-off-by:
-
Colin Ian King authored
The variable version is being initialized with a value that is never read, it is being updated afterwards in both branches of an if statement. The assignment is redundant and can be removed. Addresses-Coverity: ("Unused value") Signed-off-by: -
Ping-Ke Shih authored
This driver named rtw89, which is the next generation of rtw88, supports Realtek 8852AE 802.11ax 2x2 chip whose new features are OFDMA, DBCC, Spatial reuse, TWT and BSS coloring; now some of them aren't implemented though. The chip architecture is entirely different from the chips supported by rtw88 like RTL8822CE 802.11ac chip. First of all, register address ranges are totally redefined, so it's impossible to reuse register definition. To communicate with firmware, new H2C/C2H format is proposed. In order to have better utilization, TX DMA flow is changed to two stages DMA. To provide rich RX status information, additional RX PPDU packets are added. Since there are so many differences mentioned above, we decide to propose a new driver. It has many authors, they are listed in alphabetic order: Chin-Yen Lee <timlee@realtek.com> Ping-Ke Shih <pkshih@realtek.com> Po Hao Huang <phhuang@realtek.com> Tzu-En Huang <tehuang@realtek.com> Vincent Fann <vincent_fann@realtek.com> Yan-Hsuan Chuang <tony0620emma@gmail.com> Zong-Zhe Yang <kevin_yang@realtek.com> Tested-by:
Aaron Ma <aaron.ma@canonical.com> Tested-by:
Brian Norris <briannorris@chromium.org> Signed-off-by:
-
- 11 Oct, 2021 2 commits
-
-
Dan Carpenter authored
The problem is that "channel" is an unsigned int, when it's less 5 the value of "channel - 5" is not a negative number as one would expect but is very high positive value instead. This means that "start" becomes a very high positive value. The result of that is that we never enter the "for (i = start; i <= end; i++) {" loop. Instead of storing the result from b43legacy_radio_aci_detect() it just uses zero. Fixes: ef1a628d ("b43: Implement dynamic PHY API") Signed-off-by:Dan Carpenter <dan.carpenter@oracle.com> Acked-by:
Michael Büsch <m@bues.ch> Signed-off-by:
-
Dan Carpenter authored
The problem is that "channel" is an unsigned int, when it's less 5 the value of "channel - 5" is not a negative number as one would expect but is very high positive value instead. This means that "start" becomes a very high positive value. The result of that is that we never enter the "for (i = start; i <= end; i++) {" loop. Instead of storing the result from b43legacy_radio_aci_detect() it just uses zero. Fixes: 75388acd ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") Signed-off-by:
-
- 10 Oct, 2021 22 commits
-
-
Subbaraya Sundeep authored
This patch separates the logic of configuring hardware maximum transmit frame size and receive frame size. This simplifies the logic to calculate receive buffer size and using cqe descriptor of different size. Also additional size of skb_shared_info structure is allocated for each receive buffer pointer given to hardware which is not necessary. Hence change the size calculation to remove the size of skb_shared_info. Add a check for array out of bounds while adding fragments to the network stack. Signed-off-by:
Subbaraya Sundeep <sbhatta@marvell.com> Signed-off-by:
Hariprasad Kelam <hkelam@marvell.com> Signed-off-by:
Sunil Goutham <sgoutham@marvell.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Christophe JAILLET authored
'destroy_workqueue()' already drains the queue before destroying it, so there is no need to flush it explicitly. Remove the redundant 'flush_workqueue()' calls. This was generated with coccinelle: @@ expression E; @@ - flush_workqueue(E); destroy_workqueue(E); Signed-off-by:
-
Li RongQing authored
networking benchmark shows that __rcu_read_lock and __rcu_read_unlock takes some cpu cycles, and we can avoid calling them partially in virtio rx path by check xdp_enabled of vi, and xdp is disabled most of time Signed-off-by:
Li RongQing <lirongqing@baidu.com> Signed-off-by:
-
Antoine Tenart authored
Cosmetic commit making dev_get_port_parent_id slightly more readable. There is no need to split the condition to return after calling devlink_compat_switch_id_get and after that 'recurse' is always true. Signed-off-by:
Antoine Tenart <atenart@kernel.org> Signed-off-by:
-
Ansuel Smith authored
Give a name to known debug regs from Documentation instead of using unknown hex values. Signed-off-by:
Ansuel Smith <ansuelsmth@gmail.com> Reviewed-by:
Andrew Lunn <andrew@lunn.ch> Signed-off-by:
-
Ansuel Smith authored
From original QCA source code the port was set to prefer master as port type in 1000BASE-T mode. Apply the same settings also here. Signed-off-by:
-
Ansuel Smith authored
QCA8327 internal phy require DAC amplitude adjustement set to +6% with 100m speed. Also add additional define to report a change of the same reg in QCA8337. (different scope it does set 1000m voltage) Add link_change_notify function to set the proper amplitude adjustement on PHY_RUNNING state and disable on any other state. Fixes: b4df02b5 ("net: phy: at803x: add support for qca 8327 A variant internal phy") Signed-off-by:
-
Ansuel Smith authored
From Documentation phy resume triggers phy reset and restart auto-negotiation. Add a dedicated function to wait reset to finish as it was notice a regression where port sometime are not reliable after a suspend/resume session. The reset wait logic is copied from phy_poll_reset. Add dedicated suspend function to use genphy_suspend only with QCA8337 phy and set only additional debug settings for QCA8327. With more test it was reported that QCA8327 doesn't proprely support this mode and using this cause the unreliability of the switch ports, especially the malfunction of the port0. Fixes: 15b9df4e ("net: phy: at803x: add resume/suspend function to qca83xx phy") Signed-off-by:
-
David S. Miller authored
Juhee Kang says: ==================== net-next: replace open code with helper functions Currently, there are many helper functions on netdevice.h. However, some code doesn't use the helper functions and remains open code. So this patchset replaces open code with an appropriate helper function. First patch modifies to use netif_is_rxfh_configured instead of dev->priv_flags & IFF_RXFH_CONFIGURED. Second patch replaces open code with netif_is_bond_master. Last patch substitutes netif_is_macsec() for dev->priv_flags & IFF_MACSEC. ==================== Signed-off-by: -
Juhee Kang authored
Open code which is dev->priv_flags & IFF_MACSEC has already defined as netif_is_macsec(). So use netif_is_macsec() instead of open code. This patch doesn't change logic. Signed-off-by:
Juhee Kang <claudiajkang@gmail.com> Signed-off-by:
-
Juhee Kang authored
Use netif_is_bond_master() function instead of open code, which is ((event_dev->priv_flags & IFF_BONDING) && (event_dev->flags & IFF_MASTER)). This patch doesn't change logic. Signed-off-by:
-
Juhee Kang authored
The open code which is dev->priv_flags & IFF_RXFH_CONFIGURED is defined as a helper function on netdevice.h. So use netif_is_rxfh_configured() function instead of open code. This patch doesn't change logic. Signed-off-by:
-
David S. Miller authored
Shannon Nelson says: ==================== ionic: add vlanid overflow management Add vlans to the existing rx_filter_sync mechanics currently used for managing mac filters. Older versions of our firmware had no enforced limits on the number of vlans that the driver could request, but requesting large numbers of vlans caused issues in FW memory management, so an arbitrary limit was added in the FW. The FW now returns -ENOSPC when it hits that limit, which the driver needs to handle. Unfortunately, the FW doesn't advertise the vlan id limit, as it does with mac filters, so the driver won't know the limit until it bumps into it. We'll grab the current vlan id count and use that as the limit from there on and thus prevent getting any more -ENOSPC errors. Just as is done for the mac filters, the device puts the device into promiscuous mode when -ENOSPC is seen for vlan ids, and the driver will track the vlans that aren't synced to the FW. When vlans are removed, the driver will retry the un-synced vlans. If all outstanding vlans are synced, the promiscuous mode will be disabled. The first 6 patches rework the existing filter management to make it flexible enough for additional filter types. Next we add the vlan ids into the management. The last 2 patches allow us to catch the max vlan -ENOSPC error without adding an unnecessary error message to the kernel log. ==================== Signed-off-by: -
Shannon Nelson authored
Override the automatic AdminQ error message in order to capture the potential No Space message when we hit the max vlan limit, and add additional messaging to detail what filter failed. Signed-off-by:
Shannon Nelson <snelson@pensando.io> Signed-off-by:
-
Shannon Nelson authored
The AdminQ handler has an error handler that automatically prints an error message when the request has failed. However, there are situations where the caller can expect that it might fail and has an alternative strategy, thus may not want the error message sent to the log, such as hitting -ENOSPC when adding a new vlan id. We add a new interface to the AdminQ API to allow for override of the default behavior, and an interface to the use standard error message formatting. Signed-off-by:
-
Shannon Nelson authored
Add vlans to the existing rx_filter_sync mechanics currently used for managing mac filters. Older versions of our firmware had no enforced limits on the number of vlans that the LIF could request, but requesting large numbers of vlans caused issues in FW memory management, so an arbitrary limit was added in the FW. The FW now returns -ENOSPC when it hits that limit, which the driver needs to handle. Unfortunately, the FW doesn't advertise the vlan id limit, as it does with mac filters, so the driver won't know the limit until it bumps into it. We'll grab the current vlan id count and use that as the limit from there on and thus prevent getting any more -ENOSPC errors. Just as is done for the mac filters, the device puts the device into promiscuous mode when -ENOSPC is seen for vlan ids, and the driver will track the vlans that aren't synced to the FW. When vlans are removed, the driver will retry the un-synced vlans. If all outstanding vlans are synced, the promiscuous mode will be disabled. Signed-off-by:
-
Shannon Nelson authored
Similar to the filter add, make a generic filter delete. Signed-off-by:
-
Shannon Nelson authored
In preparation for adding vlan overflow management, rework the ionic_lif_addr_add() function to something a little more generic that can be used for other filter types. Signed-off-by:
-
Shannon Nelson authored
In preparation for enhancing vlan filter management, add a filter search routine that can figure out for itself which type of filter search is needed. Signed-off-by:
-
Shannon Nelson authored
The overflow flags really aren't useful and we don't need lif struct elements to track them. Signed-off-by:
-
Shannon Nelson authored
The routines that add and delete mac addresses from the firmware really should be in the file with the rest of the filter management. This simply moves the functions with no logic changes. Signed-off-by:
-
Shannon Nelson authored
Dump the filter list to debugfs - includes the device-assigned filter id and the sync'd-to-hardware status. Signed-off-by:
-
- 09 Oct, 2021 4 commits
-
-
Vladimir Oltean authored
The Vitesse/Microsemi/Microchip family of switches supported by the Felix DSA driver is capable of selecting between the native tagging protocol and ocelot-8021q. This is necessary to enable flow control on the CPU port. Certain systems where these switches are integrated use the switch as a port multiplexer, so the termination throughput is paramount. Changing the tagging protocol at runtime is possible for these systems, but since it is known beforehand that one tagging protocol will provide strictly better performance than the other, just allow them to specify the preference in the device tree. Signed-off-by:
Vladimir Oltean <vladimir.oltean@nxp.com> Signed-off-by:
-
Vladimir Oltean authored
There is a trivial typo when spelling "protocol", fix it. Signed-off-by:
-
Jakub Kicinski authored
Use dev_addr_set() instead of writing directly to netdev->dev_addr in various misc and old drivers. Signed-off-by:
Jakub Kicinski <kuba@kernel.org> Signed-off-by:
-
David S. Miller authored
Jakub Kicinski says: ==================== net: remove direct netdev->dev_addr writes Commit 406f42fa ("net-next: When a bond have a massive amount of VLANs...") introduced a rbtree for faster Ethernet address look up. To maintain netdev->dev_addr in this tree we need to make all the writes to it got through appropriate helpers. This series contains top 5 conversions in terms of LoC required to bring the driver into compliance. ==================== Signed-off-by:
-
