- 07 Dec, 2021 26 commits
-
-
Miri Korenblit authored
The exact size of WGDS revision 3 was calculated using the wrong parameters. Fix it. Signed-off-by:
Miri Korenblit <miriam.rachel.korenblit@intel.com> Signed-off-by:
Luca Coelho <luciano.coelho@intel.com> Link: https://lore.kernel.org/r/iwlwifi.20211204130722.12c5b0cffe52.I7f342502f628f43a7e000189a699484bcef0f562@changeidSigned-off-by:
-
Mukesh Sisodiya authored
Add DBGC4 memory for debug handling in driver which will be created, freed and collected from the FW in case of crash. Signed-off-by:
Mukesh Sisodiya <mukesh.sisodiya@intel.com> Signed-off-by:
-
Mordechay Goodstein authored
In assoc state we only use narrow bandwidth, due to phy/radio not configured to max bandwidth. Signed-off-by:
Mordechay Goodstein <mordechay.goodstein@intel.com> Signed-off-by:
-
Shaul Triebitz authored
When scheduling a session protection the id is saved but then it may be cleared when calling iwl_mvm_te_clear_data (if a previous session protection is currently active). Fix it by saving the id after calling iwl_mvm_te_clear_data. Signed-off-by:
Shaul Triebitz <shaul.triebitz@intel.com> Signed-off-by:
-
Mordechay Goodstein authored
The main changes are remove the respond from STATISTICS_CMD and sending it with STATISTICS_NOTIFICATION, and updating for all mac id's and phy id's in one notification. Signed-off-by:
-
Ilan Peer authored
The scan request command is identical in binary format to the previous scan request command and the only change is now a previously reserved octet is used to indicate new flags introduced in the command. Align the code to support the new version and the previous one. Later patches would add the specific handling for the new flags. Signed-off-by:
Ilan Peer <ilan.peer@intel.com> Signed-off-by:
-
Ilan Peer authored
Signed-off-by:
-
Luca Coelho authored
We need to support platforms with So and SoF together with Gf4 radio modules. The difference is that these devices support CDB, so add the entries accordingly. Signed-off-by:
-
Emmanuel Grumbach authored
When the station is removed we need to remove the session protection that may be still running. Note that we need also to remove the session protection upon unassoc in case the station is kept in the AUTH state. Signed-off-by:
Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by:
-
Luca Coelho authored
We don't use this structure anymore, except for a check that will never match, so we can remove this structure entirely. Signed-off-by:
-
Johannes Berg authored
A new version of this command deprecates the rxchain_info field but is otherwise the same, so treat it the same way. We already leave the rxchain_info zeroed since the RLC command is supported. Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
-
Johannes Berg authored
There are two possible versions of this command in use today, add a link to v1 as well in the documentation. Signed-off-by:
-
Johannes Berg authored
There's an RLC configuration command in the firmware that's going to replace the chain information in the PHY context. Add support for this command, while leaving the PHY context fields unset when we know the RLC command will be used. Also add support to send only the RLC configuration command if only the # of chains used on the PHY context changes. Signed-off-by:
-
Johannes Berg authored
Newer firmware versions are going to come with a new version of the wowlan status API, which gives us replay counters for both GTKs that might still be in use, as well as unifying the layout of the counters to just be 64-bit quantities. Extend our code to handle this case and be able to install replay counters for both keys, if they're sent up from the firmware. Signed-off-by:
-
Johannes Berg authored
There's a new version with some addition, we'll need to do something with the additional data later, but for now just parse it so we don't fail with the newer firmware. Signed-off-by:
-
Haim Dreyfuss authored
Instead of using two bits in the doorbell interrupt, the new Bz devices have a new CSR_IPC_SLEEP_CONTROL register to let drivers indicate the desired transition before triggering the doorbell interrupt. Signed-off-by:
Haim Dreyfuss <haim.dreyfuss@intel.com> Signed-off-by:
-
Johannes Berg authored
Move the GTK rekeying condition into iwl_mvm_set_key_rx_seq() so we can modify it in the next patch. In the next firmware API revision we'll properly get data for both active GTKs and will have to install it accordingly. Signed-off-by:
-
Mike Golant authored
Add support for Bz Z step HW with GF RF. Signed-off-by:
Mike Golant <michael.golant@intel.com> Signed-off-by:
-
Mike Golant authored
We have a MAC component (which is inside the SoC) and it has several different HW steps. 3 bits used to be enough but now we need 4-bits to represent all the different steps. Properly support 4-bits in the MAC step value by refactoring all the current handling of the MAC step/dash. Already from family 8000 and up the dash (bits 0-1) no longer exists and the step (until 8000 bits 2-3) consists of the dash bits as well. To do this remove the CSR_HW_REV_STEP and the CSR_HW_REV_DASH macros, replace them with CSR_HW_REV_STEP_DASH and add hw_rev_step into the trans struct. In addition remove the CSR_HW_IF_CONFIG_REG_MSK_MAC_STEP and CSR_HW_IF_CONFIG_REG_MSK_MAC_DASH macros and create a new macro combining the 2 (this way we don't need shifting or anything else.) Signed-off-by:
Matti Gottlieb <matti.gottlieb@intel.com> Signed-off-by:
-
Johannes Berg authored
If userspace installs a lot of multicast groups very quickly, then we may run out of command queue space as we send the updates in an asynchronous fashion (due to locking concerns), and the CPU can create them faster than the firmware can process them. This is true even when mac80211 has a work struct that gets scheduled. Fix this by synchronizing with the firmware after sending all those commands - outside of the iteration we can send a synchronous echo command that just has the effect of the CPU waiting for the prior asynchronous commands to finish. This also will cause fewer of the commands to be sent to the firmware overall, because the work will only run once when rescheduled multiple times while it's running. Link: https://bugzilla.kernel.org/show_bug.cgi?id=213649Suggested-by:
Maximilian Ernestus <maximilian@ernestus.de> Signed-off-by:
-
Johannes Berg authored
If we happen to decide an NSSN queue sync (IWL_MVM_RXQ_NSSN_SYNC) for some remaining packets that are still on the queue, but just after we've decided to do a delBA (which causes its own queues sync with IWL_MVM_RXQ_NOTIF_DEL_BA) we can end up with a sequence of events like this: CPU 1 CPU 2 remove BA session with baid N send IWL_MVM_RXQ_NOTIF_DEL_BA send IWL_MVM_RXQ_NSSN_SYNC get IWL_MVM_RXQ_NOTIF_DEL_BA get IWL_MVM_RXQ_NOTIF_DEL_BA get IWL_MVM_RXQ_NSSN_SYNC complete IWL_MVM_RXQ_NOTIF_DEL_BA remove N from baid_map[] get IWL_MVM_RXQ_NSSN_SYNC WARN_ON(!baid_map[N]) Thus, there's a race that leads in hitting the WARN_ON, but more importantly, it's a race that potentially even results in a new aggregation session getting assigned to baid N. To fix this, remove the WARN_ON() in the NSSN_SYNC case, we can't completely protect against hitting this case, so we shouldn't be warning. However, guard ourselves against BAID reuse by doing yet another round of queue synchronization after the entry is removed from the baid_map, so that it cannot be reused with any in-flight IWL_MVM_RXQ_NSSN_SYNC messages. Signed-off-by: -
Yang Shen authored
Fixes the following W=1 kernel build warning: drivers/net/wireless/intel/iwlwifi/mvm/rfi.c:11: warning: This comment starts with '/**', but isn't a kernel-doc comment. Refer Documentation/doc-guide/kernel-doc.rst Cc: Stanislav Yakovlev <stas.yakovlev@gmail.com> Signed-off-by:
Yang Shen <shenyang39@huawei.com> [removed the static const fix, since it's already done and updated the commit message accordingly.] Link: https://lore.kernel.org/r/20210517050141.61488-7-shenyang39@huawei.comSigned-off-by:
-
Lv Yunlong authored
In iwl_txq_dyn_alloc_dma, txq->tfds is freed at first time by: iwl_txq_alloc()->goto err_free_tfds->dma_free_coherent(). But it forgot to set txq->tfds to NULL. Then the txq->tfds is freed again in iwl_txq_dyn_alloc_dma by: goto error->iwl_txq_gen2_free_memory()->dma_free_coherent(). My patch sets txq->tfds to NULL after the first free to avoid the double free. Fixes: 0cd1ad2d ("iwlwifi: move all bus-independent TX functions to common code") Signed-off-by:
Lv Yunlong <lyl2019@mail.ustc.edu.cn> Link: https://lore.kernel.org/r/20210403054755.4781-1-lyl2019@mail.ustc.edu.cnSigned-off-by:
-
Emmanuel Grumbach authored
Smatch spot a possible NULL pointer dereference. Fix it. __iwl_mvm_mac_set_key can be called with sta = NULL Also add a NULL pointer check after memory allocation. Reported-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Colin Ian King authored
There is a spelling mistake in a debugfs filename. Fix it. Signed-off-by:
Colin Ian King <colin.i.king@gmail.com> Link: https://lore.kernel.org/r/20211129124921.11817-1-colin.i.king@gmail.comSigned-off-by:
-
Emmanuel Grumbach authored
If CSME is compromised, it could report a bigger queue size in the share area and make the host perform an out of bound access. Instead of reading the size of the queue from the shared area, store it in the regular context which is not accessible by CSME. While at it, fix a small typo in an error print. Signed-off-by:
-
- 05 Dec, 2021 1 commit
-
-
Emmanuel Grumbach authored
I forgot to add stubs in case tracing is disabled which caused linking errors: ERROR: modpost: "__SCT__tp_func_iwlmei_sap_data" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! ERROR: modpost: "__SCT__tp_func_iwlmei_me_msg" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! ERROR: modpost: "__tracepoint_iwlmei_sap_cmd" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! ERROR: modpost: "__tracepoint_iwlmei_me_msg" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! ERROR: modpost: "__SCK__tp_func_iwlmei_me_msg" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! ERROR: modpost: "__SCK__tp_func_iwlmei_sap_data" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! ERROR: modpost: "__tracepoint_iwlmei_sap_data" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! ERROR: modpost: "__SCT__tp_func_iwlmei_sap_cmd" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! ERROR: modpost: "__SCK__tp_func_iwlmei_sap_cmd" [drivers/net/wireless/intel/iwlwifi/mei/iwlmei.ko] undefined! Fixes: 2da4366f ("iwlwifi: mei: add the driver to allow cooperation with CSME") Reported-by:
Jiri Slaby <jirislaby@kernel.org> Signed-off-by:
Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20211201113411.130409-1-emmanuel.grumbach@intel.com
-
- 29 Nov, 2021 9 commits
-
-
Kees Cook authored
Clean up some style issues: - Use ARRAY_SIZE() even though it's a u8 array. - Remove redundant CHANNEL_MAX_NUMBER_2G define. Additionally fix some dead code WARNs. Acked-by:
Ping-Ke Shih <pkshih@realtek.com> Link: https://lore.kernel.org/lkml/57d0d1b6064342309f680f692192556c@realtek.com/Signed-off-by:
Kees Cook <keescook@chromium.org> Signed-off-by:
Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211119192233.1021063-1-keescook@chromium.org
-
Kees Cook authored
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use named struct in struct mwl8k_cmd_set_key around members key_material, tkip_tx_mic_key, and tkip_rx_mic_key so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of key_material. "pahole" shows no size nor member offset changes to struct mwl8k_cmd_set_key. "objdump -d" shows no object code changes. Signed-off-by:
-
Kees Cook authored
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use struct_group() in struct hfa384x_tx_frame around members frame_control, duration_id, addr1, addr2, addr3, and seq_ctrl, so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of frame_control. "pahole" shows no size nor member offset changes to struct hfa384x_tx_frame. "objdump -d" shows no object code changes. Signed-off-by:
-
Kees Cook authored
In preparation for FORTIFY_SOURCE performing compile-time and run-time field array bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use struct_group() in struct txpd around members tx_dest_addr_high and tx_dest_addr_low so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of tx_dest_addr_high. "pahole" shows no size nor member offset changes to struct txpd. "objdump -d" shows no object code changes. Signed-off-by:
-
Kees Cook authored
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use struct_group() in struct txpd around members tx_dest_addr_high and tx_dest_addr_low so they can be referenced together. This will allow memcpy() and sizeof() to more easily reason about sizes, improve readability, and avoid future warnings about writing beyond the end of queue_id. "pahole" shows no size nor member offset changes to struct txpd. "objdump -d" shows no object code changes. Signed-off-by:
-
Jason Wang authored
Static variables do not need to be initialized to false. The compiler will do that. Signed-off-by:
Jason Wang <wangborong@cdjrlc.com> Signed-off-by:
-
Zekun Shen authored
rsi_get_* functions rely on an offset variable from usb input. The size of usb input is RSI_MAX_RX_USB_PKT_SIZE(3000), while 2-byte offset can be up to 0xFFFF. Thus a large offset can cause out-of-bounds read. The patch adds a bound checking condition when rcv_pkt_len is 0, indicating it's USB. It's unclear whether this is triggerable from other type of bus. The following check might help in that case. offset > rcv_pkt_len - FRAME_DESC_SZ The bug is trigerrable with conpromised/malfunctioning USB devices. I tested the patch with the crashing input and got no more bug report. Attached is the KASAN report from fuzzing. BUG: KASAN: slab-out-of-bounds in rsi_read_pkt+0x42e/0x500 [rsi_91x] Read of size 2 at addr ffff888019439fdb by task RX-Thread/227 CPU: 0 PID: 227 Comm: RX-Thread Not tainted 5.6.0 #66 Call Trace: dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_read_pkt+0x42e/0x500 [rsi_91x] ? rsi_read_pkt+0x42e/0x500 [rsi_91x] __kasan_report.cold+0x37/0x7c ? rsi_read_pkt+0x42e/0x500 [rsi_91x] kasan_report+0xe/0x20 rsi_read_pkt+0x42e/0x500 [rsi_91x] rsi_usb_rx_thread+0x1b1/0x2fc [rsi_usb] ? rsi_probe+0x16a0/0x16a0 [rsi_usb] ? _raw_spin_lock_irqsave+0x7b/0xd0 ? _raw_spin_trylock_bh+0x120/0x120 ? __wake_up_common+0x10b/0x520 ? rsi_probe+0x16a0/0x16a0 [rsi_usb] kthread+0x2b5/0x3b0 ? kthread_create_on_node+0xd0/0xd0 ret_from_fork+0x22/0x40 Reported-by:
Brendan Dolan-Gavitt <brendandg@nyu.edu> Signed-off-by:
Zekun Shen <bruceshenzk@gmail.com> Signed-off-by:
-
Zekun Shen authored
When freeing rx_cb->rx_skb, the pointer is not set to NULL, a later rsi_rx_done_handler call will try to read the freed address. This bug will very likley lead to double free, although detected early as use-after-free bug. The bug is triggerable with a compromised/malfunctional usb device. After applying the patch, the same input no longer triggers the use-after-free. Attached is the kasan report from fuzzing. BUG: KASAN: use-after-free in rsi_rx_done_handler+0x354/0x430 [rsi_usb] Read of size 4 at addr ffff8880188e5930 by task modprobe/231 Call Trace: <IRQ> dump_stack+0x76/0xa0 print_address_description.constprop.0+0x16/0x200 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] __kasan_report.cold+0x37/0x7c ? dma_direct_unmap_page+0x90/0x110 ? rsi_rx_done_handler+0x354/0x430 [rsi_usb] kasan_report+0xe/0x20 rsi_rx_done_handler+0x354/0x430 [rsi_usb] __usb_hcd_giveback_urb+0x1e4/0x380 usb_giveback_urb_bh+0x241/0x4f0 ? __usb_hcd_giveback_urb+0x380/0x380 ? apic_timer_interrupt+0xa/0x20 tasklet_action_common.isra.0+0x135/0x330 __do_softirq+0x18c/0x634 ? handle_irq_event+0xcd/0x157 ? handle_edge_irq+0x1eb/0x7b0 irq_exit+0x114/0x140 do_IRQ+0x91/0x1e0 common_interrupt+0xf/0xf </IRQ> Reported-by:
-
Loic Poulain authored
When entering suspend as a client station with wowlan enabled, the Wi-Fi link is supposed to be maintained. In that state, no more data is generated from client side, and the link stays idle as long the station is suspended and as long the AP as no data to transmit. However, most of the APs kick-off such 'inactive' stations after few minutes, causing unexpected disconnect (reconnect, etc...). The usual way to prevent this is to submit a Null function frame periodically as a keep-alive. This is something that can be host /software generated (e.g. wpa_supplicant), but that needs to be offloaded to the Wi-Fi controller in case of suspended host. This change enables firmware generated keep-alive frames when entering wowlan suspend, using the 'mkeep_alive' IOVAR. Signed-off-by:
Loic Poulain <loic.poulain@linaro.org> Signed-off-by:
-
- 26 Nov, 2021 4 commits
-
-
Ajay Singh authored
Remove unused variables to avoid the below warnings: drivers/net/wireless/microchip/wilc1000/wlan.c: In function 'chip_wakeup': >> drivers/net/wireless/microchip/wilc1000/wlan.c:620:34: warning: variable 'to_host_from_fw_bit' set but not used [-Wunused-but-set-variable] 620 | u32 to_host_from_fw_reg, to_host_from_fw_bit; | ^~~~~~~~~~~~~~~~~~~ >> drivers/net/wireless/microchip/wilc1000/wlan.c:620:13: warning: variable 'to_host_from_fw_reg' set but not used [-Wunused-but-set-variable] 620 | u32 to_host_from_fw_reg, to_host_from_fw_bit; | ^~~~~~~~~~~~~~~~~~~ Reported-by:kernel test robot <lkp@intel.com> Signed-off-by:
Ajay Singh <ajay.kathat@microchip.com> Signed-off-by:
-
Emmanuel Grumbach authored
Read the rfkill state upon boot, mac start and mac stop. Reviewed-by:
-
Emmanuel Grumbach authored
Add the vendor commands that must be used by the network manager to allow proper operation of iwlmei. * Send information on the AP CSME is connected to * Notify the userspace when roaming is forbidden * Allow the userspace to require ownership Co-Developed-by:
Ayala Beker <ayala.beker@intel.com> Signed-off-by:
-
Emmanuel Grumbach authored
iwlmei needs to know about the follwing events: * Association * De-association * Country Code change * SW Rfkill change * SAR table changes iwlmei can take the device away from us, so report the new rfkill type when this happens. Advertise the required data from the CSME firmware to the usersapce: mostly, the AP that the CSME firmware is currently associated to in case there is an active link protection session. Generate the HOST_ASSOC / HOST_DISSASSOC messages. Don't support WPA1 (non-RSNA) for now. Don't support shared wep either. We can then determine the AUTH parameter by checking the AKM. Feed the cipher from the key installation. SW Rfkill will be implemented later when cfg80211 will allow us to read the SW Rfkill state. Co-Developed-by:
-
