- 31 Aug, 2017 9 commits
-
Lior David authored
Connect can take longer than current timeout in some scenarios, for example with long-range antenna array. Increase the timeout to support these scenarios. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Dedy Lansky authored
When FW starts running it can get D0 to D3 interrupt that is a leftover from previous system suspend while FW was not running. As this interrupt is not relevant anymore, clear it as part of device reset procedure. Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Dedy Lansky authored
Re-arrange the code to have dedicated function for device configuration which takes place before FW starts running. Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Lazar Alexei authored
Align to latest version of the auto generated wmi file describing the interface with FW. Signed-off-by: Lazar Alexei <qca_ailizaro@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Gidon Studinski authored
Since debugfs is a kernel configuration option, enable the driver to compile without debugfs. Signed-off-by: Gidon Studinski <qca_gidons@qca.qualcomm.com> Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Lior David authored
Sometimes there is a firmware crash but the hardware is not fully stopped and continues to send TX/RX interrupts. This can cause an overload of messages which can bring the host down. Add ratelimit to these error messages to fix this. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Hauke Mehrtens authored
In commit 9f5bcfe9 ("ath10k: silence firmware file probing warnings") the firmware loading was changed from request_firmware() to request_firmware_direct() to silence some warnings in case it fails. request_firmware_direct() directly searches in the file system only and does not send a hotplug event to user space in case it could not find the firmware directly. In LEDE we use a user space script to extract the calibration data from the flash memory which gets triggered by the hotplug event. This way the firmware gets extracted from some vendor specific partition when the driver requests this firmware. This mechanism does not work any more after this change. Fixes: 9f5bcfe9 ("ath10k: silence firmware file probing warnings") Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> Cc: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Erik Stromdahl authored
irq_wq in struct ath10k_sdio is a remnant from an earlier version of the sdio patchset. Its use was removed as a result of Kalle's review, but somehow the struct member survived. It is not used and can therefore safely be removed. Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Ryan Hsu authored
In napi_poll, the budget number is used to control the amount of packets we should handle per poll to balance the resource in the system. In the list of the amsdu packets reception, we check if there is budget count left and handle the complete list of the packets, so there is a chance that the very last list will go over the leftover budget. So adding one more parameter - budget_left, this would help while traversing the list to avoid handling more than the budget given. Reported-by: Andrey Ryabinin <aryabinin@virtuozzo.com> Fix-suggested-by: Igor Mitsyanko <igor.mitsyanko.os@quantenna.com> Link: https://lkml.kernel.org/r/26670dce-4dd2-f8e4-0e14-90d74257e739@virtuozzo.com Signed-off-by: Ryan Hsu <ryanhsu@qti.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
- 11 Aug, 2017 2 commits
-
Arvind Yadav authored
usb_device_id are not supposed to change at runtime. All functions working with usb_device_id provided by <linux/usb.h> work with const usb_device_id. So mark the non-const structs as const. Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Arvind Yadav authored
usb_device_id are not supposed to change at runtime. All functions working with usb_device_id provided by <linux/usb.h> work with const usb_device_id. So mark the non-const structs as const. Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> Reviewed-by: Steve deRosier <derosier@gmail.com> Tested-by: Steve deRosier <derosier@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
- 08 Aug, 2017 13 commits
-
Gidon Studinski authored
vring_idle_trsh is used in the operational driver, hence should not be defined as a debugfs variable. Signed-off-by: Gidon Studinski <qca_gidons@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Dedy Lansky authored
Store initial FW RF calibration result in driver. Set this calibration result back to FW after each FW reset in order to avoid future calibration procedures. Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Hamad Kadmany authored
While wil_open is executed, any call to netif_running would return a success. In case there are failures within wil_open, should not treat the device as if it is already opened in relevant functions (like FW recovery and runtime suspend check). Fix that by checking the device up flag instead. Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Maya Erez authored
Set wowlan to indicate that 11ad device can wake-up on any trigger and disconnect. Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Maya Erez authored
Add statistics for total, min and max suspend time, that calculates the time the 11ad device was in suspend. Those statistics will help to estimate the power impact of d3hot feature. Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Maya Erez authored
Reset 11ad device on resume failure only if no_fw_recovery is not set. Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Dedy Lansky authored
New FW supports reporting RSSI signal in dBm. Report RSSI to kernel in case FW has this capability. Signed-off-by: Dedy Lansky <qca_dlansky@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Hamad Kadmany authored
Validate buffer length has the minimum needed size when sending management frame to protect against possible buffer overrun. Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com> Signed-off-by: Lior David <qca_liord@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Bhumika Goyal authored
ath_ps_ops structures are only stored as a reference in the ps_ops field of a ath_common structure. This field is of type const, so make the structures as const. Signed-off-by: Bhumika Goyal <bhumirks@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Bjorn Andersson authored
As the association status changes the driver needs to configure the hardware. This is done based on information in the "sta" acquired by ieee80211_find_sta(), which requires the caller to ensure that the "sta" is valid while it's being used; generally by entering an rcu read section. But the operations acting on the "sta" have to communicate with the firmware and may therefore sleep, resulting in the following report:

  [ 31.418190] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:238
  [ 31.425919] in_atomic(): 0, irqs_disabled(): 0, pid: 34, name: kworker/u8:1
  [ 31.434609] CPU: 0 PID: 34 Comm: kworker/u8:1 Tainted: G W 4.12.0-rc4-next-20170607+ #993
  [ 31.441002] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT)
  [ 31.450380] Workqueue: phy0 ieee80211_iface_work
  [ 31.457226] Call trace:
  [ 31.461830] [<ffffff8008088c58>] dump_backtrace+0x0/0x260
  [ 31.464004] [<ffffff8008088f7c>] show_stack+0x14/0x20
  [ 31.469557] [<ffffff8008392e70>] dump_stack+0x98/0xb8
  [ 31.474592] [<ffffff80080e4330>] ___might_sleep+0xf0/0x118
  [ 31.479626] [<ffffff80080e43a8>] __might_sleep+0x50/0x88
  [ 31.485010] [<ffffff80088ff9a4>] mutex_lock+0x24/0x60
  [ 31.490479] [<ffffff8008595c38>] wcn36xx_smd_set_link_st+0x30/0x130
  [ 31.495428] [<ffffff8008591ed8>] wcn36xx_bss_info_changed+0x148/0x448
  [ 31.501504] [<ffffff80088ab3c4>] ieee80211_bss_info_change_notify+0xbc/0x118
  [ 31.508102] [<ffffff80088f841c>] ieee80211_assoc_success+0x664/0x7f8
  [ 31.515220] [<ffffff80088e13d4>] ieee80211_rx_mgmt_assoc_resp+0x144/0x2d8
  [ 31.521555] [<ffffff80088e1e20>] ieee80211_sta_rx_queued_mgmt+0x190/0x698
  [ 31.528239] [<ffffff80088bc44c>] ieee80211_iface_work+0x234/0x368
  [ 31.535011] [<ffffff80080d81ac>] process_one_work+0x1cc/0x340
  [ 31.541086] [<ffffff80080d8368>] worker_thread+0x48/0x430
  [ 31.546814] [<ffffff80080de448>] kthread+0x108/0x138
  [ 31.552195] [<ffffff8008082ec0>] ret_from_fork+0x10/0x50

In order to ensure that the "sta" remains alive (and consistent) for the duration of bss_info_changed() mutual exclusion has to be ensured with sta_remove(). This is done by introducing a mutex to cover firmware configuration changes, which is made to also ensure mutual exclusion between other operations changing the state or configuration of the firmware. With this we can drop the rcu read lock.

Cc: stable@vger.kernel.org Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Andy Shevchenko authored
There are new types and helpers that are supposed to be used in new code. As a preparation to get rid of legacy types and API functions do the conversion here. Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Rakesh Pillai authored
The rx ring buffers are added to a hash table if firmware supports full rx reorder. If the full rx reorder support flag is not set before allocating the rx ring buffers, none of the buffers are added to the hash table.

There is a race condition between rx ring refill and rx buffer replenish from napi poll. The interrupts are enabled in hif start, before the rx ring is refilled during init. We replenish buffers from napi poll due to the interrupts which get enabled after hif start. Hence before the entire rx ring is refilled during the init, the napi poll replenishes a few buffers in steps of 100 buffers per attempt. During this rx ring replenish from napi poll, the rx reorder flag has not been set due to which the replenished buffers are not added to the hash table.

Set the rx full reorder support flag before we allocate the rx ring buffer to avoid the memory leak.

Signed-off-by: Rakesh Pillai <pillair@qti.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Gabriel Craciunescu authored
Each time we get disconnected from AP we get flooded with messages like:

  ...
  ath10k_pci 0000:03:00.0: no channel configured; ignoring frame(s)!
  <until ratelimit kicks in>
  ath10k_warn: 155 callbacks suppressed
  ...

Use ath10k_dbg() here too.

Signed-off-by: Gabriel Craciunescu <nix.or.die@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
- 03 Aug, 2017 11 commits
-
Rob Clark authored
Fixes splat:

  wcn36xx a204000.wcnss:smd-edge:wcnss:wifi: DMA-API: device driver failed to check map error[device address=0x00000000b45ba000] [size=3872 bytes] [mapped as single]
  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 0 at ../lib/dma-debug.c:1167 check_unmap+0x474/0x8d0
  Modules linked in: bnep(E) arc4(E) wcn36xx(E) mac80211(E) btqcomsmd(E) btqca(E) bluetooth(E) cfg80211(E) ecdh_generic(E) rfkill(E) vfat(E) fat(E) wcnss_ctrl qcom_wcnss_pil(E) mdt_loader(E) qcom_common(E) remoteproc(E) crc32_ce(E) virtio_ring(E) snd_soc_lpass_apq8016(E) snd_soc_lpass_cpu(E) virtio(E) snd_soc_lpass_platform(E) leds_gpio(E) snd_soc_hdmi_codec(E) snd_soc_apq8016_sbc(E) snd_soc_msm8916_digital(E) snd_soc_core(E) qcom_spmi_temp_alarm(E) ac97_bus(E) snd_pcm_dmaengine(E) snd_seq(E) snd_seq_device(E) snd_pcm(E) spi_qup(E) nvmem_qfprom(E) snd_timer(E) snd(E) soundcore(E) msm_rng(E) qcom_tsens(E) nvmem_core(E) uas(E) usb_storage(E) dm9601(E) cdc_ether(E) usbnet(E) mii(E) mmc_block(E) sdhci_msm(E) sdhci_pltfm(E) qcom_spmi_vadc(E) qcom_vadc_common(PE) clk_smd_rpm(E) industrialio(E) qcom_smd_regulator(E) pinctrl_spmi_mpp(E) pinctrl_spmi_gpio(E) rtc_pm8xxx(E) adv7511(E) smd_rpm(E) qcom_spmi_pmic(E) regmap_spmi(E) phy_msm_usb(E) usb3503(E) extcon_usb_gpio(E) ci_hdrc_msm(E) ci_hdrc(E) qcom_hwspinlock(E) udc_core(E) extcon_core(E) ehci_msm(E) i2c_qup(E) sdhci(E) msm(E) mmc_core(E) drm_kms_helper(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) spmi_pmic_arb(E) drm(E) spmi(E) qcom_smd(E) rpmsg_core smsm(E) gpio_keys(E) smp2p(E) smem(E) hwspinlock_core(E) sunrpc(E) scsi_transport_iscsi(E)
  CPU: 0 PID: 0 Comm: swapper/0 Tainted: P E 4.12.0-rc7+ #1476
  Hardware name: qualcomm dragonboard410c/dragonboard410c, BIOS 2017.07-rc1-00234-g22fa70a-dirty 06/26/2017
  task: ffff000009049780 task.stack: ffff000009030000
  PC is at check_unmap+0x474/0x8d0
  LR is at check_unmap+0x474/0x8d0
  ...
  Mapped at:
  dma_entry_alloc+0x68/0xa8
  debug_dma_map_page+0x94/0x148
  wcn36xx_dxe_fill_skb.isra.1+0xbc/0xf8 [wcn36xx]
  wcn36xx_dxe_init+0x244/0x398 [wcn36xx]
  wcn36xx_start+0xf4/0x298 [wcn36xx]

Signed-off-by: Rob Clark <robdclark@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Rosen Penev authored
Add the Dell Wireless 1802 card as an AR9462 in the ath9k pci list. Note that the wowlan feature is supported and has been tested successfully. Signed-off by: Rosen Penev <rosenp@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Christoph Fritz authored
This patch fixes a trivial debugfs file permission issue. Debugfs file ack_to has no write function, so S_IWUSR gets purged. Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Philipp Zabel authored
Commit a53e35db ("reset: Ensure drivers are explicit when requesting reset lines") started to transition the reset control request API calls to explicitly state whether the driver needs exclusive or shared reset control behavior. Convert all drivers requesting exclusive resets to the explicit API call so the temporary transition helpers can be removed. No functional changes. Cc: Kalle Valo <kvalo@qca.qualcomm.com> Cc: ath10k@lists.infradead.org Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Manikanta Pubbisetty authored
WMI interface for all the firmwares(except QCA6174) does not include the type of peer(default/bss/tdls) requested during peer creation, therefore target creates a default peer. TDLS implementation on 10.4 firmware requires host to configure the peer type(tdls) for TDLS peers. This patch adds peer type parameter to the existing WMI interface for peer creation to accommodate this requirement. Tested this change on QCA9888(10.4-3.5.1-00018) and QCA988x(10.2.4.70.9-2) with ping tests for AP/STA modes. Signed-off-by: Manikanta Pubbisetty <mpubbise@qti.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Manikanta Pubbisetty authored
This patch adds the support of TDLS feature for 10.4 firmware versions. A new WMI service is added to advertise the support of TDLS for 10.4 firmwares. Signed-off-by: Manikanta Pubbisetty <mpubbise@qti.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Manikanta Pubbisetty authored
Though there is room to accommodate 512 services in wmi service ready event, target uses only first 4-bits of each 32-bit word for advertising wmi services thereby limiting max wmi services to 64. TDLS implementation for 10.4 firmwares introduces new wmi services by making use of remaining unused bits of each 32-bit word, therefore the wmi service mapping in host needs to be extended. This patch adds the logic to extend the wmi SVCMAP to accommodate new wmi services. Signed-off-by: Manikanta Pubbisetty <mpubbise@qti.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Erik Stromdahl authored
As suggested by Arnd Bergmann, replace "while (time_before_...) {}" with "do {} while (time_before_...)"

This fixes the following warnings detected by gcc 4.1.2:

  drivers/net/wireless/ath/ath10k/sdio.c: In function ‘ath10k_sdio_mbox_rxmsg_pending_handler’:
  drivers/net/wireless/ath/ath10k/sdio.c:676: warning: ‘ret’ may be used uninitialized in this function
  ...
  drivers/net/wireless/ath/ath10k/sdio.c: In function ‘ath10k_sdio_irq_handler’:
  drivers/net/wireless/ath/ath10k/sdio.c:1331: warning: ‘ret’ may be used uninitialized in this function

Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Erik Stromdahl authored
Chipsets like QCA9377 have support for USB so add initial USB bus support to ath10k. With this patch we have the low level HIF and HTC protocol working and it's possible to boot the firmware, but it's still not possible to connect or anything like. More changes are needed for full functionality. For that reason we print during initialisation: WARNING: ath10k USB support is incomplete, don't expect anything to work! Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Erik Stromdahl authored
Definitions for USB based chipsets Signed-off-by: Erik Stromdahl <erik.stromdahl@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
Matthias Frei authored
Set the a-mpdu reference number in ath10k to make it accessible in the receivers radiotap header. Implemented as in ath9k. The reference number is needed for troubleshooting and research at the receivers site (e.g. to identify mpdu's that were aggregated in an a-mpdu) Signed-off-by: Matthias Frei <mf@frei.media> [kvalo@qca.qualcomm.com: fix checkpatch warning, commit log cleanup] Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
-
- 28 Jul, 2017 1 commit
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Kalle Valo authored
ath.git patches for 4.14. Major changes:

ath10k

* preparation for wcn3990 support
-
- 27 Jul, 2017 4 commits
-
Cong Wang authored
This fixes the following kernel warning:

  [ 5668.771453] BUG: spinlock bad magic on CPU#0, kworker/u2:3/9745
  [ 5668.771850] lock: 0xce63ef20, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0
  [ 5668.772277] CPU: 0 PID: 9745 Comm: kworker/u2:3 Tainted: G W 4.12.0-03002-gec979a4-dirty #40
  [ 5668.772796] Hardware name: Nokia RX-51 board
  [ 5668.773071] Workqueue: phy1 wl1251_irq_work
  [ 5668.773345] [<c010c9e4>] (unwind_backtrace) from [<c010a274>] (show_stack+0x10/0x14)
  [ 5668.773803] [<c010a274>] (show_stack) from [<c01545a4>] (do_raw_spin_lock+0x6c/0xa0)
  [ 5668.774230] [<c01545a4>] (do_raw_spin_lock) from [<c06ca578>] (_raw_spin_lock_irqsave+0x10/0x18)
  [ 5668.774658] [<c06ca578>] (_raw_spin_lock_irqsave) from [<c048c010>] (wl1251_op_tx+0x38/0x5c)
  [ 5668.775115] [<c048c010>] (wl1251_op_tx) from [<c06a12e8>] (ieee80211_tx_frags+0x188/0x1c0)
  [ 5668.775543] [<c06a12e8>] (ieee80211_tx_frags) from [<c06a138c>] (__ieee80211_tx+0x6c/0x130)
  [ 5668.775970] [<c06a138c>] (__ieee80211_tx) from [<c06a3dbc>] (ieee80211_tx+0xdc/0x104)
  [ 5668.776367] [<c06a3dbc>] (ieee80211_tx) from [<c06a4af0>] (__ieee80211_subif_start_xmit+0x454/0x8c8)
  [ 5668.776824] [<c06a4af0>] (__ieee80211_subif_start_xmit) from [<c06a4f94>] (ieee80211_subif_start_xmit+0x30/0x2fc)
  [ 5668.777343] [<c06a4f94>] (ieee80211_subif_start_xmit) from [<c0578848>] (dev_hard_start_xmit+0x80/0x118)
  ...

by adding the missing spin_lock_init().

Reported-by: Pavel Machek <pavel@ucw.cz> Cc: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Acked-by: Pavel Machek <pavel@ucw.cz> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Florian Fainelli authored
Broadcom BCM53573 SoCs actually have 32 GPIOs, and not 16. Fixes: 3f37ec79 ("bcma: support BCM53573 series of wireless SoCs") Signed-off-by: Florian Fainelli <f.fainelli@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Colin Ian King authored
The current code kfree's entry and then dereferences it by accessing entry->bssid. Avoid the dereference-after-free by moving the kfree after the access to entry->bssid. Detected by CoverityScan, CID#1448600 ("Read from pointer after free") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-
Brian Norris authored
mwifiex records information about various channels as it receives scan information. It does this by appending to a buffer that was sized to the max number of supported channels on any band, but there are numerous problems:

(a) scans can return info from more than one band (e.g., both 2.4 and 5 GHz), so the determined "max" is not large enough
(b) some firmware appears to return multiple results for a given channel, so the max *really* isn't large enough
(c) there is no bounds checking when stashing these stats, so problems (a) and (b) can easily lead to buffer overflows

Let's patch this by setting a slightly-more-correct max (that accounts for a combination of both 2.4G and 5G bands) and adding a bounds check when writing to our statistics buffer.

Due to problem (b), we still might not properly report all known survey information (e.g., with "iw <dev> survey dump"), since duplicate results (or otherwise "larger than expected" results) will cause some truncation. But that's a problem for a future bugfix. (And because of this known deficiency, only log the excess at the WARN level, since that isn't visible by default in this driver and would otherwise be a bit too noisy.)

Fixes: bf354433 ("mwifiex: channel statistics support for mwifiex") Cc: <stable@vger.kernel.org> Cc: Avinash Patil <patila@marvell.com> Cc: Xinming Hu <huxm@marvell.com> Signed-off-by: Brian Norris <briannorris@chromium.org> Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Reviewed-by: Ganapathi Bhat <gbhat@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-