During testing in ARM32 platforms, observed below kernel panic, as driver
accessing data beyond the allocated memory while submitting URB to USB.
Fix: Resolved this by specifying correct length by considering 64 bit
alignment. so that, USB bus driver will access only allocated memory.
Unit-test: Tested and confirm that driver bring up and scanning,
connection and data transfer works fine with this fix.
...skipping...
[ 25.389450] Unable to handle kernel paging request at virtual
address 5aa11422
[ 25.403078] Internal error: Oops: 5 [#1] SMP ARM
[ 25.407703] Modules linked in: rsi_usb
[ 25.411473] CPU: 1 PID: 317 Comm: RX-Thread Not tainted 4.18.0-rc7 #1
[ 25.419221] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
[ 25.425764] PC is at skb_release_data+0x90/0x168
[ 25.430393] LR is at skb_release_all+0x28/0x2c
[ 25.434842] pc : [<807435b0>] lr : [<80742ba0>] psr: 200e0013 5aa1141e
[ 25.464633] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
[ 25.477524] Process RX-Thread (pid: 317, stack limit = 0x(ptrval))
[ 25.483709] Stack: (0xedf69ed8 to 0xedf6a000)
[ 25.569907] Backtrace:
[ 25.572368] [<80743520>] (skb_release_data) from [<80742ba0>]
(skb_release_all+0x28/0x2c)
[ 25.580555] r9:7f00258c r8:00000001 r7:ee355000 r6:eddab0d0
r5:eddab000 r4:eddbb840
[ 25.588308] [<80742b78>] (skb_release_all) from [<807432cc>]
(consume_skb+0x30/0x50)
[ 25.596055] r5:eddab000 r4:eddbb840
[ 25.599648] [<8074329c>] (consume_skb) from [<7f00117c>]
(rsi_usb_rx_thread+0x64/0x12c [rsi_usb])
[ 25.608524] r5:eddab000 r4:eddbb840
[ 25.612116] [<7f001118>] (rsi_usb_rx_thread [rsi_usb]) from
[<80142750>] (kthread+0x11c/0x15c)
[ 25.620735] r10:ee9ff9e0 r9:edcde3b8 r8:ee355000 r7:edf68000
r6:edd3a780 r5:00000000
[ 25.628567] r4:edcde380
[ 25.631110] [<80142634>] (kthread) from [<801010e8>]
(ret_from_fork+0x14/0x2c)
[ 25.638336] Exception stack(0xedf69fb0 to 0xedf69ff8)
[ 25.682929] ---[ end trace 8236a5496f5b5d3b ]---
Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
strnchr takes arguments in the order of its name: string, max bytes to
read, character to search for. Here we're passing '\n' aka 10 as the
buffer size, and searching for sizeof(buf) aka BRCMF_DCMD_SMLEN aka
256 (aka '\0', since it's implicitly converted to char) within those 10
bytes.
Just interchanging the last two arguments would still leave a bug,
because if we've been successful once, there are not sizeof(buf)
characters left after the new value of p.
Since clmver is immediately afterwards passed as a %s argument, I assume
that it is actually a properly nul-terminated string. For that case, we
have strreplace().
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
The problem with this copy_to_user() calls is that they don't ensure
that "size" is less than the "length" which the user provided.
Obviously, this is debugfs and "size" is normally going to be very small
so it probably doesn't matter, but this is the correct thing to do.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
USB suspend handler will kill the presubmitted rx_cmd URB. This
triggers a call to the corresponding URB complete handler, which
will free the rx_cmd skb, associated with rx_cmd URB. Due to a
possible race betwen suspend handler and main thread, depicted in
'commit bfcacac6c84b ("mwifiex: do no submit URB in suspended
state")', it is possible that the rx_cmd skb will fail to get
freed. This causes a memory leak, since the resume handler will
always allocate a new rx_cmd skb.
To fix this, free the rx_cmd skb in mwifiex_usb_submit_rx_urb, if
the device is in suspended state.
Signed-off-by: Vidya Dharmaraju <vidyad@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
There is a possible race between USB suspend and main thread:
1. After processing the command response, main thread will submit
rx_cmd URB back so as to process next command response, by
calling mwifiex_usb_submit_rx_urb.
2. During USB suspend, the suspend handler will check if rx_cmd
URB is pending(submitted) and if true, kill this URB.
There is a possible race between #1 and #2, where rx_cmd URB will
be submitted by main thread(#1) after the suspend handler check
in #2.
To fix this, check if device is already suspended in
mwifiex_usb_submit_rx_urb, in which case do not submit the URB.
Signed-off-by: Vidya Dharmaraju <vidyad@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
In gcc8, when the 3rd argument (size) of a call to strncpy() matches the
length of the first argument, the compiler warns of the possibility of an
unterminated string. Using strlcpy() forces a null at the end.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Array encaps_hdr and macro ENCAPS_OVERHEAD are declared but are
not being used, hence they are redundant and can be removed.
Cleans up clang warning:
warning: 'encaps_hdr' defined but not used [-Wunused-const-variable=]
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Add 4-way handshake offload detection for FT with EAP authentication.
Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Add WLAN_AKM_SUITE_FT_8021X and WLAN_AKM_SUITE_FT_PSK in
brcmf_set_key_mgmt() for FT support.
Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
CYW89342 is a 2x2 MIMO, 802.11a/b/g/n/ac for WLAN. It is a member of
4355/4359 family.
Signed-off-by: Jia-Shyr Chuang <saint.chuang@cypress.com>
Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
corrupting memory.
Fixes: c305a19a0d ("libertas_tf: usb specific functions")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
A 2x2 unit with a USB dock for optimal placement.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Remove unnecessary parentheses to fix the extraneous parentheses clang
warning.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Remove the unnecessary parentheses to fix the clang warning of
extraneous parentheses.
Signed-off-by: Varsha Rao <rvarsha016@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
* One fix for channel-switch handling;
* Some improvements in the HE code;
* New FW API handling;
* Improvements in the debugging code;
* Some improvements in the PCI recovery mechanism;
* Support for a few FW API changes;
* Enable a new scanning feature;
* Continued work on HE (mostly radiotap);
* Some fixes in the FW rate-scaling implementation;
* Other clean-ups and small fixes and improvements;
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEF3LNfgb2BPWm68smoUecoho8xfoFAluI/0QACgkQoUecoho8
xfpq1g/9GXjQprSzVI0YPClmiT7mHTJSG2qNcQv2D3Hsguf1j6IQ9LUuusyqCQWH
oTrXFhonETWU6ZSodd5SRG5HqxgndDx39dEjoBLh7oogHCpYlShlB1Np/Nnl4Ior
lMrLULrHY5I8DqjwdHN27KfbBI2gu25kuwPXxolAs1Vb0uf51VHoUDzu+HDik5w3
7oaYqJnGA6H1oAuTVkY53kQ1lPAFS7TqZbvJfNAQcDvQQ71H36x95hKa9a47oJGh
/WT9qAp8QHWeM0cN7BtJOWSgJPcQ4UmWKNp2vky2sozd+mS1e2iSQmiJ7poSejkn
7yef/vKO86KF7B0tOQie0jDzok1VkRj92Dw5gwSmpJbHI0RtoLGvyrE4LzErSFi9
SEKpC5dS/dLtWc+wytiO/k3XAh7vSOQsOCfsoqoU5l7XTehiCRfUI2p1wPXc7Xo+
z+Q4vo7a1S5903aVFZWs9FVm/3hEu2FNG8xcIUwcuWO+Ma5X/c3xzkhvB8nIy1mx
2Z8TjSgQjpVfVZagKQc/GHHTundnp0sdQi1qUZ7WGY0wj831tWxHKJ3K3knGsMmU
UHG0+kegHQ09ieSH/0yArHohf77u7viLnzgDIJhOpcfC79Lx45HVP08K4iET+/k0
saq2JUT22Cx/vEo7dioLhJvaMk6auFLpjZJ5ZUMSEbqQqmhLRwA=
=4JQU
-----END PGP SIGNATURE-----
Merge tag 'iwlwifi-next-for-kalle-2018-08-31' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next
iwlwifi patches for 4.20
* One fix for channel-switch handling;
* Some improvements in the HE code;
* New FW API handling;
* Improvements in the debugging code;
* Some improvements in the PCI recovery mechanism;
* Support for a few FW API changes;
* Enable a new scanning feature;
* Continued work on HE (mostly radiotap);
* Some fixes in the FW rate-scaling implementation;
* Other clean-ups and small fixes and improvements;
The devices with PCI device ID 0x34F0 are part of the SoC and can be
combined with some different external RF modules. The configuration
for these devices should reflect that, but are currently mixed up. To
avoid confusion with discrete devices, add part of the firmware to be
used and the official name of the device to the cfg structs.
This is least reorganization possible (without messing things even
more) that could be done as a bugfix for this SoC. Further
reorganization of this code will be done separately.
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This reverts the addition of memory type in the memory debug TLV
as the firmware never ended up implementing it, and now the PRPH
dump is added as a different TLV.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
In case of fragmented scan on the HB channels, configure EBS to be
fragmented as well.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Support more txq_alloc command types by moving the command declaration
to the gen specific area. While at it, move some of the code segments
to a common place for re-use.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Decode the HE TB PPDU data that we get in sniffer mode
and use it to populate the HE radiotap information.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Add flags to the tlc_cfg_cmd for signaling peer support for receiving
Dual Carrier Modulation at BPSK (MCS 0), and set them according to peer
capabilities.
Signed-off-by: Naftali Goldstein <naftali.goldstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
In the HE phy capabilities IE there are 2 bits to signal support for
STBC in bandwidths of 80Mhz or less, and of 160Mhz.
Use these bits to determine STBC support if this IE exists.
Signed-off-by: Naftali Goldstein <naftali.goldstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Make all FW debug data stop recording flows to use
iwl_fw_dbg_stop_recording function instead of writing to FW
registers directly.
Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Allow access to the memory by the host and the device simultaneously.
This will be needed in some future patches.
Signed-off-by: Shahar S Matityahu <shahar.s.matityahu@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
As with the non-offloaded rs case, during assoc on the ap side the phy
context is set to 20MHz until authorization of a client that supports
wider channel-widths. Support this by sending the initial
tlc_config_cmd with max supported channel width of 20MHz until
authorization succeeds.
Fixes: 6b7a5aea71 ("iwlwifi: mvm: always init rs with 20mhz bandwidth rates")
Signed-off-by: Naftali Goldstein <naftali.goldstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Probe responses were sent to the multicast station while
they should be routed to the broadcast station.
This has no negative effect since the frame was still
routed to the right queue, but it looked very fishy
to send a frame to a (queue, station) tuple where
'queue' is not mapped to 'station'.
Fixes: 7c305de2b9 ("iwlwifi: mvm: Direct multicast frames to the correct station")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
In the new method of parsing the NVM the disable_11n module parameter
isn't consulted when setting up HT capabilities. Fix this.
Signed-off-by: Ido Yariv <idox.yariv@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
If the bandwidth is only 20 MHz, then the second channel doesn't
exist, but the hardware reports the CRC was OK. Suppress the data
of the second channel in the HE radiotap in this case, by marking
it as not known.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This is the same as for SU PPDUs, so it's easy to do.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The GI duration depends on the frame type in some cases,
take that into account when decoding for radiotap.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
I evidently completely confused "number of LTF symbols" and "LTF size".
Radiotap was reporting the former, while I thought it was the latter,
and we really need both.
Add the LTF symbol size into the newly defined field in radiotap.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Implement the extended HE-MU info type decoding to show the HE-SIG-B
common contents in the HE-MU radiotap field.
The DW4 data is partially overwritten by the hardware in all cases, so
only the higher 16 bits can be used. To be able to use it for the HE
SIG-B common data anyway, move the bits around in the following way:
SIG-B common 0: DW 4 -> DW 7
SIG-B common 1: DW 7 -> DW 8
SIG-B common 2: DW 8 -> DW 4 (upper half)
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The Free Software Foundation address is superfluous and causes
checkpatch to issue a warning when present. Remove all paragraphs
with FSF's address to prevent that.
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
We offloaded all the RX configuration of init to firmware. However,
the configuration of interrupt coalescing was left hanging - it wasn't
offloaded nor was it written by host.
This write to the CSR is allowed in gen2, so the host can do it.
Without it we have various issues with RX fullness.
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The parameter that indicated whether the LQ command should be sent
as sync or async was removed, causing the LQ command to be sent as
sync from interrupt context (e.g. from the RX path). This resulted
in a kernel warning: "scheduling while atomic" and failing to send
the LQ command, which ultimately leads to a queue hang.
Fix it by adding back the required parameter to send the command as
sync only when it is allowed.
Fixes: d94c5a820d ("iwlwifi: mvm: open BA session only when sta is authorized")
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
When we receive TX response, we may release a few packets
due to a hole that was closed in the transmission window.
However, if that frame failed, we will mark all the released
frames as failed and will send multiple BARs.
This affects statistics badly, and cause unnecessary frames
transmission.
Instead, mark all the following packets as success, with the
desired result of sending a bar for the failed frame only.
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
There is a bug in FW where the sequence control may be
incorrect, and the driver overrides it with the value
of the ieee80211 header.
However, in BAR there is no sequence control in the header,
which result with arbitrary sequence.
This access to an unknown location is bad and it makes the
logs very confusing - so fix it.
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
When the NIC is disconnected, we just can't do anything
besides seeking for help from the bus driver. Dumping the
device's memory is not necessary and just bloats the logs
with unusable data. Moreover, asking mac80211 to restart
the hardware is also useless. Bypass all this.
Also, use the STATUS_TRANS_DEAD status bit instead of a
bool inside the transport layer. The advantage of this is
that now, the transport and the op_mode can know what is the
situation and bypass the useless recovery steps mentioned
above.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The new coex schema requires moving to SISO only when BT AG is 4.
Adjust the SISO criteria according to the coex schema version reported
by firmware.
Signed-off-by: Erel Geron <erelx.geron@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
When the NIC is disconnected from PCI bus, we are not
able to access it anymore. Check the status to avoid
some unnecessary work so can improve the performance.
It will help to make PCI bus rescan to bring back the
device much faster.
The real test is able to improve 7 seconds.
[w/o patch] It takes around 9 seconds
..
2018-04-20T01:22:39.691929-07:00 WARNING kernel:
[ 66.335881] Timeout waiting for hardware access (CSR_GP_CNTRL 0xffffffff)
..
2018-04-20T01:22:48.101094-07:00 INFO kernel:
[ 74.747364] iwlwifi 0000:01:00.0: loaded firmware version 29.610311.0 op_mode iwlmvm
[w/a patch] It takes about 2 seconds.
..
2018-04-20T01:18:16.454087-07:00 WARNING kernel:
[ 75.966860] Timeout waiting for hardware access (CSR_GP_CNTRL 0xffffffff)
..
2018-04-20T01:18:18.602717-07:00 INFO kernel:
[ 78.116132] iwlwifi 0000:01:00.0: loaded firmware version 29.610311.0 op_mode iwlmvm
..
Fixes: 49564a806f ("iwlwifi: pcie: remove non-responsive device")
Signed-off-by: Matt Chen <matt.chen@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
There's no point in warning here, the user will just get an
error back to the debugfs file write, and warning just makes
it seem like there's an internal consistency problem when in
reality the user just happened to hit this at a bad time.
Remove the warning.
Fixes: f45f979dc2 ("iwlwifi: mvm: disable dbg data collect when fw isn't alive")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Every rx mpdu cmd is built from cmd_hdr | 80211_hdr. The problem is
that the size of cmd_hdr changes with API changes and we don't know
where the 80211_hdr starts.
By adding the size of cmd_hdr dynamically, we can ensure that we always
know how to parse mpdu frames, without dependending on the API changes.
Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This will allow using the same init in future generations.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Store the default rxq number in a variable, so we won't need
to use the actual number in the code.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Update reduce tx power command API to be compatible with new FW API.
Signed-off-by: Haim Dreyfuss <haim.dreyfuss@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
While associated in low latency mode, or when traffic load is high,
don't enable EBS in scan request if fragmented EBS is not supported
by the FW.
Signed-off-by: Ayala Beker <ayala.beker@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The Free Software Foundation's address shouldn't be in the license
notice anymore, and some of our check scripts complain about it
(via checkpatch.pl). Remove the address to silence it.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This is used only within PCIe, and there's no reason to go through
the transport methods for a function call within PCIe itself.
Remove the dump_regs() method and call the function directly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Allow other device generations to use the utilities that
are used to send and reclaim host commands and to allocate
rx, by making it non-static.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
We would like to allow using tx init code for other queues but
the command queue - for newer devices.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>