Lorenzo Bianconi [Fri, 24 Aug 2018 08:17:49 +0000 (10:17 +0200)]
mt76x2u: run device cleanup routine if resume fails
Cleanup {tx,rx} and mcu queues if resume operation fails
Fixes: ee676cd5017c ("mt76: add driver code for MT76x2u based devices") Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
mt76: Fix comparisons with invalid hardware key index
With gcc 4.1.2:
drivers/net/wireless/mediatek/mt76/mt76x0/tx.c: In function ‘mt76x0_tx’:
drivers/net/wireless/mediatek/mt76/mt76x0/tx.c:169: warning: comparison is always true due to limited range of data type
drivers/net/wireless/mediatek/mt76/mt76x2_tx_common.c: In function ‘mt76x2_tx’:
drivers/net/wireless/mediatek/mt76/mt76x2_tx_common.c:35: warning: comparison is always true due to limited range of data type
While assigning -1 to a u8 works fine, comparing with -1 does not work
as expected.
Fix this by comparing with 0xff, like is already done in some other
places.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Siva Rebbagondla [Mon, 27 Aug 2018 11:35:15 +0000 (17:05 +0530)]
rsi: improve kernel thread handling to fix kernel panic
While running regressions, observed below kernel panic when sdio disconnect
called. This is because of, kthread_stop() is taking care of
wait_for_completion() by default. When wait_for_completion triggered
in kthread_stop and as it was done already, giving kernel panic.
Hence, removing redundant wait_for_completion() from rsi_kill_thread().
Rasmus Villemoes [Wed, 22 Aug 2018 13:22:15 +0000 (15:22 +0200)]
brcmfmac: fix wrong strnchr usage
strnchr takes arguments in the order of its name: string, max bytes to
read, character to search for. Here we're passing '\n' aka 10 as the
buffer size, and searching for sizeof(buf) aka BRCMF_DCMD_SMLEN aka
256 (aka '\0', since it's implicitly converted to char) within those 10
bytes.
Just interchanging the last two arguments would still leave a bug,
because if we've been successful once, there are not sizeof(buf)
characters left after the new value of p.
Since clmver is immediately afterwards passed as a %s argument, I assume
that it is actually a properly nul-terminated string. For that case, we
have strreplace().
Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Dan Carpenter [Wed, 22 Aug 2018 10:41:26 +0000 (13:41 +0300)]
rt2x00: use simple_read_from_buffer()
The problem with this copy_to_user() calls is that they don't ensure
that "size" is less than the "length" which the user provided.
Obviously, this is debugfs and "size" is normally going to be very small
so it probably doesn't matter, but this is the correct thing to do.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Acked-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Ganapathi Bhat [Tue, 21 Aug 2018 07:53:02 +0000 (13:23 +0530)]
mwifex: free rx_cmd skb in suspended state
USB suspend handler will kill the presubmitted rx_cmd URB. This
triggers a call to the corresponding URB complete handler, which
will free the rx_cmd skb, associated with rx_cmd URB. Due to a
possible race betwen suspend handler and main thread, depicted in
'commit bfcacac6c84b ("mwifiex: do no submit URB in suspended
state")', it is possible that the rx_cmd skb will fail to get
freed. This causes a memory leak, since the resume handler will
always allocate a new rx_cmd skb.
To fix this, free the rx_cmd skb in mwifiex_usb_submit_rx_urb, if
the device is in suspended state.
Signed-off-by: Vidya Dharmaraju <vidyad@marvell.com> Signed-off-by: Cathy Luo <cluo@marvell.com> Signed-off-by: Ganapathi Bhat <gbhat@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Ganapathi Bhat [Tue, 21 Aug 2018 07:53:01 +0000 (13:23 +0530)]
mwifiex: do no submit URB in suspended state
There is a possible race between USB suspend and main thread:
1. After processing the command response, main thread will submit
rx_cmd URB back so as to process next command response, by
calling mwifiex_usb_submit_rx_urb.
2. During USB suspend, the suspend handler will check if rx_cmd
URB is pending(submitted) and if true, kill this URB.
There is a possible race between #1 and #2, where rx_cmd URB will
be submitted by main thread(#1) after the suspend handler check
in #2.
To fix this, check if device is already suspended in
mwifiex_usb_submit_rx_urb, in which case do not submit the URB.
Signed-off-by: Vidya Dharmaraju <vidyad@marvell.com> Signed-off-by: Cathy Luo <cluo@marvell.com> Signed-off-by: Ganapathi Bhat <gbhat@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Larry Finger [Mon, 20 Aug 2018 18:48:31 +0000 (13:48 -0500)]
rtl8187: Fix warning generated when strncpy() destination length matches the sixe argument
In gcc8, when the 3rd argument (size) of a call to strncpy() matches the
length of the first argument, the compiler warns of the possibility of an
unterminated string. Using strlcpy() forces a null at the end.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Chung-Hsien Hsu [Wed, 15 Aug 2018 10:32:40 +0000 (05:32 -0500)]
brcmfmac: add 4-way handshake offload detection for FT-802.1X
Add 4-way handshake offload detection for FT with EAP authentication.
Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Chung-Hsien Hsu [Wed, 15 Aug 2018 10:32:39 +0000 (05:32 -0500)]
brcmfmac: add FT-based AKMs in brcmf_set_key_mgmt() for FT support
Add WLAN_AKM_SUITE_FT_8021X and WLAN_AKM_SUITE_FT_PSK in
brcmf_set_key_mgmt() for FT support.
Signed-off-by: Chung-Hsien Hsu <stanley.hsu@cypress.com> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Jia-Shyr Chuang [Wed, 15 Aug 2018 09:23:09 +0000 (04:23 -0500)]
brcmfmac: add CYW89342 mini-PCIe device
CYW89342 is a 2x2 MIMO, 802.11a/b/g/n/ac for WLAN. It is a member of
4355/4359 family.
Signed-off-by: Jia-Shyr Chuang <saint.chuang@cypress.com> Signed-off-by: Chi-Hsien Lin <chi-hsien.lin@cypress.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Dan Carpenter [Tue, 14 Aug 2018 09:07:48 +0000 (12:07 +0300)]
libertas_tf: prevent underflow in process_cmdrequest()
If recvlength is less than MESSAGE_HEADER_LEN (4) we would end up
corrupting memory.
Fixes: c305a19a0d0a ("libertas_tf: usb specific functions") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Rosen Penev [Sat, 11 Aug 2018 23:33:52 +0000 (16:33 -0700)]
mt76x2u: Add support for Alfa AWUS036ACM
A 2x2 unit with a USB dock for optimal placement.
Signed-off-by: Rosen Penev <rosenp@gmail.com> Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Kalle Valo [Fri, 31 Aug 2018 15:05:12 +0000 (18:05 +0300)]
Merge tag 'iwlwifi-next-for-kalle-2018-08-31' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next
iwlwifi patches for 4.20
* One fix for channel-switch handling;
* Some improvements in the HE code;
* New FW API handling;
* Improvements in the debugging code;
* Some improvements in the PCI recovery mechanism;
* Support for a few FW API changes;
* Enable a new scanning feature;
* Continued work on HE (mostly radiotap);
* Some fixes in the FW rate-scaling implementation;
* Other clean-ups and small fixes and improvements;
Luca Coelho [Wed, 15 Aug 2018 19:07:25 +0000 (22:07 +0300)]
iwlwifi: fix devices with PCI Device ID 0x34F0 and 11ac RF modules
The devices with PCI device ID 0x34F0 are part of the SoC and can be
combined with some different external RF modules. The configuration
for these devices should reflect that, but are currently mixed up. To
avoid confusion with discrete devices, add part of the firmware to be
used and the official name of the device to the cfg structs.
This is least reorganization possible (without messing things even
more) that could be done as a bugfix for this SoC. Further
reorganization of this code will be done separately.
Johannes Berg [Thu, 17 May 2018 14:02:36 +0000 (16:02 +0200)]
Revert "iwlwifi: allow memory debug TLV to specify the memory type"
This reverts the addition of memory type in the memory debug TLV
as the firmware never ended up implementing it, and now the PRPH
dump is added as a different TLV.
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Golan Ben Ami [Tue, 3 Apr 2018 15:37:51 +0000 (18:37 +0300)]
iwlwifi: refactor txq_alloc for supporting more command type
Support more txq_alloc command types by moving the command declaration
to the gen specific area. While at it, move some of the code segments
to a common place for re-use.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Add flags to the tlc_cfg_cmd for signaling peer support for receiving
Dual Carrier Modulation at BPSK (MCS 0), and set them according to peer
capabilities.
In the HE phy capabilities IE there are 2 bits to signal support for
STBC in bandwidths of 80Mhz or less, and of 160Mhz.
Use these bits to determine STBC support if this IE exists.
iwlwifi: mvm: always init rs_fw with 20MHz bandwidth rates
As with the non-offloaded rs case, during assoc on the ap side the phy
context is set to 20MHz until authorization of a client that supports
wider channel-widths. Support this by sending the initial
tlc_config_cmd with max supported channel width of 20MHz until
authorization succeeds.
iwlwifi: mvm: send BCAST management frames to the right station
Probe responses were sent to the multicast station while
they should be routed to the broadcast station.
This has no negative effect since the frame was still
routed to the right queue, but it looked very fishy
to send a frame to a (queue, station) tuple where
'queue' is not mapped to 'station'.
Fixes: 7c305de2b954 ("iwlwifi: mvm: Direct multicast frames to the correct station") Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Johannes Berg [Thu, 3 May 2018 11:35:08 +0000 (13:35 +0200)]
iwlwifi: mvm: remove channel 2 from HE radiotap if not applicable
If the bandwidth is only 20 MHz, then the second channel doesn't
exist, but the hardware reports the CRC was OK. Suppress the data
of the second channel in the HE radiotap in this case, by marking
it as not known.
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Johannes Berg [Wed, 2 May 2018 09:20:00 +0000 (11:20 +0200)]
iwlwifi: mvm: put LTF symbol size into HE radiotap
I evidently completely confused "number of LTF symbols" and "LTF size".
Radiotap was reporting the former, while I thought it was the latter,
and we really need both.
Add the LTF symbol size into the newly defined field in radiotap.
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Johannes Berg [Thu, 26 Apr 2018 11:14:26 +0000 (13:14 +0200)]
iwlwifi: mvm: implement extended HE-MU sniffer API
Implement the extended HE-MU info type decoding to show the HE-SIG-B
common contents in the HE-MU radiotap field.
The DW4 data is partially overwritten by the hardware in all cases, so
only the higher 16 bits can be used. To be able to use it for the HE
SIG-B common data anyway, move the bits around in the following way:
SIG-B common 0: DW 4 -> DW 7
SIG-B common 1: DW 7 -> DW 8
SIG-B common 2: DW 8 -> DW 4 (upper half)
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Luca Coelho [Fri, 24 Aug 2018 07:50:45 +0000 (10:50 +0300)]
iwlwifi: remove all occurrences of the FSF address paragraph
The Free Software Foundation address is superfluous and causes
checkpatch to issue a warning when present. Remove all paragraphs
with FSF's address to prevent that.
Sara Sharon [Mon, 23 Apr 2018 06:38:41 +0000 (09:38 +0300)]
iwlwifi: pcie: set interrupt coalescing also for gen2
We offloaded all the RX configuration of init to firmware. However,
the configuration of interrupt coalescing was left hanging - it wasn't
offloaded nor was it written by host.
This write to the CSR is allowed in gen2, so the host can do it.
Without it we have various issues with RX fullness.
Signed-off-by: Sara Sharon <sara.sharon@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Avraham Stern [Thu, 3 May 2018 12:02:16 +0000 (15:02 +0300)]
iwlwifi: mvm: Send LQ command as async when necessary
The parameter that indicated whether the LQ command should be sent
as sync or async was removed, causing the LQ command to be sent as
sync from interrupt context (e.g. from the RX path). This resulted
in a kernel warning: "scheduling while atomic" and failing to send
the LQ command, which ultimately leads to a queue hang.
Fix it by adding back the required parameter to send the command as
sync only when it is allowed.
Fixes: d94c5a820d10 ("iwlwifi: mvm: open BA session only when sta is authorized") Signed-off-by: Avraham Stern <avraham.stern@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
iwlwifi: improve the flow when a NIC is disconnected
When the NIC is disconnected, we just can't do anything
besides seeking for help from the bus driver. Dumping the
device's memory is not necessary and just bloats the logs
with unusable data. Moreover, asking mac80211 to restart
the hardware is also useless. Bypass all this.
Also, use the STATUS_TRANS_DEAD status bit instead of a
bool inside the transport layer. The advantage of this is
that now, the transport and the op_mode can know what is the
situation and bypass the useless recovery steps mentioned
above.
Matt Chen [Thu, 19 Apr 2018 07:18:00 +0000 (15:18 +0800)]
iwlwifi: pcie: avoid unnecessary work if NIC is disconnected
When the NIC is disconnected from PCI bus, we are not
able to access it anymore. Check the status to avoid
some unnecessary work so can improve the performance.
It will help to make PCI bus rescan to bring back the
device much faster.
The real test is able to improve 7 seconds.
[w/o patch] It takes around 9 seconds
..
2018-04-20T01:22:39.691929-07:00 WARNING kernel:
[ 66.335881] Timeout waiting for hardware access (CSR_GP_CNTRL 0xffffffff)
..
2018-04-20T01:22:48.101094-07:00 INFO kernel:
[ 74.747364] iwlwifi 0000:01:00.0: loaded firmware version 29.610311.0 op_mode iwlmvm
[w/a patch] It takes about 2 seconds.
..
2018-04-20T01:18:16.454087-07:00 WARNING kernel:
[ 75.966860] Timeout waiting for hardware access (CSR_GP_CNTRL 0xffffffff)
..
2018-04-20T01:18:18.602717-07:00 INFO kernel:
[ 78.116132] iwlwifi 0000:01:00.0: loaded firmware version 29.610311.0 op_mode iwlmvm
..
Johannes Berg [Thu, 19 Apr 2018 08:57:08 +0000 (10:57 +0200)]
iwlwifi: don't WARN on trying to dump dead firmware
There's no point in warning here, the user will just get an
error back to the debugfs file write, and warning just makes
it seem like there's an internal consistency problem when in
reality the user just happened to hit this at a bad time.
Remove the warning.
Fixes: f45f979dc208 ("iwlwifi: mvm: disable dbg data collect when fw isn't alive") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Every rx mpdu cmd is built from cmd_hdr | 80211_hdr. The problem is
that the size of cmd_hdr changes with API changes and we don't know
where the 80211_hdr starts.
By adding the size of cmd_hdr dynamically, we can ensure that we always
know how to parse mpdu frames, without dependending on the API changes.
Golan Ben Ami [Wed, 4 Apr 2018 05:56:05 +0000 (08:56 +0300)]
iwlwifi: remove FSF's address from the license notice
The Free Software Foundation's address shouldn't be in the license
notice anymore, and some of our check scripts complain about it
(via checkpatch.pl). Remove the address to silence it.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Johannes Berg [Wed, 11 Apr 2018 14:17:00 +0000 (16:17 +0200)]
iwlwifi: remove dump_regs() from transport ops
This is used only within PCIe, and there's no reason to go through
the transport methods for a function call within PCIe itself.
Remove the dump_regs() method and call the function directly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Golan Ben Ami [Tue, 3 Apr 2018 13:39:18 +0000 (16:39 +0300)]
iwlwifi: add required include to iwl-fh.h
Some variables are used in iwl-fh.h, but their type's definition
isn't included. This may break compilation when using the file
without including the necessary dependencies first.
Add the required include to iwl-fh.h.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Gregory Greenman [Mon, 22 Jan 2018 05:38:12 +0000 (07:38 +0200)]
iwlwifi: mvm: add NOA and CSA to a probe response
A probe response built by a P2P GO should contain:
1. CSA/eCSA IE when relevant
2. If the corresponding probe request had P2P IE, then
need to add P2P IE with NOA attributes.
However, the NOA attributes and the updated channel switch
counter are known only to the FW. The solution is that FW
will send a notification with the relevant probe response
data and the driver will save it and update the probe
response accordingly.
Luca Coelho [Mon, 26 Mar 2018 07:24:18 +0000 (10:24 +0300)]
iwlwifi: mvm: support new WoWLAN status FW API
A new FW API has been added for WOWLAN_GET_STATUSES to support
multiple GTK keys and IGTK keys. Check the respective TLV and use the
new API when it is set.
Let most of the code use the new version (v7) and convert the old
version (v6) to the new one when needed.
Also refactor some functions a bit so that they can be reused more
easily. Particularly the part that calls WOWLAN_GET_STATUSES which is
reused in D3 and D0i3.
Avraham Stern [Tue, 20 Mar 2018 15:05:06 +0000 (17:05 +0200)]
iwlwifi: set the tid for non-QOS frames to zero
The tid for Non-QOS frames is set to IWL_MAX_TID_COUNT. This value
is also used for configuring the queue for non-QOS data. However, this
tid is used by the FW for management queues. As a result, the FW
does not encrypt non-QOS data frames.
Fix this by setting the tid for non-QOS data frames to zero, which
is a valid value for data frames in the FW.
This also fixes a bug in sending multicast frames, where the queues
are allocated with tid == 0, but are sent with tid == 8, which may
lead to unexpected behavior.
iwlwifi: runtime: avoid calling debugfs read functions more than once
Upon first calling read() on a debugfs file, invoke
iwl_dbgfs_##name##_read and store the response buffer on the heap, so
subsequent read() calls don't need to invoke said function again.
This is done because cat etc will call read() repeatedly until EOF is
reached (or read() returns 0), which in the current implementation will
cause said function to be invoked multiple times.
With the current implementation this can also cause buggy behavior in
some weird edge cases where the first invocation returns a string of
length n, and the second of length m>n: The last m-n characters of
the second invocation will be printed to screen.
Sven Eckelmann [Fri, 24 Aug 2018 12:04:59 +0000 (15:04 +0300)]
ath10k: limit available channels via DT ieee80211-freq-limit
Tri-band devices (1x 2.4GHz + 2x 5GHz) often incorporate special filters in
the RX and TX path. These filtered channel can in theory still be used by
the hardware but the signal strength is reduced so much that it makes no
sense.
There is already a DT property to limit the available channels but ath10k
has to manually call this functionality to limit the currrently set wiphy
channels further.
Signed-off-by: Sven Eckelmann <sven.eckelmann@openmesh.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Maya Erez [Thu, 23 Aug 2018 11:47:11 +0000 (14:47 +0300)]
wil6210: fix RX buffers release and unmap
RX SKBs are released in both wil6210 rmmod and RX handle.
As there is no lock to protect the buffers DMA unmap,
the SKB pointer in buff_arr is used to check if the buffer
memory was already released.
Setting wil->rx_buff_mgmt.buff_arr[buff_id].skb to NULL before the DMA
memory unmap will prevent duplicate unmapping of the same memory.
Move the buffer ID to the free list also in case the SKB is NULL.
Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Maya Erez [Thu, 23 Aug 2018 11:47:10 +0000 (14:47 +0300)]
wil6210: prevent usage of tx ring 0 for eDMA
In enhanced DMA ring 0 is used for RX ring, hence TX ring 0
is an unused element in ring_tx and ring2cid_tid arrays.
Initialize ring2cid_tid CID to WIL6210_MAX_CID to prevent a false
match of CID 0.
Go over the ring_tx and ring2cid_tid from wil_get_min_tx_ring_id
and on to prevent access to index 0 in eDMA.
Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Maya Erez [Thu, 23 Aug 2018 11:47:09 +0000 (14:47 +0300)]
wil6210: allocate rx reorder buffer only if rx reorder is enabled
wil_addba_rx_request allocates the rx reorder buffer regardless
of use_rx_hw_reordering settings.
Fix this by checking wil->use_rx_hw_reordering before allocating
the reorder buffer.
Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Maya Erez [Thu, 23 Aug 2018 11:47:08 +0000 (14:47 +0300)]
wil6210: set edma variables only for Talyn-MB devices
use_rx_hw_reordering is already set to true in wil_set_capabilities
for Talyn-MB devices. Remove its setting from wil_priv_init to
prevent its activation for older chips.
Similarly, move the setting of use_compressed_rx_status to
wil_set_capabilities.
Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Dedy Lansky [Thu, 23 Aug 2018 11:47:07 +0000 (14:47 +0300)]
wil6210: drop Rx multicast packets that are looped-back to STA
Delivering a looped-back multicast packet to network stack can cause
higher layer protocols to fail like for example IPv6 DAD.
In STA mode, upon receiving Rx multicast packet, check if the source
MAC address is equal to our own MAC address and if so drop the packet.
Signed-off-by: Dedy Lansky <dlansky@codeaurora.org> Signed-off-by: Maya Erez <merez@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Felix Fietkau [Mon, 20 Aug 2018 09:37:51 +0000 (11:37 +0200)]
ath9k: fix tx99 with monitor mode interface
Tx99 is typically configured via a monitor mode interface, which does
not get added to the driver as a vif. Since the code currently expects
a configured virtual interface for tx99, enabling tx99 via debugfs fails.
Since the vif is not needed anyway, remove all checks for it.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
[kvalo@codeaurora.org: s/CPTCFG/CONFIG/] Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
One of the more common cases of allocation size calculations is finding
the size of a structure that has a zero-sized array at the end, along
with memory for some number of elements for that array. For example:
This issue was detected with the help of Coccinelle.
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Martin Willi [Wed, 22 Aug 2018 07:39:52 +0000 (09:39 +0200)]
ath10k: schedule hardware restart if WMI command times out
When running in AP mode, ath10k sometimes suffers from TX credit
starvation. The issue is hard to reproduce and shows up once in a
few days, but has been repeatedly seen with QCA9882 and a large
range of firmwares, including 10.2.4.70.67.
Once the module is in this state, TX credits are never replenished,
which results in "SWBA overrun" errors, as no beacons can be sent.
Even worse, WMI commands run in a timeout while holding the conf
mutex for three seconds each, making any further operations slow
and the whole system unresponsive.
The firmware/driver never recovers from that state automatically,
and triggering TX flush or warm restarts won't work over WMI. So
issue a hardware restart if a WMI command times out due to missing
TX credits. This implies a connectivity outage of about 1.4s in AP
mode, but brings back the interface and the whole system to a usable
state. WMI command timeouts have not been seen in absent of this
specific issue, so taking such drastic actions seems legitimate.
Signed-off-by: Martin Willi <martin@strongswan.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Rakesh Pillai [Mon, 6 Aug 2018 14:48:08 +0000 (20:18 +0530)]
ath10k: skip resetting rx filter for WCN3990
WCN3990 has the MAC_PCU_ADDR1 configured properly
and hence it will not send spurious ack frames
during boot up.
Hence the reset_rx_filter workaround is not needed
for WCN3990. Add a hw_param to indicate if hardware rx
filter reset is needed and skip the reset_rx_filter for
WCN3990.
1) ICE, E1000, IGB, IXGBE, and I40E bug fixes from the Intel folks.
2) Better fix for AB-BA deadlock in packet scheduler code, from Cong
Wang.
3) bpf sockmap fixes (zero sized key handling, etc.) from Daniel
Borkmann.
4) Send zero IPID in TCP resets and SYN-RECV state ACKs, to prevent
attackers using it as a side-channel. From Eric Dumazet.
5) Memory leak in mediatek bluetooth driver, from Gustavo A. R. Silva.
6) Hook up rt->dst.input of ipv6 anycast routes properly, from Hangbin
Liu.
7) hns and hns3 bug fixes from Huazhong Tan.
8) Fix RIF leak in mlxsw driver, from Ido Schimmel.
9) iova range check fix in vhost, from Jason Wang.
10) Fix hang in do_tcp_sendpages() with tls, from John Fastabend.
11) More r8152 chips need to disable RX aggregation, from Kai-Heng Feng.
12) Memory exposure in TCA_U32_SEL handling, from Kees Cook.
13) TCP BBR congestion control fixes from Kevin Yang.
14) hv_netvsc, ignore non-PCI devices, from Stephen Hemminger.
15) qed driver fixes from Tomer Tayar.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (77 commits)
net: sched: Fix memory exposure from short TCA_U32_SEL
qed: fix spelling mistake "comparsion" -> "comparison"
vhost: correctly check the iova range when waking virtqueue
qlge: Fix netdev features configuration.
net: macb: do not disable MDIO bus at open/close time
Revert "net: stmmac: fix build failure due to missing COMMON_CLK dependency"
net: macb: Fix regression breaking non-MDIO fixed-link PHYs
mlxsw: spectrum_switchdev: Do not leak RIFs when removing bridge
i40e: fix condition of WARN_ONCE for stat strings
i40e: Fix for Tx timeouts when interface is brought up if DCB is enabled
ixgbe: fix driver behaviour after issuing VFLR
ixgbe: Prevent unsupported configurations with XDP
ixgbe: Replace GFP_ATOMIC with GFP_KERNEL
igb: Replace mdelay() with msleep() in igb_integrated_phy_loopback()
igb: Replace GFP_ATOMIC with GFP_KERNEL in igb_sw_init()
igb: Use an advanced ctx descriptor for launchtime
e1000: ensure to free old tx/rx rings in set_ringparam()
e1000: check on netif_running() before calling e1000_up()
ixgb: use dma_zalloc_coherent instead of allocator/memset
ice: Trivial formatting fixes
...
Jens Axboe [Mon, 27 Aug 2018 14:37:46 +0000 (08:37 -0600)]
Fix up libata MAINTAINERS entry
The email was botched in one entry, and I also forgot to update the
location of the git tree. It'll be under the linux-block umbrella, just
with different branches.
Kees Cook [Sun, 26 Aug 2018 05:58:01 +0000 (22:58 -0700)]
net: sched: Fix memory exposure from short TCA_U32_SEL
Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
policy, so max length isn't enforced, only minimum. This means nkeys
(from userspace) was being trusted without checking the actual size of
nla_len(), which could lead to a memory over-read, and ultimately an
exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
a namespace.
Reported-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: Cong Wang <xiyou.wangcong@gmail.com> Cc: Jiri Pirko <jiri@resnulli.us> Cc: "David S. Miller" <davem@davemloft.net> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sun, 26 Aug 2018 20:39:05 +0000 (13:39 -0700)]
Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer update from Thomas Gleixner:
"New defines for the compat time* types so they can be shared between
32bit and 64bit builds. Not used yet, but merging them now allows the
actual conversions to be merged through different maintainer trees
without dependencies
We still have compat interfaces for 32bit on 64bit even with the new
2038 safe timespec/val variants because pointer size is different. And
for the old style timespec/val interfaces we need yet another 'compat'
interface for both 32bit native and 32bit on 64bit"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
y2038: Provide aliases for compat helpers
Linus Torvalds [Sun, 26 Aug 2018 18:48:42 +0000 (11:48 -0700)]
Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax
Pull IDA updates from Matthew Wilcox:
"A better IDA API:
id = ida_alloc(ida, GFP_xxx);
ida_free(ida, id);
rather than the cumbersome ida_simple_get(), ida_simple_remove().
The new IDA API is similar to ida_simple_get() but better named. The
internal restructuring of the IDA code removes the bitmap
preallocation nonsense.
I hope the net -200 lines of code is convincing"
* 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax: (29 commits)
ida: Change ida_get_new_above to return the id
ida: Remove old API
test_ida: check_ida_destroy and check_ida_alloc
test_ida: Convert check_ida_conv to new API
test_ida: Move ida_check_max
test_ida: Move ida_check_leaf
idr-test: Convert ida_check_nomem to new API
ida: Start new test_ida module
target/iscsi: Allocate session IDs from an IDA
iscsi target: fix session creation failure handling
drm/vmwgfx: Convert to new IDA API
dmaengine: Convert to new IDA API
ppc: Convert vas ID allocation to new IDA API
media: Convert entity ID allocation to new IDA API
ppc: Convert mmu context allocation to new IDA API
Convert net_namespace to new IDA API
cb710: Convert to new IDA API
rsxx: Convert to new IDA API
osd: Convert to new IDA API
sd: Convert to new IDA API
...
Linus Torvalds [Sun, 26 Aug 2018 18:41:08 +0000 (11:41 -0700)]
Merge tag 'gcc-plugins-v4.19-rc1-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux
Pull gcc plugin fix from Kees Cook:
"Lift gcc test into Kconfig. This is for better behavior when the
kernel is built with Clang, reported by Stefan Agner"
* tag 'gcc-plugins-v4.19-rc1-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
gcc-plugins: Disable when building under Clang
Linus Torvalds [Sun, 26 Aug 2018 18:25:21 +0000 (11:25 -0700)]
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf updates from Thomas Gleixner:
"Kernel:
- Improve kallsyms coverage
- Add x86 entry trampolines to kcore
- Fix ARM SPE handling
- Correct PPC event post processing
Tools:
- Make the build system more robust
- Small fixes and enhancements all over the place
- Update kernel ABI header copies
- Preparatory work for converting libtraceevnt to a shared library
- License cleanups"
* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (100 commits)
tools arch: Update arch/x86/lib/memcpy_64.S copy used in 'perf bench mem memcpy'
tools arch x86: Update tools's copy of cpufeatures.h
perf python: Fix pyrf_evlist__read_on_cpu() interface
perf mmap: Store real cpu number in 'struct perf_mmap'
perf tools: Remove ext from struct kmod_path
perf tools: Add gzip_is_compressed function
perf tools: Add lzma_is_compressed function
perf tools: Add is_compressed callback to compressions array
perf tools: Move the temp file processing into decompress_kmodule
perf tools: Use compression id in decompress_kmodule()
perf tools: Store compression id into struct dso
perf tools: Add compression id into 'struct kmod_path'
perf tools: Make is_supported_compression() static
perf tools: Make decompress_to_file() function static
perf tools: Get rid of dso__needs_decompress() call in __open_dso()
perf tools: Get rid of dso__needs_decompress() call in symbol__disassemble()
perf tools: Get rid of dso__needs_decompress() call in read_object_code()
tools lib traceevent: Change to SPDX License format
perf llvm: Allow passing options to llc in addition to clang
perf parser: Improve error message for PMU address filters
...
Linus Torvalds [Sun, 26 Aug 2018 17:13:21 +0000 (10:13 -0700)]
Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Thomas Gleixner:
- Correct the L1TF fallout on 32bit and the off by one in the 'too much
RAM for protection' calculation.
- Add a helpful kernel message for the 'too much RAM' case
- Unbreak the VDSO in case that the compiler desides to use indirect
jumps/calls and emits retpolines which cannot be resolved because the
kernel uses its own thunks, which does not work for the VDSO. Make it
use the builtin thunks.
- Re-export start_thread() which was unexported when the 32/64bit
implementation was unified. start_thread() is required by modular
binfmt handlers.
- Trivial cleanups
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/speculation/l1tf: Suggest what to do on systems with too much RAM
x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM
x86/kvm/vmx: Remove duplicate l1d flush definitions
x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
x86/process: Re-export start_thread()
x86/mce: Add notifier_block forward declaration
x86/vdso: Fix vDSO build if a retpoline is emitted
Linus Torvalds [Sun, 26 Aug 2018 16:55:28 +0000 (09:55 -0700)]
Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull irq update from Thomas Gleixner:
"A small set of updats/fixes for the irq subsystem:
- Allow GICv3 interrupts to be configured as wake-up sources to
enable wakeup from suspend
- Make the error handling of the STM32 irqchip init function work
- A set of small cleanups and improvements"
* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
irqchip/gic-v3: Allow interrupt to be configured as wake-up sources
irqchip/tango: Set irq handler and data in one go
dt-bindings: irqchip: renesas-irqc: Document r8a774a1 support
irqchip/s3c24xx: Remove unneeded comparison of unsigned long to 0
irqchip/stm32: Fix init error handling
irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
Linus Torvalds [Sun, 26 Aug 2018 16:47:00 +0000 (09:47 -0700)]
Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull licking update from Thomas Gleixner:
"Mark the switch cases which fall through to the next case with the
proper comment so the fallthrough compiler checks can be enabled"
* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
futex: Mark expected switch fall-throughs
Linus Torvalds [Sun, 26 Aug 2018 01:43:59 +0000 (18:43 -0700)]
Merge tag 'libnvdimm-for-4.19_dax-memory-failure' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm
Pull libnvdimm memory-failure update from Dave Jiang:
"As it stands, memory_failure() gets thoroughly confused by dev_pagemap
backed mappings. The recovery code has specific enabling for several
possible page states and needs new enabling to handle poison in dax
mappings.
In order to support reliable reverse mapping of user space addresses:
1/ Add new locking in the memory_failure() rmap path to prevent races
that would typically be handled by the page lock.
2/ Since dev_pagemap pages are hidden from the page allocator and the
"compound page" accounting machinery, add a mechanism to determine
the size of the mapping that encompasses a given poisoned pfn.
3/ Given pmem errors can be repaired, change the speculatively
accessed poison protection, mce_unmap_kpfn(), to be reversible and
otherwise allow ongoing access from the kernel.
A side effect of this enabling is that MADV_HWPOISON becomes usable
for dax mappings, however the primary motivation is to allow the
system to survive userspace consumption of hardware-poison via dax.
Specifically the current behavior is:
mce: Uncorrected hardware memory error in user-access at af34214200
{1}[Hardware Error]: It has been corrected by h/w and requires no further action
mce: [Hardware Error]: Machine check events logged
{1}[Hardware Error]: event severity: corrected
Memory failure: 0xaf34214: reserved kernel page still referenced by 1 users
[..]
Memory failure: 0xaf34214: recovery action for reserved kernel page: Failed
mce: Memory error not recovered
<reboot>
...and with these changes:
Injecting memory failure for pfn 0x20cb00 at process virtual address 0x7f763dd00000
Memory failure: 0x20cb00: Killing dax-pmd:5421 due to hardware memory corruption
Memory failure: 0x20cb00: recovery action for dax page: Recovered
Given all the cross dependencies I propose taking this through
nvdimm.git with acks from Naoya, x86/core, x86/RAS, and of course dax
folks"
* tag 'libnvdimm-for-4.19_dax-memory-failure' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm:
libnvdimm, pmem: Restore page attributes when clearing errors
x86/memory_failure: Introduce {set, clear}_mce_nospec()
x86/mm/pat: Prepare {reserve, free}_memtype() for "decoy" addresses
mm, memory_failure: Teach memory_failure() about dev_pagemap pages
filesystem-dax: Introduce dax_lock_mapping_entry()
mm, memory_failure: Collect mapping size in collect_procs()
mm, madvise_inject_error: Let memory_failure() optionally take a page reference
mm, dev_pagemap: Do not clear ->mapping on final put
mm, madvise_inject_error: Disable MADV_SOFT_OFFLINE for ZONE_DEVICE pages
filesystem-dax: Set page->index
device-dax: Set page->index
device-dax: Enable page_mapping()
device-dax: Convert to vmf_insert_mixed and vm_fault_t
Linus Torvalds [Sun, 26 Aug 2018 01:13:10 +0000 (18:13 -0700)]
Merge tag 'libnvdimm-for-4.19_misc' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm
Pull libnvdimm updates from Dave Jiang:
"Collection of misc libnvdimm patches for 4.19 submission:
- Adding support to read locked nvdimm capacity.
- Change test code to make DSM failure code injection an override.
- Add support for calculate maximum contiguous area for namespace.
- Add support for queueing a short ARS when there is on going ARS for
nvdimm.
- Allow NULL to be passed in to ->direct_access() for kaddr and pfn
params.
- Improve smart injection support for nvdimm emulation testing.
- Fix test code that supports for emulating controller temperature.
- Fix hang on error before devm_memremap_pages()
- Fix a bug that causes user memory corruption when data returned to
user for ars_status.
- Maintainer updates for Ross Zwisler emails and adding Jan Kara to
fsdax"
* tag 'libnvdimm-for-4.19_misc' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm:
libnvdimm: fix ars_status output length calculation
device-dax: avoid hang on error before devm_memremap_pages()
tools/testing/nvdimm: improve emulation of smart injection
filesystem-dax: Do not request kaddr and pfn when not required
md/dm-writecache: Don't request pointer dummy_addr when not required
dax/super: Do not request a pointer kaddr when not required
tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access()
s390, dcssblk: kaddr and pfn can be NULL to ->direct_access()
libnvdimm, pmem: kaddr and pfn can be NULL to ->direct_access()
acpi/nfit: queue issuing of ars when an uc error notification comes in
libnvdimm: Export max available extent
libnvdimm: Use max contiguous area for namespace size
MAINTAINERS: Add Jan Kara for filesystem DAX
MAINTAINERS: update Ross Zwisler's email address
tools/testing/nvdimm: Fix support for emulating controller temperature
tools/testing/nvdimm: Make DSM failure code injection an override
acpi, nfit: Prefer _DSM over _LSR for namespace label reads
libnvdimm: Introduce locked DIMM capacity support