It is too bad to do a tight loop every time a pkt is added. When the hotspot is turned on, I notice that the
htt_htc_misc_pkt_list_trim() function consumes at least 5% of CPU time. Cache the head of the pkt
queue and free multiple pkts at once to reduce CPU consumption.
Signed-off-by: Julian Liu <wlootlxt123@gmail.com>
Signed-off-by: Alexander Winkowski <dereference23@outlook.com>
* For some reason Samsung shipped the A72 S kernel for the A52 too, but only renamed the defconfig without even changing device-specific stuff like the tele-camera, panel or fingerprint drivers in the defconfig
* Manually correct these to what they were on R
Change-Id: I9d69c9f8db3ff1d2dbc5246673fb4ab8f0463946
Check that for a given multicast amsdu frame, all its sub frames are
multicast also. If not, meaning a unicast sub frame was found, drop it
and all the next sub frames of the same multicast amsdu.
Change-Id: Ib9bcc45d9fcafec11c9c2a786fcabf278a666cb4
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
Check integrity of received AMSDU packet. The 802.11ad QoS spec requires
that an AMSDU frame contains only MSDUs whose destination address (DA)
and sender address (SA) parameter values map to the same receiver
address (RA) and transmitter address (TA) values.
wil6210 Talyn HW does not check this before it cuts the AMSDU frame
into multiple received MSDU packets.
Adding checks to the wil6210 driver to enforce spec-compliant behavior
by checking that every AMSDU sub frame complies with the following:
1- On AP, check that the packet SA is its client mac address, and on Client
check that the DA is the local mac address. If not, drop the packet.
2- If an AMSDU sub frame was dropped on item 1, drop all next sub frames
of the AMSDU by checking they have the same sn/tid.
This patch drops all WDS frames before it checks for a valid AMSDU. WDS
includes supporting a MAC header with 4 addresses, which is not supported
yet; moreover, WDS implies different validity checks on the AMSDU frame.
Change-Id: I71a39f95c034f05023e0e7ae3ffb5d2b4f8c6b24
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
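The two rules in the commit message above (address check per sub frame, then dropping the rest of the same A-MSDU by sn/tid) can be modelled in user space as follows. This is an added example, not code from the wil6210 driver; the structs, function names and MAC addresses are hypothetical, and multicast and WDS handling are left out.

```c
/* Added illustration: user-space model of the two A-MSDU rules above.
 * Not wil6210 code; all struct and function names are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6

enum role { ROLE_AP, ROLE_CLIENT };

struct subframe {              /* one MSDU after the HW split the A-MSDU */
	uint8_t da[ETH_ALEN];
	uint8_t sa[ETH_ALEN];
	uint16_t sn;               /* sequence number of the carrying A-MSDU */
	uint8_t tid;
};

struct amsdu_state {           /* per-peer memory of the last dropped A-MSDU */
	bool drop_valid;
	uint16_t drop_sn;
	uint8_t drop_tid;
};

/* Returns true when the sub frame must be dropped. */
bool amsdu_should_drop(struct amsdu_state *st, enum role role,
		       const uint8_t *peer_mac, const uint8_t *local_mac,
		       const struct subframe *sf)
{
	bool addr_ok;

	/* Item 2: an earlier sub frame of this A-MSDU was already dropped. */
	if (st->drop_valid && st->drop_sn == sf->sn && st->drop_tid == sf->tid)
		return true;
	st->drop_valid = false;    /* different sn/tid: a new frame starts */

	/* Item 1: AP checks SA against its client, client checks DA against itself. */
	if (role == ROLE_AP)
		addr_ok = memcmp(sf->sa, peer_mac, ETH_ALEN) == 0;
	else
		addr_ok = memcmp(sf->da, local_mac, ETH_ALEN) == 0;
	if (addr_ok)
		return false;

	st->drop_valid = true;     /* remember sn/tid so the siblings are dropped too */
	st->drop_sn = sf->sn;
	st->drop_tid = sf->tid;
	return true;
}

/* Constructed sample: AP receiving from one client; bit i set = frame i dropped. */
unsigned int demo_ap_drop_mask(void)
{
	const uint8_t ap[ETH_ALEN]     = {0x02, 0, 0, 0, 0, 0xaa};
	const uint8_t client[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x01};
	const uint8_t other[ETH_ALEN]  = {0x02, 0, 0, 0, 0, 0x99};
	struct subframe rx[5];
	struct amsdu_state st = {0};
	unsigned int mask = 0;

	for (int i = 0; i < 5; i++) {
		memcpy(rx[i].da, ap, ETH_ALEN);
		memcpy(rx[i].sa, client, ETH_ALEN);
		rx[i].tid = 0;
	}
	rx[0].sn = 10;
	rx[1].sn = rx[2].sn = rx[3].sn = 11;   /* one A-MSDU, three sub frames */
	rx[4].sn = 12;
	memcpy(rx[2].sa, other, ETH_ALEN);     /* SA that is not the client */

	for (int i = 0; i < 5; i++)
		if (amsdu_should_drop(&st, ROLE_AP, client, ap, &rx[i]))
			mask |= 1u << i;
	return mask;
}

int main(void)
{
	printf("drop mask: 0x%02x\n", demo_ap_drop_mask());
	return 0;
}
```

Frame 3 carries a correct SA but is still dropped because it shares sn/tid with the rejected frame 2; frame 4 starts a new sequence number and passes.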
On a secure network, only eap frames are valid unencrypted frames and
allowed to be indicated to the local network; any other unencrypted
frame should be dropped immediately.
Change-Id: Id9d97a4c0984f7bf2d7d6941c4c61e87bc2354cd
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
In AP mode, the driver checks each received frame; in case it is a
multicast or unicast packet targeted to one of the AP clients, the
driver does the routing at the L2 level. An EAPOL packet is a plaintext frame
and it should not follow the above rule.
When the AP receives an EAPOL packet that is multicast or targeted to
a client in the AP network, the driver should not forward this packet
immediately in L2. The EAPOL packet should be indicated to the network
stack, which will check the packet validity and will decide whether to forward
the packet to its client or not.
Change-Id: I0edf339c3be5a2300e7b8168866286e71045c0d5
Signed-off-by: Ahmad Masri <amasri@codeaurora.org>
Ignore MHI wake vote after device error and let the MHI driver
take care of the usage count internally.
This change is enabled once again because the dev_vote will
be mismatched if the synchronized wake request is used. After
this change, the cnss_pci_force_wake_release() will also
decrease the dev_vote.
Change-Id: I0b411ea052155809d816c74f44e85ac9e1ea3e4b
CRs-Fixed: 2777435
Signed-off-by: Guisen Yang <guiseny@codeaurora.org>
PCIE Genoa has a separate wlan fw patch for
mission mode (amss.bin) and ftm mode (genoaftm.bin),
but the cnss2 platform driver always tries to load amss.bin,
which is not feasible. So add this new interface for
cnss2 to get the correct driver mode and update the fw
patch name.
Change-Id: I7c17ca5f96b9d5717fbe65e0b177249cd9424dec
Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
The current implementation only collects shadow register when the host
force triggered RDDM.
Extend it to any RDDM scenario.
Change-Id: I8a14950b9b4cd42df016ecbb2eac6dc7d8ae115c
Signed-off-by: Lin Bai <lbai@codeaurora.org>
Currently, the cnss2 platform driver can support only
one attached wlan device, so make the following changes
to cover the dual wlan card attach case. Firstly, delay
the second device going to the pcie link suspend and power
off state to make sure it has really finished the pcie
enumeration. Then pcie enumeration succeeds with
multiple devices. Secondly, support writing the qrtr
node instance id to a PCIE register for the wlan fw to read,
which can fix the qmi message exchange failure if two
Hastings devices are active. Thirdly, change the usage of
plat_env to support dual Hastings.
Change-Id: Ica41a23d4e983b91c0ff1b4e76b380803fb877ab
Signed-off-by: Chaoli Zhou <zchaoli@codeaurora.org>
mhi_device_get_sync() can sleep while waiting for MHI M0 event.
When timeout passed in is 0 for CNSS force wake API, call it
instead of mhi_device_get_sync_atomic() which will only do busy
wait.
Change-Id: I8ba5a3382b4104eb7324c9e7f3fc1ce3c21065f4
Signed-off-by: Yue Ma <yuem@codeaurora.org>
Add cnss_smmu_unmap API so that wlan function driver
could unmap IOVA addresses that are IOMMU mapped.
Change-Id: I1e3aa287589f73a609cc51fe8c826d1edf2fefd1
Signed-off-by: Jia Ding <jiad@codeaurora.org>
Add support for PCIE gen switch request from wlan driver using
QMI message to FW.
Change-Id: I6ea4ee234a38162cb9093d36d580c872b4d62644
Signed-off-by: Manikandan Mohan <manikand@codeaurora.org>
If the EP is 32-bit MSI capable, then the MSI address is 4 bytes. The platform
driver checks MSI capability before reading the MSI address.
Change-Id: I8157b7ba2c9ed2a8d93f168f893cf1a2e6bb50b6
Signed-off-by: Kai Liu <kaliu@codeaurora.org>
2G+5G+6G, total channel num is 157 until now, increase unsafe channel max
num to avoid out of buffer.
Change-Id: I1e433c0bd88290bb5493b2c4b0bda86e17b04a01
CRs-Fixed: 2752689
Signed-off-by: Jianmin Zhu <jianminz@codeaurora.org>
Currently WCN3990 supports 3 concurrent VAP creation. This leads
to failure of mesh interface creation in concurrent cases.
Add creation of mesh point interface in interface combination
if CONFIG_MAC80211_MESH is enabled.
Change-Id: I06e1f4c488208e80ab7dd622e35228001d026395
Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
Tune the way station and AP interface limits.
Tested HW: WCN3990.
Change-Id: Iddbdc6d33fe6d22d5cf45e287790424d9541b277
Signed-off-by: Zhonglin Zhang <zhonglin@codeaurora.org>
Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
commit 92f53e2fda8bb9a559ad61d57bfb397ce67ed0ab upstream.
This fix allows ath9k_htc modules to connect to WLAN once again.
Fixes: 2bbcaaee1fcb ("ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=208251
Signed-off-by: Mark O'Donovan <shiftee@posteo.net>
Reported-by: Roman Mamedov <rm@romanrm.net>
Tested-by: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200711043324.8079-1-shiftee@posteo.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream.
In ath9k_hif_usb_rx_cb interface number is assumed to be 0.
usb_ifnum_to_if(urb->dev, 0)
But it isn't always true.
The case reported by syzbot:
https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com
usb 2-1: new high-speed USB device number 2 using dummy_hcd
usb 2-1: config 1 has an invalid interface number: 2 but max is 0
usb 2-1: config 1 has no interface number 0
usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice=
1.08
usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
general protection fault, probably for non-canonical address
0xdffffc0000000015: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
Call Trace
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com
Cc: Viktor Jägersküpper <viktor_jaegerskuepper@freenet.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 97efdabe90 which is
commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream.
It is being reverted upstream, just hasn't made it there yet and is
causing lots of problems.
Reported-by: Hans de Goede <hdegoede@redhat.com>
Cc: Qiujun Huang <hqjagain@gmail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Currently the protected management frames are
not appended with the MIC_LEN which results in
the protected management frames being encoded
incorrectly.
Add the extra space at the end of the protected
management frames to fix this encoding error for
the protected management frames.
Tested HW: WCN3990
Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
Fixes: 1807da49733e ("ath10k: wmi: add management tx by reference support over wmi")
Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ee789
Git-commit: 42f1bc43e6a97b9ddbe976eba9bd05306c990c75
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
The length of wmi tlv command for management tx send is calculated
incorrectly in case of protected management frames as there is addition
of IEEE80211_CCMP_MIC_LEN twice. This leads to improper behaviour of
firmware as the wmi tlv mgmt tx send command for protected mgmt frames
is formed wrongly.
Fix the length calculation of wmi tlv command for mgmt tx send in case
of protected management frames by adding the IEEE80211_CCMP_MIC_LEN only
once.
Tested HW: WCN3990
Tested FW: WLAN.HL.3.1-00784-QCAHLSWMTPLZ-1
Fixes: 1807da49733e "ath10k: wmi: add management tx by reference support over wmi"
Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ee788
Git-commit: 761156ff573d1002983416e4fd1fe8d3489c4bd8
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
Peer creation in firmware fails if last peer deletion is still
in progress.
The firmware sends a peer delete response event if it advertises
the service WMI_SERVICE_SYNC_DELETE_CMDS. This peer delete response
event is used to synchronize the peer deletion.
Add peer delete response event and wait for the event after
deleting every peer from host driver to synchronize with firmware.
Tested HW: WCN3990
Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1
Signed-off-by: Dundi Raviteja <dundi@codeaurora.org>
Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ee787
Git-commit: c6f537a11b812c50decb8d5fa470e5e2a0ce354f
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
[bpothuno@codeaurora.org: fix trivial merge conflicts]
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
When we add an interface immediately after removing
the interface the vdev deletion in firmware might not
have been completed. We need to synchronize the vdev creation
with the firmware.
Wait for vdev delete response from firmware when we
remove an interface.
Tested HW: WCN3990
Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1
Signed-off-by: Rakesh Pillai <pillair@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ee786
Git-commit: fe36e70f766ed99c5a140f8e265e81dd39897bb6
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
[bpothuno@codeaurora.org: fix trivial merge conflicts]
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
WCN3990 firmware advertises the service WMI_TLV_SERVICE_MESH_11S
for mesh 11s. Map this wmi tlv service to enable mesh 11s
for WCN3990.
Tested HW: WCN3990
Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ee785
Git-commit: 7835d8f8792dab0e3704951d5009c2b832d4513d
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
TLV based firmware ex. QCA6174, WCN3990 expects key cipher value
set to 9 while non-TLV firmware expects key cipher value set to 8
for enabling GCMP and GCMP-256 cipher suites.
To fix this problem, attach the key cipher suite values based on
wmi version.
Tested HW: WCN3990
Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1
Signed-off-by: Abhishek Ambure <aambure@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ee784
Git-commit: 7d94f862d6482e1159ccca669cbf21c724d159e1
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
[bpothuno@codeaurora.org: fix trivial merge conflicts]
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
Commit 2ea9f12cefe4 ("ath10k: add new cipher suite support") added a new
n_cipher_suites HW param with a fallback value and a warning log. Commit
03a72288c546 ("ath10k: wmi: add hw params entry for wcn3990") later
added WCN3990 HW entries, but it missed the n_cipher_suites.
Rather than seeing this warning every boot
ath10k_snoc 18800000.wifi: invalid hw_params.n_cipher_suites 0
let's provide the appropriate value.
Cc: Rakesh Pillai <pillair@qti.qualcomm.com>
Cc: Govind Singh <govinds@qti.qualcomm.com>
Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ee782
Git-commit: 2bd345cd2bfc0bd44528896313c0b45f087bdf67
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
There is a disparity in wmi and wmi tlv vdev subtype
enum for WMI_VDEV_SUBTYPE_MESH_11S.
Add different enum for wmi tlv vdev subtype to support
vdev of subtype mesh 11s for WCN3990.
Tested HW: WCN3990
Signed-off-by: Surabhi Vishnoi <svishnoi@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ee781
Git-commit: a7368c395fc3ebd544cf6ceaca715adb4e85eff1
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
commit 6a29d134c04a8acebb7a95251acea7ad7abba106 upstream.
Since the driver was first introduced into the kernel, it has only
handled the ciphers associated with WEP, WPA, and WPA2. It fails with
WPA3 even though mac80211 can handle those additional ciphers in software,
b43legacy did not report that it could handle them. By setting MFP_CAPABLE using
ieee80211_set_hw(), the problem is fixed.
With this change, b43legacy will handle the ciphers it knows in hardware,
and let mac80211 handle the others in software. It is not necessary to
use the module parameter NOHWCRYPT to turn hardware encryption off.
Although this change essentially eliminates that module parameter,
I am choosing to keep it for cases where the hardware is broken,
and software encryption is required for all ciphers.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200526155909.5807-3-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 75d057bda1fbca6ade21378aa45db712e5f7d962 upstream.
Since the driver was first introduced into the kernel, it has only
handled the ciphers associated with WEP, WPA, and WPA2. It fails with
WPA3 even though mac80211 can handle those additional ciphers in software,
b43 did not report that it could handle them. By setting MFP_CAPABLE using
ieee80211_set_hw(), the problem is fixed.
With this change, b43 will handle the ciphers it knows in hardware,
and let mac80211 handle the others in software. It is not necessary to
use the module parameter NOHWCRYPT to turn hardware encryption off.
Although this change essentially eliminates that module parameter,
I am choosing to keep it for cases where the hardware is broken,
and software encryption is required for all ciphers.
Reported-and-tested-by: Rui Salvaterra <rsalvaterra@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200526155909.5807-2-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ec4d3e3a054578de34cd0b587ab8a1ac36f629d9 upstream.
This patch fixes commit 75388acd0c ("add mac80211-based driver for
legacy BCM43xx devices")
In https://bugzilla.kernel.org/show_bug.cgi?id=207093, a defect in
b43legacy is reported. Upon testing, this problem exists on PPC and
X86 platforms, is present in the oldest kernel tested (3.2), and
has been present in the driver since it was first added to the kernel.
The problem is a corrupted channel status received from the device.
Both the internal card in a PowerBook G4 and the PCMCIA version
(Broadcom BCM4306 with PCI ID 14e4:4320) have the problem. Only Rev. 2
(revision 4 of the 802.11 core) of the chip has been tested. No other
devices using b43legacy are available for testing.
Various sources of the problem were considered. Buffer overrun and
other sources of corruption within the driver were rejected because
the faulty channel status is always the same, not a random value.
It was concluded that the faulty data is coming from the device, probably
due to a firmware bug. As that source is not available, the driver
must take appropriate action to recover.
At present, the driver reports the error, and then continues to process
the bad packet. This is believed to be a mistake, and the correct
action is to drop the corrupted packet.
Fixes: 75388acd0c ("add mac80211-based driver for legacy BCM43xx devices")
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-and-tested by: F. Erhard <erhard_f@mailbox.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200407190043.1686-1-Larry.Finger@lwfinger.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b14fba7ebd04082f7767a11daea7f12f3593de22 upstream.
This patch follows up on a bug-report by Frank Schäfer that
discovered P2P GO wasn't working with wpa_supplicant.
This patch removes part of the broken P2P GO support but
keeps the vif switchover code in place.
Cc: <stable@vger.kernel.org>
Link: <https://lkml.kernel.org/r/3a9d86b6-744f-e670-8792-9167257edef8@googlemail.com>
Reported-by: Frank Schäfer <fschaefer.oss@googlemail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200425092811.9494-1-chunkeey@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 3aa42bae9c4d1641aeb36f1a8585cd1d506cf471 ]
The mwifiex_cfg80211_dump_station() uses static variable for iterating
over a linked list of all associated stations (when the driver is in UAP
role). This has a race condition if .dump_station is called in parallel
for multiple interfaces. This corruption can be triggered by registering
multiple SSIDs and calling, in parallel for multiple interfaces
iw dev <iface> station dump
[16750.719775] Unable to handle kernel paging request at virtual address dead000000000110
...
[16750.899173] Call trace:
[16750.901696] mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex]
[16750.907824] nl80211_dump_station+0xbc/0x278 [cfg80211]
[16750.913160] netlink_dump+0xe8/0x320
[16750.916827] netlink_recvmsg+0x1b4/0x338
[16750.920861] ____sys_recvmsg+0x7c/0x2b0
[16750.924801] ___sys_recvmsg+0x70/0x98
[16750.928564] __sys_recvmsg+0x58/0xa0
[16750.932238] __arm64_sys_recvmsg+0x28/0x30
[16750.936453] el0_svc_common.constprop.3+0x90/0x158
[16750.941378] do_el0_svc+0x74/0x90
[16750.944784] el0_sync_handler+0x12c/0x1a8
[16750.948903] el0_sync+0x114/0x140
[16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060)
[16750.958583] ---[ end trace c8ad181c2f4b8576 ]---
This patch drops the use of the static iterator, and instead every time
the function is called iterates to the idx-th position of the
linked-list.
It would be better to convert the code not to use linked list for
associated stations storage (since the chip has a limited number of
associated stations anyway - it could just be an array). Such a change
may be proposed in the future. In the meantime this patch can be backported
into stable kernels in this simple form.
Fixes: 8baca1a34d ("mwifiex: dump station support in uap mode")
Signed-off-by: Pali Rohár <pali@kernel.org>
Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
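The static-iterator problem described in the commit message above, next to the walk-to-idx approach it switches to, as an added user-space model (not mwifiex code; all names are hypothetical). Two dumps are interleaved deterministically to stand in for parallel calls, and the model only shows the logical error (wrong or missing entries), not the kernel fault.

```c
/* Added illustration: user-space model of the iterator bug described above.
 * Not mwifiex code; every name here is hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

struct sta { int id; struct sta *next; };
struct iface { struct sta *head; };      /* per-interface station list */

typedef int (*dump_fn)(struct iface *ifc, int idx, int *id_out);

/* Stands in for the function-local static iterator; file scope only so the
 * demo can reset it between runs. */
static struct sta *shared_cursor;

/* Before: the cursor survives across calls and is shared by every interface,
 * so idx and ifc are effectively ignored once a dump is in progress. */
int dump_station_static(struct iface *ifc, int idx, int *id_out)
{
	(void)idx;
	shared_cursor = shared_cursor ? shared_cursor->next : ifc->head;
	if (!shared_cursor)
		return -ENOENT;                  /* end of list, cursor reset */
	*id_out = shared_cursor->id;
	return 0;
}

/* After: no state between calls; walk to the idx-th entry every time. */
int dump_station_idx(struct iface *ifc, int idx, int *id_out)
{
	struct sta *s = ifc->head;

	while (s && idx-- > 0)
		s = s->next;
	if (!s)
		return -ENOENT;
	*id_out = s->id;
	return 0;
}

/* Constructed scenario: two interfaces dumped in lock step (A0, B0, A1, B1).
 * Returns the number of calls that did not yield the station asked for. */
int interleaved_mismatches(dump_fn dump)
{
	struct sta a2 = {2, NULL}, a1 = {1, &a2};
	struct sta b2 = {12, NULL}, b1 = {11, &b2};
	struct iface ifs[2] = {{&a1}, {&b1}};
	const int expect[2][2] = {{1, 2}, {11, 12}};
	int bad = 0;

	shared_cursor = NULL;
	for (int idx = 0; idx < 2; idx++)
		for (int i = 0; i < 2; i++) {
			int id = -1;

			if (dump(&ifs[i], idx, &id) != 0 || id != expect[i][idx])
				bad++;
		}
	return bad;
}

int main(void)
{
	printf("static cursor: %d wrong results\n",
	       interleaved_mismatches(dump_station_static));
	printf("walk to idx:   %d wrong results\n",
	       interleaved_mismatches(dump_station_idx));
	return 0;
}
```

With the shared cursor, interface B is handed a station from interface A's list and A's dump ends early; the stateless version costs an O(idx) walk per call, which is the trade-off the commit message accepts.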
[ Upstream commit beb12813bc75d4a23de43b85ad1c7cb28d27631e ]
Seven years ago we tried to fix a leak but actually introduced a double
free instead. It was an understandable mistake because the code was a
bit confusing and the free was done in the wrong place. The "skb"
pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit().
The free belongs in _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup()
and I've cleaned the code up a bit to hopefully make it more clear.
Fixes: 36ef0b473f ("rtlwifi: usb: add missing freeing of skbuff")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200513093951.GD347693@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a86308fc534edeceaf64670c691e17485436a4f4 ]
In case of error, 'qcom_wcnss_open_channel()' must be undone by a call to
'rpmsg_destroy_ept()', as already done in the remove function.
Fixes: 5052de8def ("soc: qcom: smd: Transition client drivers from smd to rpmsg")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200507043619.200051-1-christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 2bbcaaee1fcbd83272e29f31e2bb7e70d8c49e05 upstream.
In ath9k_hif_usb_rx_cb interface number is assumed to be 0.
usb_ifnum_to_if(urb->dev, 0)
But it isn't always true.
The case reported by syzbot:
https://lore.kernel.org/linux-usb/000000000000666c9c05a1c05d12@google.com
usb 2-1: new high-speed USB device number 2 using dummy_hcd
usb 2-1: config 1 has an invalid interface number: 2 but max is 0
usb 2-1: config 1 has no interface number 0
usb 2-1: New USB device found, idVendor=0cf3, idProduct=9271, bcdDevice=
1.08
usb 2-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
general protection fault, probably for non-canonical address
0xdffffc0000000015: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000000a8-0x00000000000000af]
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0-rc5-syzkaller #0
Call Trace
__usb_hcd_giveback_urb+0x29a/0x550 drivers/usb/core/hcd.c:1650
usb_hcd_giveback_urb+0x368/0x420 drivers/usb/core/hcd.c:1716
dummy_timer+0x1258/0x32ae drivers/usb/gadget/udc/dummy_hcd.c:1966
call_timer_fn+0x195/0x6f0 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x5f9/0x1500 kernel/time/timer.c:1786
__do_softirq+0x21e/0x950 kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x178/0x1a0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:546 [inline]
smp_apic_timer_interrupt+0x141/0x540 arch/x86/kernel/apic/apic.c:1146
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
Reported-and-tested-by: syzbot+40d5d2e8a4680952f042@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20200404041838.10426-6-hqjagain@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>