1. 11 Jun, 2019 10 commits
    • Hante Meuleman's avatar
      brcmfmac: Add length checks on firmware events · 6da841e9
      Hante Meuleman authored
      commit 0aedbcaf
      Add additional length checks on firmware events to create more
      robust code.
      Reviewed-by: default avatarArend Van Spriel <arend@broadcom.com>
      Reviewed-by: default avatarFranky (Zhenhui) Lin <frankyl@broadcom.com>
      Reviewed-by: default avatarPieter-Paul Giesberts <pieterpg@broadcom.com>
      Reviewed-by: default avatarLei Zhang <leizh@broadcom.com>
      Signed-off-by: default avatarHante Meuleman <meuleman@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 4.4:
       - Drop changes to brcmf_wowl_nd_results()
       - Adjust filenames]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Piotr Figiel's avatar
      brcmfmac: fix race during disconnect when USB completion is in progress · 0a597d2b
      Piotr Figiel authored
      [ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ]
      It was observed that rarely during USB disconnect happening shortly after
      connect (before full initialization completes) usb_hub_wq would wait
      forever for the dev_init_lock to be unlocked. dev_init_lock would remain
      locked though because of infinite wait during usb_kill_urb:
      [ 2730.656472] kworker/0:2     D    0   260      2 0x00000000
      [ 2730.660700] Workqueue: events request_firmware_work_func
      [ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
      [ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
      [ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
      [ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
      [ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
      [ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
      [ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
      [ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
      [ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
      [ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
      [ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
      [ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
      [ 2733.099695] kworker/0:3     D    0  1065      2 0x00000000
      [ 2733.103926] Workqueue: usb_hub_wq hub_event
      [ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
      [ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
      [ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
      [ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
      [ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
      [ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
      [ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
      [ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
      [ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
      [ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
      [ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
      [ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
      [ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
      [ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
      [ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
      It was traced down to a case where usb_kill_urb would be called on an URB
      structure containing more or less random data, including large number in
      its use_count. During the debugging it appeared that in brcmf_usb_free_q()
      the traversal over URBs' lists is not synchronized with operations on those
      lists in brcmf_usb_rx_complete() leading to handling
      brcmf_usbdev_info structure (holding lists' head) as lists' element and in
      result causing above problem.
      Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
      arrays of requests instead of linked lists.
      Signed-off-by: default avatarPiotr Figiel <p.figiel@camlintechnologies.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Piotr Figiel's avatar
      brcmfmac: convert dev_init_lock mutex to completion · f95ab00a
      Piotr Figiel authored
      [ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]
      Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
      kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
      which silences those warnings and improves code readability.
      Fix below errors when connecting the USB WiFi dongle:
      brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
      BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
           last function: hub_event
      1 lock held by kworker/0:2/434:
       #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
      CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      Workqueue: usb_hub_wq hub_event
      [<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
      [<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
      [<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808)
      [<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
      [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
      [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
      Exception stack(0xed1d9fb0 to 0xed1d9ff8)
      9fa0:                                     00000000 00000000 00000000 00000000
      9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
      WARNING: possible circular locking dependency detected
      4.19.23-00084-g454a789-dirty #123 Not tainted
      kworker/0:2/434 is trying to acquire lock:
      e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808
      but task is already holding lock:
      18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
      which lock already depends on the new lock.
      the existing dependency chain (in reverse order) is:
      -> #2 (&devinfo->dev_init_lock){+.+.}:
             brcmf_usb_probe+0x78/0x550 [brcmfmac]
      -> #1 (brcmf_driver_work){+.+.}:
      -> #0 ((wq_completion)"events"){+.+.}:
      other info that might help us debug this:
      Chain exists of:
        (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock
       Possible unsafe locking scenario:
             CPU0                    CPU1
             ----                    ----
       *** DEADLOCK ***
      1 lock held by kworker/0:2/434:
       #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
      stack backtrace:
      CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      Workqueue: events request_firmware_work_func
      [<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
      [<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
      [<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330)
      [<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30)
      [<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268)
      [<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808)
      [<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
      [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
      [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
      Exception stack(0xed1d9fb0 to 0xed1d9ff8)
      9fa0:                                     00000000 00000000 00000000 00000000
      9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
      Signed-off-by: default avatarPiotr Figiel <p.figiel@camlintechnologies.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Arnd Bergmann's avatar
      b43: shut up clang -Wuninitialized variable warning · db74ef82
      Arnd Bergmann authored
      [ Upstream commit d825db346270dbceef83b7b750dbc29f1d7dcc0e ]
      Clang warns about what is clearly a case of passing an uninitalized
      variable into a static function:
      drivers/net/wireless/broadcom/b43/phy_lp.c:1852:23: error: variable 'gains' is uninitialized when used here
                      lpphy_papd_cal(dev, gains, 0, 1, 30);
      drivers/net/wireless/broadcom/b43/phy_lp.c:1838:2: note: variable 'gains' is declared here
              struct lpphy_tx_gains gains, oldgains;
      1 error generated.
      However, this function is empty, and its arguments are never evaluated,
      so gcc in contrast does not warn here. Both compilers behave in a
      reasonable way as far as I can tell, so we should change the code
      to avoid the warning everywhere.
      We could just eliminate the lpphy_papd_cal() function entirely,
      given that it has had the TODO comment in it for 10 years now
      and is rather unlikely to ever get done. I'm doing a simpler
      change here, and just pass the 'oldgains' variable in that has
      been initialized, based on the guess that this is what was
      originally meant.
      Fixes: 2c0d6100
       ("b43: LP-PHY: Begin implementing calibration & software RFKILL support")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Reviewed-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Kangjie Lu's avatar
      brcmfmac: fix missing checks for kmemdup · 951fbf92
      Kangjie Lu authored
      [ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]
      In case kmemdup fails, the fix sets conn_info->req_ie_len and
      conn_info->resp_ie_len to zero to avoid buffer overflows.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Acked-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Kangjie Lu's avatar
      rtlwifi: fix a potential NULL pointer dereference · 1d3ee4d7
      Kangjie Lu authored
      [ Upstream commit 765976285a8c8db3f0eb7f033829a899d0c2786e ]
      In case alloc_workqueue fails, the fix reports the error and
      returns to avoid NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Kangjie Lu's avatar
      net: cw1200: fix a NULL pointer dereference · 50d25ca8
      Kangjie Lu authored
      [ Upstream commit 0ed2a005347400500a39ea7c7318f1fea57fb3ca ]
      In case create_singlethread_workqueue fails, the fix free the
      hardware and returns NULL to avoid NULL pointer dereference.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Dan Carpenter's avatar
      mwifiex: prevent an array overflow · af2fb022
      Dan Carpenter authored
      [ Upstream commit b4c35c17227fe437ded17ce683a6927845f8c4a4 ]
      The "rate_index" is only used as an index into the phist_data->rx_rate[]
      array in the mwifiex_hist_data_set() function.  That array has
      MWIFIEX_MAX_AC_RX_RATES (74) elements and it's used to generate some
      debugfs information.  The "rate_index" variable comes from the network
      skb->data[] and it is a u8 so it's in the 0-255 range.  We need to cap
      it to prevent an array overflow.
      Fixes: cbf6e055
       ("mwifiex: add rx histogram statistics support")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Dan Carpenter's avatar
      brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() · a898d150
      Dan Carpenter authored
      [ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]
      If "ret_len" is negative then it could lead to a NULL dereference.
      The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
      then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
      brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
      Most of the functions in that call tree check whether the buffer we pass
      is NULL but there are at least a couple places which don't such as
      brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
      from the buffer so it would result in a NULL dereference.
      The fix is to change the types so that "ret_len" can't be negative.  (If
      we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
      Fixes: 1bacb048
       ("brcmfmac: replace cfg80211 testmode with vendor command")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • YueHaibing's avatar
      at76c50x-usb: Don't register led_trigger if usb_register_driver failed · a1f254dc
      YueHaibing authored
      commit 09ac2694b0475f96be895848687ebcbba97eeecf upstream.
      Syzkaller report this:
      [ 1213.468581] BUG: unable to handle kernel paging request at fffffbfff83bf338
      [ 1213.469530] #PF error: [normal kernel read fault]
      [ 1213.469530] PGD 237fe4067 P4D 237fe4067 PUD 237e60067 PMD 1c868b067 PTE 0
      [ 1213.473514] Oops: 0000 [#1] SMP KASAN PTI
      [ 1213.473514] CPU: 0 PID: 6321 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
      [ 1213.473514] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      [ 1213.473514] RIP: 0010:strcmp+0x31/0xa0
      [ 1213.473514] Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
      [ 1213.473514] RSP: 0018:ffff8881f2b7f950 EFLAGS: 00010246
      [ 1213.473514] RAX: 1ffffffff83bf338 RBX: ffff8881ea6f7240 RCX: ffffffff825350c6
      [ 1213.473514] RDX: 0000000000000000 RSI: ffffffffc1ee19c0 RDI: ffffffffc1df99c0
      [ 1213.473514] RBP: ffffffffc1df99c1 R08: 0000000000000001 R09: 0000000000000004
      [ 1213.473514] R10: 0000000000000000 R11: ffff8881de353f00 R12: ffff8881ee727900
      [ 1213.473514] R13: dffffc0000000000 R14: 0000000000000001 R15: ffffffffc1eeaaf0
      [ 1213.473514] FS:  00007fa66fa01700(0000) GS:ffff8881f7200000(0000) knlGS:0000000000000000
      [ 1213.473514] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1213.473514] CR2: fffffbfff83bf338 CR3: 00000001ebb9e005 CR4: 00000000007606f0
      [ 1213.473514] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1213.473514] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 1213.473514] PKRU: 55555554
      [ 1213.473514] Call Trace:
      [ 1213.473514]  led_trigger_register+0x112/0x3f0
      [ 1213.473514]  led_trigger_register_simple+0x7a/0x110
      [ 1213.473514]  ? 0xffffffffc1c10000
      [ 1213.473514]  at76_mod_init+0x77/0x1000 [at76c50x_usb]
      [ 1213.473514]  do_one_initcall+0xbc/0x47d
      [ 1213.473514]  ? perf_trace_initcall_level+0x3a0/0x3a0
      [ 1213.473514]  ? kasan_unpoison_shadow+0x30/0x40
      [ 1213.473514]  ? kasan_unpoison_shadow+0x30/0x40
      [ 1213.473514]  do_init_module+0x1b5/0x547
      [ 1213.473514]  load_module+0x6405/0x8c10
      [ 1213.473514]  ? module_frob_arch_sections+0x20/0x20
      [ 1213.473514]  ? kernel_read_file+0x1e6/0x5d0
      [ 1213.473514]  ? find_held_lock+0x32/0x1c0
      [ 1213.473514]  ? cap_capable+0x1ae/0x210
      [ 1213.473514]  ? __do_sys_finit_module+0x162/0x190
      [ 1213.473514]  __do_sys_finit_module+0x162/0x190
      [ 1213.473514]  ? __ia32_sys_init_module+0xa0/0xa0
      [ 1213.473514]  ? __mutex_unlock_slowpath+0xdc/0x690
      [ 1213.473514]  ? wait_for_completion+0x370/0x370
      [ 1213.473514]  ? vfs_write+0x204/0x4a0
      [ 1213.473514]  ? do_syscall_64+0x18/0x450
      [ 1213.473514]  do_syscall_64+0x9f/0x450
      [ 1213.473514]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [ 1213.473514] RIP: 0033:0x462e99
      [ 1213.473514] Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      [ 1213.473514] RSP: 002b:00007fa66fa00c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      [ 1213.473514] RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      [ 1213.473514] RDX: 0000000000000000 RSI: 0000000020000300 RDI: 0000000000000003
      [ 1213.473514] RBP: 00007fa66fa00c70 R08: 0000000000000000 R09: 0000000000000000
      [ 1213.473514] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fa66fa016bc
      [ 1213.473514] R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
      If usb_register failed, no need to call led_trigger_register_simple.
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Fixes: 1264b951
       ("at76c50x-usb: add driver")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 16 May, 2019 1 commit
  3. 27 Apr, 2019 3 commits
    • Siva Rebbagondla's avatar
      rsi: improve kernel thread handling to fix kernel panic · ec759c00
      Siva Rebbagondla authored
      [ Upstream commit 4c62764d0fc21a34ffc44eec1210038c3a2e4473 ]
      While running regressions, observed below kernel panic when sdio disconnect
      called. This is because of, kthread_stop() is taking care of
      wait_for_completion() by default. When wait_for_completion triggered
      in kthread_stop and as it was done already, giving kernel panic.
      Hence, removing redundant wait_for_completion() from rsi_kill_thread().
      ... skipping ...
      BUG: unable to handle kernel NULL pointer dereference at           (null)
      IP: [<ffffffff810a63df>] exit_creds+0x1f/0x50
      PGD 0
      Oops: 0002 [#1] SMP
      CPU: 0 PID: 6502 Comm: rmmod Tainted: G  OE   4.15.9-Generic #154-Ubuntu
      Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
      ffff88007392e600 ffff880075847dc0 ffffffff8108160a 0000000000000000
      ffff88007392e600 ffff880075847de8 ffffffff810a484b ffff880076127000
      ffff88003cd3a800 ffff880074f12a00 ffff880075847e28 ffffffffc09bed15
      Call Trace:
      [<ffffffff8108160a>] __put_task_struct+0x5a/0x140
      [<ffffffff810a484b>] kthread_stop+0x10b/0x110
      [<ffffffffc09bed15>] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
      [<ffffffff81578bcb>] ? __pm_runtime_resume+0x5b/0x80
      [<ffffffff816f0918>] sdio_bus_remove+0x38/0x100
      [<ffffffff8156cc64>] __device_release_driver+0xa4/0x150
      [<ffffffff8156d7a5>] driver_detach+0xb5/0xc0
      [<ffffffff8156c6c5>] bus_remove_driver+0x55/0xd0
      [<ffffffff8156dfbc>] driver_unregister+0x2c/0x50
      [<ffffffff816f0b8a>] sdio_unregister_driver+0x1a/0x20
      [<ffffffffc09bf0f5>] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
      [<ffffffff8110cad8>] SyS_delete_module+0x1b8/0x210
      [<ffffffff81851dc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb
      Signed-off-by: default avatarSiva Rebbagondla <siva.rebbagondla@redpinesignals.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Zumeng Chen's avatar
      wlcore: Fix memory leak in case wl12xx_fetch_firmware failure · 517fbf72
      Zumeng Chen authored
      [ Upstream commit ba2ffc96321c8433606ceeb85c9e722b8113e5a7 ]
      Release fw_status, raw_fw_status, and tx_res_if when wl12xx_fetch_firmware
      failed instead of meaningless goto out to avoid the following memory leak
      reports(Only the last one listed):
      unreferenced object 0xc28a9a00 (size 512):
        comm "kworker/0:4", pid 31298, jiffies 2783204 (age 203.290s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
          [<6624adab>] kmemleak_alloc+0x40/0x74
          [<500ddb31>] kmem_cache_alloc_trace+0x1ac/0x270
          [<db4d731d>] wl12xx_chip_wakeup+0xc4/0x1fc [wlcore]
          [<76c5db53>] wl1271_op_add_interface+0x4a4/0x8f4 [wlcore]
          [<cbf30777>] drv_add_interface+0xa4/0x1a0 [mac80211]
          [<65bac325>] ieee80211_reconfig+0x9c0/0x1644 [mac80211]
          [<2817c80e>] ieee80211_restart_work+0x90/0xc8 [mac80211]
          [<7e1d425a>] process_one_work+0x284/0x42c
          [<55f9432e>] worker_thread+0x2fc/0x48c
          [<abb582c6>] kthread+0x148/0x160
          [<63144b13>] ret_from_fork+0x14/0x2c
          [< (null)>] (null)
          [<1f6e7715>] 0xffffffff
      Signed-off-by: default avatarZumeng Chen <zumeng.chen@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    • Stanislaw Gruszka's avatar
      mt7601u: bump supported EEPROM version · c627e297
      Stanislaw Gruszka authored
      [ Upstream commit 3bd1505fed71d834f45e87b32ff07157fdda47e0 ]
      As reported by Michael eeprom 0d is supported and work with the driver.
      Dump of /sys/kernel/debug/ieee80211/phy1/mt7601u/eeprom_param
      with 0d EEPORM looks like this:
      RSSI offset: 0 0
      Reference temp: f9
      LNA gain: 8
      Reg channels: 1-14
      Per rate power:
      	 raw:05 bw20:05 bw40:05
      	 raw:05 bw20:05 bw40:05
      	 raw:03 bw20:03 bw40:03
      	 raw:03 bw20:03 bw40:03
      	 raw:04 bw20:04 bw40:04
      	 raw:00 bw20:00 bw40:00
      	 raw:00 bw20:00 bw40:00
      	 raw:00 bw20:00 bw40:00
      	 raw:02 bw20:02 bw40:02
      	 raw:00 bw20:00 bw40:00
      Per channel power:
      	 tx_power  ch1:09 ch2:09
      	 tx_power  ch3:0a ch4:0a
      	 tx_power  ch5:0a ch6:0a
      	 tx_power  ch7:0b ch8:0b
      	 tx_power  ch9:0b ch10:0b
      	 tx_power  ch11:0b ch12:0b
      	 tx_power  ch13:0b ch14:0b
      Reported-and-tested-by: default avatarMichael <ZeroBeat@gmx.de>
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Acked-by: default avatarJakub Kicinski <kubakici@wp.pl>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
  4. 03 Apr, 2019 1 commit
    • Arnd Bergmann's avatar
      ath10k: avoid possible string overflow · a1402232
      Arnd Bergmann authored
      commit 6707ba0105a2d350710bc0a537a98f49eb4b895d upstream.
      The way that 'strncat' is used here raised a warning in gcc-8:
      drivers/net/wireless/ath/ath10k/wmi.c: In function 'ath10k_wmi_tpc_stats_final_disp_tables':
      drivers/net/wireless/ath/ath10k/wmi.c:4649:4: error: 'strncat' output truncated before terminating nul copying as many bytes from a string as its length [-Werror=stringop-truncation]
      Effectively, this is simply a strcat() but the use of strncat() suggests
      some form of overflow check. Regardless of whether this might actually
      overflow, using strlcat() instead of strncat() avoids the warning and
      makes the code more robust.
      Fixes: bc64d05220f3 ("ath10k: debugfs support to get final TPC stats for 10.4 variants")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. 23 Mar, 2019 1 commit
  6. 20 Feb, 2019 1 commit
    • Jia-Ju Bai's avatar
      cw1200: Fix concurrency use-after-free bugs in cw1200_hw_scan() · 8b79471d
      Jia-Ju Bai authored
      [ Upstream commit 4f68ef64cd7feb1220232bd8f501d8aad340a099 ]
      The function cw1200_bss_info_changed() and cw1200_hw_scan() can be
      concurrently executed.
      The two functions both access a possible shared variable "frame.skb".
      This shared variable is freed by dev_kfree_skb() in cw1200_upload_beacon(),
      which is called by cw1200_bss_info_changed(). The free operation is
      protected by a mutex lock "priv->conf_mutex" in cw1200_bss_info_changed().
      In cw1200_hw_scan(), this shared variable is accessed without the
      protection of the mutex lock "priv->conf_mutex".
      Thus, concurrency use-after-free bugs may occur.
      To fix these bugs, the original calls to mutex_lock(&priv->conf_mutex) and
      mutex_unlock(&priv->conf_mutex) are moved to the places, which can
      protect the accesses to the shared variable.
      Signed-off-by: default avatarJia-Ju Bai <baijiaju1990@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
  7. 13 Jan, 2019 1 commit
  8. 21 Dec, 2018 1 commit
  9. 17 Dec, 2018 1 commit
  10. 13 Dec, 2018 2 commits
    • Vasyl Vavrychuk's avatar
      mac80211_hwsim: Timer should be initialized before device registered · 71a8069f
      Vasyl Vavrychuk authored
      commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream.
      Otherwise if network manager starts configuring Wi-Fi interface
      immidiatelly after getting notification of its creation, we will get
      NULL pointer dereference:
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
        Call Trace:
         [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
         [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
         [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Sasha Levin's avatar
      Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()" · 494fedde
      Sasha Levin authored
      This reverts commit 3fdd3464 which was
      upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1.
      From Dietmar May's report on the stable mailing list
      > I've run into some problems which appear due to (a) recent patch(es) on
      > the wlcore wifi driver.
      > 4.4.160 - commit 3fdd3464
      > 4.9.131 - commit afeeecc7
      > Earlier versions (4.9.130 and 4.4.159 - tested back to 4.4.49) do not
      > exhibit this problem. It is still present in 4.9.141.
      > master as of 4.20.0-rc4 does not exhibit this problem.
      > Basically, during client association when in AP mode (running hostapd),
      > handshake may or may not complete following a noticeable delay. If
      > successful, then the driver fails consistently in warn_slowpath_null
      > during disassociation. If unsuccessful, the wifi client attempts multiple
      > times, sometimes failing repeatedly. I've had clients unable to connect
      > for 3-5 minutes during testing, with the syslog filled with dozens of
      > backtraces. syslog details are below.
      > I'm working on an embedded device with a TI 3352 ARM processor and a
      > murata wl1271 module in sdio mode. We're running a fully patched ubuntu
      > 18.04 ARM build, with a kernel built from kernel.org's stable/linux repo <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=afeeecc764436f31d4447575bb9007732333818c
      > Relevant parts of the kernel config are included below.
      > The commit message states:
      > > /I've only seen this few times with the runtime PM patches enabled so
      > > this one is probably not needed before that. This seems to work
      > > currently based on the current PM implementation timer. Let's apply
      > > this separately though in case others are hitting this issue./
      > We're not doing anything explicit with power management. The device is an
      > IoT edge gateway with battery backup, normally running on wall power. The
      > battery is currently used solely to shut down the system cleanly to avoid
      > filesystem corruption.
      > The device tree is configured to keep power in suspend; but the device
      > should never suspend, so in our case, there is no need to call
      > wl1271_ps_elp_wakeup() or wl1271_ps_elp_sleep(), as occurs in the patch.
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
  11. 01 Dec, 2018 6 commits
  12. 21 Nov, 2018 1 commit
    • Martin Willi's avatar
      ath10k: schedule hardware restart if WMI command times out · 93ceb8dc
      Martin Willi authored
      [ Upstream commit a9911937e7d332761e8c4fcbc7ba0426bdc3956f ]
      When running in AP mode, ath10k sometimes suffers from TX credit
      starvation. The issue is hard to reproduce and shows up once in a
      few days, but has been repeatedly seen with QCA9882 and a large
      range of firmwares, including
      Once the module is in this state, TX credits are never replenished,
      which results in "SWBA overrun" errors, as no beacons can be sent.
      Even worse, WMI commands run in a timeout while holding the conf
      mutex for three seconds each, making any further operations slow
      and the whole system unresponsive.
      The firmware/driver never recovers from that state automatically,
      and triggering TX flush or warm restarts won't work over WMI. So
      issue a hardware restart if a WMI command times out due to missing
      TX credits. This implies a connectivity outage of about 1.4s in AP
      mode, but brings back the interface and the whole system to a usable
      state. WMI command timeouts have not been seen in absent of this
      specific issue, so taking such drastic actions seems legitimate.
      Signed-off-by: default avatarMartin Willi <martin@strongswan.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
  13. 10 Nov, 2018 2 commits
  14. 13 Oct, 2018 2 commits
    • Zhi Chen's avatar
      ath10k: fix scan crash due to incorrect length calculation · 367222df
      Zhi Chen authored
      commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream.
      Length of WMI scan message was not calculated correctly. The allocated
      buffer was smaller than what we expected. So WMI message corrupted
      skb_info, which is at the end of skb->data. This fix takes TLV header
      into account even if the element is zero-length.
      Crash log:
        [49.629986] Unhandled kernel unaligned access[#1]:
        [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
        [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
        [49.646608] $ 0   : 00000000 00000001 80984a80 00000000
        [49.652038] $ 4   : 45259e89 8046d484 8046df30 8024ba70
        [49.657468] $ 8   : 00000000 804cc4c0 00000001 20306320
        [49.662898] $12   : 33322037 000110f2 00000000 31203930
        [49.668327] $16   : 82792b40 80984a80 00000001 804207fc
        [49.673757] $20   : 00000000 0000012c 00000040 80470000
        [49.679186] $24   : 00000000 8024af7c
        [49.684617] $28   : 8329c000 8329db88 00000001 802c58d0
        [49.690046] Hi    : 00000000
        [49.693022] Lo    : 453c0000
        [49.696013] epc   : 800efae4 put_page+0x0/0x58
        [49.700615] ra    : 802c58d0 skb_release_data+0x148/0x1d4
        [49.706184] Status: 1000fc03 KERNEL EXL IE
        [49.710531] Cause : 00800010 (ExcCode 04)
        [49.714669] BadVA : 45259e89
        [49.717644] PrId  : 00019374 (MIPS 24Kc)
      Signed-off-by: default avatarZhi Chen <zhichen@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Cc: Brian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Carl Huang's avatar
      ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait · 023fdb64
      Carl Huang authored
      commit 9ef0f58ed7b4a55da4a64641d538e0d9e46579ac upstream.
      The skb may be freed in tx completion context before
      trace_ath10k_wmi_cmd is called. This can be easily captured when
      KASAN(Kernel Address Sanitizer) is enabled. The fix is to move
      trace_ath10k_wmi_cmd before the send operation. As the ret has no
      meaning in trace_ath10k_wmi_cmd then, so remove this parameter too.
      Signed-off-by: default avatarCarl Huang <cjhuang@codeaurora.org>
      Tested-by: default avatarBrian Norris <briannorris@chromium.org>
      Reviewed-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarAmit Pundir <amit.pundir@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
  15. 10 Oct, 2018 4 commits
  16. 19 Sep, 2018 2 commits
    • Surabhi Vishnoi's avatar
      ath10k: disable bundle mgmt tx completion event support · a820e770
      Surabhi Vishnoi authored
      [ Upstream commit 673bc519c55843c68c3aecff71a4101e79d28d2b ]
      The tx completion of multiple mgmt frames can be bundled
      in a single event and sent by the firmware to host, if this
      capability is not disabled explicitly by the host. If the host
      cannot handle the bundled mgmt tx completion, this capability
      support needs to be disabled in the wmi init cmd, sent to the firmware.
      Add the host capability indication flag in the wmi ready command,
      to let firmware know the features supported by the host driver.
      This field is ignored if it is not supported by firmware.
      Set the host capability indication flag(i.e. host_capab) to zero,
      for disabling the support of bundle mgmt tx completion. This will
      indicate the firmware to send completion event for every mgmt tx
      completion, instead of bundling them together and sending in a single
      Tested HW: WCN3990
      Tested FW: WLAN.HL.2.0-01188-QCAHLSWMTPLZ-1
      Signed-off-by: default avatarSurabhi Vishnoi <svishnoi@codeaurora.org>
      Signed-off-by: default avatarRakesh Pillai <pillair@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Sven Eckelmann's avatar
      ath10k: prevent active scans on potential unusable channels · 2071bd1c
      Sven Eckelmann authored
      [ Upstream commit 3f259111583801013cb605bb4414aa529adccf1c ]
      The QCA4019 hw1.0 firmware 10.4-3.2.1-00050 and 10.4-3.5.3-00053 (and most
      likely all other) seem to ignore the WMI_CHAN_FLAG_DFS flag during the
      scan. This results in transmission (probe requests) on channels which are
      not "available" for transmissions.
      Since the firmware is closed source and nothing can be done from our side
      to fix the problem in it, the driver has to work around this problem. The
      WMI_CHAN_FLAG_PASSIVE seems to be interpreted by the firmware to not
      scan actively on a channel unless an AP was detected on it. Simple probe
      requests will then be transmitted by the STA on the channel.
      ath10k must therefore also use this flag when it queues a radar channel for
      scanning. This should reduce the chance of an active scan when the channel
      might be "unusable" for transmissions.
      Fixes: e8a50f8b
       ("ath10k: introduce DFS implementation")
      Signed-off-by: default avatarSven Eckelmann <sven.eckelmann@openmesh.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
  17. 24 Aug, 2018 1 commit
    • Michael Trimarchi's avatar
      brcmfmac: stop watchdog before detach and free everything · 852f7cdb
      Michael Trimarchi authored
      [ Upstream commit 373c83a801f15b1e3d02d855fad89112bd4ccbe0 ]
      Using built-in in kernel image without a firmware in filesystem
      or in the kernel image can lead to a kernel NULL pointer deference.
      Watchdog need to be stopped in brcmf_sdio_remove
      The system is going down NOW!
      [ 1348.110759] Unable to handle kernel NULL pointer dereference at virtual address 000002f8
      Sent SIGTERM to all processes
      [ 1348.121412] Mem abort info:
      [ 1348.126962]   ESR = 0x96000004
      [ 1348.130023]   Exception class = DABT (current EL), IL = 32 bits
      [ 1348.135948]   SET = 0, FnV = 0
      [ 1348.138997]   EA = 0, S1PTW = 0
      [ 1348.142154] Data abort info:
      [ 1348.145045]   ISV = 0, ISS = 0x00000004
      [ 1348.148884]   CM = 0, WnR = 0
      [ 1348.151861] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____)
      [ 1348.158475] [00000000000002f8] pgd=0000000000000000
      [ 1348.163364] Internal error: Oops: 96000004 [#1] PREEMPT SMP
      [ 1348.168927] Modules linked in: ipv6
      [ 1348.172421] CPU: 3 PID: 1421 Comm: brcmf_wdog/mmc0 Not tainted 4.17.0-rc5-next-20180517 #18
      [ 1348.180757] Hardware name: Amarula A64-Relic (DT)
      [ 1348.185455] pstate: 60000005 (nZCv daif -PAN -UAO)
      [ 1348.190251] pc : brcmf_sdiod_freezer_count+0x0/0x20
      [ 1348.195124] lr : brcmf_sdio_watchdog_thread+0x64/0x290
      [ 1348.200253] sp : ffff00000b85be30
      [ 1348.203561] x29: ffff00000b85be30 x28: 0000000000000000
      [ 1348.208868] x27: ffff00000b6cb918 x26: ffff80003b990638
      [ 1348.214176] x25: ffff0000087b1a20 x24: ffff80003b94f800
      [ 1348.219483] x23: ffff000008e620c8 x22: ffff000008f0b660
      [ 1348.224790] x21: ffff000008c6a858 x20: 00000000fffffe00
      [ 1348.230097] x19: ffff80003b94f800 x18: 0000000000000001
      [ 1348.235404] x17: 0000ffffab2e8a74 x16: ffff0000080d7de8
      [ 1348.240711] x15: 0000000000000000 x14: 0000000000000400
      [ 1348.246018] x13: 0000000000000400 x12: 0000000000000001
      [ 1348.251324] x11: 00000000000002c4 x10: 0000000000000a10
      [ 1348.256631] x9 : ffff00000b85bc40 x8 : ffff80003be11870
      [ 1348.261937] x7 : ffff80003dfc7308 x6 : 000000078ff08b55
      [ 1348.267243] x5 : 00000139e1058400 x4 : 0000000000000000
      [ 1348.272550] x3 : dead000000000100 x2 : 958f2788d6618100
      [ 1348.277856] x1 : 00000000fffffe00 x0 : 0000000000000000
      Signed-off-by: default avatarMichael Trimarchi <michael@amarulasolutions.com>
      Acked-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Tested-by: default avatarAndy Shevchenko <andy.shevchenko@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>