1. 11 Jun, 2019 5 commits
    • Hante Meuleman's avatar
      brcmfmac: Add length checks on firmware events · 6da841e9
      Hante Meuleman authored
      commit 0aedbcaf
      
       upstream.
      
      Add additional length checks on firmware events to create more
      robust code.
      Reviewed-by: default avatarArend Van Spriel <arend@broadcom.com>
      Reviewed-by: default avatarFranky (Zhenhui) Lin <frankyl@broadcom.com>
      Reviewed-by: default avatarPieter-Paul Giesberts <pieterpg@broadcom.com>
      Reviewed-by: default avatarLei Zhang <leizh@broadcom.com>
      Signed-off-by: default avatarHante Meuleman <meuleman@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      [bwh: Backported to 4.4:
       - Drop changes to brcmf_wowl_nd_results()
       - Adjust filenames]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6da841e9
    • Piotr Figiel's avatar
      brcmfmac: fix race during disconnect when USB completion is in progress · 0a597d2b
      Piotr Figiel authored
      
      
      [ Upstream commit db3b9e2e1d58080d0754bdf9293dabf8c6491b67 ]
      
      It was observed that rarely during USB disconnect happening shortly after
      connect (before full initialization completes) usb_hub_wq would wait
      forever for the dev_init_lock to be unlocked. dev_init_lock would remain
      locked though because of infinite wait during usb_kill_urb:
      
      [ 2730.656472] kworker/0:2     D    0   260      2 0x00000000
      [ 2730.660700] Workqueue: events request_firmware_work_func
      [ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
      [ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
      [ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
      [ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
      [ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
      [ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
      [ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
      [ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
      [ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
      [ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
      [ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
      [ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
      
      [ 2733.099695] kworker/0:3     D    0  1065      2 0x00000000
      [ 2733.103926] Workqueue: usb_hub_wq hub_event
      [ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
      [ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
      [ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
      [ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
      [ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
      [ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
      [ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
      [ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
      [ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
      [ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
      [ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
      [ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
      [ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
      [ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
      [ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
      
      It was traced down to a case where usb_kill_urb would be called on an URB
      structure containing more or less random data, including large number in
      its use_count. During the debugging it appeared that in brcmf_usb_free_q()
      the traversal over URBs' lists is not synchronized with operations on those
      lists in brcmf_usb_rx_complete() leading to handling
      brcmf_usbdev_info structure (holding lists' head) as lists' element and in
      result causing above problem.
      
      Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
      arrays of requests instead of linked lists.
      Signed-off-by: default avatarPiotr Figiel <p.figiel@camlintechnologies.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0a597d2b
    • Piotr Figiel's avatar
      brcmfmac: convert dev_init_lock mutex to completion · f95ab00a
      Piotr Figiel authored
      
      
      [ Upstream commit a9fd0953fa4a62887306be28641b4b0809f3b2fd ]
      
      Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
      kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
      which silences those warnings and improves code readability.
      
      Fix below errors when connecting the USB WiFi dongle:
      
      brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
      BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
           last function: hub_event
      1 lock held by kworker/0:2/434:
       #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
      CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      Workqueue: usb_hub_wq hub_event
      [<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
      [<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
      [<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808)
      [<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
      [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
      [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
      Exception stack(0xed1d9fb0 to 0xed1d9ff8)
      9fa0:                                     00000000 00000000 00000000 00000000
      9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
      
      ======================================================
      WARNING: possible circular locking dependency detected
      4.19.23-00084-g454a789-dirty #123 Not tainted
      ------------------------------------------------------
      kworker/0:2/434 is trying to acquire lock:
      e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808
      
      but task is already holding lock:
      18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
      
      which lock already depends on the new lock.
      
      the existing dependency chain (in reverse order) is:
      
      -> #2 (&devinfo->dev_init_lock){+.+.}:
             mutex_lock_nested+0x1c/0x24
             brcmf_usb_probe+0x78/0x550 [brcmfmac]
             usb_probe_interface+0xc0/0x1bc
             really_probe+0x228/0x2c0
             __driver_attach+0xe4/0xe8
             bus_for_each_dev+0x68/0xb4
             bus_add_driver+0x19c/0x214
             driver_register+0x78/0x110
             usb_register_driver+0x84/0x148
             process_one_work+0x228/0x808
             worker_thread+0x2c/0x564
             kthread+0x13c/0x16c
             ret_from_fork+0x14/0x20
               (null)
      
      -> #1 (brcmf_driver_work){+.+.}:
             worker_thread+0x2c/0x564
             kthread+0x13c/0x16c
             ret_from_fork+0x14/0x20
               (null)
      
      -> #0 ((wq_completion)"events"){+.+.}:
             process_one_work+0x1b8/0x808
             worker_thread+0x2c/0x564
             kthread+0x13c/0x16c
             ret_from_fork+0x14/0x20
               (null)
      
      other info that might help us debug this:
      
      Chain exists of:
        (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock
      
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(&devinfo->dev_init_lock);
                                     lock(brcmf_driver_work);
                                     lock(&devinfo->dev_init_lock);
        lock((wq_completion)"events");
      
       *** DEADLOCK ***
      
      1 lock held by kworker/0:2/434:
       #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
      
      stack backtrace:
      CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
      Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
      Workqueue: events request_firmware_work_func
      [<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
      [<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
      [<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330)
      [<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30)
      [<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268)
      [<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808)
      [<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
      [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
      [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
      Exception stack(0xed1d9fb0 to 0xed1d9ff8)
      9fa0:                                     00000000 00000000 00000000 00000000
      9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
      Signed-off-by: default avatarPiotr Figiel <p.figiel@camlintechnologies.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f95ab00a
    • Kangjie Lu's avatar
      brcmfmac: fix missing checks for kmemdup · 951fbf92
      Kangjie Lu authored
      
      
      [ Upstream commit 46953f97224d56a12ccbe9c6acaa84ca0dab2780 ]
      
      In case kmemdup fails, the fix sets conn_info->req_ie_len and
      conn_info->resp_ie_len to zero to avoid buffer overflows.
      Signed-off-by: default avatarKangjie Lu <kjlu@umn.edu>
      Acked-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      951fbf92
    • Dan Carpenter's avatar
      brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() · a898d150
      Dan Carpenter authored
      [ Upstream commit e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d ]
      
      If "ret_len" is negative then it could lead to a NULL dereference.
      
      The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
      then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
      brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
      Most of the functions in that call tree check whether the buffer we pass
      is NULL but there are at least a couple places which don't such as
      brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
      from the buffer so it would result in a NULL dereference.
      
      The fix is to change the types so that "ret_len" can't be negative.  (If
      we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
      issue).
      
      Fixes: 1bacb048
      
       ("brcmfmac: replace cfg80211 testmode with vendor command")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a898d150
  2. 10 Nov, 2018 1 commit
  3. 24 Aug, 2018 1 commit
    • Michael Trimarchi's avatar
      brcmfmac: stop watchdog before detach and free everything · 852f7cdb
      Michael Trimarchi authored
      
      
      [ Upstream commit 373c83a801f15b1e3d02d855fad89112bd4ccbe0 ]
      
      Using built-in in kernel image without a firmware in filesystem
      or in the kernel image can lead to a kernel NULL pointer deference.
      Watchdog need to be stopped in brcmf_sdio_remove
      
      The system is going down NOW!
      [ 1348.110759] Unable to handle kernel NULL pointer dereference at virtual address 000002f8
      Sent SIGTERM to all processes
      [ 1348.121412] Mem abort info:
      [ 1348.126962]   ESR = 0x96000004
      [ 1348.130023]   Exception class = DABT (current EL), IL = 32 bits
      [ 1348.135948]   SET = 0, FnV = 0
      [ 1348.138997]   EA = 0, S1PTW = 0
      [ 1348.142154] Data abort info:
      [ 1348.145045]   ISV = 0, ISS = 0x00000004
      [ 1348.148884]   CM = 0, WnR = 0
      [ 1348.151861] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____)
      [ 1348.158475] [00000000000002f8] pgd=0000000000000000
      [ 1348.163364] Internal error: Oops: 96000004 [#1] PREEMPT SMP
      [ 1348.168927] Modules linked in: ipv6
      [ 1348.172421] CPU: 3 PID: 1421 Comm: brcmf_wdog/mmc0 Not tainted 4.17.0-rc5-next-20180517 #18
      [ 1348.180757] Hardware name: Amarula A64-Relic (DT)
      [ 1348.185455] pstate: 60000005 (nZCv daif -PAN -UAO)
      [ 1348.190251] pc : brcmf_sdiod_freezer_count+0x0/0x20
      [ 1348.195124] lr : brcmf_sdio_watchdog_thread+0x64/0x290
      [ 1348.200253] sp : ffff00000b85be30
      [ 1348.203561] x29: ffff00000b85be30 x28: 0000000000000000
      [ 1348.208868] x27: ffff00000b6cb918 x26: ffff80003b990638
      [ 1348.214176] x25: ffff0000087b1a20 x24: ffff80003b94f800
      [ 1348.219483] x23: ffff000008e620c8 x22: ffff000008f0b660
      [ 1348.224790] x21: ffff000008c6a858 x20: 00000000fffffe00
      [ 1348.230097] x19: ffff80003b94f800 x18: 0000000000000001
      [ 1348.235404] x17: 0000ffffab2e8a74 x16: ffff0000080d7de8
      [ 1348.240711] x15: 0000000000000000 x14: 0000000000000400
      [ 1348.246018] x13: 0000000000000400 x12: 0000000000000001
      [ 1348.251324] x11: 00000000000002c4 x10: 0000000000000a10
      [ 1348.256631] x9 : ffff00000b85bc40 x8 : ffff80003be11870
      [ 1348.261937] x7 : ffff80003dfc7308 x6 : 000000078ff08b55
      [ 1348.267243] x5 : 00000139e1058400 x4 : 0000000000000000
      [ 1348.272550] x3 : dead000000000100 x2 : 958f2788d6618100
      [ 1348.277856] x1 : 00000000fffffe00 x0 : 0000000000000000
      Signed-off-by: default avatarMichael Trimarchi <michael@amarulasolutions.com>
      Acked-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Tested-by: default avatarAndy Shevchenko <andy.shevchenko@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      852f7cdb
  4. 06 Aug, 2018 1 commit
  5. 13 Jun, 2018 1 commit
  6. 28 Mar, 2018 1 commit
  7. 18 Nov, 2017 1 commit
  8. 27 Oct, 2017 1 commit
    • Arnd Bergmann's avatar
      brcmsmac: make some local variables 'static const' to reduce stack size · 260b6739
      Arnd Bergmann authored
      commit c503dd38
      
       upstream.
      
      With KASAN and a couple of other patches applied, this driver is one
      of the few remaining ones that actually use more than 2048 bytes of
      kernel stack:
      
      broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy_gainctrl':
      broadcom/brcm80211/brcmsmac/phy/phy_n.c:16065:1: warning: the frame size of 3264 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy':
      broadcom/brcm80211/brcmsmac/phy/phy_n.c:17138:1: warning: the frame size of 2864 bytes is larger than 2048 bytes [-Wframe-larger-than=]
      
      Here, I'm reducing the stack size by marking as many local variables as
      'static const' as I can without changing the actual code.
      
      This is the first of three patches to improve the stack usage in this
      driver. It would be good to have this backported to stabl kernels
      to get all drivers in 'allmodconfig' below the 2048 byte limit so
      we can turn on the frame warning again globally, but I realize that
      the patch is larger than the normal limit for stable backports.
      
      The other two patches do not need to be backported.
      Acked-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      260b6739
  9. 18 Oct, 2017 1 commit
  10. 12 Oct, 2017 1 commit
  11. 21 Jul, 2017 1 commit
  12. 20 May, 2017 1 commit
  13. 14 May, 2017 2 commits
  14. 31 Oct, 2016 1 commit
  15. 22 Oct, 2016 1 commit
  16. 07 Oct, 2016 3 commits
  17. 21 Oct, 2015 12 commits
  18. 29 Sep, 2015 5 commits