]> git.baikalelectronics.ru Git - kernel.git/log
kernel.git
5 years agomt76: mt7603: stop mac80211 queues before setting the channel
Lorenzo Bianconi [Sun, 5 May 2019 00:53:32 +0000 (02:53 +0200)]
mt76: mt7603: stop mac80211 queues before setting the channel

Suspend data transmission during channel switch

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: run __mt76_mcu_send_msg in mt7615_mcu_send_firmware
Lorenzo Bianconi [Sat, 4 May 2019 15:29:09 +0000 (17:29 +0200)]
mt7615: mcu: run __mt76_mcu_send_msg in mt7615_mcu_send_firmware

Run __mt76_mcu_send_msg instead of __mt7615_mcu_msg_send and remove
duplicated code.

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: init mcu_restart function pointer
Lorenzo Bianconi [Sat, 4 May 2019 15:29:08 +0000 (17:29 +0200)]
mt7615: mcu: init mcu_restart function pointer

Use common function wrapper in mt7615_mcu_exit since the code is shared
with m7603 driver

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: initialize mt76_mcu_ops data structure
Lorenzo Bianconi [Sat, 4 May 2019 15:29:07 +0000 (17:29 +0200)]
mt7615: initialize mt76_mcu_ops data structure

Use __mt76_mcu_send_msg wrapper instead of mt7615_mcu_msg_send.
This is a preliminary patch for mt7615-mt7603 mcu code unification

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: use standard signature for mt7615_mcu_msg_send
Lorenzo Bianconi [Sat, 4 May 2019 15:29:06 +0000 (17:29 +0200)]
mt7615: mcu: use standard signature for mt7615_mcu_msg_send

Use mt76 common signature for mt7615_mcu_msg_send. Move skb allocation
in mt7615_mcu_msg_send and remove duplicated code. Remove
__mt7615_mcu_set_wtbl and __mt7615_mcu_set_sta_rec since now are used
just to send mcu msgs.  This is a preliminary patch for mt7615-mt7603 mcu
code unification

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: remove unused structure in mcu.h
Lorenzo Bianconi [Sat, 4 May 2019 15:29:05 +0000 (17:29 +0200)]
mt7615: mcu: remove unused structure in mcu.h

Remove following struct no longer used:
- dev_info
- bss_info
- bss_info_tag_handler

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: do not use function pointers whenever possible
Lorenzo Bianconi [Thu, 9 May 2019 07:54:00 +0000 (09:54 +0200)]
mt7615: mcu: do not use function pointers whenever possible

Remove function pointers in mt7615_mcu_set_bss_info and run function
directly. Moreover remove __mt7615_mcu_set_bss_info since it is run just
by mt7615_mcu_set_bss_info and remove duplicated istructions

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: unify __mt7615_mcu_set_dev_info and mt7615_mcu_set_dev_info
Lorenzo Bianconi [Sat, 4 May 2019 15:29:03 +0000 (17:29 +0200)]
mt7615: mcu: unify __mt7615_mcu_set_dev_info and mt7615_mcu_set_dev_info

Unify mt7615_mcu_set_dev_info and __mt7615_mcu_set_dev_info since the
latter is run just by mt7615_mcu_set_dev_info

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: remove skb_ret from mt7615_mcu_msg_send
Lorenzo Bianconi [Sat, 4 May 2019 15:29:02 +0000 (17:29 +0200)]
mt7615: mcu: remove skb_ret from mt7615_mcu_msg_send

Remove skb_ret parameter from mt7615_mcu_msg_send signature since it is
actually used just by mt7615_mcu_patch_sem_ctrl. This is a prelimanry
patch to use mt76 common mcu API

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: remove dest from mt7615_mcu_msg_send signature
Lorenzo Bianconi [Sat, 4 May 2019 15:29:01 +0000 (17:29 +0200)]
mt7615: remove dest from mt7615_mcu_msg_send signature

Remove dest parameter from mt7615_mcu_msg_send/__mt7615_mcu_msg_send
routine signature since it can is always set to MCU_S2D_H2N

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: remove query from mt7615_mcu_msg_send signature
Lorenzo Bianconi [Sat, 4 May 2019 15:29:00 +0000 (17:29 +0200)]
mt7615: remove query from mt7615_mcu_msg_send signature

Remove query parameter from mt7615_mcu_msg_send routine signature since
it can be obtained from cmd value

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: remove unused parameter in mt7615_mcu_del_wtbl
Lorenzo Bianconi [Sat, 4 May 2019 15:28:59 +0000 (17:28 +0200)]
mt7615: mcu: remove unused parameter in mt7615_mcu_del_wtbl

Remove unused vif parameter in mt7615_mcu_del_wtbl signature

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: unify mt7615_mcu_add_wtbl_bmc and mt7615_mcu_del_wtbl_bmc
Lorenzo Bianconi [Sat, 4 May 2019 15:28:58 +0000 (17:28 +0200)]
mt7615: mcu: unify mt7615_mcu_add_wtbl_bmc and mt7615_mcu_del_wtbl_bmc

Remove duplicated code in mt7615_bss_info_changed

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: use proper msg size in mt7615_mcu_add_wtbl
Lorenzo Bianconi [Sat, 4 May 2019 15:28:57 +0000 (17:28 +0200)]
mt7615: mcu: use proper msg size in mt7615_mcu_add_wtbl

Use proper mcu message size in mt7615_mcu_add_wtbl and do not
allocate a huge buffer. Moreover use stack memory instead of heap one

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: use proper msg size in mt7615_mcu_add_wtbl_bmc
Lorenzo Bianconi [Sat, 4 May 2019 15:28:56 +0000 (17:28 +0200)]
mt7615: mcu: use proper msg size in mt7615_mcu_add_wtbl_bmc

Use proper mcu message size in mt7615_mcu_add_wtbl_bmc and do not
allocate a huge buffer. Moreover use stack memory instead of heap one

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: remove bss_info_convert_vif_type routine
Lorenzo Bianconi [Sat, 4 May 2019 15:28:55 +0000 (17:28 +0200)]
mt7615: mcu: remove bss_info_convert_vif_type routine

Remove bss_info_convert_vif_type routine since it is run just in
mt7615_mcu_set_bss_info and the switch over vif->type is already there.
Simplify mt7615_mcu_set_bss_info routine

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: simplify __mt7615_mcu_set_sta_rec
Lorenzo Bianconi [Sat, 4 May 2019 15:28:54 +0000 (17:28 +0200)]
mt7615: mcu: simplify __mt7615_mcu_set_sta_rec

Do not loop over cmd payload in __mt7615_mcu_set_sta_rec since it is
already done in before running __mt7615_mcu_set_sta_rec (e.g.
mt7615_mcu_set_sta_rec)

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt7615: mcu: simplify __mt7615_mcu_set_wtbl
Lorenzo Bianconi [Sat, 4 May 2019 15:28:53 +0000 (17:28 +0200)]
mt7615: mcu: simplify __mt7615_mcu_set_wtbl

Do not loop over cmd payload in __mt7615_mcu_set_wtbl since it is
already done in before running __mt7615_mcu_set_wtbl (e.g.
mt7615_mcu_set_wtbl_key)

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt76: mt7615: Make mt7615_irq_handler static
YueHaibing [Sat, 4 May 2019 10:22:47 +0000 (18:22 +0800)]
mt76: mt7615: Make mt7615_irq_handler static

Fix sparse warning:

drivers/net/wireless/mediatek/mt76/mt7615/pci.c:37:13:
 warning: symbol 'mt7615_irq_handler' was not declared. Should it be static?

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt76: mt7615: Use after free in mt7615_mcu_set_bcn()
Dan Carpenter [Fri, 3 May 2019 13:09:13 +0000 (16:09 +0300)]
mt76: mt7615: Use after free in mt7615_mcu_set_bcn()

We dereference "skb" when we assign:

req.pkt_len = cpu_to_le16(MT_TXD_SIZE + skb->len);
                                                ^^^^^^^^
So this patch just moves the dev_kfree_skb() down a bit to avoid the
use after free.

Fixes: 09301c7b1225 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt76: Fix a signedness bug in mt7615_add_interface()
Dan Carpenter [Fri, 3 May 2019 12:54:36 +0000 (15:54 +0300)]
mt76: Fix a signedness bug in mt7615_add_interface()

The problem is that "mvif->omac_idx" is a u8 so it can't be negative
and the error handling won't work.  The get_omac_idx() function returns
-1 on error.

Fixes: 09301c7b1225 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt76: move netif_napi_del in mt76_dma_cleanup
Lorenzo Bianconi [Wed, 1 May 2019 14:06:23 +0000 (16:06 +0200)]
mt76: move netif_napi_del in mt76_dma_cleanup

Move netif_napi_del in mt76_dma_cleanup routine since it is done
by all drivers

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt76: mt7615: use napi polling for tx cleanup
Lorenzo Bianconi [Wed, 1 May 2019 14:06:22 +0000 (16:06 +0200)]
mt76: mt7615: use napi polling for tx cleanup

This allows tx scheduling and tx cleanup to run concurrently

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt76: mt7603: use napi polling for tx cleanup
Lorenzo Bianconi [Wed, 1 May 2019 14:06:21 +0000 (16:06 +0200)]
mt76: mt7603: use napi polling for tx cleanup

This allows tx scheduling and tx cleanup to run concurrently

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt76: move tx_napi in mt76_dev
Lorenzo Bianconi [Wed, 1 May 2019 14:06:20 +0000 (16:06 +0200)]
mt76: move tx_napi in mt76_dev

Move tx_napi in mt76_dev data structure in order to implement
concurrency between tx scheduling and tx cleanup in mt7603 and mt7615
drivers

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agomt76: mt76x02: remove useless return in mt76x02_resync_beacon_timer
Lorenzo Bianconi [Wed, 1 May 2019 13:44:25 +0000 (15:44 +0200)]
mt76: mt76x02: remove useless return in mt76x02_resync_beacon_timer

Remove useless return statment in mt76x02_resync_beacon_timer routine

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
5 years agoairo: switch to skcipher interface
Ard Biesheuvel [Mon, 17 Jun 2019 08:43:38 +0000 (10:43 +0200)]
airo: switch to skcipher interface

The AIRO driver applies a ctr(aes) on a buffer of considerable size
(2400 bytes), and instead of invoking the crypto API to handle this
in its entirety, it open codes the counter manipulation and invokes
the AES block cipher directly.

Let's fix this, by switching to the sync skcipher API instead.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agort2800: do not enable watchdog by default
Stanislaw Gruszka [Sat, 15 Jun 2019 10:01:00 +0000 (12:01 +0200)]
rt2800: do not enable watchdog by default

Make watchdog disabled by default and add module parameter to enable it.

User will have to create file in /etc/modprobe.d/ with

options rt2800lib watchdog=1

to enable the watchdog or load "rt2800lib watchdog=1" module manually
before loading rt2800{soc,pci,usb} module.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agort2x00: add restart hw
Stanislaw Gruszka [Sat, 15 Jun 2019 10:00:59 +0000 (12:00 +0200)]
rt2x00: add restart hw

Add ieee80211_restart_hw() to watchdog and debugfs file for testing
if restart works as expected.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agort2800: do not nullify initialization vector data
Stanislaw Gruszka [Sat, 15 Jun 2019 10:00:58 +0000 (12:00 +0200)]
rt2800: do not nullify initialization vector data

If we restart hw we should keep existing IV (initialization vector)
otherwise HW encryption will be broken after restart.

Also fix some coding style issues on the way.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agort2800: add pre_reset_hw callback
Stanislaw Gruszka [Sat, 15 Jun 2019 10:00:57 +0000 (12:00 +0200)]
rt2800: add pre_reset_hw callback

Add routine to cleanup interfaces data before hw reset as
ieee80211_restart_hw() will do setup interfaces again.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agort2800: initial watchdog implementation
Stanislaw Gruszka [Sat, 15 Jun 2019 10:00:56 +0000 (12:00 +0200)]
rt2800: initial watchdog implementation

Add watchdog for rt2800 devices. For now it only detect hung
and print error.

[Note: I verified that printing messages from process context is
fine on MT7620 (WT3020) platform that have problem when printk
is called from interrupt context].

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agort2800: add helpers for reading dma done index
Stanislaw Gruszka [Sat, 15 Jun 2019 10:00:55 +0000 (12:00 +0200)]
rt2800: add helpers for reading dma done index

For mmio we do not properlly trace dma done Q_INDEX_DMA_DONE index
for TX queues. That would require implementing INT_SOURCE_CSR_*_DMA_DONE
interrupts, what is rather not worth to do due to adding extra
CPU load (small but still somewhat not necessary otherwise).

We can just read TX DMA done indexes from registers directly. What
will be used by watchdog.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agort2x00: allow to specify watchdog interval
Stanislaw Gruszka [Sat, 15 Jun 2019 10:00:54 +0000 (12:00 +0200)]
rt2x00: allow to specify watchdog interval

Allow subdriver to change watchdog interval by intialize
link->watchdog_interval value before rt2x00link_register().

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agop54: remove dead branch in op_conf_tx callback
Christian Lamparter [Sat, 15 Jun 2019 10:00:09 +0000 (12:00 +0200)]
p54: remove dead branch in op_conf_tx callback

This patch removes the error branch for (queue > dev->queues).
It is no longer needed anymore as the "queue" value is validated by
cfg80211's parse_txq_params() before the driver code gets called.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: fix typo rtw_writ16_set
Tzu-En Huang [Fri, 14 Jun 2019 07:24:15 +0000 (15:24 +0800)]
rtw88: fix typo rtw_writ16_set

rtw_writ16_set should be rtw_write16_set

Signed-off-by: Tzu-En Huang <tehuang@realtek.com>
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: rsvd page should go though management queue
Yan-Hsuan Chuang [Fri, 14 Jun 2019 07:24:14 +0000 (15:24 +0800)]
rtw88: rsvd page should go though management queue

The hardware default uses management queue to transmit frames that are
downloaded into reserved page, so we need to clearly assign the frames
to use qsel in TX_DESC_QSEL_MGMT to avoid using wrong queue.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: restore DACK results to save time
Yan-Hsuan Chuang [Fri, 14 Jun 2019 07:24:13 +0000 (15:24 +0800)]
rtw88: restore DACK results to save time

DACK is done right after the hardware has been turned on, which
means it will be done every time we leave the IDLE state.
But it takes ~2 seconds to finish DACK.

We can back up the results and restore them. And it only takes a few
milliseconds to restore the results to the hardware, saving a lot of
time.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: power on again if it was already on
Yan-Hsuan Chuang [Fri, 14 Jun 2019 07:24:12 +0000 (15:24 +0800)]
rtw88: power on again if it was already on

We could fail to power on because it was already on. If the return
value is -EALREADY, power off and then power on again to turn on the
hardware as expected.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: 8822c: use more accurate ofdm fa counting
Yan-Hsuan Chuang [Fri, 14 Jun 2019 07:24:11 +0000 (15:24 +0800)]
rtw88: 8822c: use more accurate ofdm fa counting

8822c used to count OFDM FA count by subtracting tx count from FA count.
But it need to substract more counters to be accurate.

However, we can count it by adding up all of the FA counters we want.
And it is simpler to add than list all of the components to substract.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: 8822c: disable rx clock gating before counter reset
Yan-Hsuan Chuang [Fri, 14 Jun 2019 07:24:10 +0000 (15:24 +0800)]
rtw88: 8822c: disable rx clock gating before counter reset

Driver Could fail to reset counter if rx clock gating is not disabled.
So we need to disable rx clock gating before resetting counters.
Otherwise counters may increase unexpected.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: 8822c: update channel and bandwidth BB setting
Chien-Hsun Liao [Fri, 14 Jun 2019 07:24:09 +0000 (15:24 +0800)]
rtw88: 8822c: update channel and bandwidth BB setting

In 2G channels, the cck source and rxagc should be set to different
values based on different bandwidth to increase the performance of rx
sensitivity.

To improve rx throughput performance, the values of sbd subtune and
pt_opt should be changed in different bandwidth.

Signed-off-by: Chien-Hsun Liao <ben.liao@realtek.com>
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: 8822c: add rf write protection when switching channel
Chien-Hsun Liao [Fri, 14 Jun 2019 07:24:08 +0000 (15:24 +0800)]
rtw88: 8822c: add rf write protection when switching channel

Collision of writing rf registers could occur if the driver writes
rf registers by direct write while the hardware is writing other rf
registers by pi write simultaneously.

Hardware pi write can be triggered by rf calibrations sometimes, so
the driver can not always write rf registers by direct write
protection. Direct write protection can make sure that there is no
hardware pi write during the direct write.

According to some experiments, if we add direct write protection
when switching channel, the performance of rf calibration will not
be affected.

Signed-off-by: Chien-Hsun Liao <ben.liao@realtek.com>
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: add beacon function setting
Chin-Yen Lee [Fri, 14 Jun 2019 07:24:07 +0000 (15:24 +0800)]
rtw88: add beacon function setting

Add beacon function setting routines for each hardware port.
If beacon function is not enabled, the hardware is not able
to synchronize with AP's beacon and can miss the beacons
under some scenarios such as PS mode.

For AP and Adhoc modes that require to send beacons, do not
update the TSF, otherwise the beacon interval may be affected.

Signed-off-by: Chin-Yen Lee <timlee@realtek.com>
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: add support for random mac scan
Yan-Hsuan Chuang [Fri, 14 Jun 2019 07:24:06 +0000 (15:24 +0800)]
rtw88: add support for random mac scan

When driver uses random mac address to scan, the unicast probe response
will not be received because the addr1 is not matched. Configure port
address by requested mac address to receive probe response from AP.

To support random mac scan, we need to configure the mac address during
scan period to receive unicast prop_resp. After scan is completed,
configure the mac address back to the original one that the port used.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: add fast xmit support
Yan-Hsuan Chuang [Fri, 14 Jun 2019 07:24:05 +0000 (15:24 +0800)]
rtw88: add fast xmit support

With dynamic power save support, rtw88 is able to support fast tx
path, claim it to mac80211.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agoiwlegacy: 4965: no need to check return value of debugfs_create functions
Greg Kroah-Hartman [Wed, 12 Jun 2019 14:26:55 +0000 (16:26 +0200)]
iwlegacy: 4965: no need to check return value of debugfs_create functions

When calling debugfs functions, there is no need to ever check the
return value.  This driver was saving the debugfs file away to be
removed at a later time.  However, the 80211 core would delete the whole
directory that the debugfs files are created in, after it asks the
driver to do the deletion, so just rely on the 80211 core to do all of
the cleanup for us, making us not need to keep a pointer to the dentries
around at all.

This cleans up the structure of the driver data a bit and makes the code
a tiny bit smaller.

Cc: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agoiwlegacy: 3945: no need to check return value of debugfs_create functions
Greg Kroah-Hartman [Wed, 12 Jun 2019 14:26:54 +0000 (16:26 +0200)]
iwlegacy: 3945: no need to check return value of debugfs_create functions

When calling debugfs functions, there is no need to ever check the
return value.  This driver was saving the debugfs file away to be
removed at a later time.  However, the 80211 core would delete the whole
directory that the debugfs files are created in, after it asks the
driver to do the deletion, so just rely on the 80211 core to do all of
the cleanup for us, making us not need to keep a pointer to the dentries
around at all.

This cleans up the structure of the driver data a bit and makes the code
a tiny bit smaller.

Cc: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agossb/gpio: Remove unnecessary WARN_ON from driver_gpio
Michael Büsch [Mon, 10 Jun 2019 18:49:27 +0000 (20:49 +0200)]
ssb/gpio: Remove unnecessary WARN_ON from driver_gpio

The WARN_ON triggers on older BCM4401-B0 100Base-TX ethernet controllers.
The warning serves no purpose. So let's just remove it.

Reported-by: H Buus <ubuntu@hbuus.com>
Signed-off-by: Michael Büsch <m@bues.ch>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: rtl8188ee: remove redundant assignment to rtstatus
Colin Ian King [Sat, 8 Jun 2019 10:58:00 +0000 (11:58 +0100)]
rtlwifi: rtl8188ee: remove redundant assignment to rtstatus

Variable rtstatus is being initialized with a value that is never read
as rtstatus is being re-assigned a little later on. The assignment is
redundant and hence can be removed.

Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agoqtnfmac: Use struct_size() in kzalloc()
Gustavo A. R. Silva [Fri, 7 Jun 2019 19:17:45 +0000 (14:17 -0500)]
qtnfmac: Use struct_size() in kzalloc()

One of the more common cases of allocation size calculations is finding
the size of a structure that has a zero-sized array at the end, along
with memory for some number of elements for that array. For example:

struct ieee80211_regdomain {
...
        struct ieee80211_reg_rule reg_rules[];
};

instance = kzalloc(sizeof(*mac->rd) +
                          sizeof(struct ieee80211_reg_rule) *
                          count, GFP_KERNEL);

Instead of leaving these open-coded and prone to type mistakes, we can
now use the new struct_size() helper:

instance = kzalloc(struct_size(instance, reg_rules, count), GFP_KERNEL);

This code was detected with the help of Coccinelle.

Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reviewed-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agomt7601u: fix possible memory leak when the device is disconnected
Lorenzo Bianconi [Fri, 7 Jun 2019 11:48:10 +0000 (13:48 +0200)]
mt7601u: fix possible memory leak when the device is disconnected

When the device is disconnected while passing traffic it is possible
to receive out of order urbs causing a memory leak since the skb linked
to the current tx urb is not removed. Fix the issue deallocating the skb
cleaning up the tx ring. Moreover this patch fixes the following kernel
warning

[   57.480771] usb 1-1: USB disconnect, device number 2
[   57.483451] ------------[ cut here ]------------
[   57.483462] TX urb mismatch
[   57.483481] WARNING: CPU: 1 PID: 32 at drivers/net/wireless/mediatek/mt7601u/dma.c:245 mt7601u_complete_tx+0x165/00
[   57.483483] Modules linked in:
[   57.483496] CPU: 1 PID: 32 Comm: kworker/1:1 Not tainted 5.2.0-rc1+ #72
[   57.483498] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-2.fc30 04/01/2014
[   57.483502] Workqueue: usb_hub_wq hub_event
[   57.483507] RIP: 0010:mt7601u_complete_tx+0x165/0x1e0
[   57.483510] Code: 8b b5 10 04 00 00 8b 8d 14 04 00 00 eb 8b 80 3d b1 cb e1 00 00 75 9e 48 c7 c7 a4 ea 05 82 c6 05 f
[   57.483513] RSP: 0000:ffffc900000a0d28 EFLAGS: 00010092
[   57.483516] RAX: 000000000000000f RBX: ffff88802c0a62c0 RCX: ffffc900000a0c2c
[   57.483518] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff810a8371
[   57.483520] RBP: ffff88803ced6858 R08: 0000000000000000 R09: 0000000000000001
[   57.483540] R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000046
[   57.483542] R13: ffff88802c0a6c88 R14: ffff88803baab540 R15: ffff88803a0cc078
[   57.483548] FS:  0000000000000000(0000) GS:ffff88803eb00000(0000) knlGS:0000000000000000
[   57.483550] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   57.483552] CR2: 000055e7f6780100 CR3: 0000000028c86000 CR4: 00000000000006a0
[   57.483554] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   57.483556] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[   57.483559] Call Trace:
[   57.483561]  <IRQ>
[   57.483565]  __usb_hcd_giveback_urb+0x77/0xe0
[   57.483570]  xhci_giveback_urb_in_irq.isra.0+0x8b/0x140
[   57.483574]  handle_cmd_completion+0xf5b/0x12c0
[   57.483577]  xhci_irq+0x1f6/0x1810
[   57.483581]  ? lockdep_hardirqs_on+0x9e/0x180
[   57.483584]  ? _raw_spin_unlock_irq+0x24/0x30
[   57.483588]  __handle_irq_event_percpu+0x3a/0x260
[   57.483592]  handle_irq_event_percpu+0x1c/0x60
[   57.483595]  handle_irq_event+0x2f/0x4c
[   57.483599]  handle_edge_irq+0x7e/0x1a0
[   57.483603]  handle_irq+0x17/0x20
[   57.483607]  do_IRQ+0x54/0x110
[   57.483610]  common_interrupt+0xf/0xf
[   57.483612]  </IRQ>

Acked-by: Jakub Kicinski <kubakici@wp.pl>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agomt7601u: do not schedule rx_tasklet when the device has been disconnected
Lorenzo Bianconi [Fri, 7 Jun 2019 11:48:09 +0000 (13:48 +0200)]
mt7601u: do not schedule rx_tasklet when the device has been disconnected

Do not schedule rx_tasklet when the usb dongle is disconnected.
Moreover do not grub rx_lock in mt7601u_kill_rx since usb_poison_urb
can run concurrently with urb completion and we can unlink urbs from rx
ring in any order.
This patch fixes the common kernel warning reported when
the device is removed.

[   24.921354] usb 3-14: USB disconnect, device number 7
[   24.921593] ------------[ cut here ]------------
[   24.921594] RX urb mismatch
[   24.921675] WARNING: CPU: 4 PID: 163 at drivers/net/wireless/mediatek/mt7601u/dma.c:200 mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
[   24.921769] CPU: 4 PID: 163 Comm: kworker/4:2 Tainted: G           OE     4.19.31-041931-generic #201903231635
[   24.921770] Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./Z97 Extreme4, BIOS P1.30 05/23/2014
[   24.921782] Workqueue: usb_hub_wq hub_event
[   24.921797] RIP: 0010:mt7601u_complete_rx+0xcb/0xd0 [mt7601u]
[   24.921800] RSP: 0018:ffff9bd9cfd03d08 EFLAGS: 00010086
[   24.921802] RAX: 0000000000000000 RBX: ffff9bd9bf043540 RCX: 0000000000000006
[   24.921803] RDX: 0000000000000007 RSI: 0000000000000096 RDI: ffff9bd9cfd16420
[   24.921804] RBP: ffff9bd9cfd03d28 R08: 0000000000000002 R09: 00000000000003a8
[   24.921805] R10: 0000002f485fca34 R11: 0000000000000000 R12: ffff9bd9bf043c1c
[   24.921806] R13: ffff9bd9c62fa3c0 R14: 0000000000000082 R15: 0000000000000000
[   24.921807] FS:  0000000000000000(0000) GS:ffff9bd9cfd00000(0000) knlGS:0000000000000000
[   24.921808] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   24.921808] CR2: 00007fb2648b0000 CR3: 0000000142c0a004 CR4: 00000000001606e0
[   24.921809] Call Trace:
[   24.921812]  <IRQ>
[   24.921819]  __usb_hcd_giveback_urb+0x8b/0x140
[   24.921821]  usb_hcd_giveback_urb+0xca/0xe0
[   24.921828]  xhci_giveback_urb_in_irq.isra.42+0x82/0xf0
[   24.921834]  handle_cmd_completion+0xe02/0x10d0
[   24.921837]  xhci_irq+0x274/0x4a0
[   24.921838]  xhci_msi_irq+0x11/0x20
[   24.921851]  __handle_irq_event_percpu+0x44/0x190
[   24.921856]  handle_irq_event_percpu+0x32/0x80
[   24.921861]  handle_irq_event+0x3b/0x5a
[   24.921867]  handle_edge_irq+0x80/0x190
[   24.921874]  handle_irq+0x20/0x30
[   24.921889]  do_IRQ+0x4e/0xe0
[   24.921891]  common_interrupt+0xf/0xf
[   24.921892]  </IRQ>
[   24.921900] RIP: 0010:usb_hcd_flush_endpoint+0x78/0x180
[   24.921354] usb 3-14: USB disconnect, device number 7

Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: remove redundant assignment to variable k
Colin Ian King [Fri, 31 May 2019 14:14:12 +0000 (15:14 +0100)]
rtlwifi: remove redundant assignment to variable k

The assignment of 0 to variable k is never read once we break out of
the loop, so the assignment is redundant and can be removed.

Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: remove redundant assignment to variable badworden
Colin Ian King [Thu, 30 May 2019 18:40:44 +0000 (19:40 +0100)]
rtlwifi: remove redundant assignment to variable badworden

The variable badworden is assigned with a value that is never read and
it is re-assigned a new value immediately afterwards.  The assignment is
redundant and can be removed.

Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: rtl8192cu: fix error handle when usb probe failed
Ping-Ke Shih [Wed, 29 May 2019 06:57:30 +0000 (14:57 +0800)]
rtlwifi: rtl8192cu: fix error handle when usb probe failed

rtl_usb_probe() must do error handle rtl_deinit_core() only if
rtl_init_core() is done, otherwise goto error_out2.

| usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
| rtl_usb: reg 0xf0, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
| rtl8192cu: Chip version 0x10
| rtl_usb: reg 0xa, usbctrl_vendorreq TimeOut! status:0xffffffb9 value=0x0
| rtl_usb: Too few input end points found
| INFO: trying to register non-static key.
| the code is fine but needs lockdep annotation.
| turning off the locking correctness validator.
| CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc4-319354-g9a33b36 #3
| Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
| Google 01/01/2011
| Workqueue: usb_hub_wq hub_event
| Call Trace:
|   __dump_stack lib/dump_stack.c:77 [inline]
|   dump_stack+0xe8/0x16e lib/dump_stack.c:113
|   assign_lock_key kernel/locking/lockdep.c:786 [inline]
|   register_lock_class+0x11b8/0x1250 kernel/locking/lockdep.c:1095
|   __lock_acquire+0xfb/0x37c0 kernel/locking/lockdep.c:3582
|   lock_acquire+0x10d/0x2f0 kernel/locking/lockdep.c:4211
|   __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
|   _raw_spin_lock_irqsave+0x44/0x60 kernel/locking/spinlock.c:152
|   rtl_c2hcmd_launcher+0xd1/0x390
| drivers/net/wireless/realtek/rtlwifi/base.c:2344
|   rtl_deinit_core+0x25/0x2d0 drivers/net/wireless/realtek/rtlwifi/base.c:574
|   rtl_usb_probe.cold+0x861/0xa70
| drivers/net/wireless/realtek/rtlwifi/usb.c:1093
|   usb_probe_interface+0x31d/0x820 drivers/usb/core/driver.c:361
|   really_probe+0x2da/0xb10 drivers/base/dd.c:509
|   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
|   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
|   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
|   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
|   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
|   device_add+0xad2/0x16e0 drivers/base/core.c:2106
|   usb_set_configuration+0xdf7/0x1740 drivers/usb/core/message.c:2021
|   generic_probe+0xa2/0xda drivers/usb/core/generic.c:210
|   usb_probe_device+0xc0/0x150 drivers/usb/core/driver.c:266
|   really_probe+0x2da/0xb10 drivers/base/dd.c:509
|   driver_probe_device+0x21d/0x350 drivers/base/dd.c:671
|   __device_attach_driver+0x1d8/0x290 drivers/base/dd.c:778
|   bus_for_each_drv+0x163/0x1e0 drivers/base/bus.c:454
|   __device_attach+0x223/0x3a0 drivers/base/dd.c:844
|   bus_probe_device+0x1f1/0x2a0 drivers/base/bus.c:514
|   device_add+0xad2/0x16e0 drivers/base/core.c:2106
|   usb_new_device.cold+0x537/0xccf drivers/usb/core/hub.c:2534
|   hub_port_connect drivers/usb/core/hub.c:5089 [inline]
|   hub_port_connect_change drivers/usb/core/hub.c:5204 [inline]
|   port_event drivers/usb/core/hub.c:5350 [inline]
|   hub_event+0x138e/0x3b00 drivers/usb/core/hub.c:5432
|   process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
|   worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
|   kthread+0x313/0x420 kernel/kthread.c:253
|   ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Reported-by: syzbot+1fcc5ef45175fc774231@syzkaller.appspotmail.com
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agomwifiex: ignore processing invalid command response
Swati Kushwaha [Fri, 21 Jun 2019 14:14:44 +0000 (19:44 +0530)]
mwifiex: ignore processing invalid command response

Firmware can send invalid command response, the processing of
which can attempt to modify unexpected context and cause issues.
To fix this, driver should check that the command response ID is
same as the one it downloaded, and ignore processing of invalid
response.

Signed-off-by: Swati Kushwaha <swatiuma@marvell.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agomwifiex: update set_mac_address logic
Sharvari Harisangam [Wed, 12 Jun 2019 15:12:11 +0000 (20:42 +0530)]
mwifiex: update set_mac_address logic

In set_mac_address, driver check for interfaces with same bss_type
For first STA entry, this would return 3 interfaces since all priv's have
bss_type as 0 due to kzalloc. Thus mac address gets changed for STA
unexpected. This patch adds check for first STA and avoids mac address
change. This patch also adds mac_address change for p2p based on bss_num
type.

Signed-off-by: Sharvari Harisangam <sharvari@marvell.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agomwifiex: print PCI mmap with %pK
Brian Norris [Tue, 4 Jun 2019 17:31:44 +0000 (10:31 -0700)]
mwifiex: print PCI mmap with %pK

Unadorned '%p' has restrictive policies these days, such that it usually
just prints garbage at early boot (see
Documentation/core-api/printk-formats.rst, "kernel will print
``(ptrval)`` until it gathers enough entropy"). Annotating with %pK
(for "kernel pointer") allows the kptr_restrict sysctl to control
printing policy better.

We might just as well drop this message entirely, but this fix was easy
enough for now.

Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agomwifiex: drop 'set_consistent_dma_mask' log message
Brian Norris [Tue, 4 Jun 2019 17:28:58 +0000 (10:28 -0700)]
mwifiex: drop 'set_consistent_dma_mask' log message

This message is pointless.

While we're at it, include the error code in the error message, which is
not pointless.

Signed-off-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agop54usb: Fix race between disconnect and firmware loading
Alan Stern [Mon, 20 May 2019 14:44:21 +0000 (10:44 -0400)]
p54usb: Fix race between disconnect and firmware loading

The syzbot fuzzer found a bug in the p54 USB wireless driver.  The
issue involves a race between disconnect and the firmware-loader
callback routine, and it has several aspects.

One big problem is that when the firmware can't be loaded, the
callback routine tries to unbind the driver from the USB _device_ (by
calling device_release_driver) instead of from the USB _interface_ to
which it is actually bound (by calling usb_driver_release_interface).

The race involves access to the private data structure.  The driver's
disconnect handler waits for a completion that is signalled by the
firmware-loader callback routine.  As soon as the completion is
signalled, you have to assume that the private data structure may have
been deallocated by the disconnect handler -- even if the firmware was
loaded without errors.  However, the callback routine does access the
private data several times after that point.

Another problem is that, in order to ensure that the USB device
structure hasn't been freed when the callback routine runs, the driver
takes a reference to it.  This isn't good enough any more, because now
that the callback routine calls usb_driver_release_interface, it has
to ensure that the interface structure hasn't been freed.

Finally, the driver takes an unnecessary reference to the USB device
structure in the probe function and drops the reference in the
disconnect handler.  This extra reference doesn't accomplish anything,
because the USB core already guarantees that a device structure won't
be deallocated while a driver is still bound to any of its interfaces.

To fix these problems, this patch makes the following changes:

Call usb_driver_release_interface() rather than
device_release_driver().

Don't signal the completion until after the important
information has been copied out of the private data structure,
and don't refer to the private data at all thereafter.

Lock udev (the interface's parent) before unbinding the driver
instead of locking udev->parent.

During the firmware loading process, take a reference to the
USB interface instead of the USB device.

Don't take an unnecessary reference to the device during probe
(and then don't drop it during disconnect).

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
CC: <stable@vger.kernel.org>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agob43: Avoid possible double calls to b43_one_core_detach()
Jia-Ju Bai [Sat, 4 May 2019 09:10:00 +0000 (17:10 +0800)]
b43: Avoid possible double calls to b43_one_core_detach()

In b43_request_firmware(), when ieee80211_register_hw() fails,
b43_one_core_detach() is called. In b43_bcma_remove() and
b43_ssb_remove(), b43_one_core_detach() is called again. In this case,
null-pointer dereferences and double-free problems can occur when
the driver is removed.

To fix this bug, the call to b43_one_core_detach() in
b43_request_firmware() is deleted.

This bug is found by a runtime fuzzing tool named FIZZER written by us.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agolibertas: fix spelling mistake "Donwloading" -> "Downloading"
Colin Ian King [Tue, 14 May 2019 21:14:06 +0000 (22:14 +0100)]
libertas: fix spelling mistake "Donwloading" -> "Downloading"

There is are two spelling mistakes in lbtf_deb_usb2 messages, fix these.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: btcoex: remove unused function exhalbtc_stack_operation_notify
YueHaibing [Sat, 25 May 2019 14:48:44 +0000 (22:48 +0800)]
rtlwifi: btcoex: remove unused function exhalbtc_stack_operation_notify

There is no callers in tree, so can be removed.

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: btcoex: Remove set but not used variable 'len' and 'asso_type_v2'
YueHaibing [Sat, 25 May 2019 14:46:34 +0000 (22:46 +0800)]
rtlwifi: btcoex: Remove set but not used variable 'len' and 'asso_type_v2'

Fixes gcc '-Wunused-but-set-variable' warning:

drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c: In function rtl_btc_btmpinfo_notify:
drivers/net/wireless/realtek/rtlwifi/btcoexist/rtl_btc.c:319:17: warning: variable len set but not used [-Wunused-but-set-variable]
drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c: In function exhalbtc_connect_notify:
drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c:1581:16: warning: variable asso_type_v2 set but not used [-Wunused-but-set-variable]

'len' is never used since commit 624ad5a97cfe ("rtlwifi:
Add BT_MP_INFO to c2h handler.") so can be removed.

'asso_type_v2' is not used since introduction in
commit 0561ca5dd7d5 ("rtlwifi: btcoex: add assoc
type v2 to connection notify")

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: rtl8821ae: Remove set but not used variables 'cur_txokcnt' and 'b_last_is_cu...
YueHaibing [Sat, 25 May 2019 14:43:32 +0000 (22:43 +0800)]
rtlwifi: rtl8821ae: Remove set but not used variables 'cur_txokcnt' and 'b_last_is_cur_rdl_state'

Fixes gcc '-Wunused-but-set-variable' warning:

drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c: In function rtl8821ae_dm_check_rssi_monitor:
drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c:658:6: warning: variable cur_txokcnt set but not used [-Wunused-but-set-variable]
drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c: In function rtl8821ae_dm_check_edca_turbo:
drivers/net/wireless/realtek/rtlwifi/rtl8821ae/dm.c:2657:7: warning: variable b_last_is_cur_rdl_state set but not used [-Wunused-but-set-variable]

They are never used so can be removed.

Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: rtl8821ae: Convert inline routines to little-endian words
Larry Finger [Mon, 20 May 2019 17:23:59 +0000 (12:23 -0500)]
rtlwifi: rtl8821ae: Convert inline routines to little-endian words

In this step, the read/write routines for the descriptors are converted
to use __le32 quantities, thus a lot of casts can be removed. Callback
routines still use the 8-bit arrays, but these are changed within the
specified routine.

The macro that cleared a descriptor has now been converted into an inline
routine.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: rtl8821ae: Convert macros that set descriptor
Larry Finger [Mon, 20 May 2019 17:23:58 +0000 (12:23 -0500)]
rtlwifi: rtl8821ae: Convert macros that set descriptor

As a first step in the conversion, the macros that set the RX and TX
descriptors are converted to static inline routines, and the names are
changed from upper to lower case. To minimize the changes in a given
step, the input descriptor information is left as as a byte array
(u8 *), even though it should be a little-endian word array (__le32 *).
That will be changed later.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: rtl8821ae: Replace local bit manipulation macros
Larry Finger [Mon, 20 May 2019 17:23:57 +0000 (12:23 -0500)]
rtlwifi: rtl8821ae: Replace local bit manipulation macros

This driver uses a set of local macros to manipulate the RX and TX
descriptors, which are all little-endian quantities. These macros
are replaced by the bitfield macros le32p_replace_bits() and
le32_get_bits(). In several places, the macros operated on an entire
32-bit word. In these cases, a direct read or replacement is used.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: rtl8821ae: Remove unused GET_XXX and SET_XXX descriptor macros
Larry Finger [Mon, 20 May 2019 17:23:56 +0000 (12:23 -0500)]
rtlwifi: rtl8821ae: Remove unused GET_XXX and SET_XXX descriptor macros

As the first step in converting from macros that get/set information
in the RX and TX descriptors, unused macros are being removed.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: 8192de: use le32 to access cckswing tables
Ping-Ke Shih [Fri, 10 May 2019 08:03:33 +0000 (16:03 +0800)]
rtlwifi: 8192de: use le32 to access cckswing tables

The cckswing tables cckswing_table_ch1ch13 and cckswing_table_ch14 are
u8 array in little-endian order. To compare four u8 value with register
u32 value, cast the value to cpu order.

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: 8192de: Fix used uninitialized variables in power tracking
Ping-Ke Shih [Fri, 10 May 2019 08:03:32 +0000 (16:03 +0800)]
rtlwifi: 8192de: Fix used uninitialized variables in power tracking

ofdm_index_old[] is the index of ofdmswing_table[], and used to indicate
initial value of ROFDM0_X{A,B}TXIQIMBALANCE in rtl8192de_phy_reg_2tarray[]
table, and the initial value is corresponding to calibration thermal value
written in efuse, namely rtlefuse->eeprom_thermalmeter. Then, local
variable ofdm_index_old[] save to rtlpriv->dm.ofdm_index[] for operational
use.

If thermal value (temperature) is increasing, output TX power is lower.
So, we calculate the delta between current and calibration thermal value,
then add power to yield expected and the same output TX power.

Thus, ofdm_index[] should be initialized as rtlpriv->dm.ofdm_index[], and
shift to proper index depends on delta of thermal value. Then, new power
value ofdmswing_table[ofdm_index[]] is written to register.

Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: 8192de: make tables to be 'static const'
Ping-Ke Shih [Fri, 10 May 2019 08:03:31 +0000 (16:03 +0800)]
rtlwifi: 8192de: make tables to be 'static const'

This can reduce code size 264 bytes, and make code more readable.

         text    data     bss     dec     hex filename
Before: 13586       0      16   13602    3522 rtl8192de/dm.o
After:  13322       0      16   13338    341a rtl8192de/dm.o

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortlwifi: 8192de: Reduce indentation and fix coding style
Ping-Ke Shih [Fri, 10 May 2019 08:03:30 +0000 (16:03 +0800)]
rtlwifi: 8192de: Reduce indentation and fix coding style

This commit doesn't change logic at all. Since indentation is lower, the
wrapped statements can be put in single line that will become more
readable.

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agop54: Support boottime in scan results
Christian Lamparter [Fri, 24 May 2019 21:33:08 +0000 (23:33 +0200)]
p54: Support boottime in scan results

This patch fixes an issue with wpa_supplicant dropping all scan
results because their where considered to be "too old" (e.g.:
"skip - scan result not recent enough (121056.086325 seconds too old)")
which is very weird because this looks like that the scan results have
been received before a scan started. This is due to the inaccuracy of
the default timing mechanism for calculating the BSS entry age.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agop54: fix crash during initialization
Christian Lamparter [Sat, 18 May 2019 20:05:48 +0000 (22:05 +0200)]
p54: fix crash during initialization

This patch fixes a crash that got introduced when the
mentioned patch replaced  the direct list_head access
with skb_peek_tail(). When the device is starting up,
there are  no entries in  the queue, so previously to
"Use skb_peek_tail() instead..." the target_skb would
end up as the  tail and head pointer which then could
be used by __skb_queue_after to fill the empty queue.

With skb_peek_tail() in its place will instead just
return NULL which then causes a crash in the
__skb_queue_after().

| BUG: unable to handle kernel NULL pointer dereference at 000000
| #PF error: [normal kernel read fault]
| PGD 0 P4D 0
| Oops: 0000 [#1] SMP PTI
| CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: GO   5.1.0-rc7-wt+ #218
| Hardware name: MSI MS-7816/Z87-G43 (MS-7816), BIOS V1.11 05/09/2015
| Workqueue: events request_firmware_work_func
| RIP: 0010:p54_tx_pending+0x10f/0x1b0 [p54common]
| Code: 78 06 80 78 28 00 74 6d <48> 8b 07 49 89 7c 24 08 49 89 04 24 4
| RSP: 0018:ffffa81c81927d90 EFLAGS: 00010086
| RAX: ffff9bbaaf131048 RBX: 0000000000020670 RCX: 0000000000020264
| RDX: ffff9bbaa976d660 RSI: 0000000000000202 RDI: 0000000000000000
| RBP: ffff9bbaa976d620 R08: 00000000000006c0 R09: ffff9bbaa976d660
| R10: 0000000000000000 R11: ffffe8480dbc5900 R12: ffff9bbb45e87700
| R13: ffff9bbaa976d648 R14: ffff9bbaa976d674 R15: ffff9bbaaf131048
| FS:  0000000000000000(0000) GS:ffff9bbb5ec00000(0000) knlGS:00000
| CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
| CR2: 0000000000000000 CR3: 00000003695fc003 CR4: 00000000001606f0
| Call Trace:
|  p54_download_eeprom+0xbe/0x120 [p54common]
|  p54_read_eeprom+0x7f/0xc0 [p54common]
|  p54u_load_firmware_cb+0xe0/0x160 [p54usb]
|  request_firmware_work_func+0x42/0x80
|  process_one_work+0x1f5/0x3f0
|  worker_thread+0x28/0x3c0

Cc: stable@vger.kernel.org
Fixes: 33c0f3b47c7d ("p54: Use skb_peek_tail() instead of direct head pointer accesses.")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agobrcmfmac: use strlcpy() instead of strcpy()
Neo Jou [Tue, 21 May 2019 09:12:20 +0000 (17:12 +0800)]
brcmfmac: use strlcpy() instead of strcpy()

The function strcpy() is inherently not safe. Though the function
works without problems here, it would be better to use other safer
function, e.g. strlcpy(), to replace strcpy() still.

Signed-off-by: Neo Jou <neojou@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agobrcmfmac: fix typos in code comments
Weitao Hou [Mon, 20 May 2019 12:28:25 +0000 (20:28 +0800)]
brcmfmac: fix typos in code comments

fix lengh to length

Signed-off-by: Weitao Hou <houweitaoo@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agobrcm80211: select WANT_DEV_COREDUMP conditionally for brcmfmac
Arend van Spriel [Thu, 16 May 2019 12:04:11 +0000 (14:04 +0200)]
brcm80211: select WANT_DEV_COREDUMP conditionally for brcmfmac

CONFIG_BRCMDBG selects WANT_DEV_COREDUMP but is only used by
brcmfmac so reflect that in the Kconfig.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agobrcmfmac: use separate Kconfig file for brcmfmac
Arend van Spriel [Thu, 16 May 2019 12:04:10 +0000 (14:04 +0200)]
brcmfmac: use separate Kconfig file for brcmfmac

The number of Kconfig items related to brcmfmac is considerable and
upcoming changes will add some more so it seems good idea to have
a separate Kconfig file for brcmfmac.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agobrcmfmac: switch source files to using SPDX license identifier
Arend van Spriel [Thu, 16 May 2019 12:04:09 +0000 (14:04 +0200)]
brcmfmac: switch source files to using SPDX license identifier

With ISC license text in place under the LICENSES folder switch
to using the SPDX license identifier to refer to the ISC license.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agobrcmsmac: switch phy source files to using SPDX license identifier
Arend van Spriel [Thu, 16 May 2019 12:04:08 +0000 (14:04 +0200)]
brcmsmac: switch phy source files to using SPDX license identifier

With ISC license text in place under the LICENSES folder switch
to using the SPDX license identifier to refer to the ISC license.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agobrcmutil: switch source files to using SPDX license identifier
Arend van Spriel [Thu, 16 May 2019 12:04:06 +0000 (14:04 +0200)]
brcmutil: switch source files to using SPDX license identifier

With ISC license text in place under the LICENSES folder switch
to using the SPDX license identifier to refer to the ISC license.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agobrcm80211: switch common header files to using SPDX license identifier
Arend van Spriel [Thu, 16 May 2019 12:04:05 +0000 (14:04 +0200)]
brcm80211: switch common header files to using SPDX license identifier

With ISC license text in place under the LICENSES folder switch
to using the SPDX license identifier to refer to the ISC license.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: more descriptions about LPS
Yan-Hsuan Chuang [Fri, 3 May 2019 11:53:35 +0000 (19:53 +0800)]
rtw88: more descriptions about LPS

The LPS represents Leisure Power Save. When enabled, firmware will be in
charge of turning radio off between beacons. Also firmware should turn
on the radio when beacon is coming, and the data queued should be
transmitted in TBTT period.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: pci: check if queue mapping exceeds size of ac_to_hwq
Yan-Hsuan Chuang [Fri, 3 May 2019 11:53:33 +0000 (19:53 +0800)]
rtw88: pci: check if queue mapping exceeds size of ac_to_hwq

Dump warning messages when we get a q_mapping larger than the AC
numbers. And pick BE queue as default.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agortw88: pci: use ieee80211_ac_numbers instead of 0-3
Yan-Hsuan Chuang [Fri, 3 May 2019 11:53:32 +0000 (19:53 +0800)]
rtw88: pci: use ieee80211_ac_numbers instead of 0-3

AC numbers are defined as enum in mac80211, use them instead of bare
0-3 indexing.

Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
5 years agoMerge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Kalle Valo [Mon, 27 May 2019 12:15:29 +0000 (15:15 +0300)]
Merge ath-next from git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git

ath.git patches for 5.3. Major changes:

ath10k

* enable SDIO support, first one being QCA6174 hw3.2

5 years agocxgb4: Make t4_get_tp_e2c_map static
YueHaibing [Sat, 25 May 2019 12:45:10 +0000 (20:45 +0800)]
cxgb4: Make t4_get_tp_e2c_map static

Fix sparse warning:

drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:6216:14:
 warning: symbol 't4_get_tp_e2c_map' was not declared. Should it be static?

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agoselftest: Fixes for icmp_redirect test
David Ahern [Fri, 24 May 2019 23:37:07 +0000 (16:37 -0700)]
selftest: Fixes for icmp_redirect test

I was really surprised that the IPv6 mtu exception followed by redirect
test was passing as nothing about the code suggests it should. The problem
is actually with the logic in the test script.

Fix the test cases as follows:
1. add debug function to dump the initial and redirect gateway addresses
   for ipv6. This is shown only in verbose mode. It helps verify the
   output of 'route get'.

2. fix the check_exception logic for the reset case to make sure that
   for IPv4 neither mtu nor redirect appears in the 'route get' output.
   For IPv6, make sure mtu is not present and the gateway is the initial
   R1 lladdr.

3. fix the reset logic by using a function to delete the routes added by
   initial_route_*. This format works better for the nexthop version of
   the tests.

While improving the test cases, go ahead and ensure that forwarding is
disabled since IPv6 redirect requires it.

Also, runs with kernel debugging enabled sometimes show a failure with
one of the ipv4 tests, so spread the pings over longer time interval.

The end result is that 2 tests now show failures:

TEST: IPv6: mtu exception plus redirect                    [FAIL]

and the VRF version.

This is a bug in the IPv6 logic that will need to be fixed
separately. Redirect followed by MTU works because __ip6_rt_update_pmtu
hits the 'if (!rt6_cache_allowed_for_pmtu(rt6))' path and updates the
mtu on the exception rt6_info.

MTU followed by redirect does not have this logic. rt6_do_redirect
creates a new exception and then rt6_insert_exception removes the old
one which has the MTU exception.

Fixes: 6985dbf5fdb9 ("selftests: Add redirect tests")
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agoipv4: remove redundant assignment to n
Colin Ian King [Fri, 24 May 2019 21:56:58 +0000 (22:56 +0100)]
ipv4: remove redundant assignment to n

The pointer n is being assigned a value however this value is
never read in the code block and the end of the code block
continues to the next loop iteration. Clean up the code by
removing the redundant assignment.

Fixes: 89b5a161243e4 ("ipv4: Add function to send route updates")
Addresses-Coverity: ("Unused value")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agonet: phy: bcm87xx: improve bcm87xx_config_init and feature detection
Heiner Kallweit [Fri, 24 May 2019 20:24:19 +0000 (22:24 +0200)]
net: phy: bcm87xx: improve bcm87xx_config_init and feature detection

PHY drivers don't have to and shouldn't fiddle with phylib internals.
Most of the code in bcm87xx_config_init() can be removed because
phylib takes care.

In addition I replaced usage of PHY_10GBIT_FEC_FEATURES with an
implementation of the get_features callback. PHY_10GBIT_FEC_FEATURES
is used by this driver only and it's questionable whether there
will be any other PHY supporting this mode only. Having said that
in one of the next kernel versions we may decide to remove it.

Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agoMerge branch 'inet-frags-avoid-possible-races-at-netns-dismantle'
David S. Miller [Sun, 26 May 2019 21:08:05 +0000 (14:08 -0700)]
Merge branch 'inet-frags-avoid-possible-races-at-netns-dismantle'

Eric Dumazet says:

====================
inet: frags: avoid possible races at netns dismantle

This patch series fixes a race happening on netns dismantle with
frag queues. While rhashtable_free_and_destroy() is running,
concurrent timers might run inet_frag_kill() and attempt
rhashtable_remove_fast() calls. This is not allowed by
rhashtable logic.

Since I do not want to add expensive synchronize_rcu() calls
in the netns dismantle path, I had to no longer inline
netns_frags structures, but dynamically allocate them.

The ten first patches make this preparation, so that
the last patch clearly shows the fix.

As this patch series is not exactly trivial, I chose to
target 5.3. We will backport it once soaked a bit.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agoinet: frags: rework rhashtable dismantle
Eric Dumazet [Fri, 24 May 2019 16:03:40 +0000 (09:03 -0700)]
inet: frags: rework rhashtable dismantle

syszbot found an interesting use-after-free [1] happening
while IPv4 fragment rhashtable was destroyed at netns dismantle.

While no insertions can possibly happen at the time a dismantling
netns is destroying this rhashtable, timers can still fire and
attempt to remove elements from this rhashtable.

This is forbidden, since rhashtable_free_and_destroy() has
no synchronization against concurrent inserts and deletes.

Add a new fqdir->dead flag so that timers do not attempt
a rhashtable_remove_fast() operation.

We also have to respect an RCU grace period before starting
the rhashtable_free_and_destroy() from process context,
thus we use rcu_work infrastructure.

This is a refinement of a prior rough attempt to fix this bug :
https://marc.info/?l=linux-netdev&m=153845936820900&w=2

Since the rhashtable cleanup is now deferred to a work queue,
netns dismantles should be slightly faster.

[1]
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:194 [inline]
BUG: KASAN: use-after-free in rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212
Read of size 8 at addr ffff8880a6497b70 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.2.0-rc1+ #2
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events rht_deferred_worker
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
 __read_once_size include/linux/compiler.h:194 [inline]
 rhashtable_last_table+0x162/0x180 lib/rhashtable.c:212
 rht_deferred_worker+0x111/0x2030 lib/rhashtable.c:411
 process_one_work+0x989/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x354/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

Allocated by task 32687:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_kmalloc mm/kasan/common.c:489 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
 __do_kmalloc_node mm/slab.c:3620 [inline]
 __kmalloc_node+0x4e/0x70 mm/slab.c:3627
 kmalloc_node include/linux/slab.h:590 [inline]
 kvmalloc_node+0x68/0x100 mm/util.c:431
 kvmalloc include/linux/mm.h:637 [inline]
 kvzalloc include/linux/mm.h:645 [inline]
 bucket_table_alloc+0x90/0x480 lib/rhashtable.c:178
 rhashtable_init+0x3f4/0x7b0 lib/rhashtable.c:1057
 inet_frags_init_net include/net/inet_frag.h:109 [inline]
 ipv4_frags_init_net+0x182/0x410 net/ipv4/ip_fragment.c:683
 ops_init+0xb3/0x410 net/core/net_namespace.c:130
 setup_net+0x2d3/0x740 net/core/net_namespace.c:316
 copy_net_ns+0x1df/0x340 net/core/net_namespace.c:439
 create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
 unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
 ksys_unshare+0x440/0x980 kernel/fork.c:2692
 __do_sys_unshare kernel/fork.c:2760 [inline]
 __se_sys_unshare kernel/fork.c:2758 [inline]
 __x64_sys_unshare+0x31/0x40 kernel/fork.c:2758
 do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 7:
 save_stack+0x23/0x90 mm/kasan/common.c:71
 set_track mm/kasan/common.c:79 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
 __cache_free mm/slab.c:3432 [inline]
 kfree+0xcf/0x220 mm/slab.c:3755
 kvfree+0x61/0x70 mm/util.c:460
 bucket_table_free+0x69/0x150 lib/rhashtable.c:108
 rhashtable_free_and_destroy+0x165/0x8b0 lib/rhashtable.c:1155
 inet_frags_exit_net+0x3d/0x50 net/ipv4/inet_fragment.c:152
 ipv4_frags_exit_net+0x73/0x90 net/ipv4/ip_fragment.c:695
 ops_exit_list.isra.0+0xaa/0x150 net/core/net_namespace.c:154
 cleanup_net+0x3fb/0x960 net/core/net_namespace.c:553
 process_one_work+0x989/0x1790 kernel/workqueue.c:2269
 worker_thread+0x98/0xe40 kernel/workqueue.c:2415
 kthread+0x354/0x420 kernel/kthread.c:255
 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880a6497b40
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 48 bytes inside of
 1024-byte region [ffff8880a6497b40ffff8880a6497f40)
The buggy address belongs to the page:
page:ffffea0002992580 refcount:1 mapcount:0 mapping:ffff8880aa400ac0 index:0xffff8880a64964c0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002916e88 ffffea000218fe08 ffff8880aa400ac0
raw: ffff8880a64964c0 ffff8880a6496040 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a6497a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a6497a80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8880a6497b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                             ^
 ffff8880a6497b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a6497c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 19be61be198e ("inet: frags: use rhashtables for reassembly units")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agonet: dynamically allocate fqdir structures
Eric Dumazet [Fri, 24 May 2019 16:03:39 +0000 (09:03 -0700)]
net: dynamically allocate fqdir structures

Following patch will add rcu grace period before fqdir
rhashtable destruction, so we need to dynamically allocate
fqdir structures to not force expensive synchronize_rcu() calls
in netns dismantle path.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agonet: add a net pointer to struct fqdir
Eric Dumazet [Fri, 24 May 2019 16:03:38 +0000 (09:03 -0700)]
net: add a net pointer to struct fqdir

fqdir will soon be dynamically allocated.

We need to reach the struct net pointer from fqdir,
so add it, and replace the various container_of() constructs
by direct access to the new field.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agonet: rename inet_frags_init_net() to fdir_init()
Eric Dumazet [Fri, 24 May 2019 16:03:37 +0000 (09:03 -0700)]
net: rename inet_frags_init_net() to fdir_init()

And pass an extra parameter, since we will soon
dynamically allocate fqdir structures.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agoieee820154: 6lowpan: no longer reference init_net in lowpan_frags_ns_ctl_table
Eric Dumazet [Fri, 24 May 2019 16:03:36 +0000 (09:03 -0700)]
ieee820154: 6lowpan: no longer reference init_net in lowpan_frags_ns_ctl_table

(struct net *)->ieee802154_lowpan.fqdir will soon be a pointer, so make
sure lowpan_frags_ns_ctl_table[] does not reference init_net.

lowpan_frags_ns_sysctl_register() can perform the needed initialization
for all netns.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agonetfilter: ipv6: nf_defrag: no longer reference init_net in nf_ct_frag6_sysctl_table
Eric Dumazet [Fri, 24 May 2019 16:03:35 +0000 (09:03 -0700)]
netfilter: ipv6: nf_defrag: no longer reference init_net in nf_ct_frag6_sysctl_table

(struct net *)->nf_frag.fqdir will soon be a pointer, so make
sure nf_ct_frag6_sysctl_table[] does not reference init_net.

nf_ct_frag6_sysctl_register() can perform the needed initialization
for all netns.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5 years agoipv6: no longer reference init_net in ip6_frags_ns_ctl_table[]
Eric Dumazet [Fri, 24 May 2019 16:03:34 +0000 (09:03 -0700)]
ipv6: no longer reference init_net in ip6_frags_ns_ctl_table[]

(struct net *)->ipv6.fqdir will soon be a pointer, so make
sure ip6_frags_ns_ctl_table[] does not reference init_net.

ip6_frags_ns_ctl_register() can perform the needed initialization
for all netns.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>