#
35a7a1ce |
|
13-Aug-2023 |
Dmitry Antipov <dmantipov@yandex.ru> |
wifi: mwifiex: avoid possible NULL skb pointer dereference In 'mwifiex_handle_uap_rx_forward()', always check the value returned by 'skb_copy()' to avoid potential NULL pointer dereference in 'mwifiex_uap_queue_bridged_pkt()', and drop original skb in case of copying failure. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 838e4f449297 ("mwifiex: improve uAP RX handling") Acked-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230814095041.16416-1-dmantipov@yandex.ru
|
#
2785851c |
|
10-Aug-2023 |
Polaris Pi <pinkperfect2021@gmail.com> |
wifi: mwifiex: Fix missed return in oob checks failed path Add missed return in mwifiex_uap_queue_bridged_pkt() and mwifiex_process_rx_packet(). Fixes: 119585281617 ("wifi: mwifiex: Fix OOB and integer underflow when rx packets") Signed-off-by: Polaris Pi <pinkperfect2021@gmail.com> Reported-by: Dmitry Antipov <dmantipov@yandex.ru> Acked-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230810083911.3725248-1-pinkperfect2021@gmail.com
|
#
35983875 |
|
02-Aug-2023 |
Dmitry Antipov <dmantipov@yandex.ru> |
wifi: mwifiex: drop BUG_ON from TX paths In 'mwifiex_process_sta_txpd()' and 'mwifiex_process_uap_txpd()', replace 'BUG_ON()' with runtime check, and move all these checks to 'mwifiex_process_tx()'. This way, both callees may be converted to 'void', and the caller may be simplified as well. Suggested-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Acked-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230802160726.85545-5-dmantipov@yandex.ru
|
#
9b1cd826 |
|
02-Aug-2023 |
Dmitry Antipov <dmantipov@yandex.ru> |
wifi: mwifiex: cleanup private data structures Drop unused fields 'status_code' of 'struct mwifiex_txinfo', 'dfs_chan_switch_timer', 'sleep_params' (including related data type 'struct mwifiex_sleep_params') of 'struct mwifiex_adapter', adjust related code. Acked-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230802160726.85545-2-dmantipov@yandex.ru
|
#
11958528 |
|
23-Jul-2023 |
Polaris Pi <pinkperfect2021@gmail.com> |
wifi: mwifiex: Fix OOB and integer underflow when rx packets Make sure mwifiex_process_mgmt_packet, mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet, mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet not out-of-bounds access the skb->data buffer. Fixes: 2dbaf751b1de ("mwifiex: report received management frames to cfg80211") Signed-off-by: Polaris Pi <pinkperfect2021@gmail.com> Reviewed-by: Matthew Wang <matthewmwang@chromium.org> Reviewed-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230723070741.1544662-1-pinkperfect2021@gmail.com
|
#
828c91f7 |
|
07-Jun-2022 |
Thomas Gleixner <tglx@linutronix.de> |
treewide: Replace GPLv2 boilerplate/reference with SPDX - gpl-2.0_391.RULE Based on the normalized pattern: this software file (the file ) is distributed by nxp under the terms of the gnu general public license version 2 june 1991 (the license ) you may use redistribute and/or modify this file in accordance with the terms and conditions of the license a copy of which is available by writing to the free software foundation inc 51 franklin street fifth floor boston ma 02110-1301 usa or on the worldwide web at http://www gnu org/licenses/old-licenses/gpl-2 0 txt the file is distributed as-is without warranty of any kind and the implied warranties of merchantability or fitness for a particular purpose are expressly disclaimed the license provides additional details about this warranty disclaimer extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference. Reviewed-by: Allison Randal <allison@lohutok.net> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
#
afb6d39f |
|
05-Mar-2022 |
Sebastian Andrzej Siewior <bigeasy@linutronix.de> |
wireless: Marvell: Use netif_rx(). Since commit baebdf48c3600 ("net: dev: Makes sure netif_rx() can be invoked in any context.") the function netif_rx() can be used in preemptible/thread context as well as in interrupt context. Use netif_rx(). Cc: Amitkumar Karwar <amitkarwar@gmail.com> Cc: Ganapathi Bhat <ganapathi017@gmail.com> Cc: Kalle Valo <kvalo@kernel.org> Cc: Sharvari Harisangam <sharvari.harisangam@nxp.com> Cc: Xinming Hu <huxinming820@gmail.com> Cc: libertas-dev@lists.infradead.org Cc: linux-wireless@vger.kernel.org Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
603a1621 |
|
27-Sep-2021 |
Arnd Bergmann <arnd@arndb.de> |
mwifiex: avoid null-pointer-subtraction warning clang complains about some NULL pointer arithmetic in this driver: drivers/net/wireless/marvell/mwifiex/sta_tx.c:65:59: error: performing pointer subtraction with a null pointer has undefined behavior [-Werror,-Wnull-pointer-subtraction] pad = ((void *)skb->data - (sizeof(*local_tx_pd) + hroom)- ^ drivers/net/wireless/marvell/mwifiex/uap_txrx.c:478:53: error: performing pointer subtraction with a null pointer has undefined behavior [-Werror,-Wnull-pointer-subtraction] pad = ((void *)skb->data - (sizeof(*txpd) + hroom) - NULL) & Rework that expression to do the same thing using a uintptr_t. Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210927121656.940304-1-arnd@kernel.org
|
#
d36981e0 |
|
29-Sep-2020 |
Sebastian Andrzej Siewior <bigeasy@linutronix.de> |
net: mwifiex: Use netif_rx_any_context(). The usage of in_interrupt() in non-core code is phased out. Ideally the information of the calling context should be passed by the callers or the functions be split as appropriate. mwifiex uses in_interupt() to select the netif_rx*() variant which matches the calling context. The attempt to consolidate the code by passing an arguemnt or by distangling it failed due lack of knowledge about this driver and because the call chains are hard to follow. As a stop gap use netif_rx_any_context() which invokes the correct code path depending on context and confines the in_interrupt() usage to core code. Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: David S. Miller <davem@davemloft.net>
|
#
932183aa |
|
12-Feb-2020 |
Ganapathi Bhat <ganapathi.bhat@nxp.com> |
mwifiex: change license text from MARVELL to NXP As of 6-DEC-2019, NXP has acquired Marvell’s Wireless business unit. This change is to update the license text accordingly. Signed-off-by: James Cao <zheng.cao@nxp.com> Signed-off-by: Cathy Luo <xiaohua.luo@nxp.com> Signed-off-by: Ganapathi Bhat <ganapathi.bhat@nxp.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
8a7f9fd8 |
|
25-Jun-2019 |
Brian Norris <briannorris@chromium.org> |
mwifiex: don't disable hardirqs; just softirqs main_proc_lock and int_lock (in mwifiex_adapter) are the only spinlocks used in hardirq contexts. The rest are only in task or softirq contexts. Convert every other lock from *_irq{save,restore}() variants to _bh() variants. This is a mechanical transformation of all spinlock usage in mwifiex using the following: Step 1: I ran this nasty sed script: sed -i -E '/spin_lock_irqsave|spin_unlock_irqrestore/ { /main_proc_lock|int_lock/! { s:(spin_(un|)lock)_irq(save|restore):\1_bh: ; # Join broken lines. :a /;$/! { N; s/\s*\n\s*//; ba } /,.*\);$/ s:,.*\):\): } }' drivers/net/wireless/marvell/mwifiex/* Step 2: Manually delete the flags / ra_list_flags args from: mwifiex_send_single_packet() mwifiex_11n_aggregate_pkt() mwifiex_send_processed_packet() which are now unused. Step 3: Apply this semantic patch (coccinelle) to remove the unused 'flags' variables: // <smpl> @@ type T; identifier i; @@ ( extern T i; | - T i; ... when != i ) // </smpl> (Usage is something like this: make coccicheck COCCI=./patch.cocci MODE=patch M=drivers/net/wireless/marvell/mwifiex/ although this skips *.h files for some reasons, so I had to massage stuff.) Testing: I've played with a variety of stress tests, including download stress tests on the same APs which caught regressions with commit 5188d5453bc9 ("mwifiex: restructure rx_reorder_tbl_lock usage"). I've primarily tested on Marvell 8997 / PCIe, although I've given 8897 / SDIO a quick spin as well. Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
1aa48f08 |
|
30-Nov-2018 |
Brian Norris <briannorris@chromium.org> |
Revert "mwifiex: restructure rx_reorder_tbl_lock usage" This reverts commit 5188d5453bc9380ccd4ae1086138dd485d13aef2, because it introduced lock recursion: BUG: spinlock recursion on CPU#2, kworker/u13:1/395 lock: 0xffffffc0e28a47f0, .magic: dead4ead, .owner: kworker/u13:1/395, .owner_cpu: 2 CPU: 2 PID: 395 Comm: kworker/u13:1 Not tainted 4.20.0-rc4+ #2 Hardware name: Google Kevin (DT) Workqueue: MWIFIEX_RX_WORK_QUEUE mwifiex_rx_work_queue [mwifiex] Call trace: dump_backtrace+0x0/0x140 show_stack+0x20/0x28 dump_stack+0x84/0xa4 spin_bug+0x98/0xa4 do_raw_spin_lock+0x5c/0xdc _raw_spin_lock_irqsave+0x38/0x48 mwifiex_flush_data+0x2c/0xa4 [mwifiex] call_timer_fn+0xcc/0x1c4 run_timer_softirq+0x264/0x4f0 __do_softirq+0x1a8/0x35c do_softirq+0x54/0x64 netif_rx_ni+0xe8/0x120 mwifiex_recv_packet+0xfc/0x10c [mwifiex] mwifiex_process_rx_packet+0x1d4/0x238 [mwifiex] mwifiex_11n_dispatch_pkt+0x190/0x1ac [mwifiex] mwifiex_11n_rx_reorder_pkt+0x28c/0x354 [mwifiex] mwifiex_process_sta_rx_packet+0x204/0x26c [mwifiex] mwifiex_handle_rx_packet+0x15c/0x16c [mwifiex] mwifiex_rx_work_queue+0x104/0x134 [mwifiex] worker_thread+0x4cc/0x72c kthread+0x134/0x13c ret_from_fork+0x10/0x18 This was clearly not tested well at all. I simply performed 'wget' in a loop and it fell over within a few seconds. Fixes: 5188d5453bc9 ("mwifiex: restructure rx_reorder_tbl_lock usage") Cc: <stable@vger.kernel.org> Cc: Ganapathi Bhat <gbhat@marvell.com> Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
5188d545 |
|
27-Jun-2018 |
Ganapathi Bhat <gbhat@marvell.com> |
mwifiex: restructure rx_reorder_tbl_lock usage Driver must ensure that whenever it holds a pointer to the list entry mwifiex_rx_reorder_tbl, it must protect the same with rx_reorder_tbl_lock. At present there are many places where driver does not ensure this. To cover all cases, spinlocks in below funcions are moved out and made sure that the caller will hold the spinlock: mwifiex_11n_dispatch_pkt_until_start_win() mwifiex_11n_scan_and_dispatch() mwifiex_del_rx_reorder_entry() mwifiex_11n_get_rx_reorder_tbl() mwifiex_11n_find_last_seq_num() Signed-off-by: Ganapathi Bhat <gbhat@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
38013eef |
|
01-Jun-2018 |
Xinming Hu <huxm@marvell.com> |
mwifiex: uap: do not chok ethernet header in bridge path Do not chock ethernet header for uap bridge data path, as it is still needed to send skb to dest station. Signed-off-by: Xinming Hu <huxm@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
f4c5d59915 |
|
23-May-2017 |
Xinming Hu <huxm@marvell.com> |
mwifiex: use variable interface header length Usb tx aggregation feature will utilize 4-bytes bus interface header, otherwise it will be set to zero in default case. Signed-off-by: Xinming Hu <huxm@marvell.com> Signed-off-by: Cathy Luo <cluo@marvell.com> Signed-off-by: Ganapathi Bhat <gbhat@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
3fdbda44 |
|
17-May-2016 |
Heinrich Schuchardt <xypron.glpk@gmx.de> |
mwifiex: illegal assignment Variable adapter is incorrectly initialized. Fixes: bf00dc22bc7a ("mwifiex: AMSDU Rx frame handling in AP mode") Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Acked-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
bb28c28e |
|
19-Apr-2016 |
Marty Faltesek <mfaltesek@google.com> |
mwifiex: bridged packets cause wmm_tx_pending counter to go negative When a packet is queued from the bridge, wmm_tx_pending is not incremented, but when the packet is dequeued the counter is decremented. Signed-off-by: Marty Faltesek <mfaltesek@google.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
bf00dc22 |
|
05-Apr-2016 |
Xinming Hu <huxm@marvell.com> |
mwifiex: AMSDU Rx frame handling in AP mode This patch processes sub AMSDU frame received in AP mode. If a packet is multicast/broadcast, it is sent to kernel/upper layer as well as queued back to AP TX queue so that it can be sent to other associated stations. If a packet is unicast and RA is present in associated station list, it is again requeued into AP TX queue. If a packet is unicast and RA is not in associated station list, packet is forwarded to kernel to handle routing logic. Signed-off-by: Xinming Hu <huxm@marvell.com> Signed-off-by: Cathy Luo <cluo@marvell.com> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
ad5ca845 |
|
05-Apr-2016 |
Xinming Hu <huxm@marvell.com> |
mwifiex: schedule main workqueue for transmitting bridge packets Bridge packets are enqueued to wmm tx queue, but will not be sent until main workqeue is scheduled for new interrupt or other reason. This adds unnecessary delay during traffic. We will schedule main workqueue when bridge packet is queued. Signed-off-by: Xinming Hu <huxm@marvell.com> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
bd642acf |
|
14-Dec-2015 |
Amitkumar Karwar <akarwar@marvell.com> |
mwifiex: suppress "Rx of mgmt packet failed" message Block ACK action frames are dropped in driver. This error is expected in this case. Let's lower the priority of this message. Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
#
277b024e |
|
17-Nov-2015 |
Kalle Valo <kvalo@codeaurora.org> |
mwifiex: move under marvell vendor directory Part of reorganising wireless drivers directory and Kconfig. Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|