| #
aec4cf2e |
|
01-Dec-2022 |
Deren Wu <deren.wu@mediatek.com> |
wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host
SDIO may need addtional 511 bytes to align bus operation. If the tailroom
of this skb is not big enough, we would access invalid memory region.
For low level operation, increase skb size to keep valid memory access in
SDIO host.
Error message:
[69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0
[69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451
[69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1
[69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300]
[69.951] Call Trace:
[69.951] <TASK>
[69.952] dump_stack_lvl+0x49/0x63
[69.952] print_report+0x171/0x4a8
[69.952] kasan_report+0xb4/0x130
[69.952] kasan_check_range+0x149/0x1e0
[69.952] memcpy+0x24/0x70
[69.952] sg_copy_buffer+0xe9/0x1a0
[69.952] sg_copy_to_buffer+0x12/0x20
[69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300]
[69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300]
[69.952] process_one_work+0x7ee/0x1320
[69.952] worker_thread+0x53c/0x1240
[69.952] kthread+0x2b8/0x370
[69.952] ret_from_fork+0x1f/0x30
[69.952] </TASK>
[69.952] Allocated by task 854:
[69.952] kasan_save_stack+0x26/0x50
[69.952] kasan_set_track+0x25/0x30
[69.952] kasan_save_alloc_info+0x1b/0x30
[69.952] __kasan_kmalloc+0x87/0xa0
[69.952] __kmalloc_node_track_caller+0x63/0x150
[69.952] kmalloc_reserve+0x31/0xd0
[69.952] __alloc_skb+0xfc/0x2b0
[69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76]
[69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76]
[69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76]
[69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib]
[69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib]
[69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common]
[69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s]
[69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common]
[69.953] process_one_work+0x7ee/0x1320
[69.953] worker_thread+0x53c/0x1240
[69.953] kthread+0x2b8/0x370
[69.953] ret_from_fork+0x1f/0x30
[69.953] The buggy address belongs to the object at ffff88811c9ce800
which belongs to the cache kmalloc-2k of size 2048
[69.953] The buggy address is located 0 bytes to the right of
2048-byte region [ffff88811c9ce800, ffff88811c9cf000)
[69.953] Memory state around the buggy address:
[69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[69.953] ^
[69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Fixes: 764dee47e2c1 ("mt76: sdio: move common code in mt76_sdio module")
Suggested-by: Lorenzo Bianconi <lorenzo@kernel.org>
Tested-by: YN Chen <YN.Chen@mediatek.com>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
35e37a2b |
|
22-Jul-2022 |
Lorenzo Bianconi <lorenzo@kernel.org> |
wifi: mt76: sdio: add rx_check callback for sdio devices
Introduce rx_check callback support for mt7921s driver.
Tested-by: Sean Wang <sean.wang@mediatek.com>
Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
f1fe8eef |
|
08-Mar-2022 |
Ryder Lee <ryder.lee@mediatek.com> |
mt76: use le32/16_get_bits() whenever possible
Switch to use le32/16_get_bits() to simplfy codes and specify
the size explicitly to avoid potential issues.
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
bf08d585 |
|
14-Jan-2022 |
Sean Wang <sean.wang@mediatek.com> |
mt76: sdio: honor the largest Tx buffer the hardware can support
We don't have to create a separate sdio.xmit_buf buffer for each queue.
Instead, we just need to create one, reuse it across all queues to reduce
memory consumption further.
And then we should take it into account the actual the host and the device
MMC capability to determine what the appropriate xmit_buf_size can be.
Both MT7921S and MT7663 can support up to Tx FIFO size of 0x3fe00 which
means the device can receive 511 blocks of block size 512 in a row from
the host. So if the driver aggregates the frames as many as possible the
the device can support, we can merge multiple MMC requests into a single
one to get rid of the overhead of the handling and synchronizing in those
unnecessary MMC requests and reduce the SDIO lock contention with the
Bluetooth concurrent traffic and finally to have the higher bus
utilization with less idle cycle.
With the patch, it is helpful for WiFi to have steady throughput
performance especially while running Bluetooth concurrently.
Co-developed-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
4090d43a |
|
09-Jan-2022 |
Sean Wang <sean.wang@mediatek.com> |
mt76: sdio: disable interrupt in mt76s_sdio_irq
It is unnecessary to keep the interrupt enabled in mt76s_sdio_irq because
the driver is already aware of the interrupt, schedules the
mt76s_txrx_worker to handle the corresponding actions, and eventually,
the interrupt would be enabled again when mt76s_txrx_worker finishes its
work.
So we can safely disable the interrupt in mt76s_sdio_irq as soon as
possible to increase the CPU productivity by dropping the redundant
interrupt triggers.
Note that sdio lock acquired/released would be handled in sdio_irq_work
at mmc driver so we don't take care in mt76s_sdio_irq at function driver.
Co-developed-by: Leon Yen <leon.yen@mediatek.com>
Signed-off-by: Leon Yen <leon.yen@mediatek.com>
Co-developed-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
491e3731 |
|
21-Dec-2021 |
Sean Wang <sean.wang@mediatek.com> |
mt76: sdio: lock sdio when it is needed
Acquire the SDIO as needed as possible because either MT7663S or MT7921S
is a multiple-function device that always includes Bluetooth that would
share with the same SDIO bus. So not to avoid breaking Bluetooth pairing,
audio, and HID such kind of time critical application on that, we only
lock sdio bus when it is necessary in WiFi driver.
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
5ad4faca |
|
19-Nov-2021 |
Sean Wang <sean.wang@mediatek.com> |
mt76: mt7921s: fix the device cannot sleep deeply in suspend
According to the MT7921S firmware, the cmd MCU_UNI_CMD_HIF_CTRL have to
be last MCU command to execute in suspend handler and all data traffic
have to be stopped before the cmd MCU_UNI_CMD_HIF_CTRL starts as well
in order that mt7921 can successfully fall into the deep sleep mode.
Where we reuse the flag MT76_STATE_SUSPEND and avoid creating
another global flag to stop all of the traffic onto the SDIO bus.
Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support")
Reported-by: Leon Yen <leon.yen@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
ca74b9b9 |
|
18-Oct-2021 |
Sean Wang <sean.wang@mediatek.com> |
mt76: mt7921s: add reset support
Introduce wifi chip reset support for mt7921 device to recover
mcu hangs or abnormal wifi system.
Tested-by: Deren Wu <deren.wu@mediatek.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Co-developed-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
16d98b54 |
|
18-Oct-2021 |
Sean Wang <sean.wang@mediatek.com> |
mt76: mt7921: rely on mcu_get_nic_capability
Rely on mcu_get_nic_capability to obtain Tx quota information
for the SDIO device, get PHY capability, MAC address and then we can
totally drop mt7921/eeprom.c and any unnecessary code.
Noting that mt76_connac_mcu_get_nic_capability should be run before set
flag MT76_STATE_MCU_RUNNING being set to setup the proper parameters
like Tx quota control before the device is started to running.
Tested-by: Deren Wu <deren.wu@mediatek.com>
Acked-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
dacf0acf |
|
18-Oct-2021 |
Sean Wang <sean.wang@mediatek.com> |
mt76: sdio: extend sdio module to support CONNAC2
Extend sdio module to support CONNAC2 hw that mt7921s rely on.
Tested-by: Deren Wu <deren.wu@mediatek.com>
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Co-developed-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
3ad08509 |
|
18-Oct-2021 |
Lorenzo Bianconi <lorenzo@kernel.org> |
mt76: sdio: introduce parse_irq callback
Add parse_irq to handle that interrupt status structure is
different between mt7663s and mt7921s.
This is a preliminary patch to introduce mt7921s driver
Tested-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
| #
764dee47 |
|
18-Oct-2021 |
Lorenzo Bianconi <lorenzo@kernel.org> |
mt76: sdio: move common code in mt76_sdio module
Move sdio common code in mt76_sdio module.
This is a preliminary patch to support mt7921s devices.
Co-developed-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|