Kees Cook [Thu, 17 Jun 2021 17:10:58 +0000 (10:10 -0700)]
wcn36xx: Avoid memset() beyond end of struct field
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring array fields.
Instead of writing past the end of the header to reach the rest of
the body, replace the redundant function with existing macro to wipe
struct contents and set field values. Additionally adjusts macro to add
missing parens.
Kees Cook [Wed, 16 Jun 2021 19:54:10 +0000 (12:54 -0700)]
ath11k: Avoid memcpy() over-reading of he_cap
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring array fields.
Since peer_he_cap_{mac,phy}info and he_cap_elem.{mac,phy}_cap_info are not
the same sizes, memcpy() was reading beyond field boundaries. Instead,
correctly cap the copy length and pad out any difference in size
(peer_he_cap_macinfo is 8 bytes whereas mac_cap_info is 6, and
peer_he_cap_phyinfo is 12 bytes whereas phy_cap_info is 11).
Kees Cook [Thu, 17 Jun 2021 17:15:22 +0000 (10:15 -0700)]
mwifiex: Avoid memset() over-write of WEP key_material
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memset(), avoid intentionally writing across
neighboring array fields.
When preparing to call mwifiex_set_keyparamset_wep(), key_material is
treated very differently from its structure layout (which has only a
single struct mwifiex_ie_type_key_param_set). Instead, add a new type to
the union so memset() can correctly reason about the size of the
structure.
Note that the union ("params", 196 bytes) containing key_material was
not large enough to hold the target of this memset(): sizeof(struct
mwifiex_ie_type_key_param_set) == 60, NUM_WEP_KEYS = 4, so 240
bytes, or 44 bytes past the end of "params". The good news is that
it appears that the command buffer, as allocated, is 2048 bytes
(MWIFIEX_SIZE_OF_CMD_BUFFER), so no neighboring memory appears to be
getting clobbered.
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring array fields.
The size argument to memset() is bytes, but the array element size
of curvecount_val is u32, so "CV_CURVE_CNT * 2" was only 1/4th of the
contents of curvecount_val. Adjust memset() to wipe full buffer size.
Kees Cook [Thu, 17 Jun 2021 04:14:31 +0000 (21:14 -0700)]
mwl8k: Avoid memcpy() over-reading of mcs.rx_mask
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally reading across neighboring array fields. Use the
sub-structure address directly.
Kees Cook [Wed, 16 Jun 2021 20:39:51 +0000 (13:39 -0700)]
orinoco: Avoid field-overflowing memcpy()
In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring array fields.
Validate the expected key size and introduce a wrapping structure
to use as the multi-field memcpy() destination so that overflows
can be correctly detected.
wengjianfeng [Thu, 20 May 2021 00:55:45 +0000 (08:55 +0800)]
rtw88: coex: remove unnecessary variable and label
In some functions, the variable ret is just used as the return value, and
the out label just returns ret, so ret and the out label are unnecessary;
we should delete these and use return true/false to replace.
Ping-Ke Shih [Mon, 7 Jun 2021 01:22:54 +0000 (09:22 +0800)]
rtw88: add quirks to disable pci capabilities
8821CE with ASPM cannot work properly on Protempo Ltd L116HTN6SPW. Add a
quirk to disable the cap.
The reporter describes the symptom is that this module (driver) causes
frequent freezes, randomly but usually within a few minutes of running
(thus very soon after boot): screen display remains frozen, no response
to either keyboard or mouse input. All I can do is to hold the power
button to power off, then reboot.
Zong-Zhe Yang [Fri, 28 May 2021 03:29:00 +0000 (11:29 +0800)]
rtw88: dump FW crash via devcoredump
Use device coredump framework instead of print_hex_dump to support
FW crash dump. Pass data to the framework if preparing and dumping
are successful. The framework will take the ownership of the data.
The data will be freed after the framework determines its lifetime
is over. A new coredump will not work if the previous one still
exists.
Chin-Yen Lee [Fri, 14 May 2021 07:55:17 +0000 (15:55 +0800)]
rtw88: notify fw when driver in scan-period to avoid potential problem
It is found that driver scan could be affected by dynamic mechanism
of firmware, so we notify firmware to stop it in the scan period.
Another, firmware will detect the background noise and report to
driver for further use.
Wan Jiabing [Fri, 30 Apr 2021 02:49:50 +0000 (10:49 +0800)]
rtw88: Remove duplicate include of coex.h
In commit fb8517f4fade4 ("rtw88: 8822c: add CFO tracking"),
"coex.h" was added here which caused the duplicate include.
Remove the later duplicate include.
Before this patch, we use value from 2 seconds ago to decide
whether we should do lc calibration.
Although this doesn't happen frequently, fix flow to the way it should be.
Fixes: 7ae7784ec2a8 ("rtw88: 8822c: add LC calibration for RTL8822C")
Signed-off-by: Po-Hao Huang <phhuang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210426013252.5665-3-pkshih@realtek.com
This feature chooses to transmit with antenna that has better signal
strength periodically under 1ss rate.
It can benefit connection quality in the following cases:
1. User is far away from the AP.
2. The far-field pattern of the antenna showed significant signal
strength difference.
Adding this supports beacon filter and CQM.
Let firmware perform connection quality monitor and beacon processing.
This makes the host CPU wake up less under power save mode.
To make mechanisms work as usual, fw will notify driver events such as
signal change and beacon loss.
This feature needs firmware 9.9.8 or newer to support it, and driver is
compatible with older firmware.
Caleb Connolly [Thu, 17 Jun 2021 08:29:40 +0000 (11:29 +0300)]
ath10k: demote chan info without scan request warning
Some devices/firmwares cause this to be printed every 5-15 seconds,
though it has no impact on functionality. Demote this to a debug
message.
I see this on SDM845 and MSM8998 platforms, specifically the OnePlus 6 devices,
PocoPhone F1 and OnePlus 5. On the OnePlus 6 (SDM845) we are stuck with the
following signed vendor fw:
Íñigo Huguet [Tue, 11 May 2021 07:19:27 +0000 (09:19 +0200)]
rtl8xxxu: avoid parsing short RX packet
One USB data buffer can contain multiple received network
packets. If that's the case, they're processed this way:
1. Original buffer is cloned
2. Original buffer is trimmed to contain only the first
network packet
3. This first network packet is passed to network stack
4. Cloned buffer is trimmed to eliminate the first network
packet
5. Repeat with the cloned buffer until there are no more
network packets inside
However, if the space remaining in original buffer after
the first network packet is not enough to contain at least
another network packet descriptor, it is not cloned.
The loop parsing these packets ended if remaining space == 0.
But if the remaining space was > 0 but < packet descriptor
size, another iteration of the loop was done, processing again
the previous packet because cloning didn't happen. Moreover,
the ownership of this packet had been passed to network
stack in the previous iteration.
This patch ensures that no extra iteration is done if the
remaining size is not enough for one packet, and also avoids
the first iteration for the same reason.
Probably this doesn't happen in practice, but can happen
theoretically.
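The loop bound described in the commit message above, as an added example (not the rtl8xxxu driver code). The descriptor size, the length-field layout and all function names are assumptions constructed here, and the example goes one step beyond the message by also rejecting a descriptor whose declared payload runs past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DESC_SIZE 8u /* hypothetical descriptor size, not the driver's */

/* Constructed layout: bytes 0-1 hold the little-endian payload length. */
static size_t desc_payload_len(const uint8_t *desc)
{
    return (size_t)desc[0] | ((size_t)desc[1] << 8);
}

/*
 * Count the packets in an aggregated RX buffer that are safe to hand on.
 * *leftover (optional) receives the trailing bytes that were not parsed.
 */
size_t rx_count_packets(const uint8_t *buf, size_t len, size_t *leftover)
{
    size_t off = 0, count = 0;

    /* Also guards the first iteration: no whole descriptor, no parsing. */
    while (len - off >= DESC_SIZE) {
        size_t payload = desc_payload_len(buf + off);
        if (payload > len - off - DESC_SIZE)
            break; /* declared length runs past the buffer */
        off += DESC_SIZE + payload;
        count++;
    }
    if (leftover)
        *leftover = len - off;
    return count;
}

/* Append one constructed packet at off; returns the new end offset. */
static size_t put_packet(uint8_t *buf, size_t off, uint16_t payload)
{
    memset(buf + off, 0, DESC_SIZE + payload);
    buf[off] = (uint8_t)(payload & 0xff);
    buf[off + 1] = (uint8_t)(payload >> 8);
    return off + DESC_SIZE + payload;
}

/* Constructed sample: two packets (30 bytes) plus `tail` stray bytes. */
size_t sample_count(size_t tail, size_t *leftover)
{
    uint8_t buf[64] = {0};
    size_t len = put_packet(buf, 0, 4);

    len = put_packet(buf, len, 10);
    return rx_count_packets(buf, len + tail, leftover);
}

size_t sample_leftover(size_t tail)
{
    size_t left = 0;
    sample_count(tail, &left);
    return left;
}

int main(void)
{
    printf("packets=%zu leftover=%zu\n", sample_count(5, NULL), sample_leftover(5));
    return 0;
}
```

With a loop condition of "remaining != 0" instead, the 5 stray bytes in the sample would trigger one more iteration on data that cannot hold a descriptor.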
Based on 2001:3319 and 2357:0109 which I used to test the fix and
0bda:818b and 2357:0108 for which I found efuse dumps online.
== 2357:0109 ==
=== Before ===
Vendor: Realtek
Product: \x03802.11n NI
Serial:
=== After ===
Vendor: Realtek
Product: 802.11n NIC
Serial not available.
== 2001:3319 ==
=== Before ===
Vendor: Realtek
Product: Wireless N
Serial: no USB Adap
=== After ===
Vendor: Realtek
Product: Wireless N Nano USB Adapter
Serial not available.
Ryder Lee [Thu, 17 Jun 2021 07:17:49 +0000 (15:17 +0800)]
mt76: fix iv and CCMP header insertion
The iv from RXD is only for TKIP_RSC/CCMP_PN/GCMP_PN, and it needs a
check for CCMP header insertion. Move mt76_cipher_type to mt76.h to
reduce duplicated code.
Signed-off-by: Xing Song <xing.song@mediatek.com>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Thu, 17 Jun 2021 01:39:19 +0000 (09:39 +0800)]
mt76: mt7921: fix the coredump is being truncated
Fix the maximum size of the coredump generated with current mt7921
firmware. Otherwise, a truncated coredump would be reported to userland
via dev_coredumpv.
Also, there is an additional error handling enhanced in the patch to avoid
the possible invalid buffer access when the system failed to create the
buffer to hold the coredump.
Fixes: 0da3c795d07b ("mt76: mt7921: add coredump support")
Co-developed-by: YN Chen <YN.Chen@mediatek.com>
Signed-off-by: YN Chen <YN.Chen@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Mon, 10 May 2021 15:14:53 +0000 (23:14 +0800)]
mt76: mt7921: add deep sleep control to runtime-pm knob
Add the additional deep sleep control to runtime-pm knob to
allow us to control driver switching between the full power
mode and the deep sleep mode the firmware is able to support.
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Mon, 10 May 2021 15:14:52 +0000 (23:14 +0800)]
mt76: mt7921: enable deep sleep at runtime
Enable the deep sleep mode with that firmware is able to trap into
the doze state at runtime to reduce the power consumption further.
The deep sleep mode is not allowed in the STA state transition with
the firmware to have the fast connection experience as we've done in
the full power mode
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Shayne Chen [Tue, 8 Jun 2021 06:55:58 +0000 (14:55 +0800)]
mt76: mt7915: fix rx fcs error count in testmode
FCS error packets are filtered by default and won't be reported to
driver, so that RX fcs error and PER in testmode always show zero.
Fix this issue by reading fcs error count from hw counter.
We didn't fix this issue by disabling fcs error rx filter since it may
let HW suffer some SER errors.
Introduce mt76_connac_mcu_get_nic_capability utility routine to poll
device capabilities returned by mcu fw for CE devices (mt7663/mt7921).
This is a preliminary patch to introduce 6GHz support.
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Lorenzo Bianconi [Wed, 2 Jun 2021 16:00:14 +0000 (18:00 +0200)]
mt76: connac: fix UC entry is being overwritten
Fix UC entry is being overwritten by BC entry
Tested-by: Deren Wu <deren.wu@mediatek.com>
Co-developed-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Ryder Lee [Mon, 17 May 2021 04:45:58 +0000 (12:45 +0800)]
mt76: mt7915: fix MT_EE_CAL_GROUP_SIZE
Fix wrong offset for pre-calibration data.
Fixes: 495184ac91bb ("mt76: mt7915: add support for applying pre-calibration data")
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Deren Wu [Mon, 31 May 2021 17:01:22 +0000 (01:01 +0800)]
mt76: mt7921: enable random mac address during sched_scan
Enable src address randomization during scheduled scanning
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Ryder Lee [Sat, 15 May 2021 04:17:29 +0000 (12:17 +0800)]
mt76: mt7915: use mt7915_mcu_get_mib_info() to get survey data
Firmware functions (SCS, MU ...) also require read-clear phy counters,
hence firmware prepares a global task to read shared fields out to a
shared pool to avoid concurrency. Switch to event format accordingly.
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Felix Fietkau [Tue, 1 Jun 2021 20:26:31 +0000 (22:26 +0200)]
mt76: mt7915: improve error recovery reliability
- Remove no-op code for queue lock/unlock, which is no longer needed
- Set a missing DMA flag
- Wait for full completion of error recovery before restarting tx
- Schedule IRQ tasklet to ensure that IRQ mask gets written
Lorenzo Bianconi [Fri, 28 May 2021 11:02:24 +0000 (13:02 +0200)]
mt76: allow hw driver code to overwrite wiphy interface_modes
Move wiphy interface_modes configuration in mt76_alloc_device and
mt76_alloc_phy in order to be overwritten by hw specific code
since some drivers do not support all operating modes (mt7921
supports sta only in the current codebase)
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Lorenzo Bianconi [Thu, 27 May 2021 11:35:30 +0000 (13:35 +0200)]
mt76: testmode: remove undefined behaviour in mt76_testmode_alloc_skb
Get rid of an undefined behaviour in mt76_testmode_alloc_skb routine
allocating skb frames
Fixes: 2601dda8faa76 ("mt76: testmode: add support to send larger packet")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Lorenzo Bianconi [Thu, 27 May 2021 11:35:28 +0000 (13:35 +0200)]
mt76: testmode: fix memory leak in mt76_testmode_alloc_skb
Free all pending frames in case of failure in mt76_testmode_alloc_skb
routine
Fixes: 2601dda8faa76 ("mt76: testmode: add support to send larger packet")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Shayne Chen [Tue, 25 May 2021 10:34:09 +0000 (18:34 +0800)]
mt76: mt7915: use mt7915_mcu_get_txpower_sku() to get per-rate txpower
Get per-rate txpower with mcu command. This is the preparation of
co-driver for the next chipset, which has different tmac power registers
but can share this same command.
Signed-off-by: Shayne Chen <shayne.chen@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Lorenzo Bianconi [Sun, 23 May 2021 21:08:05 +0000 (23:08 +0200)]
mt76: mt7921: do not schedule hw reset if the device is not running
Do not schedule hw full reset if the device is not fully initialized
(e.g if the channel has not been configured yet). This patch fixes
the kernel crash reported below
YN Chen [Thu, 20 May 2021 03:46:35 +0000 (11:46 +0800)]
mt76: connac: add bss color support for sta mode
Add bss color support for sta mode
Signed-off-by: Jayden.Kuo <jayden.kuo@mediatek.com>
Signed-off-by: YN Chen <yn.chen@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Thu, 20 May 2021 03:46:40 +0000 (11:46 +0800)]
mt76: mt7921: fix OMAC idx usage
OMAC idx has to be the same as BSS idx according to firmware usage.
Fixes: e0f9fdda81bd ("mt76: mt7921: add ieee80211_ops")
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: YN Chen <yn.chen@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Fixes: 1d8efc741df80 ("mt76: mt7921: introduce Runtime PM support")
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Avoid unnecessary consecutive WiFi resets by dropping reset
request when reset work is working.
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Deren Wu [Thu, 20 May 2021 03:46:36 +0000 (11:46 +0800)]
mt76: connac: update BA win size in Rx direction
Update BA size used for data transmission in the Rx direction to improve Rx
throughput.
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: Leon Yen <leon.yen@mediatek.com>
Signed-off-by: YN Chen <yn.chen@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Ryder Lee [Fri, 23 Apr 2021 22:02:05 +0000 (06:02 +0800)]
mt76: mt7915: add thermal cooling device support
Thermal cooling device support is added to control the temperature by
throttling the data transmission for the given duration. Throttling is
done by adjusting Tx period by given percentage of time. The thermal
device allows user to configure duty cycle.
Throttling can be disabled by setting the duty cycle to 0. The cooling
device can be found under /sys/class/thermal/cooling_deviceX/.
Corresponding soft link to this device can be found under phy folder
To set duty cycle as 80%,
echo 80 > /sys/class/ieee80211/phy*/cooling_device/cur_state
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Mon, 10 May 2021 15:14:57 +0000 (23:14 +0800)]
mt76: mt7921: add back connection monitor support
Hw beacon cmd to the mt7921 firmware doesn't only filter out the beacon,
but also performs its own connection monitoring, including periodic
keep-alives to the AP and probing the AP on beacon loss. Will indicate
the host with the event when the firmware detects the connection is lost.
Fixes: 1d8efc741df8 ("mt76: mt7921: introduce Runtime PM support")
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Deren Wu <deren.wu@mediatek.com>
Signed-off-by: YN Chen <yn.chen@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Mon, 10 May 2021 15:14:55 +0000 (23:14 +0800)]
mt76: mt7921: consider the invalid value for to_rssi
It is possible the RCPI from a certain antenna is an invalid value,
especially when packets are being received while the system is frequently
entering deep sleep mode, so consider calculating RSSI with the reasonable
upper bound to avoid reporting the wrong value to the mac80211 layer.
Fixes: 163f4d22c118 ("mt76: mt7921: add MAC support")
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
YN Chen [Mon, 10 May 2021 15:14:54 +0000 (23:14 +0800)]
mt76: connac: fix WoW with disconnetion and bitmap pattern
Update MCU command usage to fix WoW configuration with disconnection
and bitmap pattern and to avoid magic number.
Fixes: ffa1bf97425b ("mt76: mt7921: introduce PM support")
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: YN Chen <yn.chen@mediatek.com>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Thu, 20 May 2021 03:46:37 +0000 (11:46 +0800)]
mt76: mt7921: fix reset under the deep sleep is enabled
To fix possibly the race to access register between the WiFi reset
and the other context that is caused by explicitly cancelling ps_work
and wake_work to break PM_STATE consistency.
Deep sleep would cause the hardware into the inactive state,
so we forcibly put device drv_own state before we start to reset.
The patch also ignores the reset request when the procedure is in
progress to avoid the consecutive WiFi resets.
Co-developed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Mon, 10 May 2021 15:14:51 +0000 (23:14 +0800)]
mt76: connac: fw_own rely on all packet memory all being free
If the device is MMIO-based, we must ensure all TxD/TxP on the host
memory all being consumed by the device prior to safely switching to
fw_own state.
Fixes: ec7bd7b4a9c0 ("mt76: connac: check wake refcount in mcu_fw_pmctrl")
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Mon, 10 May 2021 15:14:50 +0000 (23:14 +0800)]
mt76: mt7921: Don't alter Rx path classifier
Keep Rx path classifier the mt7921 firmware prefers to allow frames pass
through MCU.
Fixes: 5c14a5f944b9 ("mt76: mt7921: introduce mt7921e support")
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sean Wang [Mon, 10 May 2021 15:14:49 +0000 (23:14 +0800)]
mt76: mt7921: fix mt7921_wfsys_reset sequence
WiFi subsystem reset should control MT_WFSYS_SW_RST_B and then poll the
same register until the WFSYS_SW_INIT_DONE bit is set.
Fixes: 0c1ce9884607 ("mt76: mt7921: add wifi reset support")
Reviewed-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>