Talos™ II Linux sources for OpenBMC https://git.raptorcs.com/git/talos-obmc-linux/atom?h=dev-4.13 2017-10-27T08:39:14+00:00 2017-10-27T08:39:14+00:00 Larry Finger Larry.Finger@lwfinger.net 2017-09-20T21:15:05+00:00 urn:sha1:510e27f884d1912682231f443b0e110e5d1ab1a9 commit b8b8b16352cd90c6083033fd4487f04fae935c18 upstream. In commit 40b368af4b75 ("rtlwifi: Fix alignment issues"), the read of REG_DBI_READ was changed from 16 to 8 bits. For unknown reasonsi this change results in reduced stability for the wireless connection. This regression was located using bisection. Fixes: 40b368af4b75 ("rtlwifi: Fix alignment issues") Reported-and-tested-by: James Cameron <quozl@laptop.org> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-27T08:39:14+00:00 Arnd Bergmann arnd@arndb.de 2017-09-22T21:29:12+00:00 urn:sha1:d26c0a8723f859c0a87ad989fb977f798fddc50f commit c503dd38f850be28867ef7a42d9abe5ade81a9bd upstream. With KASAN and a couple of other patches applied, this driver is one of the few remaining ones that actually use more than 2048 bytes of kernel stack: broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy_gainctrl': broadcom/brcm80211/brcmsmac/phy/phy_n.c:16065:1: warning: the frame size of 3264 bytes is larger than 2048 bytes [-Wframe-larger-than=] broadcom/brcm80211/brcmsmac/phy/phy_n.c: In function 'wlc_phy_workarounds_nphy': broadcom/brcm80211/brcmsmac/phy/phy_n.c:17138:1: warning: the frame size of 2864 bytes is larger than 2048 bytes [-Wframe-larger-than=] Here, I'm reducing the stack size by marking as many local variables as 'static const' as I can without changing the actual code. This is the first of three patches to improve the stack usage in this driver. It would be good to have this backported to stabl kernels to get all drivers in 'allmodconfig' below the 2048 byte limit so we can turn on the frame warning again globally, but I realize that the patch is larger than the normal limit for stable backports. The other two patches do not need to be backported. Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-27T08:39:13+00:00 Kevin Cernekee cernekee@chromium.org 2017-09-17T04:08:24+00:00 urn:sha1:afc62a9460f24eab1c91752b3fb08ffbe16ffcb0 commit dd2349121bb1b8ff688c3ca6a2a0bea9d8c142ca upstream. The length of the data in the received skb is currently passed into brcmf_fweh_process_event() as packet_len, but this value is not checked. event_packet should be followed by DATALEN bytes of additional event data. Ensure that the received packet actually contains at least DATALEN bytes of additional data, to avoid copying uninitialized memory into event->data. Suggested-by: Mattias Nissler <mnissler@chromium.org> Signed-off-by: Kevin Cernekee <cernekee@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-12T09:56:18+00:00 Arend Van Spriel arend.vanspriel@broadcom.com 2017-09-12T08:47:54+00:00 urn:sha1:01b1674227333b22b9d5dc9e96508401c0a1aa93 commit 35f62727df0ed8e5e4857e162d94fd46d861f1cf upstream. The driver was not properly configuring firmware with regard to the type of scan. It always performed an active scan even when user-space was requesting for passive scan, ie. the scan request was done without any SSIDs specified. Reported-by: Huang, Jiangyang <Jiangyang.Huang@itron.com> Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-12T09:56:18+00:00 Arend Van Spriel arend.vanspriel@broadcom.com 2017-09-12T08:47:53+00:00 urn:sha1:1b9fff6661fe217d56c6257515c0effbe41d9ab7 commit 17df6453d4be17910456e99c5a85025aa1b7a246 upstream. Upon handling the firmware notification for scans the length was checked properly and may result in corrupting kernel heap memory due to buffer overruns. This fix addresses CVE-2017-0786. Cc: Kevin Cernekee <cernekee@chromium.org> Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com> Reviewed-by: Franky Lin <franky.lin@broadcom.com> Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-12T09:56:18+00:00 Luca Coelho luciano.coelho@intel.com 2017-09-01T14:59:15+00:00 urn:sha1:2aca0b55d304a82d9742c7de12c1f12fba77f7b3 commit 97bce57bd7f96e1218751996f549a6e61f18cc8c upstream. The MCAST_FILTER_CMD can get quite large when we have many mcast addresses to set (we support up to 255). So the command should be send as NOCOPY to prevent a warning caused by too-long commands: WARNING: CPU: 0 PID: 9700 at /root/iwlwifi/stack-dev/drivers/net/wireless/intel/iwlwifi/pcie/tx.c:1550 iwl_pcie_enqueue_hcmd+0x8c7/0xb40 [iwlwifi] Command MCAST_FILTER_CMD (0x1d0) is too large (328 bytes) This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=196743 Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-10-05T07:47:25+00:00 Beni Lev beni.lev@intel.com 2017-07-25T08:25:25+00:00 urn:sha1:1181978d7a56ccad9c9cad8f92daace6ec8183fa commit 9de981f507474f326e42117858dc9a9321331ae5 upstream. In struct ieee80211_tx_info, control.vif pointer and rate_driver_data[0] falls on the same place, depending on the union usage. During the whole TX process, the union is referred to as a control struct, which holds the vif that is later used in the tx flow, especially in order to derive the used tx power. Referring direcly to rate_driver_data[0] and assigning a value to it, overwrites the vif pointer, hence making all later references irrelevant. Moreover, rate_driver_data[0] isn't used later in the flow in order to retrieve the channel that it is pointing to. Signed-off-by: Beni Lev <beni.lev@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-09-27T12:43:21+00:00 Luca Coelho luciano.coelho@intel.com 2017-08-15T17:48:41+00:00 urn:sha1:858cac284533652b55184579adaf07256057dc3d commit 01a9c948a09348950515bf2abb6113ed83e696d8 upstream. The OTP in some SKUs have erroneously allowed 40MHz and 80MHz channels in the 5.2GHz band. The firmware has been modified to not allow this in those SKUs, so the driver needs to do the same otherwise the firmware will assert when we try to use it. Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-09-27T12:43:14+00:00 Bjorn Andersson bjorn.andersson@linaro.org 2017-08-03T01:28:00+00:00 urn:sha1:fb224b572f90cd79233872a2afba1077cef26150 commit 39efc7cc7ccf82d1cd946580cdb70760f347305a upstream. As the association status changes the driver needs to configure the hardware. This is done based on information in the "sta" acquired by ieee80211_find_sta(), which requires the caller to ensure that the "sta" is valid while its being used; generally by entering an rcu read section. But the operations acting on the "sta" has to communicate with the firmware and may therefor sleep, resulting in the following report: [ 31.418190] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:238 [ 31.425919] in_atomic(): 0, irqs_disabled(): 0, pid: 34, name: kworker/u8:1 [ 31.434609] CPU: 0 PID: 34 Comm: kworker/u8:1 Tainted: G W 4.12.0-rc4-next-20170607+ #993 [ 31.441002] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT) [ 31.450380] Workqueue: phy0 ieee80211_iface_work [ 31.457226] Call trace: [ 31.461830] [<ffffff8008088c58>] dump_backtrace+0x0/0x260 [ 31.464004] [<ffffff8008088f7c>] show_stack+0x14/0x20 [ 31.469557] [<ffffff8008392e70>] dump_stack+0x98/0xb8 [ 31.474592] [<ffffff80080e4330>] ___might_sleep+0xf0/0x118 [ 31.479626] [<ffffff80080e43a8>] __might_sleep+0x50/0x88 [ 31.485010] [<ffffff80088ff9a4>] mutex_lock+0x24/0x60 [ 31.490479] [<ffffff8008595c38>] wcn36xx_smd_set_link_st+0x30/0x130 [ 31.495428] [<ffffff8008591ed8>] wcn36xx_bss_info_changed+0x148/0x448 [ 31.501504] [<ffffff80088ab3c4>] ieee80211_bss_info_change_notify+0xbc/0x118 [ 31.508102] [<ffffff80088f841c>] ieee80211_assoc_success+0x664/0x7f8 [ 31.515220] [<ffffff80088e13d4>] ieee80211_rx_mgmt_assoc_resp+0x144/0x2d8 [ 31.521555] [<ffffff80088e1e20>] ieee80211_sta_rx_queued_mgmt+0x190/0x698 [ 31.528239] [<ffffff80088bc44c>] ieee80211_iface_work+0x234/0x368 [ 31.535011] [<ffffff80080d81ac>] process_one_work+0x1cc/0x340 [ 31.541086] [<ffffff80080d8368>] worker_thread+0x48/0x430 [ 31.546814] [<ffffff80080de448>] kthread+0x108/0x138 [ 31.552195] [<ffffff8008082ec0>] ret_from_fork+0x10/0x50 In order to ensure that the "sta" remains alive (and consistent) for the duration of bss_info_changed() mutual exclusion has to be ensured with sta_remove(). This is done by introducing a mutex to cover firmware configuration changes, which is made to also ensure mutual exclusion between other operations changing the state or configuration of the firmware. With this we can drop the rcu read lock. Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-09-13T21:20:54+00:00 Stanislaw Gruszka sgruszka@redhat.com 2017-08-25T15:04:15+00:00 urn:sha1:ef96511782dd5ad18f000bc88f1f69c34373b8ac commit 83ec489193894e52bd395eec470f4f7c4286d4a5 upstream. Since commit 41977e86c984 ("rt2x00: add support for MT7620") we do not initialize TX_PIN_CFG setting. This cause breakage at least on some RT3573 devices. To fix the problem patch restores previous behaviour for non MT7620 chips. Fixes: 41977e86c984 ("rt2x00: add support for MT7620") Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1480829 Reported-and-tested-by: Jussi Eloranta <jussi.eloranta@csun.edu> Cc: Daniel Golle <daniel@makrotopia.org> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Acked-by: Daniel Golle <daniel@makrotopia.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>