Commit Graph

501 Commits

Author SHA1 Message Date
Daniel Drake
6390d88529 mwifiex: fix memory corruption when unsetting multicast list
When trying to unset a previously-set multicast list (i.e. the new list
has 0 entries), mwifiex_set_multicast_list() was calling down to
mwifiex_request_set_multicast_list() while leaving
mcast_list.num_multicast_addr as an uninitialized value.

We were arriving at mwifiex_cmd_mac_multicast_adr() which would then
proceed to do an often huge memcpy of
mcast_list.num_multicast_addr*ETH_ALEN bytes, causing memory corruption
and hard to debug crashes.

Fix this by setting mcast_list.num_multicast_addr to 0 when no multicast
list is provided. Similarly, fix up the logic in
mwifiex_request_set_multicast_list() to unset the multicast list that
was previously sent to the hardware in such cases.

Signed-off-by: Daniel Drake <dsd@laptop.org>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-06-17 14:38:51 -04:00
Avinash Patil
3c68ef5b22 mwifiex: Add module parameter for regdomain
Allow a regulatory domain country code to be specified at boot
using a module argument.  This overrides the firmware regulatory
mode.

This patch also enables uAP to operate in 11a mode with hostapd.

Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-06-17 14:38:51 -04:00
John W. Linville
812fd64596 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next
Conflicts:
	drivers/net/wireless/iwlwifi/mvm/mac80211.c
2013-06-12 15:39:05 -04:00
Avinash Patil
c9e2404c9f mwifiex: enable/disable tx_amsdu support via module parameter
This patch disables tx_amsdu support in mwifiex by default.
tx_amdsu support can be enabled via module parameter at load time.

Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-06-12 14:59:39 -04:00
Amitkumar Karwar
df8100836e mwifiex: fix regression issue for usb interface
PATCH "mwifiex: scan delay timer cleanup in unload path" adds code
to cancel scan delay timer in unload path. It causes a regression
for USB interface.

USB8797 card gets enumerated twice. First enumeration is for
firmware download and second enumeration expects firmware
initialization.

It was observed that we are trying del_timer_sync() without setting
up the timer when remove handler is called after first enumeration.

This patch moves setup_timer() call to appropriate place so that
timer is setup for both the enumerations.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-06-12 14:59:38 -04:00
John W. Linville
861bca265e Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
Conflicts:
	drivers/net/wireless/ath/ath9k/Kconfig
	net/mac80211/iface.c
2013-06-12 14:35:23 -04:00
Mark A. Greer
f873ded213 mwifiex: debugfs: Fix out of bounds array access
When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info',
the following panic occurs:

$ cat /sys/kernel/debug/mwifiex/p2p0/info
Unable to handle kernel paging request at virtual address 74706164
pgd = de530000
[74706164] *pgd=00000000
Internal error: Oops: 5 [#1] SMP ARM
Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
task: de16b6c0 ti: de048000 task.ti: de048000
PC is at strnlen+0xc/0x4c
LR is at string+0x3c/0xf8
pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
sp : de049e10  ip : c06efba0  fp : de6d2092
r10: bf01a260  r9 : ffffffff  r8 : 74706164
r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 10c5387d  Table: 9e530019  DAC: 00000015
Process cat (pid: 1635, stack limit = 0xde048240)
Stack: (0xde049e10 to 0xde04a000)
9e00:                                     de6d2092 00000002 bf01a25e de6d209c
9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
[<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
[<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
[<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
[<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
[<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
[<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
[<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
---[ end trace ca98273dc605a04f ]---

The panic is caused by the mwifiex_info_read() routine assuming that
there can only be four modes (0-3) which is an invalid assumption.
For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the
code accesses data beyond the bounds of the bss_modes[] array which
causes the panic.  Fix this by updating bss_modes[] to support the
current list of modes and adding a check to prevent the out-of-bounds
access from occuring in the future when more modes are added.

Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-06-12 10:20:55 -04:00
Johannes Berg
51217cee3a Merge remote-tracking branch 'wireless-next/master' into HEAD
Merge to get the wil6210 changes that a cfg80211 change needs.
A conflict in drivers/net/wireless/ath/ath9k/init.c was just
whitespace changes.

Also fix a semantic conflict due to cw1200 using WoWLAN which
I had modified in my tree.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-06-04 13:02:42 +02:00
Johannes Berg
964dc9e2c3 cfg80211: take WoWLAN support information out of wiphy struct
There's no need to take up the space for devices that don't
support WoWLAN, and most drivers can even make the support
data static const (except where it's modified at runtime.)

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2013-06-03 18:43:34 +02:00
Andy Shevchenko
5f07d15a77 mwifiex: dump small buffers with help of %*ph
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-29 15:22:48 -04:00
John W. Linville
531efffc3e Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next 2013-05-29 14:50:45 -04:00
Yogesh Ashok Powar
b60186f824 mwifiex: add support for Marvell SD8897 chipset
Some of the key differences between SD8897 and older chipsets
are as follows:

a) sdio mpa_rx and mpa_tx ports have been increased from 16 to 32
b) Same is the case with read/write bitmap that one receives from
   mpa_reg read
c) aggregation packet count doubled from 8 to 16
d) Most of key reg addresses are changed
e) There is a separate command or control port
f) Now command rx/tx_done have new interrupts

1. 'supports_sdio_new_mode' flag is added to handle (a) and (b).
2. (c) and (d) are taken care of by filling chip specific
   information in global structurei (mwifiex_sdio_sd8897).
3. For older chipsets, port 0 was cmd port and port 1->15 were
   data port. Therefore we had CTRL_PORT_MASK to differentiate
   port type. Now these changes are under 'has_control_mask' flag.

Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Nishant Sarmukadam <nishants@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Frank Huang <frankh@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:14 -04:00
Amitkumar Karwar
c23b7c8f71 mwifiex: code rearrangement in multiport aggregation path
There are some macros defined for multiport aggregation
calculations. As we may need to add some more code to
accomodate new chipsets, we will change them to inline
functions. Also, use dynamic allocation for Rx buffer array.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:12 -04:00
Amitkumar Karwar
dc468e3d42 mwifiex: remove unnecessary macros in sdio.h
They are not used in the code.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:10 -04:00
Amitkumar Karwar
248eb4c653 mwifiex: define a macro for MPA base address
As Multiple-Port Aggregation base address value is fixed, we can
have a macro for it.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:08 -04:00
Amitkumar Karwar
0fc0d43b97 mwifiex: do port calculations separately
This patch rearranges the code for better readability

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:07 -04:00
Amitkumar Karwar
e6a520304f mwifiex: code rearrangement in mwifiex_get_rd_port()
Get rid of 'if else' usage by returning in 'if' block.
This improves readability by removing indentations.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:05 -04:00
Amitkumar Karwar
ab93d4ff36 mwifiex: replace unnecessary u32 variables with u8 in sdio.c
Some u32 variables in sdio.c are used to store/pass u8 values.
Replace them with u8 variables.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:03 -04:00
Amitkumar Karwar
05889f8253 mwifiex: store SDIO chip specific information in separate structure
Register addresses, firmware name and some macros are specific to
a chip. They are stored in a new structure.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:01 -04:00
Amitkumar Karwar
5ac253d50b mwifiex: use u32 variables for SDIO read/write port bitmap
Currently supported SDIO chipsets (SD87XX) have 16 ports.
This change is a prerequisite for new chipset.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:09:00 -04:00
Amitkumar Karwar
388ec385d5 mwifiex: add calibration data download feature
User can provide a text file containing calibration data in hex
format while loading mwifiex module. It will be downloaded to
firmware.
eg. insmod mwifiex.ko cal_data_cfg=cal_data.conf

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:08:58 -04:00
Avinash Patil
013a492ecf mwifiex: replace spin_lock_irqsave with spin_lock and fix warn_on
We see this WARN_ON during PCIe unload:
WARNING: at kernel/smp.c:382 smp_call_function_many+0x66/0x1e1()

This happens because we are doing PCI iounmap operations while
holding spinlock via spin_lock_irqsave(). Holding spinlock this
way causes disabling IRQs and hence PCI iounmap shows warning on
irqs_disabled() check.

Use non-irq variant of spin_lock i.e. spin_lock() instead.

Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:08:56 -04:00
Avinash Patil
0f9e9b8ba7 mwifiex: add del_station handler
This patch adds cfg80211 del_station handler for mwifiex.
If bss is not started or there are no stations in associated
stations list, no action is taken. If argument received is
null/broadcast mac, all stations in associated station list are
deauthenticated.

Patch also deletes related RxReorder stream and TxBA stream tables
for related station.

Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:08:54 -04:00
Avinash Patil
bdd4d6bf59 mwifiex: avoid deleting all stations during mwifiex_del_sta_entry()
During deleting a station entry from associated sta_list, we are
supposed to delete entry only for this particular mac address.
This patch is a bug fix wherein we were deleting all entries from
list; fix this by removing list_for_each_entry_safe() call.

Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:08:53 -04:00
Bing Zhao
4c1079e158 mwifiex: abort remaining scan commands when association started
A full-channel scan is split to multiple scan commands in driver
before they are sent to firmware. When each scan result is back
the SSID entries are parsed and informed to cfg80211 directly.

It's observed that sometimes userspace may initiate association
as soon as the target AP is found. During the 4-way handshake
firmware may go off-channel to scan the remaining channels.
This causes the 4-way handshake to fail.

Fix it by checking 'scan_block' flag and aborting the remaining
scan in this case. 'scan_block' flag is set after association
and before 4-way handshake. It gets cleared after 4-way handshake
is completed.

Tested-by: Jason Abele <jabele@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:08:51 -04:00
Amitkumar Karwar
75ab753d77 mwifiex: remove global user_scan_cfg variable
As the variable is used only for preparation of internal scan
commands, we don't need to keep it allocated until the entire
scan completes. We will define it as a local variable and free
immediately after it's use.

New flag 'scan_aborting' is added to handle race between
mwifiex_close() and scan handler. Previously user_scan_cfg
pointer used to take care of this.

This patch fixes a memory leak in mwifiex_cfg80211_scan after
running "iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio".

Reported-by: Daniel Drake <dsd@laptop.org>
Tested-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:08:49 -04:00
Amitkumar Karwar
06041118ef mwifiex: scan delay timer cleanup in unload path
Return from scan delay timer routine if surprise_removed flag
is true. Also, cancel the timer in unload path.

This fixes a crash when scan delay timer accesses structures
that have been freed already.

Tested with "iwlist mlan0 scan & sleep 1; rmmod mwifiex_sdio"

Reported-by: Daniel Drake <dsd@laptop.org>
Tested-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:08:47 -04:00
Amitkumar Karwar
c56ecf5a7f mwifiex: rename mwifiex_free_adapter() routine in init.c
We have two different static routines with name
mwifiex_free_adapter(). The routine in main.c actually frees the
adapter structure.

We will rename other routine in init.c to mwifiex_adapter_cleanup()
to avoid confusion.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-22 15:08:46 -04:00
John W. Linville
4f81d715b9 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless into for-davem 2013-05-10 10:29:24 -04:00
Daniel Drake
ccd384b104 mwifiex: fix setting of multicast filter
A small bug in this code was causing the ALLMULTI filter to be set
when in fact we were just wanting to program a selective multicast list
to the hardware.

Fix that bug and remove a redundant if condition in the code that
follows.

This fixes wakeup behaviour when multicast WOL is enabled. Previously,
all multicast packets would wake up the system. Now, only those that the
host intended to receive trigger wakeups.

Signed-off-by: Daniel Drake <dsd@laptop.org>
Cc: <stable@vger.kernel.org>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-08 17:15:09 -04:00
Amitkumar Karwar
f16fdc9d2d mwifiex: fix memory leak issue when driver unload
After unregister_netdevice() call the request is queued and
reg_state is changed to NETREG_UNREGISTERING.
As we check for NETREG_UNREGISTERED state, free_netdev() never
gets executed causing memory leak.

Initialize "dev->destructor" to free_netdev() to free device
data after unregistration.

Cc: <stable@vger.kernel.org>
Reported-by: Daniel Drake <dsd@laptop.org>
Tested-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-08 17:15:08 -04:00
Bing Zhao
48795424ac mwifiex: clear is_suspended flag when interrupt is received early
When the XO-4 with 8787 wireless is woken up due to wake-on-WLAN
mwifiex is often flooded with "not allowed while suspended" messages
and the interface is unusable.

[  202.171609] int: sdio_ireg = 0x1
[  202.180700] info: mwifiex_process_hs_config: auto cancelling host
               sleep since there is interrupt from the firmware
[  202.201880] event: wakeup device...
[  202.211452] event: hs_deactivated
[  202.514638] info: --- Rx: Data packet ---
[  202.514753] data: 4294957544 BSS(0-0): Data <= kernel
[  202.514825] PREP_CMD: device in suspended state
[  202.514839] data: dequeuing the packet ec7248c0 ec4869c0
[  202.514886] mwifiex_write_data_sync: not allowed while suspended
[  202.514886] host_to_card, write iomem (1) failed: -1
[  202.514917] mwifiex_write_data_sync: not allowed while suspended
[  202.514936] host_to_card, write iomem (2) failed: -1
[  202.514949] mwifiex_write_data_sync: not allowed while suspended
[  202.514965] host_to_card, write iomem (3) failed: -1
[  202.514976] mwifiex_write_data_async failed: 0xFFFFFFFF

This can be readily reproduced when putting the XO-4 in a loop where
it goes to sleep due to inactivity, but then wakes up due to an
incoming ping. The error is hit within an hour or two.

This issue happens when an interrupt comes in early while host sleep
is still activated. Driver handles this case by auto cancelling host
sleep. However is_suspended flag is still set which prevents any cmd
or data from being sent to firmware. Fix it by clearing is_suspended
flag in this path.

Cc: <stable@vger.kernel.org>
Reported-by: Daniel Drake <dsd@laptop.org>
Tested-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-05-08 17:15:08 -04:00
Akinobu Mita
e00adf3913 drivers/net: rename random32() to prandom_u32()
Use preferable function name which implies using a pseudo-random number
generator.

[akpm@linux-foundation.org: convert team_mode_random.c]
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Acked-by: Thomas Sailer <t.sailer@alumni.ethz.ch>
Acked-by: Bing Zhao <bzhao@marvell.com> [mwifiex]
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Michael Chan <mchan@broadcom.com>
Cc: Thomas Sailer <t.sailer@alumni.ethz.ch>
Cc: Jean-Paul Roubelat <jpr@f6fbb.org>
Cc: Bing Zhao <bzhao@marvell.com>
Cc: Brett Rudley <brudley@broadcom.com>
Cc: Arend van Spriel <arend@broadcom.com>
Cc: "Franky (Zhenhui) Lin" <frankyl@broadcom.com>
Cc: Hante Meuleman <meuleman@broadcom.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-05-07 18:38:27 -07:00
Yogesh Ashok Powar
7af1ce0e0d mwifiex: Correct pci_unmap_single's size
There exist mismatch between the size used for pci_map and
pci_unmap on command skb. Correcting it.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-26 08:42:22 -04:00
Yogesh Ashok Powar
955ab095c5 mwifiex: Do not kfree cmd buf while unregistering PCIe
All the command buffers are freed in mwifiex_free_cmd_buffer()
and hence there is no need to kfree the current command buffer
again. This might ends up freeing memory allocated by some other
kernel code.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-26 08:42:21 -04:00
Yogesh Ashok Powar
5b0d9b218b mwifiex: Call pci_release_region after calling pci_disable_device
"drivers should call pci_release_region() AFTER
calling pci_disable_device()"

Please refer section 3.2 Request MMIO/IOP resources
in Documentation/PCI/pci.txt

Cc: <stable@vger.kernel.org> # 3.2+
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-26 08:42:21 -04:00
Yogesh Ashok Powar
c380aafb77 mwifiex: Use pci_release_region() instead of a pci_release_regions()
PCI regions are associated with the device using
pci_request_region() call. Hence use pci_release_region()
instead of pci_release_regions().

Cc: <stable@vger.kernel.org> # 3.2+
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-26 08:42:20 -04:00
Andreas Fenkart
b006ed545c mwifiex: rework round robin scheduling of bss nodes.
Rotate bss prio list, so the bss next to the one served, will come first
in the list of bss' with equal priority. This way we pick bss nodes in a
round robin fashion. Using list rotation instead of a cur ptr simplifies
iteration to calling list_for_each_entry. List rotation is done via
list_move, where the head itself is temporarily removed and then
re-inserted after the bss just served.

Signed-off-by: Andreas Fenkart <andreas.fenkart@streamunlimited.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-23 15:18:40 -04:00
Andreas Fenkart
2e23731954 mwifiex: replace ra_list_curr by list rotation.
After a packet is successfully transmitted, ra list is rotated, so the ra
next to the one transmitted, will be the first in the list. This way we
pick the ra' in a round robin fashion. This significantly simplifies
iteration in  mwifiex_wmm_get_highest_priolist_ptr to a call to
list_for_each_entry.
List rotation is done via list_move, where the head itself is temporarily
removed and then re-inserted after the item just transferred.

Signed-off-by: Andreas Fenkart <andreas.fenkart@streamunlimited.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-23 15:18:40 -04:00
Bing Zhao
c43933e61e mwifiex: remove redundant initialization for bss_descriptor
Initialization of bss_descriptor is unnecessary as the entire
structure will be overwritten by a memcpy followed by.

Initialize disable_11ac flag properly by setting it to true in
mwifiex_fill_new_bss_desc().

Reported-by: Doug Anderson <dianders@chromium.org>
Reviewed-by: Doug Anderson <dianders@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-22 15:38:36 -04:00
Bing Zhao
d837a2ae40 mwifiex: fix use-after-free in beacon_ie processing
beacon_ie buffer is allocated in mwifiex_fill_new_bss_desc()
and the buffer pointer is saved in bss_desc->beacon_buf.
beacon_ie is freed before the function returns. However,
bss_desc->beacon_buf is still being accessed afterwards.

Fix it by freeing beacon_ie (bss_desc->beacon_buf) in
caller's scope.

Reviewed-by: Doug Anderson <dianders@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-22 15:38:35 -04:00
Bing Zhao
8bc77a4d2c mwifiex: don't try to associate when bss_mode is not STA
We have blocked association attempts on interfaces configured in
AP and AD-HOC modes. P2P mode should be blocked too.

Furthermore, an error code must be returned if we are unable to
associate.

Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-22 15:20:28 -04:00
Bing Zhao
4587eea5b7 mwifiex: make use of msecs_to_jiffies()
Use msecs_to_jiffies() wherever possible.

Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-22 15:20:28 -04:00
Bing Zhao
0648f3a4b0 mwifiex: correct bss_mode check while appending vht operation IE
priv->bss_mode uses NL80211_IFTYPE_* definitions.
HostCmd_BSS_MODE_IBSS is used in ad-hoc start/join command between
driver and firmware.

Coincidentally both HostCmd_BSS_MODE_IBSS and NL80211_IFTYPE_STATION
are defined as 2. That explains why nobody complained.

Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-22 15:20:28 -04:00
Avinash Patil
d033d3a6b1 mwifiex: use PCI_DMA_FROMDEVICE for RX queue de-init
There is a typo in mwifiex_cleanup_rxq_ring() which uses
PCI_DMA_TODEVICE while unmapping PCI memory.
We should actually use PCI_DMA_FROMDEVICE.

Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-22 15:20:27 -04:00
Bing Zhao
66aa1ae2e7 mwifiex: configure p2p interface during initialization
Send P2P_MODE_CFG cmd to firmware when p2p interface is created.
Without proper p2p configuration firmware may behave incorrectly
while handling commands sent through this interface.

Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Stone Piao <piaoyun@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-22 15:20:27 -04:00
Paul Stewart
5586d3e2f2 mwifiex: Start P2P devices in P2P mode
p2p devices should identify themselves as such to userspace at
startup, so the connection manager can decide which interface
to start wpa_supplicant instances on.

Signed-off-by: Paul Stewart <pstew@chromium.org>
Reviewed-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-22 15:20:27 -04:00
John W. Linville
6fe5468f45 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
Conflicts:
	drivers/net/wireless/rt2x00/rt2x00pci.c
2013-04-10 09:31:39 -04:00
Andreas Fenkart
2716fd7d45 mwifiex: hold proper locks when accessing ra_list / bss_prio lists
Not locking ra_list when dequeuing packets creates race conditions.
When adding a packet 'tx_pkts_queued' is modified before setting
highest_priority_queue. If in-between the main loop starts, it will
see a packet queued (tx_pkts_queued > 0) but will not find it, since
max prio is not set yet. Depending on the scheduling, the thread
trying to add the packet could complete and restore the situation.
But this is not something to rely on.

Another race condition exists, if a new packet, exceeding current
max prio is added. If concurrently a packet is dequeued, the newly
set max prio will be overwritten with the value of the dequeued
packet. This can occur, because selecting a packet and modifying
the max prio is not atomic. The result in an infinite loop unless,
a new packet is added that has at least the priority of the hidden
packet.

Same applies to bss_prio_tbl. Forward iteration is no proper
lock-free technique and provides no protection from calls to
list_del. Although BSS are currently not added/removed dynamically,
this must not be the case in the future. Hence always hold proper
locks when accessing those lists.

Signed-off-by: Andreas Fenkart <andreas.fenkart@streamunlimited.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-08 15:28:40 -04:00
Andreas Fenkart
333f6b22c5 mwifiex: fix infinite loop by removing NO_PKT_PRIO_TID
Using NO_PKT_PRIO_TID and tx_pkts_queued to check for an empty
state, can lead to a contradictory state, resulting in an
infinite loop. Currently queueing and dequeuing of packets is
not synchronized, and can happen concurrently. While tx_pkts_queued
is incremented when adding a packet, max prio is set to NO_PKT when
the WMM list is empty. If a packet is added right after the check
for empty, but before setting max prio to NO_PKT, that packet is
trapped and creates an infinite loop.

Because of the new packet, tx_pkts_queued is at least 1, indicating
wmm lists are not empty. Opposing that max prio is NO_PKT, which
means "skip this wmm queue, it has no packets". The infinite loop
results, because the main loop checks the wmm lists for not empty
via tx_pkts_queued, but for dequeing it uses max_prio to see if it
can skip current list. This will never end, unless a new packet is
added which will restore max prio to the level of the trapped packet.

The solution here is to rely on tx_pkts_queued solely for checking
wmm queue to be empty, and drop the NO_PKT define. It does not
address the locking issue.

Signed-off-by: Andreas Fenkart <andreas.fenkart@streamunlimited.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2013-04-08 15:28:39 -04:00