forked from Minki/linux
f873ded213
When reading the contents of '/sys/kernel/debug/mwifiex/p2p0/info', the following panic occurs:

    $ cat /sys/kernel/debug/mwifiex/p2p0/info
    Unable to handle kernel paging request at virtual address 74706164
    pgd = de530000
    [74706164] *pgd=00000000
    Internal error: Oops: 5 [#1] SMP ARM
    Modules linked in: phy_twl4030_usb omap2430 musb_hdrc mwifiex_sdio mwifiex
    CPU: 0 PID: 1635 Comm: cat Not tainted 3.10.0-rc1-00010-g1268390 #1
    task: de16b6c0 ti: de048000 task.ti: de048000
    PC is at strnlen+0xc/0x4c
    LR is at string+0x3c/0xf8
    pc : [<c02c123c>]    lr : [<c02c2d1c>]    psr: a0000013
    sp : de049e10  ip : c06efba0  fp : de6d2092
    r10: bf01a260  r9 : ffffffff  r8 : 74706164
    r7 : 0000ffff  r6 : ffffffff  r5 : de6d209c  r4 : 00000000
    r3 : ff0a0004  r2 : 74706164  r1 : ffffffff  r0 : 74706164
    Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    Control: 10c5387d  Table: 9e530019  DAC: 00000015
    Process cat (pid: 1635, stack limit = 0xde048240)
    Stack: (0xde049e10 to 0xde04a000)
    9e00:                                     de6d2092 00000002 bf01a25e de6d209c
    9e20: de049e80 c02c438c 0000000a ff0a0004 ffffffff 00000000 00000000 de049e48
    9e40: 00000000 2192df6d ff0a0004 ffffffff 00000000 de6d2092 de049ef8 bef3cc00
    9e60: de6b0000 dc358000 de6d2000 00000000 00000003 c02c45a4 bf01790c bf01a254
    9e80: 74706164 bf018698 00000000 de59c3c0 de048000 de049f80 00001000 bef3cc00
    9ea0: 00000008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ec0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
    9ee0: 00000000 00000000 00000000 00000001 00000000 00000000 6669776d 20786569
    9f00: 20302e31 2e343128 392e3636 3231702e 00202933 00000000 00000003 c0294898
    9f20: 00000000 00000000 00000000 00000000 de59c3c0 c0107c04 de554000 de59c3c0
    9f40: 00001000 bef3cc00 de049f80 bef3cc00 de049f80 00000000 00000003 c0108a00
    9f60: de048000 de59c3c0 00000000 00000000 de59c3c0 00001000 bef3cc00 c0108b60
    9f80: 00000000 00000000 00001000 bef3cc00 00000003 00000003 c0014128 de048000
    9fa0: 00000000 c0013f80 00001000 bef3cc00 00000003 bef3cc00 00001000 00000000
    9fc0: 00001000 bef3cc00 00000003 00000003 00000001 00000001 00000001 00000003
    9fe0: 00000000 bef3cbdc 00011984 b6f1127c 60000010 00000003 18dbdd2c 7f7bfffd
    [<c02c123c>] (strnlen+0xc/0x4c) from [<c02c2d1c>] (string+0x3c/0xf8)
    [<c02c2d1c>] (string+0x3c/0xf8) from [<c02c438c>] (vsnprintf+0x1e8/0x3e8)
    [<c02c438c>] (vsnprintf+0x1e8/0x3e8) from [<c02c45a4>] (sprintf+0x18/0x24)
    [<c02c45a4>] (sprintf+0x18/0x24) from [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex])
    [<bf01790c>] (mwifiex_info_read+0xfc/0x3e8 [mwifiex]) from [<c0108a00>] (vfs_read+0xb0/0x144)
    [<c0108a00>] (vfs_read+0xb0/0x144) from [<c0108b60>] (SyS_read+0x44/0x70)
    [<c0108b60>] (SyS_read+0x44/0x70) from [<c0013f80>] (ret_fast_syscall+0x0/0x30)
    Code: e12fff1e e3510000 e1a02000 0a00000d (e5d03000)
    ---[ end trace ca98273dc605a04f ]---

The panic is caused by the mwifiex_info_read() routine assuming that there can only be four modes (0-3) which is an invalid assumption. For example, when testing P2P, the mode is '8' (P2P_CLIENT) so the code accesses data beyond the bounds of the bss_modes[] array which causes the panic.

Fix this by updating bss_modes[] to support the current list of modes and adding a check to prevent the out-of-bounds access from occurring in the future when more modes are added.

Signed-off-by: Mark A. Greer <mgreer@animalcreek.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

||
---|---|---|
11ac.c | ||
11ac.h | ||
11n_aggr.c | ||
11n_aggr.h | ||
11n_rxreorder.c | ||
11n_rxreorder.h | ||
11n.c | ||
11n.h | ||
cfg80211.c | ||
cfg80211.h | ||
cfp.c | ||
cmdevt.c | ||
debugfs.c | ||
decl.h | ||
ethtool.c | ||
fw.h | ||
ie.c | ||
init.c | ||
ioctl.h | ||
join.c | ||
Kconfig | ||
main.c | ||
main.h | ||
Makefile | ||
pcie.c | ||
pcie.h | ||
README | ||
scan.c | ||
sdio.c | ||
sdio.h | ||
sta_cmd.c | ||
sta_cmdresp.c | ||
sta_event.c | ||
sta_ioctl.c | ||
sta_rx.c | ||
sta_tx.c | ||
txrx.c | ||
uap_cmd.c | ||
uap_event.c | ||
uap_txrx.c | ||
usb.c | ||
usb.h | ||
util.c | ||
util.h | ||
wmm.c | ||
wmm.h |
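
The bug class described in the commit message above (a name table indexed by a mode value that can exceed the table), as an added user-space C example that is not the driver's code. The function names, the `demo_mode` numbering and the table order are assumptions; only the four README mode names and the value 8 for P2P_CLIENT come from the page. It goes one step beyond the commit by also guarding against NULL holes in a sparse table.

```c
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Constructed numbering for the demo; only 8 = P2P_CLIENT is from the page. */
enum demo_mode { DEMO_UNKNOWN, DEMO_ADHOC, DEMO_MANAGED, DEMO_AUTO,
		 DEMO_P2P_CLIENT = 8 };

/* 'Before': table sized for modes 0-3 only (names from the README). */
static const char *const old_names[] = { "Unknown", "Ad-hoc", "Managed", "Auto" };

/* Unchecked lookup. For mode >= 4 the index runs past old_names[] and %s
 * dereferences whatever lies there: the strnlen() fault in the oops.
 * Safe only while the caller guarantees mode <= 3. */
int format_mode_unchecked(char *buf, size_t len, unsigned int mode)
{
	return snprintf(buf, len, "bss_mode=\"%s\"\n", old_names[mode]);
}

/* 'After': every known mode is named; designated initializers leave the
 * unnamed slots 4-7 as NULL, so the table is sparse. */
static const char *const new_names[] = {
	[DEMO_UNKNOWN] = "Unknown", [DEMO_ADHOC] = "Ad-hoc",
	[DEMO_MANAGED] = "Managed", [DEMO_AUTO] = "Auto",
	[DEMO_P2P_CLIENT] = "P2P_CLIENT",
};

/* Checked lookup: bounds test against the table's real size, then a NULL
 * test for holes; anything unnamed is reported by number instead. */
int format_mode_checked(char *buf, size_t len, unsigned int mode)
{
	if (mode >= ARRAY_SIZE(new_names) || !new_names[mode])
		return snprintf(buf, len, "bss_mode=\"%u\"\n", mode);
	return snprintf(buf, len, "bss_mode=\"%s\"\n", new_names[mode]);
}

int main(void)
{
	char buf[64];
	unsigned int modes[] = { DEMO_MANAGED, 5, DEMO_P2P_CLIENT, 42 };

	for (size_t i = 0; i < ARRAY_SIZE(modes); i++) {
		format_mode_checked(buf, sizeof(buf), modes[i]);
		fputs(buf, stdout);
	}
	return 0;
}
```
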
# Copyright (C) 2011, Marvell International Ltd.
#
# This software file (the "File") is distributed by Marvell International
# Ltd. under the terms of the GNU General Public License Version 2, June 1991
# (the "License"). You may use, redistribute and/or modify this File in
# accordance with the terms and conditions of the License, a copy of which
# is available by writing to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA or on the
# worldwide web at http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# THE FILE IS DISTRIBUTED AS-IS, WITHOUT WARRANTY OF ANY KIND, AND THE
# IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
# ARE EXPRESSLY DISCLAIMED. The License provides additional details about
# this warranty disclaimer.

===============================================================================
            U S E R  M A N U A L

1) FOR DRIVER INSTALL

    a) Copy sd8787.bin to /lib/firmware/mrvl/ directory,
       create the directory if it doesn't exist.
    b) Install WLAN driver,
        insmod mwifiex.ko
    c) Uninstall WLAN driver,
        ifconfig mlanX down
        rmmod mwifiex

2) FOR DRIVER CONFIGURATION AND INFO

    The configurations can be done either using the 'iw' user space
    utility or debugfs.

    a) 'iw' utility commands

    Following are some useful iw commands:

    iw dev mlan0 scan
        This command will trigger a scan.
        The command will then display the scan table entries.

    iw dev mlan0 connect -w <SSID> [<freq in MHz>] [<bssid>] [key 0:abcde d:1123456789a]
        The above command can be used to connect to an AP with a particular SSID.
        The AP's operating frequency can be specified, or even the bssid. If the AP
        is using WEP encryption, WEP keys can be specified in the command.
        Note: The scan command (iw dev mlan0 scan) should be run every time
        before connecting to an AP.

    iw dev mlan0 disconnect
        This command will be used to disconnect from an AP.

    iw dev mlan0 ibss join <SSID> <freq in MHz> [fixed-freq] [fixed-bssid] [key 0:abcde]
        The command will be used to join or create an ibss. Optionally, operating
        frequency, bssid and the security related parameters can be specified
        while joining/creating an ibss.

    iw dev mlan0 ibss leave
        The command will be used to leave an ibss network.

    iw dev mlan0 link
        The command will be used to get the connection status. The command will
        return parameters such as SSID, operating frequency, rx/tx packets,
        signal strength, tx bitrate.

    Apart from the iw utility all standard configurations using the 'iwconfig'
    utility are also supported.

    b) Debugfs interface

    The debugfs interface can be used for configurations and for getting
    some useful information from the driver.
    The section below explains the configurations that can be
    done.

    Mount debugfs to /debugfs mount point:

        mkdir /debugfs
        mount -t debugfs debugfs /debugfs

    The information is provided in /debugfs/mwifiex/mlanX/:

    iw reg set <country code>
        The command will be used to change the regulatory domain.

    iw reg get
        The command will be used to get current regulatory domain.

    info
        This command is used to get driver info.

        Usage:
            cat info

        driver_name = "mwifiex"
        driver_version = <driver_name, driver_version, (firmware_version)>
        interface_name = "mlanX"
        bss_mode = "Ad-hoc" | "Managed" | "Auto" | "Unknown"
        media_state = "Disconnected" | "Connected"
        mac_address = <6-byte adapter MAC address>
        multicast_count = <multicast address count>
        essid = <current SSID>
        bssid = <current BSSID>
        channel = <current channel>
        region_code = <current region code>
        multicast_address[n] = <multicast address>
        num_tx_bytes = <number of bytes sent to device>
        num_rx_bytes = <number of bytes received from device and sent to kernel>
        num_tx_pkts = <number of packets sent to device>
        num_rx_pkts = <number of packets received from device and sent to kernel>
        num_tx_pkts_dropped = <number of Tx packets dropped by driver>
        num_rx_pkts_dropped = <number of Rx packets dropped by driver>
        num_tx_pkts_err = <number of Tx packets failed to send to device>
        num_rx_pkts_err = <number of Rx packets failed to receive from device>
        carrier "on" | "off"
        tx queue "stopped" | "started"

    The following debug info is provided in /debugfs/mwifiex/mlanX/debug:

        int_counter = <interrupt count, cleared when interrupt handled>
        wmm_ac_vo = <number of packets sent to device from WMM AcVo queue>
        wmm_ac_vi = <number of packets sent to device from WMM AcVi queue>
        wmm_ac_be = <number of packets sent to device from WMM AcBE queue>
        wmm_ac_bk = <number of packets sent to device from WMM AcBK queue>
        tx_buf_size = <current Tx buffer size>
        curr_tx_buf_size = <current Tx buffer size>
        ps_mode = <0/1, CAM mode/PS mode>
        ps_state = <0/1/2/3, full power state/awake state/pre-sleep state/sleep state>
        is_deep_sleep = <0/1, not deep sleep state/deep sleep state>
        wakeup_dev_req = <0/1, wakeup device not required/required>
        wakeup_tries = <wakeup device count, cleared when device awake>
        hs_configured = <0/1, host sleep not configured/configured>
        hs_activated = <0/1, extended host sleep not activated/activated>
        num_tx_timeout = <number of Tx timeout>
        num_cmd_timeout = <number of timeout commands>
        timeout_cmd_id = <command id of the last timeout command>
        timeout_cmd_act = <command action of the last timeout command>
        last_cmd_id = <command id of the last several commands sent to device>
        last_cmd_act = <command action of the last several commands sent to device>
        last_cmd_index = <0 based last command index>
        last_cmd_resp_id = <command id of the last several command responses received from device>
        last_cmd_resp_index = <0 based last command response index>
        last_event = <event id of the last several events received from device>
        last_event_index = <0 based last event index>
        num_cmd_h2c_fail = <number of commands failed to send to device>
        num_cmd_sleep_cfm_fail = <number of sleep confirm failed to send to device>
        num_tx_h2c_fail = <number of data packets failed to send to device>
        num_evt_deauth = <number of deauthenticated events received from device>
        num_evt_disassoc = <number of disassociated events received from device>
        num_evt_link_lost = <number of link lost events received from device>
        num_cmd_deauth = <number of deauthenticate commands sent to device>
        num_cmd_assoc_ok = <number of associate commands with success return>
        num_cmd_assoc_fail = <number of associate commands with failure return>
        cmd_sent = <0/1, send command resources available/sending command to device>
        data_sent = <0/1, send data resources available/sending data to device>
        mp_rd_bitmap = <SDIO multi-port read bitmap>
        mp_wr_bitmap = <SDIO multi-port write bitmap>
        cmd_resp_received = <0/1, no cmd response to process/response received and yet to process>
        event_received = <0/1, no event to process/event received and yet to process>
        cmd_pending = <number of cmd pending>
        tx_pending = <number of Tx packet pending>
        rx_pending = <number of Rx packet pending>

3) FOR DRIVER CONFIGURATION

    regrdwr
        This command is used to read/write the adapter register.

        Usage:
            echo " <type> <offset> [value]" > regrdwr
            cat regrdwr

        where the parameters are,
            <type>:     1:MAC/SOC, 2:BBP, 3:RF, 4:PMIC, 5:CAU
            <offset>:   offset of register
            [value]:    value to be written

        Examples:
            echo "1 0xa060" > regrdwr            : Read the MAC register
            echo "1 0xa060 0x12" > regrdwr       : Write the MAC register
            echo "1 0xa794 0x80000000" > regrdwr : Write 0x80000000 to MAC register

    rdeeprom
        This command is used to read the EEPROM contents of the card.

        Usage:
            echo "<offset> <length>" > rdeeprom
            cat rdeeprom

        where the parameters are,
            <offset>:   multiples of 4
            <length>:   4-20, multiples of 4

        Example:
            echo "0 20" > rdeeprom : Read 20 bytes of EEPROM data from offset 0

    getlog
        This command is used to get the statistics available in the station.

        Usage:
            cat getlog

===============================================================================