2
0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2025-09-04 20:19:47 +08:00
Commit Graph

27 Commits

Author SHA1 Message Date
Hui Peng
39d170b3cb ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe()
The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects
are initialized to point to the containing `ath6kl_usb` object
according to endpoint descriptors read from the device side, as shown
below in `ath6kl_usb_setup_pipe_resources`:

for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
	endpoint = &iface_desc->endpoint[i].desc;

	// get the address from endpoint descriptor
	pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb,
						endpoint->bEndpointAddress,
						&urbcount);
	......
	// select the pipe object
	pipe = &ar_usb->pipes[pipe_num];

	// initialize the ar_usb field
	pipe->ar_usb = ar_usb;
}

The driver assumes that the addresses reported in endpoint
descriptors from device side  to be complete. If a device is
malicious and does not report complete addresses, it may trigger
NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and
`ath6kl_usb_free_urb_to_pipe`.

This patch fixes the bug by preventing potential NULL-ptr-deref
(CVE-2019-15098).

Signed-off-by: Hui Peng <benquike@gmail.com>
Reported-by: Hui Peng <benquike@gmail.com>
Reported-by: Mathias Payer <mathias.payer@nebelwelt.net>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-09-04 09:23:26 +03:00
Arvind Yadav
e881a65849 ath6kl: constify usb_device_id
usb_device_id are not supposed to change at runtime. All functions
working with usb_device_id provided by <linux/usb.h> work with
const usb_device_id. So mark the non-const structs as const.

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Reviewed-by: Steve deRosier <derosier@gmail.com>
Tested-by: Steve deRosier <derosier@gmail.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2017-08-11 16:59:01 +03:00
Alexey Khoroshilov
aa292fa409 ath6kl: remove incorrect reset_resume handler
Existing implementation of reset_resume handler just calls
ath6kl_usb_remove() that deallocates all resources.
It can lead to double free, etc. on disconnect.

The patch removes reset_resume handler,
so usb core could conservatively reset the driver.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2014-11-04 00:59:05 +02:00
Himangi Saraogi
17dc0b8068 ath6kl: convert a driver to use module_usb_driver()
This converts a driver in drivers/net/* to use the
module_usb_driver() macro which makes the code smaller and a
bit simpler.

Signed-off-by: Himangi Saraogi <himangi774@gmail.com>
Acked-by: Julia Lawall <julia.lawall@lip6.fr>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2014-08-04 09:10:53 +03:00
Jessica Wu
7880377012 ath6kl: add support for ar6004 hw3.0
This change enables ath6kl driver to support ar6004 hw3.0. At the same time do
some fixes in firmware initialisation which applies to ar6004 hw1.3 as well.

Signed-off-by: Jessica Wu <wjessica@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2014-07-14 16:03:38 +03:00
Kalle Valo
eba95bceb4 ath6kl: convert ar6004 hardware flags to firmware feature flags
The functionality defined through these flags were actually firmware features
which can change between firmware versions. To make it possible to support
different firmware versions with the same driver, convert the flags to firmware
feature flags.

For backwards compatibility support for old ar6004 firmware FW
API 3 or smaller images we forcefully set the feature bits in the driver.
Starting from FW API 5 the firmware image needs to set them.

Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2014-07-14 16:02:52 +03:00
Kalle Valo
3629fa1438 ath6kl: fix blank lines before and after braces
Fixes checkpatch warnings:

CHECK: Blank lines aren't necessary after an open brace '{'
CHECK: Blank lines aren't necessary before a close brace '}'

Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2014-03-13 07:46:31 +02:00
Julien Massot
61118fbf5b ath6kl: set rx urb count threshold to 1
Reduce the Rx count threshold to make sure we read
the available credits for Tx.

Signed-off-by: Julien Massot <jmassot@aldebaran-robotics.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2014-01-18 11:40:25 +02:00
Julien Massot
987cdcba62 ath6kl: increase usb rx buffer size to 4096
With the previous value (1700), some urb are dropped
with a babble error (urb status equal -EOVERFLOW).

These error seems to only happen when urb length is a
multiple of packet size (512).

Signed-off-by: Julien Massot <jmassot@aldebaran-robotics.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2014-01-18 11:40:11 +02:00
Mohammed Shafi Shajakhan
8c40e4e0e1 ath6kl: Fix a suspend/resume crash in AR6004 USB
cfg80211 suspend/resume callbacks are not yet implemented
for AR6004 USB. Introduce dummy handlers for these to avoid
NULL pointer dereference.

Cc: Sivanesan Rajapupathi <c_srajap@qualcomm.com>
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2013-06-01 15:14:41 +03:00
Mohammed Shafi Shajakhan
0b3d3ff15f ath6kl: Rename USB driver's suspend/resume/reset_resume
Rename USB driver's suspend/resume/reset_resume callbacks
with 'pm' prefix. This is necessary to differentiate it from
cfg80211/hif suspend/resume/reset_resume callbacks.

Cc: Sivanesan Rajapupathi <c_srajap@qualcomm.com>
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2013-06-01 15:14:40 +03:00
Andrei Epure
a41d9a91e3 ath: changed kmalloc to kmemdup
Signed-off-by: Andrei Epure <epure.andrei@gmail.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2013-03-18 14:08:20 +02:00
Kalle Valo
4e1609c9ee ath6kl: fix usb related error handling and warnings
It was annoying to debug usb warm reboot initialisation problems as many usb
related functions just ignored errors and it wasn't obvious from the kernel
logs what was failing. Fix all that so that error messages are printed and
errors are handled properly.

Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2013-03-18 13:37:46 +02:00
Mohammed Shafi Shajakhan
e16ccfeefb ath6kl: remove unnecessary check for NULL skb
dev_kfree_skb kernel API itself takes for checking for NULL
skb, so an explicit check is not required.

Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-11-27 21:44:27 +02:00
Mohammed Shafi Shajakhan
171fe76877 ath6kl: Fix mapping uplink endpoint for AR6004
AR6004(UB134) firmware supports only LP Endpoint, So map
all Access Categories to Low Priority endpoints. This fixes a WPA2
connection issue as the uplink(tx) endpoint is appropriately
mapped in sync with the firmware.

Tested-by: Ben Gray <ben.r.gray@gmail.com>
Reported-by: Ben Gray <ben.r.gray@gmail.com>
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-10-24 11:49:57 +03:00
Mohammed Shafi Shajakhan
5dbdf6feec ath6kl: Return error case when ath6kl_usb_alloc_pipe_resources fails
Incase the resource allocation for the struct ath6kl_urb_context in the
function ath6kl_usb_alloc_pipe_resources fails, return this error
case so that ath6kl_usb_probe is aware of this error case.

Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-10-24 11:49:56 +03:00
Marina Makienko
a3b3842c2e ath6kl: check usb_register() return value
ath6kl_usb_init() does not check usb_register() return value.
As a result it may incorrectly report success of driver initialization.

Found by Linux Driver Verification project (linuxtesting.org).

kvalo: fix commit title and make cosmetic changes to the code to follow
more the style used in the driver

Signed-off-by: Marina Makienko <makienko@ispras.ru>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-10-24 11:49:46 +03:00
Bala Shanmugam
bf744f1178 ath6kl: Add support for AR6004 hardware version 1.3
Add support for AR6004 hardware with version 1.3 and has
id 0x31c8088a.

Signed-off-by: Bala Shanmugam <bkamatch@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-10-24 11:49:32 +03:00
Linus Torvalds
28f3d71761 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull more networking updates from David Miller:
 "Ok, everything from here on out will be bug fixes."

1) One final sync of wireless and bluetooth stuff from John Linville.
   These changes have all been in his tree for more than a week, and
   therefore have had the necessary -next exposure.  John was just away
   on a trip and didn't have a change to send the pull request until a
   day or two ago.

2) Put back some defines in user exposed header file areas that were
   removed during the tokenring purge.  From Stephen Hemminger and Paul
   Gortmaker.

3) A bug fix for UDP hash table allocation got lost in the pile due to
   one of those "you got it..  no I've got it.." situations.  :-)

   From Tim Bird.

4) SKB coalescing in TCP needs to have stricter checks, otherwise we'll
   try to coalesce overlapping frags and crash.  Fix from Eric Dumazet.

5) RCU routing table lookups can race with free_fib_info(), causing
   crashes when we deref the device pointers in the route.  Fix by
   releasing the net device in the RCU callback.  From Yanmin Zhang.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (293 commits)
  tcp: take care of overlaps in tcp_try_coalesce()
  ipv4: fix the rcu race between free_fib_info and ip_route_output_slow
  mm: add a low limit to alloc_large_system_hash
  ipx: restore token ring define to include/linux/ipx.h
  if: restore token ring ARP type to header
  xen: do not disable netfront in dom0
  phy/micrel: Fix ID of KSZ9021
  mISDN: Add X-Tensions USB ISDN TA XC-525
  gianfar:don't add FCB length to hard_header_len
  Bluetooth: Report proper error number in disconnection
  Bluetooth: Create flags for bt_sk()
  Bluetooth: report the right security level in getsockopt
  Bluetooth: Lock the L2CAP channel when sending
  Bluetooth: Restore locking semantics when looking up L2CAP channels
  Bluetooth: Fix a redundant and problematic incoming MTU check
  Bluetooth: Add support for Foxconn/Hon Hai AR5BBU22 0489:E03C
  Bluetooth: Fix EIR data generation for mgmt_device_found
  Bluetooth: Fix Inquiry with RSSI event mask
  Bluetooth: improve readability of l2cap_seq_list code
  Bluetooth: Fix skb length calculation
  ...
2012-05-24 11:54:29 -07:00
Linus Torvalds
a481991467 USB 3.5-rc1 pull request
Here is the big USB 3.5-rc1 pull request for the 3.5-rc1 merge window.
 
 It's touches a lot of different parts of the kernel, all USB drivers,
 due to some API cleanups (getting rid of the ancient err() macro) and
 some changes that are needed for USB 3.0 power management updates.
 
 There are also lots of new drivers, pimarily gadget, but others as well.
 We deleted a staging driver, which was nice, and finally dropped the
 obsolete usbfs code, which will make Al happy to never have to touch
 that again.
 
 There were some build errors in the tree that linux-next found a few
 days ago, but those were fixed by the most recent changes (all were due
 to us not building with CONFIG_PM disabled.)
 
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.18 (GNU/Linux)
 
 iEYEABECAAYFAk+7qs0ACgkQMUfUDdst+ymjOgCfeoWqWk1bsKKt6SZULvQois5i
 3csAn1Uapcm8Uswwpnj2v1/2Zh4rBHLA
 =4jM1
 -----END PGP SIGNATURE-----

Merge tag 'usb-3.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb

Pull USB 3.5-rc1 changes from Greg Kroah-Hartman:
 "Here is the big USB 3.5-rc1 pull request for the 3.5-rc1 merge window.

  It's touches a lot of different parts of the kernel, all USB drivers,
  due to some API cleanups (getting rid of the ancient err() macro) and
  some changes that are needed for USB 3.0 power management updates.

  There are also lots of new drivers, pimarily gadget, but others as
  well.  We deleted a staging driver, which was nice, and finally
  dropped the obsolete usbfs code, which will make Al happy to never
  have to touch that again.

  There were some build errors in the tree that linux-next found a few
  days ago, but those were fixed by the most recent changes (all were
  due to us not building with CONFIG_PM disabled.)

  Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>"

* tag 'usb-3.5-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (477 commits)
  xhci: Fix DIV_ROUND_UP compile error.
  xhci: Fix compile with CONFIG_USB_SUSPEND=n
  USB: Fix core compile with CONFIG_USB_SUSPEND=n
  brcm80211: Fix compile error for .disable_hub_initiated_lpm.
  Revert "USB: EHCI: work around bug in the Philips ISP1562 controller"
  MAINTAINERS: Add myself as maintainer to the USB PHY Layer
  USB: EHCI: fix command register configuration lost problem
  USB: Remove races in devio.c
  USB: ehci-platform: remove update_device
  USB: Disable hub-initiated LPM for comms devices.
  xhci: Add Intel U1/U2 timeout policy.
  xhci: Add infrastructure for host-specific LPM policies.
  USB: Add macros for interrupt endpoint types.
  xhci: Reserve one command for USB3 LPM disable.
  xhci: Some Evaluate Context commands must succeed.
  USB: Disable USB 3.0 LPM in critical sections.
  USB: Add support to enable/disable USB3 link states.
  USB: Allow drivers to disable hub-initiated LPM.
  USB: Calculate USB 3.0 exit latencies for LPM.
  USB: Refactor code to set LPM support flag.
  ...

Conflicts:
	arch/arm/mach-exynos/mach-nuri.c
	arch/arm/mach-exynos/mach-universal_c210.c
	drivers/net/wireless/ath/ath6kl/usb.c
2012-05-22 15:50:46 -07:00
Sarah Sharp
e1f12eb6ba USB: Disable hub-initiated LPM for comms devices.
Hub-initiated LPM is not good for USB communications devices.  Comms
devices should be able to tell when their link can go into a lower power
state, because they know when an incoming transmission is finished.
Ideally, these devices would slam their links into a lower power state,
using the device-initiated LPM, after finishing the last packet of their
data transfer.

If we enable the idle timeouts for the parent hubs to enable
hub-initiated LPM, we will get a lot of useless LPM packets on the bus
as the devices reject LPM transitions when they're in the middle of
receiving data.  Worse, some devices might blindly accept the
hub-initiated LPM and power down their radios while they're in the
middle of receiving a transmission.

The Intel Windows folks are disabling hub-initiated LPM for all USB
communications devices under a xHCI USB 3.0 host.  In order to keep
the Linux behavior as close as possible to Windows, we need to do the
same in Linux.

Set the disable_hub_initiated_lpm flag for for all USB communications
drivers.  I know there aren't currently any USB 3.0 devices that
implement these class specifications, but we should be ready if they do.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: Hansjoerg Lipp <hjlipp@web.de>
Cc: Tilman Schmidt <tilman@imap.cc>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: Peter Korsgaard <jacmet@sunsite.dk>
Cc: Jan Dumon <j.dumon@option.com>
Cc: Petko Manolov <petkan@users.sourceforge.net>
Cc: Steve Glendinning <steve.glendinning@smsc.com>
Cc: "John W. Linville" <linville@tuxdriver.com>
Cc: Kalle Valo <kvalo@qca.qualcomm.com>
Cc: "Luis R. Rodriguez" <mcgrof@qca.qualcomm.com>
Cc: Jouni Malinen <jouni@qca.qualcomm.com>
Cc: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Cc: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
Cc: Christian Lamparter <chunkeey@googlemail.com>
Cc: Brett Rudley <brudley@broadcom.com>
Cc: Roland Vossen <rvossen@broadcom.com>
Cc: Arend van Spriel <arend@broadcom.com>
Cc: "Franky (Zhenhui) Lin" <frankyl@broadcom.com>
Cc: Kan Yan <kanyan@broadcom.com>
Cc: Dan Williams <dcbw@redhat.com>
Cc: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Cc: Ivo van Doorn <IvDoorn@gmail.com>
Cc: Gertjan van Wingerde <gwingerde@gmail.com>
Cc: Helmut Schaa <helmut.schaa@googlemail.com>
Cc: Herton Ronaldo Krzesinski <herton@canonical.com>
Cc: Hin-Tak Leung <htl10@users.sourceforge.net>
Cc: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Chaoming Li <chaoming_li@realsil.com.cn>
Cc: Daniel Drake <dsd@gentoo.org>
Cc: Ulrich Kunitz <kune@deine-taler.de>
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
2012-05-18 15:42:55 -07:00
Ray Chen
08c6100967 ath6kl: Fix system crash sometimes for USB hotplug
System crash because of NULL pointer reference due to
cleanup_scatter is not implemented for USB.

Signed-off-by: Ray Chen <raychen@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-04-16 09:12:21 +03:00
Ray Chen
6146ca6903 ath6kl: Add AR6004 1.2 support for USB and SDIO
Add the necessary change for AR6004 1.2 chip support

Signed-off-by: Ray Chen <raychen@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-04-12 11:04:03 +03:00
Kalle Valo
9cbee35868 ath6kl: add full USB support
Now, with HTC pipe, it's possible to fully support USB version of AR6004.

Based on code by Kevin Fang.

Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-03-26 16:36:46 +03:00
Kalle Valo
e76ac2bf63 ath6kl: add htc ops
In preparation for adding HTC pipe implementation add htc-ops.h to make
it possible dynamically choose which HTC type is used.

Needed for full USB support.

Based on the code by Ray Chen <raychen@qca.qualcomm.com>.

Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Signed-off-by: Ray Chen <raychen@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-03-26 16:36:46 +03:00
Vasanthakumar Thiagarajan
1b2df40734 ath6kl: Update license header
Update license header with the copyright to Qualcomm Atheros, Inc.
for the year 2011-2012.

Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-02-08 11:31:31 +02:00
Kalle Valo
241b128b6b ath6kl: add back beginnings of USB support
John Linville had to revert the part of USB support which was already
in ath6kl due to build problems in commit cb00ec382b ("ath6kl: revert
USB support"). Now that I fixed the build problems properly by adding
ath6kl_core.ko kernel module it's possible to add back the
(incomplete) USB support. This patch is a revert of John's patch and
adds back the USB code which as already in ath6kl, only difference
being minor changes in Makefile and adapting usb.c to new core
function names.

Note that USB support in ath6kl is not complete yet. This code only
makes it possible to boot firmware but as HTC layer does not yet
support USB it's not possible to send any WMI commands nor data
packets to the firmware. That will be added soon.

Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
2012-01-18 13:59:51 +02:00