+++ /dev/null
-From 1cfd3426ef989b83fa6176490a38777057e57f6c Mon Sep 17 00:00:00 2001
-From: Hauke Mehrtens <hauke@hauke-m.de>
-Date: Tue, 14 Jul 2020 22:58:02 +0200
-Subject: [PATCH] ath10k: Fix NULL pointer dereference in AHB device probe
-
-This fixes a NULL pointer dereference in the probe path for AHB devices.
-There attr parameter in the ath10k_ce_alloc_pipe() function is not
-initialized, but accessed. This function is called by
-ath10k_pci_setup_resource() which is called by ath10k_ahb_probe().
-
-The struct ath10k_pci is also used for AHB devices and not only for PCI
-devices.
-
-The initialization of the new members of struct ath10k_pci is moved to
-ath10k_pci_setup_resource() which is used by the PCI and the AHB code.
-
-This also fixes a use after free bug in ath10k_pci_remove() when ar_pci
-is accessed after ath10k_core_destroy() was called, which calls
-ieee80211_free_hw() and frees this memory.
-
-This fixes the following bug seen with backports-5.8-rc2 on OpenWrt on a
-IPQ4019 device:
-
-[ 11.117462] 8<--- cut here ---
-[ 11.117494] Unable to handle kernel NULL pointer dereference at virtual address 00000000
-[ 11.119510] pgd = f377fd58
-[ 11.127657] [00000000] *pgd=8e9a0835, *pte=00000000, *ppte=00000000
-[ 11.130206] Internal error: Oops: 17 [#1] SMP ARM
-[ 11.136339] Modules linked in: ath10k_pci(+) ath10k_core ath xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQUERADE xt_FLOWOFFLOAD pppox ppp_generic nf_nat nf_flow_table_hw nf_flow_table nf_conntrack_rtcache nf_conntrack mac80211 ipt_REJECT cfg80211 xt_time xt_tcpudp xt_multiport xt_mark xt_mac xt_limit xt_comment xt_TCPMSS xt_LOG slhc nf_reject_ipv4 nf_log_ipv4 nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_filter ip_tables crc_ccitt compat nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 leds_gpio xhci_plat_hcd xhci_pci xhci_hcd dwc3 dwc3_qcom gpio_button_hotplug
-[ 11.174355] CPU: 2 PID: 257 Comm: kmodloader Not tainted 5.4.51 #0
-[ 11.196585] Hardware name: Generic DT based system
-[ 11.202746] PC is at ath10k_ce_alloc_pipe+0x58/0x180 [ath10k_core]
-[ 11.207459] LR is at ath10k_pci_alloc_pipes+0x94/0xc8 [ath10k_pci]
-[ 11.213600] pc : [<bf2c96cc>] lr : [<bf2fbf98>] psr: 80000013
-[ 11.219760] sp : cea0dc90 ip : cf4001f0 fp : 00000001
-[ 11.225923] r10: 00000000 r9 : 00000018 r8 : ce4963b4
-[ 11.231133] r7 : 00000000 r6 : ce491ea0 r5 : 00000000 r4 : ce4963b4
-[ 11.236342] r3 : 0004a000 r2 : 0004a000 r1 : bf2d0d70 r0 : 00000006
-[ 11.242942] Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
-[ 11.249452] Control: 10c5387d Table: 8e9c006a DAC: 00000051
-[ 11.256656] Process kmodloader (pid: 257, stack limit = 0xaba286ca)
-[ 11.262386] Stack: (0xcea0dc90 to 0xcea0e000)
-[ 11.268462] dc80: 00000000 ce49629c ce491ea0 ce4963bc
-[ 11.272984] dca0: ce495ea0 bf2fbf98 00000002 ce4963a8 ce495ea0 00000000 ce491ea0 cf95d800
-[ 11.281142] dcc0: cf95d810 cf95d810 00000001 bf2fc854 00000000 cf95d800 bf300748 ce495ea0
-[ 11.289304] dce0: ce491ea0 d1300000 cf95d800 bf2fde8c 00000000 00000001 ce49cea0 00000000
-[ 11.297462] dd00: 00000000 00000000 bf3010a0 cf95d810 bf3010a0 c0b61580 00000000 00000000
-[ 11.305624] dd20: bf3010a0 0000000b c0b04e48 c06110c8 c0b61588 cf95d810 c0b61580 c060f740
-[ 11.313781] dd40: cf95d810 00000000 bf3010a0 00000000 00000000 ce49d2a4 bf301100 c060fc90
-[ 11.321943] dd60: 00000000 bf3010a0 cf95d810 c060fcf0 cf95d810 bf3010a0 c060fc98 c060dca4
-[ 11.330101] dd80: cf809d58 cf952cb4 bf3010a0 ce967900 c0b1f2c8 c060ec28 bf3007b8 bf301038
-[ 11.338263] dda0: bf3010a0 bf3010a0 c0b2d4d4 ffffe000 bf304000 c0610278 c0b04e48 c0b2d4d4
-[ 11.346422] ddc0: ffffe000 bf2fe2b4 c0b04e48 bf30403c c0b04e48 c0302764 8040003f 00000001
-[ 11.354582] dde0: 38e38e39 ce513580 c0b2cb50 cf801e00 cffbc6ac ce513600 cf801e00 cffbc6ac
-[ 11.362740] de00: 8040003e ce49d280 00000001 c0428d54 00000001 cf801e00 cffbc6ac ce513580
-[ 11.370900] de20: ce49d280 0e391998 bf301100 ce49d340 d12d2000 ce49d280 00000001 c0398c2c
-[ 11.379061] de40: 00000001 cea0df34 cea0df34 00000001 d12d2000 c039ae48 bf30110c 00007fff
-[ 11.387221] de60: bf301100 c0398044 cf804028 bf301148 c0397674 bf30126c c08ee5c0 c08ee70c
-[ 11.395380] de80: bf30110c c0b04e48 c08ee518 00000000 c08ee570 c0b04e48 ce513600 fffff000
-[ 11.403540] dea0: 00000001 ce513580 0000000d 0000000d 00000000 00000000 00000000 00000000
-[ 11.411698] dec0: 00000000 00000000 6e72656b 00006c65 00000000 00000000 00000000 00000000
-[ 11.419858] dee0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
-[ 11.428018] df00: 00000000 0e391998 00000000 0000c610 d12de610 00000000 0062c620 ffffe000
-[ 11.436180] df20: 000129d1 00000051 00000000 c039b228 00000000 d12d7afd d12d8e80 d12d2000
-[ 11.444337] df40: 0000c610 d12de0e8 d12ddfa8 d12dab74 00009000 00009570 00003a2c 00009cae
-[ 11.452498] df60: 00000000 00000000 00000000 00003a1c 0000001e 0000001f 00000018 00000000
-[ 11.460656] df80: 00000010 00000000 00000000 00000000 00000003 00000080 c0301204 cea0c000
-[ 11.468817] dfa0: 00000080 c0301000 00000000 00000000 00620010 0000c610 000129d1 00000014
-[ 11.476975] dfc0: 00000000 00000000 00000003 00000080 0000c610 00000000 b6fc1d20 00000000
-[ 11.485137] dfe0: bef0ad14 bef0acf8 00011e14 b6f74c94 60000010 00620010 00000000 00000000
-[ 11.493390] [<bf2c96cc>] (ath10k_ce_alloc_pipe [ath10k_core]) from [<bf2fbf98>] (ath10k_pci_alloc_pipes+0x94/0xc8 [ath10k_pci])
-[ 11.501498] [<bf2fbf98>] (ath10k_pci_alloc_pipes [ath10k_pci]) from [<bf2fc854>] (ath10k_pci_setup_resource+0xb8/0xf0 [ath10k_pci])
-[ 11.512773] [<bf2fc854>] (ath10k_pci_setup_resource [ath10k_pci]) from [<bf2fde8c>] (ath10k_ahb_probe+0x32c/0x670 [ath10k_pci])
-[ 11.524566] [<bf2fde8c>] (ath10k_ahb_probe [ath10k_pci]) from [<c06110c8>] (platform_drv_probe+0x34/0x70)
-[ 11.536016] [<c06110c8>] (platform_drv_probe) from [<c060f740>] (really_probe+0x1f0/0x358)
-[ 11.545729] [<c060f740>] (really_probe) from [<c060fc90>] (device_driver_attach+0x58/0x60)
-[ 11.553886] [<c060fc90>] (device_driver_attach) from [<c060fcf0>] (__driver_attach+0x58/0xcc)
-[ 11.562134] [<c060fcf0>] (__driver_attach) from [<c060dca4>] (bus_for_each_dev+0x68/0x8c)
-[ 11.570731] [<c060dca4>] (bus_for_each_dev) from [<c060ec28>] (bus_add_driver+0x1c8/0x1d8)
-[ 11.578886] [<c060ec28>] (bus_add_driver) from [<c0610278>] (driver_register+0x74/0x108)
-[ 11.587060] [<c0610278>] (driver_register) from [<bf2fe2b4>] (ath10k_ahb_init+0x18/0x38 [ath10k_pci])
-[ 11.595320] [<bf2fe2b4>] (ath10k_ahb_init [ath10k_pci]) from [<bf30403c>] (init_module+0x3c/0x1000 [ath10k_pci])
-[ 11.604432] [<bf30403c>] (init_module [ath10k_pci]) from [<c0302764>] (do_one_initcall+0x84/0x1d8)
-[ 11.614657] [<c0302764>] (do_one_initcall) from [<c0398c2c>] (do_init_module+0x5c/0x228)
-[ 11.623421] [<c0398c2c>] (do_init_module) from [<c039ae48>] (load_module+0x1fc8/0x224c)
-[ 11.631663] [<c039ae48>] (load_module) from [<c039b228>] (sys_init_module+0x15c/0x17c)
-[ 11.639390] [<c039b228>] (sys_init_module) from [<c0301000>] (ret_fast_syscall+0x0/0x54)
-[ 11.647370] Exception stack(0xcea0dfa8 to 0xcea0dff0)
-[ 11.655615] dfa0: 00000000 00000000 00620010 0000c610 000129d1 00000014
-[ 11.660569] dfc0: 00000000 00000000 00000003 00000080 0000c610 00000000 b6fc1d20 00000000
-[ 11.668725] dfe0: bef0ad14 bef0acf8 00011e14 b6f74c94
-[ 11.676886] Code: e1c321d4 e0433002 e0232397 e5843014 (e5953000)
-[ 11.681958] ---[ end trace 8f35917de2e76854 ]---
-
-Fixes: 521fc37be3d8 ("ath10k: Avoid override CE5 configuration for QCA99X0 chipsets")
-Reported-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> [ipq40xx/ map-ac2200]
-Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
-Link: https://lore.kernel.org/r/20200714205802.17688-1-hauke@hauke-m.de
----
- drivers/net/wireless/ath/ath10k/ahb.c | 2 +-
- drivers/net/wireless/ath/ath10k/pci.c | 78 +++++++++++++--------------
- 2 files changed, 38 insertions(+), 42 deletions(-)
-
---- a/drivers/net/wireless/ath/ath10k/ahb.c
-+++ b/drivers/net/wireless/ath/ath10k/ahb.c
-@@ -820,7 +820,7 @@ err_free_irq:
- ath10k_ahb_release_irq_legacy(ar);
-
- err_free_pipes:
-- ath10k_pci_free_pipes(ar);
-+ ath10k_pci_release_resource(ar);
-
- err_resource_deinit:
- ath10k_ahb_resource_deinit(ar);
---- a/drivers/net/wireless/ath/ath10k/pci.c
-+++ b/drivers/net/wireless/ath/ath10k/pci.c
-@@ -3473,6 +3473,28 @@ int ath10k_pci_setup_resource(struct ath
-
- timer_setup(&ar_pci->rx_post_retry, ath10k_pci_rx_replenish_retry, 0);
-
-+ ar_pci->attr = kmemdup(pci_host_ce_config_wlan,
-+ sizeof(pci_host_ce_config_wlan),
-+ GFP_KERNEL);
-+ if (!ar_pci->attr)
-+ return -ENOMEM;
-+
-+ ar_pci->pipe_config = kmemdup(pci_target_ce_config_wlan,
-+ sizeof(pci_target_ce_config_wlan),
-+ GFP_KERNEL);
-+ if (!ar_pci->pipe_config) {
-+ ret = -ENOMEM;
-+ goto err_free_attr;
-+ }
-+
-+ ar_pci->serv_to_pipe = kmemdup(pci_target_service_to_ce_map_wlan,
-+ sizeof(pci_target_service_to_ce_map_wlan),
-+ GFP_KERNEL);
-+ if (!ar_pci->serv_to_pipe) {
-+ ret = -ENOMEM;
-+ goto err_free_pipe_config;
-+ }
-+
- if (QCA_REV_6174(ar) || QCA_REV_9377(ar))
- ath10k_pci_override_ce_config(ar);
-
-@@ -3480,18 +3502,31 @@ int ath10k_pci_setup_resource(struct ath
- if (ret) {
- ath10k_err(ar, "failed to allocate copy engine pipes: %d\n",
- ret);
-- return ret;
-+ goto err_free_serv_to_pipe;
- }
-
- return 0;
-+
-+err_free_serv_to_pipe:
-+ kfree(ar_pci->serv_to_pipe);
-+err_free_pipe_config:
-+ kfree(ar_pci->pipe_config);
-+err_free_attr:
-+ kfree(ar_pci->attr);
-+ return ret;
- }
-
- void ath10k_pci_release_resource(struct ath10k *ar)
- {
-+ struct ath10k_pci *ar_pci = ath10k_pci_priv(ar);
-+
- ath10k_pci_rx_retry_sync(ar);
- netif_napi_del(&ar->napi);
- ath10k_pci_ce_deinit(ar);
- ath10k_pci_free_pipes(ar);
-+ kfree(ar_pci->attr);
-+ kfree(ar_pci->pipe_config);
-+ kfree(ar_pci->serv_to_pipe);
- }
-
- static const struct ath10k_bus_ops ath10k_pci_bus_ops = {
-@@ -3601,30 +3636,6 @@ static int ath10k_pci_probe(struct pci_d
-
- timer_setup(&ar_pci->ps_timer, ath10k_pci_ps_timer, 0);
-
-- ar_pci->attr = kmemdup(pci_host_ce_config_wlan,
-- sizeof(pci_host_ce_config_wlan),
-- GFP_KERNEL);
-- if (!ar_pci->attr) {
-- ret = -ENOMEM;
-- goto err_free;
-- }
--
-- ar_pci->pipe_config = kmemdup(pci_target_ce_config_wlan,
-- sizeof(pci_target_ce_config_wlan),
-- GFP_KERNEL);
-- if (!ar_pci->pipe_config) {
-- ret = -ENOMEM;
-- goto err_free;
-- }
--
-- ar_pci->serv_to_pipe = kmemdup(pci_target_service_to_ce_map_wlan,
-- sizeof(pci_target_service_to_ce_map_wlan),
-- GFP_KERNEL);
-- if (!ar_pci->serv_to_pipe) {
-- ret = -ENOMEM;
-- goto err_free;
-- }
--
- ret = ath10k_pci_setup_resource(ar);
- if (ret) {
- ath10k_err(ar, "failed to setup resource: %d\n", ret);
-@@ -3705,10 +3716,9 @@ err_unsupported:
-
- err_free_irq:
- ath10k_pci_free_irq(ar);
-- ath10k_pci_rx_retry_sync(ar);
-
- err_deinit_irq:
-- ath10k_pci_deinit_irq(ar);
-+ ath10k_pci_release_resource(ar);
-
- err_sleep:
- ath10k_pci_sleep_sync(ar);
-@@ -3720,29 +3730,18 @@ err_free_pipes:
- err_core_destroy:
- ath10k_core_destroy(ar);
-
--err_free:
-- kfree(ar_pci->attr);
-- kfree(ar_pci->pipe_config);
-- kfree(ar_pci->serv_to_pipe);
--
- return ret;
- }
-
- static void ath10k_pci_remove(struct pci_dev *pdev)
- {
- struct ath10k *ar = pci_get_drvdata(pdev);
-- struct ath10k_pci *ar_pci;
-
- ath10k_dbg(ar, ATH10K_DBG_PCI, "pci remove\n");
-
- if (!ar)
- return;
-
-- ar_pci = ath10k_pci_priv(ar);
--
-- if (!ar_pci)
-- return;
--
- ath10k_core_unregister(ar);
- ath10k_pci_free_irq(ar);
- ath10k_pci_deinit_irq(ar);
-@@ -3750,9 +3749,6 @@ static void ath10k_pci_remove(struct pci
- ath10k_pci_sleep_sync(ar);
- ath10k_pci_release(ar);
- ath10k_core_destroy(ar);
-- kfree(ar_pci->attr);
-- kfree(ar_pci->pipe_config);
-- kfree(ar_pci->serv_to_pipe);
- }
-
- MODULE_DEVICE_TABLE(pci, ath10k_pci_id_table);
struct ieee80211_sub_if_data *sdata;
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
-@@ -2552,8 +2552,8 @@ static void ieee80211_deliver_skb_to_loc
+@@ -2578,8 +2578,8 @@ static void ieee80211_deliver_skb_to_loc
memset(skb->cb, 0, sizeof(skb->cb));
/* deliver to local stack */
else
netif_receive_skb(skb);
}
-@@ -3843,7 +3843,6 @@ void ieee80211_release_reorder_timeout(s
+@@ -3869,7 +3869,6 @@ void ieee80211_release_reorder_timeout(s
/* This is OK -- must be QoS data frame */
.security_idx = tid,
.seqno_idx = tid,
};
struct tid_ampdu_rx *tid_agg_rx;
-@@ -4453,8 +4452,8 @@ static bool ieee80211_invoke_fast_rx(str
+@@ -4479,8 +4478,8 @@ static bool ieee80211_invoke_fast_rx(str
/* deliver to local stack */
skb->protocol = eth_type_trans(skb, fast_rx->dev);
memset(skb->cb, 0, sizeof(skb->cb));
else
netif_receive_skb(skb);
-@@ -4521,7 +4520,7 @@ static bool ieee80211_prepare_and_rx_han
+@@ -4547,7 +4546,7 @@ static bool ieee80211_prepare_and_rx_han
static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
struct ieee80211_sta *pubsta,
struct sk_buff *skb,
{
struct ieee80211_local *local = hw_to_local(hw);
struct ieee80211_sub_if_data *sdata;
-@@ -4536,7 +4535,7 @@ static void __ieee80211_rx_handle_packet
+@@ -4562,7 +4561,7 @@ static void __ieee80211_rx_handle_packet
memset(&rx, 0, sizeof(rx));
rx.skb = skb;
rx.local = local;
if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
I802_DEBUG_INC(local->dot11ReceivedFragmentCount);
-@@ -4644,8 +4643,8 @@ static void __ieee80211_rx_handle_packet
+@@ -4670,8 +4669,8 @@ static void __ieee80211_rx_handle_packet
* This is the receive path handler. It is called by a low level driver when an
* 802.11 MPDU is received from the hardware.
*/
{
struct ieee80211_local *local = hw_to_local(hw);
struct ieee80211_rate *rate = NULL;
-@@ -4737,36 +4736,53 @@ void ieee80211_rx_napi(struct ieee80211_
+@@ -4763,36 +4762,53 @@ void ieee80211_rx_napi(struct ieee80211_
status->rx_flags = 0;
/*
+++ /dev/null
-From 65ad3ef9fced4062dfd74e2f89443fb5ce184321 Mon Sep 17 00:00:00 2001
-From: Rajkumar Manoharan <rmanohar@codeaurora.org>
-Date: Wed, 1 Jul 2020 19:20:24 -0700
-Subject: mac80211: fix warning in 6 GHz IE addition in mesh mode
-
-The commit 24a2042cb22f ("mac80211: add HE 6 GHz Band Capability
-element") failed to check device capability before adding HE 6 GHz
-capability element. Below warning is reported in 11ac device in mesh.
-Fix that by checking device capability at HE 6 GHz cap IE addition
-in mesh beacon and association request.
-
-WARNING: CPU: 1 PID: 1897 at net/mac80211/util.c:2878
-ieee80211_ie_build_he_6ghz_cap+0x149/0x150 [mac80211]
-[ 3138.720358] Call Trace:
-[ 3138.720361] ieee80211_mesh_build_beacon+0x462/0x530 [mac80211]
-[ 3138.720363] ieee80211_start_mesh+0xa8/0xf0 [mac80211]
-[ 3138.720365] __cfg80211_join_mesh+0x122/0x3e0 [cfg80211]
-[ 3138.720368] nl80211_join_mesh+0x3d3/0x510 [cfg80211]
-
-Fixes: 24a2042cb22f ("mac80211: add HE 6 GHz Band Capability element")
-Reported-by: Markus Theil <markus.theil@tu-ilmenau.de>
-Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org>
-Link: https://lore.kernel.org/r/1593656424-18240-1-git-send-email-rmanohar@codeaurora.org
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
- net/mac80211/mesh.c | 13 +++++++++++++
- net/mac80211/util.c | 4 ++++
- 2 files changed, 17 insertions(+)
-
---- a/net/mac80211/mesh.c
-+++ b/net/mac80211/mesh.c
-@@ -617,6 +617,19 @@ int mesh_add_he_oper_ie(struct ieee80211
- int mesh_add_he_6ghz_cap_ie(struct ieee80211_sub_if_data *sdata,
- struct sk_buff *skb)
- {
-+ struct ieee80211_supported_band *sband;
-+ const struct ieee80211_sband_iftype_data *iftd;
-+
-+ sband = ieee80211_get_sband(sdata);
-+ if (!sband)
-+ return -EINVAL;
-+
-+ iftd = ieee80211_get_sband_iftype_data(sband,
-+ NL80211_IFTYPE_MESH_POINT);
-+ /* The device doesn't support HE in mesh mode or at all */
-+ if (!iftd)
-+ return 0;
-+
- ieee80211_ie_build_he_6ghz_cap(sdata, skb);
- return 0;
- }
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -2878,6 +2878,10 @@ void ieee80211_ie_build_he_6ghz_cap(stru
- if (WARN_ON(!iftd))
- return;
-
-+ /* Check for device HE 6 GHz capability before adding element */
-+ if (!iftd->he_6ghz_capa.capa)
-+ return;
-+
- cap = le16_to_cpu(iftd->he_6ghz_capa.capa);
- cap &= ~IEEE80211_HE_6GHZ_CAP_SM_PS;
-