Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v4.9.147 2018-12-21T13:11:35Z 2018-12-21T13:11:35Z Alexey Khoroshilov khoroshilov@ispras.ru 2018-10-05T20:22:06Z urn:sha1:3e5d4c14a7427dc2a24737c8dcc61688870d737a [ Upstream commit 05cc09de4c017663a217630682041066f2f9a5cd ] There is no unregister netlink notifier and family on error paths in init_mac80211_hwsim(). Also there is an error path where hwsim_class is not destroyed. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Fixes: 62759361eb49 ("mac80211-hwsim: Provide multicast event for HWSIM_CMD_NEW_RADIO") Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2018-12-13T08:20:30Z Vasyl Vavrychuk vasyl.vavrychuk@globallogic.com 2018-10-17T22:02:12Z urn:sha1:3a492ce1b6d540e1bd218db681f10a1ea46254ff commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream. Otherwise if network manager starts configuring Wi-Fi interface immidiatelly after getting notification of its creation, we will get NULL pointer dereference: BUG: unable to handle kernel NULL pointer dereference at (null) IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50 ... Call Trace: [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110 [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20 [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim] Cc: stable@vger.kernel.org Signed-off-by: Vasyl Vavrychuk <vasyl.vavrychuk@globallogic.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-13T08:20:25Z Rafał Miłecki rafal@milecki.pl 2018-10-26T10:50:39Z urn:sha1:04e7ceeea56e208618d26db67038690a78510272 [ Upstream commit 3401d42c7ea2d064d15c66698ff8eb96553179ce ] Previous commit /adding/ support for 160 MHz chanspecs was incomplete. It didn't set bandwidth info and didn't extract control channel info. As the result it was also using uninitialized "sb" var. This change has been tested for two chanspecs found to be reported by some devices/firmwares: 1) 60/160 (0xee32) Before: chnum:50 control_ch_num:36 After: chnum:50 control_ch_num:60 2) 120/160 (0xed72) Before: chnum:114 control_ch_num:100 After: chnum:114 control_ch_num:120 Fixes: 330994e8e8ec ("brcmfmac: fix for proper support of 160MHz bandwidth") Signed-off-by: Rafał Miłecki <rafal@milecki.pl> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2018-12-08T12:05:10Z Lior David qca_liord@qca.qualcomm.com 2017-11-14T13:25:39Z urn:sha1:35db4d1ed8a344899a87887fa7bf11be5b057bec commit b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a upstream. Add a length check in wmi_set_ie to detect unsigned integer overflow. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-05T18:42:38Z Sasha Levin sashal@kernel.org 2018-12-02T15:03:24Z urn:sha1:ad0ee4f58533dec7c49269864055f30d4dd2bdd7 This reverts commit afeeecc764436f31d4447575bb9007732333818c which was upstream commit 4ec7cece87b3ed21ffcd407c62fb2f151a366bc1. From Dietmar May's report on the stable mailing list (https://www.spinics.net/lists/stable/msg272201.html): > I've run into some problems which appear due to (a) recent patch(es) on > the wlcore wifi driver. > > 4.4.160 - commit 3fdd34643ffc378b5924941fad40352c04610294 > 4.9.131 - commit afeeecc764436f31d4447575bb9007732333818c > > Earlier versions (4.9.130 and 4.4.159 - tested back to 4.4.49) do not > exhibit this problem. It is still present in 4.9.141. > > master as of 4.20.0-rc4 does not exhibit this problem. > > Basically, during client association when in AP mode (running hostapd), > handshake may or may not complete following a noticeable delay. If > successful, then the driver fails consistently in warn_slowpath_null > during disassociation. If unsuccessful, the wifi client attempts multiple > times, sometimes failing repeatedly. I've had clients unable to connect > for 3-5 minutes during testing, with the syslog filled with dozens of > backtraces. syslog details are below. > > I'm working on an embedded device with a TI 3352 ARM processor and a > murata wl1271 module in sdio mode. We're running a fully patched ubuntu > 18.04 ARM build, with a kernel built from kernel.org's stable/linux repo <https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.9.y&id=afeeecc764436f31d4447575bb9007732333818c>. > Relevant parts of the kernel config are included below. > > The commit message states: > > > /I've only seen this few times with the runtime PM patches enabled so > > this one is probably not needed before that. This seems to work > > currently based on the current PM implementation timer. Let's apply > > this separately though in case others are hitting this issue./ > We're not doing anything explicit with power management. The device is an > IoT edge gateway with battery backup, normally running on wall power. The > battery is currently used solely to shut down the system cleanly to avoid > filesystem corruption. > > The device tree is configured to keep power in suspend; but the device > should never suspend, so in our case, there is no need to call > wl1271_ps_elp_wakeup() or wl1271_ps_elp_sleep(), as occurs in the patch. Signed-off-by: Sasha Levin <sashal@kernel.org> 2018-12-01T08:44:24Z Karthik D A karthida@marvell.com 2016-09-28T12:48:28Z urn:sha1:6bea268e0c3c6807db4c67f37a883aeabebef12a commit 3d8bd85c2c9e47ed2c82348aa5b6029ed48376ae upstream. Marvell p2p device disappears from the list of p2p peers on the other p2p device after disconnection. It happens due to a bug in driver. When interface is changed from p2p to station, certain variables(bss_type, bss_role etc.) aren't correctly updated. This patch corrects them to fix the issue. Signed-off-by: Karthik D A <karthida@marvell.com> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-01T08:44:24Z Amitkumar Karwar akarwar@marvell.com 2016-09-28T12:48:23Z urn:sha1:c8144277c0ad48c5633e91f979874632a0032084 commit c44c040300d7afd79294710313a4989683e2afb1 upstream. At couple of places in cleanup path, we are just going through the skb queue and freeing them without unlinking. This leads to a crash when other thread tries to do skb_dequeue() and use already freed node. The problem is freed by unlinking skb before freeing it. Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-01T08:44:24Z Amitkumar Karwar akarwar@marvell.com 2016-09-28T12:48:22Z urn:sha1:c34774ea1bc322560d401e55f5cc1438c2c3cf30 commit 5190f2e405919cd30ba2f12c58129fb2d71cd6b6 upstream. When host_sleep_config command fails, we should return an error to PCIe, instead of continuing (and possibly panicking, when we try to keep processing a timed-out ioctl after we return "successfully" from suspend). Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Reviewed-by: Brian Norris <briannorris@chromium.org> Tested-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-01T08:44:24Z Amitkumar Karwar akarwar@marvell.com 2016-09-28T12:48:21Z urn:sha1:b4f8e4c870b73f3f48a2951584c739cc40ccf366 commit ec815dd2a5f110f627d7955e0027a3a008f68166 upstream. Following is mwifiex driver-firmware host sleep handshake. It involves three threads. suspend handler, interrupt handler, interrupt processing in main work queue. 1) Enter suspend handler 2) Download HS_CFG command 3) Response from firmware for HS_CFG 4) Suspend thread waits until handshake completes(i.e hs_activate becomes true) 5) SLEEP from firmware 6) SLEEP confirm downloaded to firmware. 7) SLEEP confirm response from firmware 8) Driver processes SLEEP confirm response and set hs_activate to wake up suspend thread 9) Exit suspend handler 10) Read sleep cookie in loop and wait until it indicates firmware is sleep. 11) After processing SLEEP confirm response, we are at the end of interrupt processing routine. Recheck if there are interrupts received while we were processing them. During suspend-resume stress test, it's been observed that we may end up acessing PCIe hardware(in 10 and 11) when PCIe bus is closed which leads to a kernel crash. This patch solves the problem with below changes. a) action 10 above can be done before 8 b) Skip 11 if hs_activated is true. SLEEP confirm response is the last interrupt from firmware. No need to recheck for pending interrupts. c) Add flush_workqueue() in suspend handler. Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Reviewed-by: Brian Norris <briannorris@chromium.org> Tested-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-12-01T08:44:24Z Johannes Thumshirn jthumshirn@suse.de 2016-09-30T12:39:17Z urn:sha1:2091b8cd4b4b702b7057e2eeb64e73ce3706cc58 commit 9afdd6128c39f42398041bb2e017d8df0dcebcd1 upstream. The call to krealloc() in wsm_buf_reserve() directly assigns the newly returned memory to buf->begin. This is all fine except when krealloc() failes we loose the ability to free the old memory pointed to by buf->begin. If we just create a temporary variable to assign memory to and assign the memory to it we can mitigate the memory leak. Signed-off-by: Johannes Thumshirn <jthumshirn@suse.de> Cc: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Amit Pundir <amit.pundir@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>