Andrea Merello [Fri, 28 Mar 2014 17:14:28 +0000 (18:14 +0100)]
rtl8180: don't use weird trick to access "far" registers
In rtl8180/rtl8185/rtl8187se the register space is represented
using packed structure type. Register are thus accessed using a
pointer of this type.
All registers are packed toghether, and only small gaps are present.
However Rtl8187se has also some "sparse" registers, very far from
the "main register block".
It could be possible to access them by simply declare huge reserved
blocks inside the register struct (and this causes NO memory waste).
However, for various reasons, access to those "far" registers is
done with special dedicated macros, without declaring them in the
register struct.
This is done in an intricate manner, that makes code less readable
and caused static analisys tool to produce warnings.
This patch keeps the "macro" mechanism, but it changes its
implementation in a simplier and more straightforward way.
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Fri, 28 Mar 2014 04:05:26 +0000 (21:05 -0700)]
mwifiex: fix spinlock bad magic bug
[ 6630.450908] BUG: spinlock bad magic on CPU#1,
ksdioirqd/mmc1/355
[ 6630.450914] Unable to handle kernel NULL pointer dereference
at virtual address 0000004f
[ 6630.450919] pgd = ecbd8000
[ 6630.450926] [0000004f] *pgd=00000000
[ 6630.450936] lock: 0xeea4ab08, .magic: 00000000,
.owner: <none>/-1, .owner_cpu: 0
[ 6630.450939] Backtrace:
[ 6630.450956] [<c010d354>] (unwind_backtrace+0x0/0x118) from
[<c060c238>] (dump_stack+0x28/0x30)
[ 6630.450960] Internal error: Oops: 5 [#1] SMP ARM
[ 6630.450964] Modules linked in: uvcvideo videobuf2_vmalloc
[ 6630.450980] [<c060c238>] (dump_stack+0x28/0x30) from
[<c0315ab4>] (spin_dump+0x80/0x94)
[ 6630.450988] [<c0315ab4>] (spin_dump+0x80/0x94) from
[<c0315af4>] (spin_bug+0x2c/0x30)
[ 6630.450996] [<c0315af4>] (spin_bug+0x2c/0x30) from
[<c0315b80>] (do_raw_spin_lock+0x28/0x15c)
[ 6630.451004] [<c0315b80>] (do_raw_spin_lock+0x28/0x15c) from
[<c0610c24>] (_raw_spin_lock_irqsave+0x20/0x28)
[ 6630.451016] [<c0610c24>] (_raw_spin_lock_irqsave+0x20/0x28)
from [<bf07a7f4>] (mwifiex_exec_next_cmd
+0x6c/0x45c [mwifiex])
[ 6630.451030] [<bf07a7f4>] (mwifiex_exec_next_cmd+0x6c/0x45c
[mwifiex]) from [<bf07834c>]
(mwifiex_main_process+0x2c8/0x464 [mwifiex])
[ 6630.451047] [<bf07834c>] (mwifiex_main_process+0x2c8/0x464
[mwifiex]) from [<bf0a093c>]
(mwifiex_sdio_interrupt+0xc8/0x1cc [mwifiex_sdio]
[ 6630.451064] [<bf0a093c>] (mwifiex_sdio_interrupt+0xc8/0x1cc
[mwifiex_sdio]) from [<c04bbde0>]
(sdio_irq_thread+0x178/0x31c)
[ 6630.451079] [<c04bbde0>] (sdio_irq_thread+0x178/0x31c) from
[<c0145514>] (kthread+0xc8/0xd8)
[ 6630.451095] [<c0145514>] (kthread+0xc8/0xd8) from
[<c0106118>] (ret_from_fork+0x14/0x20)
This bug has introduced/exposed due to recent patch in which we
cancel pending commands before suspend (using hs_enabling flag).
The NULL pointer is dereferenced when both
mwifiex_cancel_all_pending_cmd() and mwifiex_exec_next_cmd()
try to access cmd pending queue simultaneously.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Fri, 28 Mar 2014 17:12:08 +0000 (18:12 +0100)]
rtl8187: fix compile warning
ANAPARAM3 register, defined in the rtl818x common register
struct, is accessed as 16bit by rtl8187se and as 8bit by rtl8187b.
Since I have no documentation about this, I can only stick to
the reference code and to what is known to work.
This issue has been addressed by a patch from Larry Finger
that introduces an "union", in the register struct.
In my last patch-set I applied it on the register struct, but
I forget to update rtl8187 driver too.
This patch does it.
Suggested-by: Larry Finger <Larry.Finger@lwfinger.net> [ Original patch ] Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Adam Lee [Fri, 28 Mar 2014 03:36:19 +0000 (11:36 +0800)]
rtlwifi: rtl8188ee: enable MSI interrupts mode
Some HP notebooks using this rtl8188ee hardware module can't get
AP scan results with pin-based interrupts mode, enabling MSI interrupts
mode could fix it.
As RealTek's testing results, RTL8188EE works well with both MSI mode
and pin-based mode fallback.
Signed-off-by: Adam Lee <adam.lee@canonical.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Adam Lee [Fri, 28 Mar 2014 03:36:18 +0000 (11:36 +0800)]
rtlwifi: add MSI interrupts mode support
Add MSI interrupts mode support, enable it when submodules' msi_support
flag is true, also could fallback to pin-based interrupts mode if MSI
interrupts mode fails.
RealTek's policy(on modules which work well with MSI interrupts mode) is:
> If the platform supports both MSI and pin-based, use MSI.
> If the platform supports MSI only, use MSI.
> If the platform supports pin-based only, use pin-based.
Also as RealTek's testing results, RTL8188EE and RTL8723BE work well
with both MSI mode and pin-based mode fallback.
Signed-off-by: Adam Lee <adam.lee@canonical.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Thu, 20 Mar 2014 23:23:50 +0000 (16:23 -0700)]
mwifiex: use timeout variant for wait_event_interruptible
It has been observed that system hangs during suspend, if host
sleep activation fails due to a missing interrupt from firmware.
Use timeout variant, so that the thread will be woken up when
timer expires.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Thu, 20 Mar 2014 23:23:49 +0000 (16:23 -0700)]
mwifiex: cancel pending commands for signal
When a thread is interrupted by signal, all
wait_event_interruptible calls after queueing commands return
an error. Numbers of commands in pending queue are increased
in this case. Sometimes all commands nodes in pool are filled.
We will cancel pending commands when signal is received.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
When scan request is received, scan commands are prepared and
queued into scan pending queue. There is a corner case when
command nodes are full. So we stop queueing further scan
commands and return an error. This patch makes sure that
currently queued commands in scan pending queue are also freed
in this case.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Wed, 26 Mar 2014 20:03:03 +0000 (21:03 +0100)]
rtl8180: add ERP configuration for rtl8187se
This patch adds ERP configuration support for rtl8187se to the
existing ERP configuration function.
It needs a different register offset and it must not apply
rtl8185 workaround.
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Wed, 26 Mar 2014 20:02:46 +0000 (21:02 +0100)]
rtl8180: add rtl8187se HW initialization
This patch adds few functions that initializes extra stuff that
is present only in rtl8187se HW, and it modify the existing
HW initialization function where necessary
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Wed, 26 Mar 2014 20:02:05 +0000 (21:02 +0100)]
rtl8180: introduce functions for setting ANAPARAM 2 and 3 params
rtl8180 has one register for analog converters setting ,rtl8185 has
two and rtl8187se has three.
Setting those registers require more than a simple write, and for
one of them a function is already provided.
This patch introduces functions for the other two.
rtl8187se will use them. rtl8185 doesen't yet, but should
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Wed, 26 Mar 2014 20:00:57 +0000 (21:00 +0100)]
rtl8180: add TX queue mapping and support for rtl8187se
This patch adds tx queue mapping for rtl8187se and a long comment
block about their usages.
It adapts the TX function to use that map and it sets properly
the TX descriptor rtl8187se-only fields
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Wed, 26 Mar 2014 19:59:52 +0000 (20:59 +0100)]
rtl8180: support for rtl8187se RX descriptors
Currently RX status descriptor and RX command descriptor are
represented using the same struct type.
This patch splits this by introducing different types for
rx status and command descriptor.
Doing this make it possible to handle rtl8187se RX descriptors
easier.
This patch do also this by adding specific cases where needed.
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Wed, 26 Mar 2014 19:59:25 +0000 (20:59 +0100)]
rtl8180: add basic rate configuration support for rtl8187se
Basic rate configuration is a bit different for rtl8187se.
Adding this also fixes the gcc warning introduced in last patch
about unhandled case in switch.
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Wed, 26 Mar 2014 02:01:20 +0000 (19:01 -0700)]
mwifiex: cancel pending commands during host sleep
Sometimes we may end up downloading other commands when host
sleep is configured. This patch makes sure that pending
commands are cancelled and we stop queueing further commands
during host sleep.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Amitkumar Karwar [Wed, 26 Mar 2014 02:01:18 +0000 (19:01 -0700)]
mwifiex: corner case NULL pointer dereference fix
When next scan command is delayed due to Tx traffic and
meanwhile synchronous command is received followed by a signal,
we cance all pending commands. NULL pointer dereference is seen
in this case while queueing next command in scan delay timer.
This patch adds a check to fix this issue.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Daniel Kim [Tue, 25 Mar 2014 20:45:09 +0000 (21:45 +0100)]
brcmfmac: use mfp if required from user-space
The struct cfg80211_connect_params indicate whether the connection
should use management frame protection (mfp). If required set the
MFP_CAPABLE flag in the firmware command. This is supported from
user-space by wpa_supplicant since v2.1.
Reviewed-by: Daniel (Deognyoun) Kim <dekim@broadcom.com> Reviewed-by: Hante Meuleman <meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Sat, 22 Mar 2014 17:51:20 +0000 (18:51 +0100)]
rtl8180: rationalize TX queues
On currently supported HW there are four TX queues (three for normal
packets and one for beacons).
The driver uses just one TX queue, and declare to mac80211 to
support just one queue, but it allocates coherent memory for all
queues.
Furthermore the TX is code is written assumimg four queues exists,
and even if we decide to enable more queues in future, its mapping
rule to mac80211 is fixed.
This means we have memory waste on rtl8180/rtl8185, and we have also
not enough flexibility to add support for boards (rtl8187se) that
will use more queues.
This patch changes things in order to allocate coherent memory only
for the queues effectively used and it make it possible to specify
how to map hardware queues on mac80211 queues, that will be used
by rtl8187se code as soon it will be merged.
Note: even if the beacon queue is currently unused, this should
change, so I kept it.
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andrea Merello [Sat, 22 Mar 2014 17:49:08 +0000 (18:49 +0100)]
rtl8180: fix DMA register are written two times
Hw DMA registers are written in rtl8180_init_hw function.
They are also written again just after calling rtl8180_init_hw.
There is no point in doing this twice.
Remove those redundant register writes from rtl8180_start.
Signed-off-by: Andrea Merello <andrea.merello@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Rafał Miłecki [Thu, 20 Mar 2014 20:09:07 +0000 (21:09 +0100)]
bcma: gpio: register 32 GPIOs on BCM5357
Some Broadcom boards have more GPIOs available. For example Linksys
E3200 home router is based on SoC id 0x5357, package 0x0A and uses GPIO
23 to reset internal USB WiFi (gpio23=wombo_reset).
Signed-off-by: Rafał Miłecki <zajec5@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johan Hedberg [Wed, 26 Mar 2014 13:49:18 +0000 (15:49 +0200)]
Bluetooth: Fix returning peer address in pending connect state
We should let user space request the peer address also in the pending
connect states, i.e. BT_CONNECT and BT_CONNECT2. There is existing user
space code that tries to do this and will fail without extending the set
of allowed states for the peer address information.
This patch adds the two states to the allowed ones in the L2CAP and
RFCOMM sock_getname functions, thereby preventing ENOTCONN from being
returned.
Reported-by: Andrzej Kaczmarek <andrzej.kaczmarek@tieto.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Tested-by: Andrzej Kaczmarek <andrzej.kaczmarek@tieto.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 24 Mar 2014 14:59:14 +0000 (16:59 +0200)]
Bluetooth: Remove unnecessary assignment in SMP
The smp variable in smp_conn_security is not used anywhere before the
smp = smp_chan_create() call in the smp_conn_security function so it
makes no sense to assign any other value to it before that.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 24 Mar 2014 15:36:25 +0000 (17:36 +0200)]
Bluetooth: Fix potential NULL pointer dereference in smp_conn_security
The smp pointer might not be initialized for jumps to the "done" label
in the smp_conn_security function. Furthermore doing the set_bit after
done might "overwrite" a previous value of the flag in case pairing was
already in progress. This patch moves the call to set_bit before the
label so that it is only done for a newly created smp context (as
returned by smp_chan_create).
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 24 Mar 2014 12:39:08 +0000 (14:39 +0200)]
Bluetooth: Remove LTK re-encryption procedure
Due to several devices being unable to handle this procedure reliably
(resulting in forced disconnections before pairing completes) it's
better to remove it altogether.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 24 Mar 2014 12:39:07 +0000 (14:39 +0200)]
Bluetooth: Don't try to confirm locally initiated SMP pairing
In the case that the just-works model would be triggered we only want to
confirm remotely initiated pairings (i.e. those triggered by a Security
Request or Pairing Request). This patch adds the necessary check to the
tk_request function to fall back to the JUST_WORKS method in the case of
a locally initiated pairing.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 24 Mar 2014 13:54:11 +0000 (15:54 +0200)]
Bluetooth: Add SMP flag to track which side is the initiator
For remotely initiated just-works pairings we want to show the user a
confirmation dialog for the pairing. However, we can only know which
side was the initiator by tracking which side sends the first Security
Request or Pairing Request PDU. This patch adds a new SMP flag to
indicate whether our side was the initiator for the pairing.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 24 Mar 2014 12:39:05 +0000 (14:39 +0200)]
Bluetooth: Fix SMP confirmation callback handling
In the case that a local pairing confirmation (JUST_CFM) has been
selected as the method we need to use the user confirm request mgmt
event for it with the confirm_hint set to 1 (to indicate confirmation
without any specific passkey value). Without this (if passkey_notify was
used) the pairing would never proceed. This patch adds the necessary
call to mgmt_user_confirm_request in this scenario.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 24 Mar 2014 12:39:04 +0000 (14:39 +0200)]
Bluetooth: Add missing cmd_status handler for LE_Start_Encryption
It is possible that the HCI_LE_Start_Encryption command fails in an
early stage and triggers a command status event with the failure code.
In such a case we need to properly notify the hci_conn object and
cleanly bring the connection down. This patch adds the missing command
status handler for this HCI command.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Mon, 24 Mar 2014 12:39:03 +0000 (14:39 +0200)]
Bluetooth: Fix potential NULL pointer dereference in SMP
If a sudden disconnection happens the l2cap_conn pointer may already
have been cleaned up by the time hci_conn_security gets called,
resulting in the following oops if we don't have a proper NULL check:
Marcel Holtmann [Fri, 21 Mar 2014 19:18:10 +0000 (12:18 -0700)]
Bluetooth: Track current configured LE scan type parameter
The LE scan type paramter defines if active scanning or passive scanning
is in use. Track the currently set value so it can be used for decision
making from other pieces in the core.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Amitkumar Karwar [Fri, 21 Mar 2014 03:05:44 +0000 (20:05 -0700)]
Bluetooth: btmrvl: don't consume all vendor specific events
If vendor specific HCI commands are received from application,
we should send corresponding events to stack.
These events should be consumed in driver, only if they are for
the internal HCI commands generated by driver.
This patch fixes the vendor command 0x3f stuck problem with
above mentioned change. For example,
Johan Hedberg [Thu, 20 Mar 2014 10:54:16 +0000 (12:54 +0200)]
Bluetooth: Fix address value for early disconnection events
We need to ensure that we do not send events to user space with the
identity address if we have not yet notified user space of the IRK. The
code was previously trying to handle this for the mgmt_pair_device
response (which worked well enough) but this is not the only connection
related event that might be sent to user space before pairing is
successful: another important event is Device Disconnected.
The issue can actually be solved more simply than the solution
previously used for mgmt_pair_device. Since we do have the identity
address tracked as part of the remote IRK struct we can just copy it
over from there to the hci_conn struct once we've for real sent the mgmt
event for the new IRK.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
brcmfmac: Enable 40MHz bandwidth in 2GHz band and OBSS scanning
in devices that do not support bwcap firmware command a fallback
is added.
Reviewed-by: Daniel (Deognyoun) Kim <dekim@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Arend van Spriel [Thu, 20 Mar 2014 09:18:02 +0000 (10:18 +0100)]
brcmfmac: only show error message when brcmf_sdiod_regrw_helper() fails
In the function brcmf_sdiod_request_data() an error message is logged,
but the calling function retries it. This patch will only log an error
message when retry limit is reached. The low-level error is still
logged by a SDIO debug message.
Reviewed-by: Daniel (Deognyoun) Kim <dekim@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Arend van Spriel [Thu, 20 Mar 2014 09:18:01 +0000 (10:18 +0100)]
brcmfmac: reinit watchdog completion after handling watchdog
The watchdog thread waits on completion that is set from a timer. As
the completion is count based this could mean that on a busy system
the watchdog is handled multiple times with a very short interval.
This is not the intended behaviour. After handling the watchdog it
should wait for the next timer expiry. This is accomplished by
reinitializing the completion.
Reviewed-by: Hante Meuleman <meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Daniel Kim [Thu, 20 Mar 2014 09:18:00 +0000 (10:18 +0100)]
brcmfmac: Enable 40MHz bandwidth in 2GHz band and OBSS scanning operations
This patch enables 40MHz bandwidth in 2GHz band after checking whether
cfg80211 allows it or not, and enables OBSS scanning operations to
to support 20/40 BSS coexistence.
Reviewed-by: Arend Van Spriel <arend@broadcom.com> Reviewed-by: Hante Meuleman <meuleman@broadcom.com> Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com> Signed-off-by: Daniel Kim <dekim@broadcom.com> Signed-off-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johan Hedberg [Thu, 20 Mar 2014 06:18:14 +0000 (08:18 +0200)]
Bluetooth: Fix passkey endianess in user_confirm and notify_passkey
The passkey_notify and user_confirm functions in mgmt.c were expecting
different endianess for the passkey, leading to a big endian bug and
sparse warning in recently added SMP code. This patch converts both
functions to expect host endianess and do the conversion to little
endian only when assigning to the mgmt event struct.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Marcel Holtmann [Wed, 19 Mar 2014 21:10:25 +0000 (14:10 -0700)]
Bluetooth: Enforce strict Secure Connections Only mode security
In Secure Connections Only mode, it is required that Secure Connections
is used for pairing and that the link key is encrypted with AES-CCM using
a P-256 authenticated combination key. If this is not the case, then new
connection shall be refused or existing connections shall be dropped.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Johan Hedberg [Wed, 19 Mar 2014 15:00:49 +0000 (17:00 +0200)]
Bluetooth: Fix Pair Device response parameters for pairing failure
It is possible that pairing fails after we've already received remote
identity information. One example of such a situation is when
re-encryption using the LTK fails. In this case the hci_conn object has
already been updated with the identity address but user space does not
yet know about it (since we didn't notify it of the new IRK yet).
To ensure user space doesn't get a Pair Device command response with an
unknown address always use the same address in the response as was used
for the original command.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 19 Mar 2014 12:14:53 +0000 (14:14 +0200)]
Bluetooth: Fix SMP user passkey notification mgmt event
When performing SMP pairing with MITM protection one side needs to
enter the passkey while the other side displays to the user what needs
to be entered. Nowhere in the SMP specification does it say that the
displaying side needs to any kind of confirmation of the passkey, even
though a code comment in smp.c implies this.
This patch removes the misleading comment and converts the code to use
the passkey notification mgmt event instead of the passkey confirmation
mgmt event.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 19 Mar 2014 12:14:52 +0000 (14:14 +0200)]
Bluetooth: Increase SMP re-encryption delay to 500ms
In some cases the current 250ms delay is not enough for the remote to
receive the keys, as can be witnessed by the following log:
> ACL Data RX: Handle 64 flags 0x02 dlen 21 [hci1] 231.414217
SMP: Signing Information (0x0a) len 16
Signature key: 555bb66b7ab3abc9d5c287c97fe6eb29
< ACL Data TX: Handle 64 flags 0x00 dlen 21 [hci1] 231.414414
SMP: Encryption Information (0x06) len 16
Long term key: 2a7cdc233c9a4b1f3ed31dd9843fea29
< ACL Data TX: Handle 64 flags 0x00 dlen 15 [hci1] 231.414466
SMP: Master Identification (0x07) len 10
EDIV: 0xeccc
Rand: 0x322e0ef50bd9308a
< ACL Data TX: Handle 64 flags 0x00 dlen 21 [hci1] 231.414505
SMP: Signing Information (0x0a) len 16
Signature key: bbda1b2076e2325aa66fbcdd5388f745
> HCI Event: Number of Completed Packets (0x13) plen 5 [hci1] 231.483130
Num handles: 1
Handle: 64
Count: 2
< HCI Command: LE Start Encryption (0x08|0x0019) plen 28 [hci1] 231.664211
Handle: 64
Random number: 0x5052ad2b75fed54b
Encrypted diversifier: 0xb7c2
Long term key: a336ede66711b49a84bde9b41426692e
> HCI Event: Command Status (0x0f) plen 4 [hci1] 231.666937
LE Start Encryption (0x08|0x0019) ncmd 1
Status: Success (0x00)
> HCI Event: Number of Completed Packets (0x13) plen 5 [hci1] 231.712646
Num handles: 1
Handle: 64
Count: 1
> HCI Event: Disconnect Complete (0x05) plen 4 [hci1] 232.562587
Status: Success (0x00)
Handle: 64
Reason: Remote User Terminated Connection (0x13)
As can be seen, the last key (Signing Information) is sent at 231.414505
but the completed packets event for it comes only at 231.712646,
i.e. roughly 298ms later.
To have a better margin of error this patch increases the delay to
500ms.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Wed, 19 Mar 2014 12:14:51 +0000 (14:14 +0200)]
Bluetooth: Simplify logic when checking SMP_FLAG_TK_VALID
This is a trivial coding style simplification by instead of having an
extra early return to instead revert the if condition and do the single
needed queue_work() call there.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
cfg80211/mac80211: ignore signal if the frame was heard on wrong channel
On 2.4Ghz band, the channels overlap since the delta
between different channels is 5Mhz while the width of the
receiver is 20Mhz (at least).
This means that we can hear beacons or probe responses from
adjacent channels. These frames will have a significant
lower RSSI which will feed all kinds of logic with inaccurate
data. An obvious example is the roaming algorithm that will
think our AP is getting weak and will try to move to another
AP.
In order to avoid this, update the signal only if the frame
has been heard on the same channel as the one advertised by
the AP in its DS / HT IEs.
We refrain from updating the values only if the AP is
already in the BSS list so that we will still have a valid
(but inaccurate) value if the AP was heard on an adjacent
channel only.
To achieve this, stop taking the channel from DS / HT IEs
in mac80211. The DS / HT IEs is taken into account to
discard the frame if it was received on a disabled channel.
This can happen due to the same phenomenon: the frame is
sent on channel 12, but heard on channel 11 while channel
12 can be disabled on certain devices. Since this check
is done in cfg80211, stop even checking this in mac80211.
Alexander Bondar [Sun, 16 Mar 2014 08:49:54 +0000 (10:49 +0200)]
mac80211: release sched_scan_sdata when stopping sched scan
Assuming sched_scan_stop operation is synchronous the driver may not
necessary call ieee80211_sched_scan_stopped_work. Since this work is
the only place where sched_scan_sdata is released we can possibly run
into situation when it is never released. Fix this by releasing it
just after calling drv_sched_scan_stop.
Signed-off-by: Alexander Bondar <alexander.bondar@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Michael Braun [Thu, 6 Mar 2014 14:08:43 +0000 (15:08 +0100)]
mac80211: fix WPA with VLAN on AP side with ps-sta again
commit de74a1d9032f4d37ea453ad2a647e1aff4cd2591
"mac80211: fix WPA with VLAN on AP side with ps-sta"
fixed an issue where queued multicast packets would
be sent out encrypted with the key of an other bss.
commit "7cbf9d017dbb5e3276de7d527925d42d4c11e732"
"mac80211: fix oops on mesh PS broadcast forwarding"
essentially reverted it, because vif.type cannot be AP_VLAN
due to the check to vif.type in ieee80211_get_buffered_bc before.
As the later commit intended to fix the MESH case, fix it
by checking for IFTYPE_AP instead of IFTYPE_AP_VLAN.
Cc: stable@vger.kernel.org Fixes: 7cbf9d017dbb ("mac80211: fix oops on mesh PS broadcast forwarding") Signed-off-by: Michael Braun <michael-dev@fami-braun.de> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Wed, 19 Mar 2014 08:55:55 +0000 (09:55 +0100)]
mac80211: fix suspend vs. authentication race
Since Stanislaw's patch removing the quiescing code, mac80211 had
a race regarding suspend vs. authentication: as cfg80211 doesn't
track authentication attempts, it can't abort them. Therefore the
attempts may be kept running while suspending, which can lead to
all kinds of issues, in at least some cases causing an error in
iwlmvm firmware.
Fix this by aborting the authentication attempt when suspending.
Johannes Berg [Wed, 19 Mar 2014 08:11:19 +0000 (09:11 +0100)]
mac80211: verify deauthentication and return error on failure
When still authenticating the mac80211 code handling a deauthentication
requests from userspace doesn't verify that the request is valid in any
way, fix that. Additionally, it never returns an error, even if there's
no connection or authentication attempt, fix that as well.
While at it, move the message to not print a message in the error case
and to distinguish between the two cases.
Also simplify the code by duplicating the cfg80211 call.
Reviewed-by: Luciano Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Johannes Berg [Tue, 4 Mar 2014 10:43:28 +0000 (11:43 +0100)]
mac80211: fix potential use-after-free
The bss struct might be freed in ieee80211_rx_bss_put(),
so we shouldn't use it afterwards.
Cc: stable@vger.kernel.org (3.10+) Fixes: 817cee7675237 ("mac80211: track AP's beacon rate and give it to the driver") Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Maithili Hinge [Wed, 19 Mar 2014 05:24:10 +0000 (22:24 -0700)]
mwifiex: update MCS set as per RX-STBC bit from hostapd
To set AP in 1X1 or 2X2 mode through hostapd, we need to set
RX-STBC* in hostapd.conf file. Depending upon RX-STBC bit in
ht_cap IE received from hostapd, we need to update mcs set in
bss_cfg appropriately before starting AP.
Signed-off-by: Maithili Hinge <maithili@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Avinash Patil [Wed, 19 Mar 2014 05:19:16 +0000 (22:19 -0700)]
mwifiex: handle extended scan event for AP interface
Stations associated to mwifiex AP would not be able to ping AP
after scan was issued on AP interface. This happened because
there was no handling of extended scan event in AP. This patch
adds this handling and fixes ping failure issue.
Signed-off-by: Avinash Patil <patila@marvell.com> Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
After merging the final tree, today's linux-next build (powerpc allyesconfig)
failed like this:
drivers/net/wireless/iwlwifi/mvm/debugfs.c: In function 'iwl_dbgfs_fw_error_dump_release':
drivers/net/wireless/iwlwifi/mvm/debugfs.c:161:2: error: implicit declaration of function 'vfree' [-Werror=implicit-function-declaration]
vfree(file->private_data);
^
John W. Linville [Tue, 18 Mar 2014 20:35:45 +0000 (16:35 -0400)]
rsi: make rsi_dbg a regular function
This is to address reports of this:
In file included from drivers/net/wireless/rsi/rsi_mgmt.h:22:0,
from drivers/net/wireless/rsi/rsi_91x_core.c:17:
drivers/net/wireless/rsi/rsi_91x_core.c: In function 'rsi_dbg':
drivers/net/wireless/rsi/rsi_main.h:44:20: error: function 'rsi_dbg' can never be inlined because it uses variable argument lists
static inline void rsi_dbg(u32 zone, const char *fmt, ...)
Signed-off-by: John W. Linville <linville@tuxdriver.com>
iwlwifi: mvm: disable uAPSD due to bugs in the firmware
The current firmware advertises support for uAPSD, but
critical bugs force us to disable the feature.
When a fixed firmware will be available, we will be able to
re-enable uAPSD.
In case of system low latency configure passive scan to be fragmented.
Set the following scan parameters for both immediate and scheduled scan:
- passive scan fragment duration = 20ms
- out-of-channel time = 70ms
- suspend time = 105ms
Restructure channel's active/passive dwell time configuration to better
suit the above change.
The idea is that under low latency traffic passive scan is fragmented,
i.e. that dwell on a particular channel will be fragmented. Each
fragment dwell time is 20ms and fragments period is 105ms. Skipping to
next channel will be delayed by the same period (105ms). So suspend_time
parameter describing both fragments and channels skipping periods is set
to 105ms. This value is chosen so that overall passive scan duration
will not be too long. Max_out_time in this case is set to 70ms, so for
active scanning operating channel will be left for 70ms while for
passive still for 20ms (fragment dwell).
Signed-off-by: Alexander Bondar <alexander.bondar@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Some scan parameters should be dependent on traffic conditions.
Centralize conditions verification in one function and obtain
scan max out-of-channel and suspend time in that new function.
Rely on bound interfaces indication instead of association state
to calculate scan parameters. If no bound interfaces use default
values for out-of-channel and suspend time parameters.
Additionally, get rid of NL80211_SCAN_FLAG_LOW_PRIORITY checks
since no use case for this exists so far.
Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
[reword commit log a bit] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Johannes Berg [Mon, 17 Mar 2014 08:34:29 +0000 (09:34 +0100)]
iwlwifi: mvm: remove using max_duration in firmware API
The firmware decided to not implement this API in this way,
so for now remove setting the field completely. This will
allow the firmware to change how to use this field later.
Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
iwlwifi: mvm: BT Coex - add debugfs hook to set BT Tx priority
In order to debug the firmware, we need to be able to set
the BT priority of WiFi packets. This priority is set based
on the type of the packet (control frames, EAPOL etc...).
For debugging purposes, allow to override this priority by
a debugfs controlled value.
Enable this feature that needs this priority to be able to
test it.
iwlwifi: mvm: send udev event upon firmware error to dump logs
When the firmware asserts, the driver will dump the firmware
state to an internal buffer. This buffer is kept aside until
it is dumped through debugfs. Once an external application
fetched the data, the buffer is freed and a new buffer can
be allocated in case another assert occurs.
A udev event is sent to trigger an external application.
A simple rule like:
DRIVER=="iwlwifi", ACTION=="change", RUN+="/sbin/dump_sram.sh"
The current SRAM size is 80KB so, currently:
$ ls -lh iwl-sram-phy0-2014-03-16_13_14.bin
-rw-r--r-- 1 emmanuel emmanuel 81K Mar 16 13:15 iwl-sram-phy0-2014-03-16_13_14.bin
and after compression:
$ ls -lh iwl-sram-phy0-2014-03-16_13_14.bin.xz
-rw-r--r-- 1 emmanuel emmanuel 13K Mar 16 13:15 iwl-sram-phy0-2014-03-16_13_14.bin.xz
Johan Hedberg [Tue, 18 Mar 2014 13:42:30 +0000 (15:42 +0200)]
Bluetooth: Fix MITM flag when initiating SMP pairing
The pairing process initiated through mgmt sets the conn->auth_type
value regardless of BR/EDR or LE pairing. This value will contain the
MITM flag if the local IO capability allows it. When sending the SMP
pairing request we should check the value and ensure that the MITM bit
gets correctly set in the bonding flags.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Tue, 18 Mar 2014 10:58:24 +0000 (12:58 +0200)]
Bluetooth: Fix smp_e byte order to be consistent with SMP specification
The SMP specification is written with the assumption that both key
information, plaintextData and encryptedData follow the same little
endian byte ordering as the rest of SMP.
Since the kernel crypto routines expect big endian data the code has had
to do various byte swapping tricks to make the behavior as expected,
however the swapping has been scattered all around the place.
This patch centralizes the byte order swapping into the smp_e function
by making its public interface match what the other SMP functions expect
as per specification. The benefit is vastly simplified calls to smp_e.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Tue, 18 Mar 2014 10:58:23 +0000 (12:58 +0200)]
Bluetooth: Fix const declaration for swap function src parameter
To make it possible to (correctly) pass data declared as const as the
src parameter to the swap56 and swap128 functions declare this parameter
also as const.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>