Yan-Hsuan Chuang [Sat, 20 May 2017 15:49:07 +0000 (10:49 -0500)]
rtlwifi: btcoex: 23b 1ant: turn off ps and tdma mechanism when concurrent mode
When wifi is under concurrent mode, we can not distinguish if it is the
real PS or just a fake one by sending null data, so we turn it off
in case of miracast scenario.
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Yan-Hsuan Chuang <yhchuang@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Ping-Ke Shih [Sat, 20 May 2017 15:49:00 +0000 (10:49 -0500)]
rtlwifi: btcoex: 23b 1ant: check more cases when bt is queing
If bt is queing, we need to set the packet priority properly.
Originally we only consider if wifi was connected or not, but now we
also consider if bt is under abnormal scan or wifi is scanning, roaming
or linking, and set the coex table.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Yan-Hsuan Chuang <yhchuang@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Ping-Ke Shih [Sat, 20 May 2017 15:48:59 +0000 (10:48 -0500)]
rtlwifi: btcoex: 23b 1ant: define wifi in high priority task.
Add the definition of wifi in high priority task for bt inquiry.
According to driver's notifications, btc will knows whether wifi is in high
priority tasks or not.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Yan-Hsuan Chuang <yhchuang@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Ping-Ke Shih [Fri, 19 May 2017 15:59:30 +0000 (10:59 -0500)]
rtlwifi: btcoex: 23b 1ant: adjust wifi duration for bt a2dp
The larger the bt a2dp bit pool is, the more time bt needs to receive
them. If we do not adjust the wifi duration, the voice quality will be
low. Hence we reduce the time that wifi holds, to improve the a2dp
service.
If the bt is slave, it may receive a packet at any time, so we
need to mark them as high priority packets in case of packet loss
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Yan-Hsuan Chuang <yhchuang@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Arnd Bergmann [Wed, 17 May 2017 14:47:02 +0000 (16:47 +0200)]
rt2x00: convert rt2x00_desc_read return type
This is a semi-automated conversion to change rt2x00_desc_read to return
the register contents instead of passing them by value, resulting in
much better object code. The majority of the patch was done using:
Arnd Bergmann [Wed, 17 May 2017 14:47:01 +0000 (16:47 +0200)]
rt2x00: convert rt2800_eeprom_read return type
This is a semi-automated conversion to change rt2800_eeprom_read to return
the register contents instead of passing them by value, resulting in
much better object code. The majority of the patch was done using:
sed -i 's:\(\<rt2800_eeprom_read\(_from_array\|\)\>(.*, .*\), &\(.*\));:\3 = \1);:'
drivers/net/wireless/ralink/rt2x00/rt2800lib.c
Some manual tweaking was required here to work around the line wraps.
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Arnd Bergmann [Wed, 17 May 2017 14:47:00 +0000 (16:47 +0200)]
rt2x00: convert rt2x00_eeprom_read return type
This is a semi-automated conversion to change rt2x00_eeprom_read()
to return the register contents instead of passing them by value,
resulting in much better object code. The majority of the patch
was done using:
Arnd Bergmann [Wed, 17 May 2017 14:46:59 +0000 (16:46 +0200)]
rt2x00: convert rt2*_bbp_read return type
This is a semi-automated conversion to change *_bbp_read()
to return the register contents instead of passing them by value,
resulting in much better object code. The majority of the patch
was done using:
Arnd Bergmann [Wed, 17 May 2017 14:46:58 +0000 (16:46 +0200)]
rt2x00: convert rt2800_register_read return type
This is a semi-automated conversion to change rt2800_register_read
to return the register contents instead of passing them by value,
resulting in much better object code. The majority of the patch
was done using:
The function itself was modified manually along with the one remaining
multi-line caller that was not covered automatically and the indirect
reference.
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Arnd Bergmann [Wed, 17 May 2017 14:46:57 +0000 (16:46 +0200)]
rt2x00: convert rt2x00usb_register_read return type
This is a semi-automated conversion to change rt2x00usb_register_read
to return the register contents instead of passing them by value,
resulting in much better object code. The majority of the patch
was done using:
Arnd Bergmann [Wed, 17 May 2017 14:46:56 +0000 (16:46 +0200)]
rt2x00: convert rt2x00mmio_register_read return type
This is a semi-automated conversion to change rt2x00mmio_register_read
to return the register contents instead of passing them by value,
resulting in much better object code. The majority of the patch
was done using:
Arnd Bergmann [Wed, 17 May 2017 14:46:55 +0000 (16:46 +0200)]
rt2x00: convert rt2x00_rf_read return type
This is a semi-automated conversion to change rt2x00_rf_read()
to return the register contents instead of passing them by value,
resulting in much better object code. The majority of the patch
was done using:
sed -i 's:\(\<rt2x00_rf_read\>(.*, .*\), &\(.*\));:\2 = \1);:' \
drivers/net/wireless/ralink/rt2x00/rt*
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Arnd Bergmann [Wed, 17 May 2017 14:46:54 +0000 (16:46 +0200)]
rt2x00: convert rt2800_rfcsr_read return type
With CONFIG_KASAN enabled and gcc-7, we get a warning about rather high
stack usage (with a private patch set I have to turn on this warning,
which I intend to get into the next kernel release):
wireless/ralink/rt2x00/rt2800lib.c: In function 'rt2800_bw_filter_calibration':
wireless/ralink/rt2x00/rt2800lib.c:7990:1: error: the frame size of 2144 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]
The problem is that KASAN inserts a redzone around each local variable
that gets passed by reference, and the newly added function has a lot
of them.
This is a semi-automated conversion to change rt2800_rfcsr_read to return
the register contents instead of passing them by value, resulting in
much better object code. The majority of the patch was done using:
Arnd Bergmann [Wed, 17 May 2017 14:46:53 +0000 (16:46 +0200)]
rt2x00: change function pointers for register accessors
This prepares the driver for changing all the 'read' register accessors
to return the value instead of passing it by reference. Since a lot
of them are used in callbacks, this takes care of the callbacks first,
adding a couple of helpers that will be removed again one at a time.
Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Kees Cook [Mon, 15 May 2017 21:33:17 +0000 (14:33 -0700)]
libertas: Remove function entry/exit debugging
In at least one place, the enter/exit debugging was not being correctly
matched. Based on mailing list feedback, it was desired to drop all of
these in favor of using ftrace instead.
Suggested-by: Joe Perches <joe@perches.com> Suggested-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Kees Cook [Mon, 15 May 2017 21:26:40 +0000 (14:26 -0700)]
libertas: Avoid reading past end of buffer
Using memcpy() from a string that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. Instead, redefine the stat strings to be ETH_GSTRING_LEN
sizes, like other drivers. This lets us use a single memcpy that does not
leak rodata contents. Additionally adjust indentation to keep checkpatch.pl
happy.
This was found with the future CONFIG_FORTIFY_SOURCE feature.
Cc: Daniel Micay <danielmicay@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
iwlegacy firmware can crash when power save is configured. PS was
allowed in "dbdac2b iwlegacy: properly enable power saving" with belive
that user who enable PS is aware of that and can relate firmware crahes
with PS. However some distributions seems to enable PS without user
intervention, so warn about that.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Arnd Bergmann [Thu, 11 May 2017 11:52:09 +0000 (13:52 +0200)]
wlcore: fix 64K page support
In the stable linux-3.16 branch, I ran into a warning in the
wlcore driver:
drivers/net/wireless/ti/wlcore/spi.c: In function 'wl12xx_spi_raw_write':
drivers/net/wireless/ti/wlcore/spi.c:315:1: error: the frame size of 12848 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
Newer kernels no longer show the warning, but the bug is still there,
as the allocation is based on the CPU page size rather than the
actual capabilities of the hardware.
This replaces the PAGE_SIZE macro with the SZ_4K macro, i.e. 4096 bytes
per buffer.
Cc: stable@vger.kernel.org Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
The older firmware loading method is not usable by any Redpine chipset.
Hence removing that part of the code. Older firmware image with
rsi_91x.fw name is deprecated
Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
The older firmware loading method has been deprecated and not in use
for any chipets. New method is introduced which works based on soft
boot loader. In this method, complete RAM image and FLASH image are
present in the flash. Before loading the functional firmware, host
issues boot loader commands to verify whether firmware to load is
different from the current functional firmware. If not, firmware
upgrade progresses and boot loader will switch to the new functional
firmware.
"rs9113_wlan_qspi.rps" is the firmware filename used in this patch.
Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Host interface opearation master_reg_read, master_reg_write and
load_data_master_write are added. These functions are needed for the
new firmware loading method. As part of this, the function
master_access_msword is moved from rsi_91x_sdio_ops.c to rsi_91x_sdio.c.
Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
rsi: Add host interface operations as separate structure.
Host interface operations are currently function pointers in rsi_hw
structure. As more host interface operations are going to be introduced,
separate structure is added for these for convenience.
Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
rsi: Handle usb multi-byte write failure case properly
In function usb_write_register_multiple, if any intermediate block transfer
is failed, further operations should be terminated. 'else' is removed, as
there is no significance for it after return.
Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
For USB vendor read and write operations new macros added to avoid
redundant usage of long or'ed macros. Also for timeouts standard USB
macros are used.
Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
The file rsi_91x_hal.c is going to contain device specific code i.e new
firmware loading method for RS9113 chipset. As the file rsi_91x_pkt.c
contains code to prepare device specific descriptors for transmit packet,
this file is renamed to rsi_91x_hal.c which is more relevant as per it's
functionality.
Signed-off-by: Prameela Rani Garnepudi <prameela.j04cs@gmail.com> Signed-off-by: Amitkumar Karwar <amit.karwar@redpinesignals.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Kees Cook [Fri, 5 May 2017 22:38:41 +0000 (15:38 -0700)]
ray_cs: Avoid reading past end of buffer
Using memcpy() from a buffer that is shorter than the length copied means
the destination buffer is being filled with arbitrary data from the kernel
rodata segment. In this case, the source was made longer, since it did not
match the destination structure size. Additionally removes a needless cast.
This was found with the future CONFIG_FORTIFY_SOURCE feature.
Cc: Daniel Micay <danielmicay@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Elena Reshetova [Tue, 28 Mar 2017 08:56:43 +0000 (11:56 +0300)]
orinoco_usb: convert request_context.refcount from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Elena Reshetova [Tue, 28 Mar 2017 08:56:42 +0000 (11:56 +0300)]
hostap: convert hostap_cmd_queue.usecnt from atomic_t to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: David Windsor <dwindsor@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Chi-hsien Lin [Thu, 18 May 2017 09:22:19 +0000 (17:22 +0800)]
brcmfmac: remove setting IBSS mode when stopping AP
Upon stopping an AP interface the driver disable INFRA mode effectively
setting the interface in IBSS mode. However, this may affect other
interfaces running in INFRA mode. For instance, if user creates and stops
hostap daemon on virtual interface, then association cannot work on
primary interface because default BSS has been set to IBSS mode in
firmware side. The IBSS mode should be set when cfg80211 changes the
interface.
Reviewed-by: Wright Feng <wright.feng@cypress.com> Signed-off-by: Chi-hsien Lin <Chi-Hsien.Lin@cypress.com>
[kvalo@codeaurora.org: rephased commit log based on discussion] Signed-off-by: Wright Feng <wright.feng@cypress.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Xie Qirong [Fri, 12 May 2017 09:32:59 +0000 (17:32 +0800)]
brcmfmac: btcoex: replace init_timer with setup_timer
setup_timer.cocci suggested the following improvement:
drivers/net/wireless/broadcom/brcm80211/brcmfmac/btcoex.c:383:1-11: Use
setup_timer function for function on line 384.
The combination of init_timer and setting up the data and function field
manually is equivalent to calling setup_timer(). This is an api
consolidation only and improves readability.
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Signed-off-by: Xie Qirong <cheerx1994@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Takashi Iwai [Thu, 4 May 2017 09:27:52 +0000 (11:27 +0200)]
b43: Add missing MODULE_FIRMWARE()
Some firmware entries were forgotten to be added via MODULE_FIRMWARE(), which
may result in the non-functional state when the driver is loaded in initrd.
When driver fail to reset card ah->curchan value stay NULL. When
later driver try to update tx power it oops by using ah->curchan
(calltrace is shown below).
This problem were reported at various places and for some it was
fixed by making ath9k_hw_chip_reset() do not fail. I have this bug
report on some oldish RHEL kernel with AR9285, however it's hard to
debug where reset fail when kernel OOPS, so I think this patch
should be applied. Hopefully ah->curchan is not used unconditionally
on other places until is initialized on ath9k_config().
The array field eeprom_data in struct th9k_platform_data
is a fixed size array so it can never be NULL.
Addresses-Coverity-ID: 1364903 Cc: Arend Van Spriel <arend.vanspriel@broadcom.com> Cc: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Colin Ian King [Wed, 3 May 2017 14:26:00 +0000 (15:26 +0100)]
ath5k: fix memory leak on buf on failed eeprom read
The AR5K_EEPROM_READ macro returns with -EIO if a read error
occurs causing a memory leak on the allocated buffer buf. Fix
this by explicitly calling ath5k_hw_nvram_read and exiting on
the via the freebuf label that performs the necessary free'ing
of buf when a read error occurs.
Detected by CoverityScan, CID#1248782 ("Resource Leak")
Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
ath6kl: assure headroom of skbuff is writable in .start_xmit()
An issue was found brcmfmac driver in which a skbuff in .start_xmit()
callback was actually cloned. So instead of checking for sufficient
headroom it should also be writable. Hence use skb_cow_head() to
check and expand the headroom appropriately.
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com> Tested-by: Steve deRosier <derosier@gmail.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
These are already handled by mwifiex_shutdown_sw() and
mwifiex_reinit_sw(). Ideally, we'll kill the flag entirely eventually,
as I suspect it breeds race conditions.
Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Brian Norris [Fri, 12 May 2017 16:42:03 +0000 (09:42 -0700)]
mwifiex: don't leak stashed beacon buffer on reset
When removing or resetting an mwifiex device, we don't remember to free
the saved beacon buffer. Use the (somewhat misleadingly-named)
mwifiex_free_priv() helper to handle this.
Brian Norris [Fri, 12 May 2017 16:42:02 +0000 (09:42 -0700)]
mwifiex: don't drop lock between list-retrieval / list-deletion
mwifiex_exec_next_cmd() seems to have a classic TOCTOU race, where we
drop the list lock in between retrieving the next command and deleting
it from the list. This potentially leaves room for someone else to also
retrieve / steal this node from the list (e.g.,
mwifiex_cancel_all_pending_cmd()).
Let's keep holding the lock while we do our 'ps_state' sanity checks.
There should be no harm in continuing to hold this lock for a bit more.
Noticed only by code inspection.
Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Douglas Anderson [Fri, 12 May 2017 16:42:01 +0000 (09:42 -0700)]
mwifiex: Add locking to mwifiex_11n_delba
The mwifiex_11n_delba() function walked the rx_reorder_tbl_ptr without
holding the lock, which was an obvious violation.
Grab the lock.
NOTE: we hold the lock while calling mwifiex_send_delba(). There's also
several callers in 11n_rxreorder.c that hold the lock and the comments
in the struct sound just like very other list/lock pair -- as if the
lock should definitely be help for all operations like this.
Signed-off-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Douglas Anderson [Fri, 12 May 2017 16:42:00 +0000 (09:42 -0700)]
mwifiex: Don't release cmd_pending_q_lock while iterating
Just like in the previous patch ("mwifiex: Don't release
tx_ba_stream_tbl_lock while iterating"), in
mwifiex_cancel_all_pending_cmd() we were itearting over a list protected
by a spinlock. Again, it is not safe to release the spinlock while
iterating. Don't do it.
Luckily in this case there should be no need to release the spinlock.
This is evidenced by:
1. The only function called while the spinlock was released was
mwifiex_recycle_cmd_node()
2. Aside from atomic functions (which are safe to call), the only
function called by mwifiex_recycle_cmd_node() was
mwifiex_insert_cmd_to_free_q().
3. It can be seen in mwifiex_cancel_pending_scan_cmd() that it's OK to
call mwifiex_insert_cmd_to_free_q() while holding a different
spinlock (scan_pending_q_lock), so in general holding a spinlock
should be OK.
4. It doesn't appear that mwifiex_insert_cmd_to_free_q() has any
interaction with the cmd_pending_q_lock
No known bugs are fixed with this change, but as with other similar
changes this could fix random list corruption.
Signed-off-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Douglas Anderson [Fri, 12 May 2017 16:41:59 +0000 (09:41 -0700)]
mwifiex: Don't release tx_ba_stream_tbl_lock while iterating
Despite the macro list_for_each_entry_safe() having the word "safe" in
the name, it's still not actually safe to release the list spinlock
while iterating over the list. The "safe" in the macro name actually
only means that it's safe to delete the current entry while iterating
over the list.
Releasing the spinlock while iterating over the list means that someone
else could come in and adjust the list while we don't have the
spinlock. If they do that it can totally mix up our iteration and fully
corrupt the list. Later iterating over a corrupted list while holding a
spinlock and having IRQs off can cause all sorts of hard to debug
problems.
As evidenced by the other call to
mwifiex_11n_delete_tx_ba_stream_tbl_entry() in
mwifiex_11n_delete_all_tx_ba_stream_tbl(), it's actually safe to skip
the spinlock release. Let's do that.
No known problems are fixed by this patch, but it could fix all sorts of
weird problems and it should be very safe.
Signed-off-by: Douglas Anderson <dianders@chromium.org> Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Brian Norris [Fri, 12 May 2017 16:41:58 +0000 (09:41 -0700)]
mwifiex: fixup error cases in mwifiex_add_virtual_intf()
If we fail to add an interface in mwifiex_add_virtual_intf(), we might
hit a BUG_ON() in the networking code, because we didn't tear things
down properly. Among the problems:
(a) when failing to allocate workqueues, we fail to unregister the
netdev before calling free_netdev()
(b) even if we do try to unregister the netdev, we're still holding the
rtnl lock, so the device never properly unregistered; we'll be at
state NETREG_UNREGISTERING, and then hit free_netdev()'s:
BUG_ON(dev->reg_state != NETREG_UNREGISTERED);
(c) we're allocating some dependent resources (e.g., DFS workqueues)
after we've registered the interface; this may or may not cause
problems, but it's good practice to allocate these before registering
(d) we're not even trying to unwind anything when mwifiex_send_cmd() or
mwifiex_sta_init_cmd() fail
To fix these issues, let's:
* add a stacked set of error handling labels, to keep error handling
consistent and properly ordered (resolving (a) and (d))
* move the workqueue allocations before the registration (to resolve
(c); also resolves (b) by avoiding error cases where we have to
unregister)
[Incidentally, it's pretty easy to interrupt the alloc_workqueue() in,
e.g., the following:
iw phy phy0 interface add mlan0 type station
by sending it SIGTERM.]
This bugfix covers commits like commit 7d652034d1a0 ("mwifiex: channel
switch support for mwifiex"), but parts of this bug exist all the way
back to the introduction of dynamic interface handling in commit 93a1df48d224 ("mwifiex: add cfg80211 handlers add/del_virtual_intf").
Cc: <stable@vger.kernel.org> Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
This code was duplicated as part of the PCIe FLR code added to this
driver. Let's de-duplicate it to:
* make things easier to read (mwifiex_pcie_free_buffers() now has a
corresponding mwifiex_pcie_alloc_buffers())
* reduce likelihood of bugs
* make error logging equally verbose
* save lines of code!
Also drop some of the commentary that isn't really needed.
Signed-off-by: Brian Norris <briannorris@chromium.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Ping-Ke Shih [Tue, 16 May 2017 13:19:57 +0000 (08:19 -0500)]
rtlwifi: btcoex: 23b 1ant: check PS state before setting tdma duration
For time division multiple access, the wifi and bt take turns to
transmit, but we need to let AP know that wifi is under standby mode by
sending null data to "pretend" entering power saving state using lps
rpwm.
But, the fw does not know if it is the actual power saving mode or just a
fake one to cheat to the AP. Hence, before fw setting the tdma duration,
the fw needs the driver to check the power saving state first.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Yan-Hsuan Chuang <yhchuang@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Ping-Ke Shih [Tue, 16 May 2017 13:19:56 +0000 (08:19 -0500)]
rtlwifi: btcoex: 23b 1ant: monitor bt is enabled or disabled
Check BT's status, and record it in field bt_disabled. When BT is disabled,
We do special action called wifi_only. Also, we move the field from
'struct btc_coexist' to 'struct coex_sta_8723b_1ant'.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Yan-Hsuan Chuang <yhchuang@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Ping-Ke Shih [Tue, 16 May 2017 13:19:55 +0000 (08:19 -0500)]
rtlwifi: btcoex: 23b 1ant: check if BT high priority packet exist
If there are BT high priority packets, we arrange more time to BT.
To make user experience to be better, HID and SCO are also seen as
high priority packet exist.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Yan-Hsuan Chuang <yhchuang@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Yan-Hsuan Chuang [Thu, 11 May 2017 23:24:38 +0000 (18:24 -0500)]
rtlwifi: btcoex: 21a 1ant: re-init coex after wifi leaves IPS
Before entering IPS, set the PTA control to default value and re-init it
after it leaves IPS to avoid running some redundant code in
run_coexist_mechanism.
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Pkshih <pkshih@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Yan-Hsuan Chuang [Thu, 11 May 2017 23:24:32 +0000 (18:24 -0500)]
rtlwifi: btcoex: 21a 1ant: react to special packet when wifi is not scanning
If wifi is not scanning, there may have some special and important
packets such as DHCP or EAPOL or ARP packets. Set tdma and coex table to
take care of them.
Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Pkshih <pkshih@realtek.com> Cc: Birming Chiu <birming@realtek.com> Cc: Shaofu <shaofu@realtek.com> Cc: Steven Ting <steventing@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>