* KASAN: use-after-free Read in p54u_load_firmware_cb
From: syzbot @ 2019-05-06 11:16 UTC (permalink / raw)
To: andreyknvl, chunkeey, davem, kvalo, linux-kernel, linux-usb,
linux-wireless, netdev, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 43151d6c usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=142b312ca00000
kernel config: https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
dashboard link: https://syzkaller.appspot.com/bug?extid=200d4bb11b23d929335f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
usb 4-1: Direct firmware load for isl3887usb failed with error -2
usb 4-1: Firmware not found.
==================================================================
BUG: KASAN: use-after-free in p54u_load_firmware_cb.cold+0x97/0x13a
drivers/net/wireless/intersil/p54/p54usb.c:936
Read of size 8 at addr ffff888098bf3588 by task kworker/0:1/12
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe8/0x16e lib/dump_stack.c:113
print_address_description+0x6c/0x236 mm/kasan/report.c:187
kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
p54u_load_firmware_cb.cold+0x97/0x13a
drivers/net/wireless/intersil/p54/p54usb.c:936
request_firmware_work_func+0x12d/0x249
drivers/base/firmware_loader/main.c:785
process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
kthread+0x313/0x420 kernel/kthread.c:253
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
The buggy address belongs to the page:
page:ffffea000262fcc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfff00000000000()
raw: 00fff00000000000 0000000000000000 ffffffff02620101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888098bf3480: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888098bf3500: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888098bf3580: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888098bf3600: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888098bf3680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
^ permalink raw reply
* KASAN: slab-out-of-bounds Read in p54u_load_firmware_cb
From: syzbot @ 2019-05-06 11:16 UTC (permalink / raw)
To: andreyknvl, chunkeey, davem, kvalo, linux-kernel, linux-usb,
linux-wireless, netdev, syzkaller-bugs
Hello,
syzbot found the following crash on:
HEAD commit: 43151d6c usb-fuzzer: main usb gadget fuzzer driver
git tree: https://github.com/google/kasan.git usb-fuzzer
console output: https://syzkaller.appspot.com/x/log.txt?x=12c0112ca00000
kernel config: https://syzkaller.appspot.com/x/.config?x=4183eeef650d1234
dashboard link: https://syzkaller.appspot.com/bug?extid=6d237e74cdc13f036473
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
Unfortunately, I don't have any reproducer for this crash yet.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6d237e74cdc13f036473@syzkaller.appspotmail.com
cx231xx 2-1:0.1: New device @ 480 Mbps (2040:b111) with 1 interfaces
cx231xx 2-1:0.1: Not found matching IAD interface
usb 6-1: Direct firmware load for isl3887usb failed with error -2
usb 6-1: Firmware not found.
==================================================================
BUG: KASAN: slab-out-of-bounds in p54u_load_firmware_cb.cold+0x97/0x13a
drivers/net/wireless/intersil/p54/p54usb.c:936
Read of size 8 at addr ffff888099763588 by task kworker/0:1/12
CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.1.0-rc3-319004-g43151d6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Workqueue: events request_firmware_work_func
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xe8/0x16e lib/dump_stack.c:113
print_address_description+0x6c/0x236 mm/kasan/report.c:187
kasan_report.cold+0x1a/0x3c mm/kasan/report.c:317
p54u_load_firmware_cb.cold+0x97/0x13a
drivers/net/wireless/intersil/p54/p54usb.c:936
request_firmware_work_func+0x12d/0x249
drivers/base/firmware_loader/main.c:785
process_one_work+0x90f/0x1580 kernel/workqueue.c:2269
worker_thread+0x9b/0xe20 kernel/workqueue.c:2415
kthread+0x313/0x420 kernel/kthread.c:253
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
Allocated by task 7931:
set_track mm/kasan/common.c:87 [inline]
__kasan_kmalloc mm/kasan/common.c:497 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:470
slab_post_alloc_hook mm/slab.h:437 [inline]
slab_alloc_node mm/slub.c:2756 [inline]
__kmalloc_node_track_caller+0xf3/0x320 mm/slub.c:4372
__kmalloc_reserve.isra.0+0x3e/0xf0 net/core/skbuff.c:140
__alloc_skb+0xf4/0x5a0 net/core/skbuff.c:208
alloc_skb include/linux/skbuff.h:1058 [inline]
alloc_uevent_skb+0x7b/0x210 lib/kobject_uevent.c:289
uevent_net_broadcast_untagged lib/kobject_uevent.c:325 [inline]
kobject_uevent_net_broadcast lib/kobject_uevent.c:408 [inline]
kobject_uevent_env+0x865/0x13d0 lib/kobject_uevent.c:589
udc_bind_to_driver+0x33e/0x5e0 drivers/usb/gadget/udc/core.c:1357
usb_gadget_probe_driver+0x23f/0x380 drivers/usb/gadget/udc/core.c:1408
fuzzer_ioctl_run drivers/usb/gadget/fuzzer/fuzzer.c:718 [inline]
fuzzer_ioctl+0x15be/0x1d90 drivers/usb/gadget/fuzzer/fuzzer.c:1130
full_proxy_unlocked_ioctl+0x11b/0x180 fs/debugfs/file.c:205
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 805:
set_track mm/kasan/common.c:87 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
slab_free_hook mm/slub.c:1429 [inline]
slab_free_freelist_hook+0x5e/0x140 mm/slub.c:1456
slab_free mm/slub.c:3003 [inline]
kfree+0xce/0x290 mm/slub.c:3958
skb_free_head+0x90/0xb0 net/core/skbuff.c:557
skb_release_data+0x543/0x8b0 net/core/skbuff.c:577
skb_release_all+0x4b/0x60 net/core/skbuff.c:631
__kfree_skb net/core/skbuff.c:645 [inline]
consume_skb net/core/skbuff.c:705 [inline]
consume_skb+0xc5/0x2f0 net/core/skbuff.c:699
skb_free_datagram+0x1b/0xf0 net/core/datagram.c:329
netlink_recvmsg+0x663/0xea0 net/netlink/af_netlink.c:2004
sock_recvmsg_nosec net/socket.c:881 [inline]
sock_recvmsg net/socket.c:888 [inline]
sock_recvmsg+0xd1/0x110 net/socket.c:884
___sys_recvmsg+0x278/0x5a0 net/socket.c:2422
__sys_recvmsg+0xee/0x1b0 net/socket.c:2471
do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888099763180
which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 8 bytes to the right of
1024-byte region [ffff888099763180, ffff888099763580)
The buggy address belongs to the page:
page:ffffea000265d800 count:1 mapcount:0 mapping:ffff88812c3f4a00 index:0x0
compound_mapcount: 0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000200 ffff88812c3f4a00
raw: 0000000000000000 00000000000e000e 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888099763480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888099763500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888099763580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff888099763600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff888099763680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
^ permalink raw reply
* Re: [PATCH RFC] brcmfmac: sanitize DMI strings v2
From: Hans de Goede @ 2019-05-06 10:34 UTC (permalink / raw)
To: Victor Bravo
Cc: Arend Van Spriel, Franky Lin, Hante Meuleman, Chi-Hsien Lin,
Wright Feng, Kalle Valo, David S. Miller, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list, linux-kernel
In-Reply-To: <20190506102032.3ximjecado4mz62j@localhost>
Hi,
On 06-05-19 12:20, Victor Bravo wrote:
> On Mon, May 06, 2019 at 11:33:20AM +0200, Hans de Goede wrote:
>> Hi,
>>
>> On 06-05-19 11:06, Victor Bravo wrote:
>>> On Mon, May 06, 2019 at 10:13:38AM +0200, Hans de Goede wrote:
>>>> Hi,
>>>
>>> Hi,
>>>
>>>> On 05-05-19 17:03, Victor Bravo wrote:
>>>>> Sanitize DMI strings in brcmfmac driver to make resulting filenames
>>>>> contain only safe characters. This version replaces all non-printable
>>>>> characters incl. delete (0-31, 127-255), spaces and slashes with
>>>>> underscores.
>>>>>
>>>>> This change breaks backward compatibility, but adds control over strings
>>>>> passed to firmware loader and compatibility with CONFIG_EXTRA_FIRMWARE
>>>>> which doesn't support spaces in filenames.
>>>>>
>>>>> Changes from v1: don't revert fresh commit by someone else
>>>>>
>>>>> Signed-off-by: Victor Bravo <1905@spmblk.com>
>>>>
>>>> Thank you for the patch, but I'm sorry to say this patch cannot go in as is,
>>>> because it will break existing systems.
>>>>
>>>> If you look here:
>>>>
>>>> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/brcm
>>>>
>>>> You will see a file named: "brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt" there, which
>>>> has a space in its name (and which works fine).
>>>
>>> Thanks for the updates. Spaces are actually a problem as files with spaces
>>> don't work when built-in with CONFIG_EXTRA_FIRMWARE (which is used with
>>> non-modular kernel containing brcmfmac driver).
>>>
>>> If the DMI string contains slashes, they will cause problems
>>> for obvious reasons too.
>>
>> Right, as said I'm fine with sanitizing the names, so dropping e.g. / chars,
>> but replacing space with _ will cause wifi to stop working on Onda V80 Plus devices and
>> we have a clear no regressions policy in the kernel.
>
> Please keep in mind that dropping slashes and non-printable characters
> might be a regression too, as some users may already be using
> intermediate directories or filenames with tabs etc. if their DMI
> strings contain these. If such users exist, they will have to rename
> their nvram files anyway.
I consider it very unlikely that such users exist OTOH the Onda V80 PLus
nvram file is actually in linux-firmware upstream, so that e.g. Fedora 30
has working wifi OOTB on the V80 Plus, if we go with your proposal to
also replace spaces, then users with a V80 Plus will all of a sudden have
their wifi stop working.
If Kalle and Arend are in favor of including space in the "bad character"
list then at a minimum we must first get a patch added to linux-firmware
adding an ONDA-V80_PLUS.txt symlink to the ONDA-V80 PLUS.txt file.
> On the other hand, removing just slashes and non-printable characters
> (i.e. (*dst < 0x20) || (dst == '/') || (dst == 0x7f)) would allow
> the sanitize function to the bit array and go with hardcoded conditions
> (especially if those are final and won't need further adjustments in
> set of allowed characters
If we're going to do some filtering, then I suggest we play it safe and also
disallow other chars which may be used as a separator somewhere, specifically
':' and ','.
Currently upstream linux-firmware has these files which rely on the DMI
matching:
brcmfmac4330-sdio.Prowise-PT301.txt
brcmfmac43430-sdio.Hampoo-D2D3_Vi8A1.txt
brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt
The others are either part of the DMI override table for devices with unsuitable
DMI strings like "Default String"; or are device-tree based.
So as long as we don't break those 3 (or break the ONDA one but get a symlink
in place) we can sanitize a bit more then just non-printable and '/'.
Kalle, Arend, what is your opinion on this?
Note I do not expect the ONDA V80 Plus to have a lot of Linux users, but it definitely has some.
Regards,
Hans
>
>>>> I'm fine with doing some sanitizing of the strings, but replacing spaces with _
>>>> breaks existing use-cases (will cause a regression for them) and a space is absolutely
>>>> a valid character in a filename and the firmware-loader can deal with this just fine.
>>>>
>>>> If the code for building firmwares into the kernel cannot deal with spaces then IMHO
>>>> that code should be fixed instead. Have you looked into fixing that?
>>>
>>> Yes, but updating CONFIG_EXTRA_FIRMWARE to support spaces because of
>>> this looks much like
>>
>> <snip off-topic remark>
>>
>>> Do you really think it's a good idea to propose that in
>>> this case?
>>
>> I think expecting spaces in filenames to just work is quite reasonable, after all
>> its been a long time since we've left DOS-es 8.3 filename limitations.
>>
>> Have you actually looked at how hard it would be to make filenames with spaces work
>> with CONFIG_EXTRA_FIRMWARE ?
>>
>> No matter how you spin it, the space problem is a CONFIG_EXTRA_FIRMWARE bug, not an
>> issue with the brcmfmac code.
>
> Well CONFIG_EXTRA_FIRMWARE is defined to use space as filename
> separator, so I don't really dare to call that a bug. Also brcmfmac
> seems to be only driver requiring support for spaces etc. in firmware
> file names, and this requirement seems to be quite fresh.
>
> So to me the proper way to fix this via CONFIG_EXTRA_FIRMWARE seems to
> be
>
> 1) wait some time until brcfmac's fw filenames with spaces become
> de-facto standard and distros are literally full of these.
>
> 2) after this happens, propose update of CONFIG_EXTRA_FIRMWARE to
> support spaces in filenames, arguing with status quo which coming from 1)
>
> Unfortunately I feel more like a programmer and this seems more like
> politics, so I can promise participation in the wait part only right
> now.
>
>>>> As for your T100HA example from earlier in this thread, the brcmfmac driver now
>>>> also supports getting the firmware from a special EFI nvram variable, which the
>>>> T100HA sets, so you do not need to provide a nvram file on the T100HA and things
>>>> will still work.
>>>
>>> I don't really get this. Can you please suggest how do I make the driver
>>> use something different than "brcmfmac43340-sdio.txt" or
>>> "brcmfmac43340-sdio.ASUSTeK COMPUTER INC.-T100HAN.txt" on T100HAN?
>>
>> If you leave out either file, then with a recent kernel you should see this
>> brcm_info trigger:
>>
>> brcmf_info("Using nvram EFI variable\n");
>>
>> So you should see this message when you do:
>>
>> dmesg | grep "Using nvram EFI variable"
>>
>> And the wifi on the T100HAN should just work, without needing to do any
>> manual config / provide an nvram file in anyway.
>>
>> I always strive to make hardware just work with Linux and any UEFI x86 machine
>> using brcmfmac which provides the necessary nvram EFI variable in its firmware
>> should now just work when booting say a Fedora 30 livecd.
>>
>> The EFI nvram var support has been tested successfully on the following models:
>>
>> Acer Iconia Tab8 w1-8
>> Acer One 10
>> Asus T100CHI
>> Asus T100HA
>> Asus T100TA
>> Asus T200TA
>> Lenovo Mixx 2 8
>> Lenovo Yoga2 tablet 10
>
> Thanks! Wasn't aware of this, will try in the evening.
>
> Regards,
> v.
>
>> Regards,
>>
>> Hans
>>
>>
>>
>>>>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
>>>>> index 7535cb0d4ac0..84571e09b465 100644
>>>>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
>>>>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
>>>>> @@ -23,6 +23,14 @@
>>>>> /* The DMI data never changes so we can use a static buf for this */
>>>>> static char dmi_board_type[128];
>>>>> +/* Array of 128 bits representing 7-bit characters allowed in DMI strings. */
>>>>> +static unsigned char brcmf_dmi_allowed_chars[] = {
>>>>> + 0x00, 0x00, 0x00, 0x00, 0xfe, 0x7f, 0xff, 0xff,
>>>>> + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
>>>>> +};
>>>>> +
>>>>> +#define BRCMF_DMI_SAFE_CHAR '_'
>>>>> +
>>>>> struct brcmf_dmi_data {
>>>>> u32 chip;
>>>>> u32 chiprev;
>>>>> @@ -99,6 +107,15 @@ static const struct dmi_system_id dmi_platform_data[] = {
>>>>> {}
>>>>> };
>>>>> +void brcmf_dmi_sanitize(char *dst, const unsigned char *allowed, char safe)
>>>>> +{
>>>>> + while (*dst) {
>>>>> + if ((*dst < 0) || !(allowed[*dst / 8] & (1 << (*dst % 8))))
>>>>
>>>> At a first look I have no clue what this code is doing and I honestly do not feel
>>>> like figuring it out, this is clever, but IMHO not readable.
>>>
>>> Understood. The cluless part actually checks corresponding bit
>>> in allowed array, which is a bit mask describing what characters
>>> are allowed or not.
>>>
>>>> Please just write this as if (*dst < 0x21 || (*dst > foo && < bar) || etc,
>>>> so that a human can actually see in one look what the code is doing.
>>>>
>>>> You may want to wait for Arend to give his opinion before changing this though,
>>>> maybe he likes the code as is.
>>>>
>>>> Also note that that should be < 0x20 of course, since we need to preserve spaces
>>>> as is to avoid a regression.
>>>
>>> This has been already discussed, spaces are a problem. There even was an
>>> opinion that adding the code that doesn't bother with spaces and slashes
>>> might be a regression as well.
>>>
>>> Regards,
>>>
>>> v.
>>>
>>>> Regards,
>>>>
>>>> Hans
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> + *dst = safe;
>>>>> + dst++;
>>>>> + }
>>>>> +}
>>>>> +
>>>>> void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
>>>>> {
>>>>> const struct dmi_system_id *match;
>>>>> @@ -126,6 +143,9 @@ void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
>>>>> if (sys_vendor && product_name) {
>>>>> snprintf(dmi_board_type, sizeof(dmi_board_type), "%s-%s",
>>>>> sys_vendor, product_name);
>>>>> + brcmf_dmi_sanitize(dmi_board_type,
>>>>> + brcmf_dmi_allowed_chars,
>>>>> + BRCMF_DMI_SAFE_CHAR);
>>>>> settings->board_type = dmi_board_type;
>>>>> }
>>>>> }
>>>>>
>>>>
>>
^ permalink raw reply
* Re: [PATCH RFC] brcmfmac: sanitize DMI strings v2
From: Victor Bravo @ 2019-05-06 10:20 UTC (permalink / raw)
To: Hans de Goede
Cc: Arend Van Spriel, Franky Lin, Hante Meuleman, Chi-Hsien Lin,
Wright Feng, Kalle Valo, David S. Miller, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list, linux-kernel
In-Reply-To: <70677dff-4336-28d5-7ab9-7ba7c3d74ebc@redhat.com>
On Mon, May 06, 2019 at 11:33:20AM +0200, Hans de Goede wrote:
> Hi,
>
> On 06-05-19 11:06, Victor Bravo wrote:
> > On Mon, May 06, 2019 at 10:13:38AM +0200, Hans de Goede wrote:
> > > Hi,
> >
> > Hi,
> >
> > > On 05-05-19 17:03, Victor Bravo wrote:
> > > > Sanitize DMI strings in brcmfmac driver to make resulting filenames
> > > > contain only safe characters. This version replaces all non-printable
> > > > characters incl. delete (0-31, 127-255), spaces and slashes with
> > > > underscores.
> > > >
> > > > This change breaks backward compatibility, but adds control over strings
> > > > passed to firmware loader and compatibility with CONFIG_EXTRA_FIRMWARE
> > > > which doesn't support spaces in filenames.
> > > >
> > > > Changes from v1: don't revert fresh commit by someone else
> > > >
> > > > Signed-off-by: Victor Bravo <1905@spmblk.com>
> > >
> > > Thank you for the patch, but I'm sorry to say this patch cannot go in as is,
> > > because it will break existing systems.
> > >
> > > If you look here:
> > >
> > > https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/brcm
> > >
> > > You will see a file named: "brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt" there, which
> > > has a space in its name (and which works fine).
> >
> > Thanks for the updates. Spaces are actually a problem as files with spaces
> > don't work when built-in with CONFIG_EXTRA_FIRMWARE (which is used with
> > non-modular kernel containing brcmfmac driver).
> >
> > If the DMI string contains slashes, they will cause problems
> > for obvious reasons too.
>
> Right, as said I'm fine with sanitizing the names, so dropping e.g. / chars,
> but replacing space with _ will cause wifi to stop working on Onda V80 Plus devices and
> we have a clear no regressions policy in the kernel.
Please keep in mind that dropping slashes and non-printable characters
might be a regression too, as some users may already be using
intermediate directories or filenames with tabs etc. if their DMI
strings contain these. If such users exist, they will have to rename
their nvram files anyway.
On the other hand, removing just slashes and non-printable characters
(i.e. (*dst < 0x20) || (dst == '/') || (dst == 0x7f)) would allow
the sanitize function to the bit array and go with hardcoded conditions
(especially if those are final and won't need further adjustments in
set of allowed characters
> > > I'm fine with doing some sanitizing of the strings, but replacing spaces with _
> > > breaks existing use-cases (will cause a regression for them) and a space is absolutely
> > > a valid character in a filename and the firmware-loader can deal with this just fine.
> > >
> > > If the code for building firmwares into the kernel cannot deal with spaces then IMHO
> > > that code should be fixed instead. Have you looked into fixing that?
> >
> > Yes, but updating CONFIG_EXTRA_FIRMWARE to support spaces because of
> > this looks much like
>
> <snip off-topic remark>
>
> > Do you really think it's a good idea to propose that in
> > this case?
>
> I think expecting spaces in filenames to just work is quite reasonable, after all
> its been a long time since we've left DOS-es 8.3 filename limitations.
>
> Have you actually looked at how hard it would be to make filenames with spaces work
> with CONFIG_EXTRA_FIRMWARE ?
>
> No matter how you spin it, the space problem is a CONFIG_EXTRA_FIRMWARE bug, not an
> issue with the brcmfmac code.
Well CONFIG_EXTRA_FIRMWARE is defined to use space as filename
separator, so I don't really dare to call that a bug. Also brcmfmac
seems to be only driver requiring support for spaces etc. in firmware
file names, and this requirement seems to be quite fresh.
So to me the proper way to fix this via CONFIG_EXTRA_FIRMWARE seems to
be
1) wait some time until brcfmac's fw filenames with spaces become
de-facto standard and distros are literally full of these.
2) after this happens, propose update of CONFIG_EXTRA_FIRMWARE to
support spaces in filenames, arguing with status quo which coming from 1)
Unfortunately I feel more like a programmer and this seems more like
politics, so I can promise participation in the wait part only right
now.
> > > As for your T100HA example from earlier in this thread, the brcmfmac driver now
> > > also supports getting the firmware from a special EFI nvram variable, which the
> > > T100HA sets, so you do not need to provide a nvram file on the T100HA and things
> > > will still work.
> >
> > I don't really get this. Can you please suggest how do I make the driver
> > use something different than "brcmfmac43340-sdio.txt" or
> > "brcmfmac43340-sdio.ASUSTeK COMPUTER INC.-T100HAN.txt" on T100HAN?
>
> If you leave out either file, then with a recent kernel you should see this
> brcm_info trigger:
>
> brcmf_info("Using nvram EFI variable\n");
>
> So you should see this message when you do:
>
> dmesg | grep "Using nvram EFI variable"
>
> And the wifi on the T100HAN should just work, without needing to do any
> manual config / provide an nvram file in anyway.
>
> I always strive to make hardware just work with Linux and any UEFI x86 machine
> using brcmfmac which provides the necessary nvram EFI variable in its firmware
> should now just work when booting say a Fedora 30 livecd.
>
> The EFI nvram var support has been tested successfully on the following models:
>
> Acer Iconia Tab8 w1-8
> Acer One 10
> Asus T100CHI
> Asus T100HA
> Asus T100TA
> Asus T200TA
> Lenovo Mixx 2 8
> Lenovo Yoga2 tablet 10
Thanks! Wasn't aware of this, will try in the evening.
Regards,
v.
> Regards,
>
> Hans
>
>
>
> > > > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> > > > index 7535cb0d4ac0..84571e09b465 100644
> > > > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> > > > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> > > > @@ -23,6 +23,14 @@
> > > > /* The DMI data never changes so we can use a static buf for this */
> > > > static char dmi_board_type[128];
> > > > +/* Array of 128 bits representing 7-bit characters allowed in DMI strings. */
> > > > +static unsigned char brcmf_dmi_allowed_chars[] = {
> > > > + 0x00, 0x00, 0x00, 0x00, 0xfe, 0x7f, 0xff, 0xff,
> > > > + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
> > > > +};
> > > > +
> > > > +#define BRCMF_DMI_SAFE_CHAR '_'
> > > > +
> > > > struct brcmf_dmi_data {
> > > > u32 chip;
> > > > u32 chiprev;
> > > > @@ -99,6 +107,15 @@ static const struct dmi_system_id dmi_platform_data[] = {
> > > > {}
> > > > };
> > > > +void brcmf_dmi_sanitize(char *dst, const unsigned char *allowed, char safe)
> > > > +{
> > > > + while (*dst) {
> > > > + if ((*dst < 0) || !(allowed[*dst / 8] & (1 << (*dst % 8))))
> > >
> > > At a first look I have no clue what this code is doing and I honestly do not feel
> > > like figuring it out, this is clever, but IMHO not readable.
> >
> > Understood. The cluless part actually checks corresponding bit
> > in allowed array, which is a bit mask describing what characters
> > are allowed or not.
> >
> > > Please just write this as if (*dst < 0x21 || (*dst > foo && < bar) || etc,
> > > so that a human can actually see in one look what the code is doing.
> > >
> > > You may want to wait for Arend to give his opinion before changing this though,
> > > maybe he likes the code as is.
> > >
> > > Also note that that should be < 0x20 of course, since we need to preserve spaces
> > > as is to avoid a regression.
> >
> > This has been already discussed, spaces are a problem. There even was an
> > opinion that adding the code that doesn't bother with spaces and slashes
> > might be a regression as well.
> >
> > Regards,
> >
> > v.
> >
> > > Regards,
> > >
> > > Hans
> > >
> > >
> > >
> > >
> > >
> > > > + *dst = safe;
> > > > + dst++;
> > > > + }
> > > > +}
> > > > +
> > > > void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
> > > > {
> > > > const struct dmi_system_id *match;
> > > > @@ -126,6 +143,9 @@ void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
> > > > if (sys_vendor && product_name) {
> > > > snprintf(dmi_board_type, sizeof(dmi_board_type), "%s-%s",
> > > > sys_vendor, product_name);
> > > > + brcmf_dmi_sanitize(dmi_board_type,
> > > > + brcmf_dmi_allowed_chars,
> > > > + BRCMF_DMI_SAFE_CHAR);
> > > > settings->board_type = dmi_board_type;
> > > > }
> > > > }
> > > >
> > >
>
^ permalink raw reply
* Re: [PATCH RFC] brcmfmac: sanitize DMI strings v2
From: Hans de Goede @ 2019-05-06 9:33 UTC (permalink / raw)
To: Victor Bravo
Cc: Arend Van Spriel, Franky Lin, Hante Meuleman, Chi-Hsien Lin,
Wright Feng, Kalle Valo, David S. Miller, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list, linux-kernel
In-Reply-To: <20190506090609.msudhncj7e5vdtzw@localhost>
Hi,
On 06-05-19 11:06, Victor Bravo wrote:
> On Mon, May 06, 2019 at 10:13:38AM +0200, Hans de Goede wrote:
>> Hi,
>
> Hi,
>
>> On 05-05-19 17:03, Victor Bravo wrote:
>>> Sanitize DMI strings in brcmfmac driver to make resulting filenames
>>> contain only safe characters. This version replaces all non-printable
>>> characters incl. delete (0-31, 127-255), spaces and slashes with
>>> underscores.
>>>
>>> This change breaks backward compatibility, but adds control over strings
>>> passed to firmware loader and compatibility with CONFIG_EXTRA_FIRMWARE
>>> which doesn't support spaces in filenames.
>>>
>>> Changes from v1: don't revert fresh commit by someone else
>>>
>>> Signed-off-by: Victor Bravo <1905@spmblk.com>
>>
>> Thank you for the patch, but I'm sorry to say this patch cannot go in as is,
>> because it will break existing systems.
>>
>> If you look here:
>>
>> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/brcm
>>
>> You will see a file named: "brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt" there, which
>> has a space in its name (and which works fine).
>
> Thanks for the updates. Spaces are actually a problem as files with spaces
> don't work when built-in with CONFIG_EXTRA_FIRMWARE (which is used with
> non-modular kernel containing brcmfmac driver).
>
> If the DMI string contains slashes, they will cause problems
> for obvious reasons too.
Right, as said I'm fine with sanitizing the names, so dropping e.g. / chars,
but replacing space with _ will cause wifi to stop working on Onda V80 Plus devices and
we have a clear no regressions policy in the kernel.
>> I'm fine with doing some sanitizing of the strings, but replacing spaces with _
>> breaks existing use-cases (will cause a regression for them) and a space is absolutely
>> a valid character in a filename and the firmware-loader can deal with this just fine.
>>
>> If the code for building firmwares into the kernel cannot deal with spaces then IMHO
>> that code should be fixed instead. Have you looked into fixing that?
>
> Yes, but updating CONFIG_EXTRA_FIRMWARE to support spaces because of
> this looks much like
<snip off-topic remark>
> Do you really think it's a good idea to propose that in
> this case?
I think expecting spaces in filenames to just work is quite reasonable, after all
its been a long time since we've left DOS-es 8.3 filename limitations.
Have you actually looked at how hard it would be to make filenames with spaces work
with CONFIG_EXTRA_FIRMWARE ?
No matter how you spin it, the space problem is a CONFIG_EXTRA_FIRMWARE bug, not an
issue with the brcmfmac code.
>> As for your T100HA example from earlier in this thread, the brcmfmac driver now
>> also supports getting the firmware from a special EFI nvram variable, which the
>> T100HA sets, so you do not need to provide a nvram file on the T100HA and things
>> will still work.
>
> I don't really get this. Can you please suggest how do I make the driver
> use something different than "brcmfmac43340-sdio.txt" or
> "brcmfmac43340-sdio.ASUSTeK COMPUTER INC.-T100HAN.txt" on T100HAN?
If you leave out either file, then with a recent kernel you should see this
brcm_info trigger:
brcmf_info("Using nvram EFI variable\n");
So you should see this message when you do:
dmesg | grep "Using nvram EFI variable"
And the wifi on the T100HAN should just work, without needing to do any
manual config / provide an nvram file in anyway.
I always strive to make hardware just work with Linux and any UEFI x86 machine
using brcmfmac which provides the necessary nvram EFI variable in its firmware
should now just work when booting say a Fedora 30 livecd.
The EFI nvram var support has been tested successfully on the following models:
Acer Iconia Tab8 w1-8
Acer One 10
Asus T100CHI
Asus T100HA
Asus T100TA
Asus T200TA
Lenovo Mixx 2 8
Lenovo Yoga2 tablet 10
Regards,
Hans
>>> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
>>> index 7535cb0d4ac0..84571e09b465 100644
>>> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
>>> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
>>> @@ -23,6 +23,14 @@
>>> /* The DMI data never changes so we can use a static buf for this */
>>> static char dmi_board_type[128];
>>> +/* Array of 128 bits representing 7-bit characters allowed in DMI strings. */
>>> +static unsigned char brcmf_dmi_allowed_chars[] = {
>>> + 0x00, 0x00, 0x00, 0x00, 0xfe, 0x7f, 0xff, 0xff,
>>> + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
>>> +};
>>> +
>>> +#define BRCMF_DMI_SAFE_CHAR '_'
>>> +
>>> struct brcmf_dmi_data {
>>> u32 chip;
>>> u32 chiprev;
>>> @@ -99,6 +107,15 @@ static const struct dmi_system_id dmi_platform_data[] = {
>>> {}
>>> };
>>> +void brcmf_dmi_sanitize(char *dst, const unsigned char *allowed, char safe)
>>> +{
>>> + while (*dst) {
>>> + if ((*dst < 0) || !(allowed[*dst / 8] & (1 << (*dst % 8))))
>>
>> At a first look I have no clue what this code is doing and I honestly do not feel
>> like figuring it out, this is clever, but IMHO not readable.
>
> Understood. The cluless part actually checks corresponding bit
> in allowed array, which is a bit mask describing what characters
> are allowed or not.
>
>> Please just write this as if (*dst < 0x21 || (*dst > foo && < bar) || etc,
>> so that a human can actually see in one look what the code is doing.
>>
>> You may want to wait for Arend to give his opinion before changing this though,
>> maybe he likes the code as is.
>>
>> Also note that that should be < 0x20 of course, since we need to preserve spaces
>> as is to avoid a regression.
>
> This has been already discussed, spaces are a problem. There even was an
> opinion that adding the code that doesn't bother with spaces and slashes
> might be a regression as well.
>
> Regards,
>
> v.
>
>> Regards,
>>
>> Hans
>>
>>
>>
>>
>>
>>> + *dst = safe;
>>> + dst++;
>>> + }
>>> +}
>>> +
>>> void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
>>> {
>>> const struct dmi_system_id *match;
>>> @@ -126,6 +143,9 @@ void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
>>> if (sys_vendor && product_name) {
>>> snprintf(dmi_board_type, sizeof(dmi_board_type), "%s-%s",
>>> sys_vendor, product_name);
>>> + brcmf_dmi_sanitize(dmi_board_type,
>>> + brcmf_dmi_allowed_chars,
>>> + BRCMF_DMI_SAFE_CHAR);
>>> settings->board_type = dmi_board_type;
>>> }
>>> }
>>>
>>
^ permalink raw reply
* Re: [PATCH RFC] brcmfmac: sanitize DMI strings v2
From: Victor Bravo @ 2019-05-06 9:14 UTC (permalink / raw)
To: Kalle Valo
Cc: Hans de Goede, Arend Van Spriel, Franky Lin, Hante Meuleman,
Chi-Hsien Lin, Wright Feng, David S. Miller, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list, linux-kernel
In-Reply-To: <87o94gug81.fsf@codeaurora.org>
On Mon, May 06, 2019 at 11:42:06AM +0300, Kalle Valo wrote:
> Hans de Goede <hdegoede@redhat.com> writes:
>
> >> @@ -99,6 +107,15 @@ static const struct dmi_system_id dmi_platform_data[] = {
> >> {}
> >> };
> >> +void brcmf_dmi_sanitize(char *dst, const unsigned char *allowed,
> >> char safe)
> >> +{
> >> + while (*dst) {
> >> + if ((*dst < 0) || !(allowed[*dst / 8] & (1 << (*dst % 8))))
> >
> > At a first look I have no clue what this code is doing and I honestly do not feel
> > like figuring it out, this is clever, but IMHO not readable.
> >
> > Please just write this as if (*dst < 0x21 || (*dst > foo && < bar) || etc,
> > so that a human can actually see in one look what the code is doing.
>
> Is there an existing function for sanitising filenames so that we don't
> need to reinvent the wheel, maybe something like isalnum()?
I would definitely prefer to use existing function, but I didn't find
any suitable one. Suggestions are welcome.
As for implementation details, the one I posted was optimized for both
speed and size, and at least in my opinion this bit array driven
parametric implementation is exactly what is needed here (using a string
of allowed characters with strchr-style lookups would bring much worse
complexity, and checking the characters using series of hardcoded if
conditions could quickly grow to more than those 16 bytes used by the
array).
Regards,
v.
^ permalink raw reply
* Re: [PATCH RFC] brcmfmac: sanitize DMI strings v2
From: Victor Bravo @ 2019-05-06 9:06 UTC (permalink / raw)
To: Hans de Goede
Cc: Arend Van Spriel, Franky Lin, Hante Meuleman, Chi-Hsien Lin,
Wright Feng, Kalle Valo, David S. Miller, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list, linux-kernel
In-Reply-To: <0f75a3d4-94af-5503-94c3-e8af2364448d@redhat.com>
On Mon, May 06, 2019 at 10:13:38AM +0200, Hans de Goede wrote:
> Hi,
Hi,
> On 05-05-19 17:03, Victor Bravo wrote:
> > Sanitize DMI strings in brcmfmac driver to make resulting filenames
> > contain only safe characters. This version replaces all non-printable
> > characters incl. delete (0-31, 127-255), spaces and slashes with
> > underscores.
> >
> > This change breaks backward compatibility, but adds control over strings
> > passed to firmware loader and compatibility with CONFIG_EXTRA_FIRMWARE
> > which doesn't support spaces in filenames.
> >
> > Changes from v1: don't revert fresh commit by someone else
> >
> > Signed-off-by: Victor Bravo <1905@spmblk.com>
>
> Thank you for the patch, but I'm sorry to say this patch cannot go in as is,
> because it will break existing systems.
>
> If you look here:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/brcm
>
> You will see a file named: "brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt" there, which
> has a space in its name (and which works fine).
Thanks for the updates. Spaces are actually a problem as files with spaces
don't work when built-in with CONFIG_EXTRA_FIRMWARE (which is used with
non-modular kernel containing brcmfmac driver).
If the DMI string contains slashes, they will cause problems
for obvious reasons too.
> I'm fine with doing some sanitizing of the strings, but replacing spaces with _
> breaks existing use-cases (will cause a regression for them) and a space is absolutely
> a valid character in a filename and the firmware-loader can deal with this just fine.
>
> If the code for building firmwares into the kernel cannot deal with spaces then IMHO
> that code should be fixed instead. Have you looked into fixing that?
Yes, but updating CONFIG_EXTRA_FIRMWARE to support spaces because of
this looks much like fixing systemd-caused unitialized urandom reads on
kernel side. Do you really think it's a good idea to propose that in
this case?
> As for your T100HA example from earlier in this thread, the brcmfmac driver now
> also supports getting the firmware from a special EFI nvram variable, which the
> T100HA sets, so you do not need to provide a nvram file on the T100HA and things
> will still work.
I don't really get this. Can you please suggest how do I make the driver
use something different than "brcmfmac43340-sdio.txt" or
"brcmfmac43340-sdio.ASUSTeK COMPUTER INC.-T100HAN.txt" on T100HAN?
> > diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> > index 7535cb0d4ac0..84571e09b465 100644
> > --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> > +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> > @@ -23,6 +23,14 @@
> > /* The DMI data never changes so we can use a static buf for this */
> > static char dmi_board_type[128];
> > +/* Array of 128 bits representing 7-bit characters allowed in DMI strings. */
> > +static unsigned char brcmf_dmi_allowed_chars[] = {
> > + 0x00, 0x00, 0x00, 0x00, 0xfe, 0x7f, 0xff, 0xff,
> > + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
> > +};
> > +
> > +#define BRCMF_DMI_SAFE_CHAR '_'
> > +
> > struct brcmf_dmi_data {
> > u32 chip;
> > u32 chiprev;
> > @@ -99,6 +107,15 @@ static const struct dmi_system_id dmi_platform_data[] = {
> > {}
> > };
> > +void brcmf_dmi_sanitize(char *dst, const unsigned char *allowed, char safe)
> > +{
> > + while (*dst) {
> > + if ((*dst < 0) || !(allowed[*dst / 8] & (1 << (*dst % 8))))
>
> At a first look I have no clue what this code is doing and I honestly do not feel
> like figuring it out, this is clever, but IMHO not readable.
Understood. The cluless part actually checks corresponding bit
in allowed array, which is a bit mask describing what characters
are allowed or not.
> Please just write this as if (*dst < 0x21 || (*dst > foo && < bar) || etc,
> so that a human can actually see in one look what the code is doing.
>
> You may want to wait for Arend to give his opinion before changing this though,
> maybe he likes the code as is.
>
> Also note that that should be < 0x20 of course, since we need to preserve spaces
> as is to avoid a regression.
This has been already discussed, spaces are a problem. There even was an
opinion that adding the code that doesn't bother with spaces and slashes
might be a regression as well.
Regards,
v.
> Regards,
>
> Hans
>
>
>
>
>
> > + *dst = safe;
> > + dst++;
> > + }
> > +}
> > +
> > void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
> > {
> > const struct dmi_system_id *match;
> > @@ -126,6 +143,9 @@ void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
> > if (sys_vendor && product_name) {
> > snprintf(dmi_board_type, sizeof(dmi_board_type), "%s-%s",
> > sys_vendor, product_name);
> > + brcmf_dmi_sanitize(dmi_board_type,
> > + brcmf_dmi_allowed_chars,
> > + BRCMF_DMI_SAFE_CHAR);
> > settings->board_type = dmi_board_type;
> > }
> > }
> >
>
^ permalink raw reply
* RE: [PATCH v2 4/5] rtw88: fix unassigned rssi_level in rtw_sta_info
From: Tony Chuang @ 2019-05-06 8:54 UTC (permalink / raw)
To: Kalle Valo; +Cc: linux-wireless@vger.kernel.org
In-Reply-To: <874l68vuhi.fsf@purkki.adurom.net>
> -----Original Message-----
> From: Kalle Valo [mailto:kvalo@codeaurora.org]
> Sent: Monday, May 06, 2019 4:49 PM
> To: Tony Chuang
> Cc: linux-wireless@vger.kernel.org
> Subject: Re: [PATCH v2 4/5] rtw88: fix unassigned rssi_level in rtw_sta_info
>
> <yhchuang@realtek.com> writes:
>
> > From: Yan-Hsuan Chuang <yhchuang@realtek.com>
> >
> > The new rssi_level should be stored in si, otherwise the rssi_level will
> > never be updated and get a wrong RA mask, which is calculated by the
> > rssi level
> >
> > Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
>
> Stanislaw suggested that this should go to 5.2. So what breaks from
> user's point of view if this is not applied?
>
If the rssi level remains unchanged, then we could choose wrong ra_mask.
And some *bad rates* we be chosen by firmware.
The most hurtful scene would be *noisy environment* such as office, or public.
The latency would be high and overall throughput would be only half.
(This was tested, such as 4x Mbps -> 1x Mbps)
Yan-Hsuan
^ permalink raw reply
* Re: [PATCH v2 4/5] rtw88: fix unassigned rssi_level in rtw_sta_info
From: Kalle Valo @ 2019-05-06 8:48 UTC (permalink / raw)
To: yhchuang; +Cc: linux-wireless
In-Reply-To: <1556884415-23474-5-git-send-email-yhchuang@realtek.com>
<yhchuang@realtek.com> writes:
> From: Yan-Hsuan Chuang <yhchuang@realtek.com>
>
> The new rssi_level should be stored in si, otherwise the rssi_level will
> never be updated and get a wrong RA mask, which is calculated by the
> rssi level
>
> Signed-off-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Stanislaw suggested that this should go to 5.2. So what breaks from
user's point of view if this is not applied?
--
Kalle Valo
^ permalink raw reply
* Re: [PATCH RFC] brcmfmac: sanitize DMI strings v2
From: Kalle Valo @ 2019-05-06 8:44 UTC (permalink / raw)
To: Victor Bravo
Cc: Arend Van Spriel, Franky Lin, Hante Meuleman, Chi-Hsien Lin,
Wright Feng, David S. Miller, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list, linux-kernel,
Hans de Goede
In-Reply-To: <20190505150355.3fbng4ny34x255vk@localhost>
Victor Bravo <1905@spmblk.com> writes:
> Sanitize DMI strings in brcmfmac driver to make resulting filenames
> contain only safe characters. This version replaces all non-printable
> characters incl. delete (0-31, 127-255), spaces and slashes with
> underscores.
>
> This change breaks backward compatibility, but adds control over strings
> passed to firmware loader and compatibility with CONFIG_EXTRA_FIRMWARE
> which doesn't support spaces in filenames.
>
> Changes from v1: don't revert fresh commit by someone else
>
> Signed-off-by: Victor Bravo <1905@spmblk.com>
The version should be in brackets "[PATCH RFC v2]" and the change log
after "---" line:
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
--
Kalle Valo
^ permalink raw reply
* Re: [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
From: Stanislaw Gruszka @ 2019-05-06 8:42 UTC (permalink / raw)
To: linux-wireless, Kalle Valo; +Cc: Yan-Hsuan Chuang
In-Reply-To: <20190506073917.10106-1-sgruszka@redhat.com>
This is for 5.2 and v2 obviously.
Stanislaw
On Mon, May 06, 2019 at 09:39:17AM +0200, Stanislaw Gruszka wrote:
> My compiler complains about:
>
> drivers/net/wireless/realtek/rtw88/phy.c: In function ???rtw_phy_rf_power_2_rssi???:
> drivers/net/wireless/realtek/rtw88/phy.c:430:26: warning: array subscript is above array bounds [-Warray-bounds]
> linear = db_invert_table[i][j];
>
> According to comment power_db should be in range 1 ~ 96 .
> To fix add check for boundaries before access the array.
>
> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> ---
> RFC -> v1
> - add check before accessing the array insted of
> rtw_phy_power_2_db() change.
> v1 -> v2:
> - return 1 for power_db < 1
>
> drivers/net/wireless/realtek/rtw88/phy.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c
> index 4381b360b5b5..9ca52a4d025a 100644
> --- a/drivers/net/wireless/realtek/rtw88/phy.c
> +++ b/drivers/net/wireless/realtek/rtw88/phy.c
> @@ -423,6 +423,11 @@ static u64 rtw_phy_db_2_linear(u8 power_db)
> u8 i, j;
> u64 linear;
>
> + if (power_db > 96)
> + power_db = 96;
> + else if (power_db < 1)
> + return 1;
> +
> /* 1dB ~ 96dB */
> i = (power_db - 1) >> 3;
> j = (power_db - 1) - (i << 3);
> --
> 2.20.1
>
^ permalink raw reply
* Re: [PATCH RFC] brcmfmac: sanitize DMI strings v2
From: Kalle Valo @ 2019-05-06 8:42 UTC (permalink / raw)
To: Hans de Goede
Cc: Victor Bravo, Arend Van Spriel, Franky Lin, Hante Meuleman,
Chi-Hsien Lin, Wright Feng, David S. Miller, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list, linux-kernel
In-Reply-To: <0f75a3d4-94af-5503-94c3-e8af2364448d@redhat.com>
Hans de Goede <hdegoede@redhat.com> writes:
>> @@ -99,6 +107,15 @@ static const struct dmi_system_id dmi_platform_data[] = {
>> {}
>> };
>> +void brcmf_dmi_sanitize(char *dst, const unsigned char *allowed,
>> char safe)
>> +{
>> + while (*dst) {
>> + if ((*dst < 0) || !(allowed[*dst / 8] & (1 << (*dst % 8))))
>
> At a first look I have no clue what this code is doing and I honestly do not feel
> like figuring it out, this is clever, but IMHO not readable.
>
> Please just write this as if (*dst < 0x21 || (*dst > foo && < bar) || etc,
> so that a human can actually see in one look what the code is doing.
Is there an existing function for sanitising filenames so that we don't
need to reinvent the wheel, maybe something like isalnum()?
--
Kalle Valo
^ permalink raw reply
* Re: [PATCH v2 0/5] rtw88: minor fixes from suggestions during review
From: Stanislaw Gruszka @ 2019-05-06 8:40 UTC (permalink / raw)
To: Kalle Valo; +Cc: yhchuang, linux-wireless
In-Reply-To: <87ftpvkal1.fsf@kamboji.qca.qualcomm.com>
On Fri, May 03, 2019 at 03:04:58PM +0300, Kalle Valo wrote:
> <yhchuang@realtek.com> writes:
>
> > From: Yan-Hsuan Chuang <yhchuang@realtek.com>
> >
> > The series fix some small problems for rtw88, most of the suggestions
> > are from the review process.
> >
> >
> > v1 -> v2
> >
> > - modify description for LPS, ", turn off" -> ", to turn off"
> > - drop patch "rtw88: mac: remove dangerous while (1)",
> > should re-write the power sequence parsing code to make sense of avoiding
> > infinite loop
> > - unify Makefile license to Dual GPL/BSD
> >
> >
> > Yan-Hsuan Chuang (5):
> > rtw88: add license for Makefile
> > rtw88: pci: use ieee80211_ac_numbers instead of 0-3
> > rtw88: pci: check if queue mapping exceeds size of ac_to_hwq
> > rtw88: fix unassigned rssi_level in rtw_sta_info
> > rtw88: more descriptions about LPS
>
> I was just in the next few minutes about to tag the last -next pull for
> 5.2. I'll apply patch 1 now so that we have consistent licenses for 5.2
> but the rest have to wait for 5.3.
I think '[PATCH v2 4/5] rtw88: fix unassigned rssi_level in rtw_sta_inf'
should go to 5.2 .
Stanislaw
^ permalink raw reply
* Re: pull-request: wireless-drivers 2019-04-30
From: Kalle Valo @ 2019-05-06 8:29 UTC (permalink / raw)
To: David Miller; +Cc: linux-wireless, netdev, linux-kernel
In-Reply-To: <20190505.005130.1921658214241614481.davem@davemloft.net>
David Miller <davem@davemloft.net> writes:
> From: Kalle Valo <kvalo@codeaurora.org>
> Date: Tue, 30 Apr 2019 19:55:45 +0300
>
>> David Miller <davem@davemloft.net> writes:
>>
>>> Thanks for the conflict resolution information, it is very helpful.
>>>
>>> However, can you put it into the merge commit text next time as well?
>>> I cut and pasted it in there when I pulled this stuff in.
>>
>> A good idea, I'll do that. Just to be sure, do you mean that I should
>> add it only with conflicts between net and net-next (like in this case)?
>> Or should I add it everytime I see a conflict, for example between
>> wireless-drivers-next and net-next? I hope my question is not too
>> confusing...
>
> When there is a major conflict for me to resolve when I pull in your
> pull reqeust, please place the conflict resolution help text into the
> merge commit message.
>
> I hope this is now clear :-)
Got it now, thanks!
--
Kalle Valo
^ permalink raw reply
* RE: [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
From: Tony Chuang @ 2019-05-06 8:29 UTC (permalink / raw)
To: Stanislaw Gruszka, linux-wireless@vger.kernel.org
In-Reply-To: <20190506073917.10106-1-sgruszka@redhat.com>
> Subject: [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
>
> My compiler complains about:
>
> drivers/net/wireless/realtek/rtw88/phy.c: In function
> ‘rtw_phy_rf_power_2_rssi’:
> drivers/net/wireless/realtek/rtw88/phy.c:430:26: warning: array subscript is
> above array bounds [-Warray-bounds]
> linear = db_invert_table[i][j];
>
> According to comment power_db should be in range 1 ~ 96 .
> To fix add check for boundaries before access the array.
>
> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> ---
> RFC -> v1
> - add check before accessing the array insted of
> rtw_phy_power_2_db() change.
> v1 -> v2:
> - return 1 for power_db < 1
>
> drivers/net/wireless/realtek/rtw88/phy.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtw88/phy.c
> b/drivers/net/wireless/realtek/rtw88/phy.c
> index 4381b360b5b5..9ca52a4d025a 100644
> --- a/drivers/net/wireless/realtek/rtw88/phy.c
> +++ b/drivers/net/wireless/realtek/rtw88/phy.c
> @@ -423,6 +423,11 @@ static u64 rtw_phy_db_2_linear(u8 power_db)
> u8 i, j;
> u64 linear;
>
> + if (power_db > 96)
> + power_db = 96;
> + else if (power_db < 1)
> + return 1;
> +
> /* 1dB ~ 96dB */
> i = (power_db - 1) >> 3;
> j = (power_db - 1) - (i << 3);
> --
Thanks. For this patch.
Acked-by: Yan-Hsuan Chuang <yhchuang@realtek.com>
Yan-Hsuan
^ permalink raw reply
* Re: [PATCH] net: wireless: ath9k: Return an error when ath9k_hw_reset() fails
From: Kalle Valo @ 2019-05-06 8:24 UTC (permalink / raw)
To: Heiner Kallweit
Cc: Jia-Ju Bai, ath9k-devel, davem, linux-wireless, netdev,
linux-kernel
In-Reply-To: <e47117d6-f918-1dd0-834e-d056534bfead@gmail.com>
Heiner Kallweit <hkallweit1@gmail.com> writes:
> On 04.05.2019 12:08, Jia-Ju Bai wrote:
>> ath9k_hw_reset() in ath9k_start() can fail, and in this case,
>> ath9k_start() should return an error instead of executing the
>> subsequent code.
>>
> Such mechanical patches w/o understanding the code are always
> problematic. Do you have any proof that this error is fatal?
> I think it is not, else we wouldn't have this line:
> ah->reset_power_on = false;
> Also you should consider that a mutex and a spinlock are held.
> Maybe changing the error message to a warning would be more
> appropriate. But this I would leave to somebody being more
> familiar with this driver.
A very good point, thanks Heiner! I will drop this unless someone
familiar with ath9k says that this is ok.
--
Kalle Valo
^ permalink raw reply
* Re: [PATCH] net: wireless: b43: Avoid possible double calls to b43_one_core_detach()
From: Kalle Valo @ 2019-05-06 8:21 UTC (permalink / raw)
To: Jia-Ju Bai
Cc: davem, colin.king, yuehaibing, linux-wireless, b43-dev, netdev,
linux-kernel
In-Reply-To: <20190504091000.18665-1-baijiaju1990@gmail.com>
Jia-Ju Bai <baijiaju1990@gmail.com> writes:
> In b43_request_firmware(), when ieee80211_register_hw() fails,
> b43_one_core_detach() is called. In b43_bcma_remove() and
> b43_ssb_remove(), b43_one_core_detach() is called again. In this case,
> null-pointer dereferences and double-free problems can occur when
> the driver is removed.
>
> To fix this bug, the call to b43_one_core_detach() in
> b43_request_firmware() is deleted.
>
> This bug is found by a runtime fuzzing tool named FIZZER written by us.
>
> Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
> ---
> drivers/net/wireless/broadcom/b43/main.c | 7 +------
> 1 file changed, 1 insertion(+), 6 deletions(-)
You can use just "b43:" as prefix, no need to have "net:" nor
"wireless:" in the title. I'll fix it this time, but please use correct
style in the future.
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches#commit_title_is_wrong
--
Kalle Valo
^ permalink raw reply
* Re: [PATCH RFC] brcmfmac: sanitize DMI strings v2
From: Hans de Goede @ 2019-05-06 8:13 UTC (permalink / raw)
To: Victor Bravo, Arend Van Spriel
Cc: Franky Lin, Hante Meuleman, Chi-Hsien Lin, Wright Feng,
Kalle Valo, David S. Miller, linux-wireless,
brcm80211-dev-list.pdl, brcm80211-dev-list, linux-kernel
In-Reply-To: <20190505150355.3fbng4ny34x255vk@localhost>
Hi,
On 05-05-19 17:03, Victor Bravo wrote:
> Sanitize DMI strings in brcmfmac driver to make resulting filenames
> contain only safe characters. This version replaces all non-printable
> characters incl. delete (0-31, 127-255), spaces and slashes with
> underscores.
>
> This change breaks backward compatibility, but adds control over strings
> passed to firmware loader and compatibility with CONFIG_EXTRA_FIRMWARE
> which doesn't support spaces in filenames.
>
> Changes from v1: don't revert fresh commit by someone else
>
> Signed-off-by: Victor Bravo <1905@spmblk.com>
Thank you for the patch, but I'm sorry to say this patch cannot go in as is,
because it will break existing systems.
If you look here:
https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/brcm
You will see a file named: "brcmfmac43430a0-sdio.ONDA-V80 PLUS.txt" there, which
has a space in its name (and which works fine).
I'm fine with doing some sanitizing of the strings, but replacing spaces with _
breaks existing use-cases (will cause a regression for them) and a space is absolutely
a valid character in a filename and the firmware-loader can deal with this just fine.
If the code for building firmwares into the kernel cannot deal with spaces then IMHO
that code should be fixed instead. Have you looked into fixing that?
As for your T100HA example from earlier in this thread, the brcmfmac driver now
also supports getting the firmware from a special EFI nvram variable, which the
T100HA sets, so you do not need to provide a nvram file on the T100HA and things
will still work.
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> index 7535cb0d4ac0..84571e09b465 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/dmi.c
> @@ -23,6 +23,14 @@
> /* The DMI data never changes so we can use a static buf for this */
> static char dmi_board_type[128];
>
> +/* Array of 128 bits representing 7-bit characters allowed in DMI strings. */
> +static unsigned char brcmf_dmi_allowed_chars[] = {
> + 0x00, 0x00, 0x00, 0x00, 0xfe, 0x7f, 0xff, 0xff,
> + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
> +};
> +
> +#define BRCMF_DMI_SAFE_CHAR '_'
> +
> struct brcmf_dmi_data {
> u32 chip;
> u32 chiprev;
> @@ -99,6 +107,15 @@ static const struct dmi_system_id dmi_platform_data[] = {
> {}
> };
>
> +void brcmf_dmi_sanitize(char *dst, const unsigned char *allowed, char safe)
> +{
> + while (*dst) {
> + if ((*dst < 0) || !(allowed[*dst / 8] & (1 << (*dst % 8))))
At a first look I have no clue what this code is doing and I honestly do not feel
like figuring it out, this is clever, but IMHO not readable.
Please just write this as if (*dst < 0x21 || (*dst > foo && < bar) || etc,
so that a human can actually see in one look what the code is doing.
You may want to wait for Arend to give his opinion before changing this though,
maybe he likes the code as is.
Also note that that should be < 0x20 of course, since we need to preserve spaces
as is to avoid a regression.
Regards,
Hans
> + *dst = safe;
> + dst++;
> + }
> +}
> +
> void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
> {
> const struct dmi_system_id *match;
> @@ -126,6 +143,9 @@ void brcmf_dmi_probe(struct brcmf_mp_device *settings, u32 chip, u32 chiprev)
> if (sys_vendor && product_name) {
> snprintf(dmi_board_type, sizeof(dmi_board_type), "%s-%s",
> sys_vendor, product_name);
> + brcmf_dmi_sanitize(dmi_board_type,
> + brcmf_dmi_allowed_chars,
> + BRCMF_DMI_SAFE_CHAR);
> settings->board_type = dmi_board_type;
> }
> }
>
^ permalink raw reply
* Re: [PATCH v4 07/10] net: wireless: support of_get_mac_address new ERR_PTR error
From: Kalle Valo @ 2019-05-06 7:59 UTC (permalink / raw)
To: Petr Štetiar
Cc: netdev, devicetree, QCA ath9k Development, David S. Miller,
Felix Fietkau, Lorenzo Bianconi, Matthias Brugger,
Stanislaw Gruszka, Helmut Schaa, Andrew Lunn, Florian Fainelli,
Heiner Kallweit, Frank Rowand, Srinivas Kandagatla, Maxime Ripard,
linux-wireless, linux-kernel, linux-arm-kernel, linux-mediatek
In-Reply-To: <1556893635-18549-8-git-send-email-ynezz@true.cz>
Petr Štetiar <ynezz@true.cz> writes:
> There was NVMEM support added to of_get_mac_address, so it could now return
> ERR_PTR encoded error values, so we need to adjust all current users of
> of_get_mac_address to this new fact.
>
> Signed-off-by: Petr Štetiar <ynezz@true.cz>
> ---
>
> Changes since v3:
>
> * IS_ERR_OR_NULL -> IS_ERR
>
> drivers/net/wireless/ath/ath9k/init.c | 2 +-
> drivers/net/wireless/mediatek/mt76/eeprom.c | 2 +-
> drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 2 +-
> 3 files changed, 3 insertions(+), 3 deletions(-)
Via which tree is this supposed to go? In case something else than my
wireless-drivers-next:
Acked-by: Kalle Valo <kvalo@codeaurora.org>
--
Kalle Valo
^ permalink raw reply
* Re: static analysis issue in rtl8188de driver
From: Pkshih @ 2019-05-06 7:56 UTC (permalink / raw)
To: linux-wireless@vger.kernel.org, colin.king@canonical.com,
kvalo@codeaurora.org, Larry.Finger@lwfinger.net
Cc: linux-kernel@vger.kernel.org
In-Reply-To: <a1842b3e-f0af-d1a1-8609-a76c25dfd37b@canonical.com>
On Sat, 2019-05-04 at 21:50 +0000, Colin Ian King wrote:
> Hi,
>
> Static analysis with Coverity has found an issue in the rtl8188de
> wireless driver in drivers/net/wireless/realtek/rtlwifi/rtl8192de/dm.c
> in function tl92d_dm_txpower_tracking_callback_thermalmeter.
>
> The issue is that u8 array ofdm_index[3] is never initialized, however
> it is decremented and incremented in two places resulting in garbage
> value from the stack being updated in the following code:
>
> if (thermalvalue > rtlpriv->dm.thermalvalue) {
> for (i = 0; i < rf; i++)
> ofdm_index[i] -= delta;
> cck_index -= delta;
> } else {
> for (i = 0; i < rf; i++)
> ofdm_index[i] += index;
> cck_index += index;
> }
>
> At my first look at the code I believe ofdm_index should be just
> zero-initialized at declaration time, but I suspect that I'm overlooking
> something maybe a bit deeper. Any ideas?
>
Hi Colin,
Thanks for your report.
After my quick look, there are at least two obvious problems.
One is array size of ofdm_index[] should be two instead. Another is the value
of ofdm_index[] should be obtained from rtlpriv->dm.ofdm_index[].
Since the logic is quite complex, I need some time to fix it.
PK
^ permalink raw reply
* [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
From: Stanislaw Gruszka @ 2019-05-06 7:39 UTC (permalink / raw)
To: linux-wireless; +Cc: Yan-Hsuan Chuang
My compiler complains about:
drivers/net/wireless/realtek/rtw88/phy.c: In function ‘rtw_phy_rf_power_2_rssi’:
drivers/net/wireless/realtek/rtw88/phy.c:430:26: warning: array subscript is above array bounds [-Warray-bounds]
linear = db_invert_table[i][j];
According to comment power_db should be in range 1 ~ 96 .
To fix add check for boundaries before access the array.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
---
RFC -> v1
- add check before accessing the array insted of
rtw_phy_power_2_db() change.
v1 -> v2:
- return 1 for power_db < 1
drivers/net/wireless/realtek/rtw88/phy.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw88/phy.c b/drivers/net/wireless/realtek/rtw88/phy.c
index 4381b360b5b5..9ca52a4d025a 100644
--- a/drivers/net/wireless/realtek/rtw88/phy.c
+++ b/drivers/net/wireless/realtek/rtw88/phy.c
@@ -423,6 +423,11 @@ static u64 rtw_phy_db_2_linear(u8 power_db)
u8 i, j;
u64 linear;
+ if (power_db > 96)
+ power_db = 96;
+ else if (power_db < 1)
+ return 1;
+
/* 1dB ~ 96dB */
i = (power_db - 1) >> 3;
j = (power_db - 1) - (i << 3);
--
2.20.1
^ permalink raw reply related
* [PATCH] ath10k: acquire lock to fix lockdep's warning
From: Claire Chang @ 2019-05-06 7:38 UTC (permalink / raw)
To: kvalo; +Cc: linux-wireless, ath10k, wgong, drinkcat, Claire Chang
Lockdep warns at lockdep_assert_held(&ar->data_lock) in
ath10k_htt_rx_pn_check_replay_hl(). Acquire ar->data_lock before calling
ath10k_htt_rx_pn_check_replay_hl() to fix it.
Call trace:
ath10k_htt_rx_pn_check_replay_hl+0x118/0x134 [ath10k_core]
ath10k_htt_rx_proc_rx_ind_hl+0xd8/0x250 [ath10k_core]
ath10k_htt_t2h_msg_handler+0x148/0xf30 [ath10k_core]
ath10k_htt_htc_t2h_msg_handler+0x24/0x40 [ath10k_core]
ath10k_sdio_irq_handler+0x374/0xaa4 [ath10k_sdio]
Fixes: 130c77495708 ("ath10k: add PN replay protection for high latency devices")
Signed-off-by: Claire Chang <tientzu@chromium.org>
---
drivers/net/wireless/ath/ath10k/htt_rx.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c
index 9eed1cb17fda..3e3be1e5bbaf 100644
--- a/drivers/net/wireless/ath/ath10k/htt_rx.c
+++ b/drivers/net/wireless/ath/ath10k/htt_rx.c
@@ -1952,6 +1952,7 @@ static bool ath10k_htt_rx_proc_rx_ind_hl(struct ath10k_htt *htt,
int num_mpdu_ranges;
size_t tot_hdr_len;
struct ieee80211_channel *ch;
+ bool pn_invalid;
peer_id = __le16_to_cpu(rx->hdr.peer_id);
@@ -1983,9 +1984,13 @@ static bool ath10k_htt_rx_proc_rx_ind_hl(struct ath10k_htt *htt,
goto err;
}
- if (check_pn_type == HTT_RX_PN_CHECK &&
- ath10k_htt_rx_pn_check_replay_hl(ar, peer, rx))
- goto err;
+ if (check_pn_type == HTT_RX_PN_CHECK) {
+ spin_lock_bh(&ar->data_lock);
+ pn_invalid = ath10k_htt_rx_pn_check_replay_hl(ar, peer, rx);
+ spin_unlock_bh(&ar->data_lock);
+ if (pn_invalid)
+ goto err;
+ }
/* Strip off all headers before the MAC header before delivery to
* mac80211
--
2.21.0.1020.gf2820cf01a-goog
^ permalink raw reply related
* RE: [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
From: Tony Chuang @ 2019-05-06 6:51 UTC (permalink / raw)
To: Stanislaw Gruszka; +Cc: linux-wireless@vger.kernel.org
In-Reply-To: <20190506064357.GB5115@redhat.com>
> Subject: Re: [PATCH 5.1] rtw88: fix subscript above array bounds compiler
> warning
>
> On Mon, May 06, 2019 at 06:32:01AM +0000, Tony Chuang wrote:
> > > Subject: [PATCH 5.1] rtw88: fix subscript above array bounds compiler
> warning
> > >
> > > My compiler complains about:
> > >
> > > drivers/net/wireless/realtek/rtw88/phy.c: In function
> > > ‘rtw_phy_rf_power_2_rssi’:
> > > drivers/net/wireless/realtek/rtw88/phy.c:430:26: warning: array subscript is
> > > above array bounds [-Warray-bounds]
> > > linear = db_invert_table[i][j];
> > >
> > > According to comment power_db should be in range 1 ~ 96 .
> > > To fix add check for boundaries before access the array.
> > >
> > > Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> > > ---
> > > RFC -> v1
> > > - add check before accessing the array insted of
> > > rtw_phy_power_2_db() change.
> > >
> > > drivers/net/wireless/realtek/rtw88/phy.c | 5 +++++
> > > 1 file changed, 5 insertions(+)
> > >
> > > diff --git a/drivers/net/wireless/realtek/rtw88/phy.c
> > > b/drivers/net/wireless/realtek/rtw88/phy.c
> > > index 4381b360b5b5..9ca52a4d025a 100644
> > > --- a/drivers/net/wireless/realtek/rtw88/phy.c
> > > +++ b/drivers/net/wireless/realtek/rtw88/phy.c
> > > @@ -423,6 +423,11 @@ static u64 rtw_phy_db_2_linear(u8 power_db)
> > > u8 i, j;
> > > u64 linear;
> > >
> > > + if (power_db > 96)
> > > + power_db = 96;
> > > + else if (power_db < 1)
> > > + power_db = 1;
> >
> > I think it's "return 1" here.
>
> Ehh, I missed that in your comment. However 'return 1' change
> the output of rtw_phy_db_2_linear() quite substantially
> as the smallest value (for power_db = 1) from db_invert_table[][]
> is 10. I'll post v2 patch, but please double check it's indeed
> correct logic. Thanks.
>
I think "return 1" is correct because 0 is not in domain 1~96.
And indeed anything to the power of zero is 1.
Thanks.
Yan-Hsuan
^ permalink raw reply
* Re: [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
From: Stanislaw Gruszka @ 2019-05-06 6:43 UTC (permalink / raw)
To: Tony Chuang; +Cc: linux-wireless@vger.kernel.org
In-Reply-To: <F7CD281DE3E379468C6D07993EA72F84D17EB2B5@RTITMBSVM04.realtek.com.tw>
On Mon, May 06, 2019 at 06:32:01AM +0000, Tony Chuang wrote:
> > Subject: [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
> >
> > My compiler complains about:
> >
> > drivers/net/wireless/realtek/rtw88/phy.c: In function
> > ‘rtw_phy_rf_power_2_rssi’:
> > drivers/net/wireless/realtek/rtw88/phy.c:430:26: warning: array subscript is
> > above array bounds [-Warray-bounds]
> > linear = db_invert_table[i][j];
> >
> > According to comment power_db should be in range 1 ~ 96 .
> > To fix add check for boundaries before access the array.
> >
> > Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> > ---
> > RFC -> v1
> > - add check before accessing the array insted of
> > rtw_phy_power_2_db() change.
> >
> > drivers/net/wireless/realtek/rtw88/phy.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/drivers/net/wireless/realtek/rtw88/phy.c
> > b/drivers/net/wireless/realtek/rtw88/phy.c
> > index 4381b360b5b5..9ca52a4d025a 100644
> > --- a/drivers/net/wireless/realtek/rtw88/phy.c
> > +++ b/drivers/net/wireless/realtek/rtw88/phy.c
> > @@ -423,6 +423,11 @@ static u64 rtw_phy_db_2_linear(u8 power_db)
> > u8 i, j;
> > u64 linear;
> >
> > + if (power_db > 96)
> > + power_db = 96;
> > + else if (power_db < 1)
> > + power_db = 1;
>
> I think it's "return 1" here.
Ehh, I missed that in your comment. However 'return 1' change
the output of rtw_phy_db_2_linear() quite substantially
as the smallest value (for power_db = 1) from db_invert_table[][]
is 10. I'll post v2 patch, but please double check it's indeed
correct logic. Thanks.
Stanislaw
^ permalink raw reply
* RE: [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
From: Tony Chuang @ 2019-05-06 6:32 UTC (permalink / raw)
To: Stanislaw Gruszka, linux-wireless@vger.kernel.org
In-Reply-To: <20190506062358.8288-1-sgruszka@redhat.com>
> Subject: [PATCH 5.1] rtw88: fix subscript above array bounds compiler warning
>
> My compiler complains about:
>
> drivers/net/wireless/realtek/rtw88/phy.c: In function
> ‘rtw_phy_rf_power_2_rssi’:
> drivers/net/wireless/realtek/rtw88/phy.c:430:26: warning: array subscript is
> above array bounds [-Warray-bounds]
> linear = db_invert_table[i][j];
>
> According to comment power_db should be in range 1 ~ 96 .
> To fix add check for boundaries before access the array.
>
> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
> ---
> RFC -> v1
> - add check before accessing the array insted of
> rtw_phy_power_2_db() change.
>
> drivers/net/wireless/realtek/rtw88/phy.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/drivers/net/wireless/realtek/rtw88/phy.c
> b/drivers/net/wireless/realtek/rtw88/phy.c
> index 4381b360b5b5..9ca52a4d025a 100644
> --- a/drivers/net/wireless/realtek/rtw88/phy.c
> +++ b/drivers/net/wireless/realtek/rtw88/phy.c
> @@ -423,6 +423,11 @@ static u64 rtw_phy_db_2_linear(u8 power_db)
> u8 i, j;
> u64 linear;
>
> + if (power_db > 96)
> + power_db = 96;
> + else if (power_db < 1)
> + power_db = 1;
I think it's "return 1" here.
> +
> /* 1dB ~ 96dB */
> i = (power_db - 1) >> 3;
> j = (power_db - 1) - (i << 3);
> --
Yan-Hsuan
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox