From 8a952a955de705724b715e4b595a89bee8c11b9f Mon Sep 17 00:00:00 2001 From: Caleb Connolly Date: Thu, 17 Jun 2021 11:29:40 +0300 Subject: [PATCH 1/4] ath10k: demote chan info without scan request warning Some devices/firmwares cause this to be printed every 5-15 seconds, though it has no impact on functionality. Demote this to a debug message. I see this on SDM845 and MSM8998 platforms, specifically the OnePlus 6 devices, PocoPhone F1 and OnePlus 5. On the OnePlus 6 (SDM845) we are stuck with the following signed vendor fw: [ 9.339873] ath10k_snoc 18800000.wifi: qmi chip_id 0x30214 chip_family 0x4001 board_id 0xff soc_id 0x40030001 [ 9.339897] ath10k_snoc 18800000.wifi: qmi fw_version 0x20060029 fw_build_timestamp 2019-07-12 02:14 fw_build_id QC_IMAGE_VERSION_STRING=WLAN.HL.2.0.c8-00041-QCAHLSWMTPLZ-1 The OnePlus 5 (MSM8998) is using firmware: [ 6096.956799] ath10k_snoc 18800000.wifi: qmi chip_id 0x30214 chip_family 0x4001 board_id 0xff soc_id 0x40010002 [ 6096.956824] ath10k_snoc 18800000.wifi: qmi fw_version 0x1007007e fw_build_timestamp 2020-04-14 22:45 fw_build_id QC_IMAGE_VERSION_STRING=WLAN.HL.1.0.c6-00126-QCAHLSWMTPLZ-1.211883.1.278648. Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0.c8-00041-QCAHLSWMTPLZ-1 Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.1.0.c6-00126-QCAHLSWMTPLZ-1.211883.1.278648 Signed-off-by: Caleb Connolly Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210522171609.299611-1-caleb@connolly.tech
---
 drivers/net/wireless/ath/ath10k/wmi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath10k/wmi.c b/drivers/net/wireless/ath/ath10k/wmi.c
index f42bf2c8f9e7..b8a4bbfe10b8 100644
--- a/drivers/net/wireless/ath/ath10k/wmi.c
+++ b/drivers/net/wireless/ath/ath10k/wmi.c
@@ -2795,7 +2795,7 @@ void ath10k_wmi_event_chan_info(struct ath10k *ar, struct sk_buff *skb)
 switch (ar->scan.state) {
 case ATH10K_SCAN_IDLE:
 case ATH10K_SCAN_STARTING:
- ath10k_warn(ar, "received chan info event without a scan request, ignoring\n");
+ ath10k_dbg(ar, ATH10K_DBG_WMI, "received chan info event without a scan request, ignoring\n");
 goto exit;
 case ATH10K_SCAN_RUNNING:
 case ATH10K_SCAN_ABORTING:
From 49f5b114e36ebc69318ab95f98b57df7458b0f42 Mon Sep 17 00:00:00 2001 From: Anilkumar Kolli Date: Thu, 17 Jun 2021 11:29:40 +0300 Subject: [PATCH 2/4] ath11k: Enable QCN9074 device The issues mentioned in commit 4e80946197a8 ("ath11k: add qcn9074 pci device support") are fixed in firmware. This patch enables QCN9074 device. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1-01838-QCAHKSWPL_SILICONZ-1 Signed-off-by: Anilkumar Kolli Signed-off-by: Jouni Malinen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210615211348.92168-1-jouni@codeaurora.org
---
 drivers/net/wireless/ath/ath11k/pci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c
index f8f6b2090dad..646ad79f309c 100644
--- a/drivers/net/wireless/ath/ath11k/pci.c
+++ b/drivers/net/wireless/ath/ath11k/pci.c
@@ -41,7 +41,7 @@ static const struct pci_device_id ath11k_pci_id_table[] = {
 { PCI_VDEVICE(QCOM, QCA6390_DEVICE_ID) },
 { PCI_VDEVICE(QCOM, WCN6855_DEVICE_ID) },
- /* TODO: add QCN9074_DEVICE_ID) once firmware issues are resolved */
+ { PCI_VDEVICE(QCOM, QCN9074_DEVICE_ID) },
 {0}
 };
From c8bcd82a4efd053cdd5ce515a8b0003011a5f756 Mon Sep 17 00:00:00 2001
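Review bot: The demoted message in the `ATH10K_SCAN_IDLE`/`ATH10K_SCAN_STARTING` branch of ath10k_wmi_event_chan_info() now appears only when the `ATH10K_DBG_WMI` debug mask is enabled, so an unsolicited chan info event from firmware leaves no trace in a default log. The reason for accepting that is recorded only in the commit message; a comment above the call would keep it with the code, for example `/* some WCN3990 firmware sends these every few seconds outside a scan; harmless */`. The function body starts and ends outside the hunk.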
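Review bot: The new `QCN9074_DEVICE_ID` entry in ath11k_pci_id_table makes the driver bind to every QCN9074 device, while the commit message says the earlier problems were fixed in firmware rather than in the driver. Nothing in this hunk ties the binding to a firmware build, so a card still running older firmware would presumably hit the issues referenced from commit 4e80946197a8; whether the probe path checks the firmware version is not visible here. At minimum the removed TODO could be replaced by a comment that records the requirement, for example `/* QCN9074: requires firmware that resolves the issues noted in 4e80946197a8 */`.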
From: Kees Cook Date: Wed, 16 Jun 2021 12:54:10 -0700 Subject: [PATCH 3/4] ath11k: Avoid memcpy() over-reading of he_cap In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring array fields. Since peer_he_cap_{mac,phy}info and he_cap_elem.{mac,phy}_cap_info are not the same sizes, memcpy() was reading beyond field boundaries. Instead, correctly cap the copy length and pad out any difference in size (peer_he_cap_macinfo is 8 bytes whereas mac_cap_info is 6, and peer_he_cap_phyinfo is 12 bytes whereas phy_cap_info is 11). Signed-off-by: Kees Cook Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210616195410.1232119-1-keescook@chromium.org
---
 drivers/net/wireless/ath/ath11k/mac.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
index eb52332dbe3f..e9b3689331ec 100644
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
@@ -1314,10 +1314,16 @@ static void ath11k_peer_assoc_h_he(struct ath11k *ar,
 arg->he_flag = true;
- memcpy(&arg->peer_he_cap_macinfo, he_cap->he_cap_elem.mac_cap_info,
- sizeof(arg->peer_he_cap_macinfo));
- memcpy(&arg->peer_he_cap_phyinfo, he_cap->he_cap_elem.phy_cap_info,
- sizeof(arg->peer_he_cap_phyinfo));
+ memcpy_and_pad(&arg->peer_he_cap_macinfo,
+ sizeof(arg->peer_he_cap_macinfo),
+ he_cap->he_cap_elem.mac_cap_info,
+ sizeof(he_cap->he_cap_elem.mac_cap_info),
+ 0);
+ memcpy_and_pad(&arg->peer_he_cap_phyinfo,
+ sizeof(arg->peer_he_cap_phyinfo),
+ he_cap->he_cap_elem.phy_cap_info,
+ sizeof(he_cap->he_cap_elem.phy_cap_info),
+ 0);
 arg->peer_he_ops = vif->bss_conf.he_oper.params;
 /* the top most byte is used to indicate BSS color info */
From d3a1a18ab034fcbec575d10f016b4ae02358cbde Mon Sep 17 00:00:00 2001
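Review bot: Both `memcpy_and_pad()` calls in ath11k_peer_assoc_h_he() are complete only while each destination is at least as large as its source, because memcpy_and_pad() copies just the destination length and silently drops the remainder when the source is larger. The sizes that make this safe today (8 vs 6 bytes, 12 vs 11 bytes) are stated only in the commit message. A compile-time check next to the calls would pin them, `BUILD_BUG_ON(sizeof(arg->peer_he_cap_macinfo) < sizeof(he_cap->he_cap_elem.mac_cap_info));` and the same for the phyinfo pair. The function starts and ends outside the hunk.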
From: Kees Cook Date: Thu, 17 Jun 2021 10:10:58 -0700 Subject: [PATCH 4/4] wcn36xx: Avoid memset() beyond end of struct field In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memset(), avoid intentionally writing across neighboring array fields. Instead of writing past the end of the header to reach the rest of the body, replace the redundant function with existing macro to wipe struct contents and set field values. Additionally adjusts macro to add missing parens. Signed-off-by: Kees Cook Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210617171058.3410494-1-keescook@chromium.org
---
 drivers/net/wireless/ath/wcn36xx/smd.c | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)
diff --git a/drivers/net/wireless/ath/wcn36xx/smd.c b/drivers/net/wireless/ath/wcn36xx/smd.c
index cf8e52cbdd9b..0e3be17d8cea 100644
--- a/drivers/net/wireless/ath/wcn36xx/smd.c
+++ b/drivers/net/wireless/ath/wcn36xx/smd.c
@@ -445,22 +445,12 @@ static int wcn36xx_smd_send_and_wait(struct wcn36xx *wcn, size_t len)
 return ret;
 }
-static void init_hal_msg(struct wcn36xx_hal_msg_header *hdr,
- enum wcn36xx_hal_host_msg_type msg_type,
- size_t msg_size)
-{
- memset(hdr, 0, msg_size + sizeof(*hdr));
- hdr->msg_type = msg_type;
- hdr->msg_version = WCN36XX_HAL_MSG_VERSION0;
- hdr->len = msg_size + sizeof(*hdr);
-}
-
 #define __INIT_HAL_MSG(msg_body, type, version) \
 do { \
- memset(&msg_body, 0, sizeof(msg_body)); \
- msg_body.header.msg_type = type; \
- msg_body.header.msg_version = version; \
- msg_body.header.len = sizeof(msg_body); \
+ memset(&(msg_body), 0, sizeof(msg_body)); \
+ (msg_body).header.msg_type = type; \
+ (msg_body).header.msg_version = version; \
+ (msg_body).header.len = sizeof(msg_body); \
 } while (0) \
 #define INIT_HAL_MSG(msg_body, type) \
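Review bot: The parentheses added to `__INIT_HAL_MSG` cover `msg_body` but not `type` and `version`, and `msg_body` is still expanded four times, so an argument with side effects would be evaluated repeatedly. Parenthesizing the remaining parameters closes the first gap, e.g. `(msg_body).header.msg_type = (type);` and `(msg_body).header.msg_version = (version);`. The context line `} while (0) \` also ends in a line continuation, which makes the macro's end depend on whatever line follows it; dropping that backslash would be safer. The `INIT_HAL_MSG` definition continues outside the hunk.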
@@ -2729,8 +2719,7 @@ int wcn36xx_smd_set_mc_list(struct wcn36xx *wcn,
 msg_body = (struct wcn36xx_hal_rcv_flt_pkt_set_mc_list_req_msg *) wcn->hal_buf;
- init_hal_msg(&msg_body->header, WCN36XX_HAL_8023_MULTICAST_LIST_REQ,
- sizeof(msg_body->mc_addr_list));
+ INIT_HAL_MSG(*msg_body, WCN36XX_HAL_8023_MULTICAST_LIST_REQ);
 /* An empty list means all mc traffic will be received */
 if (fp)
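Review bot: Switching wcn36xx_smd_set_mc_list() to `INIT_HAL_MSG(*msg_body, ...)` changes both the cleared range and `header.len` from the header size plus `sizeof(msg_body->mc_addr_list)` to `sizeof(*msg_body)`, assuming `INIT_HAL_MSG` expands to the `__INIT_HAL_MSG` body shown in the previous hunk. The two are equal only if the request struct holds nothing but the header and `mc_addr_list` with no padding; the struct definition is not in this hunk, so that cannot be confirmed here. A compile-time check would document the equivalence, `BUILD_BUG_ON(sizeof(*msg_body) != sizeof(msg_body->header) + sizeof(msg_body->mc_addr_list));`. The function starts and ends outside the hunk.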