<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/net/wireless/ath, branch linux-4.18.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ath10k: schedule hardware restart if WMI command times out</title>
<updated>2018-11-13T19:12:27+00:00</updated>
<author>
<name>Martin Willi</name>
<email>martin@strongswan.org</email>
</author>
<published>2018-08-22T07:39:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=043b60105fc21182f8604c734a63ae6630834f8e'/>
<id>043b60105fc21182f8604c734a63ae6630834f8e</id>
<content type='text'>
[ Upstream commit a9911937e7d332761e8c4fcbc7ba0426bdc3956f ]

When running in AP mode, ath10k sometimes suffers from TX credit
starvation. The issue is hard to reproduce and shows up once in a
few days, but has been repeatedly seen with QCA9882 and a large
range of firmwares, including 10.2.4.70.67.

Once the module is in this state, TX credits are never replenished,
which results in "SWBA overrun" errors, as no beacons can be sent.
Even worse, WMI commands run in a timeout while holding the conf
mutex for three seconds each, making any further operations slow
and the whole system unresponsive.

The firmware/driver never recovers from that state automatically,
and triggering TX flush or warm restarts won't work over WMI. So
issue a hardware restart if a WMI command times out due to missing
TX credits. This implies a connectivity outage of about 1.4s in AP
mode, but brings back the interface and the whole system to a usable
state. WMI command timeouts have not been seen in absent of this
specific issue, so taking such drastic actions seems legitimate.

Signed-off-by: Martin Willi &lt;martin@strongswan.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a9911937e7d332761e8c4fcbc7ba0426bdc3956f ]

When running in AP mode, ath10k sometimes suffers from TX credit
starvation. The issue is hard to reproduce and shows up once in a
few days, but has been repeatedly seen with QCA9882 and a large
range of firmwares, including 10.2.4.70.67.

Once the module is in this state, TX credits are never replenished,
which results in "SWBA overrun" errors, as no beacons can be sent.
Even worse, WMI commands run in a timeout while holding the conf
mutex for three seconds each, making any further operations slow
and the whole system unresponsive.

The firmware/driver never recovers from that state automatically,
and triggering TX flush or warm restarts won't work over WMI. So
issue a hardware restart if a WMI command times out due to missing
TX credits. This implies a connectivity outage of about 1.4s in AP
mode, but brings back the interface and the whole system to a usable
state. WMI command timeouts have not been seen in absent of this
specific issue, so taking such drastic actions seems legitimate.

Signed-off-by: Martin Willi &lt;martin@strongswan.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: fix scan crash due to incorrect length calculation</title>
<updated>2018-10-13T07:33:17+00:00</updated>
<author>
<name>Zhi Chen</name>
<email>zhichen@codeaurora.org</email>
</author>
<published>2018-06-18T14:00:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=91da9ba7bbbd361cb14d2b47cdbfbe68dee54768'/>
<id>91da9ba7bbbd361cb14d2b47cdbfbe68dee54768</id>
<content type='text'>
commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream.

Length of WMI scan message was not calculated correctly. The allocated
buffer was smaller than what we expected. So WMI message corrupted
skb_info, which is at the end of skb-&gt;data. This fix takes TLV header
into account even if the element is zero-length.

Crash log:
  [49.629986] Unhandled kernel unaligned access[#1]:
  [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
  [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
  [49.646608] $ 0   : 00000000 00000001 80984a80 00000000
  [49.652038] $ 4   : 45259e89 8046d484 8046df30 8024ba70
  [49.657468] $ 8   : 00000000 804cc4c0 00000001 20306320
  [49.662898] $12   : 33322037 000110f2 00000000 31203930
  [49.668327] $16   : 82792b40 80984a80 00000001 804207fc
  [49.673757] $20   : 00000000 0000012c 00000040 80470000
  [49.679186] $24   : 00000000 8024af7c
  [49.684617] $28   : 8329c000 8329db88 00000001 802c58d0
  [49.690046] Hi    : 00000000
  [49.693022] Lo    : 453c0000
  [49.696013] epc   : 800efae4 put_page+0x0/0x58
  [49.700615] ra    : 802c58d0 skb_release_data+0x148/0x1d4
  [49.706184] Status: 1000fc03 KERNEL EXL IE
  [49.710531] Cause : 00800010 (ExcCode 04)
  [49.714669] BadVA : 45259e89
  [49.717644] PrId  : 00019374 (MIPS 24Kc)

Signed-off-by: Zhi Chen &lt;zhichen@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: Brian Norris &lt;briannorris@chromium.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c8291988806407e02a01b4b15b4504eafbcc04e0 upstream.

Length of WMI scan message was not calculated correctly. The allocated
buffer was smaller than what we expected. So WMI message corrupted
skb_info, which is at the end of skb-&gt;data. This fix takes TLV header
into account even if the element is zero-length.

Crash log:
  [49.629986] Unhandled kernel unaligned access[#1]:
  [49.634932] CPU: 0 PID: 1176 Comm: logd Not tainted 4.4.60 #180
  [49.641040] task: 83051460 ti: 8329c000 task.ti: 8329c000
  [49.646608] $ 0   : 00000000 00000001 80984a80 00000000
  [49.652038] $ 4   : 45259e89 8046d484 8046df30 8024ba70
  [49.657468] $ 8   : 00000000 804cc4c0 00000001 20306320
  [49.662898] $12   : 33322037 000110f2 00000000 31203930
  [49.668327] $16   : 82792b40 80984a80 00000001 804207fc
  [49.673757] $20   : 00000000 0000012c 00000040 80470000
  [49.679186] $24   : 00000000 8024af7c
  [49.684617] $28   : 8329c000 8329db88 00000001 802c58d0
  [49.690046] Hi    : 00000000
  [49.693022] Lo    : 453c0000
  [49.696013] epc   : 800efae4 put_page+0x0/0x58
  [49.700615] ra    : 802c58d0 skb_release_data+0x148/0x1d4
  [49.706184] Status: 1000fc03 KERNEL EXL IE
  [49.710531] Cause : 00800010 (ExcCode 04)
  [49.714669] BadVA : 45259e89
  [49.717644] PrId  : 00019374 (MIPS 24Kc)

Signed-off-by: Zhi Chen &lt;zhichen@codeaurora.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Cc: Brian Norris &lt;briannorris@chromium.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: fix memory leak of tpc_stats</title>
<updated>2018-10-03T23:59:16+00:00</updated>
<author>
<name>Colin Ian King</name>
<email>colin.king@canonical.com</email>
</author>
<published>2018-05-27T21:17:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=31a92226a5d59a8538de9fd9a804a75a7ec1d3bd'/>
<id>31a92226a5d59a8538de9fd9a804a75a7ec1d3bd</id>
<content type='text'>
[ Upstream commit 260e629bbf441585860e21d5e10d2e88437f47c8 ]

Currently tpc_stats is allocated and is leaked on the return
path if num_tx_chain is greater than WMI_TPC_TX_N_CHAIN. Avoid
this leak by performing the check on num_tx_chain before the
allocation of tpc_stats.

Detected by CoverityScan, CID#1469422 ("Resource Leak")
Fixes: 4b190675ad06 ("ath10k: fix kernel panic while reading tpc_stats")

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 260e629bbf441585860e21d5e10d2e88437f47c8 ]

Currently tpc_stats is allocated and is leaked on the return
path if num_tx_chain is greater than WMI_TPC_TX_N_CHAIN. Avoid
this leak by performing the check on num_tx_chain before the
allocation of tpc_stats.

Detected by CoverityScan, CID#1469422 ("Resource Leak")
Fixes: 4b190675ad06 ("ath10k: fix kernel panic while reading tpc_stats")

Signed-off-by: Colin Ian King &lt;colin.king@canonical.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: snoc: use correct bus-specific pointer in RX retry</title>
<updated>2018-10-03T23:59:16+00:00</updated>
<author>
<name>Brian Norris</name>
<email>briannorris@chromium.org</email>
</author>
<published>2018-06-11T21:09:43+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=00b438869cbe414d9a92419dcf702a0a74b679c5'/>
<id>00b438869cbe414d9a92419dcf702a0a74b679c5</id>
<content type='text'>
[ Upstream commit 426a0f0b5a2fe1df3496ba299ee3521159dba302 ]

We're 'ath10k_snoc', not 'ath10k_pci'. This probably means we're
accessing junk data in ath10k_snoc_rx_replenish_retry(), unless
'ath10k_snoc' and 'ath10k_pci' happen to have very similar struct
layouts.

Noticed by inspection.

Fixes: d915105231ca ("ath10k: add hif rx methods for wcn3990")
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 426a0f0b5a2fe1df3496ba299ee3521159dba302 ]

We're 'ath10k_snoc', not 'ath10k_pci'. This probably means we're
accessing junk data in ath10k_snoc_rx_replenish_retry(), unless
'ath10k_snoc' and 'ath10k_pci' happen to have very similar struct
layouts.

Noticed by inspection.

Fixes: d915105231ca ("ath10k: add hif rx methods for wcn3990")
Signed-off-by: Brian Norris &lt;briannorris@chromium.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: fix incorrect size of dma_free_coherent in ath10k_ce_alloc_src_ring_64</title>
<updated>2018-10-03T23:59:16+00:00</updated>
<author>
<name>YueHaibing</name>
<email>yuehaibing@huawei.com</email>
</author>
<published>2018-06-01T11:25:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=06c21f7423e7eabbe85dd18d4de8e9f6bc69400d'/>
<id>06c21f7423e7eabbe85dd18d4de8e9f6bc69400d</id>
<content type='text'>
[ Upstream commit 5a211627004e2cddd0ab8b9df19e5fb0bbe97634 ]

sizeof(struct ce_desc) should be a copy-paste mistake
just use sizeof(struct ce_desc_64) to avoid mem leak

Fixes: b7ba83f7c414 ("ath10k: add support for shadow register for WNC3990")
Signed-off-by: YueHaibing &lt;yuehaibing@huawei.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 5a211627004e2cddd0ab8b9df19e5fb0bbe97634 ]

sizeof(struct ce_desc) should be a copy-paste mistake
just use sizeof(struct ce_desc_64) to avoid mem leak

Fixes: b7ba83f7c414 ("ath10k: add support for shadow register for WNC3990")
Signed-off-by: YueHaibing &lt;yuehaibing@huawei.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: transmit queued frames after processing rx packets</title>
<updated>2018-10-03T23:59:12+00:00</updated>
<author>
<name>Niklas Cassel</name>
<email>niklas.cassel@linaro.org</email>
</author>
<published>2018-06-18T14:00:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=882791abd11d3020694baa72b2782ad5a98da2e1'/>
<id>882791abd11d3020694baa72b2782ad5a98da2e1</id>
<content type='text'>
[ Upstream commit 3f04950f32d5d592ab4fcaecac2178558a6f7437 ]

When running iperf on ath10k SDIO, TX can stop working:

iperf -c 192.168.1.1 -i 1 -t 20 -w 10K
[  3]  0.0- 1.0 sec  2.00 MBytes  16.8 Mbits/sec
[  3]  1.0- 2.0 sec  3.12 MBytes  26.2 Mbits/sec
[  3]  2.0- 3.0 sec  3.25 MBytes  27.3 Mbits/sec
[  3]  3.0- 4.0 sec   655 KBytes  5.36 Mbits/sec
[  3]  4.0- 5.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  5.0- 6.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  6.0- 7.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  7.0- 8.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  8.0- 9.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  9.0-10.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  0.0-10.3 sec  9.01 MBytes  7.32 Mbits/sec

There are frames in the ieee80211_txq and there are frames that have
been removed from from this queue, but haven't yet been sent on the wire
(num_pending_tx).

When num_pending_tx reaches max_num_pending_tx, we will stop the queues
by calling ieee80211_stop_queues().

As frames that have previously been sent for transmission
(num_pending_tx) are completed, we will decrease num_pending_tx and wake
the queues by calling ieee80211_wake_queue(). ieee80211_wake_queue()
does not call wake_tx_queue, so we might still have frames in the
queue at this point.

While the queues were stopped, the socket buffer might have filled up,
and in order for user space to write more, we need to free the frames
in the queue, since they are accounted to the socket. In order to free
them, we first need to transmit them.

This problem cannot be reproduced on low-latency devices, e.g. pci,
since they call ath10k_mac_tx_push_pending() from
ath10k_htt_txrx_compl_task(). ath10k_htt_txrx_compl_task() is not called
on high-latency devices.
Fix the problem by calling ath10k_mac_tx_push_pending(), after
processing rx packets, just like for low-latency devices, also in the
SDIO case. Since we are calling ath10k_mac_tx_push_pending() directly,
we also need to export it.

Signed-off-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 3f04950f32d5d592ab4fcaecac2178558a6f7437 ]

When running iperf on ath10k SDIO, TX can stop working:

iperf -c 192.168.1.1 -i 1 -t 20 -w 10K
[  3]  0.0- 1.0 sec  2.00 MBytes  16.8 Mbits/sec
[  3]  1.0- 2.0 sec  3.12 MBytes  26.2 Mbits/sec
[  3]  2.0- 3.0 sec  3.25 MBytes  27.3 Mbits/sec
[  3]  3.0- 4.0 sec   655 KBytes  5.36 Mbits/sec
[  3]  4.0- 5.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  5.0- 6.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  6.0- 7.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  7.0- 8.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  8.0- 9.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  9.0-10.0 sec  0.00 Bytes  0.00 bits/sec
[  3]  0.0-10.3 sec  9.01 MBytes  7.32 Mbits/sec

There are frames in the ieee80211_txq and there are frames that have
been removed from from this queue, but haven't yet been sent on the wire
(num_pending_tx).

When num_pending_tx reaches max_num_pending_tx, we will stop the queues
by calling ieee80211_stop_queues().

As frames that have previously been sent for transmission
(num_pending_tx) are completed, we will decrease num_pending_tx and wake
the queues by calling ieee80211_wake_queue(). ieee80211_wake_queue()
does not call wake_tx_queue, so we might still have frames in the
queue at this point.

While the queues were stopped, the socket buffer might have filled up,
and in order for user space to write more, we need to free the frames
in the queue, since they are accounted to the socket. In order to free
them, we first need to transmit them.

This problem cannot be reproduced on low-latency devices, e.g. pci,
since they call ath10k_mac_tx_push_pending() from
ath10k_htt_txrx_compl_task(). ath10k_htt_txrx_compl_task() is not called
on high-latency devices.
Fix the problem by calling ath10k_mac_tx_push_pending(), after
processing rx packets, just like for low-latency devices, also in the
SDIO case. Since we are calling ath10k_mac_tx_push_pending() directly,
we also need to export it.

Signed-off-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock</title>
<updated>2018-10-03T23:59:12+00:00</updated>
<author>
<name>Ben Greear</name>
<email>greearb@candelatech.com</email>
</author>
<published>2018-06-18T14:00:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c247a4bf53b6d70830f1a7190d404425fe8a806c'/>
<id>c247a4bf53b6d70830f1a7190d404425fe8a806c</id>
<content type='text'>
[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ]

While debugging driver crashes related to a buggy firmware
crashing under load, I noticed that ath10k_htt_rx_ring_free
could be called without being under lock.  I'm not sure if this
is the root cause of the crash or not, but it seems prudent to
protect it.

Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
running on 9984 NIC.

Signed-off-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 168f75f11fe68455e0d058a818ebccfc329d8685 ]

While debugging driver crashes related to a buggy firmware
crashing under load, I noticed that ath10k_htt_rx_ring_free
could be called without being under lock.  I'm not sure if this
is the root cause of the crash or not, but it seems prudent to
protect it.

Originally tested on 4.16+ kernel with ath10k-ct 10.4 firmware
running on 9984 NIC.

Signed-off-by: Ben Greear &lt;greearb@candelatech.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: use locked skb_dequeue for rx completions</title>
<updated>2018-10-03T23:59:10+00:00</updated>
<author>
<name>Bob Copeland</name>
<email>me@bobcopeland.com</email>
</author>
<published>2018-06-21T12:25:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=8086828bed84415f9e1caf5eef123c3cca8122a6'/>
<id>8086828bed84415f9e1caf5eef123c3cca8122a6</id>
<content type='text'>
[ Upstream commit 62652555c616cad23a572f76cb5e870ab5395191 ]

In our environment we are occasionally seeing the following stack trace
in ath10k:

Unable to handle kernel paging request at virtual address 0000a800
pgd = c0204000
[0000a800] *pgd=00000000
Internal error: Oops: 17 [#1] SMP ARM
Modules linked in: dwc3 dwc3_of_simple phy_qcom_dwc3 nf_nat xt_connmark
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.31 #2
Hardware name: Generic DT based system
task: c09f4f40 task.stack: c09ee000
PC is at kfree_skb_list+0x1c/0x2c
LR is at skb_release_data+0x6c/0x108
pc : [&lt;c065dcc4&gt;]    lr : [&lt;c065da5c&gt;]    psr: 200f0113
sp : c09efb68  ip : c09efb80  fp : c09efb7c
r10: 00000000  r9 : 00000000  r8 : 043fddd1
r7 : bf15d160  r6 : 00000000  r5 : d4ca2f00  r4 : ca7c6480
r3 : 000000a0  r2 : 01000000  r1 : c0a57470  r0 : 0000a800
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5787d  Table: 56e6006a  DAC: 00000051
Process swapper/0 (pid: 0, stack limit = 0xc09ee210)
Stack: (0xc09efb68 to 0xc09f0000)
fb60:                   ca7c6480 d4ca2f00 c09efb9c c09efb80 c065da5c c065dcb4
fb80: d4ca2f00 00000000 dcbf8400 bf15d160 c09efbb4 c09efba0 c065db28 c065d9fc
fba0: d4ca2f00 00000000 c09efbcc c09efbb8 c065db48 c065db04 d4ca2f00 00000000
fbc0: c09efbe4 c09efbd0 c065ddd0 c065db38 d4ca2f00 00000000 c09efc64 c09efbe8
fbe0: bf09bd00 c065dd10 00000003 7fffffff c09efc24 dcbfc9c0 01200000 00000000
fc00: 00000000 00000000 ddb7e440 c09e9440 c09efc48 1d195000 c09efc7c c09efc28
fc20: c027bb68 c028aa00 ddb7e4f8 bf13231c ddb7e454 0004091f bf154571 d4ca2f00
fc40: dcbf8d00 ca7c5df6 bf154538 01200000 00000000 bf154538 c09efd1c c09efc68
fc60: bf132458 bf09bbbc ca7c5dec 00000041 bf154538 bf154539 000007bf bf154545
fc80: bf154538 bf154538 bf154538 bf154538 bf154538 00000000 00000000 000016c1
fca0: 00000001 c09efcb0 01200000 00000000 00000000 00000000 00000000 00000001
fcc0: bf154539 00000041 00000000 00000007 00000000 000000d0 ffffffff 3160ffff
fce0: 9ad93e97 3e973160 7bf09ad9 0004091f d4ca2f00 c09efdb0 dcbf94e8 00000000
fd00: dcbf8d00 01200000 00000000 dcbf8d00 c09efd44 c09efd20 bf132544 bf132130
fd20: dcbf8d00 00000000 d4ca2f00 c09efdb0 00000001 d4ca2f00 c09efdec c09efd48
fd40: bf133630 bf1324d0 ca7c5cc0 000007c0 c09efd88 c09efd70 c0764230 c02277d8
fd60: 200f0113 ffffffff dcbf94c8 bf000000 dcbf93b0 dcbf8d00 00000040 dcbf945c
fd80: dcbf94e8 00000000 c09efdcc 00000000 c09efd90 c09efd90 00000000 00000024
fda0: dcbf8d00 00000000 00000005 dcbf8d00 c09efdb0 c09efdb0 00000000 00000040
fdc0: c09efdec dcbf8d00 dcbfc9c0 c09ed140 00000040 00000000 00000100 00000040
fde0: c09efe14 c09efdf0 bf1739b4 bf132840 dcbfc9c0 ddb82140 c09ed140 1d195000
fe00: 00000001 00000100 c09efe64 c09efe18 c067136c bf173958 ddb7fac8 c09f0d00
fe20: 001df678 0000012c c09efe28 c09efe28 c09efe30 c09efe30 c0a7fb28 ffffe000
fe40: c09f008c 00000003 00000008 c0a598c0 00000100 c09f0080 c09efeb4 c09efe68
fe60: c02096e0 c0671278 c0494584 00000080 dd5c3300 c09f0d00 00000004 001df677
fe80: 0000000a 00200100 dd5c3300 00000000 00000000 c09eaa70 00000060 dd410800
fea0: c09ee000 00000000 c09efecc c09efeb8 c0227944 c02094c4 00000000 00000000
fec0: c09efef4 c09efed0 c0268b64 c02278ac de802000 c09f1b1c c09eff20 c0a16cc0
fee0: de803000 c09ee000 c09eff1c c09efef8 c020947c c0268ae0 c02103dc 600f0013
ff00: ffffffff c09eff54 ffffe000 c09ee000 c09eff7c c09eff20 c021448c c0209424
ff20: 00000001 00000000 00000000 c021ddc0 00000000 00000000 c09f1024 00000001
ff40: ffffe000 c09f1078 00000000 c09eff7c c09eff80 c09eff70 c02103ec c02103dc
ff60: 600f0013 ffffffff 00000051 00000000 c09eff8c c09eff80 c0763cc4 c02103bc
ff80: c09effa4 c09eff90 c025f0e4 c0763c98 c0a59040 c09f1000 c09effb4 c09effa8
ffa0: c075efe0 c025efd4 c09efff4 c09effb8 c097dcac c075ef7c ffffffff ffffffff
ffc0: 00000000 c097d6c4 00000000 c09c1a28 c0a59294 c09f101c c09c1a24 c09f61c0
ffe0: 4220406a 512f04d0 00000000 c09efff8 4220807c c097d95c 00000000 00000000
[&lt;c065dcc4&gt;] (kfree_skb_list) from [&lt;c065da5c&gt;] (skb_release_data+0x6c/0x108)
[&lt;c065da5c&gt;] (skb_release_data) from [&lt;c065db28&gt;] (skb_release_all+0x30/0x34)
[&lt;c065db28&gt;] (skb_release_all) from [&lt;c065db48&gt;] (__kfree_skb+0x1c/0x9c)
[&lt;c065db48&gt;] (__kfree_skb) from [&lt;c065ddd0&gt;] (consume_skb+0xcc/0xd8)
[&lt;c065ddd0&gt;] (consume_skb) from [&lt;bf09bd00&gt;] (ieee80211_rx_napi+0x150/0x82c [mac80211])
[&lt;bf09bd00&gt;] (ieee80211_rx_napi [mac80211]) from [&lt;bf132458&gt;] (ath10k_htt_t2h_msg_handler+0x15e8/0x19c4 [ath10k_core])
[&lt;bf132458&gt;] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [&lt;bf132544&gt;] (ath10k_htt_t2h_msg_handler+0x16d4/0x19c4 [ath10k_core])
[&lt;bf132544&gt;] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [&lt;bf133630&gt;] (ath10k_htt_txrx_compl_task+0xdfc/0x12cc [ath10k_core])
[&lt;bf133630&gt;] (ath10k_htt_txrx_compl_task [ath10k_core]) from [&lt;bf1739b4&gt;] (ath10k_pci_napi_poll+0x68/0xf4 [ath10k_pci])
[&lt;bf1739b4&gt;] (ath10k_pci_napi_poll [ath10k_pci]) from [&lt;c067136c&gt;] (net_rx_action+0x100/0x33c)
[&lt;c067136c&gt;] (net_rx_action) from [&lt;c02096e0&gt;] (__do_softirq+0x228/0x31c)
[&lt;c02096e0&gt;] (__do_softirq) from [&lt;c0227944&gt;] (irq_exit+0xa4/0x114)

The trace points to a corrupt skb inside kfree_skb(), seemingly because
one of the shared skb queues is getting corrupted.  Most of the skb queues
ath10k uses are local to a single call stack, but three are shared among
multiple codepaths:

 - rx_msdus_q,
 - rx_in_ord_compl_q, and
 - tx_fetch_ind_q

Of the three, the first two are manipulated using the unlocked skb_queue
functions without any additional lock protecting them.  Use the locked
variants of skb_queue_* functions to protect these manipulations.

Signed-off-by: Bob Copeland &lt;bobcopeland@fb.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 62652555c616cad23a572f76cb5e870ab5395191 ]

In our environment we are occasionally seeing the following stack trace
in ath10k:

Unable to handle kernel paging request at virtual address 0000a800
pgd = c0204000
[0000a800] *pgd=00000000
Internal error: Oops: 17 [#1] SMP ARM
Modules linked in: dwc3 dwc3_of_simple phy_qcom_dwc3 nf_nat xt_connmark
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.9.31 #2
Hardware name: Generic DT based system
task: c09f4f40 task.stack: c09ee000
PC is at kfree_skb_list+0x1c/0x2c
LR is at skb_release_data+0x6c/0x108
pc : [&lt;c065dcc4&gt;]    lr : [&lt;c065da5c&gt;]    psr: 200f0113
sp : c09efb68  ip : c09efb80  fp : c09efb7c
r10: 00000000  r9 : 00000000  r8 : 043fddd1
r7 : bf15d160  r6 : 00000000  r5 : d4ca2f00  r4 : ca7c6480
r3 : 000000a0  r2 : 01000000  r1 : c0a57470  r0 : 0000a800
Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
Control: 10c5787d  Table: 56e6006a  DAC: 00000051
Process swapper/0 (pid: 0, stack limit = 0xc09ee210)
Stack: (0xc09efb68 to 0xc09f0000)
fb60:                   ca7c6480 d4ca2f00 c09efb9c c09efb80 c065da5c c065dcb4
fb80: d4ca2f00 00000000 dcbf8400 bf15d160 c09efbb4 c09efba0 c065db28 c065d9fc
fba0: d4ca2f00 00000000 c09efbcc c09efbb8 c065db48 c065db04 d4ca2f00 00000000
fbc0: c09efbe4 c09efbd0 c065ddd0 c065db38 d4ca2f00 00000000 c09efc64 c09efbe8
fbe0: bf09bd00 c065dd10 00000003 7fffffff c09efc24 dcbfc9c0 01200000 00000000
fc00: 00000000 00000000 ddb7e440 c09e9440 c09efc48 1d195000 c09efc7c c09efc28
fc20: c027bb68 c028aa00 ddb7e4f8 bf13231c ddb7e454 0004091f bf154571 d4ca2f00
fc40: dcbf8d00 ca7c5df6 bf154538 01200000 00000000 bf154538 c09efd1c c09efc68
fc60: bf132458 bf09bbbc ca7c5dec 00000041 bf154538 bf154539 000007bf bf154545
fc80: bf154538 bf154538 bf154538 bf154538 bf154538 00000000 00000000 000016c1
fca0: 00000001 c09efcb0 01200000 00000000 00000000 00000000 00000000 00000001
fcc0: bf154539 00000041 00000000 00000007 00000000 000000d0 ffffffff 3160ffff
fce0: 9ad93e97 3e973160 7bf09ad9 0004091f d4ca2f00 c09efdb0 dcbf94e8 00000000
fd00: dcbf8d00 01200000 00000000 dcbf8d00 c09efd44 c09efd20 bf132544 bf132130
fd20: dcbf8d00 00000000 d4ca2f00 c09efdb0 00000001 d4ca2f00 c09efdec c09efd48
fd40: bf133630 bf1324d0 ca7c5cc0 000007c0 c09efd88 c09efd70 c0764230 c02277d8
fd60: 200f0113 ffffffff dcbf94c8 bf000000 dcbf93b0 dcbf8d00 00000040 dcbf945c
fd80: dcbf94e8 00000000 c09efdcc 00000000 c09efd90 c09efd90 00000000 00000024
fda0: dcbf8d00 00000000 00000005 dcbf8d00 c09efdb0 c09efdb0 00000000 00000040
fdc0: c09efdec dcbf8d00 dcbfc9c0 c09ed140 00000040 00000000 00000100 00000040
fde0: c09efe14 c09efdf0 bf1739b4 bf132840 dcbfc9c0 ddb82140 c09ed140 1d195000
fe00: 00000001 00000100 c09efe64 c09efe18 c067136c bf173958 ddb7fac8 c09f0d00
fe20: 001df678 0000012c c09efe28 c09efe28 c09efe30 c09efe30 c0a7fb28 ffffe000
fe40: c09f008c 00000003 00000008 c0a598c0 00000100 c09f0080 c09efeb4 c09efe68
fe60: c02096e0 c0671278 c0494584 00000080 dd5c3300 c09f0d00 00000004 001df677
fe80: 0000000a 00200100 dd5c3300 00000000 00000000 c09eaa70 00000060 dd410800
fea0: c09ee000 00000000 c09efecc c09efeb8 c0227944 c02094c4 00000000 00000000
fec0: c09efef4 c09efed0 c0268b64 c02278ac de802000 c09f1b1c c09eff20 c0a16cc0
fee0: de803000 c09ee000 c09eff1c c09efef8 c020947c c0268ae0 c02103dc 600f0013
ff00: ffffffff c09eff54 ffffe000 c09ee000 c09eff7c c09eff20 c021448c c0209424
ff20: 00000001 00000000 00000000 c021ddc0 00000000 00000000 c09f1024 00000001
ff40: ffffe000 c09f1078 00000000 c09eff7c c09eff80 c09eff70 c02103ec c02103dc
ff60: 600f0013 ffffffff 00000051 00000000 c09eff8c c09eff80 c0763cc4 c02103bc
ff80: c09effa4 c09eff90 c025f0e4 c0763c98 c0a59040 c09f1000 c09effb4 c09effa8
ffa0: c075efe0 c025efd4 c09efff4 c09effb8 c097dcac c075ef7c ffffffff ffffffff
ffc0: 00000000 c097d6c4 00000000 c09c1a28 c0a59294 c09f101c c09c1a24 c09f61c0
ffe0: 4220406a 512f04d0 00000000 c09efff8 4220807c c097d95c 00000000 00000000
[&lt;c065dcc4&gt;] (kfree_skb_list) from [&lt;c065da5c&gt;] (skb_release_data+0x6c/0x108)
[&lt;c065da5c&gt;] (skb_release_data) from [&lt;c065db28&gt;] (skb_release_all+0x30/0x34)
[&lt;c065db28&gt;] (skb_release_all) from [&lt;c065db48&gt;] (__kfree_skb+0x1c/0x9c)
[&lt;c065db48&gt;] (__kfree_skb) from [&lt;c065ddd0&gt;] (consume_skb+0xcc/0xd8)
[&lt;c065ddd0&gt;] (consume_skb) from [&lt;bf09bd00&gt;] (ieee80211_rx_napi+0x150/0x82c [mac80211])
[&lt;bf09bd00&gt;] (ieee80211_rx_napi [mac80211]) from [&lt;bf132458&gt;] (ath10k_htt_t2h_msg_handler+0x15e8/0x19c4 [ath10k_core])
[&lt;bf132458&gt;] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [&lt;bf132544&gt;] (ath10k_htt_t2h_msg_handler+0x16d4/0x19c4 [ath10k_core])
[&lt;bf132544&gt;] (ath10k_htt_t2h_msg_handler [ath10k_core]) from [&lt;bf133630&gt;] (ath10k_htt_txrx_compl_task+0xdfc/0x12cc [ath10k_core])
[&lt;bf133630&gt;] (ath10k_htt_txrx_compl_task [ath10k_core]) from [&lt;bf1739b4&gt;] (ath10k_pci_napi_poll+0x68/0xf4 [ath10k_pci])
[&lt;bf1739b4&gt;] (ath10k_pci_napi_poll [ath10k_pci]) from [&lt;c067136c&gt;] (net_rx_action+0x100/0x33c)
[&lt;c067136c&gt;] (net_rx_action) from [&lt;c02096e0&gt;] (__do_softirq+0x228/0x31c)
[&lt;c02096e0&gt;] (__do_softirq) from [&lt;c0227944&gt;] (irq_exit+0xa4/0x114)

The trace points to a corrupt skb inside kfree_skb(), seemingly because
one of the shared skb queues is getting corrupted.  Most of the skb queues
ath10k uses are local to a single call stack, but three are shared among
multiple codepaths:

 - rx_msdus_q,
 - rx_in_ord_compl_q, and
 - tx_fetch_ind_q

Of the three, the first two are manipulated using the unlocked skb_queue
functions without any additional lock protecting them.  Use the locked
variants of skb_queue_* functions to protect these manipulations.

Signed-off-by: Bob Copeland &lt;bobcopeland@fb.com&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: sdio: set skb len for all rx packets</title>
<updated>2018-10-03T23:59:09+00:00</updated>
<author>
<name>Alagu Sankar</name>
<email>alagusankar@silex-india.com</email>
</author>
<published>2018-06-29T13:28:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ee1df10ae020bfa35589722ace79cc565991919a'/>
<id>ee1df10ae020bfa35589722ace79cc565991919a</id>
<content type='text'>
[ Upstream commit 8530b4e7b22bc3bd8240579f3844c73947cd5f71 ]

Without this, packets larger than 1500 will silently be dropped.
Easily reproduced by sending a ping packet with a size larger
than 1500.

Co-Developed-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Alagu Sankar &lt;alagusankar@silex-india.com&gt;
Signed-off-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8530b4e7b22bc3bd8240579f3844c73947cd5f71 ]

Without this, packets larger than 1500 will silently be dropped.
Easily reproduced by sending a ping packet with a size larger
than 1500.

Co-Developed-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Alagu Sankar &lt;alagusankar@silex-india.com&gt;
Signed-off-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ath10k: sdio: use same endpoint id for all packets in a bundle</title>
<updated>2018-10-03T23:59:09+00:00</updated>
<author>
<name>Alagu Sankar</name>
<email>alagusankar@silex-india.com</email>
</author>
<published>2018-06-29T13:27:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bd9b4e60690281a2e2f555d7d6e7dc9afcaa3f44'/>
<id>bd9b4e60690281a2e2f555d7d6e7dc9afcaa3f44</id>
<content type='text'>
[ Upstream commit 679e1f07c86221b7183dd69df7068fd42d0041f6 ]

All packets in a bundle should use the same endpoint id as the
first lookahead.

This matches how things are done is ath6kl, however,
this patch can theoretically handle several bundles
in ath10k_sdio_mbox_rx_process_packets().

Without this patch we get lots of errors about invalid endpoint id:

ath10k_sdio mmc2:0001:1: invalid endpoint in look-ahead: 224
ath10k_sdio mmc2:0001:1: failed to get pending recv messages: -12
ath10k_sdio mmc2:0001:1: failed to process pending SDIO interrupts: -12

Co-Developed-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Alagu Sankar &lt;alagusankar@silex-india.com&gt;
Signed-off-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 679e1f07c86221b7183dd69df7068fd42d0041f6 ]

All packets in a bundle should use the same endpoint id as the
first lookahead.

This matches how things are done is ath6kl, however,
this patch can theoretically handle several bundles
in ath10k_sdio_mbox_rx_process_packets().

Without this patch we get lots of errors about invalid endpoint id:

ath10k_sdio mmc2:0001:1: invalid endpoint in look-ahead: 224
ath10k_sdio mmc2:0001:1: failed to get pending recv messages: -12
ath10k_sdio mmc2:0001:1: failed to process pending SDIO interrupts: -12

Co-Developed-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Alagu Sankar &lt;alagusankar@silex-india.com&gt;
Signed-off-by: Niklas Cassel &lt;niklas.cassel@linaro.org&gt;
Signed-off-by: Kalle Valo &lt;kvalo@codeaurora.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@microsoft.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
