Fix ltssm crashes on BPI-Rx boards.
Seems read32/write32 using wrong address which
is not a problem on x86/64 PCI controllers.
But have issues on BPI-Rx boards.
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15945
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The support for assigning PCIe eeprom via device tree was
accidentally removed when adding NVMEM eeprom patches.
Fixes: bea4f50207 ("mac80211: rt2x00: improve EEPROM load patches")
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/16318
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
link: https://lore.kernel.org/all/2024091842-CVE-2024-46760-1eb3@gregkh
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: usb: schedule rx work after everything is set up
Right now it's possible to hit NULL pointer dereference in
rtw_rx_fill_rx_status on hw object and/or its fields because
initialization routine can start getting USB replies before
rtw_dev is fully setup.
The stack trace looks like this:
rtw_rx_fill_rx_status
rtw8821c_query_rx_desc
rtw_usb_rx_handler
...
queue_work
rtw_usb_read_port_complete
...
usb_submit_urb
rtw_usb_rx_resubmit
rtw_usb_init_rx
rtw_usb_probe
So while we do the async stuff rtw_usb_probe continues and calls
rtw_register_hw, which does all kinds of initialization (e.g.
via ieee80211_register_hw) that rtw_rx_fill_rx_status relies on.
Fix this by moving the first usb_submit_urb after everything
is set up.
For me, this bug manifested as:
[ 8.893177] rtw_8821cu 1-1:1.2: band wrong, packet dropped
[ 8.910904] rtw_8821cu 1-1:1.2: hw->conf.chandef.chan NULL in rtw_rx_fill_rx_status
because I'm using Larry's backport of rtw88 driver with the NULL
checks in rtw_rx_fill_rx_status.
The Linux kernel CVE team has assigned CVE-2024-46760 to this issue.
Affected and fixed versions
===========================
Fixed in 6.6.51 with commit c83d464b82a8
Fixed in 6.10.10 with commit 25eaef533bf3
Fixed in 6.11 with commit adc539784c98
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2024-46760
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/wireless/realtek/rtw88/usb.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/c83d464b82a8ad62ec9077637f75d73fe955635ahttps://git.kernel.org/stable/c/25eaef533bf3ccc6fee5067aac16f41f280e343ehttps://git.kernel.org/stable/c/adc539784c98a7cc602cbf557debfc2e7b9be8b3
Signed-off-by: Antonio Flores <antflores627@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16420
Signed-off-by: Robert Marko <robimarko@gmail.com>
This patch cleans up the following warnings during build:
"warning: format not a string literal"
```
conf.c: In function 'conf_askvalue':
conf.c:89:17: warning: format not a string literal and no format arguments [-Wformat-security]
89 | printf(_("(NEW) "));
| ^~~~~~
conf.c: In function 'conf_choice':
conf.c:285:33: warning: format not a string literal and no format arguments [-Wformat-security]
285 | printf(_(" (NEW)"));
| ^~~~~~
conf.c: In function 'check_conf':
conf.c:440:41: warning: format not a string literal and no format arguments [-Wformat-security]
440 | printf(_("*\n* Restart config...\n*\n"));
| ^~~~~~
conf.c: In function 'main':
conf.c:617:41: warning: format not a string literal and no format arguments [-Wformat-security]
617 | _("\n*** The configuration requires explicit update.\n\n"));
| ^
conf.c:669:25: warning: format not a string literal and no format arguments [-Wformat-security]
669 | fprintf(stderr, _("\n*** Error during writing of the configuration.\n\n"));
| ^~~~~~~
conf.c:673:25: warning: format not a string literal and no format arguments [-Wformat-security]
673 | fprintf(stderr, _("\n*** Error during update of the configuration.\n\n"));
| ^~~~~~~
conf.c:684:25: warning: format not a string literal and no format arguments [-Wformat-security]
684 | fprintf(stderr, _("\n*** Error during writing of the configuration.\n\n"));
| ^~~~~~~
```
And POSIX Yacc warnings
```
lex -ozconf.lex.c -L zconf.l
yacc -ozconf.tab.c -t -l zconf.y
zconf.y:34.1-7: warning: POSIX Yacc does not support %expect [-Wyacc]
34 | %expect 32
| ^~~~~~~
zconf.y:97.1-11: warning: POSIX Yacc does not support %destructor [-Wyacc]
97 | %destructor {
| ^~~~~~~~~~~
gcc -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -DKBUILD_NO_NLS -c -o zconf.tab.o zconf.tab.c
gcc conf.o zconf.tab.o -o conf
```
After:
gcc -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -DKBUILD_NO_NLS -c -o conf.o conf.c
yacc -Wno-yacc -ozconf.tab.c -t -l zconf.y
gcc -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -DKBUILD_NO_NLS -c -o zconf.tab.o zconf.tab.c
gcc conf.o zconf.tab.o -o conf
Signed-off-by: Sean Khan <datapronix@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/15953
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Brings lots of driver updates and API changes needed for mt76 updates.
Disable iwlwifi and ath11k on 5.15, since backport is too difficult,
and the only remaining targets won't need those drivers.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Backport upstream patch for tim->virtual_map flex array warning for
invalid write.
This has been notice with the bump of ath10k-ct to version 6.7.
Link: https://github.com/openwrt/openwrt/pull/15760
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Backport RX timestamp flags patch needed for ath10k-ct to compile with
newer versions.
Link: https://github.com/openwrt/openwrt/pull/15735
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
LEDs support for ath10k has finally merged upstream hence replace it
with the upstream version.
Link: https://github.com/openwrt/openwrt/pull/15735
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This reverts commit dc9c5d1ee7.
Additional file for ath10k-ct slipped in, revert for a better version
pushed later.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
LEDs support for ath10k has finally merged upstream hence replace it
with the upstream version.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
All usages of mtd-cal-data have been removed. To avoid submissions that
rely on this deprecated behavior, remove it.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15671
Signed-off-by: Robert Marko <robimarko@gmail.com>
It seems that move to kernel 6.6 somehow fixed the remoteproc restart so
now it properly restarts and thus coldboot calibration works as well.
ipq60xx still seems to be broken in a different way so keep it disabled.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Limiting allowed channels per device may be required and is commonly
supported on other drivers, so include a pending patch to add support for
the same.
Signed-off-by: Robert Marko <robimarko@gmail.com>
The carl9170_tx_release() function sometimes triggers a fortified-memset
warning in my randconfig builds:
In file included from include/linux/string.h:254,
from drivers/net/wireless/ath/carl9170/tx.c:40:
In function 'fortify_memset_chk',
inlined from 'carl9170_tx_release' at drivers/net/wireless/ath/carl9170/tx.c:283:2,
inlined from 'kref_put' at include/linux/kref.h:65:3,
inlined from 'carl9170_tx_put_skb' at drivers/net/wireless/ath/carl9170/tx.c:342:9:
include/linux/fortify-string.h:493:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
493 | __write_overflow_field(p_size_field, size);
Kees previously tried to avoid this by using memset_after(), but it seems
this does not fully address the problem. I noticed that the memset_after()
here is done on a different part of the union (status) than the original
cast was from (rate_driver_data), which may confuse the compiler.
Unfortunately, the memset_after() trick does not work on driver_rates[]
because that is part of an anonymous struct, and I could not get
struct_group() to do this either. Using two separate memset() calls
on the two members does address the warning though.
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Add a separate bit in struct ieee80211_tx_info to indicate airtime tracked
as broadcast/multicast. This avoids a race condition where airtime from
stations that were just removed wasn't getting subtracted from the total
PHY airtime.
Fixes: 95e633efbd ("mac80211: add AQL support for broadcast/multicast packets")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The AQL limit for buffered broadcast packets is higher than the maximum
total pending airtime limit. This can get unicast data stuck whenever there
is too much pending broadcast data. Fix this by excluding broadcast AQL from
the total limit.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Completely disable dump_survey code on ARCH_BCM2835 to fix defined but not
used warning.
512b762ddb (commitcomment-137899352)
Fixes: 512b762ddb ("mac80211: brcm: disable dump_survey on Raspberry Pi")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Enabling this causes slow iwinfo calls on Raspberry Pi and LuCI slows down
when wireless is enabled.
Fixes: https://github.com/openwrt/openwrt/issues/14013
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
This patch has been reverted in the Raspberry Pi linux repository.
Also refresh the rest of the patches.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Frequent crashes have been observed on MT7916 based platforms. While the
root of these crashes are currently unknown, they happen when decoding
rate information of connected STAs in AP mode. The rate-information is
associated with a band which is not available on the PHY.
Check for this condition in order to avoid crashing the whole system.
This patch should be removed once the roout cause has been found and
fixed.
Link: https://github.com/freifunk-gluon/gluon/issues/2980
Signed-off-by: David Bauer <mail@david-bauer.net>
fast-xmit must only be enabled after the sta has been uploaded to the driver,
otherwise it could end up passing the not-yet-uploaded sta via drv_tx calls
to the driver, leading to potential crashes because of uninitialized drv_priv
data.
Add a missing sta->uploaded check and re-check fast xmit after inserting a sta.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This fixes WARN_ONs when using AP_VLANs after station removal. The flush
call passed AP_VLAN vif to driver, but because these vifs are virtual and
not registered with drivers, we need to translate to the correct AP vif
first.
Fixes: openwrt#12420
Signed-off-by: Oldřich Jedlička <oldium.pro@gmail.com>
Some local patches have been sent to upstream and they are slightly
different from the upstream version. So it's better to replace them
to avoid conflicts with the new mac80211 backport driver. The
different parts have been merged into patch 996.
This commit also includes some additional fixes:
* Fix watchdog function.
* Improve MT7620 register initialization.
* Introduce DMA busy watchdog for rt2800.
P.S.
Sometimes rt2800 series chips may fall into a DMA busy state. The
tx queues become very slow and the client cannot connect to the AP.
Usually, We can see a lot of hostapd warnings at this point:
'hostapd: IEEE 802.11: did not acknowledge authentication response'
The DMA busy watchdog can help the driver automatically recover
from this abnormal state. By the way, setting higer 'cell_density'
and disabling 'disassoc_low_ack' can significantly reduce the
probability of the DMA busy.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
ath9k-htc USB-based adapters also support 5/10MHz channel bandwidth.
Move the code handling the features in debugfs to common-debug.c,
and create proper registration functions to use in debug.c and
htc_drv_debug.c, leaving only debugfs registration there.
While at that, refresh one patch that would conflict otherwise.
Tested on TP-Link Archer C7v2 (ath79) and TP-Link WN722Nv1 (AR9287)
and WN822Nv2 (AR7010+AR9287).
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
ath9k-htc USB-based adapterssupport 5/10MHz channel bandwidth, the
same as standard ath9k ones.
Move the code handling the features in debugfs to common-debug.c,
and create proper registration functions to use in debug.c and
htc_drv_debug.c, leaving only debugfs registration there.
While at that, refresh one patch that would conflict otherwise.
Tested on TP-Link Archer C7v2 (ath79) and TP-Link WN722Nv1 (AR9287)
and WN822Nv2 (AR7010+AR9287).
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Add a struct_group to around all members in struct ath_cycle_counters.
It can help the compiler detect the intended bounds of the memcpy() and
memset().
This patch fixes the following build warning:
In function 'fortify_memset_chk',
inlined from 'ath9k_ps_wakeup' at /home/db/openwrt/build_dir/target-mips_24kc_musl/linux-ath79_generic/backports-6.1.24/drivers/net/wireless/ath/ath9k/main.c:140:3:
./include/linux/fortify-string.h:314:25: error: call to '__write_overflow_field' declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
314 | __write_overflow_field(p_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Fix the building issue setting CC to KERNEL_CC in kernel.mk. The
kernel backports by default uses CC to compile kconf. A new patch is
added to mac80211 to compile kconf with host gcc.
Signed-off-by: Zeyu Dong <dzy201415@gmail.com>
[ refresh patches ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Improve EEPROME load patches. Reorganize and rework them.
The current patch are bugged and with the case of MTD loading, leaks and
never free the EEPROM read values.
Also add support for loading EEPROM using NVMEM cells.
As a cleanup, change the binding to swap EEPROM read from mtd to
ralink,eeprom-swap and generilize it.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Synchronize the ath11k backports with the current ath-next tree.
All of the changes are various bugfixes, there is no new major feature.
Notable bugfixes are:
* WCN6855 board name fixes
* One MSI vector booting is working again
This is rather important for most of the older platforms.
* DFS CAC state in virtual interfaces was fixed
* TX power during CAC reporting
Signed-off-by: Robert Marko <robimarko@gmail.com>
DFS CAC time export is required for backport of a ath11k fix so lets
backport the required cfg80211 upstream commit as well.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Synchronize the ath11k backports with the current ath-next tree.
All of the changes are various bugfixes, there is no new major feature.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Commit ed3725e15a154ebebf44e0c34806c57525483f92
("wifi: ath11k: Fix qmi_msg_handler data structure initialization")
has been present upstream since 6.1.2 but it seems Quilt refreshed it
wrongly so it appeared like a completely different patch.
Commit 7c15430822e71e90203d87e6d0cfe83fa058b0dc
("wifi: ath11k: allow system suspend to survive ath11k")
has been present upstream since 6.1.16 but somehow quilt still happily
applied it.
So, drop both of them.
Signed-off-by: Robert Marko <robimarko@gmail.com>