kernel/drivers/net/wireless/mediatek/mt76/sdio_txrx.c, branch linux-6.2.y

wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host

2023-03-10T08:27:58Z

[ Upstream commit aec4cf2ea0797e28f18f8dbe01943a56d987fe56 ] SDIO may need addtional 511 bytes to align bus operation. If the tailroom of this skb is not big enough, we would access invalid memory region. For low level operation, increase skb size to keep valid memory access in SDIO host. Error message: [69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0 [69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u16:7/451 [69.951] CPU: 4 PID: 451 Comm: kworker/u16:7 Tainted: G W OE 6.1.0-rc5 #1 [69.951] Workqueue: kvub300c vub300_cmndwork_thread [vub300] [69.951] Call Trace: [69.951] [69.952] dump_stack_lvl+0x49/0x63 [69.952] print_report+0x171/0x4a8 [69.952] kasan_report+0xb4/0x130 [69.952] kasan_check_range+0x149/0x1e0 [69.952] memcpy+0x24/0x70 [69.952] sg_copy_buffer+0xe9/0x1a0 [69.952] sg_copy_to_buffer+0x12/0x20 [69.952] __command_write_data.isra.0+0x23c/0xbf0 [vub300] [69.952] vub300_cmndwork_thread+0x17f3/0x58b0 [vub300] [69.952] process_one_work+0x7ee/0x1320 [69.952] worker_thread+0x53c/0x1240 [69.952] kthread+0x2b8/0x370 [69.952] ret_from_fork+0x1f/0x30 [69.952] [69.952] Allocated by task 854: [69.952] kasan_save_stack+0x26/0x50 [69.952] kasan_set_track+0x25/0x30 [69.952] kasan_save_alloc_info+0x1b/0x30 [69.952] __kasan_kmalloc+0x87/0xa0 [69.952] __kmalloc_node_track_caller+0x63/0x150 [69.952] kmalloc_reserve+0x31/0xd0 [69.952] __alloc_skb+0xfc/0x2b0 [69.952] __mt76_mcu_msg_alloc+0xbf/0x230 [mt76] [69.952] mt76_mcu_send_and_get_msg+0xab/0x110 [mt76] [69.952] __mt76_mcu_send_firmware.cold+0x94/0x15d [mt76] [69.952] mt76_connac_mcu_send_ram_firmware+0x415/0x54d [mt76_connac_lib] [69.952] mt76_connac2_load_ram.cold+0x118/0x4bc [mt76_connac_lib] [69.952] mt7921_run_firmware.cold+0x2e9/0x405 [mt7921_common] [69.952] mt7921s_mcu_init+0x45/0x80 [mt7921s] [69.953] mt7921_init_work+0xe1/0x2a0 [mt7921_common] [69.953] process_one_work+0x7ee/0x1320 [69.953] worker_thread+0x53c/0x1240 [69.953] kthread+0x2b8/0x370 [69.953] ret_from_fork+0x1f/0x30 [69.953] The buggy address belongs to the object at ffff88811c9ce800 which belongs to the cache kmalloc-2k of size 2048 [69.953] The buggy address is located 0 bytes to the right of 2048-byte region [ffff88811c9ce800, ffff88811c9cf000) [69.953] Memory state around the buggy address: [69.953] ffff88811c9cef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [69.953] ffff88811c9cef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [69.953] >ffff88811c9cf000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69.953] ^ [69.953] ffff88811c9cf080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69.953] ffff88811c9cf100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Fixes: 764dee47e2c1 ("mt76: sdio: move common code in mt76_sdio module") Suggested-by: Lorenzo Bianconi Tested-by: YN Chen Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin

wifi: mt76: sdio: add rx_check callback for sdio devices

2022-09-15T10:53:59Z

Introduce rx_check callback support for mt7921s driver. Tested-by: Sean Wang Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau

mt76: use le32/16_get_bits() whenever possible

2022-03-16T16:40:22Z

Switch to use le32/16_get_bits() to simplfy codes and specify the size explicitly to avoid potential issues. Signed-off-by: Ryder Lee Signed-off-by: Felix Fietkau

mt76: sdio: honor the largest Tx buffer the hardware can support

2022-02-03T12:58:00Z

We don't have to create a separate sdio.xmit_buf buffer for each queue. Instead, we just need to create one, reuse it across all queues to reduce memory consumption further. And then we should take it into account the actual the host and the device MMC capability to determine what the appropriate xmit_buf_size can be. Both MT7921S and MT7663 can support up to Tx FIFO size of 0x3fe00 which means the device can receive 511 blocks of block size 512 in a row from the host. So if the driver aggregates the frames as many as possible the the device can support, we can merge multiple MMC requests into a single one to get rid of the overhead of the handling and synchronizing in those unnecessary MMC requests and reduce the SDIO lock contention with the Bluetooth concurrent traffic and finally to have the higher bus utilization with less idle cycle. With the patch, it is helpful for WiFi to have steady throughput performance especially while running Bluetooth concurrently. Co-developed-by: Deren Wu Signed-off-by: Deren Wu Signed-off-by: Sean Wang Acked-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau

mt76: sdio: disable interrupt in mt76s_sdio_irq

2022-02-03T12:57:59Z

It is unnecessary to keep the interrupt enabled in mt76s_sdio_irq because the driver is already aware of the interrupt, schedules the mt76s_txrx_worker to handle the corresponding actions, and eventually, the interrupt would be enabled again when mt76s_txrx_worker finishes its work. So we can safely disable the interrupt in mt76s_sdio_irq as soon as possible to increase the CPU productivity by dropping the redundant interrupt triggers. Note that sdio lock acquired/released would be handled in sdio_irq_work at mmc driver so we don't take care in mt76s_sdio_irq at function driver. Co-developed-by: Leon Yen Signed-off-by: Leon Yen Co-developed-by: Deren Wu Signed-off-by: Deren Wu Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau

mt76: sdio: lock sdio when it is needed

2022-02-03T12:57:57Z

Acquire the SDIO as needed as possible because either MT7663S or MT7921S is a multiple-function device that always includes Bluetooth that would share with the same SDIO bus. So not to avoid breaking Bluetooth pairing, audio, and HID such kind of time critical application on that, we only lock sdio bus when it is necessary in WiFi driver. Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau

mt76: mt7921s: fix the device cannot sleep deeply in suspend

2021-12-19T14:24:00Z

According to the MT7921S firmware, the cmd MCU_UNI_CMD_HIF_CTRL have to be last MCU command to execute in suspend handler and all data traffic have to be stopped before the cmd MCU_UNI_CMD_HIF_CTRL starts as well in order that mt7921 can successfully fall into the deep sleep mode. Where we reuse the flag MT76_STATE_SUSPEND and avoid creating another global flag to stop all of the traffic onto the SDIO bus. Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support") Reported-by: Leon Yen Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau

mt76: mt7921s: add reset support

2021-10-20T08:37:00Z

Introduce wifi chip reset support for mt7921 device to recover mcu hangs or abnormal wifi system. Tested-by: Deren Wu Acked-by: Lorenzo Bianconi Co-developed-by: Deren Wu Signed-off-by: Deren Wu Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau

mt76: mt7921: rely on mcu_get_nic_capability

2021-10-20T08:36:59Z

Rely on mcu_get_nic_capability to obtain Tx quota information for the SDIO device, get PHY capability, MAC address and then we can totally drop mt7921/eeprom.c and any unnecessary code. Noting that mt76_connac_mcu_get_nic_capability should be run before set flag MT76_STATE_MCU_RUNNING being set to setup the proper parameters like Tx quota control before the device is started to running. Tested-by: Deren Wu Acked-by: Lorenzo Bianconi Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau

mt76: sdio: extend sdio module to support CONNAC2

2021-10-20T08:36:59Z

Extend sdio module to support CONNAC2 hw that mt7921s rely on. Tested-by: Deren Wu Co-developed-by: Lorenzo Bianconi Signed-off-by: Lorenzo Bianconi Co-developed-by: Deren Wu Signed-off-by: Deren Wu Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau