diff --git a/package/kernel/mac80211/patches/ath11k/009-ath11k-Avoid-memcpy-over-reading-of-he_cap.patch b/package/kernel/mac80211/patches/ath11k/009-ath11k-Avoid-memcpy-over-reading-of-he_cap.patch
new file mode 100644
index 000000000..78ef0d680
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/009-ath11k-Avoid-memcpy-over-reading-of-he_cap.patch
@@ -0,0 +1,47 @@
+From c8bcd82a4efd053cdd5ce515a8b0003011a5f756 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Wed, 16 Jun 2021 12:54:10 -0700
+Subject: [PATCH] ath11k: Avoid memcpy() over-reading of he_cap
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally writing across neighboring array fields.
+
+Since peer_he_cap_{mac,phy}info and he_cap_elem.{mac,phy}_cap_info are not
+the same sizes, memcpy() was reading beyond field boundaries. Instead,
+correctly cap the copy length and pad out any difference in size
+(peer_he_cap_macinfo is 8 bytes whereas mac_cap_info is 6, and
+peer_he_cap_phyinfo is 12 bytes whereas phy_cap_info is 11).
+
+Signed-off-by: Kees Cook
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210616195410.1232119-1-keescook@chromium.org
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index eb52332dbe3f13..e9b3689331ec2a 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -1314,10 +1314,16 @@ static void ath11k_peer_assoc_h_he(struct ath11k *ar,
+
+ arg->he_flag = true;
+
+- memcpy(&arg->peer_he_cap_macinfo, he_cap->he_cap_elem.mac_cap_info,
+- sizeof(arg->peer_he_cap_macinfo));
+- memcpy(&arg->peer_he_cap_phyinfo, he_cap->he_cap_elem.phy_cap_info,
+- sizeof(arg->peer_he_cap_phyinfo));
++ memcpy_and_pad(&arg->peer_he_cap_macinfo,
++ sizeof(arg->peer_he_cap_macinfo),
++ he_cap->he_cap_elem.mac_cap_info,
++ sizeof(he_cap->he_cap_elem.mac_cap_info),
++ 0);
++ memcpy_and_pad(&arg->peer_he_cap_phyinfo,
++ sizeof(arg->peer_he_cap_phyinfo),
++ he_cap->he_cap_elem.phy_cap_info,
++ sizeof(he_cap->he_cap_elem.phy_cap_info),
++ 0);
+ arg->peer_he_ops = vif->bss_conf.he_oper.params;
+
+ /* the top most byte is used to indicate BSS color info */
\ No newline at end of file
diff --git a/package/kernel/mac80211/patches/ath11k/009-ath11k-translate-HE-status-to-radiotap-format.patch b/package/kernel/mac80211/patches/ath11k/010-ath11k-translate-HE-status-to-radiotap-format.patch
similarity index 100%
rename from package/kernel/mac80211/patches/ath11k/009-ath11k-translate-HE-status-to-radiotap-format.patch
rename to package/kernel/mac80211/patches/ath11k/010-ath11k-translate-HE-status-to-radiotap-format.patch
diff --git a/package/kernel/mac80211/patches/ath11k/012-ath11k-set-register-access-length-for-MHI-driver.patch b/package/kernel/mac80211/patches/ath11k/012-ath11k-set-register-access-length-for-MHI-driver.patch
new file mode 100644
index 000000000..40942e4bb
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/012-ath11k-set-register-access-length-for-MHI-driver.patch
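Review bot: The two `memcpy_and_pad()` calls in `ath11k_peer_assoc_h_he()` carry no comment saying why destination and source sizes differ, so the zero padding reads as accidental to someone who has not seen the commit message. That message gives the sizes (8 versus 6 bytes for the MAC info, 12 versus 11 for the PHY info); a one-line comment above the calls would keep the reason next to the code, for example `/* WMI fields are wider than the HE element arrays: copy what exists, zero the tail */`. The function body starts and ends outside the hunk.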
@@ -0,0 +1,31 @@
+From fb359946c3effad77a3ac8ebc943ea5cac22d335 Mon Sep 17 00:00:00 2001
+From: Bhaumik Bhatt
+Date: Thu, 6 May 2021 12:51:43 -0700
+Subject: [PATCH] ath11k: set register access length for MHI driver
+
+MHI driver requires register space length to add range checks and
+prevent memory region accesses outside of that for MMIO space.
+Set it before registering the MHI controller.
+
+Signed-off-by: Bhaumik Bhatt
+Reviewed-by: Hemant Kumar
+Reviewed-by: Manivannan Sadhasivam
+Acked-by: Kalle Valo
+Link: https://lore.kernel.org/r/1620330705-40192-5-git-send-email-bbhatt@codeaurora.org
+Signed-off-by: Manivannan Sadhasivam
+---
+ drivers/net/wireless/ath/ath11k/mhi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c
+index 27b394d115e26a..e097ae52e25733 100644
+--- a/drivers/net/wireless/ath/ath11k/mhi.c
++++ b/drivers/net/wireless/ath/ath11k/mhi.c
+@@ -330,6 +330,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
+ mhi_ctrl->cntrl_dev = ab->dev;
+ mhi_ctrl->fw_image = ab_pci->amss_path;
+ mhi_ctrl->regs = ab->mem;
++ mhi_ctrl->reg_len = ab->mem_len;
+
+ ret = ath11k_mhi_get_msi(ab_pci);
+ if (ret) {
diff --git a/package/kernel/mac80211/patches/ath11k/017-ath11k-Fix-an-error-handling-path-in-ath11k-core_fetch-board-data-api-n.patch b/package/kernel/mac80211/patches/ath11k/017-ath11k-Fix-an-error-handling-path-in-ath11k-core_fetch-board-data-api-n.patch
new file mode 100644
index 000000000..67f43eeae
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/017-ath11k-Fix-an-error-handling-path-in-ath11k-core_fetch-board-data-api-n.patch
@@ -0,0 +1,34 @@
+From 515bda1d1e51c64edf2a384a58801f85a80a3f2d Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET
+Date: Sat, 22 May 2021 11:50:54 +0200
+Subject: ath11k: Fix an error handling path in
+ ath11k_core_fetch_board_data_api_n()
+
+All error paths but this one 'goto err' in order to release some
+resources.
+Fix this.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/e959eb544f3cb04258507d8e25a6f12eab126bde.1621676864.git.christophe.jaillet@wanadoo.fr
+---
+ drivers/net/wireless/ath/ath11k/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
+index 4a1051418f33a..969bf1a590d99 100644
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -532,7 +532,8 @@ static int ath11k_core_fetch_board_data_api_n(struct ath11k_base *ab,
+ if (len < ALIGN(ie_len, 4)) {
+ ath11k_err(ab, "invalid length for board ie_id %d ie_len %zu len %zu\n",
+ ie_id, ie_len, len);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err;
+ }
+
+ switch (ie_id) {
+--
+cgit 1.2.3-1.el7
diff --git a/package/kernel/mac80211/patches/ath11k/018-ath11k-send-beacon-template-after-vdev-startrestart-during-csa.patch b/package/kernel/mac80211/patches/ath11k/018-ath11k-send-beacon-template-after-vdev-startrestart-during-csa.patch
new file mode 100644
index 000000000..4b34eaa37
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/018-ath11k-send-beacon-template-after-vdev-startrestart-during-csa.patch
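Review bot: The length check that this error path belongs to, `len < ALIGN(ie_len, 4)`, can pass on a wrapped value. If `ie_len` and `len` are `size_t` (both are printed with `%zu`; their declarations are outside the hunk) and the target is 32-bit, an `ie_len` within three of `SIZE_MAX` rounds up to 0 and the comparison no longer rejects it. Because `ie_len` presumably comes from the board file being parsed, comparing the unrounded length first closes the gap: `if (ie_len > len || len < ALIGN(ie_len, 4)) {`. The body of `ath11k_core_fetch_board_data_api_n()` starts and ends outside the hunk.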
@@ -0,0 +1,57 @@
+From 979ebc54cf13bd1e3eb6e21766d208d5de984fb8 Mon Sep 17 00:00:00 2001
+From: Seevalamuthu Mariappan
+Date: Tue, 25 May 2021 15:30:28 +0200
+Subject: ath11k: send beacon template after vdev_start/restart during csa
+
+Firmware has added assert if beacon template is received after
+vdev_down. Firmware expects beacon template after vdev_start
+and before vdev_up. This change is needed to support MBSSID EMA
+cases in firmware.
+
+Hence, Change the sequence in ath11k as expected from firmware.
+This new change is not causing any issues with older
+firmware.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1.r3-00011-QCAHKSWPL_SILICONZ-1
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1.r4-00008-QCAHKSWPL_SILICONZ-1
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Seevalamuthu Mariappan
+[sven@narfation.org: added tested-on/fixes information]
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210525133028.2805615-1-sven@narfation.org
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index 9d0ff150ec30f..eb52332dbe3f1 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -5379,11 +5379,6 @@ ath11k_mac_update_vif_chan(struct ath11k *ar,
+ if (WARN_ON(!arvif->is_up))
+ continue;
+
+- ret = ath11k_mac_setup_bcn_tmpl(arvif);
+- if (ret)
+- ath11k_warn(ab, "failed to update bcn tmpl during csa: %d\n",
+- ret);
+-
+ ret = ath11k_mac_vdev_restart(arvif, &vifs[i].new_ctx->def);
+ if (ret) {
+ ath11k_warn(ab, "failed to restart vdev %d: %d\n",
+@@ -5391,6 +5386,11 @@ ath11k_mac_update_vif_chan(struct ath11k *ar,
+ continue;
+ }
+
++ ret = ath11k_mac_setup_bcn_tmpl(arvif);
++ if (ret)
++ ath11k_warn(ab, "failed to update bcn tmpl during csa: %d\n",
++ ret);
++
+ ret = ath11k_wmi_vdev_up(arvif->ar, arvif->vdev_id, arvif->aid,
+ arvif->bssid);
+ if (ret) {
+--
+cgit 1.2.3-1.el7
diff --git a/package/kernel/mac80211/patches/ath11k/033-ath11k-fix-for-peer-memory-corruption.patch b/package/kernel/mac80211/patches/ath11k/033-ath11k-fix-for-peer-memory-corruption.patch
new file mode 100644
index 000000000..af130a1c7
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/033-ath11k-fix-for-peer-memory-corruption.patch
@@ -0,0 +1,103 @@
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -1463,11 +1463,9 @@ struct htt_ppdu_stats_info *ath11k_dp_ht
+ {
+ struct htt_ppdu_stats_info *ppdu_info;
+
+- spin_lock_bh(&ar->data_lock);
+ if (!list_empty(&ar->ppdu_stats_info)) {
+ list_for_each_entry(ppdu_info, &ar->ppdu_stats_info, list) {
+ if (ppdu_info->ppdu_id == ppdu_id) {
+- spin_unlock_bh(&ar->data_lock);
+ return ppdu_info;
+ }
+ }
+@@ -1481,16 +1479,13 @@ struct htt_ppdu_stats_info *ath11k_dp_ht
+ kfree(ppdu_info);
+ }
+ }
+- spin_unlock_bh(&ar->data_lock);
+
+ ppdu_info = kzalloc(sizeof(*ppdu_info), GFP_ATOMIC);
+ if (!ppdu_info)
+ return NULL;
+
+- spin_lock_bh(&ar->data_lock);
+ list_add_tail(&ppdu_info->list, &ar->ppdu_stats_info);
+ ar->ppdu_stat_list_depth++;
+- spin_unlock_bh(&ar->data_lock);
+
+ return ppdu_info;
+ }
+@@ -1522,8 +1517,10 @@ static int ath11k_htt_pull_ppdu_stats(st
+ ath11k_htt_ppdu_pktlog_process(ar, (u8 *)skb->data, DP_RX_BUFFER_SIZE);
+ }
+
++ spin_lock_bh(&ar->data_lock);
+ ppdu_info = ath11k_dp_htt_get_ppdu_desc(ar, ppdu_id);
+ if (!ppdu_info) {
++ spin_unlock_bh(&ar->data_lock);
+ ret = -EINVAL;
+ goto exit;
+ }
+@@ -1533,10 +1530,12 @@ static int ath11k_htt_pull_ppdu_stats(st
+ ath11k_htt_tlv_ppdu_stats_parse,
+ (void *)ppdu_info);
+ if (ret) {
++ spin_unlock_bh(&ar->data_lock);
+ ath11k_warn(ab, "Failed to parse tlv %d\n", ret);
+ goto exit;
+ }
+
++ spin_unlock_bh(&ar->data_lock);
+ exit:
+ rcu_read_unlock();
+
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -2755,22 +2755,28 @@ static int ath11k_clear_peer_keys(struct
+ int ret;
+ int i;
+ u32 flags = 0;
++ struct ieee80211_key_conf *keys[WMI_MAX_KEY_INDEX + 1];
+
+ lockdep_assert_held(&ar->conf_mutex);
+
+ spin_lock_bh(&ab->base_lock);
+ peer = ath11k_peer_find(ab, arvif->vdev_id, addr);
+- spin_unlock_bh(&ab->base_lock);
+-
+- if (!peer)
++ if (!peer) {
++ spin_unlock_bh(&ab->base_lock);
+ return -ENOENT;
++ }
++ for (i = 0; i < ARRAY_SIZE(keys); i++) {
++ keys[i]= peer->keys[i];
++ peer->keys[i]= NULL;
++ }
++ spin_unlock_bh(&ab->base_lock);
+
+- for (i = 0; i < ARRAY_SIZE(peer->keys); i++) {
+- if (!peer->keys[i])
++ for (i = 0; i < ARRAY_SIZE(keys); i++) {
++ if (!keys[i])
+ continue;
+
+ /* key flags are not required to delete the key */
+- ret = ath11k_install_key(arvif, peer->keys[i],
++ ret = ath11k_install_key(arvif, keys[i],
+ DISABLE_KEY, addr, flags);
+ if (ret < 0 && first_errno == 0)
+ first_errno = ret;
+@@ -2778,10 +2784,6 @@ static int ath11k_clear_peer_keys(struct
+ if (ret < 0)
+ ath11k_warn(ab, "failed to remove peer key %d: %d\n",
+ i, ret);
+-
+- spin_lock_bh(&ab->base_lock);
+- peer->keys[i] = NULL;
+- spin_unlock_bh(&ab->base_lock);
+ }
+
+ return first_errno;
\ No newline at end of file
diff --git a/package/kernel/mac80211/patches/ath11k/999-ath11k-Enable-512MB-profile-in-ath11k.patch b/package/kernel/mac80211/patches/ath11k/998-ath11k-Enable-512MB-profile-in-ath11k.patch
similarity index 100%
rename from package/kernel/mac80211/patches/ath11k/999-ath11k-Enable-512MB-profile-in-ath11k.patch
rename to package/kernel/mac80211/patches/ath11k/998-ath11k-Enable-512MB-profile-in-ath11k.patch
diff --git a/target/linux/ipq806x/files/arch/arm/boot/dts/qcom-ipq8065-rt4230w-rev6.dts b/target/linux/ipq806x/files/arch/arm/boot/dts/qcom-ipq8065-rt4230w-rev6.dts
index 9ed635fb9..84947166c 100644
--- a/target/linux/ipq806x/files/arch/arm/boot/dts/qcom-ipq8065-rt4230w-rev6.dts
+++ b/target/linux/ipq806x/files/arch/arm/boot/dts/qcom-ipq8065-rt4230w-rev6.dts
@@ -111,9 +111,9 @@ nand-ecc-strength = <4>; nand-bus-width = <8>; nand-ecc-step-size = <512>; - - nand-is-boot-medium; - qcom,boot_pages_size = <0x1180000>; + + nand-is-boot-medium; + qcom,boot_pages_size = <0x1180000>; partitions { compatible = "fixed-partitions"; 
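Review bot: In 033-ath11k-fix-for-peer-memory-corruption.patch, `ath11k_dp_htt_get_ppdu_desc()` now walks and modifies `ar->ppdu_stats_info` with no locking of its own, and nothing in the function records that the caller must hold `ar->data_lock`; only `ath11k_htt_pull_ppdu_stats()` is updated here, and any other caller would be outside the hunks shown. Adding `lockdep_assert_held(&ar->data_lock);` as its first statement would document and check the new contract, the way `ath11k_clear_peer_keys()` already asserts `conf_mutex`. In `ath11k_clear_peer_keys()` the local `keys[WMI_MAX_KEY_INDEX + 1]` is sized independently of `peer->keys`, whose declaration is not visible; `BUILD_BUG_ON(ARRAY_SIZE(keys) != ARRAY_SIZE(peer->keys));` would stop the copy loop from reading past the peer array if the two ever differ. The patch file also has no From/Subject/description header, unlike the other patches added in this commit, so its origin cannot be traced from the file itself.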
@@ -326,12 +326,14 @@ &pcie0 { status = "okay"; reset-gpio = <&qcom_pinmux 3 GPIO_ACTIVE_HIGH>; - /delete-property/ perst-gpios; + pinctrl-0 = <&pcie0_pins>; + pinctrl-names = "default"; }; &pcie1 { status = "okay"; reset-gpio = <&qcom_pinmux 48 GPIO_ACTIVE_HIGH>; - /delete-property/ perst-gpios; - force_gen1 = <1>; + pinctrl-0 = <&pcie1_pins>; + pinctrl-names = "default"; + max-link-speed = <1>; };
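Review bot: Dropping `/delete-property/ perst-gpios;` from `&pcie0` and `&pcie1` while keeping `reset-gpio` means that, if the included SoC dtsi defines `perst-gpios` (not visible here, though the old delete suggests it did), each node now carries two reset-line properties. Which one the PCIe driver reads, and whether the inherited polarity agrees with the `GPIO_ACTIVE_HIGH` given here, cannot be told from this hunk. A short comment above `reset-gpio` naming the property the driver uses, or removing the unused one, would settle it. The `pcie0_pins` and `pcie1_pins` labels referenced by the new `pinctrl-0` lines are likewise defined outside the hunk.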