strcpy() performs no bounds checking on the destination buffer. This
could result in linear overflows beyond the end of the buffer, leading
to all kinds of misbehaviors. The safe replacement is strscpy() but in
this case it is better to use the scnprintf to simplify the arithmetic.
This is a previous step in the path to remove the strcpy() function
entirely from the kernel.
Signed-off-by: Len Baker <len.baker@gmx.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The continue statement in the for-loop has no effect,
remove it.
Addresses-Coverity: ("Continue has no effect")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
SD89xx devices use identical card register settings. Make sure a single common
instance is used to describe them.
Signed-off-by: Tamás Szűcs <tszucs@protonmail.ch>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg says:
====================
pull request: bluetooth-next 2020-07-31
Here's the main bluetooth-next pull request for 5.9:
- Fix firmware filenames for Marvell chipsets
- Several suspend-related fixes
- Addedd mgmt commands for runtime configuration
- Multiple fixes for Qualcomm-based controllers
- Add new monitoring feature for mgmt
- Fix handling of legacy cipher (E4) together with security level 4
- Add support for Realtek 8822CE controller
- Fix issues with Chinese controllers using fake VID/PID values
- Multiple other smaller fixes & improvements
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Use device_init_wakeup to allow the Bluetooth dev to wake the system
from suspend. Currently, the device can wake the system but no
power/wakeup entry is created in sysfs to allow userspace to disable
wakeup.
Signed-off-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Firmware for sd8997 chipset is distributed by Marvell package and also as
part of the linux-firmware repository in filename sdsd8997_combo_v4.bin.
This patch fixes mwifiex driver to load correct firmware file for sd8997.
Fixes: f0ef67485f ("Bluetooth: btmrvl: add sd8997 chipset support")
Signed-off-by: Pali Rohár <pali@kernel.org>
Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Firmware for sd8977 chipset is distributed by Marvell package and also as
part of the linux-firmware repository in filename sdsd8977_combo_v2.bin.
This patch fixes mwifiex driver to load correct firmware file for sd8977.
Fixes: 8c57983bf7 ("Bluetooth: btmrvl: add support for sd8977 chipset")
Signed-off-by: Pali Rohár <pali@kernel.org>
Acked-by: Ganapathi Bhat <ganapathi.bhat@nxp.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch adds support for Marvell 88W8987 chipset with SDIO interface.
Register offsets and supported feature flags are updated. The corresponding
firmware image file shall be "mrvl/sd8987_uapsta.bin".
Signed-off-by: Tamás Szűcs <tszucs@protonmail.ch>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch adds support for 8977 chipset to mwifiex with SDIO
interface. Register offsets and supported feature flags are
updated. Firmware image used will be mrvl/sd8977_uapsta.bin.
Signed-off-by: Hemantkumar Suthar <shemant@marvell.com>
Signed-off-by: Rakesh Parmar <rakeshp@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Ganapathi Bhat <gbhat@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The platform specific wake-up interrupt is optional. Don't print
an error message in case it is missing, merely inform the user in
this case.
Signed-off-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
btmrvl_sdio_card_to_host() is never called in atomic context.
It calls bt_skb_alloc() with GFP_ATOMIC, which is not necessary.
GFP_ATOMIC can be replaced with GFP_KERNEL.
This is found by a static analysis tool named DCNS written by myself.
I also manually check the kernel code before reporting it.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Since commit 3c47d19ff4 ("drivers: base: add coredump driver ops")
it is possible to initiate a device coredump from user-space. This
patch adds support for it in btmrvl_sdio adding the .coredump()
driver callback. This makes dump through debugfs obsolete so removing
it.
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The variable "payload" will eventually be set to an appropriate pointer
a bit later. Thus omit the explicit initialisation at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The local variable "ret" will be set to an appropriate value a bit later.
Thus omit the explicit initialisation at the beginning.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
pr_err(), dev_err() and pr_info() messages should terminated with
a new-line to avoid other messages being concatenated onto the end.
Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Fixed alignment of all block comments.
Found using checkpatch
Signed-off-by: Derek Robson <robsonde@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Sanity check of interrupt number in interrupt handler is unnecessary and
confusion, remove it.
Reported-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Else is not generally useful after a break or return
Signed-off-by: Prasanna Karthik <pkarthik@outlook.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Currrently we are disabling this wake irq after receiving it. If this
happens before we finish suspend and the pm event check is disabled,
the system will continue suspending, and this irq would not work again.
We may need to abort system suspend to avoid that.
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
trivial fix to spelling mistake in debug message
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
trivial fix to spelling mistake in error message
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The irq_of_parse_and_map will return 0 as a invalid irq.
Set irq_bt to -1 in this case, so that the btmrvl resume/suspend code
would not try to enable/disable it.
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
It's much the same as what we did for mwifiex in:
b9da4d2 mwifiex: avoid double-disable_irq() race
"We have a race where the wakeup IRQ might be in flight while we're
calling mwifiex_disable_wake() from resume(). This can leave us
disabling the IRQ twice.
Let's disable the IRQ and enable it in case if we have double-disabled
it."
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
is_suspending flag remains on when host sleep fails to enable. Data
path is unnecessarily blocked after this. This patch ensures to
reset the flag in failure path.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Kasan reported slab-out-of-bounds access in btmrvl_sdio:
[ 33.055400] ==================================================================
[ 33.062585] BUG: KASAN: slab-out-of-bounds in memcpy+0x24/0x50 at addr ffffffc0d89b4a00
[ 33.070529] Read of size 256 by task btmrvl_main_ser/3576
[ 33.075885] =============================================================================
[ 33.084002] BUG kmalloc-256 (Tainted: G B ): kasan: bad access detected
[ 33.091511] -----------------------------------------------------------------------------
<snip...>
[ 33.413498] Call trace:
[ 33.415928] [<ffffffc00020a440>] dump_backtrace+0x0/0x190
[ 33.421288] [<ffffffc00020a5ec>] show_stack+0x1c/0x28
[ 33.426305] [<ffffffc000b3288c>] dump_stack+0xa0/0xf8
[ 33.431320] [<ffffffc000396130>] print_trailer+0x158/0x16c
[ 33.436765] [<ffffffc0003962cc>] object_err+0x48/0x5c
[ 33.441780] [<ffffffc00039be24>] kasan_report+0x344/0x510
[ 33.447141] [<ffffffc00039afd8>] __asan_loadN+0x20/0x150
[ 33.452413] [<ffffffc00039b60c>] memcpy+0x20/0x50
[ 33.457084] [<ffffffc000595fcc>] swiotlb_tbl_map_single+0x2ec/0x310
[ 33.463305] [<ffffffc000596b54>] map_single+0x24/0x30
[ 33.468320] [<ffffffc0005970c8>] swiotlb_map_sg_attrs+0xec/0x21c
[ 33.474286] [<ffffffc000219d4c>] __swiotlb_map_sg_attrs+0x48/0xec
[ 33.480339] [<ffffffc0008ea610>] msdc_prepare_data.isra.11+0xf0/0x11c
[ 33.486733] [<ffffffc0008ecbd0>] msdc_ops_request+0x74/0xf0
[ 33.492266] [<ffffffc0008c6b38>] __mmc_start_request+0x78/0x8c
[ 33.498057] [<ffffffc0008c6d6c>] mmc_start_request+0x220/0x240
[ 33.503848] [<ffffffc0008c6e04>] mmc_wait_for_req+0x78/0x250
[ 33.509468] [<ffffffc0008d70fc>] mmc_io_rw_extended+0x2ec/0x388
[ 33.515347] [<ffffffc0008d8fc0>] sdio_io_rw_ext_helper+0x160/0x268
[ 33.521483] [<ffffffc0008d93fc>] sdio_writesb+0x40/0x50
[ 33.526677] [<ffffffbffc338b38>] btmrvl_sdio_host_to_card+0x124/0x1bc [btmrvl_sdio]
[ 33.534283] [<ffffffbffc3290a0>] btmrvl_service_main_thread+0x384/0x428 [btmrvl]
[ 33.541626] [<ffffffc0002518e8>] kthread+0x140/0x158
[ 33.546550] Memory state around the buggy address:
[ 33.551305] ffffffc0d89b4980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.558474] ffffffc0d89b4a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 33.565643] >ffffffc0d89b4a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
[ 33.572809] ^
[ 33.579889] ffffffc0d89b4b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.587055] ffffffc0d89b4b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 33.594221] ==================================================================
The cause of this is that btmrvl_sdio_host_to_card can access memory region
out of its allocated space due to:
1. the requested block size is smaller than SDIO_BLOCK_SIZE, and/or
2. the allocated memory is not BTSDIO_DMA_ALIGN-aligned.
This patch fixes the issue by allocating a buffer which is big enough for
SDIO_BLOCK_SIZE transfer and/or BTSDIO_DMA_ALIGN address relocation.
Signed-off-by: Ricky Liang <jcliang@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
On some arm-based platforms, we need to configure platform specific
parameters by device tree node and also define our node as a child
node of parent SDIO host controller.
This patch parses these parameters from device tree. It includes
calibration data download to firmware, wakeup pin configured to firmware,
and soc specific wake up gpio, which will be set as wakeup interrupt pin.
Signed-off-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
In some case, the btmrvl_sdio firmware would fail to active within the
polling time. Increase the polling interval to 100 msec to fix the
issue.
Signed-off-by: Wei-Ning Huang <wnhuang@chromium.org>
Signed-off-by: Wei-Ning Huang <wnhuang@google.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Usually when driver sends data to firmware it receives TX_DONE
(DN_LD_HOST_INT_STATUS) interrupt from firmware right away.
It's also observed that some times the fireware could delay
sending DN_LD_HOST_INT_STATUS interrupt. If driver sends data to
firmware during suspend processing and the TX_DONE interrupt is
delayed, it may come back at wrong time when SDIO host driver is
in the middle of suspending.
Block any data from stack while suspending. Also skip sending
data that are already in driver tx_queue.
Don't purge the skb queue on suspend to avoid intermittent music
after system resumes from S3.
Signed-off-by: Chin-Ran Lo <crlo@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The new hci_skb_pkt_* wrappers are mainly intented for drivers to
require less knowledge about bt_cb(sbk) handling. So after converting
the core packet handling, convert all drivers.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
NOT NULL comparison modified to be readable, reported
by checkpatch.
Signed-off-by: Prasanna Karthik <mkarthi3@visteon.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch adds support for Marvell's new chipset SD8997.
Register offsets and supported feature flags are updated.
Signed-off-by: Zhaoyang Liu <liuzy@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Coding style fix, extra spaces are removed to make casting
consistent.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
First firmware dump attempt from user works fine, but firmware goes
into bad state after this. Subsequent attempts fails.
As required by the firmware dump implementation, this change writes
FW_DUMP_READ_DONE value to dump ctrl register to address this issue.
Signed-off-by: Nachiket Kukade <kukaden@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This change ensures we will get driver name as 'btmrvl_sdio'
in udev event.
Signed-off-by: Shengzhen Li <szli@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
We will not release sdio bus until firmware is completely
downloaded and becomes ready. Our 8887 A2 chip can have
separate firmware images for WLAN and bluetooth. This
patch fixes an issue observed when both drivers
simultaneously try to download respective firmwares.
Signed-off-by: Aniket Nagarnaik <aniketn@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch fixes a compile warnning "dump_num maybe used uninitialized in
this function".
Signed-off-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
When driver is loaded, it is important to know if FW was already
active or it is freshly downloaded. This patch increases the
priority of the message.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This flag will be set in unload path to make sure that we skip
sending further commands, ignore interrupts and stop main thread
when unload starts.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch adds firmware dump support for marvell
bluetooth chipset. Currently only SD8897 is supported.
This is implemented based on dev_coredump, a new mechnism
introduced in kernel 3.18rc3
Firmware dump can be trigger by
echo 1 > /sys/kernel/debug/bluetooth/hci*/config/fw_dump
and when the dump operation is completed, data can be read by
cat /sys/class/devcoredump/devcd*/data
We have prepared following script to divide fw memory
dump data into multiple files based on memory type.
[root]# cat btmrvl_split_dump_data.sh
#!/bin/bash
# usage: ./btmrvl_split_dump_data.sh dump_data
fw_dump_data=$1
mem_type="ITCM DTCM SQRAM APU CIU ICU MAC EXT7 EXT8 EXT9 EXT10 EXT11 EXT12 EXT13 EXTLAST"
for name in ${mem_type[@]}
do
sed -n "/Start dump $name/,/End dump/p" $fw_dump_data > tmp.$name.log
if [ ! -s tmp.$name.log ]
then
rm -rf tmp.$name.log
else
# Remove the describle info "Start dump" and "End dump"
sed '1d' tmp.$name.log | sed '$d' > /data/$name.log
if [ -s /data/$name.log ]
then
echo "generate /data/$name.log"
else
sed '1d' tmp.$name.log | sed '$d' > /var/$name.log
echo "generate /var/$name.log"
fi
rm -rf tmp.$name.log
fi
done
Signed-off-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Reviewed-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
BT_INFO/BT_DBG etc. already takes care of adding a newline
An extra newline character inside message is removed in this
patch.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch adds driver support for marvell SD8887 chip.
Signed-off-by: Xinming Hu <huxm@marvell.com>
Signed-off-by: Kevin Gan <ganhy@marvell.com>
Signed-off-by: Cathy Luo <cluo@marvell.com>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Register offsets are different for SD8897 and newer chip SD8887.
We can not have common btmrvl_sdio_card_reg map for them.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
We should suspend hci device and purge remaining data in tx queue
before enabling host sleep in firmware. If any data is sent to
firmware after host sleep is activated, firmware may end up
sending a TX_DONE interrupt to driver. If this interrupt gets
delivered to host while the SDIO host controller is suspending,
it may crash the system.
Conversely, in resume handler, we should resume hci device after
host sleep is de-activated.
Signed-off-by: Chin-Ran Lo <crlo@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
A vendor specific command is sent to firmware during
initialization to enable this feature. This command is for
SD8897 only.
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
For SD8897, CMD52 write_to_clear may have missing interrupts
under certain corner case condition. Use CMD53 read-to-clear
to fix the problem.
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>