Old USB API is prone to uninit value bugs if error handling is not
correct. Let's move atusb to use new USB API to
1) Make code more simple, since new API does not require memory
to be allocates via kmalloc()
2) Defend driver from usb-related uninit value bugs.
3) Make code more modern and simple
This patch removes atusb usb wrappers as Greg suggested [0], this will make
code more obvious and easier to understand over time, and replaces old
API calls with new ones.
Also this patch adds and updates usb related error handling to prevent
possible uninit value bugs in future
Link: https://lore.kernel.org/all/YdL0GPxy4TdGDzOO@kroah.com/ [0]
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Alexander reported a use of uninitialized value in
atusb_set_extended_addr(), that is caused by reading 0 bytes via
usb_control_msg().
Fix it by validating if the number of bytes transferred is actually
correct, since usb_control_msg() may read less bytes, than was requested
by caller.
Fail log:
BUG: KASAN: uninit-cmp in ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
BUG: KASAN: uninit-cmp in atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
BUG: KASAN: uninit-cmp in atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
Uninit value used in comparison: 311daa649a2003bd stack handle: 000000009a2003bd
ieee802154_is_valid_extended_unicast_addr include/linux/ieee802154.h:310 [inline]
atusb_set_extended_addr drivers/net/ieee802154/atusb.c:1000 [inline]
atusb_probe.cold+0x29f/0x14db drivers/net/ieee802154/atusb.c:1056
usb_probe_interface+0x314/0x7f0 drivers/usb/core/driver.c:396
Fixes: 7490b008d1 ("ieee802154: add support for atusb transceiver")
Reported-by: Alexander Potapenko <glider@google.com>
Acked-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/20220104182806.7188-1-paskripkin@gmail.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
syzbot reported memory leak in atusb_probe()[1].
The problem was in atusb_alloc_urbs().
Since urb is anchored, we need to release the reference
to correctly free the urb
backtrace:
[<ffffffff82ba0466>] kmalloc include/linux/slab.h:559 [inline]
[<ffffffff82ba0466>] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74
[<ffffffff82ad3888>] atusb_alloc_urbs drivers/net/ieee802154/atusb.c:362 [inline][2]
[<ffffffff82ad3888>] atusb_probe+0x158/0x820 drivers/net/ieee802154/atusb.c:1038 [1]
Reported-by: syzbot+28a246747e0a465127f3@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The disconnect callback was accessing the hardware-descriptor private
data after having having freed it.
Fixes: 7490b008d1 ("ieee802154: add support for atusb transceiver")
Cc: stable <stable@vger.kernel.org> # 4.2
Cc: Alexander Aring <alex.aring@gmail.com>
Reported-by: syzbot+f4509a9138a1472e7e80@syzkaller.appspotmail.com
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation version 2
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 135 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190531081036.435762997@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
atusb_probe() is never called in atomic context.
This function is only set as ".probe" in struct usb_driver.
Despite never getting called from atomic context,
atusb_probe() calls usb_alloc_urb() with GFP_ATOMIC,
which does not sleep for allocation.
GFP_ATOMIC is not necessary and can be replaced with GFP_KERNEL,
which can sleep and improve the possibility of sucessful allocation.
This is found by a static analysis tool named DCNS written by myself.
And I also manually check it.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
The check is valid but it does not warrant to crash the kernel. A
WARN_ON() is good enough here.
Found by checkpatch.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Instead of having the function name hard-coded (it might change and we
forgot to update them in the debug output) we can use __func__ instead
and also shorter the line so we do not need to break it.
Found by checkpatch.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
The arrays atusb_chip_data and hulusb_chip_data are local to the source
and do not need to be in global scope, so make them static. Also
remove unnecessary forward declaration of atusb_chip_data.
Cleans up sparse warnings:
symbol 'atusb_chip_data' was not declared. Should it be static?
symbol 'hulusb_chip_data' was not declared. Should it be static?
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Geert reported: as fw_ver_maj is unsigned char, gcc 4.1.2 complains:
warning: comparison is always true due to limited range of data type
Besides the warning the old check would also fail for firmware versions
like 1.x with x < 3. These would support frame retries, but the driver
would not enable the feature.
Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Busware manufactured an USB dongle that is quite similar to
the atben and rzusb USB dongles. that are already supported.
This patch aims to support the Busware HUL dongle (called
hulusb) alongside atusb and rzusb. hulusb is using the
at86rf212 transceiver which is specifically designed to
support the 700/800/900 MHz wave band.
The source code is heavily inspired by the existing atusb
and at86rf2xx drivers.
Signed-off-by: Josef Filzmaier <j.filzmaier@gmx.at>
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
After the addition of the frame_retries callback we could run into cases where
a ATUSB device with an older firmware version would now longer be able to bring
the interface up.
We keep this functionality disabled now if the minimum firmware version for this
feature is not available.
Fixes: 5d82288b93 ("ieee802154: atusb: implement .set_frame_retries
ops callback")
Reported-by: Alexander Aring <aar@pengutronix.de>
Acked-by: Alexander Aring <aar@pengutronix.de>
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
From 4.9 we should really avoid using the stack here as this will not be DMA
able on various platforms. This changes a buffer that was introduced in the
4.10 merge window.
Fixes: 6cc33eba23 ("ieee802154: atusb: try to read permanent extended
address from device")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
In the unlikely case were the firmware is new enough but the actual USB command
still fails make sure we set a random address and return.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
From 4.9 we should really avoid using the stack here as this will not be DMA
able on various platforms. This changes the buffers already being present in
time of 4.9 being released. This should go into stable as well.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
From firmware version 0.3 onwards we use the TX_ARET mode allowing for automatic
frame retransmissions. To actually make use of this feature we need to implement
the callback for setting the frame retries.
If the firmware version is to old print a warning and return with invalid value.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
With version 0.3 the atusb firmware offers an interface to read a permanent
EUI64 address from the devices EEPROM. This patch checks if the firmware is
new enough and tries to read out and use the address. If this does not work
we fall back to the original randomly generated address.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The firmware versions will be used to enable selective features based on the
available firmware on the device. Make sure we do not need to fetch it for
every check but store it after the initial retrieval.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Declare the structure ieee802154_ops as const as it is only passed as an
argument to the function ieee802154_alloc_hw. This argument is of type
const struct ieee802154_ops *, so ieee80254_ops structures having this
property can be declared as const.
Done using Coccinelle:
@r1 disable optional_qualifier @
identifier i;
position p;
@@
static struct ieee802154_ops i@p = {...};
@ok1@
identifier r1.i;
position p;
expression e1;
@@
ieee802154_alloc_hw(e1,&i@p)
@bad@
position p!={r1.p,ok1.p};
identifier r1.i;
@@
i@p
@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
static
+const
struct ieee802154_ops i={...};
@depends on !bad disable optional_qualifier@
identifier r1.i;
@@
+const
struct ieee802154_ops i;
The before and after size details of the affected files are:
text data bss dec hex filename
8669 1176 16 9861 2685 drivers/net/ieee802154/adf7242.o
8805 1048 16 9869 268d drivers/net/ieee802154/adf7242.o
text data bss dec hex filename
7211 2296 32 9539 2543 drivers/net/ieee802154/atusb.o
7339 2160 32 9531 253b drivers/net/ieee802154/atusb.o
Signed-off-by: Bhumika Goyal <bhumirks@gmail.com>
Acked-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes the behaviour to not overwrite csma settings when
set channel afterwards.
Cc: Stefan Schmidt <stefan@osg.samsung.com>
Acked-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Alexander Aring <aar@pengutronix.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Catching up with the stack here and implement CCA mode setting.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Catching up with the stack here and implement CCA ED level setting.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Catching up with the stack here and implement CSMA parameter setting.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The kfree_skb() function tests whether its argument is NULL and then
returns immediately. Thus the test around the call is not needed.
This issue was detected by using the Coccinelle software.
Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Acked-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch supports handling for printout different chipnames between
atusb and rzusb. The rzusb contains an at86rf230 and atusb an at86rf231
transceiver.
Cc: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch removes the hardware auto acknowdledge flag which indicates
that the transceiver supports this handling. This flag is never
evaluated inside mac802154 and all transceivers should support this
handling by default per hardware.
Suggested-by: Lennert Buytenhek <buytenh@wantstofly.org>
Cc: Alan Ott <alan@signal11.us>
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Reviewed-by: Varka Bhadram <varkabhadram@gmail.com>
Acked-by: Stefan Schmidt <stefan@osg.samsung.com>
Acked-by: Varka Bhadram <varkabhadram@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Atusb uses the at86rf231 transceiver so we can use the same calculation
for txpower settings for it.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Reviewed-by: Varka Bhadram <varkabhadram@gmail.com>
Acked-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
With this function we can set individual bits in the registers if needed.
With the old SR_VALUE macro we could only set one bit in the register
which was ok for some scenarios but not for all. With this subreg write
function we can now set more bits defined by the mask while not touching
the rest.
We start using it for the current SR_VALUE use case and will use it more
in upcoming patches.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Reviewed-by: Varka Bhadram <varkabhadram@gmail.com>
Acked-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch adds support for the at86rf230 version check which is used
by the rzusb stick.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Reviewed-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Since firmware version 0.2 we use AACK handling directly in the firmware.
Inform the stack that the hardware supports and uses it.
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Acked-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Together with mainlining the driver we released a first public binary version
of the device firmware. This is version 0.2. With this change we warn users
who run outdated versions of the firmware. While we have not seen problems
with it yet (thus no error, but a warning only) it would be better to run the
released and tested firmware. You can find released versions here:
http://downloads.qi-hardware.com/people/werner/wpan/web/
Signed-off-by: Stefan Schmidt <stefan@osg.samsung.com>
Acked-by: Alexander Aring <alex.aring@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
This patch adds support for the atusb transceiver.
The current driver supports basic functionality only. Possible further
tasks would be to sync functionality with the at86rf230 driver, because
the atusb use internally an at86rf231 transceiver. Some of these
features need a firmware update like AACK and ARET handling.
I did small changes to this driver to work with xmit_async callback and
setting of a random extended perm address.
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Cc: Werner Almesberger <werner@almesberger.net>
Cc: Stefan Schmidt <s.schmidt@samsung.com>
Cc: Richard Sharpe <realrichardsharpe@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>