* [PATCH AUTOSEL 6.11 002/244] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()
[not found] <20240925113641.1297102-1-sashal@kernel.org>
@ 2024-09-25 11:23 ` Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 003/244] wifi: rtw89: avoid to add interface to list twice when SER Sasha Levin
` (19 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:23 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Dmitry Kandybka, Toke Høiland-Jørgensen, Kalle Valo,
Sasha Levin, kvalo, linux-wireless
From: Dmitry Kandybka <d.kandybka@gmail.com>
[ Upstream commit 3f66f26703093886db81f0610b97a6794511917c ]
In 'ath9k_get_et_stats()', promote TX stats counters to 'u64'
to avoid possible integer overflow. Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240725111743.14422-1-d.kandybka@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
index d84e3ee7b5d90..886a102e5b025 100644
--- a/drivers/net/wireless/ath/ath9k/debug.c
+++ b/drivers/net/wireless/ath/ath9k/debug.c
@@ -1325,11 +1325,11 @@ void ath9k_get_et_stats(struct ieee80211_hw *hw,
struct ath_softc *sc = hw->priv;
int i = 0;
- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all +
+ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_pkts_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_pkts_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_pkts_all);
- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all +
+ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_bytes_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_bytes_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_bytes_all);
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 003/244] wifi: rtw89: avoid to add interface to list twice when SER
[not found] <20240925113641.1297102-1-sashal@kernel.org>
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 002/244] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Sasha Levin
@ 2024-09-25 11:23 ` Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 004/244] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Sasha Levin
` (18 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:23 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Chih-Kang Chang, Ping-Ke Shih, Sasha Levin, kvalo, terrelln,
linux-wireless
From: Chih-Kang Chang <gary.chang@realtek.com>
[ Upstream commit 7dd5d2514a8ea58f12096e888b0bd050d7eae20a ]
If SER L2 occurs during the WoWLAN resume flow, the add interface flow
is triggered by ieee80211_reconfig(). However, due to
rtw89_wow_resume() return failure, it will cause the add interface flow
to be executed again, resulting in a double add list and causing a kernel
panic. Therefore, we have added a check to prevent double adding of the
list.
list_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:37!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W O 6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7
Hardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021
Workqueue: events_freezable ieee80211_restart_work [mac80211]
RIP: 0010:__list_add_valid_or_report+0x5e/0xb0
Code: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12
RSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246
RAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900
RDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001
RBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0
R10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060
R13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010
FS: 0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0
Call Trace:
<TASK>
? __die_body+0x1f/0x70
? die+0x3d/0x60
? do_trap+0xa4/0x110
? __list_add_valid_or_report+0x5e/0xb0
? do_error_trap+0x6d/0x90
? __list_add_valid_or_report+0x5e/0xb0
? handle_invalid_op+0x30/0x40
? __list_add_valid_or_report+0x5e/0xb0
? exc_invalid_op+0x3c/0x50
? asm_exc_invalid_op+0x16/0x20
? __list_add_valid_or_report+0x5e/0xb0
rtw89_ops_add_interface+0x309/0x310 [rtw89_core 7c32b1ee6854761c0321027c8a58c5160e41f48f]
drv_add_interface+0x5c/0x130 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
ieee80211_reconfig+0x241/0x13d0 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
? finish_wait+0x3e/0x90
? synchronize_rcu_expedited+0x174/0x260
? sync_rcu_exp_done_unlocked+0x50/0x50
? wake_bit_function+0x40/0x40
ieee80211_restart_work+0xf0/0x140 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
process_scheduled_works+0x1e5/0x480
worker_thread+0xea/0x1e0
kthread+0xdb/0x110
? move_linked_works+0x90/0x90
? kthread_associate_blkcg+0xa0/0xa0
ret_from_fork+0x3b/0x50
? kthread_associate_blkcg+0xa0/0xa0
ret_from_fork_asm+0x11/0x20
</TASK>
Modules linked in: dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc rfcomm cmac uinput algif_hash algif_skcipher af_alg btusb btrtl iio_trig_hrtimer industrialio_sw_trigger btmtk industrialio_configfs btbcm btintel uvcvideo videobuf2_vmalloc iio_trig_sysfs videobuf2_memops videobuf2_v4l2 videobuf2_common uvc snd_hda_codec_hdmi veth snd_hda_intel snd_intel_dspcfg acpi_als snd_hda_codec industrialio_triggered_buffer kfifo_buf snd_hwdep industrialio i2c_piix4 snd_hda_core designware_i2s ip6table_nat snd_soc_max98357a xt_MASQUERADE xt_cgroup snd_soc_acp_rt5682_mach fuse rtw89_8922ae(O) rtw89_8922a(O) rtw89_pci(O) rtw89_core(O) 8021q mac80211(O) bluetooth ecdh_generic ecc cfg80211 r8152 mii joydev
gsmi: Log Shutdown Reason 0x03
---[ end trace 0000000000000000 ]---
Signed-off-by: Chih-Kang Chang <gary.chang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240731070506.46100-4-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/mac80211.c | 4 +++-
drivers/net/wireless/realtek/rtw89/util.h | 18 ++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/mac80211.c b/drivers/net/wireless/realtek/rtw89/mac80211.c
index 1508693032cb2..de3e7e4c6e76b 100644
--- a/drivers/net/wireless/realtek/rtw89/mac80211.c
+++ b/drivers/net/wireless/realtek/rtw89/mac80211.c
@@ -126,7 +126,9 @@ static int rtw89_ops_add_interface(struct ieee80211_hw *hw,
rtwvif->rtwdev = rtwdev;
rtwvif->roc.state = RTW89_ROC_IDLE;
rtwvif->offchan = false;
- list_add_tail(&rtwvif->list, &rtwdev->rtwvifs_list);
+ if (!rtw89_rtwvif_in_list(rtwdev, rtwvif))
+ list_add_tail(&rtwvif->list, &rtwdev->rtwvifs_list);
+
INIT_WORK(&rtwvif->update_beacon_work, rtw89_core_update_beacon_work);
INIT_DELAYED_WORK(&rtwvif->roc.roc_work, rtw89_roc_work);
rtw89_leave_ps_mode(rtwdev);
diff --git a/drivers/net/wireless/realtek/rtw89/util.h b/drivers/net/wireless/realtek/rtw89/util.h
index e82e7df052d88..e669544cafd3f 100644
--- a/drivers/net/wireless/realtek/rtw89/util.h
+++ b/drivers/net/wireless/realtek/rtw89/util.h
@@ -16,6 +16,24 @@
#define rtw89_for_each_rtwvif(rtwdev, rtwvif) \
list_for_each_entry(rtwvif, &(rtwdev)->rtwvifs_list, list)
+/* Before adding rtwvif to list, we need to check if it already exist, beacase
+ * in some case such as SER L2 happen during WoWLAN flow, calling reconfig
+ * twice cause the list to be added twice.
+ */
+static inline bool rtw89_rtwvif_in_list(struct rtw89_dev *rtwdev,
+ struct rtw89_vif *new)
+{
+ struct rtw89_vif *rtwvif;
+
+ lockdep_assert_held(&rtwdev->mutex);
+
+ rtw89_for_each_rtwvif(rtwdev, rtwvif)
+ if (rtwvif == new)
+ return true;
+
+ return false;
+}
+
/* The result of negative dividend and positive divisor is undefined, but it
* should be one case of round-down or round-up. So, make it round-down if the
* result is round-up.
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 004/244] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit
[not found] <20240925113641.1297102-1-sashal@kernel.org>
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 002/244] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 003/244] wifi: rtw89: avoid to add interface to list twice when SER Sasha Levin
@ 2024-09-25 11:23 ` Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 010/244] wifi: iwlwifi: mvm: Fix a race in scan abort flow Sasha Levin
` (17 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:23 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Toke Høiland-Jørgensen, syzbot+98afa303be379af6cdb2,
Kalle Valo, Sasha Levin, toke, kvalo, linux-wireless
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 94745807f3ebd379f23865e6dab196f220664179 ]
Syzbot points out that skb_trim() has a sanity check on the existing length of
the skb, which can be uninitialised in some error paths. The intent here is
clearly just to reset the length to zero before resubmitting, so switch to
calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
already contains a call to skb_reset_tail_pointer(), so remove the redundant
call.
The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240812142447.12328-1-toke@toke.dk
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 0c7841f952287..a3733c9b484e4 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -716,8 +716,7 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
}
resubmit:
- skb_reset_tail_pointer(skb);
- skb_trim(skb, 0);
+ __skb_set_length(skb, 0);
usb_anchor_urb(urb, &hif_dev->rx_submitted);
ret = usb_submit_urb(urb, GFP_ATOMIC);
@@ -754,8 +753,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
case -ESHUTDOWN:
goto free_skb;
default:
- skb_reset_tail_pointer(skb);
- skb_trim(skb, 0);
+ __skb_set_length(skb, 0);
goto resubmit;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 010/244] wifi: iwlwifi: mvm: Fix a race in scan abort flow
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (2 preceding siblings ...)
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 004/244] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Sasha Levin
@ 2024-09-25 11:23 ` Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 011/244] wifi: iwlwifi: mvm: drop wrong STA selection in TX Sasha Levin
` (16 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:23 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Ilan Peer, Miri Korenblit, Johannes Berg, Sasha Levin, kvalo,
benjamin.berg, daniel.gabay, ayala.beker, linux-wireless
From: Ilan Peer <ilan.peer@intel.com>
[ Upstream commit 87c1c28a9aa149489e1667f5754fc24f4973d2d0 ]
When the upper layer requests to cancel an ongoing scan, a race
is possible in which by the time the driver starts to handle the
upper layers scan cancel flow, the FW already completed handling
the scan request and the driver received the scan complete
notification but still did not handle the notification. In such a
case the FW will simply ignore the scan abort request coming from
the driver, no notification would arrive from the FW and the entire
abort flow would be considered a failure.
To better handle this, check the status code returned by the FW for
the scan abort command. In case the status indicates that
no scan was aborted, complete the scan abort flow with success, i.e.,
the scan was aborted, as the flow is expected to consume the scan
complete notification.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240825085558.483989d3baef.I3340556a222388504c6330b333360bf77d10f9e2@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/intel/iwlwifi/fw/api/scan.h | 13 ++++++
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 +++++++++++++++----
2 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/api/scan.h b/drivers/net/wireless/intel/iwlwifi/fw/api/scan.h
index 8598031567bba..0aefdf353b214 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/api/scan.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/api/scan.h
@@ -1132,6 +1132,19 @@ struct iwl_umac_scan_abort {
__le32 flags;
} __packed; /* SCAN_ABORT_CMD_UMAC_API_S_VER_1 */
+/**
+ * enum iwl_umac_scan_abort_status
+ *
+ * @IWL_UMAC_SCAN_ABORT_STATUS_SUCCESS: scan was successfully aborted
+ * @IWL_UMAC_SCAN_ABORT_STATUS_IN_PROGRESS: scan abort is in progress
+ * @IWL_UMAC_SCAN_ABORT_STATUS_NOT_FOUND: nothing to abort
+ */
+enum iwl_umac_scan_abort_status {
+ IWL_UMAC_SCAN_ABORT_STATUS_SUCCESS = 0,
+ IWL_UMAC_SCAN_ABORT_STATUS_IN_PROGRESS,
+ IWL_UMAC_SCAN_ABORT_STATUS_NOT_FOUND,
+};
+
/**
* struct iwl_umac_scan_complete
* @uid: scan id, &enum iwl_umac_scan_uid_offsets
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
index 1cc9c426bb159..3a9018595ea90 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
@@ -3313,13 +3313,23 @@ void iwl_mvm_rx_umac_scan_iter_complete_notif(struct iwl_mvm *mvm,
mvm->scan_start);
}
-static int iwl_mvm_umac_scan_abort(struct iwl_mvm *mvm, int type)
+static int iwl_mvm_umac_scan_abort(struct iwl_mvm *mvm, int type, bool *wait)
{
- struct iwl_umac_scan_abort cmd = {};
+ struct iwl_umac_scan_abort abort_cmd = {};
+ struct iwl_host_cmd cmd = {
+ .id = WIDE_ID(IWL_ALWAYS_LONG_GROUP, SCAN_ABORT_UMAC),
+ .len = { sizeof(abort_cmd), },
+ .data = { &abort_cmd, },
+ .flags = CMD_SEND_IN_RFKILL,
+ };
+
int uid, ret;
+ u32 status = IWL_UMAC_SCAN_ABORT_STATUS_NOT_FOUND;
lockdep_assert_held(&mvm->mutex);
+ *wait = true;
+
/* We should always get a valid index here, because we already
* checked that this type of scan was running in the generic
* code.
@@ -3328,17 +3338,28 @@ static int iwl_mvm_umac_scan_abort(struct iwl_mvm *mvm, int type)
if (WARN_ON_ONCE(uid < 0))
return uid;
- cmd.uid = cpu_to_le32(uid);
+ abort_cmd.uid = cpu_to_le32(uid);
IWL_DEBUG_SCAN(mvm, "Sending scan abort, uid %u\n", uid);
- ret = iwl_mvm_send_cmd_pdu(mvm,
- WIDE_ID(IWL_ALWAYS_LONG_GROUP, SCAN_ABORT_UMAC),
- CMD_SEND_IN_RFKILL, sizeof(cmd), &cmd);
+ ret = iwl_mvm_send_cmd_status(mvm, &cmd, &status);
+
+ IWL_DEBUG_SCAN(mvm, "Scan abort: ret=%d, status=%u\n", ret, status);
if (!ret)
mvm->scan_uid_status[uid] = type << IWL_MVM_SCAN_STOPPING_SHIFT;
- IWL_DEBUG_SCAN(mvm, "Scan abort: ret=%d\n", ret);
+ /* Handle the case that the FW is no longer familiar with the scan that
+ * is to be stopped. In such a case, it is expected that the scan
+ * complete notification was already received but not yet processed.
+ * In such a case, there is no need to wait for a scan complete
+ * notification and the flow should continue similar to the case that
+ * the scan was really aborted.
+ */
+ if (status == IWL_UMAC_SCAN_ABORT_STATUS_NOT_FOUND) {
+ mvm->scan_uid_status[uid] = type << IWL_MVM_SCAN_STOPPING_SHIFT;
+ *wait = false;
+ }
+
return ret;
}
@@ -3348,6 +3369,7 @@ static int iwl_mvm_scan_stop_wait(struct iwl_mvm *mvm, int type)
static const u16 scan_done_notif[] = { SCAN_COMPLETE_UMAC,
SCAN_OFFLOAD_COMPLETE, };
int ret;
+ bool wait = true;
lockdep_assert_held(&mvm->mutex);
@@ -3359,7 +3381,7 @@ static int iwl_mvm_scan_stop_wait(struct iwl_mvm *mvm, int type)
IWL_DEBUG_SCAN(mvm, "Preparing to stop scan, type %x\n", type);
if (fw_has_capa(&mvm->fw->ucode_capa, IWL_UCODE_TLV_CAPA_UMAC_SCAN))
- ret = iwl_mvm_umac_scan_abort(mvm, type);
+ ret = iwl_mvm_umac_scan_abort(mvm, type, &wait);
else
ret = iwl_mvm_lmac_scan_abort(mvm);
@@ -3367,6 +3389,10 @@ static int iwl_mvm_scan_stop_wait(struct iwl_mvm *mvm, int type)
IWL_DEBUG_SCAN(mvm, "couldn't stop scan type %d\n", type);
iwl_remove_notification(&mvm->notif_wait, &wait_scan_done);
return ret;
+ } else if (!wait) {
+ IWL_DEBUG_SCAN(mvm, "no need to wait for scan type %d\n", type);
+ iwl_remove_notification(&mvm->notif_wait, &wait_scan_done);
+ return 0;
}
return iwl_wait_notification(&mvm->notif_wait, &wait_scan_done,
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 011/244] wifi: iwlwifi: mvm: drop wrong STA selection in TX
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (3 preceding siblings ...)
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 010/244] wifi: iwlwifi: mvm: Fix a race in scan abort flow Sasha Levin
@ 2024-09-25 11:23 ` Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 012/244] wifi: cfg80211: Set correct chandef when starting CAC Sasha Levin
` (15 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:23 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johannes Berg, Miri Korenblit, Sasha Levin, kvalo,
gregory.greenman, emmanuel.grumbach, ilan.peer, shaul.triebitz,
benjamin.berg, linux-wireless
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 1c7e1068a7c9c39ed27636db93e71911e0045419 ]
This shouldn't happen at all, since in station mode all MMPDUs
go through the TXQ for the STA, and not this function. There
may or may not be a race in mac80211 through which this might
happen for some frames while a station is being added, but in
that case we can also just drop the frame and pretend the STA
didn't exist yet.
Also, the code is simply wrong since it uses deflink, and it's
not easy to fix it since the mvmvif->ap_sta pointer cannot be
used without the mutex, and perhaps the right link might not
even be known.
Just drop the frame at that point instead of trying to fix it
up.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240808232017.45ad105dc7fe.I6d45c82e5758395d9afb8854057ded03c7dc81d7@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index 625ccf566e1c2..1ebcc6417ecef 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -838,20 +838,10 @@ void iwl_mvm_mac_tx(struct ieee80211_hw *hw,
if (ieee80211_is_mgmt(hdr->frame_control))
sta = NULL;
- /* If there is no sta, and it's not offchannel - send through AP */
+ /* this shouldn't even happen: just drop */
if (!sta && info->control.vif->type == NL80211_IFTYPE_STATION &&
- !offchannel) {
- struct iwl_mvm_vif *mvmvif =
- iwl_mvm_vif_from_mac80211(info->control.vif);
- u8 ap_sta_id = READ_ONCE(mvmvif->deflink.ap_sta_id);
-
- if (ap_sta_id < mvm->fw->ucode_capa.num_stations) {
- /* mac80211 holds rcu read lock */
- sta = rcu_dereference(mvm->fw_id_to_mac_id[ap_sta_id]);
- if (IS_ERR_OR_NULL(sta))
- goto drop;
- }
- }
+ !offchannel)
+ goto drop;
if (tmp_sta && !sta && link_id != IEEE80211_LINK_UNSPECIFIED &&
!ieee80211_is_probe_resp(hdr->frame_control)) {
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 012/244] wifi: cfg80211: Set correct chandef when starting CAC
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (4 preceding siblings ...)
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 011/244] wifi: iwlwifi: mvm: drop wrong STA selection in TX Sasha Levin
@ 2024-09-25 11:23 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 024/244] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Sasha Levin
` (14 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:23 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Issam Hamdi, Kretschmer Mathias, Johannes Berg, Sasha Levin,
johannes, davem, edumazet, kuba, pabeni, linux-wireless, netdev
From: Issam Hamdi <ih@simonwunderlich.de>
[ Upstream commit 20361712880396e44ce80aaeec2d93d182035651 ]
When starting CAC in a mode other than AP mode, it return a
"WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]"
caused by the chandef.chan being null at the end of CAC.
Solution: Ensure the channel definition is set for the different modes
when starting CAC to avoid getting a NULL 'chan' at the end of CAC.
Call Trace:
? show_regs.part.0+0x14/0x16
? __warn+0x67/0xc0
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? report_bug+0xa7/0x130
? exc_overflow+0x30/0x30
? handle_bug+0x27/0x50
? exc_invalid_op+0x18/0x60
? handle_exception+0xf6/0xf6
? exc_overflow+0x30/0x30
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? exc_overflow+0x30/0x30
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? regulatory_propagate_dfs_state.cold+0x1b/0x4c [cfg80211]
? cfg80211_propagate_cac_done_wk+0x1a/0x30 [cfg80211]
? process_one_work+0x165/0x280
? worker_thread+0x120/0x3f0
? kthread+0xc2/0xf0
? process_one_work+0x280/0x280
? kthread_complete_and_exit+0x20/0x20
? ret_from_fork+0x19/0x24
Reported-by: Kretschmer Mathias <mathias.kretschmer@fit.fraunhofer.de>
Signed-off-by: Issam Hamdi <ih@simonwunderlich.de>
Link: https://patch.msgid.link/20240816142418.3381951-1-ih@simonwunderlich.de
[shorten subject, remove OCB, reorder cases to match previous list]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/nl80211.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 7397a372c78eb..b368e23847ddb 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10143,7 +10143,20 @@ static int nl80211_start_radar_detection(struct sk_buff *skb,
err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
if (!err) {
- wdev->links[0].ap.chandef = chandef;
+ switch (wdev->iftype) {
+ case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
+ wdev->links[0].ap.chandef = chandef;
+ break;
+ case NL80211_IFTYPE_ADHOC:
+ wdev->u.ibss.chandef = chandef;
+ break;
+ case NL80211_IFTYPE_MESH_POINT:
+ wdev->u.mesh.chandef = chandef;
+ break;
+ default:
+ break;
+ }
wdev->cac_started = true;
wdev->cac_start_time = jiffies;
wdev->cac_time_ms = cac_time_ms;
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 024/244] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (5 preceding siblings ...)
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 012/244] wifi: cfg80211: Set correct chandef when starting CAC Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 033/244] wifi: ath12k: fix array out-of-bound access in SoC stats Sasha Levin
` (13 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Felix Fietkau, Sasha Levin, lorenzo, ryder.lee, kvalo,
matthias.bgg, angelogioacchino.delregno, shayne.chen,
chui-hao.chiu, johannes.berg, meichia.chiu, quic_adisi, sean.wang,
linux-wireless, linux-arm-kernel, linux-mediatek
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit 256cbd26fbafb30ba3314339106e5c594e9bd5f9 ]
Avoids firmware race condition.
Link: https://patch.msgid.link/20240827093011.18621-7-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index 2185cd24e2e1c..2f4755820b3cd 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -690,13 +690,17 @@ int mt7915_mcu_add_tx_ba(struct mt7915_dev *dev,
{
struct mt7915_sta *msta = (struct mt7915_sta *)params->sta->drv_priv;
struct mt7915_vif *mvif = msta->vif;
+ int ret;
+ mt76_worker_disable(&dev->mt76.tx_worker);
if (enable && !params->amsdu)
msta->wcid.amsdu = false;
+ ret = mt76_connac_mcu_sta_ba(&dev->mt76, &mvif->mt76, params,
+ MCU_EXT_CMD(STA_REC_UPDATE),
+ enable, true);
+ mt76_worker_enable(&dev->mt76.tx_worker);
- return mt76_connac_mcu_sta_ba(&dev->mt76, &mvif->mt76, params,
- MCU_EXT_CMD(STA_REC_UPDATE),
- enable, true);
+ return ret;
}
int mt7915_mcu_add_rx_ba(struct mt7915_dev *dev,
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 033/244] wifi: ath12k: fix array out-of-bound access in SoC stats
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (6 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 024/244] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 034/244] wifi: ath11k: " Sasha Levin
` (12 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Karthikeyan Periyasamy, Kalle Valo, Sasha Levin, kvalo, jjohnson,
linux-wireless, ath12k
From: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
[ Upstream commit e106b7ad13c1d246adaa57df73edb8f8b8acb240 ]
Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process()
function access ath12k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To
fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240704070811.4186543-2-quic_periyasa@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/dp_rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index 14236d0a0c89d..91e3393f7b5f4 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -2681,7 +2681,7 @@ int ath12k_dp_rx_process(struct ath12k_base *ab, int ring_id,
if (push_reason !=
HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION) {
dev_kfree_skb_any(msdu);
- ab->soc_stats.hal_reo_error[dp->reo_dst_ring[ring_id].ring_id]++;
+ ab->soc_stats.hal_reo_error[ring_id]++;
continue;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 034/244] wifi: ath11k: fix array out-of-bound access in SoC stats
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (7 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 033/244] wifi: ath12k: fix array out-of-bound access in SoC stats Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 035/244] wifi: rtw88: select WANT_DEV_COREDUMP Sasha Levin
` (11 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Karthikeyan Periyasamy, Kalle Valo, Sasha Levin, kvalo, jjohnson,
linux-wireless, ath11k
From: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
[ Upstream commit 69f253e46af98af17e3efa3e5dfa72fcb7d1983d ]
Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx()
function access ath11k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To fix
this issue, modify ath11k_dp_process_rx() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240704070811.4186543-3-quic_periyasa@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 86485580dd895..c087d8a0f5b25 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2697,7 +2697,7 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id,
if (unlikely(push_reason !=
HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION)) {
dev_kfree_skb_any(msdu);
- ab->soc_stats.hal_reo_error[dp->reo_dst_ring[ring_id].ring_id]++;
+ ab->soc_stats.hal_reo_error[ring_id]++;
continue;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 035/244] wifi: rtw88: select WANT_DEV_COREDUMP
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (8 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 034/244] wifi: ath11k: " Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 039/244] wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure Sasha Levin
` (10 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zong-Zhe Yang, Ping-Ke Shih, Sasha Levin, kvalo, linux-wireless
From: Zong-Zhe Yang <kevin_yang@realtek.com>
[ Upstream commit 7e989b0c1e33210c07340bf5228aa83ea52515b5 ]
We have invoked device coredump when fw crash.
Should select WANT_DEV_COREDUMP by ourselves.
Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240718070616.42217-1-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/realtek/rtw88/Kconfig b/drivers/net/wireless/realtek/rtw88/Kconfig
index 22838ede03cd8..02b0d698413be 100644
--- a/drivers/net/wireless/realtek/rtw88/Kconfig
+++ b/drivers/net/wireless/realtek/rtw88/Kconfig
@@ -12,6 +12,7 @@ if RTW88
config RTW88_CORE
tristate
+ select WANT_DEV_COREDUMP
config RTW88_PCI
tristate
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 039/244] wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (9 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 035/244] wifi: rtw88: select WANT_DEV_COREDUMP Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 047/244] wifi: rtw89: correct base HT rate mask for firmware Sasha Levin
` (9 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ping-Ke Shih, Sasha Levin, kvalo, linux-wireless
From: Ping-Ke Shih <pkshih@realtek.com>
[ Upstream commit 80fb81bb46a57daedd5decbcc253ea48428a254e ]
For different firmware type, it could change IDMEM mode, so reset it to
default to avoid encountering error for RTL8851B/RTL8852B/RTL8852BT
if that kind of firmware was downloaded before.
rtw89_8851be 0000:02:00.0: Firmware version 0.29.41.3, cmd version 0, type 5
rtw89_8851be 0000:02:00.0: Firmware version 0.29.41.3, cmd version 0, type 3
rtw89_8851be 0000:02:00.0: MAC has already powered on
rtw89_8851be 0000:02:00.0: fw security fail
rtw89_8851be 0000:02:00.0: download firmware fail
rtw89_8851be 0000:02:00.0: [ERR]fwdl 0x1E0 = 0x62
rtw89_8851be 0000:02:00.0: [ERR]fwdl 0x83F2 = 0x8
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f51c
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f524
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f51c
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f500
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f51c
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f53c
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f520
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f520
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f508
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f534
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f520
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f534
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f508
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f53c
rtw89_8851be 0000:02:00.0: [ERR]fw PC = 0xb892f524
rtw89_8851be 0000:02:00.0: failed to setup chip information
rtw89_8851be: probe of 0000:02:00.0 failed with error -16
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240724052626.12774-4-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/mac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/mac.c b/drivers/net/wireless/realtek/rtw89/mac.c
index e2399796aeb1e..297b1d98d2561 100644
--- a/drivers/net/wireless/realtek/rtw89/mac.c
+++ b/drivers/net/wireless/realtek/rtw89/mac.c
@@ -3781,7 +3781,7 @@ static int rtw89_mac_enable_cpu_ax(struct rtw89_dev *rtwdev, u8 boot_reason,
rtw89_write32(rtwdev, R_AX_WCPU_FW_CTRL, val);
- if (rtwdev->chip->chip_id == RTL8852B)
+ if (rtw89_is_rtl885xb(rtwdev))
rtw89_write32_mask(rtwdev, R_AX_SEC_CTRL,
B_AX_SEC_IDMEM_SIZE_CONFIG_MASK, 0x2);
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 047/244] wifi: rtw89: correct base HT rate mask for firmware
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (10 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 039/244] wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 058/244] wifi: iwlwifi: mvm: use correct key iteration Sasha Levin
` (8 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Ping-Ke Shih, Sasha Levin, kvalo, linux-wireless
From: Ping-Ke Shih <pkshih@realtek.com>
[ Upstream commit 45742881f9eee2a4daeb6008e648a460dd3742cd ]
Coverity reported that u8 rx_mask << 24 will become signed 32 bits, which
casting to unsigned 64 bits will do sign extension. For example,
putting 0x80000000 (signed 32 bits) to a u64 variable will become
0xFFFFFFFF_80000000.
The real case we meet is:
rx_mask[0...3] = ff ff 00 00
ra_mask = 0xffffffff_ff0ff000
After this fix:
rx_mask[0...3] = ff ff 00 00
ra_mask = 0x00000000_ff0ff000
Fortunately driver does bitwise-AND with incorrect ra_mask and supported
rates (1ss and 2ss rate only) afterward, so the final rate mask of
original code is still correct.
Addresses-Coverity-ID: 1504762 ("Unintended sign extension")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240809072012.84152-5-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/phy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c
index ad11d1414874a..c038e5ca3e45a 100644
--- a/drivers/net/wireless/realtek/rtw89/phy.c
+++ b/drivers/net/wireless/realtek/rtw89/phy.c
@@ -353,8 +353,8 @@ static void rtw89_phy_ra_sta_update(struct rtw89_dev *rtwdev,
csi_mode = RTW89_RA_RPT_MODE_HT;
ra_mask |= ((u64)sta->deflink.ht_cap.mcs.rx_mask[3] << 48) |
((u64)sta->deflink.ht_cap.mcs.rx_mask[2] << 36) |
- (sta->deflink.ht_cap.mcs.rx_mask[1] << 24) |
- (sta->deflink.ht_cap.mcs.rx_mask[0] << 12);
+ ((u64)sta->deflink.ht_cap.mcs.rx_mask[1] << 24) |
+ ((u64)sta->deflink.ht_cap.mcs.rx_mask[0] << 12);
high_rate_masks = rtw89_ra_mask_ht_rates;
if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_RX_STBC)
stbc_en = 1;
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 058/244] wifi: iwlwifi: mvm: use correct key iteration
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (11 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 047/244] wifi: rtw89: correct base HT rate mask for firmware Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 059/244] wifi: iwlwifi: allow only CN mcc from WRDD Sasha Levin
` (7 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johannes Berg, Miri Korenblit, Sasha Levin, kvalo,
gregory.greenman, ilan.peer, emmanuel.grumbach, linux-wireless
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 4f1591d292277eec51d027405a92f0d4ef5e299e ]
In the cases changed here, key iteration isn't done from
an RCU critical section, but rather using the wiphy lock
as protection. Therefore, just use ieee80211_iter_keys().
The link switch case can therefore also use sync commands.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240729201718.69a2d18580c1.I2148e04d4b467d0b100beac8f7e449bfaaf775a5@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
index 8a38fc4b0b0f9..455f5f4175064 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
@@ -144,7 +144,7 @@ static void iwl_mvm_mld_update_sta_key(struct ieee80211_hw *hw,
if (sta != data->sta || key->link_id >= 0)
return;
- err = iwl_mvm_send_cmd_pdu(mvm, cmd_id, CMD_ASYNC, sizeof(cmd), &cmd);
+ err = iwl_mvm_send_cmd_pdu(mvm, cmd_id, 0, sizeof(cmd), &cmd);
if (err)
data->err = err;
@@ -162,8 +162,8 @@ int iwl_mvm_mld_update_sta_keys(struct iwl_mvm *mvm,
.new_sta_mask = new_sta_mask,
};
- ieee80211_iter_keys_rcu(mvm->hw, vif, iwl_mvm_mld_update_sta_key,
- &data);
+ ieee80211_iter_keys(mvm->hw, vif, iwl_mvm_mld_update_sta_key,
+ &data);
return data.err;
}
@@ -402,7 +402,7 @@ void iwl_mvm_sec_key_remove_ap(struct iwl_mvm *mvm,
if (!sec_key_ver)
return;
- ieee80211_iter_keys_rcu(mvm->hw, vif,
- iwl_mvm_sec_key_remove_ap_iter,
- (void *)(uintptr_t)link_id);
+ ieee80211_iter_keys(mvm->hw, vif,
+ iwl_mvm_sec_key_remove_ap_iter,
+ (void *)(uintptr_t)link_id);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 059/244] wifi: iwlwifi: allow only CN mcc from WRDD
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (12 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 058/244] wifi: iwlwifi: mvm: use correct key iteration Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 060/244] wifi: iwlwifi: mvm: avoid NULL pointer dereference Sasha Levin
` (6 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Anjaneyulu, Miri Korenblit, Johannes Berg, Sasha Levin, kvalo,
gregory.greenman, dan.carpenter, daniel.gabay, mukesh.sisodiya,
arnd, linux-wireless
From: Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
[ Upstream commit ff5aabe7c2a4a4b089a9ced0cb3d0e284963a7dd ]
Block other mcc expect CN from WRDD ACPI.
Signed-off-by: Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240808232017.fe6ea7aa4b39.I86004687a2963fe26f990770aca103e2f5cb1628@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 5 +++++
drivers/net/wireless/intel/iwlwifi/fw/regulatory.h | 2 ++
drivers/net/wireless/intel/iwlwifi/fw/uefi.c | 2 +-
drivers/net/wireless/intel/iwlwifi/fw/uefi.h | 2 --
4 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
index 8c8880b448270..a7cea0a55b35a 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
@@ -357,6 +357,11 @@ int iwl_acpi_get_mcc(struct iwl_fw_runtime *fwrt, char *mcc)
}
mcc_val = wifi_pkg->package.elements[1].integer.value;
+ if (mcc_val != BIOS_MCC_CHINA) {
+ ret = -EINVAL;
+ IWL_DEBUG_RADIO(fwrt, "ACPI WRDD is supported only for CN\n");
+ goto out_free;
+ }
mcc[0] = (mcc_val >> 8) & 0xff;
mcc[1] = mcc_val & 0xff;
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.h b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.h
index e2c056f483c1c..c5bd89e61d4a8 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/regulatory.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/regulatory.h
@@ -45,6 +45,8 @@
#define IWL_WTAS_ENABLE_IEC_MSK 0x4
#define IWL_WTAS_USA_UHB_MSK BIT(16)
+#define BIOS_MCC_CHINA 0x434e
+
/*
* The profile for revision 2 is a superset of revision 1, which is in
* turn a superset of revision 0. So we can store all revisions
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
index fb982d4fe8510..2cf878f237ac6 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/uefi.c
@@ -638,7 +638,7 @@ int iwl_uefi_get_mcc(struct iwl_fw_runtime *fwrt, char *mcc)
goto out;
}
- if (data->mcc != UEFI_MCC_CHINA) {
+ if (data->mcc != BIOS_MCC_CHINA) {
ret = -EINVAL;
IWL_DEBUG_RADIO(fwrt, "UEFI WRDD is supported only for CN\n");
goto out;
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/uefi.h b/drivers/net/wireless/intel/iwlwifi/fw/uefi.h
index 1f8884ca8997c..e0ef981cd8f28 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/uefi.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/uefi.h
@@ -149,8 +149,6 @@ struct uefi_cnv_var_splc {
u32 default_pwr_limit;
} __packed;
-#define UEFI_MCC_CHINA 0x434e
-
/* struct uefi_cnv_var_wrdd - WRDD table as defined in UEFI
* @revision: the revision of the table
* @mcc: country identifier as defined in ISO/IEC 3166-1 Alpha 2 code
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 060/244] wifi: iwlwifi: mvm: avoid NULL pointer dereference
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (13 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 059/244] wifi: iwlwifi: allow only CN mcc from WRDD Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 062/244] wifi: mac80211: fix RCU list iterations Sasha Levin
` (5 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Miri Korenblit, Johannes Berg, Sasha Levin, kvalo,
gregory.greenman, davem, edumazet, emmanuel.grumbach,
daniel.gabay, shaul.triebitz, linux-wireless
From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
[ Upstream commit 557a6cd847645e667f3b362560bd7e7c09aac284 ]
iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta
pointer is not NULL.
It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is
dereferencing the ieee80211_sta pointer.
If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL
pointer.
Fix this by checking the sta pointer before retrieving the mvmsta
from it. If sta is not NULL, then mvmsta isn't either.
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20240825191257.880921ce23b7.I340052d70ab6d3410724ce955eb00da10e08188f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 7ff5ea5e7aca5..db926b2f4d8d5 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1203,6 +1203,9 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
bool is_ampdu = false;
int hdrlen;
+ if (WARN_ON_ONCE(!sta))
+ return -1;
+
mvmsta = iwl_mvm_sta_from_mac80211(sta);
fc = hdr->frame_control;
hdrlen = ieee80211_hdrlen(fc);
@@ -1210,9 +1213,6 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
if (IWL_MVM_NON_TRANSMITTING_AP && ieee80211_is_probe_resp(fc))
return -1;
- if (WARN_ON_ONCE(!mvmsta))
- return -1;
-
if (WARN_ON_ONCE(mvmsta->deflink.sta_id == IWL_MVM_INVALID_STA))
return -1;
@@ -1343,7 +1343,7 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
struct ieee80211_sta *sta)
{
- struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+ struct iwl_mvm_sta *mvmsta;
struct ieee80211_tx_info info;
struct sk_buff_head mpdus_skbs;
struct ieee80211_vif *vif;
@@ -1352,9 +1352,11 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
struct sk_buff *orig_skb = skb;
const u8 *addr3;
- if (WARN_ON_ONCE(!mvmsta))
+ if (WARN_ON_ONCE(!sta))
return -1;
+ mvmsta = iwl_mvm_sta_from_mac80211(sta);
+
if (WARN_ON_ONCE(mvmsta->deflink.sta_id == IWL_MVM_INVALID_STA))
return -1;
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 062/244] wifi: mac80211: fix RCU list iterations
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (14 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 060/244] wifi: iwlwifi: mvm: avoid NULL pointer dereference Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 070/244] wifi: wilc1000: Do not operate uninitialized hardware during suspend/resume Sasha Levin
` (4 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Johannes Berg, Miriam Rachel Korenblit, Sasha Levin, johannes,
davem, edumazet, kuba, pabeni, linux-wireless, netdev
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit ac35180032fbc5d80b29af00ba4881815ceefcb6 ]
There are a number of places where RCU list iteration is
used, but that aren't (always) called with RCU held. Use
just list_for_each_entry() in most, and annotate iface
iteration with the required locks.
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240827094939.ed8ac0b2f897.I8443c9c3c0f8051841353491dae758021b53115e@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/chan.c | 4 +++-
net/mac80211/mlme.c | 2 +-
net/mac80211/scan.c | 2 +-
net/mac80211/util.c | 4 +++-
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index e8567723e94d5..b72e4036526bf 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -286,7 +286,9 @@ ieee80211_get_max_required_bw(struct ieee80211_link_data *link)
enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT;
struct sta_info *sta;
- list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+ lockdep_assert_wiphy(sdata->local->hw.wiphy);
+
+ list_for_each_entry(sta, &sdata->local->sta_list, list) {
if (sdata != sta->sdata &&
!(sta->sdata->bss && sta->sdata->bss == sdata->bss))
continue;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index f9526bbc36337..3a0433e088906 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1231,7 +1231,7 @@ static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
bool disable_mu_mimo = false;
struct ieee80211_sub_if_data *other;
- list_for_each_entry_rcu(other, &local->interfaces, list) {
+ list_for_each_entry(other, &local->interfaces, list) {
if (other->vif.bss_conf.mu_mimo_owner) {
disable_mu_mimo = true;
break;
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index b5f2df61c7f67..2dd84fc542b2a 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -504,7 +504,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
* the scan was in progress; if there was none this will
* just be a no-op for the particular interface.
*/
- list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ list_for_each_entry(sdata, &local->interfaces, list) {
if (ieee80211_sdata_running(sdata))
wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
}
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index c7ad9bc5973a0..aed72794d9fe3 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -751,7 +751,9 @@ static void __iterate_interfaces(struct ieee80211_local *local,
struct ieee80211_sub_if_data *sdata;
bool active_only = iter_flags & IEEE80211_IFACE_ITER_ACTIVE;
- list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ list_for_each_entry_rcu(sdata, &local->interfaces, list,
+ lockdep_is_held(&local->iflist_mtx) ||
+ lockdep_is_held(&local->hw.wiphy->mtx)) {
switch (sdata->vif.type) {
case NL80211_IFTYPE_MONITOR:
if (!(sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE))
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 070/244] wifi: wilc1000: Do not operate uninitialized hardware during suspend/resume
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (15 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 062/244] wifi: mac80211: fix RCU list iterations Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 076/244] wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Sasha Levin
` (3 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Marek Vasut, Alexis Lothoré, Kalle Valo, Sasha Levin,
ajay.kathat, claudiu.beznea, linux-wireless
From: Marek Vasut <marex@denx.de>
[ Upstream commit b0dc7018477e8fbb7e40c908c29cf663d06b17a7 ]
In case the hardware is not initialized, do not operate it during
suspend/resume cycle, the hardware is already off so there is no
reason to access it.
In fact, wilc_sdio_enable_interrupt() in the resume callback does
interfere with the same call when initializing the hardware after
resume and makes such initialization after resume fail. Fix this
by not operating uninitialized hardware during suspend/resume.
Signed-off-by: Marek Vasut <marex@denx.de>
Reviewed-by: Alexis Lothoré <alexis.lothore@bootlin.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240821183639.163187-1-marex@denx.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/microchip/wilc1000/sdio.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/microchip/wilc1000/sdio.c b/drivers/net/wireless/microchip/wilc1000/sdio.c
index 0043f7a0fdf97..7999aeb76901f 100644
--- a/drivers/net/wireless/microchip/wilc1000/sdio.c
+++ b/drivers/net/wireless/microchip/wilc1000/sdio.c
@@ -977,6 +977,9 @@ static int wilc_sdio_suspend(struct device *dev)
dev_info(dev, "sdio suspend\n");
+ if (!wilc->initialized)
+ return 0;
+
if (!IS_ERR(wilc->rtc_clk))
clk_disable_unprepare(wilc->rtc_clk);
@@ -999,6 +1002,10 @@ static int wilc_sdio_resume(struct device *dev)
struct wilc *wilc = sdio_get_drvdata(func);
dev_info(dev, "sdio resume\n");
+
+ if (!wilc->initialized)
+ return 0;
+
wilc_sdio_init(wilc, true);
wilc_sdio_enable_interrupt(wilc);
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 076/244] wifi: rtw89: avoid reading out of bounds when loading TX power FW elements
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (16 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 070/244] wifi: wilc1000: Do not operate uninitialized hardware during suspend/resume Sasha Levin
@ 2024-09-25 11:24 ` Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 082/244] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Sasha Levin
` (2 subsequent siblings)
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:24 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zong-Zhe Yang, Ping-Ke Shih, Sasha Levin, kvalo, linux-wireless
From: Zong-Zhe Yang <kevin_yang@realtek.com>
[ Upstream commit ed2e4bb17a4884cf29c3347353d8aabb7265b46c ]
Because the loop-expression will do one more time before getting false from
cond-expression, the original code copied one more entry size beyond valid
region.
Fix it by moving the entry copy to loop-body.
Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240902015803.20420-1-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/core.h | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw89/core.h b/drivers/net/wireless/realtek/rtw89/core.h
index 11fa003a9788c..a7ec7eed83812 100644
--- a/drivers/net/wireless/realtek/rtw89/core.h
+++ b/drivers/net/wireless/realtek/rtw89/core.h
@@ -3909,16 +3909,22 @@ struct rtw89_txpwr_conf {
const void *data;
};
+static inline bool rtw89_txpwr_entcpy(void *entry, const void *cursor, u8 size,
+ const struct rtw89_txpwr_conf *conf)
+{
+ u8 valid_size = min(size, conf->ent_sz);
+
+ memcpy(entry, cursor, valid_size);
+ return true;
+}
+
#define rtw89_txpwr_conf_valid(conf) (!!(conf)->data)
#define rtw89_for_each_in_txpwr_conf(entry, cursor, conf) \
- for (typecheck(const void *, cursor), (cursor) = (conf)->data, \
- memcpy(&(entry), cursor, \
- min_t(u8, sizeof(entry), (conf)->ent_sz)); \
+ for (typecheck(const void *, cursor), (cursor) = (conf)->data; \
(cursor) < (conf)->data + (conf)->num_ents * (conf)->ent_sz; \
- (cursor) += (conf)->ent_sz, \
- memcpy(&(entry), cursor, \
- min_t(u8, sizeof(entry), (conf)->ent_sz)))
+ (cursor) += (conf)->ent_sz) \
+ if (rtw89_txpwr_entcpy(&(entry), cursor, sizeof(entry), conf))
struct rtw89_txpwr_byrate_data {
struct rtw89_txpwr_conf conf;
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 082/244] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (17 preceding siblings ...)
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 076/244] wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Sasha Levin
@ 2024-09-25 11:25 ` Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 083/244] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 085/244] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Sasha Levin
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Benjamin Lin, Felix Fietkau, Sasha Levin, lorenzo, ryder.lee,
kvalo, matthias.bgg, angelogioacchino.delregno, shayne.chen,
chui-hao.chiu, howard-yh.hsu, ruanjinjie, greearb, dmantipov,
StanleyYP.Wang, meichia.chiu, linux-wireless, linux-arm-kernel,
linux-mediatek
From: Benjamin Lin <benjamin-jw.lin@mediatek.com>
[ Upstream commit f2cc859149240d910fdc6405717673e0b84bfda8 ]
Currently, CONNAC2 series do not support encryption for fragmented Tx frames.
Therefore, add dummy function mt7915_set_frag_threshold() to prevent SW
IEEE 802.11 fragmentation.
Signed-off-by: Benjamin Lin <benjamin-jw.lin@mediatek.com>
Link: https://patch.msgid.link/20240827093011.18621-16-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
index a978f434dc5e6..511e0d04eb955 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
@@ -398,6 +398,7 @@ mt7915_init_wiphy(struct mt7915_phy *phy)
ieee80211_hw_set(hw, SUPPORTS_RX_DECAP_OFFLOAD);
ieee80211_hw_set(hw, SUPPORTS_MULTI_BSSID);
ieee80211_hw_set(hw, WANT_MONITOR_VIF);
+ ieee80211_hw_set(hw, SUPPORTS_TX_FRAG);
hw->max_tx_fragments = 4;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index 049223df9beb1..0da1807ad8f7d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -1578,6 +1578,12 @@ mt7915_twt_teardown_request(struct ieee80211_hw *hw,
mutex_unlock(&dev->mt76.mutex);
}
+static int
+mt7915_set_frag_threshold(struct ieee80211_hw *hw, u32 val)
+{
+ return 0;
+}
+
static int
mt7915_set_radar_background(struct ieee80211_hw *hw,
struct cfg80211_chan_def *chandef)
@@ -1708,6 +1714,7 @@ const struct ieee80211_ops mt7915_ops = {
.sta_set_decap_offload = mt7915_sta_set_decap_offload,
.add_twt_setup = mt7915_mac_add_twt_setup,
.twt_teardown_request = mt7915_twt_teardown_request,
+ .set_frag_threshold = mt7915_set_frag_threshold,
CFG80211_TESTMODE_CMD(mt76_testmode_cmd)
CFG80211_TESTMODE_DUMP(mt76_testmode_dump)
#ifdef CONFIG_MAC80211_DEBUGFS
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 083/244] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (18 preceding siblings ...)
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 082/244] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Sasha Levin
@ 2024-09-25 11:25 ` Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 085/244] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Sasha Levin
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Felix Fietkau, Sasha Levin, lorenzo, ryder.lee, kvalo,
matthias.bgg, angelogioacchino.delregno, shayne.chen, henry.yen,
allen.ye, yunchuan, Bo.Jiao, linux-wireless, linux-arm-kernel,
linux-mediatek
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit 8f7152f10cb434f954aeff85ca1be9cd4d01912b ]
Prevent racing against other functions disabling the same worker
Link: https://patch.msgid.link/20240827093011.18621-17-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index 8008ce3fa6c7e..387d47e9fcd38 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -1537,12 +1537,14 @@ void mt7915_mac_reset_work(struct work_struct *work)
set_bit(MT76_RESET, &phy2->mt76->state);
cancel_delayed_work_sync(&phy2->mt76->mac_work);
}
+
+ mutex_lock(&dev->mt76.mutex);
+
mt76_worker_disable(&dev->mt76.tx_worker);
mt76_for_each_q_rx(&dev->mt76, i)
napi_disable(&dev->mt76.napi[i]);
napi_disable(&dev->mt76.tx_napi);
- mutex_lock(&dev->mt76.mutex);
if (mtk_wed_device_active(&dev->mt76.mmio.wed))
mtk_wed_device_stop(&dev->mt76.mmio.wed);
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
* [PATCH AUTOSEL 6.11 085/244] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()
[not found] <20240925113641.1297102-1-sashal@kernel.org>
` (19 preceding siblings ...)
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 083/244] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Sasha Levin
@ 2024-09-25 11:25 ` Sasha Levin
20 siblings, 0 replies; 21+ messages in thread
From: Sasha Levin @ 2024-09-25 11:25 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Gustavo A. R. Silva, Andy Shevchenko, Brian Norris, Kalle Valo,
Sasha Levin, francesco.dolcini, kees, yu-hao.lin, dmantipov,
linux-wireless
From: "Gustavo A. R. Silva" <gustavoars@kernel.org>
[ Upstream commit 498365e52bebcbc36a93279fe7e9d6aec8479cee ]
Replace one-element array with a flexible-array member in
`struct host_cmd_ds_802_11_scan_ext`.
With this, fix the following warning:
elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------
elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)
elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Closes: https://lore.kernel.org/linux-hardening/ZsZNgfnEwOcPdCly@black.fi.intel.com/
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/ZsZa5xRcsLq9D+RX@elsanto
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
drivers/net/wireless/marvell/mwifiex/scan.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
index 3adc447b715f6..5b072120e3f21 100644
--- a/drivers/net/wireless/marvell/mwifiex/fw.h
+++ b/drivers/net/wireless/marvell/mwifiex/fw.h
@@ -1587,7 +1587,7 @@ struct host_cmd_ds_802_11_scan_rsp {
struct host_cmd_ds_802_11_scan_ext {
u32 reserved;
- u8 tlv_buffer[1];
+ u8 tlv_buffer[];
} __packed;
struct mwifiex_ie_types_bss_mode {
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 0326b121747cb..17ce84f5207e3 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -2530,8 +2530,7 @@ int mwifiex_ret_802_11_scan_ext(struct mwifiex_private *priv,
ext_scan_resp = &resp->params.ext_scan;
tlv = (void *)ext_scan_resp->tlv_buffer;
- buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN
- - 1);
+ buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN);
while (buf_left >= sizeof(struct mwifiex_ie_types_header)) {
type = le16_to_cpu(tlv->type);
--
2.43.0
^ permalink raw reply related [flat|nested] 21+ messages in thread
end of thread, other threads:[~2024-09-25 11:40 UTC | newest]
Thread overview: 21+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <20240925113641.1297102-1-sashal@kernel.org>
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 002/244] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 003/244] wifi: rtw89: avoid to add interface to list twice when SER Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 004/244] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 010/244] wifi: iwlwifi: mvm: Fix a race in scan abort flow Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 011/244] wifi: iwlwifi: mvm: drop wrong STA selection in TX Sasha Levin
2024-09-25 11:23 ` [PATCH AUTOSEL 6.11 012/244] wifi: cfg80211: Set correct chandef when starting CAC Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 024/244] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 033/244] wifi: ath12k: fix array out-of-bound access in SoC stats Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 034/244] wifi: ath11k: " Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 035/244] wifi: rtw88: select WANT_DEV_COREDUMP Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 039/244] wifi: rtw89: 885xb: reset IDMEM mode to prevent download firmware failure Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 047/244] wifi: rtw89: correct base HT rate mask for firmware Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 058/244] wifi: iwlwifi: mvm: use correct key iteration Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 059/244] wifi: iwlwifi: allow only CN mcc from WRDD Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 060/244] wifi: iwlwifi: mvm: avoid NULL pointer dereference Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 062/244] wifi: mac80211: fix RCU list iterations Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 070/244] wifi: wilc1000: Do not operate uninitialized hardware during suspend/resume Sasha Levin
2024-09-25 11:24 ` [PATCH AUTOSEL 6.11 076/244] wifi: rtw89: avoid reading out of bounds when loading TX power FW elements Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 082/244] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 083/244] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Sasha Levin
2024-09-25 11:25 ` [PATCH AUTOSEL 6.11 085/244] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).