* Re: [PATCH v6 00/16] firmware: qcom: Add OP-TEE PAS service support
From: Sumit Garg @ 2026-05-22 7:43 UTC (permalink / raw)
To: Jeff Johnson
Cc: andersson, linux-arm-msm, devicetree, dri-devel, freedreno,
linux-media, netdev, linux-wireless, ath12k, linux-remoteproc,
konradybcio, robh, krzk+dt, conor+dt, robin.clark, sean, akhilpo,
lumag, abhinav.kumar, jesszhan0024, marijn.suijten, airlied,
simona, vikash.garodia, dikshita.agarwal, bod, mchehab, elder,
andrew+netdev, davem, edumazet, kuba, pabeni, jjohnson,
mathieu.poirier, trilokkumar.soni, mukesh.ojha, pavan.kondeti,
jorge.ramirez, tonyh, vignesh.viswanathan, srinivas.kandagatla,
amirreza.zarrabi, jens.wiklander, op-tee, apurupa, skare,
linux-kernel, Sumit Garg
In-Reply-To: <bc3eb187-d0a4-40ce-b72c-1724b33e28ea@oss.qualcomm.com>
On Wed, May 20, 2026 at 09:27:05AM -0700, Jeff Johnson wrote:
> On 5/18/2026 12:28 AM, Sumit Garg wrote:
> > From: Sumit Garg <sumit.garg@oss.qualcomm.com>
> >
> > Qcom platforms has the legacy of using non-standard SCM calls
> > splintered over the various kernel drivers. These SCM calls aren't
> > compliant with the standard SMC calling conventions which is a
> > prerequisite to enable migration to the FF-A specifications from Arm.
> >
> > OP-TEE as an alternative trusted OS to Qualcomm TEE (QTEE) can't
> > support these non-standard SCM calls. And even for newer architectures
> > using S-EL2 with Hafnium support, QTEE won't be able to support SCM
> > calls either with FF-A requirements coming in. And with both OP-TEE
> > and QTEE drivers well integrated in the TEE subsystem, it makes further
> > sense to reuse the TEE bus client drivers infrastructure.
> >
> > The added benefit of TEE bus infrastructure is that there is support
> > for discoverable/enumerable services. With that client drivers don't
> > have to manually invoke a special SCM call to know the service status.
> >
> > So enable the generic Peripheral Authentication Service (PAS) provided
> > by the firmware. It acts as the common layer with different TZ
> > backends plugged in whether it's an SCM implementation or a proper
> > TEE bus based PAS service implementation.
> >
> > The TEE PAS service ABI is designed to be extensible with additional API
> > as PTA_QCOM_PAS_CAPABILITIES. This allows to accommodate any future
> > extensions of the PAS service needed while still maintaining backwards
> > compatibility.
> >
> > Currently OP-TEE support is being added to provide the backend PAS
> > service implementation which can be found as part of this PR [1].
> > This implementation has been tested on Kodiak/RB3Gen2 board with lemans
> > EVK board being the next target. In addition to that WIN/IPQ targets
> > planning to use OP-TEE will use this service too. Surely the backwards
> > compatibility is maintained and tested for SCM backend.
> >
> > Note that kernel PAS service support while running in EL2 is at parity
> > among OP-TEE vs QTEE. Especially the media (venus/iris) support depends
> > on proper IOMMU support being worked out on the PAS client end.
> >
> > Patch summary:
> > - Patch #1: adds Kodiak EL2 overlay since boot stack with TF-A/OP-TEE
> > only allow UEFI and Linux to boot in EL2.
> > - Patch #2: adds generic PAS service.
> > - Patch #3: migrates SCM backend to generic PAS service.
> > - Patch #4: adds TEE/OP-TEE backend for generic PAS service.
> > - Patch #5-#14: migrates all client drivers to generic PAS service.
> > - Patch #15: drops legacy PAS SCM exported APIs.
> >
> > The patch-set is based on v7.1-rc4 tag and can be found in git tree here
> > [2].
> >
> > Merge strategy:
> >
> > It is expected due to APIs dependency, the entire patch-set to go via
> > the Qcom tree. All other subsystem maintainers, it will be great if I
> > can get acks for the corresponding subsystem patches.
> >
> > [1] https://github.com/OP-TEE/optee_os/pull/7721 (already merged)
> > [2] https://git.kernel.org/pub/scm/linux/kernel/git/sumit.garg/linux.git/log/?h=qcom-pas-v6
> >
> > ---
> > Changes in v6:
> > - Rebased to v7.1-rc4 tag.
> > - Patch #14: fixed ret error print.
> > - Add Kconfig descriptions for PAS symbols such that they are visible
> > in menuconfig to update.
> >
> > Changes in v5:
> > - Incorporated misc. comments from Mukesh.
> > - Split up patch #11 into 2 to add an independent commit for passing
> > proper PAS ID to set_remote_state API.
> > - Picked up tags.
> >
> > Changes in v4:
> > - Incorporate misc. comments on patch #4.
> > - Picked up an ack for patch #10.
> > - Clarify in cover letter about state of media support.
> >
> > Changes in v3:
> > - Incorporated some style and misc. comments for patch #2, #3 and #4.
> > - Add QCOM_PAS Kconfig dependency for various subsystems.
> > - Switch from pseudo TA to proper TA invoke commands.
> >
> > Changes in v2:
> > - Fixed kernel doc warnings.
> > - Polish commit message and comments for patch #2.
> > - Pass proper PAS ID in set_remote_state API for media firmware drivers.
> > - Added Maintainer entry and dropped MODULE_AUTHOR.
> >
> > Mukesh Ojha (1):
> > arm64: dts: qcom: kodiak: Add EL2 overlay
> >
> > Sumit Garg (15):
> > firmware: qcom: Add a generic PAS service
> > firmware: qcom_scm: Migrate to generic PAS service
> > firmware: qcom: Add a PAS TEE service
> > remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs
> > remoteproc: qcom_q6v5_mss: Switch to generic PAS TZ APIs
> > soc: qcom: mdtloader: Switch to generic PAS TZ APIs
> > remoteproc: qcom_wcnss: Switch to generic PAS TZ APIs
> > remoteproc: qcom: Select QCOM_PAS generic service
> > drm/msm: Switch to generic PAS TZ APIs
> > media: qcom: Switch to generic PAS TZ APIs
> > media: qcom: Pass proper PAS ID to set_remote_state API
> > net: ipa: Switch to generic PAS TZ APIs
> > wifi: ath12k: Switch to generic PAS TZ APIs
> > firmware: qcom_scm: Remove SCM PAS wrappers
> > MAINTAINERS: Add maintainer entry for Qualcomm PAS TZ service
> >
> > MAINTAINERS | 9 +
> > arch/arm64/boot/dts/qcom/Makefile | 2 +
> > arch/arm64/boot/dts/qcom/kodiak-el2.dtso | 35 ++
> > drivers/firmware/qcom/Kconfig | 21 +-
> > drivers/firmware/qcom/Makefile | 2 +
> > drivers/firmware/qcom/qcom_pas.c | 291 +++++++++++
> > drivers/firmware/qcom/qcom_pas.h | 50 ++
> > drivers/firmware/qcom/qcom_pas_tee.c | 476 ++++++++++++++++++
> > drivers/firmware/qcom/qcom_scm.c | 302 ++++-------
> > drivers/gpu/drm/msm/Kconfig | 1 +
> > drivers/gpu/drm/msm/adreno/a5xx_gpu.c | 4 +-
> > drivers/gpu/drm/msm/adreno/adreno_gpu.c | 11 +-
> > drivers/media/platform/qcom/iris/Kconfig | 25 +-
> > .../media/platform/qcom/iris/iris_firmware.c | 9 +-
> > drivers/media/platform/qcom/venus/Kconfig | 1 +
> > drivers/media/platform/qcom/venus/firmware.c | 11 +-
> > drivers/net/ipa/Kconfig | 2 +-
> > drivers/net/ipa/ipa_main.c | 13 +-
> > drivers/net/wireless/ath/ath12k/Kconfig | 2 +-
> > drivers/net/wireless/ath/ath12k/ahb.c | 10 +-
> > drivers/remoteproc/Kconfig | 4 +-
> > drivers/remoteproc/qcom_q6v5_mss.c | 5 +-
> > drivers/remoteproc/qcom_q6v5_pas.c | 51 +-
> > drivers/remoteproc/qcom_wcnss.c | 12 +-
> > drivers/soc/qcom/mdt_loader.c | 12 +-
> > include/linux/firmware/qcom/qcom_pas.h | 43 ++
> > include/linux/firmware/qcom/qcom_scm.h | 29 --
> > include/linux/soc/qcom/mdt_loader.h | 6 +-
> > 28 files changed, 1119 insertions(+), 320 deletions(-)
> > create mode 100644 arch/arm64/boot/dts/qcom/kodiak-el2.dtso
> > create mode 100644 drivers/firmware/qcom/qcom_pas.c
> > create mode 100644 drivers/firmware/qcom/qcom_pas.h
> > create mode 100644 drivers/firmware/qcom/qcom_pas_tee.c
> > create mode 100644 include/linux/firmware/qcom/qcom_pas.h
> >
>
> In my automation I do bisection builds and it fails when I bisect.
Thanks for this report. It's really rather a directly dependency of
qcom_q6v5_pas on mdt_loader. Switching them individually is causing this
git bisection problem. I don't see any other way to fix this apart from
mergging patch 5/16 and 7/16. Will do that for v7.
>
> At "remoteproc: qcom_q6v5_mss: Switch to generic PAS TZ APIs":
>
> ../drivers/remoteproc/qcom_q6v5_pas.c: In function 'qcom_pas_load':
> ../drivers/remoteproc/qcom_q6v5_pas.c:244:44: error: passing argument 1 of 'qcom_mdt_pas_load' from incompatible pointer type [-Wincompatible-pointer-types]
> 244 | ret = qcom_mdt_pas_load(pas->dtb_pas_ctx, pas->dtb_firmware,
> | ~~~^~~~~~~~~~~~~
> | |
> | struct qcom_pas_context *
> In file included from ../drivers/remoteproc/qcom_q6v5_pas.c:27:
> ../include/linux/soc/qcom/mdt_loader.h:23:52: note: expected 'struct qcom_scm_pas_context *' but argument is of type 'struct qcom_pas_context *'
> 23 | int qcom_mdt_pas_load(struct qcom_scm_pas_context *ctx, const struct firmware *fw,
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
> ../drivers/remoteproc/qcom_q6v5_pas.c: In function 'qcom_pas_start':
> ../drivers/remoteproc/qcom_q6v5_pas.c:322:36: error: passing argument 1 of 'qcom_mdt_pas_load' from incompatible pointer type [-Wincompatible-pointer-types]
> 322 | ret = qcom_mdt_pas_load(pas->pas_ctx, pas->firmware, rproc->firmware,
> | ~~~^~~~~~~~~
> | |
> | struct qcom_pas_context *
> ../include/linux/soc/qcom/mdt_loader.h:23:52: note: expected 'struct qcom_scm_pas_context *' but argument is of type 'struct qcom_pas_context *'
> 23 | int qcom_mdt_pas_load(struct qcom_scm_pas_context *ctx, const struct firmware *fw,
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
> make[5]: *** [../scripts/Makefile.build:289: drivers/remoteproc/qcom_q6v5_pas.o] Error 1
>
>
> At "remoteproc: qcom_q6v5_pas: Switch over to generic PAS TZ APIs":
>
> ../drivers/remoteproc/qcom_q6v5_pas.c: In function 'qcom_pas_load':
> ../drivers/remoteproc/qcom_q6v5_pas.c:244:44: error: passing argument 1 of 'qcom_mdt_pas_load' from incompatible pointer type [-Wincompatible-pointer-types]
> 244 | ret = qcom_mdt_pas_load(pas->dtb_pas_ctx, pas->dtb_firmware,
> | ~~~^~~~~~~~~~~~~
> | |
> | struct qcom_pas_context *
> In file included from ../drivers/remoteproc/qcom_q6v5_pas.c:27:
> ../include/linux/soc/qcom/mdt_loader.h:23:52: note: expected 'struct qcom_scm_pas_context *' but argument is of type 'struct qcom_pas_context *'
> 23 | int qcom_mdt_pas_load(struct qcom_scm_pas_context *ctx, const struct firmware *fw,
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
> ../drivers/remoteproc/qcom_q6v5_pas.c: In function 'qcom_pas_start':
> ../drivers/remoteproc/qcom_q6v5_pas.c:322:36: error: passing argument 1 of 'qcom_mdt_pas_load' from incompatible pointer type [-Wincompatible-pointer-types]
> 322 | ret = qcom_mdt_pas_load(pas->pas_ctx, pas->firmware, rproc->firmware,
> | ~~~^~~~~~~~~
> | |
> | struct qcom_pas_context *
> ../include/linux/soc/qcom/mdt_loader.h:23:52: note: expected 'struct qcom_scm_pas_context *' but argument is of type 'struct qcom_pas_context *'
> 23 | int qcom_mdt_pas_load(struct qcom_scm_pas_context *ctx, const struct firmware *fw,
> | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~
> make[5]: *** [../scripts/Makefile.build:289: drivers/remoteproc/qcom_q6v5_pas.o] Error 1
>
>
> This is because the 5/16 patch depends upon changes in the 7/16 patch.
It is rather because of direct dependency of 5/16 on 7/16, I will merge
them both.
-Sumit
^ permalink raw reply
* Re: [PATCH v6 11/16] media: qcom: Switch to generic PAS TZ APIs
From: Sumit Garg @ 2026-05-22 7:25 UTC (permalink / raw)
To: Vikash Garodia
Cc: andersson, linux-arm-msm, devicetree, dri-devel, freedreno,
linux-media, netdev, linux-wireless, ath12k, linux-remoteproc,
konradybcio, robh, krzk+dt, conor+dt, robin.clark, sean, akhilpo,
lumag, abhinav.kumar, jesszhan0024, marijn.suijten, airlied,
simona, dikshita.agarwal, bod, mchehab, elder, andrew+netdev,
davem, edumazet, kuba, pabeni, jjohnson, mathieu.poirier,
trilokkumar.soni, mukesh.ojha, pavan.kondeti, jorge.ramirez,
tonyh, vignesh.viswanathan, srinivas.kandagatla, amirreza.zarrabi,
jens.wiklander, op-tee, apurupa, skare, linux-kernel, Sumit Garg,
pgujjula
In-Reply-To: <07cdbd20-f0c5-4be5-878a-ef23dc633767@oss.qualcomm.com>
Hi Vikash,
On Thu, May 21, 2026 at 12:10:41PM +0530, Vikash Garodia wrote:
>
> On 5/18/2026 12:58 PM, Sumit Garg wrote:
> > diff --git a/drivers/media/platform/qcom/iris/iris_firmware.c b/drivers/media/platform/qcom/iris/iris_firmware.c
> > index 5f408024e967..b3c5281aea91 100644
> > --- a/drivers/media/platform/qcom/iris/iris_firmware.c
> > +++ b/drivers/media/platform/qcom/iris/iris_firmware.c
> > @@ -4,6 +4,7 @@
> > */
> > #include <linux/firmware.h>
> > +#include <linux/firmware/qcom/qcom_pas.h>
> > #include <linux/firmware/qcom/qcom_scm.h>
> > #include <linux/of_address.h>
> > #include <linux/of_reserved_mem.h>
> > @@ -79,7 +80,7 @@ int iris_fw_load(struct iris_core *core)
> > return -ENOMEM;
> > }
> > - ret = qcom_scm_pas_auth_and_reset(core->iris_platform_data->pas_id);
> > + ret = qcom_pas_auth_and_reset(core->iris_platform_data->pas_id);
> > if (ret) {
> > dev_err(core->dev, "auth and reset failed: %d\n", ret);
> > return ret;
> > @@ -93,7 +94,7 @@ int iris_fw_load(struct iris_core *core)
> > cp_config->cp_nonpixel_size);
> > if (ret) {
> > dev_err(core->dev, "qcom_scm_mem_protect_video_var failed: %d\n", ret);
> > - qcom_scm_pas_shutdown(core->iris_platform_data->pas_id);
> > + qcom_pas_shutdown(core->iris_platform_data->pas_id);
> > return ret;
> > }
> > }
> > @@ -103,10 +104,10 @@ int iris_fw_load(struct iris_core *core)
> > int iris_fw_unload(struct iris_core *core)
> > {
> > - return qcom_scm_pas_shutdown(core->iris_platform_data->pas_id);
> > + return qcom_pas_shutdown(core->iris_platform_data->pas_id);
> > }
> > int iris_set_hw_state(struct iris_core *core, bool resume)
> > {
> > - return qcom_scm_set_remote_state(resume, 0);
> > + return qcom_pas_set_remote_state(resume, 0);
> > }
> > diff --git a/drivers/media/platform/qcom/venus/Kconfig b/drivers/media/platform/qcom/venus/Kconfig
> > index 63ee8c78dc6d..7997b8aa427a 100644
> > --- a/drivers/media/platform/qcom/venus/Kconfig
> > +++ b/drivers/media/platform/qcom/venus/Kconfig
> > @@ -6,6 +6,7 @@ config VIDEO_QCOM_VENUS
> > select OF_DYNAMIC if ARCH_QCOM
> > select QCOM_MDT_LOADER
> > select QCOM_SCM
> > + select QCOM_PAS
> > select VIDEOBUF2_DMA_CONTIG
> > select V4L2_MEM2MEM_DEV
> > help
> > diff --git a/drivers/media/platform/qcom/venus/firmware.c b/drivers/media/platform/qcom/venus/firmware.c
> > index 1de7436713ed..3a38ff985822 100644
> > --- a/drivers/media/platform/qcom/venus/firmware.c
> > +++ b/drivers/media/platform/qcom/venus/firmware.c
> > @@ -12,6 +12,7 @@
> > #include <linux/of_reserved_mem.h>
> > #include <linux/platform_device.h>
> > #include <linux/of_device.h>
> > +#include <linux/firmware/qcom/qcom_pas.h>
> > #include <linux/firmware/qcom/qcom_scm.h>
> > #include <linux/sizes.h>
> > #include <linux/soc/qcom/mdt_loader.h>
> > @@ -58,7 +59,7 @@ int venus_set_hw_state(struct venus_core *core, bool resume)
> > int ret;
> > if (core->use_tz) {
> > - ret = qcom_scm_set_remote_state(resume, 0);
> > + ret = qcom_pas_set_remote_state(resume, 0);
> > if (resume && ret == -EINVAL)
> > ret = 0;
> > return ret;
> > @@ -218,7 +219,7 @@ int venus_boot(struct venus_core *core)
> > int ret;
> > if (!IS_ENABLED(CONFIG_QCOM_MDT_LOADER) ||
> > - (core->use_tz && !qcom_scm_is_available()))
> > + (core->use_tz && !qcom_pas_is_available()))
> > return -EPROBE_DEFER;
> > ret = of_property_read_string_index(dev->of_node, "firmware-name", 0,
> > @@ -236,7 +237,7 @@ int venus_boot(struct venus_core *core)
> > core->fw.mem_phys = mem_phys;
> > if (core->use_tz)
> > - ret = qcom_scm_pas_auth_and_reset(VENUS_PAS_ID);
> > + ret = qcom_pas_auth_and_reset(VENUS_PAS_ID);
> > else
> > ret = venus_boot_no_tz(core, mem_phys, mem_size);
> > @@ -259,7 +260,7 @@ int venus_boot(struct venus_core *core)
> > res->cp_nonpixel_start,
> > res->cp_nonpixel_size);
> > if (ret) {
> > - qcom_scm_pas_shutdown(VENUS_PAS_ID);
> > + qcom_pas_shutdown(VENUS_PAS_ID);
> > dev_err(dev, "set virtual address ranges fail (%d)\n",
> > ret);
> > return ret;
>
>
> API "qcom_scm_mem_protect_video_var() would also need this migration, any
> reason not to consider that ?
This SCM call is very specific to the media subsystem and don't align
with the generic PAS APIs. I rather think these kind of special SMCs can
rather be treated as SiP calls supported in TF-A but we have to analyze
if we even need these SCM calls for the open boot stack or not.
However, with OP-TEE there is still work in progress to enable media upstream
as Jorge posted in earlier versions on this patch-set due to IOMMU dependency.
>
> Could you please check, if any such usage of legacy *scm* APIs, like the one
> i pointed above, can be enforced to err out at compile time ?
It will error out at runtime automatically since TF-A doesn't support
this SCM/SMC call as of now.
-Sumit
^ permalink raw reply
* [PATCH] wifi: mt76: mt7996: remove redundant pdev->bus check in probe
From: Lorenzo Bianconi @ 2026-05-22 7:24 UTC (permalink / raw)
To: Felix Fietkau, Ryder Lee, Shayne Chen, Sean Wang,
Matthias Brugger, AngeloGioacchino Del Regno
Cc: Dan Carpenter, linux-wireless, linux-arm-kernel, linux-mediatek,
Lorenzo Bianconi
Drop the unnecessary pdev->bus NULL check in mt7996_pci_probe() since
the pointer is already dereferenced earlier in mt76_pci_disable_aspm(),
making the check dead code. Silences the related Smatch warning.
Fixes: 377aa17d2aed ("wifi: mt76: mt7996: Add NPU offload support to MT7996 driver")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7996/pci.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/pci.c b/drivers/net/wireless/mediatek/mt76/mt7996/pci.c
index 12523ddba630..b7d9193e042f 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/pci.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/pci.c
@@ -141,7 +141,7 @@ static int mt7996_pci_probe(struct pci_dev *pdev,
dev->hif2 = hif2;
mt76_npu_init(mdev, pci_resource_start(pdev, 0),
- pdev->bus && pci_domain_nr(pdev->bus) ? 3 : 2);
+ pci_domain_nr(pdev->bus) ? 3 : 2);
ret = mt7996_mmio_wed_init(dev, pdev, false, &irq);
if (ret < 0)
---
base-commit: e9aeddfe98ebccd3761ac7dd316af4fb5de1c28a
change-id: 20260522-mt7996-pdev-bus-fix-0ea1302f0d68
Best regards,
--
Lorenzo Bianconi <lorenzo@kernel.org>
^ permalink raw reply related
* [PATCH v4] PCI: Disable broken FLR on MediaTek MT7925
From: Jose Ignacio Tornos Martinez @ 2026-05-22 7:06 UTC (permalink / raw)
To: bhelgaas, alex
Cc: nbd, lorenzo, shayne.chen, sean.wang, linux-pci, linux-wireless,
linux-kernel, Jose Ignacio Tornos Martinez
The MediaTek MT7925 WiFi device advertises FLR capability, but it does
not work correctly. This manifests in VFIO passthrough scenarios: normal
VM operation works fine, including clean shutdown/reboot. However, when
the VM terminates uncleanly (crash, force-off), VFIO attempts to reset
the device before it can be assigned to another VM. Because FLR is broken,
the reset fails preventing reuse.
This is similar to its predecessor MT7922 (see commit 81f64e925c29 ("PCI:
Avoid FLR for Mediatek MT7922 WiFi")), but with different symptoms.
The MT7922 issue manifests as config read failures (returning ~0) after
FLR. The MT7925 shows different behavior: config reads work correctly
after FLR, but firmware communication fails.
First VM start with MT7925 works fine:
mt7925e 0000:08:00.0: ASIC revision: 79250000
mt7925e 0000:08:00.0: WM Firmware Version: ____000000, Build Time:
20260106153120
After force reset or VM crash, when VFIO attempts FLR to reset the device
for reassignment, firmware initialization fails:
mt7925e 0000:08:00.0: ASIC revision: 79250000
mt7925e 0000:08:00.0: Message 00000010 (seq 1) timeout
mt7925e 0000:08:00.0: Failed to get patch semaphore
[Repeats with increasing sequence numbers 2-10]
mt7925e 0000:08:00.0: hardware init failed
The driver cannot acquire the patch semaphore needed for firmware
initialization, indicating that FLR does not properly reset the firmware
state. The device remains in this broken state until physical power cycle.
Disable FLR for MT7925 so the PCI core falls back to Secondary Bus Reset,
which successfully resets the device and allows reinitialization for VFIO
passthrough reuse.
Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
---
v4: Improved commit message with specific dmesg evidence showing firmware
initialization failure after FLR (Bjorn Helgaas feedback)
v2: https://lore.kernel.org/all/20260521061205.12727-1-jtornosm@redhat.com/
drivers/pci/quirks.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
index 000000000000..111111111111 100644
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -5607,6 +5607,7 @@
* Intel 82579LM Gigabit Ethernet Controller 0x1502
* Intel 82579V Gigabit Ethernet Controller 0x1503
* Mediatek MT7922 802.11ax PCI Express Wireless Network Adapter
+ * Mediatek MT7925 802.11be PCI Express Wireless Network Adapter
*/
static void quirk_no_flr(struct pci_dev *dev)
{
@@ -5617,6 +5618,7 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x7901, quirk_no_flr);
DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x1502, quirk_no_flr);
DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x1503, quirk_no_flr);
DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_MEDIATEK, 0x0616, quirk_no_flr);
+DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_MEDIATEK, 0x7925, quirk_no_flr);
/* FLR may cause the SolidRun SNET DPU (rev 0x1) to hang */
static void quirk_no_flr_snet(struct pci_dev *dev)
--
2.53.0
^ permalink raw reply related
* Re: [PATCH v3] PCI: Disable broken FLR on MediaTek MT7925
From: Jose Ignacio Tornos Martinez @ 2026-05-22 6:48 UTC (permalink / raw)
To: helgaas
Cc: Ryder.Lee, alex, bhelgaas, jtornosm, linux-kernel, linux-pci,
linux-wireless, lorenzo, nbd, sean.wang, shayne.chen
In-Reply-To: <20260521161932.GA167656@bhelgaas>
Hello Bjorn,
Thank you for the feedback.
> How do we know the device is an "undefined state"? Does it just not
> respond to config accesses? Is there something in dmesg that shows
> the problem?
> I suppose it's similar to 81f64e925c29 ("PCI: Avoid FLR for Mediatek
> MT7922 WiFi")?
> I guess I'm just looking for some text more specific than "undefined
> state".
You're right, "undefined state" is too vague.
I can prepare v4 with what I've seen is happening . The
symptoms are similar to MT7922 but not identical:
**First VM start (works fine):**
mt7925e 0000:08:00.0: ASIC revision: 79250000
mt7925e 0000:08:00.0: WM Firmware Version: ____000000, Build Time: 20260106153120
**After force reset/VM crash (FLR attempted, firmware communication broken):**
mt7925e 0000:08:00.0: ASIC revision: 79250000
mt7925e 0000:08:00.0: Message 00000010 (seq 1) timeout
mt7925e 0000:08:00.0: Failed to get patch semaphore
(Repeats 10 times with increasing seq numbers)
mt7925e 0000:08:00.0: hardware init failed
Unlike MT7922 which shows config read failures, MT7925e config reads work
correctly after FLR (lspci shows all capabilities). However, firmware
communication is broken - the driver cannot acquire the patch semaphore
needed for firmware initialization. The device remains broken until
physical power cycle.
Secondary Bus Reset (fallback after quirk_no_flr) successfully resets the
device and allows reinitialization.
> Can we get any of the MediaTek folks to comment on this:
> https://sashiko.dev/#/patchset/20260508145153.717641-1-jtornosm@redhat.com?part=1
>
> Sashiko suggested that Device ID 0x0717 might have the same FLR
> problem.
I don't have that device to confirm the same behavior. I'll wait for
MediaTek maintainers (now CC'd) to confirm whether 0x0717 exhibits the
same FLR issue. If confirmed, I can add it in a follow-up patch or the
next version.
Thanks
Best regards
José Ignacio
^ permalink raw reply
* Re: [PATCH 02/10] [v3] input: gpio-keys: make legacy gpiolib optional
From: Matti Vaittinen @ 2026-05-22 4:55 UTC (permalink / raw)
To: Arnd Bergmann, linux-gpio
Cc: linux-kernel, Arnd Bergmann, Christian Lamparter, Johannes Berg,
Aaro Koskinen, Andreas Kemnade, Kevin Hilman, Roger Quadros,
Tony Lindgren, Thomas Bogendoerfer, John Paul Adrian Glaubitz,
Thomas Gleixner, Ingo Molnar, Borislav Petkov, Dave Hansen, x86,
H. Peter Anvin, Linus Walleij, Bartosz Golaszewski,
Dmitry Torokhov, Lee Jones, Pavel Machek, Florian Fainelli,
Jonas Gorski, Andrew Lunn, Vladimir Oltean, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-wireless,
linux-omap, linux-arm-kernel, linux-mips, linux-sh, linux-input,
linux-leds, netdev
In-Reply-To: <20260520183815.2510387-3-arnd@kernel.org>
On 20/05/2026 21:38, Arnd Bergmann wrote:
> From: Arnd Bergmann <arnd@arndb.de>
>
> Most users of gpio-keys and gpio-keys-polled use modern gpiolib
> interfaces, but there are still number of ancient sh, arm32 and x86
> machines that have never been converted.
>
> Add an #ifdef block for the parts of the driver that are only used on
> those legacy machines.
>
> The two Rohm PMIC drivers use a gpio-keys device without an actual GPIO,
> passing an IRQ number instead. In order to keep this working both with
> and with CONFIG_GPIOLIB_LEGACY, change the gpio-keys driver to ignore
> the gpio number if an IRQ is passed.
>
> Link: https://lore.kernel.org/all/b3c94552-c104-42e3-be15-7e8362e8039e@gmail.com/
> Link: https://lore.kernel.org/all/afJXG4_rtaj3l2Dk@google.com/
> Signed-off-by: Arnd Bergmann <arnd@arndb.de>
> ---
> v3: resend
> v2: skip the fake GPIO number passing from mfd
>
> The removal of the arm platforms using this is not yet going to happen
> for 7.2, and Dmitry's changes for the Rohm drivers have not yet
> made it into linux-next as of 2026-05-20, so for the moment I
> would still like to see this patch get merged, even if we are
> closing in on completely removing the legacy gpio support in
> the gpio_keys driver, so we can make CONFIG_GPIOLIB_LEGACY
> default-disabled sooner.
I am (still) all fine with this, even though I like Dmitry's set. I
suppose you already have a plan for merging this, but I still have to
ask - why the MFD changes aren't in own patch? I feel it would have
simplified merging, backporting, reviewing and reverting if needed.
Well, other than that:
Reviewed-by: Matti Vaittinen <mazziesaccount@gmail.com>
Yours,
-- Matti
---
Matti Vaittinen
Linux kernel developer at ROHM Semiconductors
Oulu Finland
~~ When things go utterly wrong vim users can always type :help! ~~
^ permalink raw reply
* [PATCH ath-next] wifi: ath9k: improve stability on AR9330/AR9340
From: Rosen Penev @ 2026-05-21 23:24 UTC (permalink / raw)
To: linux-wireless; +Cc: Toke Høiland-Jørgensen, open list
Setting a couple of registers on these platforms improves stability.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
drivers/net/wireless/ath/ath9k/hw.c | 25 +++++++++++++++++++++++++
drivers/net/wireless/ath/ath9k/phy.h | 3 +++
2 files changed, 28 insertions(+)
diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
index 05c95e67a853..5168c02bb73c 100644
--- a/drivers/net/wireless/ath/ath9k/hw.c
+++ b/drivers/net/wireless/ath/ath9k/hw.c
@@ -248,6 +248,19 @@ void ath9k_hw_get_channel_centers(struct ath_hw *ah,
centers->synth_center + (extoff * HT40_CHANNEL_CENTER_SHIFT);
}
+static inline void ath9k_hw_disable_pll_lock_detect(struct ath_hw *ah)
+{
+ /* On AR9330 and AR9340 devices, some PHY registers must be
+ * tuned to gain better stability/performance. These registers
+ * might be changed while doing wlan reset so the registers must
+ * be reprogrammed after each reset.
+ */
+ REG_CLR_BIT(ah, AR_PHY_USB_CTRL1, BIT(20));
+ REG_RMW(ah, AR_PHY_USB_CTRL2,
+ (1 << 21) | (0xf << 22),
+ (1 << 21) | (0x3 << 22));
+}
+
/******************/
/* Chip Revisions */
/******************/
@@ -1438,6 +1451,9 @@ static bool ath9k_hw_set_reset(struct ath_hw *ah, int type)
if (AR_SREV_9100(ah))
udelay(50);
+ if (AR_SREV_9330(ah) || AR_SREV_9340(ah))
+ ath9k_hw_disable_pll_lock_detect(ah);
+
return true;
}
@@ -1537,6 +1553,9 @@ static bool ath9k_hw_chip_reset(struct ath_hw *ah,
ar9003_hw_internal_regulator_apply(ah);
ath9k_hw_init_pll(ah, chan);
+ if (AR_SREV_9330(ah) || AR_SREV_9340(ah))
+ ath9k_hw_disable_pll_lock_detect(ah);
+
return true;
}
@@ -1843,6 +1862,9 @@ static int ath9k_hw_do_fastcc(struct ath_hw *ah, struct ath9k_channel *chan)
if (AR_SREV_9271(ah))
ar9002_hw_load_ani_reg(ah, chan);
+ if (AR_SREV_9330(ah) || AR_SREV_9340(ah))
+ ath9k_hw_disable_pll_lock_detect(ah);
+
return 0;
fail:
return -EINVAL;
@@ -2074,6 +2096,9 @@ int ath9k_hw_reset(struct ath_hw *ah, struct ath9k_channel *chan,
ath9k_hw_set_radar_params(ah);
}
+ if (AR_SREV_9330(ah) || AR_SREV_9340(ah))
+ ath9k_hw_disable_pll_lock_detect(ah);
+
return 0;
}
EXPORT_SYMBOL(ath9k_hw_reset);
diff --git a/drivers/net/wireless/ath/ath9k/phy.h b/drivers/net/wireless/ath/ath9k/phy.h
index 4a1b99238ec2..af667a3629b1 100644
--- a/drivers/net/wireless/ath/ath9k/phy.h
+++ b/drivers/net/wireless/ath/ath9k/phy.h
@@ -48,6 +48,9 @@
#define AR_PHY_PLL_CONTROL 0x16180
#define AR_PHY_PLL_MODE 0x16184
+#define AR_PHY_USB_CTRL1 0x16c84
+#define AR_PHY_USB_CTRL2 0x16c88
+
enum ath9k_ant_div_comb_lna_conf {
ATH_ANT_DIV_COMB_LNA1_MINUS_LNA2,
ATH_ANT_DIV_COMB_LNA2,
--
2.54.0
^ permalink raw reply related
* [PATCH ath-next] wifi: ath9k: call external_reset on AR91xx
From: Rosen Penev @ 2026-05-21 23:23 UTC (permalink / raw)
To: linux-wireless; +Cc: Toke Høiland-Jørgensen, open list
Fixes some stability issues there.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
drivers/net/wireless/ath/ath9k/hw.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
index 5168c02bb73c..cde318a21a81 100644
--- a/drivers/net/wireless/ath/ath9k/hw.c
+++ b/drivers/net/wireless/ath/ath9k/hw.c
@@ -1448,8 +1448,12 @@ static bool ath9k_hw_set_reset(struct ath_hw *ah, int type)
if (!AR_SREV_9100(ah))
REG_WRITE(ah, AR_RC, 0);
- if (AR_SREV_9100(ah))
+ if (AR_SREV_9100(ah)) {
+ /* Reset the AHB-WMAC interface */
+ if (ah->external_reset)
+ ah->external_reset();
udelay(50);
+ }
if (AR_SREV_9330(ah) || AR_SREV_9340(ah))
ath9k_hw_disable_pll_lock_detect(ah);
--
2.54.0
^ permalink raw reply related
* [PATCH ath-next] wifi: ath9k: owl: remove misleading error message
From: Rosen Penev @ 2026-05-21 23:21 UTC (permalink / raw)
To: linux-wireless
Cc: Toke Høiland-Jørgensen, Andreas Färber,
Manivannan Sadhasivam,
moderated list:ARM/ACTIONS SEMI ARCHITECTURE,
moderated list:ARM/ACTIONS SEMI ARCHITECTURE, open list
The error is about the firmware failing to be requested, not calibration
data. Just return directly anyways.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
drivers/net/wireless/ath/ath9k/ath9k_pci_owl_loader.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/ath9k_pci_owl_loader.c b/drivers/net/wireless/ath/ath9k/ath9k_pci_owl_loader.c
index b9ef34709202..4460ee7f44e1 100644
--- a/drivers/net/wireless/ath/ath9k/ath9k_pci_owl_loader.c
+++ b/drivers/net/wireless/ath/ath9k/ath9k_pci_owl_loader.c
@@ -204,12 +204,8 @@ static int owl_probe(struct pci_dev *pdev,
scnprintf(eeprom_name, sizeof(eeprom_name), "ath9k-eeprom-pci-%s.bin",
dev_name(dev));
- err = request_firmware_nowait(THIS_MODULE, true, eeprom_name,
+ return request_firmware_nowait(THIS_MODULE, true, eeprom_name,
&pdev->dev, GFP_KERNEL, ctx, owl_fw_cb);
- if (err)
- dev_err(&pdev->dev, "failed to request caldata (%d).\n", err);
-
- return err;
}
static void owl_remove(struct pci_dev *pdev)
--
2.54.0
^ permalink raw reply related
* [PATCH ath-next] wifi: ath9k_htc: allocate tx_buf and buf together
From: Rosen Penev @ 2026-05-21 23:20 UTC (permalink / raw)
To: linux-wireless; +Cc: Toke Høiland-Jørgensen, open list
Use a flexible array member to combine allocations. No need to have them
separate as they are always together.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 14 ++------------
drivers/net/wireless/ath/ath9k/hif_usb.h | 2 +-
2 files changed, 3 insertions(+), 13 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index 821909b81ea9..8ae4e5d4fa14 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -454,7 +454,6 @@ static void hif_usb_stop(void *hif_handle)
usb_kill_urb(tx_buf->urb);
list_del(&tx_buf->list);
usb_free_urb(tx_buf->urb);
- kfree(tx_buf->buf);
kfree(tx_buf);
spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
}
@@ -811,7 +810,6 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
&hif_dev->tx.tx_buf, list) {
list_del(&tx_buf->list);
usb_free_urb(tx_buf->urb);
- kfree(tx_buf->buf);
kfree(tx_buf);
}
spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags);
@@ -828,7 +826,6 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev)
usb_kill_urb(tx_buf->urb);
list_del(&tx_buf->list);
usb_free_urb(tx_buf->urb);
- kfree(tx_buf->buf);
kfree(tx_buf);
spin_lock_irqsave(&hif_dev->tx.tx_lock, flags);
}
@@ -849,14 +846,10 @@ static int ath9k_hif_usb_alloc_tx_urbs(struct hif_device_usb *hif_dev)
init_usb_anchor(&hif_dev->mgmt_submitted);
for (i = 0; i < MAX_TX_URB_NUM; i++) {
- tx_buf = kzalloc_obj(*tx_buf);
+ tx_buf = kzalloc_flex(*tx_buf, buf, MAX_TX_BUF_SIZE);
if (!tx_buf)
goto err;
- tx_buf->buf = kzalloc(MAX_TX_BUF_SIZE, GFP_KERNEL);
- if (!tx_buf->buf)
- goto err;
-
tx_buf->urb = usb_alloc_urb(0, GFP_KERNEL);
if (!tx_buf->urb)
goto err;
@@ -871,10 +864,7 @@ static int ath9k_hif_usb_alloc_tx_urbs(struct hif_device_usb *hif_dev)
return 0;
err:
- if (tx_buf) {
- kfree(tx_buf->buf);
- kfree(tx_buf);
- }
+ kfree(tx_buf);
ath9k_hif_usb_dealloc_tx_urbs(hif_dev);
return -ENOMEM;
}
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.h b/drivers/net/wireless/ath/ath9k/hif_usb.h
index b3e66b0485a5..c28033ee61ce 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.h
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.h
@@ -77,13 +77,13 @@ extern int htc_use_dev_fw;
#define HIF_USB_MAX_TXPIPES 4
struct tx_buf {
- u8 *buf;
u16 len;
u16 offset;
struct urb *urb;
struct sk_buff_head skb_queue;
struct hif_device_usb *hif_dev;
struct list_head list;
+ u8 buf[];
};
struct rx_buf {
--
2.54.0
^ permalink raw reply related
* [PATCH ath-next] wifi: ath9k: remove disabling of bands
From: Rosen Penev @ 2026-05-21 23:18 UTC (permalink / raw)
To: linux-wireless; +Cc: Toke Høiland-Jørgensen, open list
The old platform data code that used this is gone and this serves no
purpose.
The modern way to disable bands is ieee80211-freq-limit, which is
already implemented.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
---
drivers/net/wireless/ath/ath9k/hw.c | 16 ++++------------
drivers/net/wireless/ath/ath9k/hw.h | 2 --
2 files changed, 4 insertions(+), 14 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c
index cde318a21a81..9202998920a9 100644
--- a/drivers/net/wireless/ath/ath9k/hw.c
+++ b/drivers/net/wireless/ath/ath9k/hw.c
@@ -2527,19 +2527,11 @@ int ath9k_hw_fill_cap_info(struct ath_hw *ah)
eeval = ah->eep_ops->get_eeprom(ah, EEP_OP_MODE);
- if (eeval & AR5416_OPFLAGS_11A) {
- if (ah->disable_5ghz)
- ath_warn(common, "disabling 5GHz band\n");
- else
- pCap->hw_caps |= ATH9K_HW_CAP_5GHZ;
- }
+ if (eeval & AR5416_OPFLAGS_11A)
+ pCap->hw_caps |= ATH9K_HW_CAP_5GHZ;
- if (eeval & AR5416_OPFLAGS_11G) {
- if (ah->disable_2ghz)
- ath_warn(common, "disabling 2GHz band\n");
- else
- pCap->hw_caps |= ATH9K_HW_CAP_2GHZ;
- }
+ if (eeval & AR5416_OPFLAGS_11G)
+ pCap->hw_caps |= ATH9K_HW_CAP_2GHZ;
if ((pCap->hw_caps & (ATH9K_HW_CAP_2GHZ | ATH9K_HW_CAP_5GHZ)) == 0) {
ath_err(common, "both bands are disabled\n");
diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
index d9d2f64c5570..b942b8303d8f 100644
--- a/drivers/net/wireless/ath/ath9k/hw.h
+++ b/drivers/net/wireless/ath/ath9k/hw.h
@@ -974,8 +974,6 @@ struct ath_hw {
bool is_clk_25mhz;
int (*get_mac_revision)(void);
int (*external_reset)(void);
- bool disable_2ghz;
- bool disable_5ghz;
const struct firmware *eeprom_blob;
u16 *nvmem_blob; /* devres managed */
--
2.54.0
^ permalink raw reply related
* Re: [GIT PULL] wireless-next-2026-05-21
From: patchwork-bot+netdevbpf @ 2026-05-21 23:17 UTC (permalink / raw)
To: Johannes Berg; +Cc: netdev, linux-wireless
In-Reply-To: <20260521153519.380276-3-johannes@sipsolutions.net>
Hello:
This pull request was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Thu, 21 May 2026 17:34:34 +0200 you wrote:
> Hi,
>
> OK this one's pretty sparse, but I'll send it anyway so we
> can sync up with wireless content etc. later. I guess I'll
> get more driver pull requests for -next as we get to later
> RCs.
>
> [...]
Here is the summary with links:
- [GIT,PULL] wireless-next-2026-05-21
https://git.kernel.org/netdev/net-next/c/1a1f055318d8
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* [PATCH v8 6/6] wifi: mac80211: Fix PERR frame processing
From: Masashi Honma @ 2026-05-21 22:58 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, Masashi Honma
In-Reply-To: <20260521225842.31815-1-masashi.honma@gmail.com>
There are no issues with the PERR processing itself; however, to maintain
consistency with the previous PREQ/PREP code modifications, I will create a
new mesh_path_parse_error_frame() function to separately implement the
frame format validation and the "not supported" check.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
---
include/linux/ieee80211-mesh.h | 41 ++++++++++++++++++++++++++++++++++
net/mac80211/mesh_hwmp.c | 14 ++++++++++--
net/mac80211/parse.c | 9 ++++++--
3 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/include/linux/ieee80211-mesh.h b/include/linux/ieee80211-mesh.h
index b4fca2937de0..bd83c647a578 100644
--- a/include/linux/ieee80211-mesh.h
+++ b/include/linux/ieee80211-mesh.h
@@ -365,4 +365,45 @@ static inline bool ieee80211_mesh_prep_size_ok(const u8 *pos, u8 elen)
return elen == needed;
}
+/* IEEE Std 802.11-2016 9.4.2.115 PERR element */
+static inline bool ieee80211_mesh_perr_size_ok(const u8 *pos, u8 elen)
+{
+ struct ieee80211_mesh_hwmp_perr *perr_elem = (void *)pos;
+ u8 number_of_dst;
+ u8 needed;
+ const u8 *start;
+ int i;
+
+ start = pos;
+ needed = sizeof(struct ieee80211_mesh_hwmp_perr);
+ pos += sizeof(struct ieee80211_mesh_hwmp_perr);
+
+ /* Check if the element contains number of dst */
+ if (elen < needed)
+ return false;
+
+ number_of_dst = perr_elem->number_of_dst;
+ if (number_of_dst < 1 || number_of_dst > 19)
+ return false;
+
+ for (i = 0; i < number_of_dst; i++) {
+ struct ieee80211_mesh_hwmp_perr_dst *perr_dst =
+ &perr_elem->dsts[i];
+ u8 dst_len;
+
+ /* Check if the element contains flags */
+ if (elen < pos - start + 1)
+ return false;
+
+ dst_len = sizeof(struct ieee80211_mesh_hwmp_perr_dst) +
+ ((perr_dst->flags & AE_F) ? ETH_ALEN : 0)
+ /* Destination External Address */ +
+ 2 /* Reason Code */;
+ needed += dst_len;
+ pos += dst_len;
+ }
+
+ return elen == needed;
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 391d37721b23..a74d7b28a35d 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -957,9 +957,19 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
path_metric);
}
if (elems->perr) {
- if (elems->perr_len != 15)
- /* Right now we support only one destination per PERR */
+ struct ieee80211_mesh_hwmp_perr *perr_elem =
+ (struct ieee80211_mesh_hwmp_perr *)elems->perr;
+ int i;
+
+ /* Right now we support only one destination per PERR */
+ if (perr_elem->number_of_dst != 1)
goto free;
+
+ /* Right now we do not support AE (Address Extension) */
+ for (i = 0; i < perr_elem->number_of_dst; i++)
+ if (perr_elem->dsts[i].flags & AE_F)
+ goto free;
+
hwmp_perr_frame_process(sdata, mgmt, elems->perr);
}
if (elems->rann)
diff --git a/net/mac80211/parse.c b/net/mac80211/parse.c
index bbd1e1bc77b4..d84e5e12ad24 100644
--- a/net/mac80211/parse.c
+++ b/net/mac80211/parse.c
@@ -565,8 +565,13 @@ _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
}
break;
case WLAN_EID_PERR:
- elems->perr = pos;
- elems->perr_len = elen;
+ if (ieee80211_mesh_perr_size_ok(pos, elen)) {
+ elems->perr = pos;
+ elems->perr_len = elen;
+ } else {
+ elem_parse_failed =
+ IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
+ }
break;
case WLAN_EID_RANN:
if (elen >= sizeof(struct ieee80211_rann_ie))
--
2.43.0
^ permalink raw reply related
* [PATCH v8 5/6] wifi: mac80211: Fix overread in PREP frame processing
From: Masashi Honma @ 2026-05-21 22:58 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, Masashi Honma
In-Reply-To: <20260521225842.31815-1-masashi.honma@gmail.com>
When the AF flag is enabled, hwmp_prep_frame_process() overreads orig_addr
by 2 bytes. Since this occurs within the socket buffer, it does not read
across memory boundaries and therefore poses no security risk; however, we
will fix it as a precaution.
In this fix, a new function mesh_path_parse_reply_frame() is established to
separate the implementation of frame format validation and the check for
unsupported features. This is intended to facilitate future work when
implementing the currently unsupported parts.
Assisted-by: Claude:Sonnet 4.6
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
---
include/linux/ieee80211-mesh.h | 16 ++++++++++++++++
net/mac80211/mesh_hwmp.c | 4 ++--
net/mac80211/parse.c | 9 +++++++--
3 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/include/linux/ieee80211-mesh.h b/include/linux/ieee80211-mesh.h
index 42a5bd73838c..b4fca2937de0 100644
--- a/include/linux/ieee80211-mesh.h
+++ b/include/linux/ieee80211-mesh.h
@@ -349,4 +349,20 @@ static inline bool ieee80211_mesh_preq_size_ok(const u8 *pos, u8 elen)
return elen == needed;
}
+/* IEEE Std 802.11-2016 9.4.2.114 PREP element */
+static inline bool ieee80211_mesh_prep_size_ok(const u8 *pos, u8 elen)
+{
+ u8 needed;
+
+ /* Check if the element contains flags */
+ if (elen < 1)
+ return false;
+
+ needed = sizeof(struct ieee80211_mesh_hwmp_prep_top) +
+ (ieee80211_mesh_preq_prep_ae_enabled(pos) ? ETH_ALEN : 0)
+ /* Target External Address */ +
+ sizeof(struct ieee80211_mesh_hwmp_prep_bottom);
+ return elen == needed;
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index ad3e575a0a94..391d37721b23 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -947,8 +947,8 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
path_metric);
}
if (elems->prep) {
- if (elems->prep_len != 31)
- /* Right now we support no AE */
+ /* Right now we do not support AE (Address Extension) */
+ if (ieee80211_mesh_preq_prep_ae_enabled(elems->prep))
goto free;
path_metric = hwmp_route_info_get(sdata, mgmt, elems->prep,
MPATH_PREP);
diff --git a/net/mac80211/parse.c b/net/mac80211/parse.c
index 9e52cc48fc18..bbd1e1bc77b4 100644
--- a/net/mac80211/parse.c
+++ b/net/mac80211/parse.c
@@ -556,8 +556,13 @@ _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
}
break;
case WLAN_EID_PREP:
- elems->prep = pos;
- elems->prep_len = elen;
+ if (ieee80211_mesh_prep_size_ok(pos, elen)) {
+ elems->prep = pos;
+ elems->prep_len = elen;
+ } else {
+ elem_parse_failed =
+ IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
+ }
break;
case WLAN_EID_PERR:
elems->perr = pos;
--
2.43.0
^ permalink raw reply related
* [PATCH v8 4/6] wifi: mac80211: Fix overread in PREQ frame processing
From: Masashi Honma @ 2026-05-21 22:58 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, Masashi Honma
In-Reply-To: <20260521225842.31815-1-masashi.honma@gmail.com>
When the AF flag is enabled, hwmp_preq_frame_process() overreads
target_addr by 2 bytes. Since this occurs within the socket buffer, it does
not read across memory boundaries and therefore poses no security risk;
however, we will fix it as a precaution.
In this fix, a new function mesh_path_parse_request_frame() is established
to separate the implementation of frame format validation and the check for
unsupported features. This is intended to facilitate future work when
implementing the currently unsupported parts.
Assisted-by: Claude:Sonnet 4.6
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
---
include/linux/ieee80211-mesh.h | 28 ++++++++++++++++++++++++++++
net/mac80211/mesh_hwmp.c | 12 ++++++++++--
net/mac80211/parse.c | 9 +++++++--
3 files changed, 45 insertions(+), 4 deletions(-)
diff --git a/include/linux/ieee80211-mesh.h b/include/linux/ieee80211-mesh.h
index 0e9bd56b54f2..42a5bd73838c 100644
--- a/include/linux/ieee80211-mesh.h
+++ b/include/linux/ieee80211-mesh.h
@@ -321,4 +321,32 @@ ieee80211_mesh_hwmp_perr_get_rcode(const u8 *ie, u8 dst_idx)
(dst->flags & AE_F) ? ETH_ALEN : 0]);
}
+/* IEEE Std 802.11-2016 9.4.2.113 PREQ element */
+static inline bool ieee80211_mesh_preq_size_ok(const u8 *pos, u8 elen)
+{
+ struct ieee80211_mesh_hwmp_preq_bottom *preq_elem_bottom =
+ ieee80211_mesh_hwmp_preq_get_bottom(pos);
+ u8 target_count;
+ u8 needed;
+
+ /* Check if the element contains flags */
+ if (elen < 1)
+ return false;
+
+ /* Check if the element contains target_count */
+ needed = sizeof(struct ieee80211_mesh_hwmp_preq_top) +
+ (ieee80211_mesh_preq_prep_ae_enabled(pos) ? ETH_ALEN : 0)
+ /* Originator External Address */ +
+ sizeof(struct ieee80211_mesh_hwmp_preq_bottom);
+ if (elen < needed)
+ return false;
+
+ target_count = preq_elem_bottom->target_count;
+ if (target_count < 1 || target_count > 20)
+ return false;
+
+ needed += target_count * sizeof(struct ieee80211_mesh_hwmp_preq_target);
+ return elen == needed;
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index fa144a187fe2..ad3e575a0a94 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -929,9 +929,17 @@ void mesh_rx_path_sel_frame(struct ieee80211_sub_if_data *sdata,
return;
if (elems->preq) {
- if (elems->preq_len != 37)
- /* Right now we support just 1 destination and no AE */
+ struct ieee80211_mesh_hwmp_preq_bottom *preq_elem_bottom =
+ ieee80211_mesh_hwmp_preq_get_bottom(elems->preq);
+
+ /* Right now we do not support AE (Address Extension) */
+ if (ieee80211_mesh_preq_prep_ae_enabled(elems->preq))
goto free;
+
+ /* Right now we only support 1 target */
+ if (preq_elem_bottom->target_count != 1)
+ goto free;
+
path_metric = hwmp_route_info_get(sdata, mgmt, elems->preq,
MPATH_PREQ);
if (path_metric)
diff --git a/net/mac80211/parse.c b/net/mac80211/parse.c
index 5e61457be0f3..9e52cc48fc18 100644
--- a/net/mac80211/parse.c
+++ b/net/mac80211/parse.c
@@ -547,8 +547,13 @@ _ieee802_11_parse_elems_full(struct ieee80211_elems_parse_params *params,
elems->awake_window = (void *)pos;
break;
case WLAN_EID_PREQ:
- elems->preq = pos;
- elems->preq_len = elen;
+ if (ieee80211_mesh_preq_size_ok(pos, elen)) {
+ elems->preq = pos;
+ elems->preq_len = elen;
+ } else {
+ elem_parse_failed =
+ IEEE80211_PARSE_ERR_BAD_ELEM_SIZE;
+ }
break;
case WLAN_EID_PREP:
elems->prep = pos;
--
2.43.0
^ permalink raw reply related
* [PATCH v8 3/6] wifi: mac80211: Use struct instead of macro for PERR frame
From: Masashi Honma @ 2026-05-21 22:58 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, Masashi Honma
In-Reply-To: <20260521225842.31815-1-masashi.honma@gmail.com>
The existing PERR_IE_* macros access HWMP PERR frame fields via hardcoded
byte offsets. Each PERR destination entry contains an optional 6-byte AE
(Address Extension) address followed by a reason code, making offset-based
access error-prone.
Introduce typed packed C structs to represent the PERR frame layout:
- ieee80211_mesh_hwmp_perr: top-level frame containing TTL and
destination count
- ieee80211_mesh_hwmp_perr_dst: per-destination entry with optional AE
address and variable-position reason code
Add ieee80211_mesh_hwmp_perr_get_rcode() to locate the reason code in
each destination entry depending on whether the AE flag is set.
This refactoring makes the PERR processing code consistent with the
struct-based approach adopted for PREQ and PREP in preceding patches.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
---
include/linux/ieee80211-mesh.h | 25 +++++++++++++++++++++++++
net/mac80211/mesh_hwmp.c | 31 +++++--------------------------
2 files changed, 30 insertions(+), 26 deletions(-)
diff --git a/include/linux/ieee80211-mesh.h b/include/linux/ieee80211-mesh.h
index 4ce4e47d6d01..0e9bd56b54f2 100644
--- a/include/linux/ieee80211-mesh.h
+++ b/include/linux/ieee80211-mesh.h
@@ -71,6 +71,20 @@ struct ieee80211_mesh_hwmp_prep_bottom {
__le32 orig_sn;
} __packed;
+struct ieee80211_mesh_hwmp_perr_dst {
+ u8 flags;
+ u8 addr[ETH_ALEN];
+ __le32 sn;
+ /* optional Destination External Address */
+ u8 variable[];
+} __packed;
+
+struct ieee80211_mesh_hwmp_perr {
+ u8 ttl;
+ u8 number_of_dst;
+ struct ieee80211_mesh_hwmp_perr_dst dsts[];
+} __packed;
+
/* Mesh flags */
#define MESH_FLAGS_AE_A4 0x1
#define MESH_FLAGS_AE_A5_A6 0x2
@@ -296,4 +310,15 @@ ieee80211_mesh_hwmp_prep_get_bottom(const u8 *ie)
ieee80211_mesh_preq_prep_ae_enabled(ie) ? ETH_ALEN : 0];
}
+static inline u16
+ieee80211_mesh_hwmp_perr_get_rcode(const u8 *ie, u8 dst_idx)
+{
+ struct ieee80211_mesh_hwmp_perr *perr_ie = (void *)ie;
+ struct ieee80211_mesh_hwmp_perr_dst *dst =
+ &perr_ie->dsts[dst_idx];
+
+ return get_unaligned_le16(&dst->variable[
+ (dst->flags & AE_F) ? ETH_ALEN : 0]);
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 39b782370df0..fa144a187fe2 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -20,29 +20,7 @@
static void mesh_queue_preq(struct mesh_path *, u8);
-static inline u32 u32_field_get(const u8 *preq_elem, int offset, bool ae)
-{
- if (ae)
- offset += 6;
- return get_unaligned_le32(preq_elem + offset);
-}
-
-static inline u16 u16_field_get(const u8 *preq_elem, int offset, bool ae)
-{
- if (ae)
- offset += 6;
- return get_unaligned_le16(preq_elem + offset);
-}
-
/* HWMP IE processing macros */
-#define AE_F_SET(x) (*x & AE_F)
-
-#define PERR_IE_TTL(x) (*(x))
-#define PERR_IE_TARGET_FLAGS(x) (*(x + 2))
-#define PERR_IE_TARGET_ADDR(x) (x + 3)
-#define PERR_IE_TARGET_SN(x) u32_field_get(x, 9, 0)
-#define PERR_IE_TARGET_RCODE(x) u16_field_get(x, 13, 0)
-
#define MSEC_TO_TU(x) (x*1000/1024)
#define SN_GT(x, y) ((s32)(y - x) < 0)
#define SN_LT(x, y) ((s32)(x - y) < 0)
@@ -774,6 +752,7 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
const u8 *perr_elem)
{
struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+ struct ieee80211_mesh_hwmp_perr *perr_elem_s = (void *)perr_elem;
struct mesh_path *mpath;
u8 ttl;
const u8 *ta, *target_addr;
@@ -781,15 +760,15 @@ static void hwmp_perr_frame_process(struct ieee80211_sub_if_data *sdata,
u16 target_rcode;
ta = mgmt->sa;
- ttl = PERR_IE_TTL(perr_elem);
+ ttl = perr_elem_s->ttl;
if (ttl <= 1) {
ifmsh->mshstats.dropped_frames_ttl++;
return;
}
ttl--;
- target_addr = PERR_IE_TARGET_ADDR(perr_elem);
- target_sn = PERR_IE_TARGET_SN(perr_elem);
- target_rcode = PERR_IE_TARGET_RCODE(perr_elem);
+ target_addr = perr_elem_s->dsts[0].addr;
+ target_sn = le32_to_cpu(perr_elem_s->dsts[0].sn);
+ target_rcode = ieee80211_mesh_hwmp_perr_get_rcode(perr_elem, 0);
rcu_read_lock();
mpath = mesh_path_lookup(sdata, target_addr);
--
2.43.0
^ permalink raw reply related
* [PATCH v8 2/6] wifi: mac80211: Use struct instead of macro for PREP frame
From: Masashi Honma @ 2026-05-21 22:58 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, Masashi Honma
In-Reply-To: <20260521225842.31815-1-masashi.honma@gmail.com>
The existing PREP_IE_* macros access HWMP PREP frame fields via hardcoded
byte offsets. When the AE (Address Extension) flag is set, an additional
6 bytes appear mid-frame, making the offset arithmetic error-prone.
Introduce typed packed C structs to represent the PREP frame layout:
- ieee80211_mesh_hwmp_prep_top: fixed fields before the optional AE
address
- ieee80211_mesh_hwmp_prep_bottom: fields after the optional AE address
Add ieee80211_mesh_hwmp_prep_get_bottom() to locate the bottom struct
correctly based on whether the AE flag is set.
This preparatory refactoring is needed to fix a 2-byte overread of
orig_addr in hwmp_prep_frame_process() when AE is enabled, which is
addressed in a subsequent patch.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
---
include/linux/ieee80211-mesh.h | 27 ++++++++++++++++++++
net/mac80211/mesh_hwmp.c | 46 ++++++++++++++++------------------
2 files changed, 49 insertions(+), 24 deletions(-)
diff --git a/include/linux/ieee80211-mesh.h b/include/linux/ieee80211-mesh.h
index bf4a544aed00..4ce4e47d6d01 100644
--- a/include/linux/ieee80211-mesh.h
+++ b/include/linux/ieee80211-mesh.h
@@ -53,6 +53,24 @@ struct ieee80211_mesh_hwmp_preq_bottom {
struct ieee80211_mesh_hwmp_preq_target targets[];
} __packed;
+struct ieee80211_mesh_hwmp_prep_top {
+ u8 flags;
+ u8 hopcount;
+ u8 ttl;
+ u8 target_addr[ETH_ALEN];
+ __le32 target_sn;
+
+ /* optional Target External Address */
+ u8 variable[];
+} __packed;
+
+struct ieee80211_mesh_hwmp_prep_bottom {
+ __le32 lifetime;
+ __le32 metric;
+ u8 orig_addr[ETH_ALEN];
+ __le32 orig_sn;
+} __packed;
+
/* Mesh flags */
#define MESH_FLAGS_AE_A4 0x1
#define MESH_FLAGS_AE_A5_A6 0x2
@@ -269,4 +287,13 @@ ieee80211_mesh_hwmp_preq_get_bottom(const u8 *ie)
ieee80211_mesh_preq_prep_ae_enabled(ie) ? ETH_ALEN : 0];
}
+static inline struct ieee80211_mesh_hwmp_prep_bottom *
+ieee80211_mesh_hwmp_prep_get_bottom(const u8 *ie)
+{
+ struct ieee80211_mesh_hwmp_prep_top *top = (void *)ie;
+
+ return (void *)&top->variable[
+ ieee80211_mesh_preq_prep_ae_enabled(ie) ? ETH_ALEN : 0];
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 1a6a22b185d9..39b782370df0 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -37,16 +37,6 @@ static inline u16 u16_field_get(const u8 *preq_elem, int offset, bool ae)
/* HWMP IE processing macros */
#define AE_F_SET(x) (*x & AE_F)
-#define PREP_IE_FLAGS(x) (*(x))
-#define PREP_IE_HOPCOUNT(x) (*(x + 1))
-#define PREP_IE_TTL(x) (*(x + 2))
-#define PREP_IE_ORIG_ADDR(x) (AE_F_SET(x) ? x + 27 : x + 21)
-#define PREP_IE_ORIG_SN(x) u32_field_get(x, 27, AE_F_SET(x))
-#define PREP_IE_LIFETIME(x) u32_field_get(x, 13, AE_F_SET(x))
-#define PREP_IE_METRIC(x) u32_field_get(x, 17, AE_F_SET(x))
-#define PREP_IE_TARGET_ADDR(x) (x + 3)
-#define PREP_IE_TARGET_SN(x) u32_field_get(x, 9, 0)
-
#define PERR_IE_TTL(x) (*(x))
#define PERR_IE_TARGET_FLAGS(x) (*(x + 2))
#define PERR_IE_TARGET_ADDR(x) (x + 3)
@@ -419,11 +409,16 @@ static u32 hwmp_route_info_get(struct ieee80211_sub_if_data *sdata,
* so that we can easily use a single function to gather path
* information from both PREQ and PREP frames.
*/
- orig_addr = PREP_IE_TARGET_ADDR(hwmp_ie);
- orig_sn = PREP_IE_TARGET_SN(hwmp_ie);
- orig_lifetime = PREP_IE_LIFETIME(hwmp_ie);
- orig_metric = PREP_IE_METRIC(hwmp_ie);
- hopcount = PREP_IE_HOPCOUNT(hwmp_ie) + 1;
+ struct ieee80211_mesh_hwmp_prep_top *prep_elem_top =
+ (void *)hwmp_ie;
+ struct ieee80211_mesh_hwmp_prep_bottom *prep_elem_bottom =
+ ieee80211_mesh_hwmp_prep_get_bottom(hwmp_ie);
+
+ orig_addr = prep_elem_top->target_addr;
+ orig_sn = le32_to_cpu(prep_elem_top->target_sn);
+ orig_lifetime = le32_to_cpu(prep_elem_bottom->lifetime);
+ orig_metric = le32_to_cpu(prep_elem_bottom->metric);
+ hopcount = prep_elem_top->hopcount + 1;
break;
default:
rcu_read_unlock();
@@ -714,6 +709,9 @@ static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
const u8 *prep_elem, u32 metric)
{
struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+ struct ieee80211_mesh_hwmp_prep_top *prep_elem_top = (void *)prep_elem;
+ struct ieee80211_mesh_hwmp_prep_bottom *prep_elem_bottom =
+ ieee80211_mesh_hwmp_prep_get_bottom(prep_elem);
struct mesh_path *mpath;
const u8 *target_addr, *orig_addr;
u8 ttl, hopcount, flags;
@@ -721,9 +719,9 @@ static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
u32 target_sn, orig_sn, lifetime;
mhwmp_dbg(sdata, "received PREP from %pM\n",
- PREP_IE_TARGET_ADDR(prep_elem));
+ prep_elem_top->target_addr);
- orig_addr = PREP_IE_ORIG_ADDR(prep_elem);
+ orig_addr = prep_elem_bottom->orig_addr;
if (ether_addr_equal(orig_addr, sdata->vif.addr))
/* destination, no forwarding required */
return;
@@ -731,7 +729,7 @@ static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
if (!ifmsh->mshcfg.dot11MeshForwarding)
return;
- ttl = PREP_IE_TTL(prep_elem);
+ ttl = prep_elem_top->ttl;
if (ttl <= 1) {
sdata->u.mesh.mshstats.dropped_frames_ttl++;
return;
@@ -750,12 +748,12 @@ static void hwmp_prep_frame_process(struct ieee80211_sub_if_data *sdata,
memcpy(next_hop, next_hop_deref_protected(mpath)->sta.addr, ETH_ALEN);
spin_unlock_bh(&mpath->state_lock);
--ttl;
- flags = PREP_IE_FLAGS(prep_elem);
- lifetime = PREP_IE_LIFETIME(prep_elem);
- hopcount = PREP_IE_HOPCOUNT(prep_elem) + 1;
- target_addr = PREP_IE_TARGET_ADDR(prep_elem);
- target_sn = PREP_IE_TARGET_SN(prep_elem);
- orig_sn = PREP_IE_ORIG_SN(prep_elem);
+ flags = prep_elem_top->flags;
+ lifetime = le32_to_cpu(prep_elem_bottom->lifetime);
+ hopcount = prep_elem_top->hopcount + 1;
+ target_addr = prep_elem_top->target_addr;
+ target_sn = le32_to_cpu(prep_elem_top->target_sn);
+ orig_sn = le32_to_cpu(prep_elem_bottom->orig_sn);
mesh_path_sel_frame_tx(MPATH_PREP, flags, orig_addr, orig_sn, 0,
target_addr, target_sn, next_hop, hopcount,
--
2.43.0
^ permalink raw reply related
* [PATCH v8 1/6] wifi: mac80211: Use struct instead of macro for PREQ frame
From: Masashi Honma @ 2026-05-21 22:58 UTC (permalink / raw)
To: linux-wireless; +Cc: johannes, Masashi Honma
The existing PREQ_IE_* macros access HWMP PREQ frame fields via hardcoded
byte offsets. When the AE (Address Extension) flag is set, an additional
6 bytes appear mid-frame, and the macros handle this with conditional
arithmetic (e.g., AE_F_SET(x) ? x + N+6 : x + N). This approach
obscures the frame layout and is prone to miscalculation.
Introduce typed packed C structs to represent the PREQ frame layout:
- ieee80211_mesh_hwmp_preq_top: fixed fields before the optional AE
address
- ieee80211_mesh_hwmp_preq_bottom: fields after the optional AE address
- ieee80211_mesh_hwmp_preq_target: per-target fields
Add ieee80211_mesh_hwmp_preq_get_bottom() to locate the bottom struct
correctly based on whether the AE flag is set.
This preparatory refactoring is needed to fix a 2-byte overread of
target_addr in hwmp_preq_frame_process() when AE is enabled, which is
addressed in a subsequent patch.
Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
---
include/linux/ieee80211-mesh.h | 42 +++++++++++++++++++++
net/mac80211/mesh_hwmp.c | 67 ++++++++++++++++------------------
2 files changed, 74 insertions(+), 35 deletions(-)
diff --git a/include/linux/ieee80211-mesh.h b/include/linux/ieee80211-mesh.h
index 4b829bcb38b6..bf4a544aed00 100644
--- a/include/linux/ieee80211-mesh.h
+++ b/include/linux/ieee80211-mesh.h
@@ -28,12 +28,40 @@ struct ieee80211s_hdr {
u8 eaddr2[ETH_ALEN];
} __packed __aligned(2);
+struct ieee80211_mesh_hwmp_preq_target {
+ u8 flags;
+ u8 addr[ETH_ALEN];
+ __le32 sn;
+} __packed;
+
+struct ieee80211_mesh_hwmp_preq_top {
+ u8 flags;
+ u8 hopcount;
+ u8 ttl;
+ __le32 preq_id;
+ u8 orig_addr[ETH_ALEN];
+ __le32 orig_sn;
+
+ /* optional AE, lifetime, metric, target */
+ u8 variable[];
+} __packed;
+
+struct ieee80211_mesh_hwmp_preq_bottom {
+ __le32 lifetime;
+ __le32 metric;
+ u8 target_count;
+ struct ieee80211_mesh_hwmp_preq_target targets[];
+} __packed;
+
/* Mesh flags */
#define MESH_FLAGS_AE_A4 0x1
#define MESH_FLAGS_AE_A5_A6 0x2
#define MESH_FLAGS_AE 0x3
#define MESH_FLAGS_PS_DEEP 0x4
+/* HWMP IE processing macros */
+#define AE_F (1<<6)
+
/**
* enum ieee80211_preq_flags - mesh PREQ element flags
*
@@ -227,4 +255,18 @@ enum ieee80211_root_mode_identifier {
IEEE80211_PROACTIVE_RANN = 4,
};
+static inline bool ieee80211_mesh_preq_prep_ae_enabled(const u8 *ie)
+{
+ return ie[0] & AE_F;
+}
+
+static inline struct ieee80211_mesh_hwmp_preq_bottom *
+ieee80211_mesh_hwmp_preq_get_bottom(const u8 *ie)
+{
+ struct ieee80211_mesh_hwmp_preq_top *top = (void *)ie;
+
+ return (void *)&top->variable[
+ ieee80211_mesh_preq_prep_ae_enabled(ie) ? ETH_ALEN : 0];
+}
+
#endif /* LINUX_IEEE80211_MESH_H */
diff --git a/net/mac80211/mesh_hwmp.c b/net/mac80211/mesh_hwmp.c
index 9d89ebcce1c1..1a6a22b185d9 100644
--- a/net/mac80211/mesh_hwmp.c
+++ b/net/mac80211/mesh_hwmp.c
@@ -35,24 +35,11 @@ static inline u16 u16_field_get(const u8 *preq_elem, int offset, bool ae)
}
/* HWMP IE processing macros */
-#define AE_F (1<<6)
#define AE_F_SET(x) (*x & AE_F)
-#define PREQ_IE_FLAGS(x) (*(x))
-#define PREQ_IE_HOPCOUNT(x) (*(x + 1))
-#define PREQ_IE_TTL(x) (*(x + 2))
-#define PREQ_IE_PREQ_ID(x) u32_field_get(x, 3, 0)
-#define PREQ_IE_ORIG_ADDR(x) (x + 7)
-#define PREQ_IE_ORIG_SN(x) u32_field_get(x, 13, 0)
-#define PREQ_IE_LIFETIME(x) u32_field_get(x, 17, AE_F_SET(x))
-#define PREQ_IE_METRIC(x) u32_field_get(x, 21, AE_F_SET(x))
-#define PREQ_IE_TARGET_F(x) (*(AE_F_SET(x) ? x + 32 : x + 26))
-#define PREQ_IE_TARGET_ADDR(x) (AE_F_SET(x) ? x + 33 : x + 27)
-#define PREQ_IE_TARGET_SN(x) u32_field_get(x, 33, AE_F_SET(x))
-
-
-#define PREP_IE_FLAGS(x) PREQ_IE_FLAGS(x)
-#define PREP_IE_HOPCOUNT(x) PREQ_IE_HOPCOUNT(x)
-#define PREP_IE_TTL(x) PREQ_IE_TTL(x)
+
+#define PREP_IE_FLAGS(x) (*(x))
+#define PREP_IE_HOPCOUNT(x) (*(x + 1))
+#define PREP_IE_TTL(x) (*(x + 2))
#define PREP_IE_ORIG_ADDR(x) (AE_F_SET(x) ? x + 27 : x + 21)
#define PREP_IE_ORIG_SN(x) u32_field_get(x, 27, AE_F_SET(x))
#define PREP_IE_LIFETIME(x) u32_field_get(x, 13, AE_F_SET(x))
@@ -415,11 +402,16 @@ static u32 hwmp_route_info_get(struct ieee80211_sub_if_data *sdata,
switch (action) {
case MPATH_PREQ:
- orig_addr = PREQ_IE_ORIG_ADDR(hwmp_ie);
- orig_sn = PREQ_IE_ORIG_SN(hwmp_ie);
- orig_lifetime = PREQ_IE_LIFETIME(hwmp_ie);
- orig_metric = PREQ_IE_METRIC(hwmp_ie);
- hopcount = PREQ_IE_HOPCOUNT(hwmp_ie) + 1;
+ struct ieee80211_mesh_hwmp_preq_top *preq_elem_top =
+ (void *)hwmp_ie;
+ struct ieee80211_mesh_hwmp_preq_bottom *preq_elem_bottom =
+ ieee80211_mesh_hwmp_preq_get_bottom(hwmp_ie);
+
+ orig_addr = preq_elem_top->orig_addr;
+ orig_sn = le32_to_cpu(preq_elem_top->orig_sn);
+ orig_lifetime = le32_to_cpu(preq_elem_bottom->lifetime);
+ orig_metric = le32_to_cpu(preq_elem_bottom->metric);
+ hopcount = preq_elem_top->hopcount + 1;
break;
case MPATH_PREP:
/* Originator here refers to the MP that was the target in the
@@ -579,6 +571,11 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
const u8 *preq_elem, u32 orig_metric)
{
struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+ struct ieee80211_mesh_hwmp_preq_top *preq_elem_top = (void *)preq_elem;
+ struct ieee80211_mesh_hwmp_preq_bottom *preq_elem_bottom =
+ ieee80211_mesh_hwmp_preq_get_bottom(preq_elem);
+ struct ieee80211_mesh_hwmp_preq_target *target =
+ preq_elem_bottom->targets;
struct mesh_path *mpath = NULL;
const u8 *target_addr, *orig_addr;
const u8 *da;
@@ -589,13 +586,13 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
bool root_is_gate;
/* Update target SN, if present */
- target_addr = PREQ_IE_TARGET_ADDR(preq_elem);
- orig_addr = PREQ_IE_ORIG_ADDR(preq_elem);
- target_sn = PREQ_IE_TARGET_SN(preq_elem);
- orig_sn = PREQ_IE_ORIG_SN(preq_elem);
- target_flags = PREQ_IE_TARGET_F(preq_elem);
+ target_addr = target[0].addr;
+ orig_addr = preq_elem_top->orig_addr;
+ target_sn = le32_to_cpu(target[0].sn);
+ orig_sn = le32_to_cpu(preq_elem_top->orig_sn);
+ target_flags = target[0].flags;
/* Proactive PREQ gate announcements */
- flags = PREQ_IE_FLAGS(preq_elem);
+ flags = preq_elem_top->flags;
root_is_gate = !!(flags & RANN_FLAG_IS_GATE);
mhwmp_dbg(sdata, "received PREQ from %pM\n", orig_addr);
@@ -655,7 +652,7 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
}
if (reply) {
- lifetime = PREQ_IE_LIFETIME(preq_elem);
+ lifetime = le32_to_cpu(preq_elem_bottom->lifetime);
ttl = ifmsh->mshcfg.element_ttl;
if (ttl != 0) {
mhwmp_dbg(sdata, "replying to the PREQ\n");
@@ -673,22 +670,22 @@ static void hwmp_preq_frame_process(struct ieee80211_sub_if_data *sdata,
u32 preq_id;
u8 hopcount;
- ttl = PREQ_IE_TTL(preq_elem);
- lifetime = PREQ_IE_LIFETIME(preq_elem);
+ ttl = preq_elem_top->ttl;
+ lifetime = le32_to_cpu(preq_elem_bottom->lifetime);
if (ttl <= 1) {
ifmsh->mshstats.dropped_frames_ttl++;
return;
}
mhwmp_dbg(sdata, "forwarding the PREQ from %pM\n", orig_addr);
--ttl;
- preq_id = PREQ_IE_PREQ_ID(preq_elem);
- hopcount = PREQ_IE_HOPCOUNT(preq_elem) + 1;
+ preq_id = le32_to_cpu(preq_elem_top->preq_id);
+ hopcount = preq_elem_top->hopcount + 1;
da = (mpath && mpath->is_root) ?
mpath->rann_snd_addr : broadcast_addr;
if (flags & IEEE80211_PREQ_PROACTIVE_PREP_FLAG) {
- target_addr = PREQ_IE_TARGET_ADDR(preq_elem);
- target_sn = PREQ_IE_TARGET_SN(preq_elem);
+ target_addr = target[0].addr;
+ target_sn = le32_to_cpu(target[0].sn);
}
mesh_path_sel_frame_tx(MPATH_PREQ, flags, orig_addr,
--
2.43.0
^ permalink raw reply related
* Re: [PATCH v7 1/6] wifi: mac80211: Use struct instead of macro for PREQ frame
From: Masashi Honma @ 2026-05-21 22:58 UTC (permalink / raw)
To: Jeff Johnson; +Cc: linux-wireless, johannes
In-Reply-To: <87dfbe33-7705-4ee7-bdde-565d2dfc8287@oss.qualcomm.com>
Thank you, I fixed the issue.
2026年5月22日(金) 1:49 Jeff Johnson <jeff.johnson@oss.qualcomm.com>:
>
> On 5/21/2026 1:56 AM, Masashi Honma wrote:
> > In preparation for subsequent patches.
> >
> > Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
>
> I'm surprised Johannes hasn't pushed back on your sparse commit text.
>
> We have guidelines that you aren't following:
> https://www.kernel.org/doc/html/latest/process/submitting-patches.html#describe-your-changes
>
> Having commit text that fully describes what you are doing and why you are
> doing it makes it much easier for folks to understand and review your patches.
>
> /jeff
^ permalink raw reply
* Re: [GIT PULL] wireless-2026-05-21
From: Jakub Kicinski @ 2026-05-21 18:37 UTC (permalink / raw)
To: Johannes Berg; +Cc: netdev, linux-wireless
In-Reply-To: <20260521152903.374070-3-johannes@sipsolutions.net>
On Thu, 21 May 2026 17:28:37 +0200 Johannes Berg wrote:
> Sorry for the last minute thing ... if it makes it at all.
> I forgot during the day, and it's already more because we
> had a holiday last week.
>
> Please pull and let us know if there's any problem.
I'm also late today. I'm almost tempted to pretend I was waiting
for you ;)
^ permalink raw reply
* Re: [GIT PULL] wireless-2026-05-21
From: patchwork-bot+netdevbpf @ 2026-05-21 18:30 UTC (permalink / raw)
To: Johannes Berg; +Cc: netdev, linux-wireless
In-Reply-To: <20260521152903.374070-3-johannes@sipsolutions.net>
Hello:
This pull request was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Thu, 21 May 2026 17:28:37 +0200 you wrote:
> Hi,
>
> Sorry for the last minute thing ... if it makes it at all.
> I forgot during the day, and it's already more because we
> had a holiday last week.
>
> Please pull and let us know if there's any problem.
>
> [...]
Here is the summary with links:
- [GIT,PULL] wireless-2026-05-21
https://git.kernel.org/netdev/net/c/0e3c08f1b7b7
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply
* Re: [PATCH v7 1/6] wifi: mac80211: Use struct instead of macro for PREQ frame
From: Jeff Johnson @ 2026-05-21 16:49 UTC (permalink / raw)
To: Masashi Honma, linux-wireless; +Cc: johannes
In-Reply-To: <20260521085647.394151-1-masashi.honma@gmail.com>
On 5/21/2026 1:56 AM, Masashi Honma wrote:
> In preparation for subsequent patches.
>
> Signed-off-by: Masashi Honma <masashi.honma@gmail.com>
I'm surprised Johannes hasn't pushed back on your sparse commit text.
We have guidelines that you aren't following:
https://www.kernel.org/doc/html/latest/process/submitting-patches.html#describe-your-changes
Having commit text that fully describes what you are doing and why you are
doing it makes it much easier for folks to understand and review your patches.
/jeff
^ permalink raw reply
* Re: [PATCH v3] PCI: Disable broken FLR on MediaTek MT7925
From: Bjorn Helgaas @ 2026-05-21 16:19 UTC (permalink / raw)
To: Jose Ignacio Tornos Martinez
Cc: bhelgaas, alex, nbd, lorenzo, shayne.chen, sean.wang, linux-pci,
linux-wireless, linux-kernel, Ryder Lee
In-Reply-To: <20260521061205.12727-1-jtornosm@redhat.com>
[+cc Ryder]
On Thu, May 21, 2026 at 08:12:05AM +0200, Jose Ignacio Tornos Martinez wrote:
> The MediaTek MT7925 WiFi device (14c3:7925) advertises FLR capability
> but the implementation is broken - reset always fails, leaving the device
> in an undefined state.
>
> This manifests in VFIO passthrough scenarios: Normal VM operation works
> fine, including clean shutdown/reboot. However, when the VM terminates
> uncleanly (crash, force-off), VFIO attempts to reset the device before
> it can be assigned to another VM. Because FLR is broken, the reset fails
> and the device remains in an undefined state, preventing reuse.
How do we know the device is an "undefined state"? Does it just not
respond to config accesses? Is there something in dmesg that shows
the problem?
I suppose it's similar to 81f64e925c29 ("PCI: Avoid FLR for Mediatek
MT7922 WiFi")?
I guess I'm just looking for some text more specific than "undefined
state".
Can we get any of the MediaTek folks to comment on this:
https://sashiko.dev/#/patchset/20260508145153.717641-1-jtornosm@redhat.com?part=1
Sashiko suggested that Device ID 0x0717 might have the same FLR
problem.
> Disable FLR for this device so the PCI core falls back to working reset
> methods (PM reset or bus reset).
>
> This follows the existing pattern used for the MediaTek MT7922 WiFi
> (14c3:0616), which is the predecessor device and already uses this quirk.
>
> Signed-off-by: Jose Ignacio Tornos Martinez <jtornosm@redhat.com>
> ---
> v3: Resend with MediaTek wireless maintainers CC'd
> v2: https://lore.kernel.org/all/20260508145153.717641-1-jtornosm@redhat.com/
>
> drivers/pci/quirks.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c
> index 000000000000..111111111111 100644
> --- a/drivers/pci/quirks.c
> +++ b/drivers/pci/quirks.c
> @@ -5607,6 +5607,7 @@
> * Intel 82579LM Gigabit Ethernet Controller 0x1502
> * Intel 82579V Gigabit Ethernet Controller 0x1503
> * Mediatek MT7922 802.11ax PCI Express Wireless Network Adapter
> + * Mediatek MT7925 802.11be PCI Express Wireless Network Adapter
> */
> static void quirk_no_flr(struct pci_dev *dev)
> {
> @@ -5617,6 +5618,7 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_AMD, 0x7901, quirk_no_flr);
> DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x1502, quirk_no_flr);
> DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_INTEL, 0x1503, quirk_no_flr);
> DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_MEDIATEK, 0x0616, quirk_no_flr);
> +DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_MEDIATEK, 0x7925, quirk_no_flr);
>
> /* FLR may cause the SolidRun SNET DPU (rev 0x1) to hang */
> static void quirk_no_flr_snet(struct pci_dev *dev)
> --
> 2.53.0
>
^ permalink raw reply
* [GIT PULL] wireless-next-2026-05-21
From: Johannes Berg @ 2026-05-21 15:34 UTC (permalink / raw)
To: netdev; +Cc: linux-wireless
Hi,
OK this one's pretty sparse, but I'll send it anyway so we
can sync up with wireless content etc. later. I guess I'll
get more driver pull requests for -next as we get to later
RCs.
Please pull and let us know if there's any problem.
Thanks,
johannes
The following changes since commit 878492af7d503f4b093ea903173500be00e9cbe7:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2026-05-14 10:08:06 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git tags/wireless-next-2026-05-21
for you to fetch changes up to 1d174fec87850e1005db9b106f84bbbb19cb59b9:
ARM: dts: omap2: add stlc4560 spi-wireless node (2026-05-20 12:05:04 +0200)
----------------------------------------------------------------
Not much going on here right now:
- mac80211/hwsim:
- some NAN related things
- MCS/NSS rate issues with S1G
- p54: port SPI version to device-tree
- (a few other random things)
----------------------------------------------------------------
Arnd Bergmann (3):
dt-bindings: net: add st,stlc4560/p54spi binding
p54spi: convert to devicetree
ARM: dts: omap2: add stlc4560 spi-wireless node
Daniel Gabay (1):
wifi: mac80211: allow cipher change on NAN_DATA interfaces
Deepanshu Kartikey (1):
wifi: mac80211_hwsim: reject NAN on multi-radio wiphys
Ilan Peer (2):
wifi: mac80211: Allow per station GTK for NAN Data interfaces
wifi: mac80211_hwsim: Do not declare NAN support for Extended Key ID
Johannes Berg (3):
wifi: mac80211: check stations are removed before MLD change
wifi: mac80211_hwsim: advertise NPCA capability
wifi: cfg80211: add a function to parse UHR DBE
Lachlan Hodges (2):
wifi: mac80211: skip NSS and BW init for S1G sta
wifi: mac80211: don't recalc min def for S1G chan ctx
Miri Korenblit (1):
wifi: mac80211: don't call ieee80211_handle_reconfig_failure when not needed
Rosen Penev (2):
wifi: rt2x00: allocate anchor with rt2x00dev
wifi: plfxlc: use module_usb_driver() macro
.../bindings/net/wireless/st,stlc4560.yaml | 61 +++++++
MAINTAINERS | 1 +
arch/arm/boot/dts/ti/omap/omap2.dtsi | 4 +
.../arm/boot/dts/ti/omap/omap2420-n8x0-common.dtsi | 12 ++
arch/arm/mach-omap2/board-n8x0.c | 18 --
drivers/net/wireless/intersil/p54/p54spi.c | 67 +++----
drivers/net/wireless/intersil/p54/p54spi.h | 3 +
drivers/net/wireless/purelifi/plfxlc/usb.c | 25 +--
drivers/net/wireless/ralink/rt2x00/rt2x00.h | 3 +-
drivers/net/wireless/ralink/rt2x00/rt2x00usb.c | 11 +-
drivers/net/wireless/virtual/mac80211_hwsim_main.c | 31 +++-
include/net/cfg80211.h | 10 ++
net/mac80211/chan.c | 10 +-
net/mac80211/key.c | 22 ++-
net/mac80211/link.c | 5 +-
net/mac80211/sta_info.c | 17 ++
net/mac80211/util.c | 6 +-
net/wireless/chan.c | 130 ++++++++++++++
net/wireless/tests/chan.c | 192 ++++++++++++++++++++-
19 files changed, 508 insertions(+), 120 deletions(-)
create mode 100644 Documentation/devicetree/bindings/net/wireless/st,stlc4560.yaml
^ permalink raw reply
* [GIT PULL] wireless-2026-05-21
From: Johannes Berg @ 2026-05-21 15:28 UTC (permalink / raw)
To: netdev; +Cc: linux-wireless
Hi,
Sorry for the last minute thing ... if it makes it at all.
I forgot during the day, and it's already more because we
had a holiday last week.
Please pull and let us know if there's any problem.
Thanks,
johannes
The following changes since commit fcee7d82f27d6a8b1ddc5bbefda59b4e441e9bc0:
Merge tag 'net-7.1-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net (2026-05-07 10:32:03 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git tags/wireless-2026-05-21
for you to fetch changes up to dc14686f27df6454b13b16ad1c9203ab3e9b0375:
wifi: cfg80211: wext: validate chandef in monitor mode (2026-05-20 11:44:19 +0200)
----------------------------------------------------------------
Quite a few more updates:
- cfg80211/mac80211:
- various security(-ish) fixes
- fix A-MSDU subframe handling
- fix multi-link element parsing
- ath10: avoid sending commands to dead device
- ath11k:
- fix WMI buffer leaks on error conditions
- fix UAF in RX MSDU coalesce path
- allow peer ID 0 on RX path (legal for mobile devices)
- reinitialize shared SRNG pointers on restart
- ath12k:
- fix 20 MHz-only parsing of EHT-MCS map
- iwlwifi:
- fix TSO segmentation explosion
- don't TX to dead device
- fix warning in WoWLAN
- fix TX rates on old devices
- disconnect on beacon loss only if also no other traffic
- fill NULL-ptr deref
- fix STEP_URM hardware access
----------------------------------------------------------------
Alexandru Hossu (1):
wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs
Baochen Qiang (1):
wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing
Cole Leavitt (1):
wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is disabled
Emmanuel Grumbach (2):
wifi: iwlwifi: mld: disconnect only after 6 beacons without Rx
wifi: mac80211: don't override max_amsdu_subframes
Johannes Berg (6):
wifi: iwlwifi: mvm: fix driver-set TX rates on old devices
wifi: iwlwifi: mld: don't WARN on WoWLAN suspend w/o BSS vif
wifi: mac80211: fix MLE defragmentation
wifi: mac80211: fix multi-link element inheritance
Merge tag 'iwlwifi-fixes-2026-05-16' of https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next
Merge tag 'ath-current-20260519' of git://git.kernel.org/pub/scm/linux/kernel/git/ath/ath
John Walker (1):
wifi: cfg80211: advance loop vars in cfg80211_merge_profile()
Kang Yang (1):
wifi: ath10k: skip WMI and beacon transmission when device is wedged
Kartik Nair (1):
wifi: cfg80211: wext: validate chandef in monitor mode
Kyle Farnung (1):
wifi: ath11k: clear shared SRNG pointer state on restart
Matthew Leach (1):
wifi: ath11k: fix peer resolution on rx path when peer_id=0
Michael Bommarito (1):
wifi: mac80211: consume only present negotiated TTLM maps
Miri Korenblit (1):
wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it
Moriya Itzchaki (1):
wifi: iwlwifi: use correct function to read STEP_URM register
Nicolas Escande (3):
wifi: ath11k: fix error path leaks in some WMI WOW calls
wifi: ath11k: fix error path leaks in some WMI calls
wifi: ath11k: fix error path leak in ath11k_tm_cmd_wmi_ftm()
Sheroz Juraev (1):
wifi: iwlwifi: mld: stop TX during firmware restart
Shitalkumar Gandhi (1):
wifi: wilc1000: fix dma_buffer leak on bus acquire failure
Willmar Knikker (1):
wifi: ath11k: fix use after free in ath11k_dp_rx_msdu_coalesce()
Zhao Li (1):
wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb
drivers/net/wireless/ath/ath10k/wmi.c | 17 ++-
drivers/net/wireless/ath/ath11k/dp_rx.c | 9 +-
drivers/net/wireless/ath/ath11k/hal.c | 14 ++-
drivers/net/wireless/ath/ath11k/hal_rx.c | 5 +-
drivers/net/wireless/ath/ath11k/testmode.c | 1 +
drivers/net/wireless/ath/ath11k/wmi.c | 131 ++++++++++++++++++---
drivers/net/wireless/ath/ath12k/mac.c | 8 +-
drivers/net/wireless/intel/iwlwifi/mld/constants.h | 4 +-
drivers/net/wireless/intel/iwlwifi/mld/d3.c | 6 +-
drivers/net/wireless/intel/iwlwifi/mld/link.c | 13 +-
drivers/net/wireless/intel/iwlwifi/mld/tx.c | 15 ++-
drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c | 27 +++--
drivers/net/wireless/intel/iwlwifi/mvm/utils.c | 14 +--
.../intel/iwlwifi/pcie/gen1_2/trans-gen2.c | 6 +-
drivers/net/wireless/microchip/wilc1000/wlan.c | 2 +-
net/mac80211/cfg.c | 5 +-
net/mac80211/mlme.c | 5 +-
net/mac80211/parse.c | 107 ++++++++++-------
net/mac80211/rx.c | 6 +-
net/wireless/scan.c | 3 +
net/wireless/wext-compat.c | 2 +
21 files changed, 276 insertions(+), 124 deletions(-)
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox