* [PATCH v2 1/2] wifi: mac80211: validate extension-frame layout before RX
From: Zhao Li @ 2026-06-11 16:19 UTC (permalink / raw)
To: Johannes Berg
Cc: Thomas Pedersen, linux-wireless, linux-kernel, Zhao Li, stable
In-Reply-To: <20260611161943.91069-4-enderaoelyther@gmail.com>
Extension frames only have the extension header at the regular 802.11
header offset. The generic RX path can still reach helpers and interface
dispatch code that read regular header address fields before unsupported
extension subtypes are dropped.
mac80211 currently only handles S1G beacon extension frames. Drop other
extension subtypes before they can reach regular-header RX processing.
For S1G beacons, linearize the SKB with the management-frame path and
require the fixed S1G beacon header, including optional fixed fields
indicated by frame control, before generic RX dispatch.
Route S1G beacons through the station/default-link RX path without
regular-header station lookup. Avoid regular-header address reads in the
mac80211 RX paths that process S1G extension beacons, including
accept-frame, duplicate-detection, address-copy, and MLO
address-translation paths.
Also make ieee80211_get_bssid() length-safe before returning the S1G
source-address pointer.
Fixes: 09a740ce352e ("mac80211: receive and process S1G beacons")
Cc: stable@vger.kernel.org
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
---
net/mac80211/rx.c | 34 ++++++++++++++++++++++++++++++++--
net/mac80211/util.c | 3 +++
2 files changed, 35 insertions(+), 2 deletions(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 3fb40449c6c5c..3ddde3e808364 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1526,6 +1526,9 @@ ieee80211_rx_h_check_dup(struct ieee80211_rx_data *rx)
if (status->flag & RX_FLAG_DUP_VALIDATED)
return RX_CONTINUE;
+ if (ieee80211_is_ext(hdr->frame_control))
+ return RX_CONTINUE;
+
/*
* Drop duplicate 802.11 retransmissions
* (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery")
@@ -4487,12 +4490,16 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
struct ieee80211_hdr *hdr = (void *)skb->data;
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
- bool multicast = is_multicast_ether_addr(hdr->addr1) ||
- ieee80211_is_s1g_beacon(hdr->frame_control);
+ bool multicast;
static const u8 nan_network_id[ETH_ALEN] __aligned(2) = {
0x51, 0x6F, 0x9A, 0x01, 0x00, 0x00
};
+ if (ieee80211_is_s1g_beacon(hdr->frame_control))
+ return sdata->vif.type == NL80211_IFTYPE_STATION && bssid;
+
+ multicast = is_multicast_ether_addr(hdr->addr1);
+
switch (sdata->vif.type) {
case NL80211_IFTYPE_STATION:
if (!bssid && !sdata->u.mgd.use_4addr)
@@ -5174,6 +5181,11 @@ static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
hdr = (struct ieee80211_hdr *)rx->skb->data;
}
+ if (ieee80211_is_s1g_beacon(hdr->frame_control)) {
+ ieee80211_invoke_rx_handlers(rx);
+ return true;
+ }
+
/* Store a copy of the pre-translated link addresses for SW crypto */
if (unlikely(is_unicast_ether_addr(hdr->addr1) &&
!ieee80211_is_data(hdr->frame_control)))
@@ -5263,6 +5275,13 @@ static bool ieee80211_rx_for_interface(struct ieee80211_rx_data *rx,
struct sta_info *sta;
int link_id = -1;
+ if (ieee80211_is_s1g_beacon(hdr->frame_control)) {
+ if (!ieee80211_rx_data_set_sta(rx, NULL, -1))
+ return false;
+
+ return ieee80211_prepare_and_rx_handle(rx, skb, consume);
+ }
+
/*
* Look up link station first, in case there's a
* chance that they might have a link address that
@@ -5338,6 +5357,17 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
err = -ENOBUFS;
else
err = skb_linearize(skb);
+ } else if (ieee80211_is_s1g_beacon(fc)) {
+ size_t s1g_hdr_len = offsetof(struct ieee80211_ext,
+ u.s1g_beacon.variable) +
+ ieee80211_s1g_optional_len(fc);
+
+ if (skb->len < s1g_hdr_len)
+ err = -ENOBUFS;
+ else
+ err = skb_linearize(skb);
+ } else if (ieee80211_is_ext(fc)) {
+ err = -EINVAL;
} else {
err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
}
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 2529b01e2cd55..5bc719222a87d 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -73,6 +73,9 @@ u8 *ieee80211_get_bssid(struct ieee80211_hdr *hdr, size_t len,
if (ieee80211_is_s1g_beacon(fc)) {
struct ieee80211_ext *ext = (void *) hdr;
+ if (len < offsetofend(struct ieee80211_ext, u.s1g_beacon.sa))
+ return NULL;
+
return ext->u.s1g_beacon.sa;
}
--
2.50.1 (Apple Git-155)
^ permalink raw reply related
* [PATCH v2 0/2] wifi: handle S1G and extension-frame RX layout
From: Zhao Li @ 2026-06-11 16:19 UTC (permalink / raw)
To: Johannes Berg; +Cc: Thomas Pedersen, linux-wireless, linux-kernel, Zhao Li
In-Reply-To: <20260610162700.58722-1-enderaoelyther@gmail.com>
Hi,
v2 keeps the mac80211 RX fix focused on the extension-frame layout and
adds a small cfg80211 companion fix for S1G scan-result TSF handling.
The first patch changes the RX entry path to validate and linearize S1G
beacons before generic RX dispatch, route S1G beacons without regular
addr2 station lookup, and drop unsupported extension frames before they
can reach regular-header address handling.
The second patch keeps cfg80211's regular management-frame TSF read out
of the S1G path and derives the S1G BSS TSF from the S1G beacon timestamp
and the S1G Beacon Compatibility element.
For process clarity: I used AI-assisted tooling for data-flow tracing,
state-machine analysis, code review, security checks, side-effect review,
and patch drafting. I reviewed the result and take responsibility for the
submission.
Changes since v1:
- Linearize S1G beacon SKBs together with management frames instead of
using a later pskb_may_pull() check.
- Keep the management-frame and S1G beacon minimum-length checks tied to
their respective frame layouts.
- Route S1G beacons through the station/default-link RX path without
regular addr2 station lookup.
- Avoid repeated per-sink S1G guards in the address-copy and MLO
translation paths by invoking RX handlers directly for S1G beacons.
- Drop unsupported non-S1G extension frames before generic RX dispatch.
- Add the cfg80211 S1G TSF companion fix.
Zhao Li (2):
wifi: mac80211: validate extension-frame layout before RX
wifi: cfg80211: derive S1G beacon TSF from S1G fields
net/mac80211/rx.c | 34 ++++++++++++++++++++++++++++++++--
net/mac80211/util.c | 3 +++
net/wireless/scan.c | 5 +++--
3 files changed, 38 insertions(+), 4 deletions(-)
--
2.50.1 (Apple Git-155)
^ permalink raw reply
* [PATCH] wifi: libertas_tf: kill shared URB before resubmitting it
From: Runyu Xiao @ 2026-06-11 15:18 UTC (permalink / raw)
To: linux-wireless
Cc: libertas-dev, linville, luisca, linux-kernel, jianhao.xu,
runyu.xiao, stable
libertas_tf's usb_tx_block() reuses a shared send URB and immediately
does usb_fill_bulk_urb() plus usb_submit_urb() on it. Depending on the
caller, that shared carrier is either cardp->tx_urb or cardp->cmd_urb.
There is no patch-local usb_kill_urb() before reuse, and the file-local
completion path provides no busy flag, completion, or other ownership
handoff that would make active reuse safe.
A running system can reach this through if_usb_host_to_card() for normal
data or command traffic, if_usb_issue_boot_command() for firmware boot
commands, and if_usb_send_fw_pkt() for firmware download packets. Those
paths all feed back into the same helper, so a second submission can
refill and resubmit an URB while the previous transfer is still active.
The issue was found by our static analysis tool and manually audited on
Linux v6.18.21. It was further validated with a focused QEMU no-device KCSAN
harness, which reproduced active reuse of both shared carriers:
cardp->tx_urb through if_usb_host_to_card(), and cardp->cmd_urb through
if_usb_issue_boot_command() and if_usb_send_fw_pkt().
Call usb_kill_urb(urb) after selecting the shared target URB and before
refilling it, so both tx_urb and cmd_urb are quiesced before reuse.
Fixes: c305a19a0d0a ("libertas_tf: usb specific functions")
Cc: stable@vger.kernel.org
Signed-off-by: Runyu Xiao <runyu.xiao@seu.edu.cn>
---
drivers/net/wireless/marvell/libertas_tf/if_usb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/marvell/libertas_tf/if_usb.c b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
index 5662a244f82a..7542956d3c47 100644
--- a/drivers/net/wireless/marvell/libertas_tf/if_usb.c
+++ b/drivers/net/wireless/marvell/libertas_tf/if_usb.c
@@ -387,6 +387,8 @@ static int usb_tx_block(struct if_usb_card *cardp, uint8_t *payload,
else
urb = cardp->cmd_urb;
+ usb_kill_urb(urb);
+
usb_fill_bulk_urb(urb, cardp->udev,
usb_sndbulkpipe(cardp->udev,
cardp->ep_out),
--
2.34.1
^ permalink raw reply related
* Re: [PATCH] wifi: ath9k: hif_usb: don't dereference hif_dev after re-arming firmware request
From: Toke Høiland-Jørgensen @ 2026-06-11 14:29 UTC (permalink / raw)
To: xiaoblac
Cc: Oleksij Rempel, linux-wireless, linux-kernel, syzkaller-bugs,
Cheng Yongkang, syzbot+50122cbc2874b1eb25b0
In-Reply-To: <20260605153210.20471-1-1020691186@qq.com>
xiaoblac <teel4res@gmail.com> writes:
> From: Cheng Yongkang <teel4res@gmail.com>
>
> ath9k_hif_request_firmware() re-arms an asynchronous firmware load via
> request_firmware_nowait(), passing hif_dev as the completion context, and
> then still dereferences hif_dev:
>
> dev_info(&hif_dev->udev->dev, "ath9k_htc: Firmware %s requested\n",
> hif_dev->fw_name);
>
> The re-armed callback ath9k_hif_usb_firmware_cb() runs on the "events"
> workqueue and, when the firmware is missing, walks the retry chain into
> ath9k_hif_usb_firmware_fail() -> complete_all(&hif_dev->fw_done). That
> releases the wait_for_completion(&hif_dev->fw_done) in a concurrent
> ath9k_hif_usb_disconnect(), which then kfree()s hif_dev. The trailing
> dev_info() in the frame that re-armed the request can therefore read freed
> memory (hif_dev->udev, the first field of struct hif_device_usb):
>
> BUG: KASAN: slab-use-after-free in ath9k_hif_request_firmware
> Read of size 8 ... by task kworker/...
> ath9k_hif_request_firmware
> ath9k_hif_usb_firmware_cb drivers/net/wireless/ath/ath9k/hif_usb.c:1247
> request_firmware_work_func
> Allocated by ...:
> ath9k_hif_usb_probe drivers/net/wireless/ath/ath9k/hif_usb.c
> Freed by ...:
> ath9k_hif_usb_disconnect -> kfree drivers/net/wireless/ath/ath9k/hif_usb.c
>
> The fw_done barrier only makes disconnect wait for the firmware chain to
> *terminate*; it does not protect the outer ath9k_hif_request_firmware()
> frame that re-armed the request and keeps touching hif_dev afterwards.
>
> Drop the post-request dev_info(): it is the only use of hif_dev after the
> async request is armed, and it is purely informational (the dev_err() on the
> failure path runs only when request_firmware_nowait() did not arm a callback,
> so hif_dev is still alive there).
>
> This was first reported by syzbot as a single, non-reproduced crash that was
> later auto-obsoleted, and was independently rediscovered by the reFuzz fuzzer,
> which produced a C reproducer (USB-gadget connect/disconnect of an ath9k_htc
> device whose firmware download fails). The vulnerable code is unchanged and
> still present in v7.1-rc6, where the slab-use-after-free reproduces under KASAN
> once the (sub-microsecond) race window is widened.
>
> Fixes: e904cf6fe230 ("ath9k_htc: introduce support for different fw versions")
> Reported-by: syzbot+50122cbc2874b1eb25b0@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=50122cbc2874b1eb25b0
> Signed-off-by: Cheng Yongkang <teel4res@gmail.com>
Thank you for the fix!
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
^ permalink raw reply
* Re: rtw88: WiFi card is not offloaded properly when suspending the OS
From: Giovanni Santini @ 2026-06-11 13:11 UTC (permalink / raw)
To: Ping-Ke Shih, stable@vger.kernel.org,
linux-wireless@vger.kernel.org
Cc: Linux regressions mailing list
In-Reply-To: <efae0a4db2ab4b6193922b393d3dcdd6@realtek.com>
Hi Ping-Ke,
In short I should build the LTS kernel using the provided source with
all the module patches applied one by one, correct?
If so, should I also set the modprobe.d options plus disable IOMMU?
After I know this I can start testing.
Small update: the .35 LTS kernel has no issues for me, while 7.0.11 works.
I was able to get my laptop to sleep a few times, but at a certain point
the issue happened.
It is a bit hard to replicate the issue, so I will try my best.
On 2026-06-08 03:32, Ping-Ke Shih wrote:
> Giovanni Santini <giovannisantini93@yahoo.it> wrote:
>> Jun 02 17:25:33 archlinux-tug kernel: rtw88_8822ce 0000:03:00.0: failed
>> to send h2c command
>> Jun 02 17:25:33 archlinux-tug kernel: rtw88_8822ce 0000:03:00.0: failed
>> to send h2c command
>> Jun 02 17:25:33 archlinux-tug kernel: rtw88_8822ce 0000:03:00.0: failed
>> to send h2c command
>> Jun 02 17:25:33 archlinux-tug kernel: rtw88_8822ce 0000:03:00.0: failed
>> to send h2c command
>> Jun 02 17:25:36 archlinux-tug kernel: rtw88_8822ce 0000:03:00.0: failed
>> to poll offset=0x5 mask=0x2 value=0x0
>> Jun 02 17:25:36 archlinux-tug kernel: ------------[ cut here ]------------
>> Jun 02 17:25:36 archlinux-tug kernel: failed to read DBI register,
>> addr=0x0719
> Add these below to see if it can help.
>
> sudo nano /etc/modprobe.d/rtw88.conf
> options rtw88_core disable_lps_deep=y
> options rtw88_pci disable_aspm=y
>
> After cold reboot, check /sys/modules/rtw88_*/paramters/* to see if
> the modification takes effect.
>
>> I'm attaching the full boot log, if you need a fresh one I can provide it.
> Before "failed to poll ..." log, I also see
>
> Jun 02 17:25:02 archlinux-tug kernel: rtw88_8822ce 0000:03:00.0: AMD-Vi:
> Event logged [IO_PAGE_FAULT domain=0x000e address=0xae9668bc flags=0x0000]
>
> Please try to turn off IOMMU by editing /etc/default/grub
> GRUB_CMDLINE_LINUX_DEFAULT="quiet splash amd_iommu=off iommu=off"
>
> And then update-grub
>
>> I run ArchLinux with KDE Plasma, for networking I use NetworkManager and
>> wpa_supplicant.
>>
>> If you would like me to run tests with e.g. just iwd I can do so, just
>> let me know what setup you would like me to have.
>>
>> I do not have this issue with the LTS kernel 6.18.34. This affects 7.0
>> and 7.1.
>> I believe this issue was not present in < 7 kernels, but I cannot guarantee.
>> I can however downgrade to previous kernels to understand where the
>> issue was introduced.
> The commits between 6.18.34 ~ 7.0.10 are quite few, and I can't find the
> one that can affect the behavior. Please switch your kernel back to 6.18.34,
> and apply rtw88's patches added until 7.0.10.
>
> Since the last commit of 6.18 is fce6fee0817b8899e0ee38ab6b98f0d7e939ceed
>
> Please use below commands to get the (20) patches:
> drivers/net/wireless/realtek/rtw88$ git format-patch v7.0.10...fce6fee0817b8899e0ee38ab6b98f0d7e939ceed -- ./
>
> Then you can add them one by one to see which one is the cause.
>
> The git repository you need is:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
>
>
> Ping-Ke
>
>
--
Giovanni Santini
^ permalink raw reply
* [PATCH] [wireless-next] wifi: mac80211: allocate backup ieee80211_nan_sched_cfg off stack
From: Arnd Bergmann @ 2026-06-11 13:00 UTC (permalink / raw)
To: Johannes Berg, Miri Korenblit; +Cc: Arnd Bergmann, linux-wireless, linux-kernel
From: Arnd Bergmann <arnd@arndb.de>
The ieee80211_nan_sched_cfg structure is too large to keep on the
per thread stack:
net/mac80211/nan.c:251:5: error: stack frame size (1560) exceeds limit (1536) in 'ieee80211_nan_set_local_sched' [-Werror,-Wframe-larger-than]
251 | int ieee80211_nan_set_local_sched(struct ieee80211_sub_if_data *sdata,
Allocate this dynamically using kmalloc_obj() to reduce the stack
usage of this function to a manageable 344 bytes for the same
configuration.
Fixes: 589c06e8fdee ("wifi: mac80211: add NAN local schedule support")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
net/mac80211/nan.c | 35 +++++++++++++++++++----------------
1 file changed, 19 insertions(+), 16 deletions(-)
diff --git a/net/mac80211/nan.c b/net/mac80211/nan.c
index 1800bb96dd29..19e08661be43 100644
--- a/net/mac80211/nan.c
+++ b/net/mac80211/nan.c
@@ -253,9 +253,12 @@ int ieee80211_nan_set_local_sched(struct ieee80211_sub_if_data *sdata,
{
struct ieee80211_nan_channel *sched_idx_to_chan[IEEE80211_NAN_MAX_CHANNELS] = {};
struct ieee80211_nan_sched_cfg *sched_cfg = &sdata->vif.cfg.nan_sched;
- struct ieee80211_nan_sched_cfg backup_sched;
+ struct ieee80211_nan_sched_cfg *backup_sched __free(kfree) = kmalloc_obj(*backup_sched);
int ret;
+ if (!backup_sched)
+ return -ENOMEM;
+
if (sched->n_channels > IEEE80211_NAN_MAX_CHANNELS)
return -EOPNOTSUPP;
@@ -275,13 +278,13 @@ int ieee80211_nan_set_local_sched(struct ieee80211_sub_if_data *sdata,
bitmap_zero(sdata->u.nan.removed_channels, IEEE80211_NAN_MAX_CHANNELS);
- memcpy(backup_sched.schedule, sched_cfg->schedule,
- sizeof(backup_sched.schedule));
- memcpy(backup_sched.channels, sched_cfg->channels,
- sizeof(backup_sched.channels));
- memcpy(backup_sched.avail_blob, sched_cfg->avail_blob,
- sizeof(backup_sched.avail_blob));
- backup_sched.avail_blob_len = sched_cfg->avail_blob_len;
+ memcpy(backup_sched->schedule, sched_cfg->schedule,
+ sizeof(backup_sched->schedule));
+ memcpy(backup_sched->channels, sched_cfg->channels,
+ sizeof(backup_sched->channels));
+ memcpy(backup_sched->avail_blob, sched_cfg->avail_blob,
+ sizeof(backup_sched->avail_blob));
+ backup_sched->avail_blob_len = sched_cfg->avail_blob_len;
memcpy(sched_cfg->avail_blob, sched->nan_avail_blob,
sched->nan_avail_blob_len);
@@ -380,17 +383,17 @@ int ieee80211_nan_set_local_sched(struct ieee80211_sub_if_data *sdata,
if (!chan_def->chan)
continue;
- if (!cfg80211_chandef_identical(&backup_sched.channels[i].chanreq.oper,
+ if (!cfg80211_chandef_identical(&backup_sched->channels[i].chanreq.oper,
chan_def))
ieee80211_nan_remove_channel(sdata,
&sched_cfg->channels[i]);
}
/* Re-add all backed up channels */
- for (int i = 0; i < ARRAY_SIZE(backup_sched.channels); i++) {
+ for (int i = 0; i < ARRAY_SIZE(backup_sched->channels); i++) {
struct ieee80211_nan_channel *chan = &sched_cfg->channels[i];
- *chan = backup_sched.channels[i];
+ *chan = backup_sched->channels[i];
/*
* For deferred update, no channels were removed and the channel
@@ -421,11 +424,11 @@ int ieee80211_nan_set_local_sched(struct ieee80211_sub_if_data *sdata,
}
}
- memcpy(sched_cfg->schedule, backup_sched.schedule,
- sizeof(backup_sched.schedule));
- memcpy(sched_cfg->avail_blob, backup_sched.avail_blob,
- sizeof(backup_sched.avail_blob));
- sched_cfg->avail_blob_len = backup_sched.avail_blob_len;
+ memcpy(sched_cfg->schedule, backup_sched->schedule,
+ sizeof(backup_sched->schedule));
+ memcpy(sched_cfg->avail_blob, backup_sched->avail_blob,
+ sizeof(backup_sched->avail_blob));
+ sched_cfg->avail_blob_len = backup_sched->avail_blob_len;
sched_cfg->deferred = false;
bitmap_zero(sdata->u.nan.removed_channels, IEEE80211_NAN_MAX_CHANNELS);
--
2.39.5
^ permalink raw reply related
* [PATCH] wifi: mt76: fix airoha_npu dependency tracking
From: Arnd Bergmann @ 2026-06-11 12:58 UTC (permalink / raw)
To: Felix Fietkau, Lorenzo Bianconi, Ryder Lee, Matthias Brugger,
AngeloGioacchino Del Regno
Cc: Arnd Bergmann, Shayne Chen, Sean Wang, Rex Lu, linux-wireless,
linux-kernel, linux-arm-kernel, linux-mediatek
From: Arnd Bergmann <arnd@arndb.de>
There is a new build failure with MT7996E=m MT76_CORE=y and NET_AIROHA_NPU=m:
ld.lld: error: undefined symbol: airoha_npu_get
ld.lld: error: undefined symbol: airoha_npu_put
>>> referenced by npu.c
>>> drivers/net/wireless/mediatek/mt76/npu.o:(mt76_npu_init) in archive vmlinux.a
Fix this by reworking the dependency for the MT7996_NPU to only
allow enabling that when mt76_core can link against the npu driver.
To make sure this gets caught more easily in the future when additional
mt76 variants need the same dependency, also turn CONFIG_MT76_NPU into
a tristate symbol that has the same dependency.
Fixes: 7fb554b1b623 ("wifi: mt76: Introduce the NPU generic layer")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
---
drivers/net/wireless/mediatek/mt76/Kconfig | 4 ++--
drivers/net/wireless/mediatek/mt76/Makefile | 6 +++++-
drivers/net/wireless/mediatek/mt76/mt76.h | 2 +-
drivers/net/wireless/mediatek/mt76/mt7996/Kconfig | 2 +-
4 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/Kconfig b/drivers/net/wireless/mediatek/mt76/Kconfig
index 502303622a53..d941e67a222d 100644
--- a/drivers/net/wireless/mediatek/mt76/Kconfig
+++ b/drivers/net/wireless/mediatek/mt76/Kconfig
@@ -38,8 +38,8 @@ config MT792x_USB
select MT76_USB
config MT76_NPU
- bool
- depends on MT76_CORE
+ tristate
+ depends on NET_AIROHA_NPU=y || MT76=NET_AIROHA_NPU
source "drivers/net/wireless/mediatek/mt76/mt76x0/Kconfig"
source "drivers/net/wireless/mediatek/mt76/mt76x2/Kconfig"
diff --git a/drivers/net/wireless/mediatek/mt76/Makefile b/drivers/net/wireless/mediatek/mt76/Makefile
index 1d42adfe8030..cacdd2b13d05 100644
--- a/drivers/net/wireless/mediatek/mt76/Makefile
+++ b/drivers/net/wireless/mediatek/mt76/Makefile
@@ -12,7 +12,11 @@ mt76-y := \
mmio.o util.o trace.o dma.o mac80211.o debugfs.o eeprom.o \
tx.o agg-rx.o mcu.o wed.o scan.o channel.o
-mt76-$(CONFIG_MT76_NPU) += npu.o
+ifdef CONFIG_MT76_NPU
+# CONFIG_MT76_NPU is tristate to simplify dependency tracking,
+# but it behaves as a bool symbol here.
+mt76-y += npu.o
+endif
mt76-$(CONFIG_PCI) += pci.o
mt76-$(CONFIG_NL80211_TESTMODE) += testmode.o
diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
index 07955555f84d..60bd155cc7d5 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
@@ -1647,7 +1647,7 @@ int mt76_testmode_dump(struct ieee80211_hw *hw, struct sk_buff *skb,
int mt76_testmode_set_state(struct mt76_phy *phy, enum mt76_testmode_state state);
int mt76_testmode_alloc_skb(struct mt76_phy *phy, u32 len);
-#ifdef CONFIG_MT76_NPU
+#if IS_ENABLED(CONFIG_MT76_NPU)
void mt76_npu_check_ppe(struct mt76_dev *dev, struct sk_buff *skb,
u32 info);
int mt76_npu_dma_add_buf(struct mt76_phy *phy, struct mt76_queue *q,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/Kconfig b/drivers/net/wireless/mediatek/mt76/mt7996/Kconfig
index 5503d03bf62c..5742bce12fbb 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/Kconfig
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/Kconfig
@@ -16,6 +16,6 @@ config MT7996E
config MT7996_NPU
bool "MT7996 (PCIe) NPU support"
depends on MT7996E
- depends on NET_AIROHA_NPU=y || MT7996E=NET_AIROHA_NPU
+ depends on NET_AIROHA_NPU=y || MT76_CORE=NET_AIROHA_NPU
select MT76_NPU
default n
--
2.39.5
^ permalink raw reply related
* Re: [PATCH] wifi: ieee80211: validate MLE common info length
From: Johannes Berg @ 2026-06-11 12:14 UTC (permalink / raw)
To: Zhao Li; +Cc: linux-wireless, linux-kernel, stable
In-Reply-To: <20260610154303.37079-1-enderaoelyther@gmail.com>
On Wed, 2026-06-10 at 23:43 +0800, Zhao Li wrote:
> ieee80211_mle_size_ok() verifies that the advertised common information
> length is large enough for the fixed fields that are present, but it does
> not verify that the length also fits in the containing element.
>
> Reconfiguration and Priority Access MLEs also carry a common information
> length octet, but currently skip the common-length check. Reconfiguration
> additionally fails to include the length octet in the minimum common size.
>
> Validate the common information length for Reconfiguration and Priority
> Access MLEs, account for the Reconfiguration length octet, and reject
> common lengths that exceed the element body.
>
> Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element")
> Cc: stable@vger.kernel.org
> Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
> ---
> include/linux/ieee80211-eht.h | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/include/linux/ieee80211-eht.h b/include/linux/ieee80211-eht.h
> index a97b1d01f3acf..d875045abf6cc 100644
> --- a/include/linux/ieee80211-eht.h
> +++ b/include/linux/ieee80211-eht.h
> @@ -878,6 +878,8 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
> check_common_len = true;
> break;
> case IEEE80211_ML_CONTROL_TYPE_RECONF:
> + common += 1;
> + check_common_len = true;
> if (control & IEEE80211_MLC_RECONF_PRES_MLD_MAC_ADDR)
> common += ETH_ALEN;
> if (control & IEEE80211_MLC_RECONF_PRES_EML_CAPA)
> @@ -893,6 +895,7 @@ static inline bool ieee80211_mle_size_ok(const u8 *data, size_t len)
> break;
> case IEEE80211_ML_CONTROL_TYPE_PRIO_ACCESS:
> common = ETH_ALEN + 1;
> + check_common_len = true;
> break;
You just made check_common_len redundant, it's now always true.
I originally introduced it because variable[0] wasn't always common_len,
but that actually got fixed in later drafts, and we should've adjusted
that when we added +1 to all of these, e.g. commit 19aa842dcbb58.
We should probably more comprehensively change the whole thing so that
common_info_len is a separate u8 rather than variable[0], but that's
going to be much harder to do.
A smaller but probably better change would be to use the sub-structs
here that are defined, e.g. struct ieee80211_mle_preq_common_info,
struct ieee80211_mle_tdls_common_info and struct
ieee80211_mle_basic_common_info. But the layout is a bit stupid even
that way, dunno.
johannes
^ permalink raw reply
* Re: [PATCH 7/7] arm64: dts: qcom: sm8350-hdk: describe WiFi/BT chip
From: Konrad Dybcio @ 2026-06-11 12:09 UTC (permalink / raw)
To: Dmitry Baryshkov, Manivannan Sadhasivam, Lorenzo Pieralisi,
Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas, Qiang Yu,
Jeff Johnson, Liam Girdwood, Mark Brown, Krzysztof Kozlowski,
Conor Dooley, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
Bjorn Andersson, Konrad Dybcio
Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-7-242917d88031@oss.qualcomm.com>
On 6/1/26 11:46 AM, Dmitry Baryshkov wrote:
> The SM8350 HDK has onboard WiFi/BT chip, WCN6851. It is an earlier
> version of well-known WCN6855 WiFI/BT SoC. Describe the PMU, BT and WiFI
> parts of the device.
[...]
> + wcn6855-pmu {
> + compatible = "qcom,wcn6851-pmu", "qcom,wcn6855-pmu";
> +
> + pinctrl-0 = <&bt_en>, <&wlan_en>, <&swctrl>;
> + pinctrl-names = "default";
> +
> + wlan-enable-gpios = <&tlmm 64 GPIO_ACTIVE_HIGH>;
> + bt-enable-gpios = <&tlmm 65 GPIO_ACTIVE_HIGH>;
> + swctrl-gpios = <&tlmm 153 GPIO_ACTIVE_HIGH>;
> +
> + vddio-supply = <&vreg_s10b_1p8>;
> + vddaon-supply = <&vreg_s11b_0p95>;
> + vddpmu-supply = <&vreg_s11b_0p95>;
> + vddpmumx-supply = <&vreg_s2e_0p85>;
> + vddpmucx-supply = <&vreg_s11b_0p95>;
> + vddrfa0p95-supply = <&vreg_s11b_0p95>;
> + vddrfa1p3-supply = <&vreg_s12b_1p25>;
> + vddrfa1p9-supply = <&vreg_s1c_1p86>;
> + vddpcie1p3-supply = <&vreg_s12b_1p25>;
> + vddpcie1p9-supply = <&vreg_s1c_1p86>;
[...]
> @@ -373,6 +437,13 @@ vreg_l7e_2p8: ldo7 {
> regulator-name = "vreg_l7e_2p8";
> regulator-min-microvolt = <2800000>;
> regulator-max-microvolt = <2800000>;
> +
> + /*
> + * This is used by the RF front-end for which there is
> + * no way to represent it in DT (yet?).
> + */
> + regulator-boot-on;
> + regulator-always-on;
msm-5.4 maps this to bt-vdd-asd-supply (asd being a keyboard smash,
perhaps?) - what is its actual use?
Konrad
^ permalink raw reply
* Re: [PATCH 5/7] arm64: dts: qcom: sm8350: expand UART18 to 4 pins config
From: Konrad Dybcio @ 2026-06-11 12:04 UTC (permalink / raw)
To: Dmitry Baryshkov, Manivannan Sadhasivam, Lorenzo Pieralisi,
Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas, Qiang Yu,
Jeff Johnson, Liam Girdwood, Mark Brown, Krzysztof Kozlowski,
Conor Dooley, Bartosz Golaszewski, Marcel Holtmann,
Luiz Augusto von Dentz, Balakrishna Godavarthi, Rocky Liao,
Bjorn Andersson, Konrad Dybcio
Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-5-242917d88031@oss.qualcomm.com>
On 6/1/26 11:46 AM, Dmitry Baryshkov wrote:
> On SM8350 platforms the primary use of UART18 is a 4-pin UART (targeting
> Bluetooth or other similar applications). Add all 4 pins to the default
> pinctrl entry for the UART.
>
> Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
> ---
Reviewed-by: Konrad Dybcio <konrad.dybcio@oss.qualcomm.com>
Konrad
^ permalink raw reply
* Re: [PATCH] wifi: mac80211: validate S1G beacon length before RX
From: Johannes Berg @ 2026-06-11 12:03 UTC (permalink / raw)
To: Zhao Li; +Cc: Thomas Pedersen, linux-wireless, linux-kernel, stable
In-Reply-To: <20260610162700.58722-1-enderaoelyther@gmail.com>
On Thu, 2026-06-11 at 00:27 +0800, Zhao Li wrote:
> S1G beacons are extension frames, so ieee80211_hdrlen() only guarantees
> the extension header before the generic RX path starts dispatching the
> frame.
>
> The RX path can then reach helpers and interface handling code that read
> regular 802.11 header address fields, which are not present at those
> offsets in an S1G beacon.
>
> Pull the complete S1G beacon fixed header, including optional fixed
> fields indicated by frame control, before generic RX dispatch.
>
> Also make ieee80211_get_bssid() length-safe for S1G beacons and avoid
> regular-header address reads for S1G frames in accept/interface/MLO
> address handling. Skip extension frames in duplicate detection for the
> same reason, since that path consumes the regular sequence-control field.
This is all true, but all of the below seems far too complicated a fix?
Also seems like you should probably disclose some LLM usage, unless
you're going to tell me you wrote all this code yourself?
> @@ -4487,12 +4490,17 @@ static bool ieee80211_accept_frame(struct ieee80211_rx_data *rx)
> struct ieee80211_hdr *hdr = (void *)skb->data;
> struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
> u8 *bssid = ieee80211_get_bssid(hdr, skb->len, sdata->vif.type);
> - bool multicast = is_multicast_ether_addr(hdr->addr1) ||
> - ieee80211_is_s1g_beacon(hdr->frame_control);
> + bool s1g = ieee80211_is_s1g_beacon(hdr->frame_control);
> + bool multicast;
> static const u8 nan_network_id[ETH_ALEN] __aligned(2) = {
> 0x51, 0x6F, 0x9A, 0x01, 0x00, 0x00
> };
>
> + if (s1g)
no need to introduce the 's1g' variable, and it sounds weird anyway
because s1g uses other frames too, not just beacons
> @@ -5175,11 +5183,13 @@ static bool ieee80211_prepare_and_rx_handle(struct ieee80211_rx_data *rx,
> }
>
> /* Store a copy of the pre-translated link addresses for SW crypto */
> - if (unlikely(is_unicast_ether_addr(hdr->addr1) &&
> + if (unlikely(!ieee80211_is_s1g_beacon(hdr->frame_control) &&
> + is_unicast_ether_addr(hdr->addr1) &&
> !ieee80211_is_data(hdr->frame_control)))
> memcpy(rx->link_addrs, &hdr->addrs, 3 * ETH_ALEN);
>
> if (unlikely(rx->sta && rx->sta->sta.mlo) &&
> + !ieee80211_is_s1g_beacon(hdr->frame_control) &&
> is_unicast_ether_addr(hdr->addr1) &&
> !ieee80211_is_probe_resp(hdr->frame_control) &&
> !ieee80211_is_beacon(hdr->frame_control)) {
This seems very ... specific, and doing the same thing twice also seems
odd. While not great, I'd probably advocate for a goto or just doing the
invoke() separately for s1g beacons.
> @@ -5260,23 +5270,30 @@ static bool ieee80211_rx_for_interface(struct ieee80211_rx_data *rx,
> {
> struct link_sta_info *link_sta;
> struct ieee80211_hdr *hdr = (void *)skb->data;
> + u8 *sta_addr = hdr->addr2;
> struct sta_info *sta;
> int link_id = -1;
>
> + if (ieee80211_is_s1g_beacon(hdr->frame_control)) {
> + sta_addr = ieee80211_get_bssid(hdr, skb->len, rx->sdata->vif.type);
> + if (!sta_addr)
> + return false;
> + }
That one seems even weirder - especially in the face of your *other*
changes that attempt to never access hdr-> without making sure it's
actually the right format ... you still create a pointer to addr2 here.
It's valid since you never use it, but it's also weird because it pretty
much looks like hdr->addr2 _is_ OK at the whole function level.
> +
> /*
> * Look up link station first, in case there's a
> * chance that they might have a link address that
> * is identical to the MLD address, that way we'll
> * have the link information if needed.
> */
> - link_sta = link_sta_info_get_bss(rx->sdata, hdr->addr2);
> + link_sta = link_sta_info_get_bss(rx->sdata, sta_addr);
Obviously, if things work today, we didn't really need the link_sta for
these frames, and that makes some sense since there's no MLO and it's
just ieee80211_rx_mgmt_beacon() basically. Probably better to just skip
this entirely and handle s1g beacons separately.
> if (link_sta) {
> sta = link_sta->sta;
> link_id = link_sta->link_id;
> } else {
> struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
>
> - sta = sta_info_get_bss(rx->sdata, hdr->addr2);
> + sta = sta_info_get_bss(rx->sdata, sta_addr);
> if (status->link_valid) {
> link_id = status->link_id;
> } else if (ieee80211_vif_is_mld(&rx->sdata->vif) &&
> @@ -5347,6 +5364,12 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
> return;
> }
>
> + if (ieee80211_is_s1g_beacon(fc) &&
> + !pskb_may_pull(skb, ieee80211_s1g_beacon_min_len(fc))) {
> + dev_kfree_skb(skb);
> + return;
> + }
I'm fairly certain this still leaves things (e.g.
ieee80211_rx_mgmt_beacon()) wrong if the driver ever reports an s1g
beacon as a frag skb.
I think much better to just treat this frame like mgmt frames and
linearize it earlier in the function along with mgmt frames etc. Still
need to check the length, but we could even do that there as well,
rather than this late.
johannes
^ permalink raw reply
* Re: [stable request] mt7921e: backport two mt76 fixes to 6.12.y
From: Ajrat Makhmutov @ 2026-06-11 10:38 UTC (permalink / raw)
To: Sasha Levin, stable
Cc: Felix Fietkau, Lorenzo Bianconi, Ryder Lee, Shayne Chen,
Sean Wang, linux-wireless
In-Reply-To: <20260610-stable-reply-0014@kernel.org>
Hi Sasha,
> I'm going to hold off on this one. The second commit, 5ed54896b6bd,
> introduces a reachable dev->mutex self-deadlock on STA-remove-while-ROC;
> the follow-up that cures it (d5059e52) isn't in any stable tree and was
> never marked for stable (it's only in linux-next so far).
Thanks, and good catch.
I'll resend the request for all three together as soon as it lands in
Linus' tree.
Note for whenever it does: when applied to 6.12.y, d5059e52 needs one
trivial
change - keep del_timer_sync() instead of timer_delete_sync(), as the timer
API rename is not present in 6.12.y.
Thanks,
Ajrat
^ permalink raw reply
* Re: [PATCH v12 10/22] wifi: nxpwifi: implement cfg80211 ops for STA and AP modes
From: Jeff Chen @ 2026-06-11 9:43 UTC (permalink / raw)
To: Rafael Beims
Cc: linux-wireless, linux-kernel, briannorris, johannes, francesco,
wyatt.hsu, s.hauer, ulf.hansson
In-Reply-To: <aimMeKc7yODvwNOT@burns.beims.me>
On Wed, Jun 10, 2026 at 01:10:32 PM -0300, Rafael Beims wrote:
> After a quick check, it seems that this patch contains the same
> problem being fixed here:
> https://lore.kernel.org/all/20260610150021.1018611-1-rafael@beims.me/
>
> Maybe it would be worth it to confirm and fix it before sending the pull request.
>
> Rafael
>
Hi Rafael,
Thanks for the analysis. I’ll incorporate this into nxpwifi as well.
Thanks,
Jeff
^ permalink raw reply
* Re:RE: [PATCH] wifi: rtw89: fw: correct rtw89_fw_h2c_default_cmac_tbl_be()
From: Wentao Guan @ 2026-06-11 9:11 UTC (permalink / raw)
To: Ping-Ke Shih (pkshih@realtek.com
Cc: linux-wireless@vger.kernel.org, linux-kernel,
dian_syuan0116 (dian_syuan0116@r, 占俊,
聂诚
In-Reply-To: <1017648a65ec4b139b76e2eb7583da26@realtek.com>
> Ping-Ke Shih <pkshih@realtek.com> wrote:
> > Sent: Thursday, June 11, 2026 5:06 PM
> > To: Wentao Guan <guanwentao@uniontech.com>
> > Cc: linux-wireless@vger.kernel.org; linux-kernel@vger.kernel.org; David Yang(楊典軒)
> > <dian_syuan0116@realtek.com>; zhanjun@uniontech.com; niecheng1@uniontech.com
> > Subject: RE: [PATCH] wifi: rtw89: fw: correct rtw89_fw_h2c_default_cmac_tbl_be()
> >
> > Wentao Guan <guanwentao@uniontech.com> wrote:
> > > BE_CCTL_INFO_W2_PRELOAD_ENABLE is for h2c->w2, not h2c->w1.
> > > These will cause h2c->w1 wrong overlap by w2 and w2 not initialized.
> >
> > Thanks for the catch.
> >
> > >
> > > Fixes: c73607b3a8ef ("wifi: rtw89: fw: add CMAC H2C command to initialize default value for RTL8922D")
> > > Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
> >
> > Acked-by: Ping-Ke Shih <pkshih@realtek.com>
> >
>
> To let subject clear, I'll change it to
> " wifi: rtw89: fw: correct preload field of w2 in rtw89_fw_h2c_default_cmac_tbl_be() "
OK, thanks for you review.
BRs
Wentao Guan
^ permalink raw reply
* RE: [PATCH] wifi: rtw89: fw: correct rtw89_fw_h2c_default_cmac_tbl_be()
From: Ping-Ke Shih @ 2026-06-11 9:08 UTC (permalink / raw)
To: Ping-Ke Shih, Wentao Guan
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
David Yang(楊典軒), zhanjun@uniontech.com,
niecheng1@uniontech.com
In-Reply-To: <60dbac65771f46ae85efb922dd9f319e@realtek.com>
Ping-Ke Shih <pkshih@realtek.com> wrote:
> Sent: Thursday, June 11, 2026 5:06 PM
> To: Wentao Guan <guanwentao@uniontech.com>
> Cc: linux-wireless@vger.kernel.org; linux-kernel@vger.kernel.org; David Yang(楊典軒)
> <dian_syuan0116@realtek.com>; zhanjun@uniontech.com; niecheng1@uniontech.com
> Subject: RE: [PATCH] wifi: rtw89: fw: correct rtw89_fw_h2c_default_cmac_tbl_be()
>
> Wentao Guan <guanwentao@uniontech.com> wrote:
> > BE_CCTL_INFO_W2_PRELOAD_ENABLE is for h2c->w2, not h2c->w1.
> > These will cause h2c->w1 wrong overlap by w2 and w2 not initialized.
>
> Thanks for the catch.
>
> >
> > Fixes: c73607b3a8ef ("wifi: rtw89: fw: add CMAC H2C command to initialize default value for RTL8922D")
> > Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
>
> Acked-by: Ping-Ke Shih <pkshih@realtek.com>
>
To let subject clear, I'll change it to
" wifi: rtw89: fw: correct preload field of w2 in rtw89_fw_h2c_default_cmac_tbl_be() "
^ permalink raw reply
* RE: [PATCH] wifi: rtw89: fw: correct rtw89_fw_h2c_default_cmac_tbl_be()
From: Ping-Ke Shih @ 2026-06-11 9:05 UTC (permalink / raw)
To: Wentao Guan
Cc: linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
David Yang(楊典軒), zhanjun@uniontech.com,
niecheng1@uniontech.com
In-Reply-To: <20260611082021.46650-1-guanwentao@uniontech.com>
Wentao Guan <guanwentao@uniontech.com> wrote:
> BE_CCTL_INFO_W2_PRELOAD_ENABLE is for h2c->w2, not h2c->w1.
> These will cause h2c->w1 wrong overlap by w2 and w2 not initialized.
Thanks for the catch.
>
> Fixes: c73607b3a8ef ("wifi: rtw89: fw: add CMAC H2C command to initialize default value for RTL8922D")
> Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
^ permalink raw reply
* Re: [PATCH] wifi: mwifiex: fix roaming to different channel in host_mlme mode
From: Francesco Dolcini @ 2026-06-11 8:53 UTC (permalink / raw)
To: Rafael Beims
Cc: Brian Norris, Francesco Dolcini, Rafael Beims, linux-wireless,
linux-kernel, Jeff Chen, stable
In-Reply-To: <20260610150021.1018611-1-rafael@beims.me>
On Wed, Jun 10, 2026 at 12:00:18PM -0300, Rafael Beims wrote:
> From: Rafael Beims <rafael.beims@toradex.com>
>
> When host MLME is enabled, mwifiex_cfg80211_authenticate() transmits the
> authentication frame on a remain-on-channel (ROC) reservation so that the
> frame is sent on the target BSS's channel. The ROC is only configured
> when priv->auth_flag is zero.
...
>
> Fixes: 36995892c271 ("wifi: mwifiex: add host mlme for client mode")
> Cc: stable@vger.kernel.org
> Assisted-by: Claude:claude-opus-4-7
> Signed-off-by: Rafael Beims <rafael.beims@toradex.com>
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
^ permalink raw reply
* [PATCH ath-next v2] wifi: ath12k: avoid setting 320MHZ support on non 6GHz band
From: Nicolas Escande @ 2026-06-11 8:44 UTC (permalink / raw)
To: ath12k; +Cc: linux-wireless
On a split phy qcn9274 (2.4GHz + 5GHz low), "iw phy" reports 320MHz
realated features on the 5GHz band while it should not:
Wiphy phy1
[...]
Band 2:
[...]
EHT Iftypes: managed
[...]
EHT PHY Capabilities: (0xe2ffdbe018778000):
320MHz in 6GHz Supported
[...]
Beamformee SS (320MHz): 7
[...]
Number Of Sounding Dimensions (320MHz): 3
[...]
EHT MCS/NSS: (0x22222222222222222200000000):
This is also reflected in the beacons sent by a mesh interface started on
that band. They erroneously advertise 320MHZ support too.
This should not happen as the spec at section 9.4.2.323.3 says we should
not set the 320MHz related fields when not operating on a 6GHz band.
For example it says about Bit 0 "Support For 320 MHz In 6 GHz"
"Reserved if the EHT Capabilities element is indicating capabilities for
the 2.4 GHz or 5 GHz bands."
Fix this by clearing the related bits when converting from WMI eht phy
capabilities to mac80211 phy capabilities, for bands other than 6GHz.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00218-QCAHKSWPL_SILICONZ-1
Signed-off-by: Nicolas Escande <nico.escande@gmail.com>
---
Changes from v1:
- rebased on ath-next
- clear all 6GHz / 320MHz related phy capabilities fields from the firmware
---
drivers/net/wireless/ath/ath12k/wmi.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index 84a31b953db8..a8a4654c4f34 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -5154,6 +5154,7 @@ static void ath12k_wmi_eht_caps_parse(struct ath12k_pdev *pdev, u32 band,
__le32 cap_info_internal)
{
struct ath12k_band_cap *cap_band = &pdev->cap.band[band];
+ u8 *phy_cap = (u8 *)&cap_band->eht_cap_phy_info[0];
u32 support_320mhz;
u8 i;
@@ -5167,8 +5168,22 @@ static void ath12k_wmi_eht_caps_parse(struct ath12k_pdev *pdev, u32 band,
for (i = 0; i < WMI_MAX_EHTCAP_PHY_SIZE; i++)
cap_band->eht_cap_phy_info[i] = le32_to_cpu(cap_phy_info[i]);
- if (band == NL80211_BAND_6GHZ)
+ if (band == NL80211_BAND_6GHZ) {
cap_band->eht_cap_phy_info[0] |= support_320mhz;
+ } else {
+ /*
+ * It seems the firmware can report capabilities specific to
+ * 6GHz also for 5GHz, so lets explicitely clear them out.
+ */
+ phy_cap[0] &= ~IEEE80211_EHT_PHY_CAP0_320MHZ_IN_6GHZ;
+ phy_cap[1] &= ~IEEE80211_EHT_PHY_CAP1_BEAMFORMEE_SS_320MHZ_MASK;
+ phy_cap[2] &= ~IEEE80211_EHT_PHY_CAP2_SOUNDING_DIM_320MHZ_MASK;
+ phy_cap[3] &= ~IEEE80211_EHT_PHY_CAP3_SOUNDING_DIM_320MHZ_MASK;
+ phy_cap[6] &= ~IEEE80211_EHT_PHY_CAP6_MCS15_SUPP_320MHZ;
+ phy_cap[6] &= ~IEEE80211_EHT_PHY_CAP6_EHT_DUP_6GHZ_SUPP;
+ phy_cap[7] &= ~IEEE80211_EHT_PHY_CAP7_NON_OFDMA_UL_MU_MIMO_320MHZ;
+ phy_cap[7] &= ~IEEE80211_EHT_PHY_CAP7_MU_BEAMFORMER_320MHZ; ;
+ }
cap_band->eht_mcs_20_only = le32_to_cpu(supp_mcs[0]);
cap_band->eht_mcs_80 = le32_to_cpu(supp_mcs[1]);
--
2.54.0
^ permalink raw reply related
* [PATCH] wifi: rtw89: fw: correct rtw89_fw_h2c_default_cmac_tbl_be()
From: Wentao Guan @ 2026-06-11 8:20 UTC (permalink / raw)
To: pkshih
Cc: linux-wireless, linux-kernel, dian_syuan0116, zhanjun, niecheng1,
Wentao Guan
BE_CCTL_INFO_W2_PRELOAD_ENABLE is for h2c->w2, not h2c->w1.
These will cause h2c->w1 wrong overlap by w2 and w2 not initialized.
Fixes: c73607b3a8ef ("wifi: rtw89: fw: add CMAC H2C command to initialize default value for RTL8922D")
Signed-off-by: Wentao Guan <guanwentao@uniontech.com>
---
drivers/net/wireless/realtek/rtw89/fw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
index 17704f054727a..af9bcdcef8fbb 100644
--- a/drivers/net/wireless/realtek/rtw89/fw.c
+++ b/drivers/net/wireless/realtek/rtw89/fw.c
@@ -3711,7 +3711,7 @@ int rtw89_fw_h2c_default_cmac_tbl_be(struct rtw89_dev *rtwdev,
le32_encode_bits(4, BE_CCTL_INFO_W1_RTS_RTY_LOWEST_RATE);
h2c->m1 = cpu_to_le32(BE_CCTL_INFO_W1_ALL);
- h2c->w1 = le32_encode_bits(preld, BE_CCTL_INFO_W2_PRELOAD_ENABLE);
+ h2c->w2 = le32_encode_bits(preld, BE_CCTL_INFO_W2_PRELOAD_ENABLE);
h2c->m2 = cpu_to_le32(BE_CCTL_INFO_W2_ALL);
h2c->m3 = cpu_to_le32(BE_CCTL_INFO_W3_ALL);
--
2.30.2
^ permalink raw reply related
* Re: [PATCH v8 2/3] PCI: Add device-specific reset for Qualcomm devices
From: Jose Ignacio Tornos Martinez @ 2026-06-11 7:29 UTC (permalink / raw)
To: alex
Cc: ath11k, ath12k, bhelgaas, jjohnson, jtornosm, linux-kernel,
linux-pci, linux-wireless, mani, mhi
In-Reply-To: <20260610131517.6d7bd63a@shazbot.org>
Hi Alex,
> This seems to suggest that the D3cold reset method is also untested...
> I'd suggest dropping the D3cold throughout, unless you can get someone
> to volunteer to test it. It seems like you really just want this quirk
> to do a D3hot regardless of NoSoftRst+ with a select set of devices
> where it appears to do more than nothing, where doing nothing is
> effectively what's left after the other reset methods are being quirked
> off for being worse than nothing. Thanks,
Agreed, I don't have access to hardware with _PR3 support to install the
Qualcomm devices - all my testing for these has been on platforms without
_PR3 (desktop M.2 adapters).
I'll drop the general d3cold infrastructure (patch 1/3) entirely and simplify
patch 2/3 to just a D3hot-only device-specific reset for the specific Qualcomm
devices where testing shows it works despite NoSoftRst+.
v9 coming soon.
Thanks,
Best regards
Jose Ignacio
^ permalink raw reply
* [PATCH wireless-next v5 4/4] wifi: mac80211_hwsim: report TX status link_id
From: Priyansha Tiwari @ 2026-06-11 6:22 UTC (permalink / raw)
To: johannes; +Cc: veerendranath.jakkam, linux-wireless, quic_drohan
In-Reply-To: <20260611062225.2144241-1-pritiwa@qti.qualcomm.com>
From: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
Populate link_valid/link_id in mac80211_hwsim TX status so the
transmitted link is reported to mac80211.
Set the link information in both the direct TX status path and the
wmediumd/netlink TX status path.
Signed-off-by: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
---
.../wireless/virtual/mac80211_hwsim_main.c | 43 +++++++++++++++++--
1 file changed, 40 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/virtual/mac80211_hwsim_main.c b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
index 0dd8a6c85953..61fd8d8ba1a0 100644
--- a/drivers/net/wireless/virtual/mac80211_hwsim_main.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim_main.c
@@ -2103,6 +2103,7 @@ static void mac80211_hwsim_tx(struct ieee80211_hw *hw,
bool ack, unicast_data;
enum nl80211_chan_width confbw = NL80211_CHAN_WIDTH_20_NOHT;
u32 _portid, i;
+ int tx_link_id = -1;
if (WARN_ON(skb->len < 10)) {
/* Should not happen; just a sanity check for addr1 use */
@@ -2160,6 +2161,9 @@ static void mac80211_hwsim_tx(struct ieee80211_hw *hw,
hdr, &link_sta);
}
+ if (bss_conf)
+ tx_link_id = bss_conf->link_id;
+
if (unlikely(!bss_conf)) {
/* if it's an MLO STA, it might have deactivated all
* links temporarily - but we don't handle real PS in
@@ -2271,6 +2275,12 @@ static void mac80211_hwsim_tx(struct ieee80211_hw *hw,
if (!(txi->flags & IEEE80211_TX_CTL_NO_ACK) && ack)
txi->flags |= IEEE80211_TX_STAT_ACK;
+
+ if (tx_link_id >= 0) {
+ txi->status.link_valid = 1;
+ txi->status.link_id = tx_link_id;
+ }
+
ieee80211_tx_status_irqsafe(hw, skb);
}
@@ -6092,6 +6102,7 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_CQM_RSSI_LIST);
wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_PUNCT);
+ wiphy_ext_feature_set(hw->wiphy, NL80211_EXT_FEATURE_PROBE_AP);
for (i = 0; i < ARRAY_SIZE(data->link_data); i++) {
hrtimer_setup(&data->link_data[i].beacon_timer, mac80211_hwsim_beacon,
@@ -6317,6 +6328,27 @@ static void hwsim_register_wmediumd(struct net *net, u32 portid)
spin_unlock_bh(&hwsim_radio_lock);
}
+static int mac80211_hwsim_get_link_id(struct ieee80211_vif *vif,
+ struct ieee80211_hdr *hdr)
+{
+ int i;
+
+ if (!vif || !ieee80211_vif_is_mld(vif))
+ return -1;
+
+ for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) {
+ struct ieee80211_bss_conf *link_conf;
+
+ link_conf = rcu_dereference(vif->link_conf[i]);
+ if (!link_conf)
+ continue;
+ if (ether_addr_equal(link_conf->addr, hdr->addr2))
+ return i;
+ }
+
+ return -1;
+}
+
static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
struct genl_info *info)
{
@@ -6397,13 +6429,18 @@ static int hwsim_tx_info_frame_received_nl(struct sk_buff *skb_2,
txi->status.ack_signal = nla_get_u32(info->attrs[HWSIM_ATTR_SIGNAL]);
+ hdr = (struct ieee80211_hdr *)skb->data;
+ i = mac80211_hwsim_get_link_id(txi->control.vif, hdr);
+ if (i >= 0) {
+ txi->status.link_valid = 1;
+ txi->status.link_id = i;
+ }
+
if (!(hwsim_flags & HWSIM_TX_CTL_NO_ACK) &&
(hwsim_flags & HWSIM_TX_STAT_ACK)) {
- if (skb->len >= 16) {
- hdr = (struct ieee80211_hdr *) skb->data;
+ if (skb->len >= 16)
mac80211_hwsim_monitor_ack(data2->channel,
hdr->addr2);
- }
txi->flags |= IEEE80211_TX_STAT_ACK;
}
--
2.34.1
^ permalink raw reply related
* [PATCH wireless-next v5 3/4] wifi: mac80211: implement STA-mode peer probing
From: Priyansha Tiwari @ 2026-06-11 6:22 UTC (permalink / raw)
To: johannes; +Cc: veerendranath.jakkam, linux-wireless, quic_drohan
In-Reply-To: <20260611062225.2144241-1-pritiwa@qti.qualcomm.com>
From: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
Add STA/P2P-client support to ieee80211_probe_peer(): when called
for a station interface, send a null-data frame (TODS) to the
associated AP and report the ACK via cfg80211_probe_status().
For MLO connections the driver/firmware selects the link
(IEEE80211_LINK_UNSPECIFIED); for non-MLO the single link is used.
Signed-off-by: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
---
include/net/mac80211.h | 2 +-
net/mac80211/cfg.c | 111 ++++++++++++++++++++---------------------
net/mac80211/status.c | 5 +-
3 files changed, 60 insertions(+), 58 deletions(-)
diff --git a/include/net/mac80211.h b/include/net/mac80211.h
index 4f95da023746..7ce0b5163671 100644
--- a/include/net/mac80211.h
+++ b/include/net/mac80211.h
@@ -1396,7 +1396,7 @@ struct ieee80211_tx_info {
u8 pad;
u16 tx_time;
u8 flags;
- u8 pad2;
+ u8 link_valid:1, link_id:4;
void *status_driver_data[16 / sizeof(void *)];
} status;
struct {
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 9c311c8290f7..3dd60bfbf709 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -4956,101 +4956,104 @@ static int ieee80211_probe_peer(struct wiphy *wiphy, struct net_device *dev,
struct ieee80211_local *local = sdata->local;
struct ieee80211_qos_hdr *nullfunc;
struct sk_buff *skb;
- int size = sizeof(*nullfunc);
__le16 fc;
- bool qos;
+ bool qos, fromds;
+ struct ieee80211_bss_conf *conf;
struct ieee80211_tx_info *info;
struct sta_info *sta;
struct ieee80211_chanctx_conf *chanctx_conf;
- struct ieee80211_bss_conf *conf;
enum nl80211_band band;
- u8 link_id;
+ const u8 *dst_addr;
+ const u8 *src_addr;
+ int link_id;
+ int size;
int ret;
/* the lock is needed to assign the cookie later */
lockdep_assert_wiphy(local->hw.wiphy);
- rcu_read_lock();
- sta = sta_info_get_bss(sdata, peer);
- if (!sta) {
- ret = -ENOLINK;
- goto unlock;
+ switch (ieee80211_vif_type_p2p(&sdata->vif)) {
+ case NL80211_IFTYPE_AP:
+ fromds = true;
+ break;
+ case NL80211_IFTYPE_STATION:
+ /* For STA, the peer is always the associated AP/GO */
+ peer = sdata->vif.cfg.ap_addr;
+ fromds = false;
+ break;
+ default:
+ return -EOPNOTSUPP;
}
+ sta = sta_info_get_bss(sdata, peer);
+ if (!sta)
+ return -ENOLINK;
+
qos = sta->sta.wme;
+ dst_addr = sta->sta.addr;
if (ieee80211_vif_is_mld(&sdata->vif)) {
if (sta->sta.mlo) {
link_id = IEEE80211_LINK_UNSPECIFIED;
+ src_addr = sdata->vif.addr;
} else {
/*
- * For non-MLO clients connected to an AP MLD, band
- * information is not used; instead, sta->deflink is
- * used to send packets.
+ * For non-MLO clients connected to an AP MLD,
+ * use the link address for the client's link.
*/
link_id = sta->deflink.link_id;
-
- conf = rcu_dereference(sdata->vif.link_conf[link_id]);
-
- if (unlikely(!conf)) {
- ret = -ENOLINK;
- goto unlock;
- }
+ conf = wiphy_dereference(local->hw.wiphy,
+ sdata->vif.link_conf[link_id]);
+ if (unlikely(!conf))
+ return -ENOLINK;
+ src_addr = conf->addr;
}
/* MLD transmissions must not rely on the band */
band = 0;
} else {
- chanctx_conf = rcu_dereference(sdata->vif.bss_conf.chanctx_conf);
- if (WARN_ON(!chanctx_conf)) {
- ret = -EINVAL;
- goto unlock;
- }
+ chanctx_conf = wiphy_dereference(local->hw.wiphy,
+ sdata->vif.bss_conf.chanctx_conf);
+ if (WARN_ON(!chanctx_conf))
+ return -EINVAL;
band = chanctx_conf->def.chan->band;
link_id = 0;
+ src_addr = sdata->vif.addr;
}
- if (qos) {
- fc = cpu_to_le16(IEEE80211_FTYPE_DATA |
- IEEE80211_STYPE_QOS_NULLFUNC |
- IEEE80211_FCTL_FROMDS);
- } else {
+ size = sizeof(*nullfunc);
+ fc = cpu_to_le16(IEEE80211_FTYPE_DATA |
+ (qos ? IEEE80211_STYPE_QOS_NULLFUNC
+ : IEEE80211_STYPE_NULLFUNC) |
+ (fromds ? IEEE80211_FCTL_FROMDS : IEEE80211_FCTL_TODS));
+ if (!qos)
size -= 2;
- fc = cpu_to_le16(IEEE80211_FTYPE_DATA |
- IEEE80211_STYPE_NULLFUNC |
- IEEE80211_FCTL_FROMDS);
- }
skb = dev_alloc_skb(local->hw.extra_tx_headroom + size);
- if (!skb) {
- ret = -ENOMEM;
- goto unlock;
- }
+ if (!skb)
+ return -ENOMEM;
skb->dev = dev;
-
skb_reserve(skb, local->hw.extra_tx_headroom);
nullfunc = skb_put(skb, size);
+ memset(nullfunc, 0, size);
nullfunc->frame_control = fc;
- nullfunc->duration_id = 0;
- memcpy(nullfunc->addr1, sta->sta.addr, ETH_ALEN);
- if (ieee80211_vif_is_mld(&sdata->vif) && !sta->sta.mlo) {
- memcpy(nullfunc->addr2, conf->addr, ETH_ALEN);
- memcpy(nullfunc->addr3, conf->addr, ETH_ALEN);
- } else {
- memcpy(nullfunc->addr2, sdata->vif.addr, ETH_ALEN);
- memcpy(nullfunc->addr3, sdata->vif.addr, ETH_ALEN);
- }
- nullfunc->seq_ctrl = 0;
- info = IEEE80211_SKB_CB(skb);
+ memcpy(nullfunc->addr1, dst_addr, ETH_ALEN);
+ memcpy(nullfunc->addr2, src_addr, ETH_ALEN);
+ memcpy(nullfunc->addr3, fromds ? src_addr : dst_addr, ETH_ALEN);
+ info = IEEE80211_SKB_CB(skb);
info->flags |= IEEE80211_TX_CTL_REQ_TX_STATUS |
IEEE80211_TX_INTFL_NL80211_FRAME_TX;
info->band = band;
-
info->control.flags |= u32_encode_bits(link_id,
IEEE80211_TX_CTRL_MLO_LINK);
+ if (link_id != IEEE80211_LINK_UNSPECIFIED) {
+ info->status.link_valid = 1;
+ info->status.link_id = link_id;
+ }
+
skb_set_queue_mapping(skb, IEEE80211_AC_VO);
skb->priority = 7;
if (qos)
@@ -5059,18 +5062,14 @@ static int ieee80211_probe_peer(struct wiphy *wiphy, struct net_device *dev,
ret = ieee80211_attach_ack_skb(local, skb, cookie, GFP_ATOMIC);
if (ret) {
kfree_skb(skb);
- goto unlock;
+ return ret;
}
local_bh_disable();
ieee80211_xmit(sdata, sta, skb);
local_bh_enable();
- ret = 0;
-unlock:
- rcu_read_unlock();
-
- return ret;
+ return 0;
}
static int ieee80211_cfg_get_channel(struct wiphy *wiphy,
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index c3d29aed93fe..d635490f59d3 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -655,7 +655,10 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
GFP_ATOMIC);
else if (ieee80211_is_any_nullfunc(hdr->frame_control))
cfg80211_probe_status(sdata->dev, hdr->addr1,
- cookie, -1, acked,
+ cookie,
+ info->status.link_valid ?
+ info->status.link_id : -1,
+ acked,
info->status.ack_signal,
is_valid_ack_signal,
GFP_ATOMIC);
--
2.34.1
^ permalink raw reply related
* [PATCH wireless-next v5 2/4] wifi: cfg80211/nl80211: add STA-mode peer probing
From: Priyansha Tiwari @ 2026-06-11 6:22 UTC (permalink / raw)
To: johannes; +Cc: veerendranath.jakkam, linux-wireless, quic_drohan
In-Reply-To: <20260611062225.2144241-1-pritiwa@qti.qualcomm.com>
From: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
Add NL80211_EXT_FEATURE_PROBE_AP to allow drivers to advertise
support for probing the associated AP from STA/P2P-client mode.
Extend nl80211_probe_peer() to accept STA/P2P-client interfaces
when the driver advertises NL80211_EXT_FEATURE_PROBE_AP; in that
case the MAC attribute must be omitted (the peer is implied by
the association).
Update cfg80211_probe_status() to accept an optional peer address
and a link_id parameter (-1 for non-MLO), and include
NL80211_ATTR_MLO_LINK_ID in the event when link_id >= 0.
Update all callers.
Signed-off-by: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
---
drivers/net/wireless/ath/wil6210/cfg80211.c | 2 +-
include/net/cfg80211.h | 14 +++---
include/uapi/linux/nl80211.h | 20 +++++---
net/mac80211/status.c | 2 +-
net/wireless/nl80211.c | 52 ++++++++++++++-------
5 files changed, 59 insertions(+), 31 deletions(-)
diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index a85ff2a4316b..5f2bd9a31faf 100644
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -2326,7 +2326,7 @@ static void wil_probe_client_handle(struct wil6210_priv *wil,
*/
bool alive = (sta->status == wil_sta_connected);
- cfg80211_probe_status(ndev, sta->addr, req->cookie, alive,
+ cfg80211_probe_status(ndev, sta->addr, req->cookie, -1, alive,
0, false, GFP_KERNEL);
}
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 549b2214e833..ddefe5acc5ae 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -5086,8 +5086,8 @@ struct mgmt_frame_regs {
* @tdls_mgmt: Transmit a TDLS management frame.
* @tdls_oper: Perform a high-level TDLS operation (e.g. TDLS link setup).
*
- * @probe_peer: probe an associated client, must return a cookie that it
- * later passes to cfg80211_probe_status().
+ * @probe_peer: probe a connected peer (AP: STA MAC required; STA: no MAC),
+ * must return a cookie that is later passed to cfg80211_probe_status().
*
* @set_noack_map: Set the NoAck Map for the TIDs.
*
@@ -9846,15 +9846,17 @@ bool cfg80211_rx_unexpected_4addr_frame(struct net_device *dev, const u8 *addr,
/**
* cfg80211_probe_status - notify userspace about probe status
* @dev: the device the probe was sent on
- * @addr: the address of the peer
- * @cookie: the cookie filled in @probe_client previously
+ * @peer: The peer MAC address (or MLD address for MLO) or %NULL if not
+ * applicable (e.g. for STA/P2P-client)
+ * @cookie: the cookie filled in @probe_peer previously
+ * @link_id: The link ID on which the probe was sent (or -1 for non-MLO)
* @acked: indicates whether probe was acked or not
* @ack_signal: signal strength (in dBm) of the ACK frame.
* @is_valid_ack_signal: indicates the ack_signal is valid or not.
* @gfp: allocation flags
*/
-void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
- u64 cookie, bool acked, s32 ack_signal,
+void cfg80211_probe_status(struct net_device *dev, const u8 *peer, u64 cookie,
+ int link_id, bool acked, s32 ack_signal,
bool is_valid_ack_signal, gfp_t gfp);
/**
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index d1907dd12a80..6b8071606e6f 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -922,13 +922,15 @@
* and wasn't already in a 4-addr VLAN. The event will be sent similarly
* to the %NL80211_CMD_UNEXPECTED_FRAME event, to the same listener.
*
- * @NL80211_CMD_PROBE_PEER: Probe an associated station on an AP interface
- * by sending a null data frame to it and reporting when the frame is
- * acknowledged. This is used to allow timing out inactive clients. Uses
- * %NL80211_ATTR_IFINDEX and %NL80211_ATTR_MAC. The command returns a
- * direct reply with an %NL80211_ATTR_COOKIE that is later used to match
- * up the event with the request. The event includes the same data and
- * has %NL80211_ATTR_ACK set if the frame was ACKed.
+ * @NL80211_CMD_PROBE_PEER: Probe a connected peer by sending a null data
+ * frame and reporting when the frame is acknowledged.
+ * In AP/GO mode, %NL80211_ATTR_MAC is required to identify the client.
+ * In STA/P2P-client mode, %NL80211_ATTR_MAC must be omitted (the AP is
+ * implied); the driver must advertise %NL80211_EXT_FEATURE_PROBE_AP.
+ * The command returns a direct reply with an %NL80211_ATTR_COOKIE that
+ * is later used to match up the event with the request. The event
+ * includes the same data and has %NL80211_ATTR_ACK set if the frame
+ * was ACKed.
*
* @NL80211_CMD_REGISTER_BEACONS: Register this socket to receive beacons from
* other BSSes when any interfaces are in AP mode. This helps implement
@@ -7086,6 +7088,9 @@ enum nl80211_feature_flags {
* LTF key seed via %NL80211_KEY_LTF_SEED. The seed is used to generate
* secure LTF keys for secure LTF measurement sessions.
*
+ * @NL80211_EXT_FEATURE_PROBE_AP: Driver supports probing the associated AP
+ * in STA mode using @NL80211_CMD_PROBE_PEER.
+ *
* @NUM_NL80211_EXT_FEATURES: number of extended features.
* @MAX_NL80211_EXT_FEATURES: highest extended feature index.
*/
@@ -7167,6 +7172,7 @@ enum nl80211_ext_feature_index {
NL80211_EXT_FEATURE_IEEE8021X_AUTH,
NL80211_EXT_FEATURE_ROC_ADDR_FILTER,
NL80211_EXT_FEATURE_SET_KEY_LTF_SEED,
+ NL80211_EXT_FEATURE_PROBE_AP,
/* add new features before the definition below */
NUM_NL80211_EXT_FEATURES,
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index dd1dbba06838..c3d29aed93fe 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -655,7 +655,7 @@ static void ieee80211_report_ack_skb(struct ieee80211_local *local,
GFP_ATOMIC);
else if (ieee80211_is_any_nullfunc(hdr->frame_control))
cfg80211_probe_status(sdata->dev, hdr->addr1,
- cookie, acked,
+ cookie, -1, acked,
info->status.ack_signal,
is_valid_ack_signal,
GFP_ATOMIC);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 29505f64591b..e339ea116a13 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -16148,16 +16148,32 @@ static int nl80211_probe_peer(struct sk_buff *skb, struct genl_info *info)
struct wireless_dev *wdev = dev->ieee80211_ptr;
struct sk_buff *msg;
void *hdr;
- const u8 *addr;
+ const u8 *addr = NULL;
u64 cookie;
int err;
- if (wdev->iftype != NL80211_IFTYPE_AP &&
- wdev->iftype != NL80211_IFTYPE_P2P_GO)
+ /* Allow in AP, STA, and their P2P counterparts */
+ switch (wdev->iftype) {
+ case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
+ if (!info->attrs[NL80211_ATTR_MAC])
+ return -EINVAL;
+ addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
+ break;
+ case NL80211_IFTYPE_STATION:
+ case NL80211_IFTYPE_P2P_CLIENT:
+ if (!wiphy_ext_feature_isset(&rdev->wiphy,
+ NL80211_EXT_FEATURE_PROBE_AP))
+ return -EOPNOTSUPP;
+ if (!wdev->connected)
+ return -ENOLINK;
+ /* STA/P2P-client probes the currently associated AP/GO. */
+ if (info->attrs[NL80211_ATTR_MAC])
+ return -EINVAL;
+ break;
+ default:
return -EOPNOTSUPP;
-
- if (!info->attrs[NL80211_ATTR_MAC])
- return -EINVAL;
+ }
if (!rdev->ops->probe_peer)
return -EOPNOTSUPP;
@@ -16173,8 +16189,6 @@ static int nl80211_probe_peer(struct sk_buff *skb, struct genl_info *info)
goto free_msg;
}
- addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
-
err = rdev_probe_peer(rdev, dev, addr, &cookie);
if (err)
goto free_msg;
@@ -22588,8 +22602,8 @@ void cfg80211_sta_opmode_change_notify(struct net_device *dev, const u8 *mac,
}
EXPORT_SYMBOL(cfg80211_sta_opmode_change_notify);
-void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
- u64 cookie, bool acked, s32 ack_signal,
+void cfg80211_probe_status(struct net_device *dev, const u8 *peer, u64 cookie,
+ int link_id, bool acked, s32 ack_signal,
bool is_valid_ack_signal, gfp_t gfp)
{
struct wireless_dev *wdev = dev->ieee80211_ptr;
@@ -22597,7 +22611,7 @@ void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
struct sk_buff *msg;
void *hdr;
- trace_cfg80211_probe_status(dev, addr, cookie, acked);
+ trace_cfg80211_probe_status(dev, peer, cookie, acked);
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, gfp);
@@ -22612,12 +22626,18 @@ void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
nla_put_u32(msg, NL80211_ATTR_IFINDEX, dev->ifindex) ||
- nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, addr) ||
+ (peer && nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, peer)) ||
nla_put_u64_64bit(msg, NL80211_ATTR_COOKIE, cookie,
- NL80211_ATTR_PAD) ||
- (acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
- (is_valid_ack_signal && nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL,
- ack_signal)))
+ NL80211_ATTR_PAD))
+ goto nla_put_failure;
+
+ if (link_id >= 0 &&
+ nla_put_u8(msg, NL80211_ATTR_MLO_LINK_ID, link_id))
+ goto nla_put_failure;
+
+ if ((acked && nla_put_flag(msg, NL80211_ATTR_ACK)) ||
+ (is_valid_ack_signal &&
+ nla_put_s32(msg, NL80211_ATTR_ACK_SIGNAL, ack_signal)))
goto nla_put_failure;
genlmsg_end(msg, hdr);
--
2.34.1
^ permalink raw reply related
* [PATCH wireless-next v5 1/4] wifi: nl80211/cfg80211: rename probe_client to probe_peer
From: Priyansha Tiwari @ 2026-06-11 6:22 UTC (permalink / raw)
To: johannes; +Cc: veerendranath.jakkam, linux-wireless, quic_drohan
In-Reply-To: <20260611062225.2144241-1-pritiwa@qti.qualcomm.com>
From: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
Rename NL80211_CMD_PROBE_CLIENT to NL80211_CMD_PROBE_PEER in the UAPI
enum and retain NL80211_CMD_PROBE_CLIENT as a compatibility alias.
Rename the .probe_client cfg80211_ops callback to .probe_peer and
update all in-tree users (wil6210, mwifiex) and mac80211 so the
tree continues to build after this change.
Signed-off-by: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
---
drivers/net/wireless/ath/wil6210/cfg80211.c | 8 ++++----
drivers/net/wireless/marvell/mwifiex/cfg80211.c | 8 ++++----
include/net/cfg80211.h | 6 +++---
include/uapi/linux/nl80211.h | 5 +++--
net/mac80211/cfg.c | 6 +++---
net/wireless/nl80211.c | 17 ++++++++---------
net/wireless/rdev-ops.h | 10 +++++-----
net/wireless/trace.h | 2 +-
8 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index d6ef92cfcbaf..a85ff2a4316b 100644
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -2379,9 +2379,9 @@ void wil_probe_client_flush(struct wil6210_vif *vif)
mutex_unlock(&vif->probe_client_mutex);
}
-static int wil_cfg80211_probe_client(struct wiphy *wiphy,
- struct net_device *dev,
- const u8 *peer, u64 *cookie)
+static int wil_cfg80211_probe_peer(struct wiphy *wiphy,
+ struct net_device *dev,
+ const u8 *peer, u64 *cookie)
{
struct wil6210_priv *wil = wiphy_to_wil(wiphy);
struct wil6210_vif *vif = ndev_to_vif(dev);
@@ -2660,7 +2660,7 @@ static const struct cfg80211_ops wil_cfg80211_ops = {
.add_station = wil_cfg80211_add_station,
.del_station = wil_cfg80211_del_station,
.change_station = wil_cfg80211_change_station,
- .probe_client = wil_cfg80211_probe_client,
+ .probe_peer = wil_cfg80211_probe_peer,
.change_bss = wil_cfg80211_change_bss,
/* P2P device */
.start_p2p_device = wil_cfg80211_start_p2p_device,
diff --git a/drivers/net/wireless/marvell/mwifiex/cfg80211.c b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
index c9daf893472f..99d96088e364 100644
--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
@@ -4558,9 +4558,9 @@ mwifiex_cfg80211_disassociate(struct wiphy *wiphy,
}
static int
-mwifiex_cfg80211_probe_client(struct wiphy *wiphy,
- struct net_device *dev, const u8 *peer,
- u64 *cookie)
+mwifiex_cfg80211_probe_peer(struct wiphy *wiphy,
+ struct net_device *dev, const u8 *peer,
+ u64 *cookie)
{
/* hostapd looks for NL80211_CMD_PROBE_CLIENT support; otherwise,
* it requires monitor-mode support (which mwifiex doesn't support).
@@ -4726,7 +4726,7 @@ int mwifiex_register_cfg80211(struct mwifiex_adapter *adapter)
ops->disassoc = mwifiex_cfg80211_disassociate;
ops->disconnect = NULL;
ops->connect = NULL;
- ops->probe_client = mwifiex_cfg80211_probe_client;
+ ops->probe_peer = mwifiex_cfg80211_probe_peer;
}
wiphy->max_scan_ssids = MWIFIEX_MAX_SSID_LIST_LENGTH;
wiphy->max_scan_ie_len = MWIFIEX_MAX_VSIE_LEN;
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 8188ad200de5..549b2214e833 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -5086,7 +5086,7 @@ struct mgmt_frame_regs {
* @tdls_mgmt: Transmit a TDLS management frame.
* @tdls_oper: Perform a high-level TDLS operation (e.g. TDLS link setup).
*
- * @probe_client: probe an associated client, must return a cookie that it
+ * @probe_peer: probe an associated client, must return a cookie that it
* later passes to cfg80211_probe_status().
*
* @set_noack_map: Set the NoAck Map for the TIDs.
@@ -5488,8 +5488,8 @@ struct cfg80211_ops {
int (*tdls_oper)(struct wiphy *wiphy, struct net_device *dev,
const u8 *peer, enum nl80211_tdls_operation oper);
- int (*probe_client)(struct wiphy *wiphy, struct net_device *dev,
- const u8 *peer, u64 *cookie);
+ int (*probe_peer)(struct wiphy *wiphy, struct net_device *dev,
+ const u8 *peer, u64 *cookie);
int (*set_noack_map)(struct wiphy *wiphy,
struct net_device *dev,
diff --git a/include/uapi/linux/nl80211.h b/include/uapi/linux/nl80211.h
index 9998f6c0a665..d1907dd12a80 100644
--- a/include/uapi/linux/nl80211.h
+++ b/include/uapi/linux/nl80211.h
@@ -922,7 +922,7 @@
* and wasn't already in a 4-addr VLAN. The event will be sent similarly
* to the %NL80211_CMD_UNEXPECTED_FRAME event, to the same listener.
*
- * @NL80211_CMD_PROBE_CLIENT: Probe an associated station on an AP interface
+ * @NL80211_CMD_PROBE_PEER: Probe an associated station on an AP interface
* by sending a null data frame to it and reporting when the frame is
* acknowledged. This is used to allow timing out inactive clients. Uses
* %NL80211_ATTR_IFINDEX and %NL80211_ATTR_MAC. The command returns a
@@ -1558,7 +1558,7 @@ enum nl80211_commands {
NL80211_CMD_UNEXPECTED_FRAME,
- NL80211_CMD_PROBE_CLIENT,
+ NL80211_CMD_PROBE_PEER,
NL80211_CMD_REGISTER_BEACONS,
@@ -1729,6 +1729,7 @@ enum nl80211_commands {
#define NL80211_CMD_GET_MESH_PARAMS NL80211_CMD_GET_MESH_CONFIG
#define NL80211_CMD_SET_MESH_PARAMS NL80211_CMD_SET_MESH_CONFIG
#define NL80211_MESH_SETUP_VENDOR_PATH_SEL_IE NL80211_MESH_SETUP_IE
+#define NL80211_CMD_PROBE_CLIENT NL80211_CMD_PROBE_PEER
/**
* enum nl80211_attrs - nl80211 netlink attributes
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 3b58af59f7e4..9c311c8290f7 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -4949,8 +4949,8 @@ static int ieee80211_set_rekey_data(struct wiphy *wiphy,
return 0;
}
-static int ieee80211_probe_client(struct wiphy *wiphy, struct net_device *dev,
- const u8 *peer, u64 *cookie)
+static int ieee80211_probe_peer(struct wiphy *wiphy, struct net_device *dev,
+ const u8 *peer, u64 *cookie)
{
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
struct ieee80211_local *local = sdata->local;
@@ -6060,7 +6060,7 @@ const struct cfg80211_ops mac80211_config_ops = {
.tdls_mgmt = ieee80211_tdls_mgmt,
.tdls_channel_switch = ieee80211_tdls_channel_switch,
.tdls_cancel_channel_switch = ieee80211_tdls_cancel_channel_switch,
- .probe_client = ieee80211_probe_client,
+ .probe_peer = ieee80211_probe_peer,
.set_noack_map = ieee80211_set_noack_map,
#ifdef CONFIG_PM
.set_wakeup = ieee80211_set_wakeup,
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 85057bd4d565..29505f64591b 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -2444,7 +2444,7 @@ static int nl80211_add_commands_unsplit(struct cfg80211_registered_device *rdev,
}
if (rdev->wiphy.max_sched_scan_reqs)
CMD(sched_scan_start, START_SCHED_SCAN);
- CMD(probe_client, PROBE_CLIENT);
+ CMD(probe_peer, PROBE_PEER);
CMD(set_noack_map, SET_NOACK_MAP);
if (rdev->wiphy.flags & WIPHY_FLAG_REPORTS_OBSS) {
i++;
@@ -16141,8 +16141,7 @@ static int nl80211_register_unexpected_frame(struct sk_buff *skb,
return 0;
}
-static int nl80211_probe_client(struct sk_buff *skb,
- struct genl_info *info)
+static int nl80211_probe_peer(struct sk_buff *skb, struct genl_info *info)
{
struct cfg80211_registered_device *rdev = info->user_ptr[0];
struct net_device *dev = info->user_ptr[1];
@@ -16160,7 +16159,7 @@ static int nl80211_probe_client(struct sk_buff *skb,
if (!info->attrs[NL80211_ATTR_MAC])
return -EINVAL;
- if (!rdev->ops->probe_client)
+ if (!rdev->ops->probe_peer)
return -EOPNOTSUPP;
msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
@@ -16168,7 +16167,7 @@ static int nl80211_probe_client(struct sk_buff *skb,
return -ENOMEM;
hdr = nl80211hdr_put(msg, info->snd_portid, info->snd_seq, 0,
- NL80211_CMD_PROBE_CLIENT);
+ NL80211_CMD_PROBE_PEER);
if (!hdr) {
err = -ENOBUFS;
goto free_msg;
@@ -16176,7 +16175,7 @@ static int nl80211_probe_client(struct sk_buff *skb,
addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
- err = rdev_probe_client(rdev, dev, addr, &cookie);
+ err = rdev_probe_peer(rdev, dev, addr, &cookie);
if (err)
goto free_msg;
@@ -20033,9 +20032,9 @@ static const struct genl_small_ops nl80211_small_ops[] = {
.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV),
},
{
- .cmd = NL80211_CMD_PROBE_CLIENT,
+ .cmd = NL80211_CMD_PROBE_PEER,
.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
- .doit = nl80211_probe_client,
+ .doit = nl80211_probe_peer,
.flags = GENL_UNS_ADMIN_PERM,
.internal_flags = IFLAGS(NL80211_FLAG_NEED_NETDEV_UP),
},
@@ -22605,7 +22604,7 @@ void cfg80211_probe_status(struct net_device *dev, const u8 *addr,
if (!msg)
return;
- hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_CLIENT);
+ hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_PROBE_PEER);
if (!hdr) {
nlmsg_free(msg);
return;
diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h
index 63c26e8b1139..6c3bad8b2d6f 100644
--- a/net/wireless/rdev-ops.h
+++ b/net/wireless/rdev-ops.h
@@ -948,13 +948,13 @@ static inline int rdev_tdls_oper(struct cfg80211_registered_device *rdev,
return ret;
}
-static inline int rdev_probe_client(struct cfg80211_registered_device *rdev,
- struct net_device *dev, const u8 *peer,
- u64 *cookie)
+static inline int rdev_probe_peer(struct cfg80211_registered_device *rdev,
+ struct net_device *dev, const u8 *peer,
+ u64 *cookie)
{
int ret;
- trace_rdev_probe_client(&rdev->wiphy, dev, peer);
- ret = rdev->ops->probe_client(&rdev->wiphy, dev, peer, cookie);
+ trace_rdev_probe_peer(&rdev->wiphy, dev, peer);
+ ret = rdev->ops->probe_peer(&rdev->wiphy, dev, peer, cookie);
trace_rdev_return_int_cookie(&rdev->wiphy, ret, *cookie);
return ret;
}
diff --git a/net/wireless/trace.h b/net/wireless/trace.h
index 94944f2a39a4..8c2a91b85c39 100644
--- a/net/wireless/trace.h
+++ b/net/wireless/trace.h
@@ -2132,7 +2132,7 @@ DECLARE_EVENT_CLASS(rdev_pmksa,
WIPHY_PR_ARG, NETDEV_PR_ARG, __entry->bssid)
);
-TRACE_EVENT(rdev_probe_client,
+TRACE_EVENT(rdev_probe_peer,
TP_PROTO(struct wiphy *wiphy, struct net_device *netdev,
const u8 *peer),
TP_ARGS(wiphy, netdev, peer),
--
2.34.1
^ permalink raw reply related
* [PATCH wireless-next v5 0/4] wifi: nl80211: introduce PROBE_PEER for AP and STA
From: Priyansha Tiwari @ 2026-06-11 6:22 UTC (permalink / raw)
To: johannes; +Cc: veerendranath.jakkam, linux-wireless, quic_drohan
From: Priyansha Tiwari <priyansha.tiwari@oss.qualcomm.com>
This series introduces a unified mechanism to probe connected peers.
It generalizes the legacy AP-only PROBE_CLIENT functionality by adding
NL80211_CMD_PROBE_PEER and enabling (feature-gated) STA-side probing.
With this, AP/GO continues to probe associated stations as before, and
STA/P2P-client can probe the connected AP for faster link health checks.
For MLO connections, mac80211 supports per-link STA probing to obtain
link-specific ACK information.
Patch 1 renames NL80211_CMD_PROBE_CLIENT to NL80211_CMD_PROBE_PEER in
the UAPI enum (keeping PROBE_CLIENT as a compatibility alias) and renames
the .probe_client cfg80211_ops callback to .probe_peer. All in-tree users
(wil6210, mwifiex, mac80211) are updated so the tree builds after this
patch. This is a pure rename with no behaviour change; documentation is
intentionally left unchanged.
Patch 2 updates the @probe_peer documentation in cfg80211_ops to describe
the STA-mode semantics, adds NL80211_EXT_FEATURE_PROBE_AP to advertise
STA-side support, extends cfg80211_probe_status() to carry an optional
peer address and a link_id (-1 for non-MLO), and extends the nl80211
handler to accept STA/P2P-client interfaces when the driver advertises
the feature (MAC attribute must be omitted; the AP is implied by the
association). All callers of cfg80211_probe_status() are updated.
Patch 3 adds per-link PROBE_PEER support in mac80211 for STA/P2P-client
mode. For STA/P2P-client, it uses IEEE80211_LINK_UNSPECIFIED together
with the associated AP/GO address and lets the driver select the link.
For non-MLO connections, mac80211 still fills info->band from the
current chanctx so legacy transmissions continue to carry the correct
band information. The link_valid/link_id bitfields in
ieee80211_tx_info.status are set before transmitting and read back in
ieee80211_report_ack_skb() to report the actual link_id to userspace.
AP/GO behaviour is unchanged.
Patch 4 makes mac80211_hwsim populate link_valid/link_id in TX status
for both the direct TX status path and the wmediumd/netlink TX status
path.
---
Changes in v5:
- Patch 3:
* Renamed peer_addr to dst_addr for clarity.
* Reworked ieee80211_probe_peer() to share more logic between
AP and STA modes by using ieee80211_vif_type_p2p(),
overriding the STA peer to the associated AP/GO address,
and pulling the common sta lookup/qos handling out of the
switch.
* Kept the remaining AP/STA difference limited to the DS bits,
while preserving the existing MLO/non-MLO address and band
handling.
Changes in v4:
- Patch 3:
* Dropped guard(rcu)() from ieee80211_probe_peer() and used
wiphy_dereference() under the already held wiphy lock.
* Simplified STA/P2P-client probing to use
IEEE80211_LINK_UNSPECIFIED together with the associated
AP/GO address for both MLO and non-MLO cases.
* Kept the non-MLO band lookup via chanctx so legacy
transmissions still carry the correct band.
* Return -ENOLINK when the associated AP STA entry is missing,
instead of falling back to non-QoS probing.
Changes in v3:
- Restructured patch split:
* Patch 1: pure rename (probe_client -> probe_peer), no doc changes
* Patch 2: documentation update for STA-mode semantics +
nl80211 API logic change + cfg80211_probe_status update
* Patch 3: mac80211 implementation
- Removed unnecessary bitfield padding (no pad2:3)
- Moved MAC-omission check for STA mode into cfg80211/nl80211
(not mac80211).
- Used switch statement in both nl80211_probe_peer() and
ieee80211_probe_peer().
- Used guard(rcu)() instead of manual rcu_read_lock/unlock
- Return -ENOLINK (not -ENOTCONN) for unconnected STA, consistent
with cfg80211 conventions
Priyansha Tiwari (4):
wifi: nl80211/cfg80211: rename probe_client to probe_peer
wifi: cfg80211/nl80211: add STA-mode peer probing
wifi: mac80211: implement STA-mode peer probing
wifi: mac80211_hwsim: report TX status link_id
drivers/net/wireless/ath/wil6210/cfg80211.c | 10 +-
.../net/wireless/marvell/mwifiex/cfg80211.c | 8 +-
.../wireless/virtual/mac80211_hwsim_main.c | 43 ++++++-
include/net/cfg80211.h | 18 +--
include/net/mac80211.h | 2 +-
include/uapi/linux/nl80211.h | 23 ++--
net/mac80211/cfg.c | 117 +++++++++---------
net/mac80211/status.c | 5 +-
net/wireless/nl80211.c | 69 +++++++----
net/wireless/rdev-ops.h | 10 +-
net/wireless/trace.h | 2 +-
11 files changed, 187 insertions(+), 120 deletions(-)
--
2.34.1
^ permalink raw reply
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox