- 28 Apr, 2023 2 commits
-
-
Fedor Pchelkin authored
For the reasons also described in commit b383e8ab ("wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()"), ath9k_htc_rx_msg() should validate pkt_len before accessing the SKB. For example, the obtained SKB may have been badly constructed with pkt_len = 8. In this case, the SKB can only contain a valid htc_frame_hdr but after being processed in ath9k_htc_rx_msg() and passed to ath9k_wmi_ctrl_rx() endpoint RX handler, it is expected to have a WMI command header which should be located inside its data payload. Implement sanity checking inside ath9k_wmi_ctrl_rx(). Otherwise, uninit memory can be referenced. Tested on Qualcomm Atheros Communications AR9271 802.11n . Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: fb9987d0 ("ath9k_htc: Support for AR9271 chipset.") Reported-and-tested-by: syzbot+f2cb6e0ffdb961921e4d@syzkaller.appspotmail.com Signed-off-by:
Fedor Pchelkin <pchelkin@ispras.ru> Acked-by:
Toke Høiland-Jørgensen <toke@toke.dk> Signed-off-by:
Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20230424183348.111355-1-pchelkin@ispras.ru
-
Peter Seiderer authored
Fix ath9k_hw_verify_hang()/ar9003_hw_detect_mac_hang() register offset calculation (do not overflow the shift for the second register/queues above five, use the register layout described in the comments above ath9k_hw_verify_hang() instead). Fixes: 222e0483 ("ath9k: Fix MAC HW hang check for AR9003") Reported-by:
Gregg Wonderly <greggwonderly@seqtechllc.com> Link: https://lore.kernel.org/linux-wireless/E3A9C354-0CB7-420C-ADEF-F0177FB722F4@seqtechllc.com/Signed-off-by:
Peter Seiderer <ps.report@gmx.net> Acked-by:
Simon Horman <simon.horman@corigine.com> Signed-off-by:
-
- 26 Apr, 2023 3 commits
-
-
Carl Huang authored
Low receive throughput is seen on WCN7850 because ADDBA related parameters are not updated to firmware when receive ADDBA session starts. Fix it by sending WMI_PEER_REORDER_QUEUE_SETUP_CMDID again to firmware to update the ADDBA related parameters for chips which have false reoq_lut_support in hw_params. For chips which have true reoq_lut_support in hw_params don't need this command to send to firmware. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4 Signed-off-by:
Carl Huang <quic_cjhuang@quicinc.com> Signed-off-by:
-
Carl Huang authored
The PCIe PERST pin is currently pulled down on WCN7850 and it causes some power leakage. Fix it by notifying firmware not to pull down PCIe PERST pin in QMI message for WCN7850. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4 Signed-off-by:
-
Carl Huang authored
Currently the CNSS (Connectivity Subsystem) QMI feature is assigned to qmi_wlanfw_host_cap_req_msg_v01 request directly, this prevents chip-specific CNSS features from being added easily. Solve this by adding a new field qmi_cnss_feature_bitmap to hw_params so chip-specific CNSS features can be assigned to this field and later assigned to qmi_wlanfw_host_cap_req_msg_v01 request. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4 Signed-off-by:
-
- 20 Apr, 2023 33 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.gitKalle Valo authored
ath.git patches for v6.4. Major changes: wcn36xx * support for pronto v3 hardware ath11k * PCIe DeviceTree bindings * WCN6750: enable SAR support ath10k * convert DeviceTree bindings to YAML
-
https://github.com/nbd168/wirelessKalle Valo authored
mt76 patches for 6.4 - fixes - connac code unification - mt7921 p2p support - mt7996 mesh a-msdu support - mt7996 eht support - mt7996 coredump support
-
Simon Horman authored
Update spelling in comments in main.h Found by inspection. Signed-off-by:
Simon Horman <horms@kernel.org> Reviewed-by:
Ping-Ke Shih <pkshih@realtek.com> Signed-off-by:
Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230418-rtw88-starspell-v1-1-70e52a23979b@kernel.org
-
Arnd Bergmann authored
This driver does not actually use the ISA DMA API, it is purely PIO based, so remove the dependency. Signed-off-by:
Arnd Bergmann <arnd@arndb.de> Reviewed-by:
-
Bitterblue Smith authored
The goal of writing 0x6954341e / 0x6955341e to REG_OFDM0_XA_AGC_CORE1 appears to be setting the initial gain, which is stored in bits 0..6. Bits 7..31 are the same as what the phy init tables write. Modify only bits 0..6 so that we don't have to care about the values of the others. This way we don't have to add another "else if" for the RTL8192FU. Why we need to change the initial gain from the default 0x20 to 0x1e? Not sure. Some of the vendor drivers change it to 0x1e before scanning and then restore it to the original value after. Signed-off-by:
Bitterblue Smith <rtl8821cerfe2@gmail.com> Reviewed-by:
-
Bitterblue Smith authored
Also add rtl8xxxu_write32_mask, rtl8xxxu_write_rfreg_mask. These helper functions make it easier to modify only parts of a register by eliminating the call to the register reading function and the bit manipulations. Signed-off-by:
-
Bitterblue Smith authored
Most devices have a vendor name, product name, and serial number in the efuse, but it's pretty useless. It duplicates the information already printed by the USB subsystem: usb 1-4: New USB device found, idVendor=0bda, idProduct=8178, bcdDevice= 2.00 usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-4: Product: 802.11n WLAN Adapter usb 1-4: Manufacturer: Realtek usb 1-4: SerialNumber: 00e04c000001 -> usb 1-4: Vendor: Realtek -> usb 1-4: Product: 802.11n WLAN Adapter usb 1-4: New USB device found, idVendor=0bda, idProduct=818b, bcdDevice= 2.00 usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-4: Product: 802.11n NIC usb 1-4: Manufacturer: Realtek usb 1-4: SerialNumber: 00e04c000001 -> usb 1-4: Vendor: Realtek -> usb 1-4: Product: 802.11n NIC -> usb 1-4: Serial not available. usb 1-4: New USB device found, idVendor=0bda, idProduct=f179, bcdDevice= 0.00 usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-4: Product: 802.11n usb 1-4: Manufacturer: Realtek usb 1-4: SerialNumber: 002E2DC0041F -> usb 1-4: Vendor: Realtek -> usb 1-4: Product: 802.11n usb 1-4: New USB device found, idVendor=0bda, idProduct=8179, bcdDevice= 0.00 usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-4: Product: 802.11n NIC usb 1-4: Manufacturer: Realtek usb 1-4: SerialNumber: 00E04C0001 -> usb 1-4: Vendor: Realtek -> usb 1-4: Product: 802.11n NIC -> usb 1-4: Serial: 00E04C0001 Also, that data is not interpreted correctly in all cases: usb 3-1.1.2: New USB device found, idVendor=0bda, idProduct=8179, bcdDevice= 0.00 usb 3-1.1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 3-1.1.2: Product: 802.11n NIC usb 3-1.1.2: Manufacturer: Realtek usb 3-1.1.2: Vendor: Realtek usb 3-1.1.2: Product: \x03802.11n NI usb 3-1.1.2: Serial: \xff\xff\xff\xff\xff\xff\xff\xff\xff\xff\xff Link: https://bugzilla.kernel.org/show_bug.cgi?id=217231Signed-off-by:
-
Larry Finger authored
Kmemleak shows the following leak arising from routine in the usb probe routine: unreferenced object 0xffff895cb29bba00 (size 512): comm "(udev-worker)", pid 534, jiffies 4294903932 (age 102751.088s) hex dump (first 32 bytes): 77 30 30 30 00 00 00 00 02 2f 2d 2b 30 00 00 00 w000...../-+0... 02 00 2a 28 00 00 00 00 ff 55 ff ff ff 00 00 00 ..*(.....U...... backtrace: [<ffffffff9265fa36>] kmalloc_trace+0x26/0x90 [<ffffffffc17eec41>] rtw_usb_probe+0x2f1/0x680 [rtw_usb] [<ffffffffc03e19fd>] usb_probe_interface+0xdd/0x2e0 [usbcore] [<ffffffff92b4f2fe>] really_probe+0x18e/0x3d0 [<ffffffff92b4f5b8>] __driver_probe_device+0x78/0x160 [<ffffffff92b4f6bf>] driver_probe_device+0x1f/0x90 [<ffffffff92b4f8df>] __driver_attach+0xbf/0x1b0 [<ffffffff92b4d350>] bus_for_each_dev+0x70/0xc0 [<ffffffff92b4e51e>] bus_add_driver+0x10e/0x210 [<ffffffff92b50935>] driver_register+0x55/0xf0 [<ffffffffc03e0708>] usb_register_driver+0x88/0x140 [usbcore] [<ffffffff92401153>] do_one_initcall+0x43/0x210 [<ffffffff9254f42a>] do_init_module+0x4a/0x200 [<ffffffff92551d1c>] __do_sys_finit_module+0xac/0x120 [<ffffffff92ee6626>] do_syscall_64+0x56/0x80 [<ffffffff9300006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 The leak was verified to be real by unloading the driver, which resulted in a dangling pointer to the allocation. The allocated memory is freed in rtw_usb_intf_deinit(). Signed-off-by:Larry Finger <Larry.Finger@lwfinger.net> Cc: Sascha Hauer <s.hauer@pengutronix.de> Cc: Ping-Ke Shih <pkshih@realtek.com> Reviewed-by:
-
Sascha Hauer authored
We have to call rtw8821c_switch_rf_set() with SWITCH_TO_WLG or SWITCH_TO_BTG according to the chip variant as denoted in rfe_option. The information which argument to use for which variant has been taken from the vendor driver. Signed-off-by:
Sascha Hauer <s.hauer@pengutronix.de> Reviewed-by:
-
Sascha Hauer authored
According to the vendor driver the pkg_type has to be set to '1' for some rtw8821c variants. As the pkg_type has been hardcoded to '0', add a field for it in struct rtw_hal and set this correctly in the rtw8821c part. With this parsing of a rtw_table is influenced and check_positive() in phy.c returns true for some cases here. The same is done in the vendor driver. However, this has no visible effect on the driver here. Signed-off-by:
-
Sascha Hauer authored
On my RTW8821CU chipset rfe_option reads as 0x22. Looking at the vendor driver suggests that the field width of rfe_option is 5 bit, so rfe_option should be masked with 0x1f. Without this the rfe_option comparisons with 2 further down the driver evaluate as false when they should really evaluate as true. The effect is that 2G channels do not work. rfe_option is also used as an array index into rtw8821c_rfe_defs[]. rtw8821c_rfe_defs[34] (0x22) was added as part of adding USB support, likely because rfe_option reads as 0x22. As this now becomes 0x2, rtw8821c_rfe_defs[34] is no longer used and can be removed. Note that this might not be the whole truth. In the vendor driver there are indeed places where the unmasked rfe_option value is used. However, the driver has several places where rfe_option is tested with the pattern if (rfe_option == 2 || rfe_option == 0x22) or if (rfe_option == 4 || rfe_option == 0x24), so that rfe_option BIT(5) has no influence on the code path taken. We therefore mask BIT(5) out from rfe_option entirely until this assumption is proved wrong by some chip variant we do not know yet. Signed-off-by:
Alexandru gagniuc <mr.nuke.me@gmail.com> Tested-by:
ValdikSS <iam@valdikss.org.ru> Cc: stable@vger.kernel.org Reviewed-by:
-
Sascha Hauer authored
The RTW88 chipsets have four different priority queues in hardware. For the USB type chipsets the packets destined for a specific priority queue must be sent through the endpoint corresponding to the queue. This was not fully understood when porting from the RTW88 USB out of tree driver and thus violated. This patch implements the qsel to endpoint mapping as in get_usb_bulkout_id_88xx() in the downstream driver. Without this the driver often issues "timed out to flush queue 3" warnings and often TX stalls completely. Signed-off-by:
-
Po-Hao Huang authored
Allow 8822c to operate two interface concurrently, only 1 AP mode plus 1 station mode under same frequency is supported. Combination of other types will not be added until requested. Signed-off-by:
Po-Hao Huang <phhuang@realtek.com> Signed-off-by:
-
Po-Hao Huang authored
This patch allows vifs sharing same hardware with the AP mode vif to do scan, do note that this could lead to packet loss or disconnection of the AP's clients. Since we don't have chanctx, update scan info upon set channel so bandwidth changes won't go unnoticed and get misconfigured after scan. Download beacon just before scan starts to allow hardware to get proper content to do beaconing. Last, beacons should only be transmitted in AP's operating channel. Turn related beacon functions off while we're in other channels so the receiving stations won't get confused. Signed-off-by:
-
Po-Hao Huang authored
Only abort scan with current scanning VIF. If we have more than one interface, we could call rtw_hw_scan_abort() with the wrong VIF as input. This avoids potential null pointer being accessed when actually the other VIF is scanning. Signed-off-by:
-
Po-Hao Huang authored
Only gather reserved pages from AP interface after it has started. Or else ieee80211_beacon_get_*() returns NULL and causes other VIFs' reserved pages fail to download. Update location of current reserved page after beacon renews so offsets changed by beacon can be recognized. Signed-off-by:
-
Po-Hao Huang authored
Firmware can't support PS mode during AP mode, so disallow this case. Signed-off-by:
-
Po-Hao Huang authored
Extend 8822c's reserved page number to accommodate additional required pages. Reserved page is an area of memory in the FIFO dedicated for special purposes. Previously only one interface is supported so 8 pages should suffice, extend it so we can support 2 interfaces concurrently. Signed-off-by:
-
Po-Hao Huang authored
Switch port settings if AP mode does not start on port 0 because of hardware limitation. For some ICs, beacons on ports other than zero could misbehave and do not issue properly, to fix this we change AP VIFs to port zero when multiple interfaces is active. Signed-off-by:
-
Po-Hao Huang authored
In order to support multiple interfaces, multiple port settings will be required. Current code always uses port 0 and should be changed. Declare a bitmap with size equal to hardware port number to record the current usage. Signed-off-by:
-
Ping-Ke Shih authored
The function to request DLE (data link engine) buffer uses 'u16' as return value that mixes error code, so change it to 'int' as regular error code. Also, treat invalid register value (0xfff) as an error. Signed-off-by:
-
Yingsha Xu authored
Smatch complains that: debugfs_hw_add() warn: 'statsd' is an error pointer or valid Debugfs checks are generally not supposed to be checked for errors and it is not necessary here. Just delete the dead code. Signed-off-by:
Yingsha Xu <ysxu@hust.edu.cn> Reviewed-by:
Dongliang Mu <dzm91@hust.edu.cn> Link: https://lore.kernel.org/r/20230419104548.30124-1-ysxu@hust.edu.cnSigned-off-by:
Johannes Berg <johannes.berg@intel.com>
-
Avraham Stern authored
When CSME takes ownership, the driver sets RFKILL on, and this triggers driver unload and sending the confirmation SAP message. However, when IWL_MVM_MEI_REPORT_RFKILL is set, RFKILL was not reported and as a result, the driver did not confirm the ownership transition. Fix it. Signed-off-by:
Avraham Stern <avraham.stern@intel.com> Signed-off-by:
Gregory Greenman <gregory.greenman@intel.com> Link: https://lore.kernel.org/r/20230418122405.29ac3cd3df73.I96b32bc274bfe1e3871e54d3fa29c7ac4f40446f@changeidSigned-off-by:
-
Avraham Stern authored
When the host disconnects from the AP CSME takes ownership right away. Since the driver never asks for ownership again wifi is left in rfkill until CSME releases the NIC, although in many cases the host could re-connect shortly after the disconnection. To allow the host to recover from occasional disconnection, re-ask for ownership to let the host connect again. Allow one minute before re-asking for ownership to avoid too frequent ownership transitions. Signed-off-by:
-
Avraham Stern authored
When mei filtered scan is performed, it must find the AP on the first scan, otherwise CSME will take the ownership of the NIC. Make this scan more aggressive by scanning the channel the AP is supposed to be on (as reported by CSME) several times. Signed-off-by:
-
Avraham Stern authored
When CSME is connected and has link protection set, the driver must connect to the same AP CSME is connected to. When in link protection, modify scan request parameters to include only the channel of the AP CSME is connected to and scan for the same SSID. In addition, filter the scan results to include only results from the same AP. This will make sure the driver will connect to the same AP and will do it fast enough to keep the session alive. Signed-off-by:
-
Gregory Greenman authored
Enable driver's support for MLO APIs to unlock this functionality. Signed-off-by:
-
Johannes Berg authored
For constant values we don't need rcu_assign_pointer(), use RCU_INIT_POINTER() instead. Signed-off-by:
-
Johannes Berg authored
If we do get multiple notifications from firmware, then we might have allocated 'notif', but don't free it. Fix that by checking for duplicates before allocation. Fixes: 4da46a06 ("wifi: iwlwifi: mvm: Add support for wowlan info notification") Signed-off-by:
-
Alon Giladi authored
We should pass the newly allocated data to fill. Signed-off-by:
Alon Giladi <alon.giladi@intel.com> Signed-off-by:
-
Johannes Berg authored
The RADA/firmware collaborate on MIC stripping in the following way: - the firmware fills the IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK value for how many words need to be removed at the end of the frame, CRC and, if decryption was done, MIC - if the RADA is active, it will - remove that much from the end of the frame - zero the value in IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK As a consequence, the only thing the driver should need to do is to - unconditionally tell mac80211 that the MIC was removed if decryption was already done - remove as much as IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK says at the end of the frame, since either RADA did it and then the value is 0, or RADA was disabled and then the value is whatever should be removed to strip both CRC & MIC However, all this code was historically grown and getting a bit confused. Originally, we were indicating that the MIC was not stripped, which is the version of the code upstreamed in commit 780e87c2 ("iwlwifi: mvm: add 9000 series RX processing") which indicated RX_FLAG_DECRYPTED in iwl_mvm_rx_crypto(). We later had a commit to change that to also indicate that the MIC was stripped, adding RX_FLAG_MIC_STRIPPED. However, this was then "fixed" later to only do that conditionally on RADA being enabled, since otherwise RADA didn't strip the MIC bytes yet. At the time, we were also always including the FCS if the RADA was not enabled, so that was still broken wrt. the FCS if the RADA isn't enabled - but that's a pretty rare case. Notably though, it does happen for management frames, where we do need to remove the MIC and CRC but the RADA is disabled. Later, in commit 40a0b38d ("iwlwifi: mvm: Fix calculation of frame length"), we changed this again, upstream this was just a single commit, but internally it was split into first the correct commit and then an additional fix that reduced the number of bytes that are removed by crypt_len. Note that this is clearly wrong since crypt_len indicates the length of the PN header (always 8), not the length of the MIC (8 or 16 depending on algorithm). However, this additional fix mostly canceled the other bugs, apart from the confusion about the size of the MIC. To fix this correctly, remove all those additional workarounds. We really should always indicate to mac80211 the MIC was stripped (it cannot use it anyway if decryption was already done), and also always actually remove it and the CRC regardless of the RADA being enabled or not. That's simple though, the value indicated in the metadata is zeroed by the RADA if it's enabled and used the value, so there's no need to check if it's enabled or not. Notably then, this fixes the MIC size confusion, letting us receive GCMP-256 encrypted management frames correctly that would otherwise be reported to mac80211 8 bytes too short since the RADA is turned off for them, crypt_len is 8, but the MIC size is 16, so when we do the adjustment based on IWL_RX_MPDU_MFLG1_MIC_CRC_LEN_MASK (which indicates 20 bytes to remove) we remove 12 bytes but indicate then to mac80211 the MIC is still present, so mac80211 again removes the MIC of 16 bytes, for an overall removal of 28 rather than 20 bytes. Signed-off-by:
-
Johannes Berg authored
Fix a memory leak that occurs when reading the fw_info file all the way, since we return NULL indicating no more data, but don't free the status tracking object. Fixes: 36dfe9ac ("iwlwifi: dump api version in yaml format") Signed-off-by:
-
Mukesh Sisodiya authored
Add support for B0 version of MAC of MR device Signed-off-by:
Mukesh Sisodiya <mukesh.sisodiya@intel.com> Signed-off-by:
-
- 19 Apr, 2023 2 commits
-
-
Muna Sinada authored
This is a regression fix for 80+80 and 160 MHz support bits being cleared, therefore not adverised. Remove disable of 80+80 and 160 MHz capability flags and assign valid center frequency 2 similar to VHT80_80. Fixes: 38dfe775 ("wifi: ath11k: push MU-MIMO params from hostapd to hardware") Reported-by:
Robert Marko <robert.marko@sartura.hr> Tested-by: Robert Marko <robert.marko@sartura.hr> # IPQ8074 WLAN.HK.2.9.0.1-01385-QCAHKSWPL_SILICONZ-1 Link: https://bugzilla.kernel.org/show_bug.cgi?id=217299Co-developed-by:
P Praneesh <quic_ppranees@quicinc.com> Signed-off-by:
Muna Sinada <quic_msinada@quicinc.com> Signed-off-by:
-
Toke Høiland-Jørgensen authored
This partially reverts commit e161d4b6. Turns out the channelmap variable is not actually read-only, it's modified through the MCI_GPM_CLR_CHANNEL_BIT() macro further down in the function, so making it read-only causes page faults when that code is hit. Link: https://bugzilla.kernel.org/show_bug.cgi?id=217183 Fixes: e161d4b6 ("wifi: ath9k: Make arrays prof_prio and channelmap static const") Cc: stable@vger.kernel.org Signed-off-by:
-
