tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'wireless-2024-02-14' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

Johannes Berg says:

====================
Valentine's day edition, with just few fixes because
that's how we love it ;-)

iwlwifi:
- correct A3 in A-MSDUs
- fix crash when operating as AP and running out of station
slots to use
- clear link ID to correct some later checks against it
- fix error codes in SAR table loading
- fix error path in PPAG table read

mac80211:
- reload a pointer after SKB may have changed
(only in certain monitor inject mode scenarios)

* tag 'wireless-2024-02-14' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
wifi: iwlwifi: mvm: fix a crash when we run out of stations
wifi: iwlwifi: uninitialized variable in iwl_acpi_get_ppag_table()
wifi: iwlwifi: Fix some error codes
wifi: iwlwifi: clear link_id in time_event
wifi: iwlwifi: mvm: use correct address 3 in A-MSDU
wifi: mac80211: reload info pointer in ieee80211_tx_dequeue()
====================

Link: https://lore.kernel.org/r/20240214184326.132813-3-johannes@sipsolutions.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 63a3dd6e 9b23fceb

+82 -21
+9 -6
drivers/net/wireless/intel/iwlwifi/fw/acpi.c
··· 618 618 &tbl_rev); 619 619 if (!IS_ERR(wifi_pkg)) { 620 620 if (tbl_rev != 2) { 621 - ret = PTR_ERR(wifi_pkg); 621 + ret = -EINVAL; 622 622 goto out_free; 623 623 } 624 624 ··· 634 634 &tbl_rev); 635 635 if (!IS_ERR(wifi_pkg)) { 636 636 if (tbl_rev != 1) { 637 - ret = PTR_ERR(wifi_pkg); 637 + ret = -EINVAL; 638 638 goto out_free; 639 639 } 640 640 ··· 650 650 &tbl_rev); 651 651 if (!IS_ERR(wifi_pkg)) { 652 652 if (tbl_rev != 0) { 653 - ret = PTR_ERR(wifi_pkg); 653 + ret = -EINVAL; 654 654 goto out_free; 655 655 } 656 656 ··· 707 707 &tbl_rev); 708 708 if (!IS_ERR(wifi_pkg)) { 709 709 if (tbl_rev != 2) { 710 - ret = PTR_ERR(wifi_pkg); 710 + ret = -EINVAL; 711 711 goto out_free; 712 712 } 713 713 ··· 723 723 &tbl_rev); 724 724 if (!IS_ERR(wifi_pkg)) { 725 725 if (tbl_rev != 1) { 726 - ret = PTR_ERR(wifi_pkg); 726 + ret = -EINVAL; 727 727 goto out_free; 728 728 } 729 729 ··· 739 739 &tbl_rev); 740 740 if (!IS_ERR(wifi_pkg)) { 741 741 if (tbl_rev != 0) { 742 - ret = PTR_ERR(wifi_pkg); 742 + ret = -EINVAL; 743 743 goto out_free; 744 744 } 745 745 ··· 1115 1115 IWL_DEBUG_RADIO(fwrt, "Reading PPAG table v1 (tbl_rev=0)\n"); 1116 1116 goto read_table; 1117 1117 } 1118 + 1119 + ret = PTR_ERR(wifi_pkg); 1120 + goto out_free; 1118 1121 1119 1122 read_table: 1120 1123 fwrt->ppag_ver = tbl_rev;
+3
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
··· 3687 3687 NL80211_TDLS_SETUP); 3688 3688 } 3689 3689 3690 + if (ret) 3691 + return ret; 3692 + 3690 3693 for_each_sta_active_link(vif, sta, link_sta, i) 3691 3694 link_sta->agg.max_rc_amsdu_len = 1; 3692 3695
+4
drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c
··· 505 505 return false; 506 506 507 507 mvm_sta = iwl_mvm_sta_from_mac80211(sta); 508 + 509 + if (WARN_ON_ONCE(!mvm_sta->dup_data)) 510 + return false; 511 + 508 512 dup_data = &mvm_sta->dup_data[queue]; 509 513 510 514 /*
+2 -1
drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
··· 1 1 // SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause 2 2 /* 3 - * Copyright (C) 2012-2014, 2018-2023 Intel Corporation 3 + * Copyright (C) 2012-2014, 2018-2024 Intel Corporation 4 4 * Copyright (C) 2013-2015 Intel Mobile Communications GmbH 5 5 * Copyright (C) 2017 Intel Deutschland GmbH 6 6 */ ··· 972 972 if (!le32_to_cpu(notif->status) || !le32_to_cpu(notif->start)) { 973 973 /* End TE, notify mac80211 */ 974 974 mvmvif->time_event_data.id = SESSION_PROTECT_CONF_MAX_ID; 975 + mvmvif->time_event_data.link_id = -1; 975 976 iwl_mvm_p2p_roc_finished(mvm); 976 977 ieee80211_remain_on_channel_expired(mvm->hw); 977 978 } else if (le32_to_cpu(notif->start)) {
+61 -12
drivers/net/wireless/intel/iwlwifi/mvm/tx.c
··· 520 520 } 521 521 } 522 522 523 + static void iwl_mvm_copy_hdr(void *cmd, const void *hdr, int hdrlen, 524 + const u8 *addr3_override) 525 + { 526 + struct ieee80211_hdr *out_hdr = cmd; 527 + 528 + memcpy(cmd, hdr, hdrlen); 529 + if (addr3_override) 530 + memcpy(out_hdr->addr3, addr3_override, ETH_ALEN); 531 + } 532 + 523 533 /* 524 534 * Allocates and sets the Tx cmd the driver data pointers in the skb 525 535 */ 526 536 static struct iwl_device_tx_cmd * 527 537 iwl_mvm_set_tx_params(struct iwl_mvm *mvm, struct sk_buff *skb, 528 538 struct ieee80211_tx_info *info, int hdrlen, 529 - struct ieee80211_sta *sta, u8 sta_id) 539 + struct ieee80211_sta *sta, u8 sta_id, 540 + const u8 *addr3_override) 530 541 { 531 542 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 532 543 struct iwl_device_tx_cmd *dev_cmd; ··· 595 584 cmd->len = cpu_to_le16((u16)skb->len); 596 585 597 586 /* Copy MAC header from skb into command buffer */ 598 - memcpy(cmd->hdr, hdr, hdrlen); 587 + iwl_mvm_copy_hdr(cmd->hdr, hdr, hdrlen, addr3_override); 599 588 600 589 cmd->flags = cpu_to_le16(flags); 601 590 cmd->rate_n_flags = cpu_to_le32(rate_n_flags); ··· 610 599 cmd->len = cpu_to_le16((u16)skb->len); 611 600 612 601 /* Copy MAC header from skb into command buffer */ 613 - memcpy(cmd->hdr, hdr, hdrlen); 602 + iwl_mvm_copy_hdr(cmd->hdr, hdr, hdrlen, addr3_override); 614 603 615 604 cmd->flags = cpu_to_le32(flags); 616 605 cmd->rate_n_flags = cpu_to_le32(rate_n_flags); ··· 628 617 iwl_mvm_set_tx_cmd_rate(mvm, tx_cmd, info, sta, hdr->frame_control); 629 618 630 619 /* Copy MAC header from skb into command buffer */ 631 - memcpy(tx_cmd->hdr, hdr, hdrlen); 620 + iwl_mvm_copy_hdr(tx_cmd->hdr, hdr, hdrlen, addr3_override); 632 621 633 622 out: 634 623 return dev_cmd; ··· 831 820 832 821 IWL_DEBUG_TX(mvm, "station Id %d, queue=%d\n", sta_id, queue); 833 822 834 - dev_cmd = iwl_mvm_set_tx_params(mvm, skb, &info, hdrlen, NULL, sta_id); 823 + dev_cmd = iwl_mvm_set_tx_params(mvm, skb, &info, hdrlen, NULL, sta_id, 824 + NULL); 835 825 if (!dev_cmd) 836 826 return -1; 837 827 ··· 1152 1140 */ 1153 1141 static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb, 1154 1142 struct ieee80211_tx_info *info, 1155 - struct ieee80211_sta *sta) 1143 + struct ieee80211_sta *sta, 1144 + const u8 *addr3_override) 1156 1145 { 1157 1146 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; 1158 1147 struct iwl_mvm_sta *mvmsta; ··· 1185 1172 iwl_mvm_probe_resp_set_noa(mvm, skb); 1186 1173 1187 1174 dev_cmd = iwl_mvm_set_tx_params(mvm, skb, info, hdrlen, 1188 - sta, mvmsta->deflink.sta_id); 1175 + sta, mvmsta->deflink.sta_id, 1176 + addr3_override); 1189 1177 if (!dev_cmd) 1190 1178 goto drop; 1191 1179 ··· 1308 1294 struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta); 1309 1295 struct ieee80211_tx_info info; 1310 1296 struct sk_buff_head mpdus_skbs; 1297 + struct ieee80211_vif *vif; 1311 1298 unsigned int payload_len; 1312 1299 int ret; 1313 1300 struct sk_buff *orig_skb = skb; 1301 + const u8 *addr3; 1314 1302 1315 1303 if (WARN_ON_ONCE(!mvmsta)) 1316 1304 return -1; ··· 1323 1307 memcpy(&info, skb->cb, sizeof(info)); 1324 1308 1325 1309 if (!skb_is_gso(skb)) 1326 - return iwl_mvm_tx_mpdu(mvm, skb, &info, sta); 1310 + return iwl_mvm_tx_mpdu(mvm, skb, &info, sta, NULL); 1327 1311 1328 1312 payload_len = skb_tail_pointer(skb) - skb_transport_header(skb) - 1329 1313 tcp_hdrlen(skb) + skb->data_len; 1330 1314 1331 1315 if (payload_len <= skb_shinfo(skb)->gso_size) 1332 - return iwl_mvm_tx_mpdu(mvm, skb, &info, sta); 1316 + return iwl_mvm_tx_mpdu(mvm, skb, &info, sta, NULL); 1333 1317 1334 1318 __skb_queue_head_init(&mpdus_skbs); 1319 + 1320 + vif = info.control.vif; 1321 + if (!vif) 1322 + return -1; 1335 1323 1336 1324 ret = iwl_mvm_tx_tso(mvm, skb, &info, sta, &mpdus_skbs); 1337 1325 if (ret) ··· 1343 1323 1344 1324 WARN_ON(skb_queue_empty(&mpdus_skbs)); 1345 1325 1346 - while (!skb_queue_empty(&mpdus_skbs)) { 1347 - skb = __skb_dequeue(&mpdus_skbs); 1326 + /* 1327 + * As described in IEEE sta 802.11-2020, table 9-30 (Address 1328 + * field contents), A-MSDU address 3 should contain the BSSID 1329 + * address. 1330 + * Pass address 3 down to iwl_mvm_tx_mpdu() and further to set it 1331 + * in the command header. We need to preserve the original 1332 + * address 3 in the skb header to correctly create all the 1333 + * A-MSDU subframe headers from it. 1334 + */ 1335 + switch (vif->type) { 1336 + case NL80211_IFTYPE_STATION: 1337 + addr3 = vif->cfg.ap_addr; 1338 + break; 1339 + case NL80211_IFTYPE_AP: 1340 + addr3 = vif->addr; 1341 + break; 1342 + default: 1343 + addr3 = NULL; 1344 + break; 1345 + } 1348 1346 1349 - ret = iwl_mvm_tx_mpdu(mvm, skb, &info, sta); 1347 + while (!skb_queue_empty(&mpdus_skbs)) { 1348 + struct ieee80211_hdr *hdr; 1349 + bool amsdu; 1350 + 1351 + skb = __skb_dequeue(&mpdus_skbs); 1352 + hdr = (void *)skb->data; 1353 + amsdu = ieee80211_is_data_qos(hdr->frame_control) && 1354 + (*ieee80211_get_qos_ctl(hdr) & 1355 + IEEE80211_QOS_CTL_A_MSDU_PRESENT); 1356 + 1357 + ret = iwl_mvm_tx_mpdu(mvm, skb, &info, sta, 1358 + amsdu ? addr3 : NULL); 1350 1359 if (ret) { 1351 1360 /* Free skbs created as part of TSO logic that have not yet been dequeued */ 1352 1361 __skb_queue_purge(&mpdus_skbs);
+3 -2
net/mac80211/tx.c
··· 5 5 * Copyright 2006-2007 Jiri Benc <jbenc@suse.cz> 6 6 * Copyright 2007 Johannes Berg <johannes@sipsolutions.net> 7 7 * Copyright 2013-2014 Intel Mobile Communications GmbH 8 - * Copyright (C) 2018-2022 Intel Corporation 8 + * Copyright (C) 2018-2024 Intel Corporation 9 9 * 10 10 * Transmit and frame generation functions. 11 11 */ ··· 3927 3927 goto begin; 3928 3928 3929 3929 skb = __skb_dequeue(&tx.skbs); 3930 + info = IEEE80211_SKB_CB(skb); 3930 3931 3931 3932 if (!skb_queue_empty(&tx.skbs)) { 3932 3933 spin_lock_bh(&fq->lock); ··· 3972 3971 } 3973 3972 3974 3973 encap_out: 3975 - IEEE80211_SKB_CB(skb)->control.vif = vif; 3974 + info->control.vif = vif; 3976 3975 3977 3976 if (tx.sta && 3978 3977 wiphy_ext_feature_isset(local->hw.wiphy, NL80211_EXT_FEATURE_AQL)) {