| Age | Commit message (Collapse) | Author |
|---|
|
Repair "bad line" warnings by starting each line with " *".
Add or correct kernel-doc entries for missing struct members in
struct ath_tx_stats.
Warning: ../drivers/net/wireless/ath/ath9k/debug.h:144 bad line:
may have had errors.
Warning: ../drivers/net/wireless/ath/ath9k/debug.h:146 bad line:
may have had errors.
Warning: ../drivers/net/wireless/ath/ath9k/debug.h:156 bad line:
Valid only for:
Warning: ../drivers/net/wireless/ath/ath9k/debug.h:157 bad line:
- non-aggregate condition.
Warning: ../drivers/net/wireless/ath/ath9k/debug.h:158 bad line:
- first packet of aggregate.
Warning: drivers/net/wireless/ath/ath9k/debug.h:191 struct member
'xretries' not described in 'ath_tx_stats'
Warning: drivers/net/wireless/ath/ath9k/debug.h:191 struct member
'data_underrun' not described in 'ath_tx_stats'
Warning: drivers/net/wireless/ath/ath9k/debug.h:191 struct member
'delim_underrun' not described in 'ath_tx_stats'
Fixes: 99c15bf575b1 ("ath9k: Report total tx/rx bytes and packets in debugfs.")
Fixes: fec247c0d5bf ("ath9k: Add debug counters for TX")
Fixes: 5a6f78afdabe ("ath9k: show excessive-retry MPDUs in debugfs")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://patch.msgid.link/20251117020304.448687-1-rdunlap@infradead.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
|
|
Add a description for ATH5K_DEBUG_ANI and delete the descriptions for
3 undefined enum descriptions to prevent these warnings:
Warning: drivers/net/wireless/ath/ath5k/debug.h:111 Enum value
'ATH5K_DEBUG_ANI' not described in enum 'ath5k_debug_level'
Warning: drivers/net/wireless/ath/ath5k/debug.h:111 Excess enum value
'%ATH5K_DEBUG_DUMP_RX' description in 'ath5k_debug_level'
Warning: drivers/net/wireless/ath/ath5k/debug.h:111 Excess enum value
'%ATH5K_DEBUG_DUMP_TX' description in 'ath5k_debug_level'
Warning: drivers/net/wireless/ath/ath5k/debug.h:111 Excess enum value
'%ATH5K_DEBUG_TRACE' description in 'ath5k_debug_level'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20251128010401.546506-1-rdunlap@infradead.org
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
|
|
Clear TX/RX ring index, PCI operating mode, SER setting, PCI LTR and
preinit settings.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260110022019.2254969-9-pkshih@realtek.com
|
|
The MAC settings are different from RTL8922A to RTL8922D, including
scheduler, DLE, DCPU, MLO, NAV, TMAC, TX/RX protocol, RMAC, IMR, host RPT,
AMSDU. Update them accordingly.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260110022019.2254969-8-pkshih@realtek.com
|
|
For beamforming procedure, hardware reserve memory page for CSI response.
The unit of register is (value - 1), so add one accordingly as expected.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260110022019.2254969-7-pkshih@realtek.com
|
|
Firmware does customized features by CUSTID, so align the ID definition
to have expected features enabled.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260110022019.2254969-6-pkshih@realtek.com
|
|
For certain chip models, EHT protocol is disabled, and driver must follow
the capabilities. Otherwise, chips become unusable.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260110022019.2254969-5-pkshih@realtek.com
|
|
Add support for fixed EHT GI/LTF via nl80211.
The command example:
iw wlan0 set bitrates eht-gi-6 0.8 eht-ltf-6 2
Signed-off-by: Kuan-Chung Chen <damon.chen@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260110022019.2254969-4-pkshih@realtek.com
|
|
Some APs disconnect clients by sending a Disassociation frame
rather than a Deauthentication frame. Since these frames use
different reason codes in WoWLAN mode, this commit adds support
for handling Disassociation to prevent missed disconnection events.
Signed-off-by: Chin-Yen Lee <timlee@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260110022019.2254969-3-pkshih@realtek.com
|
|
Hardware rarely reports abnormal sequence number in TX release report,
which will access out-of-bounds of wd_ring->pages array, causing NULL
pointer dereference.
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP NOPTI
CPU: 1 PID: 1085 Comm: irq/129-rtw89_p Tainted: G S U
6.1.145-17510-g2f3369c91536 #1 (HASH:69e8 1)
Call Trace:
<IRQ>
rtw89_pci_release_tx+0x18f/0x300 [rtw89_pci (HASH:4c83 2)]
rtw89_pci_napi_poll+0xc2/0x190 [rtw89_pci (HASH:4c83 2)]
net_rx_action+0xfc/0x460 net/core/dev.c:6578 net/core/dev.c:6645 net/core/dev.c:6759
handle_softirqs+0xbe/0x290 kernel/softirq.c:601
? rtw89_pci_interrupt_threadfn+0xc5/0x350 [rtw89_pci (HASH:4c83 2)]
__local_bh_enable_ip+0xeb/0x120 kernel/softirq.c:499 kernel/softirq.c:423
</IRQ>
<TASK>
rtw89_pci_interrupt_threadfn+0xf8/0x350 [rtw89_pci (HASH:4c83 2)]
? irq_thread+0xa7/0x340 kernel/irq/manage.c:0
irq_thread+0x177/0x340 kernel/irq/manage.c:1205 kernel/irq/manage.c:1314
? thaw_kernel_threads+0xb0/0xb0 kernel/irq/manage.c:1202
? irq_forced_thread_fn+0x80/0x80 kernel/irq/manage.c:1220
kthread+0xea/0x110 kernel/kthread.c:376
? synchronize_irq+0x1a0/0x1a0 kernel/irq/manage.c:1287
? kthread_associate_blkcg+0x80/0x80 kernel/kthread.c:331
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295
</TASK>
To prevent crash, validate rpp_info.seq before using.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260110022019.2254969-2-pkshih@realtek.com
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/ath/ath into wireless
Jeff Johnson says:
==================
ath.git update for v6.19-rc6
A collection of small bug fixes in ath10k and ath12k.
==================
Link: https://patch.msgid.link/98386125-c0bb-495e-b2ba-2765aaed19d8@oss.qualcomm.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
Wrong P2P device link id value of 0 was introduced in ath12k_mac_op_tx() by [1].
During the P2P negotiation process, there is only one scan vdev with link ID 15.
Currently, the device link ID is incorrectly set to 0 in ath12k_mac_op_tx()
during the P2P negotiation process, which leads to TX failures.
Set the correct P2P device link ID to 15 to fix the TX failure issue.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
Fixes: 648a121bafa3 ("wifi: ath12k: ath12k_mac_op_tx(): MLO support") # [1]
Signed-off-by: Yingying Tang <yingying.tang@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Cc: linux-next@vger.kernel.org
Cc: netdev@vger.kernel.org
Link: https://patch.msgid.link/20260113054636.2620035-1-yingying.tang@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
---
Note to linux-next and netdev maintainers:
This patch going through the "current" tree conflicts with
the following going through the "next" tree:
commit 631ee338f04d ("Merge branch 'ath12k-ng' into ath-next")
The conflict resolution is to leave the following file unmodified:
drivers/net/wireless/ath/ath12k/mac.
And to apply the following patch to ath12k_wifi7_mac_op_tx()
in the file drivers/net/wireless/ath/ath12k/wifi7/hw.c -705,7 +705,10
return;
}
} else {
- link_id = 0;
+ if (vif->type == NL80211_IFTYPE_P2P_DEVICE)
+ link_id = ATH12K_FIRST_SCAN_LINK;
+ else
+ link_id = 0;
}
arvif = rcu_dereference(ahvif->link[link_id]);
|
|
Commit [1] converted the management transmission work item into a
wiphy work. Since a wiphy work can only run under wiphy lock
protection, a race condition happens in below scenario:
1. a management frame is queued for transmission.
2. ath12k_mac_op_flush() gets called to flush pending frames associated
with the hardware (i.e, vif being NULL). Then in ath12k_mac_flush()
the process waits for the transmission done.
3. Since wiphy lock has been taken by the flush process, the transmission
work item has no chance to run, hence the dead lock.
>From user view, this dead lock results in below issue:
wlp8s0: authenticate with xxxxxx (local address=xxxxxx)
wlp8s0: send auth to xxxxxx (try 1/3)
wlp8s0: authenticate with xxxxxx (local address=xxxxxx)
wlp8s0: send auth to xxxxxx (try 1/3)
wlp8s0: authenticated
wlp8s0: associate with xxxxxx (try 1/3)
wlp8s0: aborting association with xxxxxx by local choice (Reason: 3=DEAUTH_LEAVING)
ath12k_pci 0000:08:00.0: failed to flush mgmt transmit queue, mgmt pkts pending 1
The dead lock can be avoided by invoking wiphy_work_flush() to proactively
run the queued work item. Note actually it is already present in
ath12k_mac_op_flush(), however it does not protect the case where vif
being NULL. Hence move it ahead to cover this case as well.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
Fixes: 56dcbf0b5207 ("wifi: ath12k: convert struct ath12k::wmi_mgmt_tx_work to struct wiphy_work") # [1]
Reported-by: Stuart Hayhurst <stuart.a.hayhurst@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220959
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20260113-ath12k-fix-dead-lock-while-flushing-v1-1-9713621f3a0f@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
|
|
Scan finish workqueue was introduced in __ath12k_mac_scan_finish() by [1].
During ath12k_mac_op_cancel_remain_on_channel(), scan state is set to
ABORTING and should be reset to IDLE in the queued work. However,
wiphy_work_cancel() is called before exiting
ath12k_mac_op_cancel_remain_on_channel(), which prevents the work
from running and leaves the state in ABORTING. This blocks all
subsequent scan requests.
Replace wiphy_work_cancel() with wiphy_work_flush() to ensure the
queued work runs and scan state is reset to IDLE.
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
Fixes: 3863f014ad23 ("wifi: ath12k: symmetrize scan vdev creation and deletion during HW scan") # [1]
Signed-off-by: Yingying Tang <yingying.tang@oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260112115516.2144219-1-yingying.tang@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
|
|
Cancel the scheduled scan request only on the vdev that has an active
scan running. Currently, ahvif->links_map is used to obtain the links,
but this includes links for which no scan is scheduled. In failure cases
where the scan fails due to an invalid channel definition, other links
which are not yet brought up (vdev not created) may also be accessed,
leading to the following trace:
Unable to handle kernel paging request at virtual address 0000000000004c8c
pc : _raw_spin_lock_bh+0x1c/0x54
lr : ath12k_scan_abort+0x20/0xc8 [ath12k]
Call trace:
_raw_spin_lock_bh+0x1c/0x54 (P)
ath12k_mac_op_cancel_hw_scan+0xac/0xc4 [ath12k]
ieee80211_scan_cancel+0xcc/0x12c [mac80211]
ieee80211_do_stop+0x6c4/0x7a8 [mac80211]
ieee80211_stop+0x60/0xd8 [mac80211]
Skip links that are not created or are not the current scan vdev. This
ensures only the scan for the matching links is aborted and avoids
aborting unrelated links during cancellation, thus aligning with how
start/cleanup manage ar->scan.arvif.
Also, remove the redundant arvif->is_started check from
ath12k_mac_op_cancel_hw_scan() that was introduced in commit 3863f014ad23
("wifi: ath12k: symmetrize scan vdev creation and deletion during HW
scan") to avoid deleting the scan interface if the scan is triggered on
the existing AP vdev as this use case is already handled in
ath12k_scan_vdev_clean_work().
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
Fixes: feed05f1526e ("wifi: ath12k: Split scan request for split band device")
Signed-off-by: Manish Dharanenthiran <manish.dharanenthiran@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan@oss.qualcomm.com>
Link: https://patch.msgid.link/20260107-scan_vdev-v1-1-b600aedc645a@qti.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
|
|
Add the ID 2001:3323 to the table to support an additional RTL8832AU
adapter: D-Link VR Air Bridge (DWA-F18).
Compile tested only.
Link: https://github.com/morrownr/rtw89/pull/44
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260112004759.6028-1-zenmchen@gmail.com
|
|
Add the ID 0db0:f0c8 to the table to support an additional RTL8832BU
adapter: MSI AX1800 Nano (GUAX18N).
Compile tested only.
Link: https://github.com/morrownr/rtl8852bu-20250826/pull/2
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260112004358.5516-1-zenmchen@gmail.com
|
|
Update EDCCA settings of MAC part for RTL8922D to consider EDCCA state
signaled by BB circuit.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-14-pkshih@realtek.com
|
|
The preinit is to initialize partial MAC hardware needed before
downloading firmware, and then does post-init after firmware runs.
For RTL8922D, initialize some DMAC and CMAC at this step.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-13-pkshih@realtek.com
|
|
To enable/disable CMAC function somewhere, separate controls of CMAC power
and function into individual functions. Also correct the hardware settings
by the way.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-12-pkshih@realtek.com
|
|
For coming chip 8922DE, the DMA channel set is different from existing one,
so use predefined mask to handle the difference.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-11-pkshih@realtek.com
|
|
The preload_init is to define preload size from memory to transmitting
buffer. The different generations should call its callback respectively
but suddenly it is missed. However, the register definitions of WiFi 6/7
are the same, things are well. For the coming RTL8922D, settings are
different, so abstract it.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-10-pkshih@realtek.com
|
|
WP (WiFi payload) quota is to point to payload being transmitting in
memory. Assign quota to indicate WP page full.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-9-pkshih@realtek.com
|
|
MPDU quota is to define number of memory used to handle packets in DLE
(Data Link Engine). All chips use the same value before, but the RTL8922D
need to use chip specific value.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-8-pkshih@realtek.com
|
|
The RTL8922D has additional quota 13 of SNRPT for PLE (payload engine).
Set value to the quota according to predefined tables.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-7-pkshih@realtek.com
|
|
The quota of DLE and PLE depends on hardware design and consideration of
performance and application. Define them accordingly.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-6-pkshih@realtek.com
|
|
rtw89_fwdl_secure_idmem_share_mode()
The return type of rtw89_fwdl_secure_idmem_share_mode() is void, so no need
a return.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-5-pkshih@realtek.com
|
|
Update software control API due to 8922D PTA hardware changes.
Signed-off-by: Chia-Yuan Li <leo.li@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-4-pkshih@realtek.com
|
|
Assign timeslot to WiFi if power state is on. Since firmware isn't working
at this moment, write scoreboard register to notify BT. Extend the code to
support two BT for coming chips.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-3-pkshih@realtek.com
|
|
The coex scoreboard is to exchange WiFi and BT profiles, and the coming
chip 8922D changes the design including extend to two scoreboards and
individual register for cfg/get. Follow the changes to abstract current
code, but not change logic for existing chips at all.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260108120320.2217402-2-pkshih@realtek.com
|
|
https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next
Johannes Berg says:
====================
First set of changes for the current -next cycle, of note:
- ath12k gets an overhaul to support multi-wiphy device
wiphy and pave the way for future device support in
the same driver (rather than splitting to ath13k)
- mac80211 gets some better iteration macros
* tag 'wireless-next-2026-01-12' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next: (120 commits)
wifi: mac80211: remove width argument from ieee80211_parse_bitrates
wifi: mac80211_hwsim: remove NAN by default
wifi: mac80211: improve station iteration ergonomics
wifi: mac80211: improve interface iteration ergonomics
wifi: cfg80211: include S1G_NO_PRIMARY flag when sending channel
wifi: mac80211: unexport ieee80211_get_bssid()
wl1251: Replace strncpy with strscpy in wl1251_acx_fw_version
wifi: iwlegacy: 3945-rs: remove redundant pointer check in il3945_rs_tx_status() and il3945_rs_get_rate()
wifi: mac80211: don't send an unused argument to ieee80211_check_combinations
wifi: libertas: fix WARNING in usb_tx_block
wifi: mwifiex: Allocate dev name earlier for interface workqueue name
wifi: wlcore: sdio: Use pm_ptr instead of #ifdef CONFIG_PM
wifi: cfg80211: Fix use_for flag update on BSS refresh
wifi: brcmfmac: rename function that frees vif
wifi: brcmfmac: fix/add kernel-doc comments
wifi: mac80211: Update csa_finalize to use link_id
wifi: cfg80211: add cfg80211_stop_link() for per-link teardown
wifi: ath12k: Skip DP peer creation for scan vdev
wifi: ath12k: move firmware stats request outside of atomic context
wifi: ath12k: add the missing RCU lock in ath12k_dp_tx_free_txbuf()
...
====================
Link: https://patch.msgid.link/20260112185836.378736-3-johannes@sipsolutions.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
|
|
We're improving NAN support, but NAN datapath support also
means we need to change some other things, e.g. related to
rate control. Remove NAN by default again from hwsim since
it's the much newer feature.
Link: https://patch.msgid.link/20260108143139.0d4af6ae3609.Ie444b9f5aedabc713c6a1279b5b55976cfb4c465@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
strncpy() is deprecated [1] for NUL-terminated destination buffers since
it does not guarantee NUL termination. Remove the manual NUL termination
and replace strncpy() with strscpy() to ensure NUL termination of the
destination buffer.
Using strscpy_pad() to retain the NUL-padding behavior of strncpy() is
not needed because ->fw_ver is only used as a C-string.
Link: https://www.kernel.org/doc/html/latest/process/deprecated.html#strncpy-on-nul-terminated-strings [1]
Signed-off-by: Thorsten Blum <thorsten.blum@linux.dev>
Link: https://patch.msgid.link/20260111134301.598839-1-thorsten.blum@linux.dev
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
il3945_rs_tx_status() and il3945_rs_get_rate()
The variable il_sta passed into these two functions cannot be NULL, so
remove the related null checks.
Signed-off-by: Tuo Li <islituo@gmail.com>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Link: https://patch.msgid.link/20260111171118.203249-1-islituo@gmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
The "i" iterator variable is used to count two different things but
unfortunately we can't store two different numbers in the same variable.
Use "i" for the outside loop and "j" for the inside loop.
Cc: stable@vger.kernel.org
Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com>
Link: https://patch.msgid.link/aWAM2MGUWRP0zWUd@stanley.mountain
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
The struct ieee80211_vif contains trailing space for vif driver data,
when struct ieee80211_vif is allocated, the total memory size that is
allocated is sizeof(struct ieee80211_vif) + size of vif driver data.
The size of vif driver data is set by each WiFi driver as needed.
The RSI911x driver does not set vif driver data size, no trailing space
for vif driver data is therefore allocated past struct ieee80211_vif .
The RSI911x driver does however use the vif driver data to store its
vif driver data structure "struct vif_priv". An access to vif->drv_priv
leads to access out of struct ieee80211_vif bounds and corruption of
some memory.
In case of the failure observed locally, rsi_mac80211_add_interface()
would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv;
vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member
struct list_head new_flows . The flow = list_first_entry(head, struct
fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus
address, which when accessed causes a crash.
The trigger is very simple, boot the machine with init=/bin/sh , mount
devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1",
"ip link set wlan0 down" and the crash occurs.
Fix this by setting the correct size of vif driver data, which is the
size of "struct vif_priv", so that memory is allocated and the driver
can store its driver data in it, instead of corrupting memory around
it.
Cc: stable@vger.kernel.org
Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
Signed-off-by: Marek Vasut <marex@nabladev.com>
Link: https://patch.msgid.link/20260109235817.150330-1-marex@nabladev.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
|
freq_to_idx() is used to map a channel to a survey index. Commit
acc152f9be20 ("wifi: ath12k: combine channel list for split-phy devices in
single-wiphy") adds radio specific frequency range check in this helper to
make sure an invalid index is returned if the channel falls outside that
range. However, this check introduces a race, resulting in below warnings
as reported in [1].
ath12k_pci 0000:08:00.0: chan info: invalid frequency 6455 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 6535 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 6615 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 6695 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 6775 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 6855 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 6935 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 7015 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 7095 (idx 101 out of bounds)
ath12k_pci 0000:08:00.0: chan info: invalid frequency 6435 (idx 101 out of bounds)
Race scenario:
1) A regdomain covering below frequency range is uploaded to host via
WMI_REG_CHAN_LIST_CC_EXT_EVENTID event:
Country 00, CFG Regdomain UNSET FW Regdomain 0, num_reg_rules 6
1. (2402 - 2472 @ 40) (0, 20) (0 ms) (FLAGS 360448) (0, 0)
2. (2457 - 2477 @ 20) (0, 20) (0 ms) (FLAGS 360576) (0, 0)
3. (5170 - 5330 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0)
4. (5490 - 5730 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0)
5. (5735 - 5895 @ 160) (0, 20) (0 ms) (FLAGS 264320) (0, 0)
6. (5925 - 7125 @ 320) (0, 24) (0 ms) (FLAGS 2056) (0, 255)
As a result, radio frequency range is updated as [2402, 7125]
ath12k_pci 0000:08:00.0: mac pdev 0 freq limit updated. New range 2402->7125 MHz
If no scan in progress or after scan finished, command
WMI_SCAN_CHAN_LIST_CMDID is sent to firmware notifying that firmware
is allowed to do scan on all channels within that range.
The running path is:
/* redomain uploaded */
1. WMI_REG_CHAN_LIST_CC_EXT_EVENTID
2. ath12k_reg_chan_list_event()
3. ath12k_reg_handle_chan_list()
4. queue_work(..., &ar->regd_update_work)
5. ath12k_regd_update_work()
6. ath12k_regd_update()
/* update radio frequency range */
7. ath12k_mac_update_freq_range()
8. regulatory_set_wiphy_regd()
9. ath12k_reg_notifier()
10. ath12k_reg_update_chan_list()
11. queue_work(..., &ar->regd_channel_update_work)
12. ath12k_regd_update_chan_list_work()
/* wait scan finishes */
13. wait_for_completion_timeout(&ar->scan.completed, ...)
/* command notifying list of valid channels */
14. ath12k_wmi_send_scan_chan_list_cmd()
2) Hardware scan is triggered on all allowed channels.
3) Before scan completed, 11D mechanism detects a new country code
ath12k_pci 0000:08:00.0: wmi 11d new cc GB
With this code sent to firmware, firmware uploads a new regdomain
Country GB, CFG Regdomain ETSI FW Regdomain 2, num_reg_rules 9
1. (2402 - 2482 @ 40) (0, 20) (0 ms) (FLAGS 360448) (0, 0)
2. (5170 - 5250 @ 80) (0, 23) (0 ms) (FLAGS 264192) (0, 0)
3. (5250 - 5330 @ 80) (0, 23) (0 ms) (FLAGS 264216) (0, 0)
4. (5490 - 5590 @ 80) (0, 30) (0 ms) (FLAGS 264208)
5. (5590 - 5650 @ 40) (0, 30) (600000 ms) (FLAGS 264208)
6. (5650 - 5730 @ 80) (0, 30) (0 ms) (FLAGS 264208)
7. (5735 - 5875 @ 80) (0, 14) (0 ms) (FLAGS 264192) (0, 0)
8. (5855 - 5875 @ 20) (0, 14) (0 ms) (FLAGS 264192) (0, 0)
9. (5945 - 6425 @ 320) (0, 24) (0 ms) (FLAGS 2056) (0, 11)
Then radio frequency range is updated as [2402, 6425]
ath12k_pci 0000:08:00.0: mac pdev 0 freq limit updated. New range 2402->6425 MHz
Please note this is a smaller range than the previous one. Later host
runs the same path for the purpose of notifying the new channel list.
However since scan not completed, host just waits there. Meanwhile,
firmware is possibly scanning channels outside the new range. As a
result, WMI_CHAN_INFO_EVENTID events for those channels fail
freq_to_idx() check and triggers warnings above.
Fix this issue by removing radio frequency check in freq_to_idx(). This is
valid because channels being scanned do not synchronize with frequency
range update. Besides, this won't cause any problem, since freq_to_idx()
is only used for survey data. Even out-of-range channels filled in the
survey, they won't get delivered to userspace due to the range check
already there in ath12k_mac_op_get_survey().
Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
Fixes: acc152f9be20 ("wifi: ath12k: combine channel list for split-phy devices in single-wiphy")
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=220871 # 1
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260108-ath12k-fix-freq-to-idx-v1-1-b2458cf7aa0d@oss.qualcomm.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
|
|
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Fixes: d889913205cf ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260106084905.18622-2-fourier.thomas@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
|
|
dma_alloc_coherent() allocates a DMA mapped buffer and stores the
addresses in XXX_unaligned fields. Those should be reused when freeing
the buffer rather than the aligned addresses.
Fixes: 2a1e1ad3fd37 ("ath10k: Add support for 64 bit ce descriptor")
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Fourier <fourier.thomas@gmail.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Link: https://patch.msgid.link/20260105210439.20131-2-fourier.thomas@gmail.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
|
|
RACK is to ask firmware send received ACK to driver when a H2C command
is received. This is necessary for WiFi 6 chips only.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-11-pkshih@realtek.com
|
|
The coming chip RTL8922D has variant of hardware with different AID. Add
AID field to header of firmware elements, and compare AID with the value
read from hardware.
Currently, apply this rule to BB and RF parameters.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-10-pkshih@realtek.com
|
|
CMAC H2C command is to configure CMAC such as TX retry and padding. Add to
update CMAC function block while puncturing is changing.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-9-pkshih@realtek.com
|
|
CMAC H2C command is to configure CMAC such as TX retry and padding. Add to
update CMAC function block when BT-coex want shorter TX time due to
timeslot assignment, or when MCC want higher retry time to improve
connection rate.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-8-pkshih@realtek.com
|
|
CMAC H2C command is to configure CMAC such as TX retry and padding. Add to
update CMAC function block while AMPDU is established.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-7-pkshih@realtek.com
|
|
CMAC H2C command is to configure CMAC such as TX retry and padding. Add to
update CMAC function block according to associated peer.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-6-pkshih@realtek.com
|
|
CMAC H2C command is to configure CMAC such as TX retry and padding. Add to
reset CMAC function block to default value.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-5-pkshih@realtek.com
|
|
Write association data including address and security key of peer to
hardware. Add the command for RTL8922D accordingly.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-4-pkshih@realtek.com
|
|
Add RXDESC v3 to parse meta data of receiving packets for RTL8922D.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-3-pkshih@realtek.com
|
|
Add TXWD v3 to assist in transmitting for RTL8922D according to hardware
design.
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20260106030911.15528-2-pkshih@realtek.com
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Jakub Kicinski:
"Including fixes from netfilter and wireless.
Current release - fix to a fix:
- net: do not write to msg_get_inq in callee
- arp: do not assume dev_hard_header() does not change skb->head
Current release - regressions:
- wifi: mac80211: don't iterate not running interfaces
- eth: mlx5: fix NULL pointer dereference in ioctl module EEPROM
Current release - new code bugs:
- eth: bnge: add AUXILIARY_BUS to Kconfig dependencies
Previous releases - regressions:
- eth: mlx5: dealloc forgotten PSP RX modify header
Previous releases - always broken:
- ping: fix ICMP out SNMP stats double-counting with ICMP sockets
- bonding: preserve NETIF_F_ALL_FOR_ALL across TSO updates
- bridge: fix C-VLAN preservation in 802.1ad vlan_tunnel egress
- eth: bnxt: fix potential data corruption with HW GRO/LRO"
* tag 'net-6.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (70 commits)
arp: do not assume dev_hard_header() does not change skb->head
net: enetc: fix build warning when PAGE_SIZE is greater than 128K
atm: Fix dma_free_coherent() size
tools: ynl: don't install tests
net: do not write to msg_get_inq in callee
bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup
net: usb: pegasus: fix memory leak in update_eth_regs_async()
net: 3com: 3c59x: fix possible null dereference in vortex_probe1()
net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset
wifi: mac80211: collect station statistics earlier when disconnect
wifi: mac80211: restore non-chanctx injection behaviour
wifi: mac80211_hwsim: disable BHs for hwsim_radio_lock
wifi: mac80211: don't iterate not running interfaces
wifi: mac80211_hwsim: fix typo in frequency notification
wifi: avoid kernel-infoleak from struct iw_point
net: airoha: Fix schedule while atomic in airoha_ppe_deinit()
selftests: netdevsim: add carrier state consistency test
net: netdevsim: fix inconsistent carrier state after link/unlink
selftests: drv-net: Bring back tool() to driver __init__s
net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy
...
|
