- 07 Sep, 2022 4 commits
-
-
Hans de Goede authored
The Chuwi Hi8 Pro tablet contains quite generic names in the sys_vendor and product_name DMI strings, without this patch brcmfmac will try to load: "brcmfmac43430a0-sdio.Default string-Default string.txt" as nvram file which is way too generic. The Chuwi Hi8 Pro uses the same Ampak AP6212 module as the Chuwi Vi8 Plus and the nvram for the Vi8 Plus is already in linux-firmware, so point the new DMI nvram filename quirk to the Vi8 Plus nvram file. Signed-off-by:
Hans de Goede <hdegoede@redhat.com> Signed-off-by:
Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20220810142333.141044-1-hdegoede@redhat.com
-
Hans de Goede authored
Many devices ship with a nvram ccode value of X2/XT/XU/XV/ALL which are all special world-wide compatibility ccode-s. Most of these world-wide ccode-s allow passive scan mode only for 2.4GHz channels 12-14, only enabling them when an AP is seen on them. Since linux-firmware has moved to the new cyfmac43430-sdio.bin + cyfmac43430-sdio.clm_blob firmware files this no longer works and 43430 devices using e.g. an X2 ccode fail to connect to an AP on channel 13. Add the 43430 chip-id to the list of chips for which to use the ISO3166 country code + rev 0 as fallback in brcmf_translate_country_code() to fix this. Signed-off-by:
-
Alexander Coffin authored
> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb); may be schedule, and then complete before the line > ndev->stats.tx_bytes += skb->len; [ 46.912801] ================================================================== [ 46.920552] BUG: KASAN: use-after-free in brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.928673] Read of size 4 at addr ffffff803f5882e8 by task systemd-resolve/328 [ 46.935991] [ 46.937514] CPU: 1 PID: 328 Comm: systemd-resolve Tainted: G O 5.4.199-[REDACTED] #1 [ 46.947255] Hardware name: [REDACTED] [ 46.954568] Call trace: [ 46.957037] dump_backtrace+0x0/0x2b8 [ 46.960719] show_stack+0x24/0x30 [ 46.964052] dump_stack+0x128/0x194 [ 46.967557] print_address_description.isra.0+0x64/0x380 [ 46.972877] __kasan_report+0x1d4/0x240 [ 46.976723] kasan_report+0xc/0x18 [ 46.980138] __asan_report_load4_noabort+0x18/0x20 [ 46.985027] brcmf_netdev_start_xmit+0x718/0x8c8 [brcmfmac] [ 46.990613] dev_hard_start_xmit+0x1bc/0xda0 [ 46.994894] sch_direct_xmit+0x198/0xd08 [ 46.998827] __qdisc_run+0x37c/0x1dc0 [ 47.002500] __dev_queue_xmit+0x1528/0x21f8 [ 47.006692] dev_queue_xmit+0x24/0x30 [ 47.010366] neigh_resolve_output+0x37c/0x678 [ 47.014734] ip_finish_output2+0x598/0x2458 [ 47.018927] __ip_finish_output+0x300/0x730 [ 47.023118] ip_output+0x2e0/0x430 [ 47.026530] ip_local_out+0x90/0x140 [ 47.030117] igmpv3_sendpack+0x14c/0x228 [ 47.034049] igmpv3_send_cr+0x384/0x6b8 [ 47.037895] igmp_ifc_timer_expire+0x4c/0x118 [ 47.042262] call_timer_fn+0x1cc/0xbe8 [ 47.046021] __run_timers+0x4d8/0xb28 [ 47.049693] run_timer_softirq+0x24/0x40 [ 47.053626] __do_softirq+0x2c0/0x117c [ 47.057387] irq_exit+0x2dc/0x388 [ 47.060715] __handle_domain_irq+0xb4/0x158 [ 47.064908] gic_handle_irq+0x58/0xb0 [ 47.068581] el0_irq_naked+0x50/0x5c [ 47.072162] [ 47.073665] Allocated by task 328: [ 47.077083] save_stack+0x24/0xb0 [ 47.080410] __kasan_kmalloc.isra.0+0xc0/0xe0 [ 47.084776] kasan_slab_alloc+0x14/0x20 [ 47.088622] kmem_cache_alloc+0x15c/0x468 [ 47.092643] __alloc_skb+0xa4/0x498 [ 47.096142] igmpv3_newpack+0x158/0xd78 [ 47.099987] add_grhead+0x210/0x288 [ 47.103485] add_grec+0x6b0/0xb70 [ 47.106811] igmpv3_send_cr+0x2e0/0x6b8 [ 47.110657] igmp_ifc_timer_expire+0x4c/0x118 [ 47.115027] call_timer_fn+0x1cc/0xbe8 [ 47.118785] __run_timers+0x4d8/0xb28 [ 47.122457] run_timer_softirq+0x24/0x40 [ 47.126389] __do_softirq+0x2c0/0x117c [ 47.130142] [ 47.131643] Freed by task 180: [ 47.134712] save_stack+0x24/0xb0 [ 47.138041] __kasan_slab_free+0x108/0x180 [ 47.142146] kasan_slab_free+0x10/0x18 [ 47.145904] slab_free_freelist_hook+0xa4/0x1b0 [ 47.150444] kmem_cache_free+0x8c/0x528 [ 47.154292] kfree_skbmem+0x94/0x108 [ 47.157880] consume_skb+0x10c/0x5a8 [ 47.161466] __dev_kfree_skb_any+0x88/0xa0 [ 47.165598] brcmu_pkt_buf_free_skb+0x44/0x68 [brcmutil] [ 47.171023] brcmf_txfinalize+0xec/0x190 [brcmfmac] [ 47.176016] brcmf_proto_bcdc_txcomplete+0x1c0/0x210 [brcmfmac] [ 47.182056] brcmf_sdio_sendfromq+0x8dc/0x1e80 [brcmfmac] [ 47.187568] brcmf_sdio_dpc+0xb48/0x2108 [brcmfmac] [ 47.192529] brcmf_sdio_dataworker+0xc8/0x238 [brcmfmac] [ 47.197859] process_one_work+0x7fc/0x1a80 [ 47.201965] worker_thread+0x31c/0xc40 [ 47.205726] kthread+0x2d8/0x370 [ 47.208967] ret_from_fork+0x10/0x18 [ 47.212546] [ 47.214051] The buggy address belongs to the object at ffffff803f588280 [ 47.214051] which belongs to the cache skbuff_head_cache of size 208 [ 47.227086] The buggy address is located 104 bytes inside of [ 47.227086] 208-byte region [ffffff803f588280, ffffff803f588350) [ 47.238814] The buggy address belongs to the page: [ 47.243618] page:ffffffff00dd6200 refcount:1 mapcount:0 mapping:ffffff804b6bf800 index:0xffffff803f589900 compound_mapcount: 0 [ 47.255007] flags: 0x10200(slab|head) [ 47.258689] raw: 0000000000010200 ffffffff00dfa980 0000000200000002 ffffff804b6bf800 [ 47.266439] raw: ffffff803f589900 0000000080190018 00000001ffffffff 0000000000000000 [ 47.274180] page dumped because: kasan: bad access detected [ 47.279752] [ 47.281251] Memory state around the buggy address: [ 47.286051] ffffff803f588180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.293277] ffffff803f588200: fb fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 47.300502] >ffffff803f588280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 47.307723] ^ [ 47.314343] ffffff803f588300: fb fb fb fb fb fb fb fb fb fb fc fc fc fc fc fc [ 47.321569] ffffff803f588380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb [ 47.328789] ================================================================== Signed-off-by:
Alexander Coffin <alex.coffin@matician.com> Signed-off-by:
-
Kees Cook authored
In preparation for FORTIFY_SOURCE performing run-time destination buffer bounds checking for memcpy(), refactor the use of struct iwl_calib_result: - Have struct iwl_calib_result contain struct iwl_calib_cmd since functions expect to operate on the "data" flex array in "cmd", which follows the "hdr" member. - Switch argument passing around to use struct iwl_calib_cmd instead of struct iwl_calib_hdr to prepare functions to see the "data" member. - Change iwl_calib_set()'s "len" argument to a size_t since it is always unsigned and is normally receiving the output of sizeof(). - Add an explicit length sanity check in iwl_calib_set(). - Adjust the memcpy() to avoid copying across the now visible composite flex array structure. This avoids the future run-time warning: memcpy: detected field-spanning write (size 8) of single field "&res->hdr" (size 4) Cc: Luca Coelho <luciano.coelho@intel.com> Cc: Kalle Valo <kvalo@codeaurora.org> Cc: "David S. Miller" <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Lee Jones <lee.jones@linaro.org> Cc: Johannes Berg <johannes.berg@intel.com> Cc: linux-wireless@vger.kernel.org Cc: netdev@vger.kernel.org Reported-by:
Andy Lavr <andy.lavr@gmail.com> Signed-off-by:
Kees Cook <keescook@chromium.org> Signed-off-by:
-
- 06 Sep, 2022 16 commits
-
-
Johannes Berg authored
One of my previous patches here changed the function prototype, but since it was (half?) automated, I didn't update the docs. Fix that now. Fixes: b3e2130b ("wifi: mac80211: change QoS settings API to take link into account") Signed-off-by:
Johannes Berg <johannes.berg@intel.com>
-
Johannes Berg authored
By default, even in client mode, hwsim always had all links active, where it then uses them in a round-robin fashion. Re-enable that by activating all valid links work right after the connection is authorized. Signed-off-by: -
Johannes Berg authored
Implement an API function and debugfs file to switch active links. Also provide an async version of the API so drivers can call it in arbitrary contexts, e.g. while in the authorized callback. Signed-off-by: -
Benjamin Berg authored
The A-MSDU data needs to be stored per-link and aggregated into a single value for the station. Add a new struct ieee_80211_sta_aggregates in order to store this data and a new function ieee80211_sta_recalc_aggregates to update the current data for the STA. Note that in the non MLO case the pointer in ieee80211_sta will directly reference the data in deflink.agg, which means that recalculation may be skipped in that case. Signed-off-by:
Benjamin Berg <benjamin.berg@intel.com> Signed-off-by:
-
Johannes Berg authored
On secondary MLO links, I forgot to set the beacon interval and DTIM period, fix that. Signed-off-by: -
Johannes Berg authored
Add macros (and an exported function) to allow checking some link RCU protected accesses that are happening in callbacks from mac80211 and are thus under the correct lock. Signed-off-by: -
Johannes Berg authored
In hwsim we now track when we receive NDP (or other frames carrying a PM bit) to see if a link should be active, but then of course we also need to transmit NDPs to at least set a link to inactive when we deacivate it. Implement that as well as sending an NDP when we activate a link, which allows receiving frames before transmitting any. Signed-off-by: -
Johannes Berg authored
Add a link_id parameter to ieee80211_nullfunc_get() to be able to obtain a correctly addressed frame. Signed-off-by: -
Johannes Berg authored
Track the powersave bit on frames where we can look up the STA by link addresses and set the links active or inactive accordingly, and use this information to TX only on links that are actually active in the peer. Note that this doesn't implement powersave fully so if no link is active things will not work right. Signed-off-by: -
Johannes Berg authored
With the link activation handling in mac80211, skip any inactive links on TX. Signed-off-by: -
Johannes Berg authored
Add a new API function ieee80211_find_sta_by_link_addrs() that looks up the STA and link ID based on interface and station link addresses. We're going to use it for mac80211-hwsim to track on the AP side which links are active. Signed-off-by: -
Johannes Berg authored
In order to let the driver select active links and properly make multi-link connections, as a first step isolate the driver from inactive links, and set the active links to be only the association link for client-side interfaces. For AP side nothing changes since APs always have to have all their links active. To simplify things, update the for_each_sta_active_link() API to include the appropriate vif pointer. This also implies not allocating a chanctx for an inactive link, which requires a few more changes. Since we now no longer try to program multiple links to the driver, remove the check in the MLME code. Signed-off-by: -
Benjamin Berg authored
The SMPS power save mode needs to be per-link rather than being shared for all links. As such, move it into struct ieee80211_link_sta. Signed-off-by:
-
Benjamin Berg authored
Use rx->link_sta everywhere instead of accessing the default link. Signed-off-by:
-
Johannes Berg authored
Now that we have a link_sta pointer in the rx struct we also need to fill it in all the cases. It didn't matter so much until now as we weren't using it, but the code should really be able to assume that if the rx.sta is set, so is rx.link_sta. Fixes: ccdde7c7 ("wifi: mac80211: properly implement MLO key handling") Signed-off-by:
-
Johannes Berg authored
Merge wireless/main to get the rx.link fix, which is needed for further work in this area. Signed-off-by:
-
- 04 Sep, 2022 1 commit
-
-
David S. Miller authored
Merge tag 'wireless-next-2022-09-03' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next Johannes Berg says: ==================== drivers - rtw89: large update across the map, e.g. coex, pci(e), etc. - ath9k: uninit memory read fix - ath10k: small peer map fix and a WCN3990 device fix - wfx: underflow stack - the "change MAC address while IFF_UP" change from James we discussed - more MLO work, including a set of fixes for the previous code, now that we have more code we can exercise it more - prevent some features with MLO that aren't ready yet (AP_VLAN and 4-address connections) ==================== Signed-off-by:
David S. Miller <davem@davemloft.net>
-
- 03 Sep, 2022 19 commits
-
-
Johannes Berg authored
In netlink RX, now that we can actually have multiple channel contexts for MLO, things don't work well as we only keep a single pointer, and then on link switching we might NULL it, and hit the return if the channel is NULL. However, we already use mac80211_hwsim_tx_iter() which deals with all this, so remove the test and adjust the remaining code a bit. This then means we no longer use the chanctx pointer, so remove it as well. Signed-off-by: -
Johannes Berg authored
Currently, other paths calling drv_sta_state() hold the mutex and therefore drivers can assume that, and look at links with that protection. Fix that for the reconfig path as well; to do it more easily use ieee80211_reconfig_stations() for the AP/AP_VLAN station reconfig as well. Signed-off-by: -
Johannes Berg authored
Add an MLD address attribute to BSS entries that the interface is currently associated with to help userspace figure out what's going on. Signed-off-by: -
Johannes Berg authored
Refactor the code to apply QoS settings to the driver so we can call it on link switch. Signed-off-by: -
Johannes Berg authored
Catch the bugs fixed in mac80211 by the previous commits and warn if an invalid address is added (or removed). Signed-off-by: -
Johannes Berg authored
When we stop a not-yet-started scan, we erroneously call into the driver, causing a sequence of sw_scan_start() followed by sw_scan_complete() twice. This will cause a warning in hwsim with next in line commit that validates the address passed to wmediumd/virtio. Fix this by doing the calls only if we were actually scanning. Signed-off-by: -
Johannes Berg authored
Right now, we assign the link address only after we add the link to the driver, which is quite obviously wrong. It happens to work in many cases because it gets updated immediately, and then link_conf updates may update it, but it's clearly not really right. Set the link address during ieee80211_mgd_setup_link() so it's set before telling the driver about the link. Fixes: 81151ce4 ("wifi: mac80211: support MLO authentication/association with one link") Signed-off-by:
-
Johannes Berg authored
We probably should've done that originally, we already have about 300 lines of code there, and will add more. Move all the link code we wrote to a new file. Signed-off-by: -
Johannes Berg authored
Refactor some common RX functionality between the netlink and non-netlink paths, adding the special hwsim TLV (if compiled) also in the netlink path. Signed-off-by: -
Johannes Berg authored
Just as an additional check that mac80211 isn't doing anything strange, add a check of the STA magic (which gets assigned when the station is added, and cleared when the station is removed). Signed-off-by: -
Johannes Berg authored
We don't need the sdata argument, and it doesn't make any sense for a direct conversion from one value to another, so just remove the argument Signed-off-by: -
Johannes Berg authored
Now that we have proper multicast TX in mac80211, there's no longer a need to fake something here. Signed-off-by: -
Jinpeng Cui authored
Return value from rdev_set_mcast_rate() directly instead of taking this in another redundant variable. Reported-by:
Zeal Robot <zealci@zte.com.cn> Signed-off-by:
Jinpeng Cui <cui.jinpeng2@zte.com.cn> Signed-off-by:
-
James Prestwood authored
Adds support in mac80211 for NL80211_EXT_FEATURE_POWERED_ADDR_CHANGE. The motivation behind this functionality is to fix limitations of address randomization on frequencies which are disallowed in world roaming. The way things work now, if a client wants to randomize their address per-connection it must power down the device, change the MAC, and power back up. Here lies a problem since powering down the device may result in frequencies being disabled (until the regdom is set). If the desired BSS is on one such frequency the client is unable to connect once the phy is powered again. For mac80211 based devices changing the MAC while powered is possible but currently disallowed (-EBUSY). This patch adds some logic to allow a MAC change while powered by removing the interface, changing the MAC, and adding it again. mac80211 will advertise support for this feature so userspace can determine the best course of action e.g. disallow address randomization on certain frequencies if not supported. There are certain limitations put on this which simplify the logic: - No active connection - No offchannel work, including scanning. Signed-off-by:
James Prestwood <prestwoj@gmail.com> Signed-off-by:
-
James Prestwood authored
Add a new extended feature bit signifying that the wireless hardware supports changing the MAC address while the underlying net_device is powered. Note that this has a different meaning from IFF_LIVE_ADDR_CHANGE as additional restrictions might be imposed by the hardware, such as: - No connection is active on this interface, carrier is off - No scan is in progress - No offchannel operations are in progress Signed-off-by:
-
Johannes Berg authored
We haven't tried this yet, and it's not very likely to work well right now, so for now disable 4-addr use on interfaces that are MLDs. Signed-off-by:
-
Johannes Berg authored
Do not allow VLANs to be added to AP interfaces that are MLDs, this isn't going to work because the link structs aren't propagated to the VLAN interfaces yet. Signed-off-by:
-
Johannes Berg authored
We sometimes copy all the addresses from the 802.11 header for the AAD, which may cause complaints from fortify checks. Use struct_group() to avoid the compiler warnings/errors. Change-Id: Ic3ea389105e7813b22095b295079eecdabde5045 Signed-off-by: -
Soenke Huster authored
An invalid packet with a length shorter than the specified length in the netlink header can lead to use-after-frees and slab-out-of-bounds in the processing of the netlink attributes, such as the following: BUG: KASAN: slab-out-of-bounds in __nla_validate_parse+0x1258/0x2010 Read of size 2 at addr ffff88800ac7952c by task kworker/0:1/12 Workqueue: events hwsim_virtio_rx_work Call Trace: <TASK> dump_stack_lvl+0x45/0x5d print_report.cold+0x5e/0x5e5 kasan_report+0xb1/0x1c0 __nla_validate_parse+0x1258/0x2010 __nla_parse+0x22/0x30 hwsim_virtio_handle_cmd.isra.0+0x13f/0x2d0 hwsim_virtio_rx_work+0x1b2/0x370 process_one_work+0x8df/0x1530 worker_thread+0x575/0x11a0 kthread+0x29d/0x340 ret_from_fork+0x22/0x30 </TASK> Discarding packets with an invalid length solves this. Therefore, skb->len must be set at reception. Change-Id: Ieaeb9a4c62d3beede274881a7c2722c6c6f477b6 Signed-off-by:
Soenke Huster <soenke.huster@eknoes.de> Signed-off-by:
-
