- 15 Nov, 2021 22 commits
-
-
Wen Gong authored
When station connect to AP, the wmi command sequence is: peer_create->vdev_start->vdev_up and sequence of station disconnect fo AP is: peer_delete->vdev_down->vdev_stop The sequence of disconnect is not opposite of connect, it caused firmware crash when it handle wmi vdev stop cmd when the AP is support TWT of 802.11 ax, because firmware need access the bss peer for vdev stop cmd. [ 390.438564] ath11k_pci 0000:05:00.0: wmi cmd send 0x6001 ret 0 [ 390.438567] ath11k_pci 0000:05:00.0: WMI peer create vdev_id 0 peer_addr c4:04:15:3b:e0:39 [ 390.472724] ath11k_pci 0000:05:00.0: mac vdev 0 start center_freq 2437 phymode 11ax-he20-2g [ 390.472731] ath11k_pci 0000:05:00.0: wmi cmd send 0x5003 ret 0 [ 390.560849] ath11k_pci 0000:05:00.0: wmi cmd send 0x5005 ret 0 [ 390.560850] ath11k_pci 0000:05:00.0: WMI mgmt vdev up id 0x0 assoc id 1 bssid c4:04:15:3b:e0:39 [ 399.432896] ath11k_pci 0000:05:00.0: WMI peer delete vdev_id 0 peer_addr c4:04:15:3b:e0:39 [ 399.432902] ath11k_pci 0000:05:00.0: wmi cmd send 0x6002 ret 0 [ 399.441380] ath11k_pci 0000:05:00.0: wmi cmd send 0x5007 ret 0 [ 399.441381] ath11k_pci 0000:05:00.0: WMI vdev down id 0x0 [ 399.454681] ath11k_pci 0000:05:00.0: wmi cmd send 0x5006 ret 0 [ 399.454682] ath11k_pci 0000:05:00.0: WMI vdev stop id 0x0 The opposite sequence of disconnect should be: vdev_down->vdev_stop->peer_delete This patch change the sequence of disconnect for station as above opposite sequence for QCA6390, firmware not crash again with this patch. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Signed-off-by: Wen Gong <quic_wgong@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211027093825.12167-1-quic_wgong@quicinc.com
-
Wen Gong authored
parameter of msecs_to_jiffies should be (3 * 1000) instead of (3 * HZ) Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Signed-off-by: Wen Gong <quic_wgong@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211026032014.27010-1-quic_wgong@quicinc.com
-
Wen Gong authored
Currently in ath11k_mac_op_sta_statistics() there is the following logic: if (!arsta->txrate.legacy && !arsta->txrate.nss) return; Unfortunately if this condition is true then the function returns without setting parameters that follow the txrate. To address this issue remove the return and instead invert the logic to set the txrate logic if (arsta->txrate.legacy || arsta->txrate.nss). The same was done also in ath10k in commit 1cd6ba8a ("ath10k: remove return for NL80211_STA_INFO_TX_BITRATE"). Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211011084957.31024-1-wgong@codeaurora.org
-
Wen Gong authored
When NSS ratio enabled reported by firmware, SUPPORTS_VHT_EXT_NSS_BW is set in ath11k, meanwhile IEEE80211_VHT_EXT_NSS_BW_CAPABLE also need to be set, otherwise it is invalid because spec in IEEE Std 802.11
™ ‐2020 as below. Table 9-273-Supported VHT-MCS and NSS Set subfields, it has subfield VHT Extended NSS BW Capable, its definition is: Indicates whether the STA is capable of interpreting the Extended NSS BW Support subfield of the VHT Capabilities Information field. dmesg have a message without this patch: ieee80211 phy0: copying sband (band 1) due to VHT EXT NSS BW flag It means mac80211 will set IEEE80211_VHT_EXT_NSS_BW_CAPABLE if ath11k not set it in ieee80211_register_hw(). So it is better to set it in ath11k. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211013073704.15888-1-wgong@codeaurora.org -
P Praneesh authored
Avoid unnecessary idr_find calls before the idr_remove calls. Because idr_remove gives the valid ptr if id is valid otherwise return NULL ptr. So removed the idr_find before idr_remove in tx completion path. Also no need to disable the bottom half preempt if it is already in the bottom half context, so modify the spin_lock_bh to spin_lock in the data tx completion path. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01734-QCAHKSWPL_SILICONZ-1 v2 Co-developed-by: Karthikeyan Periyasamy <periyasa@codeaurora.org> Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-13-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
Add branch prediction in dp_tx code path in tx and tx completion handlers. Also in ath11k_dp_tx_complete_msdu , the pointer that is returned by rcu_dereference() is not dereferenced. so it is preferable to use rcu_access_pointer() here. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01734-QCAHKSWPL_SILICONZ-1 v2 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-12-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
Currently while loop is used to find the tx completion ring number and it is not required since the tx ring mask and the group id can be combined to directly fetch the ring number. Hence remove the while loop and directly get the ring number from tx mask and group id. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01734-QCAHKSWPL_SILICONZ-1 v2 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-11-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
Replace use of mod operator with a manual wrap around to avoid additional cost of using mod operation. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01734-QCAHKSWPL_SILICONZ-1 v2 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-10-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
Similar to REO destination ring, also allocate HAL_WBM2SW_RELEASE from cacheable memory so that descriptors could be prefetched during tx completion handling. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01734-QCAHKSWPL_SILICONZ-1 v2 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-9-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
In datapath, add branch predictors where required in the process rx(). This protects high value rx path without having performance overhead. Also while processing rx packets, the pointer that is returned by rcu_dereference() is not dereferenced. so it is preferable to use rcu_access_pointer() here. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-8-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
The usage of quota variable inside ath11k_dp_rx_process_received_packets() is redundant. Since we would queue only max packets to the list before calling this function so it would never exceed quota. Hence removing usage of quota variable. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-7-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
The Active Pdev and CAC check are done for each msdu in ath11k_dp_rx_process_received_packets which is a overhead. To avoid this overhead, collect all msdus in a per mac msdu list and pass to function. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-6-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
In ath11k_dp_process_rx(), after processing rx_desc from ath11k_hal_srng_dst_get_next_entry(), ath11k_hal_srng_dst_num_free() is accessed everytime because of done flag is not set. To avoid this additional access to ath11k_hal_srng_dst_num_free(), increment total_msdu_reaped only when continuation is not set and update done flag correspondingly. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-5-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
In data path, to reduce the CPU cycles spending on descriptor access wrapper function, changed those functions as static inline. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-4-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
tcl_data and reo_dst rings are currently being allocated using dma_allocate_coherent() which is non cacheable. Allocating ring memory from cacheable memory area allows cached descriptor access and prefetch next descriptors to optimize CPU usage during descriptor processing on NAPI. Based on the hardware param we can enable or disable this feature for the corresponding platform. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Co-developed-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org> Signed-off-by: Pradeep Kumar Chitrapu <pradeepc@codeaurora.org> Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-3-git-send-email-ppranees@codeaurora.org
-
P Praneesh authored
Host driver doesn't need to process CE8 interrupts (used by target independently) The volume of interrupts is huge within short interval, CPU0 CPU1 CPU2 CPU3 14022188 0 0 0 GIC 71 Edge ce8 Hence disabling unused CE8 interrupt will improve CPU usage. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Co-developed-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Sriram R <srirrama@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: P Praneesh <ppranees@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1630560820-21905-2-git-send-email-ppranees@codeaurora.org
-
Venkateswara Naralasetty authored
Currently the updated bandwidth for the peer will be configured to the firmware after channel switch from the sta_rc_update_wk. If the updated bandwidth is greater than the configured peer phymode during the peer assoc may result firmware assert. For example, initially AP is in HE40 mode and the peer phymode is configured as MODE_11AX_HE40 during peer assoc. Now user change the channel width to HE80 then, the peer bandwidth will be updated as HE80 to the firmware. This will trigger firmware assert due to peer bandwidth is greater than the peer phymode. Fix this issue by sending peer assoc command before setting the updated peer bandwith to firmware. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 Signed-off-by: Venkateswara Naralasetty <quic_vnaralas@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1636644002-25446-1-git-send-email-quic_vnaralas@quicinc.com
-
Seevalamuthu Mariappan authored
Below compilation error is reported when built with W=1, drivers/net/wireless/ath/ath11k/mac.c:5408:22: error: parameter 'changed_flags' set but not used [-Werror,-Wunused-but-set-parameter] changed_flags is set, but left unused. So, remove unnecessary set. Compile tested only. Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Seevalamuthu Mariappan <quic_seevalam@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1636609967-5114-1-git-send-email-quic_seevalam@quicinc.com
-
Karthikeyan Periyasamy authored
In CE pipe cleanup, DMA memory gets freed by the aligned address (base_addr_owner_space) which is wrong. It needs to be freed by the address (base_addr_owner_space_unaligned) returned by dma_alloc. So free the dma memory by the proper address. This was found in code review. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00729-QCAHKSWPL_SILICONZ-3 v2 Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1636561290-18966-1-git-send-email-quic_periyasa@quicinc.com
-
Karthikeyan Periyasamy authored
In STA kickout event processing, the peer object is protected under spin lock BH. Release this lock after picking up the vdev_id from the peer object instead after ieee80211_report_low_ack(). This will minimize the lock hold period which will improve performance since base_lock is used across the data path. This was found in code review. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00729-QCAHKSWPL_SILICONZ-3 v2 Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1636560388-24955-1-git-send-email-quic_periyasa@quicinc.com
-
Karthikeyan Periyasamy authored
When there is an error in add interface process from ath11k_mac_set_kickout(), the code attempts to handle a fallback for add_interface. When this fallback succeeds, the driver returns zero rather than error code. This leads to success for the non created VAP. In cleanup, driver gets remove interface callback for the non created VAP and proceeds to self peer delete request which leads to FW assert. Since it was already deleted on the fallback of add interface, return the actual error code instead of fallback return code. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-00729-QCAHKSWPL_SILICONZ-3 v2 Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1636558557-2874-1-git-send-email-quic_periyasa@quicinc.com
-
Karthikeyan Periyasamy authored
Firmware expects host to authorize the peer after the successful key install. But host authorize the peer before the key install, this trigger the firmware assert which leads to Q6 crash. To avoid this Q6 crash, host should authorize the peer after the key install. So introduce is_authorized in peer object to identify that peer is authorize or not. When IEEE80211_STA_CONTROL_PORT flag is unset, peer move to authorize state before the vdev up. When the same flag is set then peer move to authorize state after vdev up. So added authorise check in ath11k_bss_assoc() to handle the earlier state transition case. Also added the WMI authorize procedure in ath11k_mac_op_sta_state() to handle the non-earlier state transition case. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01492-QCAHKSWPL_SILICONZ-1 Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1636554200-12345-1-git-send-email-quic_periyasa@quicinc.com
-
- 12 Nov, 2021 3 commits
-
-
Rameshkumar Sundaram authored
AUTH flag is needed when peer assoc command is sent from host in security mode for non-assoc cases. Firmware will handle AUTH flag when client is associating as AUTH flag will be set after key exchange. For internally provided peer assoc commands from host, there won't be any key exchange, so AUTH flag is expected to be set in host. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1-01838-QCAHKSWPL_SILICONZ-1 Co-developed-by: Lavanya Suresh <lavaks@codeaurora.org> Signed-off-by: Lavanya Suresh <lavaks@codeaurora.org> Signed-off-by: Rameshkumar Sundaram <quic_ramess@quicinc.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/1635177786-20854-1-git-send-email-quic_ramess@quicinc.com
-
Rameshkumar Sundaram authored
HTT_PPDU_STATS_CFG_PDEV_ID bit mask for target FW PPDU stats request message was set as bit 8 to 15. Bit 8 is reserved for soc stats and pdev id starts from bit 9. Hence change the bitmask as bit 9 to 15 and fill the proper pdev id in the request message. In commit 701e48a4 ("ath11k: add packet log support for QCA6390"), both HTT_PPDU_STATS_CFG_PDEV_ID and pdev_mask were changed, but this pdev_mask calculation is not valid for platforms which has multiple pdevs with 1 rxdma per pdev, as this is writing same value(i.e. 2) for all pdevs. Hence fixed it to consider pdev_idx as well, to make it compatible for both single and multi pd cases. Tested on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01092-QCAHKSWPL_SILICONZ-1 Tested on: IPQ6018 hw1.0 WLAN.HK.2.5.0.1-01067-QCAHKSWPL_SILICONZ-1 Fixes: 701e48a4 ("ath11k: add packet log support for QCA6390") Co-developed-by: Sathishkumar Muruganandam <murugana@codeaurora.org> Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org> Signed-off-by: Rameshkumar Sundaram <ramess@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210721212029.142388-10-jouni@codeaurora.org
-
Zekun Shen authored
Unexpected WDCMSG_TARGET_START replay can lead to null-ptr-deref when ar->tx_cmd->odata is NULL. The patch adds a null check to prevent such case. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] ar5523_cmd+0x46a/0x581 [ar5523] ar5523_probe.cold+0x1b7/0x18da [ar5523] ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523] ? __pm_runtime_set_status+0x54a/0x8f0 ? _raw_spin_trylock_bh+0x120/0x120 ? pm_runtime_barrier+0x220/0x220 ? __pm_runtime_resume+0xb1/0xf0 usb_probe_interface+0x25b/0x710 really_probe+0x209/0x5d0 driver_probe_device+0xc6/0x1b0 device_driver_attach+0xe2/0x120 I found the bug using a custome USBFuzz port. It's a research work to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only, providing hand-crafted usb descriptors to QEMU. After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START, I got the null-ptr-deref bug. I believe the bug is triggerable whenever cmd->odata is NULL. After patching, I tested with the same input and no longer see the KASAN report. This was NOT tested on a real device. Signed-off-by: Zekun Shen <bruceshenzk@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/YXsmPQ3awHFLuAj2@10-18-43-117.dynapool.wireless.nyu.edu
-
- 10 Nov, 2021 2 commits
-
-
Carl Huang authored
To reduce power consumption enable 802.11 power save mode in station mode. This allows both radio and CPU to sleep more. Only enable the mode on QCA6390 and WCN6855, it's unknown how other hardware families support this feature. To test that power save mode is running run "iw dev wls1 set power_save off", check there is no NULL Data frame seen by a sniffer. And run "iw dev wls1 set power_save on" and check there is a NULL Data frame in sniffer. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Signed-off-by: Carl Huang <cjhuang@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211108123826.8463-2-kvalo@codeaurora.org
-
Kalle Valo authored
It's more descriptive to use the actual enum used by the firmware instead of a boolean so change ath11k_wmi_pdev_set_ps_mode() to use a boolean. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1 Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211108123826.8463-1-kvalo@codeaurora.org
-
- 08 Nov, 2021 5 commits
-
-
Benjamin Li authored
The linear mapping between the BD rate field and the driver's 5GHz legacy rates table (wcn_5ghz_rates) does not only apply for the latter four rates -- it applies to all eight rates. Fixes: 6ea131ac ("wcn36xx: Fix warning due to bad rate_idx") Signed-off-by: Benjamin Li <benl@squareup.com> Tested-by: Loic Poulain <loic.poulain@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211104010548.1107405-3-benl@squareup.com
-
Benjamin Li authored
status.band is used in determination of status.rate -- for 5GHz on legacy rates there is a linear shift between the BD descriptor's rate field and the wcn36xx driver's rate table (wcn_5ghz_rates). We have a special clause to populate status.band for hardware scan offload frames. However, this block occurs after status.rate is already populated. Correctly handle this dependency by moving the band block before the rate block. This patch addresses kernel warnings & missing scan results for 5GHz APs that send their beacons/probe responses at the higher four legacy rates (24-54 Mbps), when using hardware scan offload: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 0 at net/mac80211/rx.c:4532 ieee80211_rx_napi+0x744/0x8d8 Modules linked in: wcn36xx [...] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 4.19.107-g73909fa #1 Hardware name: Square, Inc. T2 (all variants) (DT) Call trace: dump_backtrace+0x0/0x148 show_stack+0x14/0x1c dump_stack+0xb8/0xf0 __warn+0x2ac/0x2d8 warn_slowpath_null+0x44/0x54 ieee80211_rx_napi+0x744/0x8d8 ieee80211_tasklet_handler+0xa4/0xe0 tasklet_action_common+0xe0/0x118 tasklet_action+0x20/0x28 __do_softirq+0x108/0x1ec irq_exit+0xd4/0xd8 __handle_domain_irq+0x84/0xbc gic_handle_irq+0x4c/0xb8 el1_irq+0xe8/0x190 lpm_cpuidle_enter+0x220/0x260 cpuidle_enter_state+0x114/0x1c0 cpuidle_enter+0x34/0x48 do_idle+0x150/0x268 cpu_startup_entry+0x20/0x24 rest_init+0xd4/0xe0 start_kernel+0x398/0x430 ---[ end trace ae28cb759352b403 ]--- Fixes: 8a27ca39 ("wcn36xx: Correct band/freq reporting on RX") Signed-off-by: Benjamin Li <benl@squareup.com> Tested-by: Loic Poulain <loic.poulain@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211104010548.1107405-2-benl@squareup.com
-
Bryan O'Donoghue authored
When deiniting the DXE hardware we should reset the block to ensure there is no spurious DMA write transaction from the downstream WCNSS to upstream MSM at a skbuff address we will have released. Fixes: 8e84c258 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211105122152.1580542-4-bryan.odonoghue@linaro.org
-
Bryan O'Donoghue authored
When unloading the driver we are not releasing the DMA descriptors which we previously allocated. Fixes: 8e84c258 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211105122152.1580542-3-bryan.odonoghue@linaro.org
-
Bryan O'Donoghue authored
Right now we have a broken sequence where we enable DMA channel interrupts which can be left enabled and never disabled if we hit an error path. Worse still when we unload the driver, the DMA channel interrupt bits are left intact. About the only saving grace here is that we do remember to disable the wcnss interrupt when unload the driver. Fixes: 8e84c258 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211105122152.1580542-2-bryan.odonoghue@linaro.org
-
- 01 Nov, 2021 7 commits
-
-
Yang Guang authored
Using swap() make it more readable. Reported-by: Zeal Robot <zealci@zte.com.cn> Signed-off-by: Yang Guang <yang.guang5@zte.com.cn> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211028010451.7754-1-yang.guang5@zte.com.cn
-
Bryan O'Donoghue authored
Firmware can trigger a missed beacon indication, this is not the same as a lost signal. Flag to Linux the missed beacon and let the WiFi stack decide for itself if the link is up or down by sending its own probe to determine this. We should only be signalling the link is lost when the firmware indicates Fixes: 8e84c258 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211027232529.657764-1-bryan.odonoghue@linaro.org
-
Benjamin Li authored
An SMD capture from the downstream prima driver on WCN3680B shows the following command sequence for connected scans: - init_scan_req - start_scan_req, channel 1 - end_scan_req, channel 1 - start_scan_req, channel 2 - ... - end_scan_req, channel 3 - finish_scan_req - init_scan_req - start_scan_req, channel 4 - ... - end_scan_req, channel 6 - finish_scan_req - ... - end_scan_req, channel 165 - finish_scan_req Upstream currently never calls wcn36xx_smd_end_scan, and in some cases[1] still sends finish_scan_req twice in a row or before init_scan_req. A typical connected scan looks like this: - init_scan_req - start_scan_req, channel 1 - finish_scan_req - init_scan_req - start_scan_req, channel 2 - ... - start_scan_req, channel 165 - finish_scan_req - finish_scan_req This patch cleans up scanning so that init/finish and start/end are always paired together and correctly nested. - init_scan_req - start_scan_req, channel 1 - end_scan_req, channel 1 - finish_scan_req - init_scan_req - start_scan_req, channel 2 - end_scan_req, channel 2 - ... - start_scan_req, channel 165 - end_scan_req, channel 165 - finish_scan_req Note that upstream will not do batching of 3 active-probe scans before returning to the operating channel, and this patch does not change that. To match downstream in this aspect, adjust IEEE80211_PROBE_DELAY and/or the 125ms max off-channel time in ieee80211_scan_state_decision. [1]: commit d195d7aa ("wcn36xx: Ensure finish scan is not requested before start scan") addressed one case of finish_scan_req being sent without a preceding init_scan_req (the case of the operating channel coinciding with the first scan channel); two other cases are: 1) if SW scan is started and aborted immediately, without scanning any channels, we send a finish_scan_req without ever sending init_scan_req, and 2) as SW scan logic always returns us to the operating channel before calling wcn36xx_sw_scan_complete, finish_scan_req is always sent twice at the end of a SW scan Fixes: 8e84c258 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Benjamin Li <benl@squareup.com> Tested-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211027170306.555535-4-benl@squareup.com
-
Benjamin Li authored
Without ieee80211_ops->flush implemented to empty HW queues, mac80211 will do a 100ms dead wait after stopping SW queues, before leaving the operating channel to resume a software connected scan[1]. (see ieee80211_scan_state_resume) This wait is correctly included in the calculation for whether or not we've exceeded max off-channel time, as it occurs after sending the null frame with PS bit set. Thus, with 125 ms max off-channel time we only have 25 ms of scan time, which technically isn't even enough to scan one channel (although mac80211 always scans at least one channel per off- channel window). Moreover, for passive probes we end up spending at least 100 ms + 111 ms (IEEE80211_PASSIVE_CHANNEL_TIME) "off-channel"[2], which exceeds the listen interval of 200 ms that we provide in our association request frame. That's technically out-of-spec. [1]: Until recently, wcn36xx performed software (rather than FW-offloaded) scanning when 5GHz channels are requested. This apparent limitation is now resolved -- see commit 1395f8a6a4d5 ("wcn36xx: Enable hardware scan offload for 5Ghz band"). [2]: in quotes because about 100 ms of it is still on-channel but with PS set Signed-off-by: Benjamin Li <benl@squareup.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211027170306.555535-3-benl@squareup.com
-
Benjamin Li authored
Add some MAC debug prints for more easily demarcating a software scan when parsing logs. Signed-off-by: Benjamin Li <benl@squareup.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211027170306.555535-2-benl@squareup.com
-
Christian Lamparter authored
ATH10K chips are used it wide range of routers, accesspoints, range extenders, network appliances. On these embedded devices, calibration data is often stored on the main system's flash and was out of reach for the driver. To bridge this gap, ath10k is getting extended to pull the (pre-)calibration data through nvmem subsystem. To do this, a nvmem-cell containing the information can either be specified in the platform data or via device-tree. Tested with: Netgear EX6150v2 (IPQ4018 - pre-calibration method) TP-Link Archer C7 v2 (QCA9880v2 - old calibration method) Cc: Robert Marko <robimarko@gmail.com> Cc: Thibaut VARÈNE <hacks@slashdirt.org> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211016234609.1568317-1-chunkeey@gmail.com
-
Wen Gong authored
Commit 6f4d7030 ("ath11k: support SMPS configuration for 6 GHz") changed "if (ht_cap & WMI_HT_CAP_DYNAMIC_SMPS)" to "if (ht_cap & WMI_HT_CAP_DYNAMIC_SMPS || ar->supports_6ghz)" which means NL80211_FEATURE_DYNAMIC_SMPS is enabled for all chips which support 6 GHz. However, WCN6855 supports 6 GHz but it does not support feature NL80211_FEATURE_DYNAMIC_SMPS, and this can lead to MU-MIMO test failures for WCN6855. Disable NL80211_FEATURE_DYNAMIC_SMPS for WCN6855 since its ht_cap does not support WMI_HT_CAP_DYNAMIC_SMPS. Enable the feature only on QCN9074 as that's the only other device supporting 6 GHz band. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Signed-off-by: Wen Gong <wgong@codeaurora.org> Signed-off-by: Jouni Malinen <jouni@codeaurora.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20210914163726.38604-3-jouni@codeaurora.org
-
- 28 Oct, 2021 1 commit
-
-
Johan Hovold authored
Add the missing endpoint max-packet sanity check to probe() to avoid division by zero in ath10k_usb_hif_tx_sg() in case a malicious device has broken descriptors (or when doing descriptor fuzz testing). Note that USB core will reject URBs submitted for endpoints with zero wMaxPacketSize but that drivers doing packet-size calculations still need to handle this (cf. commit 2548288b ("USB: Fix: Don't skip endpoint descriptors with maxpacket=0")). Fixes: 9cbee358 ("ath6kl: add full USB support") Cc: stable@vger.kernel.org # 3.5 Signed-off-by: Johan Hovold <johan@kernel.org> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20211027080819.6675-3-johan@kernel.org
-