Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'net-6.16-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Pull more networking fixes from Jakub Kicinski
"Big chunk of fixes for WiFi, Johannes says probably the last for the
release.

The Netlink fixes (on top of the tree) restore operation of iw (WiFi
CLI) which uses sillily small recv buffer, and is the reason for this
'emergency PR'.

The GRE multicast fix also stands out among the user-visible
regressions.

Current release - fix to a fix:

- netlink: make sure we always allow at least one skb to be queued,
even if the recvbuf is (mis)configured to be tiny

Previous releases - regressions:

- gre: fix IPv6 multicast route creation

Previous releases - always broken:

- wifi: prevent A-MSDU attacks in mesh networks

- wifi: cfg80211: fix S1G beacon head validation and detection

- wifi: mac80211:
- always clear frame buffer to prevent stack leak in cases which
hit a WARN()
- fix monitor interface in device restart

- wifi: mwifiex: discard erroneous disassoc frames on STA interface

- wifi: mt76:
- prevent null-deref in mt7925_sta_set_decap_offload()
- add missing RCU annotations, and fix sleep in atomic
- fix decapsulation offload
- fixes for scanning

- phy: microchip: improve link establishment and reset handling

- eth: mlx5e: fix race between DIM disable and net_dim()

- bnxt_en: correct DMA unmap len for XDP_REDIRECT"

* tag 'net-6.16-rc6-2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (44 commits)
netlink: make sure we allow at least one dump skb
netlink: Fix rmem check in netlink_broadcast_deliver().
bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT
bnxt_en: Flush FW trace before copying to the coredump
bnxt_en: Fix DCB ETS validation
net: ll_temac: Fix missing tx_pending check in ethtools_set_ringparam()
net/mlx5e: Add new prio for promiscuous mode
net/mlx5e: Fix race between DIM disable and net_dim()
net/mlx5: Reset bw_share field when changing a node's parent
can: m_can: m_can_handle_lost_msg(): downgrade msg lost in rx message to debug level
selftests: net: lib: fix shift count out of range
selftests: Add IPv6 multicast route generation tests for GRE devices.
gre: Fix IPv6 multicast route creation.
net: phy: microchip: limit 100M workaround to link-down events on LAN88xx
net: phy: microchip: Use genphy_soft_reset() to purge stale LPA bits
ibmvnic: Fix hardcoded NUM_RX_STATS/NUM_TX_STATS with dynamic sizeof
net: appletalk: Fix device refcount leak in atrtr_create()
netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto()
wifi: mac80211: add the virtual monitor after reconfig complete
wifi: mac80211: always initialize sdata::key_list
...

+500 -277
+1 -1
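--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -665,7 +665,7 @@
 struct can_frame *frame;
 u32 timestamp = 0;
 
-netdev_err(dev, "msg lost in rxf0\n");
+netdev_dbg(dev, "msg lost in rxf0\n");
 
 stats->rx_errors++;
 stats->rx_over_errors++;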
+11 -7
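--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_coredump.c
@@ -368,23 +368,27 @@
 if (!ctxm->mem_valid || !seg_id)
 continue;
 
-if (trace)
+if (trace) {
 extra_hlen = BNXT_SEG_RCD_LEN;
+if (buf) {
+u16 trace_type = bnxt_bstore_to_trace[type];
+
+bnxt_fill_drv_seg_record(bp, &record, ctxm,
+trace_type);
+}
+}
+
 if (buf)
 data = buf + BNXT_SEG_HDR_LEN + extra_hlen;
+
 seg_len = bnxt_copy_ctx_mem(bp, ctxm, data, 0) + extra_hlen;
 if (buf) {
 bnxt_fill_coredump_seg_hdr(bp, &seg_hdr, NULL, seg_len,
 0, 0, 0, comp_id, seg_id);
 memcpy(buf, &seg_hdr, BNXT_SEG_HDR_LEN);
 buf += BNXT_SEG_HDR_LEN;
-if (trace) {
-u16 trace_type = bnxt_bstore_to_trace[type];
-
-bnxt_fill_drv_seg_record(bp, &record, ctxm,
-trace_type);
+if (trace)
 memcpy(buf, &record, BNXT_SEG_RCD_LEN);
-}
 buf += seg_len;
 }
 len += BNXT_SEG_HDR_LEN + seg_len;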
+2
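--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_dcb.c
@@ -487,7 +487,9 @@
 
 if ((ets->tc_tx_bw[i] || ets->tc_tsa[i]) && i > bp->max_tc)
 return -EINVAL;
+}
 
+for (i = 0; i < max_tc; i++) {
 switch (ets->tc_tsa[i]) {
 case IEEE_8021QAZ_TSA_STRICT:
 break;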
+1 -1
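--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_xdp.c
@@ -115,7 +115,7 @@
 tx_buf->action = XDP_REDIRECT;
 tx_buf->xdpf = xdpf;
 dma_unmap_addr_set(tx_buf, mapping, mapping);
-dma_unmap_len_set(tx_buf, len, 0);
+dma_unmap_len_set(tx_buf, len, len);
 }
 
 void bnxt_tx_int_xdp(struct bnxt *bp, struct bnxt_napi *bnapi, int budget)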
+6 -2
drivers/net/ethernet/ibm/ibmvnic.h
··· 211 211 u8 reserved[72]; 212 212 } __packed __aligned(8); 213 213 214 - #define NUM_TX_STATS 3 215 214 struct ibmvnic_tx_queue_stats { 216 215 u64 batched_packets; 217 216 u64 direct_packets; ··· 218 219 u64 dropped_packets; 219 220 }; 220 221 221 - #define NUM_RX_STATS 3 222 + #define NUM_TX_STATS \ 223 + (sizeof(struct ibmvnic_tx_queue_stats) / sizeof(u64)) 224 + 222 225 struct ibmvnic_rx_queue_stats { 223 226 u64 packets; 224 227 u64 bytes; 225 228 u64 interrupts; 226 229 }; 230 + 231 + #define NUM_RX_STATS \ 232 + (sizeof(struct ibmvnic_rx_queue_stats) / sizeof(u64)) 227 233 228 234 struct ibmvnic_acl_buffer { 229 235 __be32 len;
+7 -2
drivers/net/ethernet/mellanox/mlx5/core/en/fs.h
··· 18 18 19 19 enum { 20 20 MLX5E_TC_PRIO = 0, 21 - MLX5E_NIC_PRIO 21 + MLX5E_PROMISC_PRIO, 22 + MLX5E_NIC_PRIO, 22 23 }; 23 24 24 25 struct mlx5e_flow_table { ··· 69 68 MLX5_HASH_FIELD_SEL_DST_IP |\ 70 69 MLX5_HASH_FIELD_SEL_IPSEC_SPI) 71 70 72 - /* NIC prio FTS */ 71 + /* NIC promisc FT level */ 73 72 enum { 74 73 MLX5E_PROMISC_FT_LEVEL, 74 + }; 75 + 76 + /* NIC prio FTS */ 77 + enum { 75 78 MLX5E_VLAN_FT_LEVEL, 76 79 MLX5E_L2_FT_LEVEL, 77 80 MLX5E_TTC_FT_LEVEL,
+2 -2
drivers/net/ethernet/mellanox/mlx5/core/en_dim.c
··· 113 113 __set_bit(MLX5E_RQ_STATE_DIM, &rq->state); 114 114 } else { 115 115 __clear_bit(MLX5E_RQ_STATE_DIM, &rq->state); 116 - 116 + synchronize_net(); 117 117 mlx5e_dim_disable(rq->dim); 118 118 rq->dim = NULL; 119 119 } ··· 140 140 __set_bit(MLX5E_SQ_STATE_DIM, &sq->state); 141 141 } else { 142 142 __clear_bit(MLX5E_SQ_STATE_DIM, &sq->state); 143 - 143 + synchronize_net(); 144 144 mlx5e_dim_disable(sq->dim); 145 145 sq->dim = NULL; 146 146 }
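Review bot: The `synchronize_net()` calls added in the RQ and SQ disable branches carry no comment, yet their position is the whole fix: the state bit is cleared first, then the wait, then `mlx5e_dim_disable()` and the `NULL` store. A later cleanup could reorder or drop the call without noticing. Suggest a comment above each call, e.g. `/* Wait for pollers that may have seen the DIM bit set before tearing down the dim object */`. That wording is inferred from the commit title, since the polling side lies outside both hunks.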
+1 -1
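--- a/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_fs.c
@@ -780,7 +780,7 @@
 ft_attr.max_fte = MLX5E_PROMISC_TABLE_SIZE;
 ft_attr.autogroup.max_num_groups = 1;
 ft_attr.level = MLX5E_PROMISC_FT_LEVEL;
-ft_attr.prio = MLX5E_NIC_PRIO;
+ft_attr.prio = MLX5E_PROMISC_PRIO;
 
 ft->t = mlx5_create_auto_grouped_flow_table(fs->ns, &ft_attr);
 if (IS_ERR(ft->t)) {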
+1
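--- a/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/esw/qos.c
@@ -1076,6 +1076,7 @@
 return err;
 }
 esw_qos_node_set_parent(node, parent);
+node->bw_share = 0;
 
 return 0;
 }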
+9 -4
drivers/net/ethernet/mellanox/mlx5/core/fs_core.c
··· 113 113 #define ETHTOOL_PRIO_NUM_LEVELS 1 114 114 #define ETHTOOL_NUM_PRIOS 11 115 115 #define ETHTOOL_MIN_LEVEL (KERNEL_MIN_LEVEL + ETHTOOL_NUM_PRIOS) 116 - /* Promiscuous, Vlan, mac, ttc, inner ttc, {UDP/ANY/aRFS/accel/{esp, esp_err}}, IPsec policy, 116 + /* Vlan, mac, ttc, inner ttc, {UDP/ANY/aRFS/accel/{esp, esp_err}}, IPsec policy, 117 117 * {IPsec RoCE MPV,Alias table},IPsec RoCE policy 118 118 */ 119 - #define KERNEL_NIC_PRIO_NUM_LEVELS 11 119 + #define KERNEL_NIC_PRIO_NUM_LEVELS 10 120 120 #define KERNEL_NIC_NUM_PRIOS 1 121 - /* One more level for tc */ 122 - #define KERNEL_MIN_LEVEL (KERNEL_NIC_PRIO_NUM_LEVELS + 1) 121 + /* One more level for tc, and one more for promisc */ 122 + #define KERNEL_MIN_LEVEL (KERNEL_NIC_PRIO_NUM_LEVELS + 2) 123 + 124 + #define KERNEL_NIC_PROMISC_NUM_PRIOS 1 125 + #define KERNEL_NIC_PROMISC_NUM_LEVELS 1 123 126 124 127 #define KERNEL_NIC_TC_NUM_PRIOS 1 125 128 #define KERNEL_NIC_TC_NUM_LEVELS 3 ··· 190 187 ADD_NS(MLX5_FLOW_TABLE_MISS_ACTION_DEF, 191 188 ADD_MULTIPLE_PRIO(KERNEL_NIC_TC_NUM_PRIOS, 192 189 KERNEL_NIC_TC_NUM_LEVELS), 190 + ADD_MULTIPLE_PRIO(KERNEL_NIC_PROMISC_NUM_PRIOS, 191 + KERNEL_NIC_PROMISC_NUM_LEVELS), 193 192 ADD_MULTIPLE_PRIO(KERNEL_NIC_NUM_PRIOS, 194 193 KERNEL_NIC_PRIO_NUM_LEVELS))), 195 194 ADD_PRIO(0, BY_PASS_MIN_LEVEL, 0, FS_CHAINING_CAPS,
+1 -1
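--- a/drivers/net/ethernet/xilinx/ll_temac_main.c
+++ b/drivers/net/ethernet/xilinx/ll_temac_main.c
@@ -1309,7 +1309,7 @@
 if (ering->rx_pending > RX_BD_NUM_MAX ||
 ering->rx_mini_pending ||
 ering->rx_jumbo_pending ||
-ering->rx_pending > TX_BD_NUM_MAX)
+ering->tx_pending > TX_BD_NUM_MAX)
 return -EINVAL;
 
 if (netif_running(ndev))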
+2 -1
drivers/net/phy/microchip.c
··· 332 332 * As workaround, set to 10 before setting to 100 333 333 * at forced 100 F/H mode. 334 334 */ 335 - if (!phydev->autoneg && phydev->speed == 100) { 335 + if (phydev->state == PHY_NOLINK && !phydev->autoneg && phydev->speed == 100) { 336 336 /* disable phy interrupt */ 337 337 temp = phy_read(phydev, LAN88XX_INT_MASK); 338 338 temp &= ~LAN88XX_INT_MASK_MDINTPIN_EN_; ··· 488 488 .config_init = lan88xx_config_init, 489 489 .config_aneg = lan88xx_config_aneg, 490 490 .link_change_notify = lan88xx_link_change_notify, 491 + .soft_reset = genphy_soft_reset, 491 492 492 493 /* Interrupt handling is broken, do not define related 493 494 * functions to force polling.
+3 -1
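--- a/drivers/net/wireless/marvell/mwifiex/util.c
+++ b/drivers/net/wireless/marvell/mwifiex/util.c
@@ -459,7 +459,9 @@
 "auth: receive authentication from %pM\n",
 ieee_hdr->addr3);
 } else {
-if (!priv->wdev.connected)
+if (!priv->wdev.connected ||
+!ether_addr_equal(ieee_hdr->addr3,
+priv->curr_bss_params.bss_descriptor.mac_address))
 return 0;
 
 if (ieee80211_is_deauth(ieee_hdr->frame_control)) {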
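Review bot: The added condition has no comment saying what it is for, and a reader could take it for an authenticity check. It only compares `addr3` with the stored BSSID, which drops frames belonging to other BSSes; the address is carried in the frame itself, so the test does not establish who sent it. Suggest a comment above the `if`: `/* Ignore deauth/disassoc whose BSSID is not the current BSS; sanity filter only, not sender authentication */`. The enclosing function starts and ends outside the hunk, so whether `curr_bss_params` is stable at this point cannot be judged from the visible lines.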
+10
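--- a/drivers/net/wireless/mediatek/mt76/mt76.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
@@ -1224,6 +1224,16 @@
 #define mt76_dereference(p, dev) \
 rcu_dereference_protected(p, lockdep_is_held(&(dev)->mutex))
 
+static inline struct mt76_wcid *
+__mt76_wcid_ptr(struct mt76_dev *dev, u16 idx)
+{
+if (idx >= ARRAY_SIZE(dev->wcid))
+return NULL;
+return rcu_dereference(dev->wcid[idx]);
+}
+
+#define mt76_wcid_ptr(dev, idx) __mt76_wcid_ptr(&(dev)->mt76, idx)
+
 struct mt76_dev *mt76_alloc_device(struct device *pdev, unsigned int size,
 const struct ieee80211_ops *ops,
 const struct mt76_driver_ops *drv_ops);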
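Review bot: `__mt76_wcid_ptr()` has no comment stating its calling contract, although it ends in `rcu_dereference(dev->wcid[idx])` and is therefore only valid inside an RCU read-side critical section. The other hunks of this commit route indices read from descriptors and event messages (`le32_get_bits(txwi[1], ...)`, `le16_to_cpu(e->wlan_id)`) through it, so it is now the one place where such an index is range-checked. I would document both properties above the helper: `/* Bounds-checked wcid lookup: returns NULL if idx is outside dev->wcid[]. Caller must hold rcu_read_lock(). */`.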
+1 -1
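--- a/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7603/dma.c
@@ -44,7 +44,7 @@
 if (idx >= MT7603_WTBL_STA - 1)
 goto free;
 
-wcid = rcu_dereference(dev->mt76.wcid[idx]);
+wcid = mt76_wcid_ptr(dev, idx);
 if (!wcid)
 goto free;
 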
+2 -8
drivers/net/wireless/mediatek/mt76/mt7603/mac.c
··· 487 487 struct mt7603_sta *sta; 488 488 struct mt76_wcid *wcid; 489 489 490 - if (idx >= MT7603_WTBL_SIZE) 491 - return NULL; 492 - 493 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 490 + wcid = mt76_wcid_ptr(dev, idx); 494 491 if (unicast || !wcid) 495 492 return wcid; 496 493 ··· 1263 1266 if (pid == MT_PACKET_ID_NO_ACK) 1264 1267 return; 1265 1268 1266 - if (wcidx >= MT7603_WTBL_SIZE) 1267 - return; 1268 - 1269 1269 rcu_read_lock(); 1270 1270 1271 - wcid = rcu_dereference(dev->mt76.wcid[wcidx]); 1271 + wcid = mt76_wcid_ptr(dev, wcidx); 1272 1272 if (!wcid) 1273 1273 goto out; 1274 1274
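Review bot: Dropping `if (idx >= MT7603_WTBL_SIZE) return NULL;` changes the accepted range from this chip's table size to `ARRAY_SIZE(dev->wcid)`, which is the only bound `mt76_wcid_ptr()` applies. That stays memory-safe, but if the shared array is larger than the chip's table, an index between the two is now looked up rather than rejected, and correctness rests on those slots never being populated; the hunks do not show that. The same applies where the `MT7615_WTBL_SIZE`, `MT76x02_N_WCIDS`, `mt7915_wtbl_size(dev)` and `mt7996_wtbl_size(dev)` checks are removed (mt7615/mac.c, mt76x02.h, mt76x02_mac.c, mt7915/mac.c, mt7915/mmio.c, mt7996/mac.c). A short comment at these call sites, e.g. `/* idx beyond the chip's WTBL size resolves to a NULL slot */`, would record the invariant; both functions touched here start and end outside the hunks.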
+2 -5
drivers/net/wireless/mediatek/mt76/mt7615/mac.c
··· 90 90 struct mt7615_sta *sta; 91 91 struct mt76_wcid *wcid; 92 92 93 - if (idx >= MT7615_WTBL_SIZE) 94 - return NULL; 95 - 96 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 93 + wcid = mt76_wcid_ptr(dev, idx); 97 94 if (unicast || !wcid) 98 95 return wcid; 99 96 ··· 1501 1504 1502 1505 rcu_read_lock(); 1503 1506 1504 - wcid = rcu_dereference(dev->mt76.wcid[wcidx]); 1507 + wcid = mt76_wcid_ptr(dev, wcidx); 1505 1508 if (!wcid) 1506 1509 goto out; 1507 1510
+1 -1
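--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
@@ -1172,7 +1172,7 @@
 wcid_idx = wcid->idx;
 } else {
 wcid_idx = le32_get_bits(txwi[1], MT_TXD1_WLAN_IDX);
-wcid = rcu_dereference(dev->wcid[wcid_idx]);
+wcid = __mt76_wcid_ptr(dev, wcid_idx);
 
 if (wcid && wcid->sta) {
 sta = container_of((void *)wcid, struct ieee80211_sta,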
+3 -3
drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.c
··· 287 287 288 288 mt76_connac_mcu_get_wlan_idx(dev, wcid, &hdr.wlan_idx_lo, 289 289 &hdr.wlan_idx_hi); 290 - skb = mt76_mcu_msg_alloc(dev, NULL, len); 290 + skb = __mt76_mcu_msg_alloc(dev, NULL, len, len, GFP_ATOMIC); 291 291 if (!skb) 292 292 return ERR_PTR(-ENOMEM); 293 293 ··· 1740 1740 if (!sreq->ssids[i].ssid_len) 1741 1741 continue; 1742 1742 1743 - req->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); 1744 - memcpy(req->ssids[i].ssid, sreq->ssids[i].ssid, 1743 + req->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); 1744 + memcpy(req->ssids[n_ssids].ssid, sreq->ssids[i].ssid, 1745 1745 sreq->ssids[i].ssid_len); 1746 1746 n_ssids++; 1747 1747 }
+1 -4
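--- a/drivers/net/wireless/mediatek/mt76/mt76x02.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76x02.h
@@ -262,10 +262,7 @@
 {
 struct mt76_wcid *wcid;
 
-if (idx >= MT76x02_N_WCIDS)
-return NULL;
-
-wcid = rcu_dereference(dev->wcid[idx]);
+wcid = __mt76_wcid_ptr(dev, idx);
 if (!wcid)
 return NULL;
 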
+1 -3
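--- a/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x02_mac.c
@@ -564,9 +564,7 @@
 
 rcu_read_lock();
 
-if (stat->wcid < MT76x02_N_WCIDS)
-wcid = rcu_dereference(dev->mt76.wcid[stat->wcid]);
-
+wcid = mt76_wcid_ptr(dev, stat->wcid);
 if (wcid && wcid->sta) {
 void *priv;
 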
+3 -9
drivers/net/wireless/mediatek/mt76/mt7915/mac.c
··· 56 56 struct mt7915_sta *sta; 57 57 struct mt76_wcid *wcid; 58 58 59 - if (idx >= ARRAY_SIZE(dev->mt76.wcid)) 60 - return NULL; 61 - 62 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 59 + wcid = mt76_wcid_ptr(dev, idx); 63 60 if (unicast || !wcid) 64 61 return wcid; 65 62 ··· 914 917 u16 idx; 915 918 916 919 idx = FIELD_GET(MT_TX_FREE_WLAN_ID, info); 917 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 920 + wcid = mt76_wcid_ptr(dev, idx); 918 921 sta = wcid_to_sta(wcid); 919 922 if (!sta) 920 923 continue; ··· 1010 1013 if (pid < MT_PACKET_ID_WED) 1011 1014 return; 1012 1015 1013 - if (wcidx >= mt7915_wtbl_size(dev)) 1014 - return; 1015 - 1016 1016 rcu_read_lock(); 1017 1017 1018 - wcid = rcu_dereference(dev->mt76.wcid[wcidx]); 1018 + wcid = mt76_wcid_ptr(dev, wcidx); 1019 1019 if (!wcid) 1020 1020 goto out; 1021 1021
+1 -1
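--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -3986,7 +3986,7 @@
 
 rcu_read_lock();
 
-wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]);
+wcid = mt76_wcid_ptr(dev, wlan_idx);
 if (wcid)
 wcid->stats.tx_packets += le32_to_cpu(res->tx_packets);
 else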
+1 -4
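--- a/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mmio.c
@@ -587,12 +587,9 @@
 
 dev = container_of(wed, struct mt7915_dev, mt76.mmio.wed);
 
-if (idx >= mt7915_wtbl_size(dev))
-return;
-
 rcu_read_lock();
 
-wcid = rcu_dereference(dev->mt76.wcid[idx]);
+wcid = mt76_wcid_ptr(dev, idx);
 if (wcid) {
 wcid->stats.rx_bytes += le32_to_cpu(stats->rx_byte_cnt);
 wcid->stats.rx_packets += le32_to_cpu(stats->rx_pkt_cnt);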
+3 -3
drivers/net/wireless/mediatek/mt76/mt7921/mac.c
··· 465 465 466 466 rcu_read_lock(); 467 467 468 - wcid = rcu_dereference(dev->mt76.wcid[wcidx]); 468 + wcid = mt76_wcid_ptr(dev, wcidx); 469 469 if (!wcid) 470 470 goto out; 471 471 ··· 516 516 517 517 count++; 518 518 idx = FIELD_GET(MT_TX_FREE_WLAN_ID, info); 519 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 519 + wcid = mt76_wcid_ptr(dev, idx); 520 520 sta = wcid_to_sta(wcid); 521 521 if (!sta) 522 522 continue; ··· 816 816 u16 idx; 817 817 818 818 idx = le32_get_bits(txwi[1], MT_TXD1_WLAN_IDX); 819 - wcid = rcu_dereference(mdev->wcid[idx]); 819 + wcid = __mt76_wcid_ptr(mdev, idx); 820 820 sta = wcid_to_sta(wcid); 821 821 822 822 if (sta && likely(e->skb->protocol != cpu_to_be16(ETH_P_PAE)))
+3
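--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
@@ -1180,6 +1180,9 @@
 struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv;
 struct mt792x_dev *dev = mt792x_hw_dev(hw);
 
+if (!msta->deflink.wcid.sta)
+return;
+
 mt792x_mutex_acquire(dev);
 
 if (enabled)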
+2
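--- a/drivers/net/wireless/mediatek/mt76/mt7925/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/init.c
@@ -52,6 +52,8 @@
 
 name = devm_kasprintf(&wiphy->dev, GFP_KERNEL, "mt7925_%s",
 wiphy_name(wiphy));
+if (!name)
+return -ENOMEM;
 
 hwmon = devm_hwmon_device_register_with_groups(&wiphy->dev, name, phy,
 mt7925_hwmon_groups);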
+3 -3
drivers/net/wireless/mediatek/mt76/mt7925/mac.c
··· 1040 1040 1041 1041 rcu_read_lock(); 1042 1042 1043 - wcid = rcu_dereference(dev->mt76.wcid[wcidx]); 1043 + wcid = mt76_wcid_ptr(dev, wcidx); 1044 1044 if (!wcid) 1045 1045 goto out; 1046 1046 ··· 1122 1122 u16 idx; 1123 1123 1124 1124 idx = FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info); 1125 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 1125 + wcid = mt76_wcid_ptr(dev, idx); 1126 1126 sta = wcid_to_sta(wcid); 1127 1127 if (!sta) 1128 1128 continue; ··· 1445 1445 u16 idx; 1446 1446 1447 1447 idx = le32_get_bits(txwi[1], MT_TXD1_WLAN_IDX); 1448 - wcid = rcu_dereference(mdev->wcid[idx]); 1448 + wcid = __mt76_wcid_ptr(mdev, idx); 1449 1449 sta = wcid_to_sta(wcid); 1450 1450 1451 1451 if (sta && likely(e->skb->protocol != cpu_to_be16(ETH_P_PAE)))
+7 -1
drivers/net/wireless/mediatek/mt76/mt7925/main.c
··· 1481 1481 1482 1482 mt792x_mutex_acquire(dev); 1483 1483 1484 - err = mt7925_mcu_sched_scan_req(mphy, vif, req); 1484 + err = mt7925_mcu_sched_scan_req(mphy, vif, req, ies); 1485 1485 if (err < 0) 1486 1486 goto out; 1487 1487 ··· 1603 1603 unsigned long valid = mvif->valid_links; 1604 1604 u8 i; 1605 1605 1606 + if (!msta->vif) 1607 + return; 1608 + 1606 1609 mt792x_mutex_acquire(dev); 1607 1610 1608 1611 valid = ieee80211_vif_is_mld(vif) ? mvif->valid_links : BIT(0); ··· 1619 1616 set_bit(MT_WCID_FLAG_HDR_TRANS, &mlink->wcid.flags); 1620 1617 else 1621 1618 clear_bit(MT_WCID_FLAG_HDR_TRANS, &mlink->wcid.flags); 1619 + 1620 + if (!mlink->wcid.sta) 1621 + continue; 1622 1622 1623 1623 mt7925_mcu_wtbl_update_hdr_trans(dev, vif, sta, i); 1624 1624 }
+61 -18
drivers/net/wireless/mediatek/mt76/mt7925/mcu.c
··· 164 164 bool suspend, struct cfg80211_wowlan *wowlan) 165 165 { 166 166 struct mt76_vif_link *mvif = (struct mt76_vif_link *)vif->drv_priv; 167 + struct ieee80211_scan_ies ies = {}; 167 168 struct mt76_dev *dev = phy->dev; 168 169 struct { 169 170 struct { ··· 195 194 req.wow_ctrl_tlv.trigger |= (UNI_WOW_DETECT_TYPE_DISCONNECT | 196 195 UNI_WOW_DETECT_TYPE_BCN_LOST); 197 196 if (wowlan->nd_config) { 198 - mt7925_mcu_sched_scan_req(phy, vif, wowlan->nd_config); 197 + mt7925_mcu_sched_scan_req(phy, vif, wowlan->nd_config, &ies); 199 198 req.wow_ctrl_tlv.trigger |= UNI_WOW_DETECT_TYPE_SCH_SCAN_HIT; 200 199 mt7925_mcu_sched_scan_enable(phy, vif, suspend); 201 200 } ··· 2819 2818 return err; 2820 2819 } 2821 2820 2821 + static void 2822 + mt7925_mcu_build_scan_ie_tlv(struct mt76_dev *mdev, 2823 + struct sk_buff *skb, 2824 + struct ieee80211_scan_ies *scan_ies) 2825 + { 2826 + u32 max_len = sizeof(struct scan_ie_tlv) + MT76_CONNAC_SCAN_IE_LEN; 2827 + struct scan_ie_tlv *ie; 2828 + enum nl80211_band i; 2829 + struct tlv *tlv; 2830 + const u8 *ies; 2831 + u16 ies_len; 2832 + 2833 + for (i = 0; i <= NL80211_BAND_6GHZ; i++) { 2834 + if (i == NL80211_BAND_60GHZ) 2835 + continue; 2836 + 2837 + ies = scan_ies->ies[i]; 2838 + ies_len = scan_ies->len[i]; 2839 + 2840 + if (!ies || !ies_len) 2841 + continue; 2842 + 2843 + if (ies_len > max_len) 2844 + return; 2845 + 2846 + tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_IE, 2847 + sizeof(*ie) + ies_len); 2848 + ie = (struct scan_ie_tlv *)tlv; 2849 + 2850 + memcpy(ie->ies, ies, ies_len); 2851 + ie->ies_len = cpu_to_le16(ies_len); 2852 + 2853 + switch (i) { 2854 + case NL80211_BAND_2GHZ: 2855 + ie->band = 1; 2856 + break; 2857 + case NL80211_BAND_6GHZ: 2858 + ie->band = 3; 2859 + break; 2860 + default: 2861 + ie->band = 2; 2862 + break; 2863 + } 2864 + 2865 + max_len -= (sizeof(*ie) + ies_len); 2866 + } 2867 + } 2868 + 2822 2869 int mt7925_mcu_hw_scan(struct mt76_phy *phy, struct ieee80211_vif *vif, 2823 2870 struct 
ieee80211_scan_request *scan_req) 2824 2871 { ··· 2892 2843 2893 2844 max_len = sizeof(*hdr) + sizeof(*req) + sizeof(*ssid) + 2894 2845 sizeof(*bssid) * MT7925_RNR_SCAN_MAX_BSSIDS + 2895 - sizeof(*chan_info) + sizeof(*misc) + sizeof(*ie); 2846 + sizeof(*chan_info) + sizeof(*misc) + sizeof(*ie) + 2847 + MT76_CONNAC_SCAN_IE_LEN; 2896 2848 2897 2849 skb = mt76_mcu_msg_alloc(mdev, NULL, max_len); 2898 2850 if (!skb) ··· 2919 2869 if (i > MT7925_RNR_SCAN_MAX_BSSIDS) 2920 2870 break; 2921 2871 2922 - ssid->ssids[i].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); 2923 - memcpy(ssid->ssids[i].ssid, sreq->ssids[i].ssid, 2872 + ssid->ssids[n_ssids].ssid_len = cpu_to_le32(sreq->ssids[i].ssid_len); 2873 + memcpy(ssid->ssids[n_ssids].ssid, sreq->ssids[i].ssid, 2924 2874 sreq->ssids[i].ssid_len); 2925 2875 n_ssids++; 2926 2876 } ··· 2975 2925 } 2976 2926 chan_info->channel_type = sreq->n_channels ? 4 : 0; 2977 2927 2978 - tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_IE, sizeof(*ie)); 2979 - ie = (struct scan_ie_tlv *)tlv; 2980 - if (sreq->ie_len > 0) { 2981 - memcpy(ie->ies, sreq->ie, sreq->ie_len); 2982 - ie->ies_len = cpu_to_le16(sreq->ie_len); 2983 - } 2984 - 2985 2928 req->scan_func |= SCAN_FUNC_SPLIT_SCAN; 2986 2929 2987 2930 tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_MISC, sizeof(*misc)); ··· 2984 2941 sreq->mac_addr_mask); 2985 2942 req->scan_func |= SCAN_FUNC_RANDOM_MAC; 2986 2943 } 2944 + 2945 + /* Append scan probe IEs as the last tlv */ 2946 + mt7925_mcu_build_scan_ie_tlv(mdev, skb, &scan_req->ies); 2987 2947 2988 2948 err = mt76_mcu_skb_send_msg(mdev, skb, MCU_UNI_CMD(SCAN_REQ), 2989 2949 true); ··· 2999 2953 3000 2954 int mt7925_mcu_sched_scan_req(struct mt76_phy *phy, 3001 2955 struct ieee80211_vif *vif, 3002 - struct cfg80211_sched_scan_request *sreq) 2956 + struct cfg80211_sched_scan_request *sreq, 2957 + struct ieee80211_scan_ies *ies) 3003 2958 { 3004 2959 struct mt76_vif_link *mvif = (struct mt76_vif_link *)vif->drv_priv; 3005 2960 struct ieee80211_channel 
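Review bot: In `mt7925_mcu_build_scan_ie_tlv()` the budget test `if (ies_len > max_len)` compares only the payload, while each TLV consumes `sizeof(*ie) + ies_len`, so the later `max_len -= (sizeof(*ie) + ies_len)` can wrap the `u32` and leave the limit ineffective for the remaining bands. With IEs present for more than one band, the appended TLVs can then total more than the single `sizeof(*ie) + MT76_CONNAC_SCAN_IE_LEN` that `mt7925_mcu_hw_scan()` adds to `max_len` for the skb; whether cfg80211 limits already rule this out is not visible here. Comparing the full TLV size keeps the total within the reservation: `if (sizeof(*ie) + ies_len > max_len) return;`. The allocation in `mt7925_mcu_sched_scan_req()` lies outside the hunk and should be checked for the same headroom, and the bare `return` drops the remaining bands' IEs without a log line or an error.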
**scan_list = sreq->channels; ··· 3088 3041 } 3089 3042 chan_info->channel_type = sreq->n_channels ? 4 : 0; 3090 3043 3091 - tlv = mt76_connac_mcu_add_tlv(skb, UNI_SCAN_IE, sizeof(*ie)); 3092 - ie = (struct scan_ie_tlv *)tlv; 3093 - if (sreq->ie_len > 0) { 3094 - memcpy(ie->ies, sreq->ie, sreq->ie_len); 3095 - ie->ies_len = cpu_to_le16(sreq->ie_len); 3096 - } 3044 + /* Append scan probe IEs as the last tlv */ 3045 + mt7925_mcu_build_scan_ie_tlv(mdev, skb, ies); 3097 3046 3098 3047 return mt76_mcu_skb_send_msg(mdev, skb, MCU_UNI_CMD(SCAN_REQ), 3099 3048 true);
+3 -2
drivers/net/wireless/mediatek/mt76/mt7925/mcu.h
··· 269 269 __le16 ies_len; 270 270 u8 band; 271 271 u8 pad; 272 - u8 ies[MT76_CONNAC_SCAN_IE_LEN]; 272 + u8 ies[]; 273 273 }; 274 274 275 275 struct scan_misc_tlv { ··· 673 673 struct ieee80211_vif *vif); 674 674 int mt7925_mcu_sched_scan_req(struct mt76_phy *phy, 675 675 struct ieee80211_vif *vif, 676 - struct cfg80211_sched_scan_request *sreq); 676 + struct cfg80211_sched_scan_request *sreq, 677 + struct ieee80211_scan_ies *ies); 677 678 int mt7925_mcu_sched_scan_enable(struct mt76_phy *phy, 678 679 struct ieee80211_vif *vif, 679 680 bool enable);
+1 -1
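--- a/drivers/net/wireless/mediatek/mt76/mt7925/regs.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7925/regs.h
@@ -58,7 +58,7 @@
 
 #define MT_INT_TX_DONE_MCU (MT_INT_TX_DONE_MCU_WM | \
 MT_INT_TX_DONE_FWDL)
-#define MT_INT_TX_DONE_ALL (MT_INT_TX_DONE_MCU_WM | \
+#define MT_INT_TX_DONE_ALL (MT_INT_TX_DONE_MCU | \
 MT_INT_TX_DONE_BAND0 | \
 GENMASK(18, 4))
 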
+27 -5
drivers/net/wireless/mediatek/mt76/mt792x_core.c
··· 28 28 }, 29 29 }; 30 30 31 - static const struct ieee80211_iface_limit if_limits_chanctx[] = { 31 + static const struct ieee80211_iface_limit if_limits_chanctx_mcc[] = { 32 32 { 33 33 .max = 2, 34 34 .types = BIT(NL80211_IFTYPE_STATION) | ··· 36 36 }, 37 37 { 38 38 .max = 1, 39 - .types = BIT(NL80211_IFTYPE_AP) | 40 - BIT(NL80211_IFTYPE_P2P_GO) 39 + .types = BIT(NL80211_IFTYPE_P2P_GO) 40 + }, 41 + { 42 + .max = 1, 43 + .types = BIT(NL80211_IFTYPE_P2P_DEVICE) 44 + } 45 + }; 46 + 47 + static const struct ieee80211_iface_limit if_limits_chanctx_scc[] = { 48 + { 49 + .max = 2, 50 + .types = BIT(NL80211_IFTYPE_STATION) | 51 + BIT(NL80211_IFTYPE_P2P_CLIENT) 52 + }, 53 + { 54 + .max = 1, 55 + .types = BIT(NL80211_IFTYPE_AP) 41 56 }, 42 57 { 43 58 .max = 1, ··· 62 47 63 48 static const struct ieee80211_iface_combination if_comb_chanctx[] = { 64 49 { 65 - .limits = if_limits_chanctx, 66 - .n_limits = ARRAY_SIZE(if_limits_chanctx), 50 + .limits = if_limits_chanctx_mcc, 51 + .n_limits = ARRAY_SIZE(if_limits_chanctx_mcc), 67 52 .max_interfaces = 3, 68 53 .num_different_channels = 2, 54 + .beacon_int_infra_match = false, 55 + }, 56 + { 57 + .limits = if_limits_chanctx_scc, 58 + .n_limits = ARRAY_SIZE(if_limits_chanctx_scc), 59 + .max_interfaces = 3, 60 + .num_different_channels = 1, 69 61 .beacon_int_infra_match = false, 70 62 } 71 63 };
+1 -4
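--- a/drivers/net/wireless/mediatek/mt76/mt792x_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt792x_mac.c
@@ -142,10 +142,7 @@
 struct mt792x_sta *sta;
 struct mt76_wcid *wcid;
 
-if (idx >= ARRAY_SIZE(dev->mt76.wcid))
-return NULL;
-
-wcid = rcu_dereference(dev->mt76.wcid[idx]);
+wcid = mt76_wcid_ptr(dev, idx);
 if (unicast || !wcid)
 return wcid;
 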
+10 -42
drivers/net/wireless/mediatek/mt76/mt7996/mac.c
··· 61 61 struct mt76_wcid *wcid; 62 62 int i; 63 63 64 - if (idx >= ARRAY_SIZE(dev->mt76.wcid)) 65 - return NULL; 66 - 67 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 64 + wcid = mt76_wcid_ptr(dev, idx); 68 65 if (!wcid) 69 66 return NULL; 70 67 ··· 1246 1249 u16 idx; 1247 1250 1248 1251 idx = FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info); 1249 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 1252 + wcid = mt76_wcid_ptr(dev, idx); 1250 1253 sta = wcid_to_sta(wcid); 1251 1254 if (!sta) 1252 1255 goto next; ··· 1468 1471 if (pid < MT_PACKET_ID_NO_SKB) 1469 1472 return; 1470 1473 1471 - if (wcidx >= mt7996_wtbl_size(dev)) 1472 - return; 1473 - 1474 1474 rcu_read_lock(); 1475 1475 1476 - wcid = rcu_dereference(dev->mt76.wcid[wcidx]); 1476 + wcid = mt76_wcid_ptr(dev, wcidx); 1477 1477 if (!wcid) 1478 1478 goto out; 1479 1479 ··· 2347 2353 void mt7996_mac_sta_rc_work(struct work_struct *work) 2348 2354 { 2349 2355 struct mt7996_dev *dev = container_of(work, struct mt7996_dev, rc_work); 2350 - struct ieee80211_bss_conf *link_conf; 2351 - struct ieee80211_link_sta *link_sta; 2352 2356 struct mt7996_sta_link *msta_link; 2353 - struct mt7996_vif_link *link; 2354 - struct mt76_vif_link *mlink; 2355 - struct ieee80211_sta *sta; 2356 2357 struct ieee80211_vif *vif; 2357 - struct mt7996_sta *msta; 2358 2358 struct mt7996_vif *mvif; 2359 2359 LIST_HEAD(list); 2360 2360 u32 changed; 2361 - u8 link_id; 2362 2361 2363 - rcu_read_lock(); 2364 2362 spin_lock_bh(&dev->mt76.sta_poll_lock); 2365 2363 list_splice_init(&dev->sta_rc_list, &list); 2366 2364 ··· 2363 2377 2364 2378 changed = msta_link->changed; 2365 2379 msta_link->changed = 0; 2366 - 2367 - sta = wcid_to_sta(&msta_link->wcid); 2368 - link_id = msta_link->wcid.link_id; 2369 - msta = msta_link->sta; 2370 - mvif = msta->vif; 2371 - vif = container_of((void *)mvif, struct ieee80211_vif, drv_priv); 2372 - 2373 - mlink = rcu_dereference(mvif->mt76.link[link_id]); 2374 - if (!mlink) 2375 - continue; 2376 - 2377 - link_sta = 
rcu_dereference(sta->link[link_id]); 2378 - if (!link_sta) 2379 - continue; 2380 - 2381 - link_conf = rcu_dereference(vif->link_conf[link_id]); 2382 - if (!link_conf) 2383 - continue; 2380 + mvif = msta_link->sta->vif; 2381 + vif = container_of((void *)mvif, struct ieee80211_vif, 2382 + drv_priv); 2384 2383 2385 2384 spin_unlock_bh(&dev->mt76.sta_poll_lock); 2386 - 2387 - link = (struct mt7996_vif_link *)mlink; 2388 2385 2389 2386 if (changed & (IEEE80211_RC_SUPP_RATES_CHANGED | 2390 2387 IEEE80211_RC_NSS_CHANGED | 2391 2388 IEEE80211_RC_BW_CHANGED)) 2392 - mt7996_mcu_add_rate_ctrl(dev, vif, link_conf, 2393 - link_sta, link, msta_link, 2389 + mt7996_mcu_add_rate_ctrl(dev, msta_link->sta, vif, 2390 + msta_link->wcid.link_id, 2394 2391 true); 2395 2392 2396 2393 if (changed & IEEE80211_RC_SMPS_CHANGED) 2397 - mt7996_mcu_set_fixed_field(dev, link_sta, link, 2398 - msta_link, NULL, 2394 + mt7996_mcu_set_fixed_field(dev, msta_link->sta, NULL, 2395 + msta_link->wcid.link_id, 2399 2396 RATE_PARAM_MMPS_UPDATE); 2400 2397 2401 2398 spin_lock_bh(&dev->mt76.sta_poll_lock); 2402 2399 } 2403 2400 2404 2401 spin_unlock_bh(&dev->mt76.sta_poll_lock); 2405 - rcu_read_unlock(); 2406 2402 } 2407 2403 2408 2404 void mt7996_mac_work(struct work_struct *work)
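Review bot: After this change `mt7996_mac_sta_rc_work()` reads `msta_link->sta` and `msta_link->wcid.link_id` after `spin_unlock_bh(&dev->mt76.sta_poll_lock)` with no RCU read section around them, where the old loop ran entirely under `rcu_read_lock()`. If a link entry can be torn down while the work item runs (not determinable from the visible lines), those reads touch an object that nothing is pinning. Taking both values while the lock is still held keeps the unlocked part free of `msta_link` accesses: `msta = msta_link->sta; link_id = msta_link->wcid.link_id;` before the unlock, then pass `msta` and `link_id` to `mt7996_mcu_add_rate_ctrl()` and `mt7996_mcu_set_fixed_field()`.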
+2 -3
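--- a/drivers/net/wireless/mediatek/mt76/mt7996/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/main.c
@@ -1112,9 +1112,8 @@
 if (err)
 return err;
 
-err = mt7996_mcu_add_rate_ctrl(dev, vif, link_conf,
-link_sta, link,
-msta_link, false);
+err = mt7996_mcu_add_rate_ctrl(dev, msta_link->sta, vif,
+link_id, false);
 if (err)
 return err;
 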
+141 -58
drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
··· 555 555 switch (le16_to_cpu(res->tag)) { 556 556 case UNI_ALL_STA_TXRX_RATE: 557 557 wlan_idx = le16_to_cpu(res->rate[i].wlan_idx); 558 - wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]); 558 + wcid = mt76_wcid_ptr(dev, wlan_idx); 559 559 560 560 if (!wcid) 561 561 break; ··· 565 565 break; 566 566 case UNI_ALL_STA_TXRX_ADM_STAT: 567 567 wlan_idx = le16_to_cpu(res->adm_stat[i].wlan_idx); 568 - wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]); 568 + wcid = mt76_wcid_ptr(dev, wlan_idx); 569 569 570 570 if (!wcid) 571 571 break; ··· 579 579 break; 580 580 case UNI_ALL_STA_TXRX_MSDU_COUNT: 581 581 wlan_idx = le16_to_cpu(res->msdu_cnt[i].wlan_idx); 582 - wcid = rcu_dereference(dev->mt76.wcid[wlan_idx]); 582 + wcid = mt76_wcid_ptr(dev, wlan_idx); 583 583 584 584 if (!wcid) 585 585 break; ··· 676 676 677 677 e = (void *)skb->data; 678 678 idx = le16_to_cpu(e->wlan_id); 679 - if (idx >= ARRAY_SIZE(dev->mt76.wcid)) 680 - break; 681 - 682 - wcid = rcu_dereference(dev->mt76.wcid[idx]); 679 + wcid = mt76_wcid_ptr(dev, idx); 683 680 if (!wcid || !wcid->sta) 684 681 break; 685 682 ··· 1902 1905 MCU_WM_UNI_CMD(RA), true); 1903 1906 } 1904 1907 1905 - int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev, 1906 - struct ieee80211_link_sta *link_sta, 1907 - struct mt7996_vif_link *link, 1908 - struct mt7996_sta_link *msta_link, 1909 - void *data, u32 field) 1908 + int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev, struct mt7996_sta *msta, 1909 + void *data, u8 link_id, u32 field) 1910 1910 { 1911 - struct sta_phy_uni *phy = data; 1911 + struct mt7996_vif *mvif = msta->vif; 1912 + struct mt7996_sta_link *msta_link; 1912 1913 struct sta_rec_ra_fixed_uni *ra; 1914 + struct sta_phy_uni *phy = data; 1915 + struct mt76_vif_link *mlink; 1913 1916 struct sk_buff *skb; 1917 + int err = -ENODEV; 1914 1918 struct tlv *tlv; 1915 1919 1916 - skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &link->mt76, 1920 + rcu_read_lock(); 1921 + 1922 + mlink = 
rcu_dereference(mvif->mt76.link[link_id]); 1923 + if (!mlink) 1924 + goto error_unlock; 1925 + 1926 + msta_link = rcu_dereference(msta->link[link_id]); 1927 + if (!msta_link) 1928 + goto error_unlock; 1929 + 1930 + skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, mlink, 1917 1931 &msta_link->wcid, 1918 1932 MT7996_STA_UPDATE_MAX_SIZE); 1919 - if (IS_ERR(skb)) 1920 - return PTR_ERR(skb); 1933 + if (IS_ERR(skb)) { 1934 + err = PTR_ERR(skb); 1935 + goto error_unlock; 1936 + } 1921 1937 1922 1938 tlv = mt76_connac_mcu_add_tlv(skb, STA_REC_RA_UPDATE, sizeof(*ra)); 1923 1939 ra = (struct sta_rec_ra_fixed_uni *)tlv; ··· 1945 1935 if (phy) 1946 1936 ra->phy = *phy; 1947 1937 break; 1948 - case RATE_PARAM_MMPS_UPDATE: 1938 + case RATE_PARAM_MMPS_UPDATE: { 1939 + struct ieee80211_sta *sta = wcid_to_sta(&msta_link->wcid); 1940 + struct ieee80211_link_sta *link_sta; 1941 + 1942 + link_sta = rcu_dereference(sta->link[link_id]); 1943 + if (!link_sta) { 1944 + dev_kfree_skb(skb); 1945 + goto error_unlock; 1946 + } 1947 + 1949 1948 ra->mmps_mode = mt7996_mcu_get_mmps_mode(link_sta->smps_mode); 1950 1949 break; 1950 + } 1951 1951 default: 1952 1952 break; 1953 1953 } 1954 1954 ra->field = cpu_to_le32(field); 1955 1955 1956 + rcu_read_unlock(); 1957 + 1956 1958 return mt76_mcu_skb_send_msg(&dev->mt76, skb, 1957 1959 MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true); 1960 + error_unlock: 1961 + rcu_read_unlock(); 1962 + 1963 + return err; 1958 1964 } 1959 1965 1960 1966 static int 1961 - mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev, 1962 - struct ieee80211_link_sta *link_sta, 1963 - struct mt7996_vif_link *link, 1964 - struct mt7996_sta_link *msta_link) 1967 + mt7996_mcu_add_rate_ctrl_fixed(struct mt7996_dev *dev, struct mt7996_sta *msta, 1968 + struct ieee80211_vif *vif, u8 link_id) 1965 1969 { 1966 - struct cfg80211_chan_def *chandef = &link->phy->mt76->chandef; 1967 - struct cfg80211_bitrate_mask *mask = &link->bitrate_mask; 1968 - enum nl80211_band band = chandef->chan->band; 
1970 + struct ieee80211_link_sta *link_sta; 1971 + struct cfg80211_bitrate_mask mask; 1972 + struct mt7996_sta_link *msta_link; 1973 + struct mt7996_vif_link *link; 1969 1974 struct sta_phy_uni phy = {}; 1970 - int ret, nrates = 0; 1975 + struct ieee80211_sta *sta; 1976 + int ret, nrates = 0, idx; 1977 + enum nl80211_band band; 1978 + bool has_he; 1971 1979 1972 1980 #define __sta_phy_bitrate_mask_check(_mcs, _gi, _ht, _he) \ 1973 1981 do { \ 1974 - u8 i, gi = mask->control[band]._gi; \ 1982 + u8 i, gi = mask.control[band]._gi; \ 1975 1983 gi = (_he) ? gi : gi == NL80211_TXRATE_FORCE_SGI; \ 1976 1984 phy.sgi = gi; \ 1977 - phy.he_ltf = mask->control[band].he_ltf; \ 1978 - for (i = 0; i < ARRAY_SIZE(mask->control[band]._mcs); i++) { \ 1979 - if (!mask->control[band]._mcs[i]) \ 1985 + phy.he_ltf = mask.control[band].he_ltf; \ 1986 + for (i = 0; i < ARRAY_SIZE(mask.control[band]._mcs); i++) { \ 1987 + if (!mask.control[band]._mcs[i]) \ 1980 1988 continue; \ 1981 - nrates += hweight16(mask->control[band]._mcs[i]); \ 1982 - phy.mcs = ffs(mask->control[band]._mcs[i]) - 1; \ 1989 + nrates += hweight16(mask.control[band]._mcs[i]); \ 1990 + phy.mcs = ffs(mask.control[band]._mcs[i]) - 1; \ 1983 1991 if (_ht) \ 1984 1992 phy.mcs += 8 * i; \ 1985 1993 } \ 1986 1994 } while (0) 1987 1995 1988 - if (link_sta->he_cap.has_he) { 1996 + rcu_read_lock(); 1997 + 1998 + link = mt7996_vif_link(dev, vif, link_id); 1999 + if (!link) 2000 + goto error_unlock; 2001 + 2002 + msta_link = rcu_dereference(msta->link[link_id]); 2003 + if (!msta_link) 2004 + goto error_unlock; 2005 + 2006 + sta = wcid_to_sta(&msta_link->wcid); 2007 + link_sta = rcu_dereference(sta->link[link_id]); 2008 + if (!link_sta) 2009 + goto error_unlock; 2010 + 2011 + band = link->phy->mt76->chandef.chan->band; 2012 + has_he = link_sta->he_cap.has_he; 2013 + mask = link->bitrate_mask; 2014 + idx = msta_link->wcid.idx; 2015 + 2016 + if (has_he) { 1989 2017 __sta_phy_bitrate_mask_check(he_mcs, he_gi, 0, 1); 1990 2018 } else 
if (link_sta->vht_cap.vht_supported) { 1991 2019 __sta_phy_bitrate_mask_check(vht_mcs, gi, 0, 0); 1992 2020 } else if (link_sta->ht_cap.ht_supported) { 1993 2021 __sta_phy_bitrate_mask_check(ht_mcs, gi, 1, 0); 1994 2022 } else { 1995 - nrates = hweight32(mask->control[band].legacy); 1996 - phy.mcs = ffs(mask->control[band].legacy) - 1; 2023 + nrates = hweight32(mask.control[band].legacy); 2024 + phy.mcs = ffs(mask.control[band].legacy) - 1; 1997 2025 } 2026 + 2027 + rcu_read_unlock(); 2028 + 1998 2029 #undef __sta_phy_bitrate_mask_check 1999 2030 2000 2031 /* fall back to auto rate control */ 2001 - if (mask->control[band].gi == NL80211_TXRATE_DEFAULT_GI && 2002 - mask->control[band].he_gi == GENMASK(7, 0) && 2003 - mask->control[band].he_ltf == GENMASK(7, 0) && 2032 + if (mask.control[band].gi == NL80211_TXRATE_DEFAULT_GI && 2033 + mask.control[band].he_gi == GENMASK(7, 0) && 2034 + mask.control[band].he_ltf == GENMASK(7, 0) && 2004 2035 nrates != 1) 2005 2036 return 0; 2006 2037 2007 2038 /* fixed single rate */ 2008 2039 if (nrates == 1) { 2009 - ret = mt7996_mcu_set_fixed_field(dev, link_sta, link, 2010 - msta_link, &phy, 2040 + ret = mt7996_mcu_set_fixed_field(dev, msta, &phy, link_id, 2011 2041 RATE_PARAM_FIXED_MCS); 2012 2042 if (ret) 2013 2043 return ret; 2014 2044 } 2015 2045 2016 2046 /* fixed GI */ 2017 - if (mask->control[band].gi != NL80211_TXRATE_DEFAULT_GI || 2018 - mask->control[band].he_gi != GENMASK(7, 0)) { 2047 + if (mask.control[band].gi != NL80211_TXRATE_DEFAULT_GI || 2048 + mask.control[band].he_gi != GENMASK(7, 0)) { 2019 2049 u32 addr; 2020 2050 2021 2051 /* firmware updates only TXCMD but doesn't take WTBL into 2022 2052 * account, so driver should update here to reflect the 2023 2053 * actual txrate hardware sends out. 
2024 2054 */ 2025 - addr = mt7996_mac_wtbl_lmac_addr(dev, msta_link->wcid.idx, 7); 2026 - if (link_sta->he_cap.has_he) 2055 + addr = mt7996_mac_wtbl_lmac_addr(dev, idx, 7); 2056 + if (has_he) 2027 2057 mt76_rmw_field(dev, addr, GENMASK(31, 24), phy.sgi); 2028 2058 else 2029 2059 mt76_rmw_field(dev, addr, GENMASK(15, 12), phy.sgi); 2030 2060 2031 - ret = mt7996_mcu_set_fixed_field(dev, link_sta, link, 2032 - msta_link, &phy, 2061 + ret = mt7996_mcu_set_fixed_field(dev, msta, &phy, link_id, 2033 2062 RATE_PARAM_FIXED_GI); 2034 2063 if (ret) 2035 2064 return ret; 2036 2065 } 2037 2066 2038 2067 /* fixed HE_LTF */ 2039 - if (mask->control[band].he_ltf != GENMASK(7, 0)) { 2040 - ret = mt7996_mcu_set_fixed_field(dev, link_sta, link, 2041 - msta_link, &phy, 2068 + if (mask.control[band].he_ltf != GENMASK(7, 0)) { 2069 + ret = mt7996_mcu_set_fixed_field(dev, msta, &phy, link_id, 2042 2070 RATE_PARAM_FIXED_HE_LTF); 2043 2071 if (ret) 2044 2072 return ret; 2045 2073 } 2046 2074 2047 2075 return 0; 2076 + 2077 + error_unlock: 2078 + rcu_read_unlock(); 2079 + 2080 + return -ENODEV; 2048 2081 } 2049 2082 2050 2083 static void ··· 2198 2145 memset(ra->rx_rcpi, INIT_RCPI, sizeof(ra->rx_rcpi)); 2199 2146 } 2200 2147 2201 - int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev, 2202 - struct ieee80211_vif *vif, 2203 - struct ieee80211_bss_conf *link_conf, 2204 - struct ieee80211_link_sta *link_sta, 2205 - struct mt7996_vif_link *link, 2206 - struct mt7996_sta_link *msta_link, bool changed) 2148 + int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev, struct mt7996_sta *msta, 2149 + struct ieee80211_vif *vif, u8 link_id, 2150 + bool changed) 2207 2151 { 2152 + struct ieee80211_bss_conf *link_conf; 2153 + struct ieee80211_link_sta *link_sta; 2154 + struct mt7996_sta_link *msta_link; 2155 + struct mt7996_vif_link *link; 2156 + struct ieee80211_sta *sta; 2208 2157 struct sk_buff *skb; 2209 - int ret; 2158 + int ret = -ENODEV; 2159 + 2160 + rcu_read_lock(); 2161 + 2162 + link = 
mt7996_vif_link(dev, vif, link_id); 2163 + if (!link) 2164 + goto error_unlock; 2165 + 2166 + msta_link = rcu_dereference(msta->link[link_id]); 2167 + if (!msta_link) 2168 + goto error_unlock; 2169 + 2170 + sta = wcid_to_sta(&msta_link->wcid); 2171 + link_sta = rcu_dereference(sta->link[link_id]); 2172 + if (!link_sta) 2173 + goto error_unlock; 2174 + 2175 + link_conf = rcu_dereference(vif->link_conf[link_id]); 2176 + if (!link_conf) 2177 + goto error_unlock; 2210 2178 2211 2179 skb = __mt76_connac_mcu_alloc_sta_req(&dev->mt76, &link->mt76, 2212 2180 &msta_link->wcid, 2213 2181 MT7996_STA_UPDATE_MAX_SIZE); 2214 - if (IS_ERR(skb)) 2215 - return PTR_ERR(skb); 2182 + if (IS_ERR(skb)) { 2183 + ret = PTR_ERR(skb); 2184 + goto error_unlock; 2185 + } 2216 2186 2217 2187 /* firmware rc algorithm refers to sta_rec_he for HE control. 2218 2188 * once dev->rc_work changes the settings driver should also ··· 2249 2173 */ 2250 2174 mt7996_mcu_sta_rate_ctrl_tlv(skb, dev, vif, link_conf, link_sta, link); 2251 2175 2176 + rcu_read_unlock(); 2177 + 2252 2178 ret = mt76_mcu_skb_send_msg(&dev->mt76, skb, 2253 2179 MCU_WMWA_UNI_CMD(STA_REC_UPDATE), true); 2254 2180 if (ret) 2255 2181 return ret; 2256 2182 2257 - return mt7996_mcu_add_rate_ctrl_fixed(dev, link_sta, link, msta_link); 2183 + return mt7996_mcu_add_rate_ctrl_fixed(dev, msta, vif, link_id); 2184 + 2185 + error_unlock: 2186 + rcu_read_unlock(); 2187 + 2188 + return ret; 2258 2189 } 2259 2190 2260 2191 static int
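--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
@@ -620,23 +620,17 @@
 int mt7996_mcu_add_obss_spr(struct mt7996_phy *phy,
 struct mt7996_vif_link *link,
 struct ieee80211_he_obss_pd *he_obss_pd);
-int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev,
-struct ieee80211_vif *vif,
-struct ieee80211_bss_conf *link_conf,
-struct ieee80211_link_sta *link_sta,
-struct mt7996_vif_link *link,
-struct mt7996_sta_link *msta_link, bool changed);
+int mt7996_mcu_add_rate_ctrl(struct mt7996_dev *dev, struct mt7996_sta *msta,
+struct ieee80211_vif *vif, u8 link_id,
+bool changed);
 int mt7996_set_channel(struct mt76_phy *mphy);
 int mt7996_mcu_set_chan_info(struct mt7996_phy *phy, u16 tag);
 int mt7996_mcu_set_tx(struct mt7996_dev *dev, struct ieee80211_vif *vif,
 struct ieee80211_bss_conf *link_conf);
 int mt7996_mcu_set_fixed_rate_ctrl(struct mt7996_dev *dev,
 void *data, u16 version);
-int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev,
-struct ieee80211_link_sta *link_sta,
-struct mt7996_vif_link *link,
-struct mt7996_sta_link *msta_link,
-void *data, u32 field);
+int mt7996_mcu_set_fixed_field(struct mt7996_dev *dev, struct mt7996_sta *msta,
+void *data, u8 link_id, u32 field);
 int mt7996_mcu_set_eeprom(struct mt7996_dev *dev);
 int mt7996_mcu_get_eeprom(struct mt7996_dev *dev, u32 offset, u8 *buf, u32 buf_len);
 int mt7996_mcu_get_eeprom_free_block(struct mt7996_dev *dev, u8 *block_num);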
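--- a/drivers/net/wireless/mediatek/mt76/tx.c
+++ b/drivers/net/wireless/mediatek/mt76/tx.c
@@ -64,7 +64,7 @@
 struct mt76_tx_cb *cb = mt76_tx_skb_cb(skb);
 struct mt76_wcid *wcid;
 
-wcid = rcu_dereference(dev->wcid[cb->wcid]);
+wcid = __mt76_wcid_ptr(dev, cb->wcid);
 if (wcid) {
 status.sta = wcid_to_sta(wcid);
 if (status.sta && (wcid->rate.flags || wcid->rate.legacy)) {
@@ -251,9 +251,7 @@
 
 rcu_read_lock();
 
-if (wcid_idx < ARRAY_SIZE(dev->wcid))
-wcid = rcu_dereference(dev->wcid[wcid_idx]);
-
+wcid = __mt76_wcid_ptr(dev, wcid_idx);
 mt76_tx_check_non_aql(dev, wcid, skb);
 
 #ifdef CONFIG_NL80211_TESTMODE
@@ -538,7 +536,7 @@
 break;
 
 mtxq = (struct mt76_txq *)txq->drv_priv;
-wcid = rcu_dereference(dev->wcid[mtxq->wcid]);
+wcid = __mt76_wcid_ptr(dev, mtxq->wcid);
 if (!wcid || test_bit(MT_WCID_FLAG_PS, &wcid->flags))
 continue;
 
@@ -617,7 +615,8 @@
 if ((dev->drv->drv_flags & MT_DRV_HW_MGMT_TXQ) &&
 !(info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP) &&
 !ieee80211_is_data(hdr->frame_control) &&
-!ieee80211_is_bufferable_mmpdu(skb))
+(!ieee80211_is_bufferable_mmpdu(skb) ||
+ieee80211_is_deauth(hdr->frame_control)))
 qid = MT_TXQ_PSD;
 
 q = phy->q_tx[qid];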
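Review bot: The widened condition in the last hunk, `(!ieee80211_is_bufferable_mmpdu(skb) || ieee80211_is_deauth(hdr->frame_control))`, has no comment saying why deauthentication frames are now routed to `MT_TXQ_PSD` even though the first half of the test apparently treats them as bufferable. A line above the `if` should record the reason, in the form `/* deauth is bufferable but still goes out via the PSD queue because <reason> */`, with the reason filled in by the author since the hunk does not state it. The enclosing function starts and ends outside the hunk.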
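--- a/drivers/net/wireless/mediatek/mt76/util.c
+++ b/drivers/net/wireless/mediatek/mt76/util.c
@@ -83,7 +83,7 @@
 if (!(mask & 1))
 continue;
 
-wcid = rcu_dereference(dev->wcid[j]);
+wcid = __mt76_wcid_ptr(dev, j);
 if (!wcid || wcid->phy_idx != phy_idx)
 continue;
 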
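--- a/drivers/net/wireless/ralink/rt2x00/rt2x00soc.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00soc.c
@@ -108,7 +108,7 @@
 }
 EXPORT_SYMBOL_GPL(rt2x00soc_probe);
 
-int rt2x00soc_remove(struct platform_device *pdev)
+void rt2x00soc_remove(struct platform_device *pdev)
 {
 struct ieee80211_hw *hw = platform_get_drvdata(pdev);
 struct rt2x00_dev *rt2x00dev = hw->priv;
@@ -119,8 +119,6 @@
 rt2x00lib_remove_dev(rt2x00dev);
 rt2x00soc_free_reg(rt2x00dev);
 ieee80211_free_hw(hw);
-
-return 0;
 }
 EXPORT_SYMBOL_GPL(rt2x00soc_remove);
 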
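--- a/drivers/net/wireless/ralink/rt2x00/rt2x00soc.h
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00soc.h
@@ -17,7 +17,7 @@
 * SoC driver handlers.
 */
 int rt2x00soc_probe(struct platform_device *pdev, const struct rt2x00_ops *ops);
-int rt2x00soc_remove(struct platform_device *pdev);
+void rt2x00soc_remove(struct platform_device *pdev);
 #ifdef CONFIG_PM
 int rt2x00soc_suspend(struct platform_device *pdev, pm_message_t state);
 int rt2x00soc_resume(struct platform_device *pdev);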
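--- a/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
+++ b/drivers/net/wireless/zydas/zd1211rw/zd_mac.c
@@ -583,7 +583,11 @@
 
 skb_queue_tail(q, skb);
 while (skb_queue_len(q) > ZD_MAC_MAX_ACK_WAITERS) {
-zd_mac_tx_status(hw, skb_dequeue(q),
+skb = skb_dequeue(q);
+if (!skb)
+break;
+
+zd_mac_tx_status(hw, skb,
 mac->ack_pending ? mac->ack_signal : 0,
 NULL);
 mac->ack_pending = 0;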
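Review bot: The new loop body stores the dequeued buffer in `skb`, the same variable that was just appended with `skb_queue_tail(q, skb)`, so after the loop `skb` no longer names the frame this call queued and may name one already passed to `zd_mac_tx_status()`. A separate local keeps the two apart: `struct sk_buff *old = skb_dequeue(q);`, then `if (!old) break;` and `zd_mac_tx_status(hw, old, ...)`. Whether `skb` is read again later cannot be seen here, because the function continues outside the hunk.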
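--- a/include/linux/ieee80211.h
+++ b/include/linux/ieee80211.h
@@ -663,18 +663,6 @@
 }
 
 /**
-* ieee80211_is_s1g_short_beacon - check if frame is an S1G short beacon
-* @fc: frame control bytes in little-endian byteorder
-* Return: whether or not the frame is an S1G short beacon,
-* i.e. it is an S1G beacon with 'next TBTT' flag set
-*/
-static inline bool ieee80211_is_s1g_short_beacon(__le16 fc)
-{
-return ieee80211_is_s1g_beacon(fc) &&
-(fc & cpu_to_le16(IEEE80211_S1G_BCN_NEXT_TBTT));
-}
-
-/**
 * ieee80211_is_atim - check if IEEE80211_FTYPE_MGMT && IEEE80211_STYPE_ATIM
 * @fc: frame control bytes in little-endian byteorder
 * Return: whether or not the frame is an ATIM frame
@@ -4899,6 +4887,39 @@
 return true;
 
 return false;
+}
+
+/**
+* ieee80211_is_s1g_short_beacon - check if frame is an S1G short beacon
+* @fc: frame control bytes in little-endian byteorder
+* @variable: pointer to the beacon frame elements
+* @variable_len: length of the frame elements
+* Return: whether or not the frame is an S1G short beacon. As per
+* IEEE80211-2024 11.1.3.10.1, The S1G beacon compatibility element shall
+* always be present as the first element in beacon frames generated at a
+* TBTT (Target Beacon Transmission Time), so any frame not containing
+* this element must have been generated at a TSBTT (Target Short Beacon
+* Transmission Time) that is not a TBTT. Additionally, short beacons are
+* prohibited from containing the S1G beacon compatibility element as per
+* IEEE80211-2024 9.3.4.3 Table 9-76, so if we have an S1G beacon with
+* either no elements or the first element is not the beacon compatibility
+* element, we have a short beacon.
+*/
+static inline bool ieee80211_is_s1g_short_beacon(__le16 fc, const u8 *variable,
+size_t variable_len)
+{
+if (!ieee80211_is_s1g_beacon(fc))
+return false;
+
+/*
+* If the frame does not contain at least 1 element (this is perfectly
+* valid in a short beacon) and is an S1G beacon, we have a short
+* beacon.
+*/
+if (variable_len < 2)
+return true;
+
+return variable[0] != WLAN_EID_S1G_BCN_COMPAT;
 }
 
 struct element {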
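Review bot: The kernel-doc for the new `ieee80211_is_s1g_short_beacon()` does not say where `@variable` has to point, although the function trusts `variable[0]` to be an element ID. The caller in mlme.c passes `parse_params.start`, which appears to be the position after the optional S1G fixed fields skipped with `ieee80211_s1g_optional_len()`; a caller that passed `u.s1g_beacon.variable` unadjusted would compare an optional-field byte with `WLAN_EID_S1G_BCN_COMPAT`. I would change the parameter line to `@variable: pointer to the first element, i.e. past the optional S1G beacon fields` and add that it is only dereferenced when `@variable_len` is at least 2.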
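--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -370,7 +370,7 @@
 
 static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto)
 {
-if (!pskb_may_pull(skb, PPPOE_SES_HLEN))
+if (!pskb_may_pull(skb, ETH_HLEN + PPPOE_SES_HLEN))
 return false;
 
 *inner_proto = __nf_flow_pppoe_proto(skb);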
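Review bot: The pull length `ETH_HLEN + PPPOE_SES_HLEN` in `nf_flow_pppoe_proto()` carries no comment, and the previous version of this line shows how easily the Ethernet header is left out of the bound. A one-line comment above the check would record the assumption, for example `/* skb->data is at the Ethernet header here, so the PPPoE session header starts ETH_HLEN bytes in */`. That offset is inferred from the new length only, since `__nf_flow_pppoe_proto()` is not shown on this page, and the function body continues past the hunk.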
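--- a/net/appletalk/ddp.c
+++ b/net/appletalk/ddp.c
@@ -576,6 +576,7 @@
 
 /* Fill in the routing entry */
 rt->target = ta->sat_addr;
+dev_put(rt->dev); /* Release old device */
 dev_hold(devhint);
 rt->dev = devhint;
 rt->flags = r->rt_flags;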
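Review bot: The added `dev_put(rt->dev)` drops the old reference before `dev_hold(devhint)` takes the new one, so when `rt->dev` and `devhint` are the same device the count is briefly one lower than it should be. Taking the new reference first closes that window: `dev_hold(devhint);` then `dev_put(rt->dev);` then `rt->dev = devhint;`. If this code is also reached for a freshly allocated route entry, the line depends on `rt->dev` being initialised to NULL and on `dev_put()` accepting NULL; neither the allocation nor the caller's own reference on `devhint` is visible in this hunk.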
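--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3525,11 +3525,9 @@
 
 ASSERT_RTNL();
 
-idev = ipv6_find_idev(dev);
-if (IS_ERR(idev)) {
-pr_debug("%s: add_dev failed\n", __func__);
+idev = addrconf_add_dev(dev);
+if (IS_ERR(idev))
 return;
-}
 
 /* Generate the IPv6 link-local address using addrconf_addr_gen(),
 * unless we have an IPv4 GRE device not bound to an IP address and
@@ -3543,9 +3541,6 @@
 }
 
 add_v4_addrs(idev);
-
-if (dev->flags & IFF_POINTOPOINT)
-addrconf_add_mroute(dev);
 }
 #endif
 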
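--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1959,6 +1959,20 @@
 ieee80211_sta_init_nss(link_sta);
 
 if (params->opmode_notif_used) {
+enum nl80211_chan_width width = link->conf->chanreq.oper.width;
+
+switch (width) {
+case NL80211_CHAN_WIDTH_20:
+case NL80211_CHAN_WIDTH_40:
+case NL80211_CHAN_WIDTH_80:
+case NL80211_CHAN_WIDTH_160:
+case NL80211_CHAN_WIDTH_80P80:
+case NL80211_CHAN_WIDTH_320: /* not VHT, allowed for HE/EHT */
+break;
+default:
+return -EINVAL;
+}
+
 /* returned value is only needed for rc update, but the
 * rc isn't initialized here yet, so ignore it
 */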
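Review bot: The new `return -EINVAL` for an unsupported channel width comes after `ieee80211_sta_init_nss(link_sta)` and after whatever parameters the function applied before that, so a rejected request can leave the link station partly updated. Doing the width check before any state is written would keep the error path free of side effects. The function starts outside the hunk, so how much has already been applied at this point has to be checked against the full body.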
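--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -1150,6 +1150,8 @@
 {
 sdata->local = local;
 
+INIT_LIST_HEAD(&sdata->key_list);
+
 /*
 * Initialize the default link, so we can use link_id 0 for non-MLD,
 * and that continues to work for non-MLD-aware drivers that use just
@@ -2209,8 +2211,6 @@
 ieee80211_sdata_init(local, sdata);
 
 ieee80211_init_frag_cache(&sdata->frags);
-
-INIT_LIST_HEAD(&sdata->key_list);
 
 wiphy_delayed_work_init(&sdata->dec_tailroom_needed_wk,
 ieee80211_delayed_tailroom_dec);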
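--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3934,6 +3934,9 @@
 
 lockdep_assert_wiphy(local->hw.wiphy);
 
+if (frame_buf)
+memset(frame_buf, 0, IEEE80211_DEAUTH_FRAME_LEN);
+
 if (WARN_ON(!ap_sta))
 return;
 
@@ -7195,6 +7198,7 @@
 struct ieee80211_bss_conf *bss_conf = link->conf;
 struct ieee80211_vif_cfg *vif_cfg = &sdata->vif.cfg;
 struct ieee80211_mgmt *mgmt = (void *) hdr;
+struct ieee80211_ext *ext = NULL;
 size_t baselen;
 struct ieee802_11_elems *elems;
 struct ieee80211_local *local = sdata->local;
@@ -7220,7 +7224,7 @@
 /* Process beacon from the current BSS */
 bssid = ieee80211_get_bssid(hdr, len, sdata->vif.type);
 if (ieee80211_is_s1g_beacon(mgmt->frame_control)) {
-struct ieee80211_ext *ext = (void *) mgmt;
+ext = (void *)mgmt;
 variable = ext->u.s1g_beacon.variable +
 ieee80211_s1g_optional_len(ext->frame_control);
 }
@@ -7407,7 +7411,9 @@
 }
 
 if ((ncrc == link->u.mgd.beacon_crc && link->u.mgd.beacon_crc_valid) ||
-ieee80211_is_s1g_short_beacon(mgmt->frame_control))
+(ext && ieee80211_is_s1g_short_beacon(ext->frame_control,
+parse_params.start,
+parse_params.len)))
 goto free;
 link->u.mgd.beacon_crc = ncrc;
 link->u.mgd.beacon_crc_valid = true;
@@ -10699,8 +10705,8 @@
 */
 for_each_mle_subelement(sub, (const u8 *)elems->ml_epcs,
 elems->ml_epcs_len) {
+struct ieee802_11_elems *link_elems __free(kfree) = NULL;
 struct ieee80211_link_data *link;
-struct ieee802_11_elems *link_elems __free(kfree);
 u8 *pos = (void *)sub->data;
 u16 control;
 ssize_t len;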
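Review bot: The new `memset(frame_buf, 0, IEEE80211_DEAUTH_FRAME_LEN)` in the first hunk writes a fixed length through a caller-supplied pointer, and nothing in the hunk ties that length to the real size of the buffer. A comment on the function should state the contract, e.g. `/* frame_buf: NULL, or at least IEEE80211_DEAUTH_FRAME_LEN bytes; zeroed up front so no early return leaves it uninitialised */`. The signature and the callers are outside the hunk, so whether every caller passes a buffer of that size has to be confirmed there.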
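--- a/net/mac80211/parse.c
+++ b/net/mac80211/parse.c
@@ -758,7 +758,6 @@
 {
 const struct element *elem, *sub;
 size_t profile_len = 0;
-bool found = false;
 
 if (!bss || !bss->transmitted_bss)
 return profile_len;
@@ -809,15 +808,14 @@
 index[2],
 new_bssid);
 if (ether_addr_equal(new_bssid, bss->bssid)) {
-found = true;
 elems->bssid_index_len = index[1];
 elems->bssid_index = (void *)&index[2];
-break;
+return profile_len;
 }
 }
 }
 
-return found ? profile_len : 0;
+return 0;
 }
 
 static void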
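--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -2144,11 +2144,6 @@
 cfg80211_sched_scan_stopped_locked(local->hw.wiphy, 0);
 
 wake_up:
-
-if (local->virt_monitors > 0 &&
-local->virt_monitors == local->open_count)
-ieee80211_add_virtual_monitor(local);
-
 /*
 * Clear the WLAN_STA_BLOCK_BA flag so new aggregation
 * sessions can be established after a resume.
@@ -2201,6 +2196,10 @@
 ieee80211_sta_restart(sdata);
 }
 }
+
+if (local->virt_monitors > 0 &&
+local->virt_monitors == local->open_count)
+ieee80211_add_virtual_monitor(local);
 
 if (!suspended)
 return 0;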
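--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1395,7 +1395,7 @@
 rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
 rcvbuf = READ_ONCE(sk->sk_rcvbuf);
 
-if ((rmem != skb->truesize || rmem <= rcvbuf) &&
+if ((rmem == skb->truesize || rmem <= rcvbuf) &&
 !test_bit(NETLINK_S_CONGESTED, &nlk->state)) {
 netlink_skb_set_owner_r(skb, sk);
 __netlink_sendskb(sk, skb);
@@ -2258,11 +2258,11 @@
 struct netlink_ext_ack extack = {};
 struct netlink_callback *cb;
 struct sk_buff *skb = NULL;
+unsigned int rmem, rcvbuf;
 size_t max_recvmsg_len;
 struct module *module;
 int err = -ENOBUFS;
 int alloc_min_size;
-unsigned int rmem;
 int alloc_size;
 
 if (!lock_taken)
@@ -2294,8 +2294,9 @@
 if (!skb)
 goto errout_skb;
 
+rcvbuf = READ_ONCE(sk->sk_rcvbuf);
 rmem = atomic_add_return(skb->truesize, &sk->sk_rmem_alloc);
-if (rmem >= READ_ONCE(sk->sk_rcvbuf)) {
+if (rmem != skb->truesize && rmem >= rcvbuf) {
 atomic_sub(skb->truesize, &sk->sk_rmem_alloc);
 goto errout_skb;
 }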
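Review bot: The two receive-buffer checks disagree at the boundary: the test in the first hunk accepts `rmem <= rcvbuf`, while the dump path in the third hunk rejects `rmem >= rcvbuf`, so an skb that fills the buffer exactly is queued by one path and refused by the other. Neither site says that `rmem == skb->truesize` means the queue was empty before this skb was charged. A comment at both places, such as `/* always admit one skb, even if it alone exceeds sk_rcvbuf */`, or a small shared helper for the admission test, would keep the two copies from drifting apart again. Both functions extend beyond their hunks.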
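--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -229,6 +229,7 @@
 unsigned int len = nla_len(attr);
 const struct element *elem;
 const struct ieee80211_mgmt *mgmt = (void *)data;
+const struct ieee80211_ext *ext;
 unsigned int fixedlen, hdrlen;
 bool s1g_bcn;
 
@@ -237,8 +238,10 @@
 
 s1g_bcn = ieee80211_is_s1g_beacon(mgmt->frame_control);
 if (s1g_bcn) {
-fixedlen = offsetof(struct ieee80211_ext,
-u.s1g_beacon.variable);
+ext = (struct ieee80211_ext *)mgmt;
+fixedlen =
+offsetof(struct ieee80211_ext, u.s1g_beacon.variable) +
+ieee80211_s1g_optional_len(ext->frame_control);
 hdrlen = offsetof(struct ieee80211_ext, u.s1g_beacon);
 } else {
 fixedlen = offsetof(struct ieee80211_mgmt,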
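Review bot: The assignment `ext = (struct ieee80211_ext *)mgmt;` in the second hunk casts away the `const` that both `mgmt` and `ext` are declared with a few lines earlier. Writing it as `ext = (const struct ieee80211_ext *)mgmt;` keeps the qualifier through the cast and avoids a cast-qual warning. The function begins and ends outside the hunk.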
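--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -820,6 +820,52 @@
 }
 EXPORT_SYMBOL(ieee80211_is_valid_amsdu);
 
+
+/*
+* Detects if an MSDU frame was maliciously converted into an A-MSDU
+* frame by an adversary. This is done by parsing the received frame
+* as if it were a regular MSDU, even though the A-MSDU flag is set.
+*
+* For non-mesh interfaces, detection involves checking whether the
+* payload, when interpreted as an MSDU, begins with a valid RFC1042
+* header. This is done by comparing the A-MSDU subheader's destination
+* address to the start of the RFC1042 header.
+*
+* For mesh interfaces, the MSDU includes a 6-byte Mesh Control field
+* and an optional variable-length Mesh Address Extension field before
+* the RFC1042 header. The position of the RFC1042 header must therefore
+* be calculated based on the mesh header length.
+*
+* Since this function intentionally parses an A-MSDU frame as an MSDU,
+* it only assumes that the A-MSDU subframe header is present, and
+* beyond this it performs its own bounds checks under the assumption
+* that the frame is instead parsed as a non-aggregated MSDU.
+*/
+static bool
+is_amsdu_aggregation_attack(struct ethhdr *eth, struct sk_buff *skb,
+enum nl80211_iftype iftype)
+{
+int offset;
+
+/* Non-mesh case can be directly compared */
+if (iftype != NL80211_IFTYPE_MESH_POINT)
+return ether_addr_equal(eth->h_dest, rfc1042_header);
+
+offset = __ieee80211_get_mesh_hdrlen(eth->h_dest[0]);
+if (offset == 6) {
+/* Mesh case with empty address extension field */
+return ether_addr_equal(eth->h_source, rfc1042_header);
+} else if (offset + ETH_ALEN <= skb->len) {
+/* Mesh case with non-empty address extension field */
+u8 temp[ETH_ALEN];
+
+skb_copy_bits(skb, offset, temp, ETH_ALEN);
+return ether_addr_equal(temp, rfc1042_header);
+}
+
+return false;
+}
+
 void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
 const u8 *addr, enum nl80211_iftype iftype,
 const unsigned int extra_headroom,
@@ -861,8 +907,10 @@
 /* the last MSDU has no padding */
 if (subframe_len > remaining)
 goto purge;
-/* mitigate A-MSDU aggregation injection attacks */
-if (ether_addr_equal(hdr.eth.h_dest, rfc1042_header))
+/* mitigate A-MSDU aggregation injection attacks, to be
+* checked when processing first subframe (offset == 0).
+*/
+if (offset == 0 && is_amsdu_aggregation_attack(&hdr.eth, skb, iftype))
 goto purge;
 
 offset += sizeof(struct ethhdr);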
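Review bot: `is_amsdu_aggregation_attack()` is only correct for the first subframe, because it reads the mesh flags from `eth->h_dest[0]` and passes its `offset` to `skb_copy_bits()` relative to the start of the skb, yet only the caller's `offset == 0 &&` enforces that. The block comment above the helper should say so, for instance with an added sentence `Must only be called for the first subframe (A-MSDU offset 0).`. In the mesh branch a frame too short to hold an RFC1042 header at the computed offset falls through to `return false`, and a short comment there, saying that such frames are left to the regular length checks, would make that choice explicit. The `else` after the first `return` in that branch can be dropped.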
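--- a/tools/testing/selftests/net/gre_ipv6_lladdr.sh
+++ b/tools/testing/selftests/net/gre_ipv6_lladdr.sh
@@ -24,7 +24,10 @@
 ip -netns "${NS0}" address add dev lo 2001:db8::10/64 nodad
 }
 
-# Check if network device has an IPv6 link-local address assigned.
+# Check the IPv6 configuration of a network device.
+#
+# We currently check the generation of the link-local IPv6 address and the
+# creation of the ff00::/8 multicast route.
 #
 # Parameters:
 #
@@ -35,7 +38,7 @@
 # a link-local address)
 # * $4: The user visible name for the scenario being tested
 #
-check_ipv6_ll_addr()
+check_ipv6_device_config()
 {
 local DEV="$1"
 local EXTRA_MATCH="$2"
@@ -45,7 +48,11 @@
 RET=0
 set +e
 ip -netns "${NS0}" -6 address show dev "${DEV}" scope link | grep "fe80::" | grep -q "${EXTRA_MATCH}"
-check_err_fail "${XRET}" $? ""
+check_err_fail "${XRET}" $? "IPv6 link-local address generation"
+
+ip -netns "${NS0}" -6 route show table local type multicast ff00::/8 proto kernel | grep -q "${DEV}"
+check_err_fail 0 $? "IPv6 multicast route creation"
+
 log_test "${MSG}"
 set -e
 }
@@ -102,20 +109,20 @@
 ;;
 esac
 
-# Check that IPv6 link-local address is generated when device goes up
+# Check the IPv6 device configuration when it goes up
 ip netns exec "${NS0}" sysctl -qw net.ipv6.conf.gretest.addr_gen_mode="${ADDR_GEN_MODE}"
 ip -netns "${NS0}" link set dev gretest up
-check_ipv6_ll_addr gretest "${MATCH_REGEXP}" "${XRET}" "config: ${MSG}"
+check_ipv6_device_config gretest "${MATCH_REGEXP}" "${XRET}" "config: ${MSG}"
 
 # Now disable link-local address generation
 ip -netns "${NS0}" link set dev gretest down
 ip netns exec "${NS0}" sysctl -qw net.ipv6.conf.gretest.addr_gen_mode=1
 ip -netns "${NS0}" link set dev gretest up
 
-# Check that link-local address generation works when re-enabled while
-# the device is already up
+# Check the IPv6 device configuration when link-local address
+# generation is re-enabled while the device is already up
 ip netns exec "${NS0}" sysctl -qw net.ipv6.conf.gretest.addr_gen_mode="${ADDR_GEN_MODE}"
-check_ipv6_ll_addr gretest "${MATCH_REGEXP}" "${XRET}" "update: ${MSG}"
+check_ipv6_device_config gretest "${MATCH_REGEXP}" "${XRET}" "update: ${MSG}"
 
 ip -netns "${NS0}" link del dev gretest
 }
@@ -126,7 +133,7 @@
 local MODE
 
 for GRE_TYPE in "gre" "gretap"; do
-printf "\n####\nTesting IPv6 link-local address generation on ${GRE_TYPE} devices\n####\n\n"
+printf "\n####\nTesting IPv6 configuration of ${GRE_TYPE} devices\n####\n\n"
 
 for MODE in "eui64" "none" "stable-privacy" "random"; do
 test_gre_device "${GRE_TYPE}" 192.0.2.10 192.0.2.11 "${MODE}"
@@ -142,7 +149,7 @@
 local MODE
 
 for GRE_TYPE in "ip6gre" "ip6gretap"; do
-printf "\n####\nTesting IPv6 link-local address generation on ${GRE_TYPE} devices\n####\n\n"
+printf "\n####\nTesting IPv6 configuration of ${GRE_TYPE} devices\n####\n\n"
 
 for MODE in "eui64" "none" "stable-privacy" "random"; do
 test_gre_device "${GRE_TYPE}" 2001:db8::10 2001:db8::11 "${MODE}"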
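Review bot: The new multicast-route check in `check_ipv6_device_config()` matches the device with `grep -q "${DEV}"`, which also succeeds on any route line that merely contains the name as a substring, such as a second device with a longer name. `grep -qw "${DEV}"` pins the match to a whole word. The route check is asserted with a fixed expected value of `0` while the address check uses `${XRET}`, so the parameter comment above the function should say that the multicast route is expected in every scenario, including those where no link-local address is generated.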
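--- a/tools/testing/selftests/net/lib.sh
+++ b/tools/testing/selftests/net/lib.sh
@@ -312,7 +312,7 @@
 local test_name=$1; shift
 local opt_str=$1; shift
 local result=$1; shift
-local retmsg=$1; shift
+local retmsg=$1
 
 printf "TEST: %-60s [%s]\n" "$test_name $opt_str" "$result"
 if [[ $retmsg ]]; then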