* [PATCH AUTOSEL 5.4 01/31] wifi: rt2x00: restart beacon queue when hardware reset
@ 2024-01-16 20:02 Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 10/31] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Sasha Levin
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: Sasha Levin @ 2024-01-16 20:02 UTC (permalink / raw
To: linux-kernel, stable
Cc: Shiji Yang, Stanislaw Gruszka, Kalle Valo, Sasha Levin,
linux-wireless
From: Shiji Yang <yangshiji66@outlook.com>
[ Upstream commit a11d965a218f0cd95b13fe44d0bcd8a20ce134a8 ]
When a hardware reset is triggered, all registers are reset, so all
queues are forced to stop in hardware interface. However, mac80211
will not automatically stop the queue. If we don't manually stop the
beacon queue, the queue will be deadlocked and unable to start again.
This patch fixes the issue where Apple devices cannot connect to the
AP after calling ieee80211_restart_hw().
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Acked-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/TYAP286MB031530EB6D98DCE4DF20766CBCA4A@TYAP286MB0315.JPNP286.PROD.OUTLOOK.COM
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ralink/rt2x00/rt2x00dev.c | 3 +++
drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 11 +++++++++++
2 files changed, 14 insertions(+)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
index c3eab767bc21..f504f3529407 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
@@ -101,6 +101,7 @@ void rt2x00lib_disable_radio(struct rt2x00_dev *rt2x00dev)
rt2x00link_stop_tuner(rt2x00dev);
rt2x00queue_stop_queues(rt2x00dev);
rt2x00queue_flush_queues(rt2x00dev, true);
+ rt2x00queue_stop_queue(rt2x00dev->bcn);
/*
* Disable radio.
@@ -1283,6 +1284,7 @@ int rt2x00lib_start(struct rt2x00_dev *rt2x00dev)
rt2x00dev->intf_ap_count = 0;
rt2x00dev->intf_sta_count = 0;
rt2x00dev->intf_associated = 0;
+ rt2x00dev->intf_beaconing = 0;
/* Enable the radio */
retval = rt2x00lib_enable_radio(rt2x00dev);
@@ -1310,6 +1312,7 @@ void rt2x00lib_stop(struct rt2x00_dev *rt2x00dev)
rt2x00dev->intf_ap_count = 0;
rt2x00dev->intf_sta_count = 0;
rt2x00dev->intf_associated = 0;
+ rt2x00dev->intf_beaconing = 0;
}
static inline void rt2x00lib_set_if_combinations(struct rt2x00_dev *rt2x00dev)
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
index beb20c5faf5f..a0fb167b58fe 100644
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
@@ -578,6 +578,17 @@ void rt2x00mac_bss_info_changed(struct ieee80211_hw *hw,
*/
if (changes & BSS_CHANGED_BEACON_ENABLED) {
mutex_lock(&intf->beacon_skb_mutex);
+
+ /*
+ * Clear the 'enable_beacon' flag and clear beacon because
+ * the beacon queue has been stopped after hardware reset.
+ */
+ if (test_bit(DEVICE_STATE_RESET, &rt2x00dev->flags) &&
+ intf->enable_beacon) {
+ intf->enable_beacon = false;
+ rt2x00queue_clear_beacon(rt2x00dev, vif);
+ }
+
if (!bss_conf->enable_beacon && intf->enable_beacon) {
rt2x00dev->intf_beaconing--;
intf->enable_beacon = false;
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 5.4 10/31] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus()
2024-01-16 20:02 [PATCH AUTOSEL 5.4 01/31] wifi: rt2x00: restart beacon queue when hardware reset Sasha Levin
@ 2024-01-16 20:02 ` Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 27/31] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices Sasha Levin
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2024-01-16 20:02 UTC (permalink / raw
To: linux-kernel, stable
Cc: Minsuk Kang, Toke Høiland-Jørgensen, Kalle Valo,
Sasha Levin, kvalo, linux-wireless
From: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
[ Upstream commit 2adc886244dff60f948497b59affb6c6ebb3c348 ]
Fix an array-index-out-of-bounds read in ath9k_htc_txstatus(). The bug
occurs when txs->cnt, data from a URB provided by a USB device, is
bigger than the size of the array txs->txstatus, which is
HTC_MAX_TX_STATUS. WARN_ON() already checks it, but there is no bug
handling code after the check. Make the function return if that is the
case.
Found by a modified version of syzkaller.
UBSAN: array-index-out-of-bounds in htc_drv_txrx.c
index 13 is out of range for type '__wmi_event_txstatus [12]'
Call Trace:
ath9k_htc_txstatus
ath9k_wmi_event_tasklet
tasklet_action_common
__do_softirq
irq_exit_rxu
sysvec_apic_timer_interrupt
Signed-off-by: Minsuk Kang <linuxlovemin@yonsei.ac.kr>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20231113065756.1491991-1-linuxlovemin@yonsei.ac.kr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
index ee021738bef0..be4fa41bdb12 100644
--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
+++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c
@@ -647,9 +647,10 @@ void ath9k_htc_txstatus(struct ath9k_htc_priv *priv, void *wmi_event)
struct ath9k_htc_tx_event *tx_pend;
int i;
- for (i = 0; i < txs->cnt; i++) {
- WARN_ON(txs->cnt > HTC_MAX_TX_STATUS);
+ if (WARN_ON_ONCE(txs->cnt > HTC_MAX_TX_STATUS))
+ return;
+ for (i = 0; i < txs->cnt; i++) {
__txs = &txs->txstatus[i];
skb = ath9k_htc_tx_get_packet(priv, __txs);
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 5.4 27/31] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices
2024-01-16 20:02 [PATCH AUTOSEL 5.4 01/31] wifi: rt2x00: restart beacon queue when hardware reset Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 10/31] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Sasha Levin
@ 2024-01-16 20:02 ` Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 29/31] wifi: rtlwifi: add calculate_bit_shift() Sasha Levin
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2024-01-16 20:02 UTC (permalink / raw
To: linux-kernel, stable
Cc: Zenm Chen, Ping-Ke Shih, Kalle Valo, Sasha Levin, Jes.Sorensen,
linux-wireless
From: Zenm Chen <zenmchen@gmail.com>
[ Upstream commit 4e87ca403e2008b9e182239e1abbf6876a55eb33 ]
Add additional USB IDs found in the vendor driver from
https://github.com/Mange/rtl8192eu-linux-driver to support more
RTL8192EU devices.
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
Reviewed-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231217123017.1982-1-zenmchen@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
index 2648b30aab76..0d9e31746fd2 100644
--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
@@ -6362,6 +6362,18 @@ static const struct usb_device_id dev_table[] = {
.driver_info = (unsigned long)&rtl8192eu_fops},
{USB_DEVICE_AND_INTERFACE_INFO(USB_VENDOR_ID_REALTEK, 0x818c, 0xff, 0xff, 0xff),
.driver_info = (unsigned long)&rtl8192eu_fops},
+/* D-Link DWA-131 rev C1 */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x3312, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* TP-Link TL-WN8200ND V2 */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2357, 0x0126, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* Mercusys MW300UM */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0100, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
+/* Mercusys MW300UH */
+{USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0104, 0xff, 0xff, 0xff),
+ .driver_info = (unsigned long)&rtl8192eu_fops},
#endif
{ }
};
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 5.4 29/31] wifi: rtlwifi: add calculate_bit_shift()
2024-01-16 20:02 [PATCH AUTOSEL 5.4 01/31] wifi: rt2x00: restart beacon queue when hardware reset Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 10/31] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 27/31] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices Sasha Levin
@ 2024-01-16 20:02 ` Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 30/31] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 31/31] wifi: cfg80211: free beacon_ies when overridden from hidden BSS Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2024-01-16 20:02 UTC (permalink / raw
To: linux-kernel, stable
Cc: Su Hui, Ping-Ke Shih, Kalle Valo, Sasha Levin, linux-wireless
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 52221dfddbbfb5b4e029bb2efe9bb7da33ec1e46 ]
There are many same functions like _rtl88e_phy_calculate_bit_shift(),
_rtl92c_phy_calculate_bit_shift() and so on. And these functions can
cause undefined bitwise shift behavior. Add calculate_bit_shift() to
replace them and fix undefined behavior in subsequent patches.
Signed-off-by: Su Hui <suhui@nfschina.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231219065739.1895666-2-suhui@nfschina.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/wifi.h | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index 3bdda1c98339..abec9ceabe28 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -3230,4 +3230,11 @@ static inline struct ieee80211_sta *rtl_find_sta(struct ieee80211_hw *hw,
return ieee80211_find_sta(mac->vif, mac_addr);
}
+static inline u32 calculate_bit_shift(u32 bitmask)
+{
+ if (WARN_ON_ONCE(!bitmask))
+ return 0;
+
+ return __ffs(bitmask);
+}
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 5.4 30/31] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift()
2024-01-16 20:02 [PATCH AUTOSEL 5.4 01/31] wifi: rt2x00: restart beacon queue when hardware reset Sasha Levin
` (2 preceding siblings ...)
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 29/31] wifi: rtlwifi: add calculate_bit_shift() Sasha Levin
@ 2024-01-16 20:02 ` Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 31/31] wifi: cfg80211: free beacon_ies when overridden from hidden BSS Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2024-01-16 20:02 UTC (permalink / raw
To: linux-kernel, stable
Cc: Su Hui, Kalle Valo, Sasha Levin, pkshih, linux-wireless
From: Su Hui <suhui@nfschina.com>
[ Upstream commit 5c16618bc06a41ad68fd8499a21d35ef57ca06c2 ]
Using calculate_bit_shift() to replace rtl8723_phy_calculate_bit_shift().
And fix an undefined bitwise shift behavior problem.
Signed-off-by: Su Hui <suhui@nfschina.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://msgid.link/20231219065739.1895666-12-suhui@nfschina.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c | 6 +++---
drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c | 4 ++--
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
index 54a3aec1dfa7..bc42bfc394a5 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/phy.c
@@ -50,7 +50,7 @@ u32 rtl8723e_phy_query_rf_reg(struct ieee80211_hw *hw,
rfpath, regaddr);
}
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
readback_value = (original_value & bitmask) >> bitshift;
spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags);
@@ -82,7 +82,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw,
original_value = rtl8723_phy_rf_serial_read(hw,
rfpath,
regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data =
((original_value & (~bitmask)) |
(data << bitshift));
@@ -91,7 +91,7 @@ void rtl8723e_phy_set_rf_reg(struct ieee80211_hw *hw,
rtl8723_phy_rf_serial_write(hw, rfpath, regaddr, data);
} else {
if (bitmask != RFREG_OFFSET_MASK) {
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data =
((original_value & (~bitmask)) |
(data << bitshift));
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
index aa8a0950fcea..d753e3d15bdb 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723be/phy.c
@@ -42,7 +42,7 @@ u32 rtl8723be_phy_query_rf_reg(struct ieee80211_hw *hw, enum radio_path rfpath,
spin_lock_irqsave(&rtlpriv->locks.rf_lock, flags);
original_value = rtl8723_phy_rf_serial_read(hw, rfpath, regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
readback_value = (original_value & bitmask) >> bitshift;
spin_unlock_irqrestore(&rtlpriv->locks.rf_lock, flags);
@@ -70,7 +70,7 @@ void rtl8723be_phy_set_rf_reg(struct ieee80211_hw *hw, enum radio_path path,
if (bitmask != RFREG_OFFSET_MASK) {
original_value = rtl8723_phy_rf_serial_read(hw, path,
regaddr);
- bitshift = rtl8723_phy_calculate_bit_shift(bitmask);
+ bitshift = calculate_bit_shift(bitmask);
data = ((original_value & (~bitmask)) |
(data << bitshift));
}
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [PATCH AUTOSEL 5.4 31/31] wifi: cfg80211: free beacon_ies when overridden from hidden BSS
2024-01-16 20:02 [PATCH AUTOSEL 5.4 01/31] wifi: rt2x00: restart beacon queue when hardware reset Sasha Levin
` (3 preceding siblings ...)
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 30/31] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() Sasha Levin
@ 2024-01-16 20:02 ` Sasha Levin
4 siblings, 0 replies; 6+ messages in thread
From: Sasha Levin @ 2024-01-16 20:02 UTC (permalink / raw
To: linux-kernel, stable
Cc: Benjamin Berg, Johannes Berg, Miri Korenblit, Sasha Levin,
johannes, davem, edumazet, kuba, pabeni, linux-wireless, netdev
From: Benjamin Berg <benjamin.berg@intel.com>
[ Upstream commit 32af9a9e1069e55bc02741fb00ac9d0ca1a2eaef ]
This is a more of a cosmetic fix. The branch will only be taken if
proberesp_ies is set, which implies that beacon_ies is not set unless we
are connected to an AP that just did a channel switch. And, in that case
we should have found the BSS in the internal storage to begin with.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://msgid.link/20231220133549.b898e22dadff.Id8c4c10aedd176ef2e18a4cad747b299f150f9df@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/scan.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index e35c54ba2fd5..f3a957f2bc49 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1294,8 +1294,12 @@ cfg80211_bss_update(struct cfg80211_registered_device *rdev,
list_add(&new->hidden_list,
&hidden->hidden_list);
hidden->refcount++;
+
+ ies = (void *)rcu_dereference(new->pub.beacon_ies);
rcu_assign_pointer(new->pub.beacon_ies,
hidden->pub.beacon_ies);
+ if (ies)
+ kfree_rcu(ies, rcu_head);
}
} else {
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-01-16 20:04 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-01-16 20:02 [PATCH AUTOSEL 5.4 01/31] wifi: rt2x00: restart beacon queue when hardware reset Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 10/31] wifi: ath9k: Fix potential array-index-out-of-bounds read in ath9k_htc_txstatus() Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 27/31] wifi: rtl8xxxu: Add additional USB IDs for RTL8192EU devices Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 29/31] wifi: rtlwifi: add calculate_bit_shift() Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 30/31] wifi: rtlwifi: rtl8723{be,ae}: using calculate_bit_shift() Sasha Levin
2024-01-16 20:02 ` [PATCH AUTOSEL 5.4 31/31] wifi: cfg80211: free beacon_ies when overridden from hidden BSS Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).