The DCM condition was not checked well for channel switch in both AP and
station scenarios. Teardown was also not done for AP/GO DCM. Add the
missing checks.
Reported-by: Peer, Ilan <ilan.peer@intel.com>
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
It was possible to enter an endless loop while
processing a single pci copy engine pipe. This
could effectively render ath10k incapable of
responding to any requests.
An example case when this could happen is when
firmware generates a lot of events, e.g. spectral
scan phyerr via WMI.
Reported-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Some radios may share the same ID and revision but differ by a version.
E.g. radio in BCM5357B0 is version 1 and requires specific handling.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Newer devices need different workarounds for cores 0 and 1.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Add some missing ops and prepare for new devices support. This patch is
a great stability improvement for BCM43217. Earlier Tenda W322E used to
disconnect every 2 minutes (16 times over 30 minutes). With this fix I
got it running for 4 hours (with iperf) without any disconnection.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This fixes handling channel 14 and adds code for BCM43217.
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
mmc_rescan will scan for non-removable cards only once, hence the card
will not be rediscovered.
Signed-off-by: Andreas Fenkart <afenkart@gmail.com>
Acked-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
When the firmware asserts, we restart the device and reset
the relevant data we hold in the driver. BT Coex data was
not reset and because of that, the driver wouldn't
reconfigure the firmware properly after firmware restart.
Same for beacon filtering. Fix that.
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
When we associate, we may have heard the beacon before the
association. In that case, BSS_CHANGED_BEACON_INFO will be
set along with BSS_CHANGED_ASSOC in changes in
bss_info_change.
In this case, we didn't update the smart fifo nor beacon
filtering leaving those two feature disabled.
Signed-off-by: Eran Harary <eran.harary@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Add the Control Status Registers to the firmware error dump
infrastructure.
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Use the fw-error-dump infrastructure to dump the periphery
registers. Only certain ranges are readable, so dump only
these.
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
The mvm op_mode won't allocate the buffer for the transport
any more. The transport allocates its own buffer and mvm
is in charge of splicing the buffers in the debugfs hook.
This makes the repartition easier to handle.
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
modinfo and kerneldoc disagreed on the meaning of this field.
Reported-by: Andrea Oliveri <oliveriandrea@gmail.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Add OTP to the string: "can't parse empty OTP/NVM section"
NVM usually refers to nvm_file while the problem can be in
the OTP.
Signed-off-by: Eran Harary <eran.harary@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
The recent unified scan api change introduced issues
when stopping ongoing scans, since both regular and
sched scan now use same stopped notification.
When issuing a new scan right after a running one,
we get the "old" notification and handle it wrongly
as notification for the current scan.
Fix it by introducing a new function that make sure
we consume the pending notifications before issuing
a new scan.
Signed-off-by: Eliad Peller <eliad@wizery.com>
Reviewed-by: ArikX Nemtsov <arik@wizery.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
According to new requirements, the ACK / CTS kill mask is
not related to reduced TX power anymore. This allows to
remove the code that tracked reduced TX power enablement
across different interfaces.
The ACK / CTS kill mask is now fetch from a table. It
depends on the Activity grading (activity from BT) and on
the Look Up Table (LUT) type.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
The Remain On Channel framework added to the firmare is
a bit like time events. It allows the driver to request
the firmware to be on a certain channel for a certain time.
Unlike the time events, the ROC infrastructure doesn't need
a MAC context in the firmware - it uses a generic context
called "auxiliary framework".
This is useful for any offchannel activity that is not bound
to a specific MAC.
The flow is synchronized much like with time events:
1) The driver receives an action frame from the wpa_supplicant
via nl80211 that requests to be sent offchannel.
2) The driver sends an Aux ROC command (0x53) to the firmware.
3) The firmware responds with the unique id of the time event.
4) When time event starts, the driver puts the frame in the
Aux queue.
Special care needs to be taken when the time events ends:
the queue needs to be cleaned-up.
Signed-off-by: Ariej Marjieh <ariej.marjieh@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Apparently fw/hw generates a corrupted QoS Control
Field in Qos NullFunc frames. The only way to
workaround this is to downgrade frames to
NullFunc. This should be okay since powersave is
done by fw/hw and these frames are only used for
CQM purposes (e.g. from hostapd to check if
station is still connected).
This doesn't fix any user visible bug that I know
of. It just prevents from sending out funky frames
on the air.
Reported-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
It always bugged me how tid is computed and stored
in a temporary var before written to the control
buffer. It was confusing and it made it difficult
to work with tx helpers.
While at it rename the qos workaround function as
it was misleading - it's not a workaround but
preparation for nwifi tx mode.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
The commits 08c30aca9e "Bluetooth: Remove
RFCOMM session refcnt" and 8ff52f7d04
"Bluetooth: Return RFCOMM session ptrs to avoid freed session"
allow rfcomm_recv_ua and rfcomm_session_close to delete the session
(and free the corresponding socket) and propagate NULL session pointer
to the upper callers.
Additional fix is required to terminate the loop in rfcomm_process_rx
function to avoid use of freed 'sk' memory.
The issue is only reproducible with kernel option CONFIG_PAGE_POISONING
enabled making freed memory being changed and filled up with fixed char
value used to unmask use-after-free issues.
Signed-off-by: Vignesh Raman <Vignesh_Raman@mentor.com>
Signed-off-by: Vitaly Kuzmichev <Vitaly_Kuzmichev@mentor.com>
Acked-by: Dean Jenkins <Dean_Jenkins@mentor.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Firmware could request inspection of some
submitted tx requests. Since the callback wasn't
implemented it was possible to bleed tx msdu_ids
which could translate to tx flushing timeouts.
There's nothing ath10k can do to help firmware
with tx processing now so just report all tx
frames as already inspected to prevent firmware
from sending up inspection events and force it to
report regular tx completion indications with
discard status.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Apparently iomap writes that unmask CE irqs aren't
propagated properly sometimes. Before failing try
to poll for the control response message as it may
have been delivered without an interrupt.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
Some drivers may be performing most of Tx/Rx
aggregation on their own (e.g. in firmware)
including AddBa/DelBa negotiations but may
otherwise require Rx reordering assistance.
The patch exports 2 new functions for establishing
Rx aggregation sessions in assumption device
driver has taken care of the necessary
negotiations.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
[fix endian bug]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Some drivers (e.g. ath10k) report A-MSDU subframes
individually with identical seqno. The A-MPDU Rx
reorder code did not account for that which made
it practically unusable with drivers using
RX_FLAG_AMSDU_MORE because it would end up
dropping a lot of frames resulting in confusion in
upper network transport layers.
Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
sdata can't be NULL, and key being NULL is really not possible
unless the code is modified.
The sdata check made a static analyze (klocwork) unhappy because
we would get pointer to local (sdata->local) and only then check
if sdata is non-NULL.
Signed-off-by: Eytan Lifshitz <eytan.lifshitz@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
[remove !key check as well]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
It's safer practice to use sizeof(*ptr) instead of sizeof(ptr_type) when
allocating memory in case the type changes. This also fixes the
following style of warnings from static analyzers:
CHECK: Prefer kzalloc(sizeof(*ie)...) over kzalloc(sizeof(struct inquiry_entry)...)
+ ie = kzalloc(sizeof(struct inquiry_entry), GFP_KERNEL);
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The NULL pointer access could happen when ieee80211_crypto_hw_decrypt
is called from ieee80211_rx_h_decrypt with the following condition:
1. rx->key->conf.cipher is not WEP, CCMP, TKIP or AES_CMAC
2. rx->sta is NULL
When ieee80211_crypto_hw_decrypt is called, it verifies
rx->sta->cipher_scheme and it will cause Oops if rx->sta is NULL.
This path adds an addirional rx->sta == NULL verification in
ieee80211_crypto_hw_decrypt for this case.
Signed-off-by: Max Stepanov <Max.Stepanov@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Since "wireless-regdb: remove antenna gain" was merged in the
wireless-regdb tree, the awk script parser has been incompatible
with the 'official' regulatory database. This fixes that up.
Without this change the max EIRP is set to 0 making 802.11 devices
useless.
The fragile nature of the awk parser must be replaced, but ideas
over how to do that in the most scalable way are being reviewed.
In the meantime update the documentation for CFG80211_INTERNAL_REGDB
so folks are aware of expectations for now.
Reported-by: John Walker <john@x109.net>
Reported-by: Krishna Chaitanya <chaitanya.mgit@gmail.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
The csa_active flag was added in sdata a while ago and made
IEEE80211_STA_CSA_RECEIVED redundant. The new flag is also used to
mark when CSA is ongoing on other iftypes and took over the old one as
the preferred method for checking whether we're in the middle of a
channel switch. Remove the old, redundant flag.
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Since the teardown packet is created while the queues are
stopped, it isn't sent immediately, but rather is pending.
To be sure that when we flush the queues prior to destroying
the station we also send this packet - the tasklet handling
pending packets is invoked to flush the packets.
Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
Reviewed-by: ArikX Nemtsov <arik@wizery.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If the AP receives actions frames destined for other peers, it may
mistakenly toggle BA-sessions from itself to a peer.
Ignore TDLS data packets as well - the AP should not handle them.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Some VHT TDLS peers (Google Nexus 5) include the VHT-AID IE in their
TDLS setup request/response. Usermode passes this aid as the station
aid, causing it to fail verifiction, since this happens in the
"set_station" stage. Make an exception for the TDLS use-case.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
TDLS VHT support requires some more information elements during setup.
While these are not there, mask out the peer's VHT capabilities so that
VHT rates are not mistakenly used.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Set for completeness mostly, currently unused in the code.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Add the HT capabilities and HT operation information elements to TDLS
setup packets where appropriate.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
We can only be a station for TDLS connections. Also fix a bug where
a delayed work could be left scheduled if the station interface was
brought down during TDLS setup.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When TDLS QoS is supported by the the peer and the local card, add
the WMM parameter IE to the setup-confirm frame. Take the QoS settings
from the current AP, or if unsupported, use the default values from
the specification. This behavior is mandated by IEEE802.11-2012 section
10.22.4.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Liad Kaufman <liad.kaufman@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
If QoS is supported by the card, add an appropriate IE to TDLS setup-
request and setup-response frames.
Consolidate the setting of the WMM info IE across mac80211.
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Liad Kaufman <liad.kaufman@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
When sending setup-failure frames, set the capability field to zero, as
mandated by the specification (IEEE802.11-2012 8.5.13).
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Liad Kaufman <liad.kaufman@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
