We don't check for the validity of the lengths in the packet received
from the firmware. If the MPDU length received in the rx descriptor
is too short to contain the header length and the crypt length
together, we may end up trying to copy a negative number of bytes
(headlen - hdrlen < 0) which will underflow and cause us to try to
copy a huge amount of data. This causes oopses such as this one:
BUG: unable to handle kernel paging request at ffff896be2970000
PGD 5e201067 P4D 5e201067 PUD 5e205067 PMD 16110d063 PTE 8000000162970161
Oops: 0003 [#1] PREEMPT SMP NOPTI
CPU: 2 PID: 1824 Comm: irq/134-iwlwifi Not tainted 4.19.33-04308-geea41cf4930f #1
Hardware name: [...]
RIP: 0010:memcpy_erms+0x6/0x10
Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3
0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
RSP: 0018:ffffa4630196fc60 EFLAGS: 00010287
RAX: ffff896be2924618 RBX: ffff896bc8ecc600 RCX: 00000000fffb4610
RDX: 00000000fffffff8 RSI: ffff896a835e2a38 RDI: ffff896be2970000
RBP: ffffa4630196fd30 R08: ffff896bc8ecc600 R09: ffff896a83597000
R10: ffff896bd6998400 R11: 000000000200407f R12: ffff896a83597050
R13: 00000000fffffff8 R14: 0000000000000010 R15: ffff896a83597038
FS: 0000000000000000(0000) GS:ffff896be8280000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff896be2970000 CR3: 000000005dc12002 CR4: 00000000003606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
iwl_mvm_rx_mpdu_mq+0xb51/0x121b [iwlmvm]
iwl_pcie_rx_handle+0x58c/0xa89 [iwlwifi]
iwl_pcie_irq_rx_msix_handler+0xd9/0x12a [iwlwifi]
irq_thread_fn+0x24/0x49
irq_thread+0xb0/0x122
kthread+0x138/0x140
ret_from_fork+0x1f/0x40
Fix that by checking the lengths for correctness and trigger a warning
to show that we have received wrong data.
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Report all NO_DATA events to mac80211 so they get captured
in radiotap for usage in sniffer scenarios; map the info
type to a reasonable radiotap type for this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The spatial reuse 4 words fields are fetched from the HE-SIGA
by the firmware and propagated to the driver through the
Rx info. This is useful to populate the radiotap header.
We were looking at the wrong place in the firmware data and
got bogus values. Fix that.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Fixes: bdf180c8d3 ("iwlwifi: mvm: change PHY data RX for HE radiotap")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
In HE-TB PPDUs (labeled HE-TRIG in radiotap), we were overwriting
the data4.spatial_reuse_1 field with the spatial reuse data that
the firmware gives us for SU/MU PPDUs. Fix that by moving that,
we are already setting the data4.spatial_reuse_{1,2,3,4} fields
in the TB PPDU case.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fixes: 69f3ca8ed3 ("iwlwifi: mvm: show more HE radiotap data for TB PPDUs")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
We now no longer have any special code in
iwl_mvm_pass_packet_to_mac80211(), so don't
need to pass NO_PSDU packets through it.
Stop doing so and clean up the code there.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Hiding the HE radiotap data for further processing of the SKB just
caused another bug when adding the L-SIG data. Simply stop doing
this and adjust the skb->data pointer accordingly when we need to
get the 802.11 header.
While at it, also verify and fix the data alignment, we need to add
2 bytes padding with the vendor data to ensure the whole length of
all radiotap headers is a multiple of 4.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fixes: 6721039d5b ("iwlwifi: mvm: add L-SIG length to radiotap")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Expose the trigger-based PPDU SIG-A bandwidth to radiotap in
the newly defined bits thereof.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Some switch-cases were missing a fall through comment, so the compiler
may warn. Fix that by adding the comments where needed. In other
cases there was more text in the comment, which the compiler doesn't
recognize, so either remove the extra text or move it to a separate
comment line as appropriate.
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
A call to iwl_mvm_add_rtap_sniffer_config() was missing due to a merge
damage when I submitted the patch mentioned below. And this causes
the following compilation warning:
drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c:195:13: warning: 'iwl_mvm_add_rtap_sniffer_config' defined but not used [-Wunused-function]
static void iwl_mvm_add_rtap_sniffer_config(struct iwl_mvm *mvm,
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Fix it by adding the if block that calls this function.
Fixes: 9bf13bee2d ("iwlwifi: mvm: include configured sniffer AID in radiotap")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
In order to make more sense out of the captured radiotap data e.g.
when the configured AID changes, add the currently configured AID
to the radiotap data as a vendor extension field.
This is made race-free by updating the included value from inside
the RX path (using a notification wait) for the command response
from the firmware, which thus means it's serialized with frame RX.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The reorder buffer is bypassed because the firmware won't have
any BA sessions, document this.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Implement CSI (channel estimation matrix) reporting in the mvm
driver, if the firmware has the capability.
Currently only a debugfs API is provided as the API is still
under discussion.
For now, RX aggregation must be disabled to use this feature
on data frames as we haven't found a good way to attach the
data to A-MPDUs, given complexities with multi-queue.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The current code assigns the reference, and then goes to increment
it if the toggle bit has changed. That way, we get
Toggle 0 0 0 0 1 1 1 1
ID 1 1 1 1 1 2 2 2
Fix that by assigning the post-toggle ID to get
Toggle 0 0 0 0 1 1 1 1
ID 1 1 1 1 2 2 2 2
Reported-by: Danny Alexander <danny.alexander@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fixes: fbe4112791 ("iwlwifi: mvm: update mpdu metadata API")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Due to a general shortage of RX API bits, the firmware is going
to reuse this bit on non-CCK frames to mean something else. Use
it only on CCK frames to prepare for that change.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Take the NSS value from 'rx_vec' rather than from 'rate_n_flags'.
The rate_n_flags has only 2 bits for the NSS giving a max of 4SS
(0 = 1SS etc.). Since there may be up to 8SS use the rx_vec which
has 3 bits for the NSS.
While at it, fix the rx_vec array to length of 2.
Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
When setting the EOF bit in Rx flags (propagated
to radiotap) do not depend it on the PPDU type (SU/MU/TB)
since it doesn't.
Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Handle RX no data notification, which is used for advertising NDP to
radiotap.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
UL_DL is irrelevant to HE TRIG_BASED PPDU.
Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
We may have the L-SIG length depending on the phy_data info type;
add it to radiotap when we do.
Move getting the phy_data out one layer up and the info type into
it so we can use this data more generically. We need to call the
iwl_mvm_rx_he() function for other reasons as well, so can't just
combine all of that into something like iwl_mvm_parse_phy_data().
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The firmware changed the PHY data API, so follow suit.
Some data is now available even for HT/VHT frames, so
the info type in the metadata was changed. This change
isn't backwards compatible, but
1) the firmware with the old API was never released;
2) the only overlap in the info type field is from the
old type of TB to the new of HT, so this basically
just means that with older FW and newer driver the
data will be considered missing.
While at it, remove the extra code to set the LTF syms
corresponding to the streams and use the data from the
device instead - we don't really need this in any case
other than when we have it from the device.
As the new API gives use the spatial reuse 1-4 fields
for trigger-based PPDUs, also expose that to radiotap.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Fixes gcc '-Wunused-but-set-variable' warning:
drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c: In function 'iwl_mvm_rx_mpdu_mq':
drivers/net/wireless/intel/iwlwifi/mvm/rxmq.c:1386:7: warning:
variable 'he_phy_data' set but not used [-Wunused-but-set-variable]
u64 he_phy_data;
'he_phy_data' never used since be introduce in
commit 18ead597da ("iwlwifi: support new rx_mpdu_desc api")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
For trigger-based PPDUs, most values aren't part of the HE-SIG-A
because they're preconfigured by the trigger frame. However, we
still have this information since we used the trigger frame to
configure the hardware, so we can (and do) read it back out and
can thus show it in radiotap.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
When the info type is MU, we still have the data from the TSF
overload words, so should decode that. When it's MU_EXT_INFO
we additionally have the SIG-B common 0/1/2 fields.
Also document the validity depending on the info type and fix
the name of the regular TB PPDU info type accordingly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
For SU/SU-ER/MU PPDUs we have spatial reuse.
For those where it's relevant we also know the pre-FEC
padding factor, PE disambiguity bit, beam change bit
and doppler bit.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Add information about the LDCP extra symbol segment to the HE
data when applicable (not for trigger-based PPDUs).
While at it, clean up the code for UL/DL a bit.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This code gets shorter if it doesn't have to check all the
conditions, so move it to an appropriate place that has all
of them validated already.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Split the code out into a separate routine, and move that to be
called inside the previously introduced iwl_mvm_decode_he_phy_data()
function.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Pull some of the decoding of he_phy_data into a separate function so
we don't need to check over and over again if it's valid.
While at it, fix the UL/DL bit reporting to be for all but trigger-
based frames.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
As detected by Luca during code review when I move this in the
next patch, the code here is putting the data into the wrong
field (flags1 instead of flags2). Fix that.
Fixes: e5721e3f77 ("iwlwifi: mvm: add radiotap data for HE")
Reported-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Remove a stray empty line, unbreak some lines that aren't
really that long, and move on variable setting into the
initializer to avoid initializing it twice.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This is equivalent to checking he_phy_data != HE_PHY_DATA_INVAL,
which is already done in a number of places, so remove the extra
'overload' variable entirely.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The triplet of get trigger, is trigger enabled and is trigger stopped
repeats itself. Group them in a function to avoid code duplication.
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Make the adjustments for gen2 TX and RX of TKIP packets. Strip MIC on
RX. Don't add IV space and keep the MIC space zeroed on TX.
Devices that support gen2 data path support TKIP only in station mode.
In all other modes, fall back to SW encryption. Do this early in the
set_key() callback so that the key flags would not be incorrectly set.
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
We already report the RU offset, so we'd better also
report that we know the value.
Fixes: e5721e3f77 ("iwlwifi: mvm: add radiotap data for HE")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Check the actual bit (mask) in Rx notification rate_n_flags.
Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Decode the HE TB PPDU data that we get in sniffer mode
and use it to populate the HE radiotap information.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
If the bandwidth is only 20 MHz, then the second channel doesn't
exist, but the hardware reports the CRC was OK. Suppress the data
of the second channel in the HE radiotap in this case, by marking
it as not known.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
This is the same as for SU PPDUs, so it's easy to do.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The GI duration depends on the frame type in some cases,
take that into account when decoding for radiotap.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
I evidently completely confused "number of LTF symbols" and "LTF size".
Radiotap was reporting the former, while I thought it was the latter,
and we really need both.
Add the LTF symbol size into the newly defined field in radiotap.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Implement the extended HE-MU info type decoding to show the HE-SIG-B
common contents in the HE-MU radiotap field.
The DW4 data is partially overwritten by the hardware in all cases, so
only the higher 16 bits can be used. To be able to use it for the HE
SIG-B common data anyway, move the bits around in the following way:
SIG-B common 0: DW 4 -> DW 7
SIG-B common 1: DW 7 -> DW 8
SIG-B common 2: DW 8 -> DW 4 (upper half)
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The HE code is bloating the RX handling, and makes it too big.
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
The HE code is bloating the RX handling, and makes it too big.
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Current implementation turns this bit on only for HE MU.
Signed-off-by: Liad Kaufman <liad.kaufman@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
22560 devices use a new rx_mpdu_desc api.
Update the code to use the new api.
Signed-off-by: Golan Ben Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
