Add support to enable/disable PHC clock. The PHC clock includes support
for fetching the cross timestamp i.e. a non-atomic snapshot of the current
time from the hardware (WiFi device) clock and system clock (wall-clock)
simultaneously.
Signed-off-by: NKrishnanand Prabhu <krishnanand.prabhu@intel.com>
Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230320122330.ae1d64f513b9.Ib3b6ad61c9fa2fc5908f1e0d6f59f4af6eec1a77@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

This chip is found in cheap "free driver" USB adapters from Aliexpress.
Initially they pretend to be a CD-ROM containing the driver for Windows.
"Ejecting" switches the device to wifi mode.

Features: 2.4 GHz, b/g/n mode, 1T1R, 150 Mbps.

This chip is more unique than other Realtek chips:

* The registers at addresses 0x0-0xff, which all the other chips use,
  can't be used here. New registers at 0x8000-0x80ff must be used
  instead. And it's not a simple matter of adding 0x8000: 0x2
  (REG_SYS_FUNC) became 0x8004, 0x80 (REG_MCU_FW_DL) became 0x8090,
  etc.

* Also there are a few new registers which must be accessed indirectly
  because their addresses don't fit in 16 bits. No other chips seem to
  have these.

* The vendor driver compiles to 8188gu.ko, but the code calls the chip
  RTL8710B(U) pretty much everywhere, including messages visible to the
  user.

Another difference compared to the other chips supported by rtl8xxxu is
that it has a new PHY status struct, or three of them actually, from
which we extract the RSSI, among other things. This is not unique,
though, just new. The chips supported by rtw88 also use it.
Signed-off-by: NBitterblue Smith <rtl8821cerfe2@gmail.com>
Reviewed-by: NPing-Ke Shih <pkshih@realtek.com>
Tested-by: Philipp Hortmann <philipp.g.hortmann@gmail.com> # Edimax N150
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/4edbe29f-00b9-8eef-9789-20bed0b141e2@gmail.com

Always run the entire init sequence (rtl8xxxu_init_device()) for
RTL8192EU. It's what the vendor driver does too.

This fixes a bug where the device is unable to connect after
rebooting:

wlp3s0f3u2: send auth to ... (try 1/3)
wlp3s0f3u2: send auth to ... (try 2/3)
wlp3s0f3u2: send auth to ... (try 3/3)
wlp3s0f3u2: authentication with ... timed out

Rebooting leaves the device powered on (partially? at least the
firmware is still running), but not really in a working state.

Cc: stable@vger.kernel.org
Signed-off-by: NBitterblue Smith <rtl8821cerfe2@gmail.com>
Acked-by: NJes Sorensen <jes@trained-monkey.org>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/4eb111a9-d4c4-37d0-b376-4e202de7153c@gmail.com

Clang errors:

  drivers/net/wireless/intel/iwlwifi/iwl-devtrace.c:15:32: error: unknown warning group '-Wsuggest-attribute=format', ignored [-Werror,-Wunknown-warning-option]
  #pragma GCC diagnostic ignored "-Wsuggest-attribute=format"
                                 ^
  1 error generated.

The warning being disabled by this pragma is GCC specific. Guard its use
with CONFIG_CC_IS_GCC so that it is not used with clang to clear up the
error.

Fixes: 4eca8cbf ("wifi: iwlwifi: suppress printf warnings in tracing")
Link: https://github.com/ClangBuiltLinux/linux/issues/1818Signed-off-by: NNathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20230315-iwlwifi-fix-pragma-v1-1-ad23f92c4739@kernel.orgSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

This can't really be fixed due to the macro layout of
tracepoints (you'd need a special tracepoint macro for
when this is needed), so just suppress the warnings.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

There are a number of issues here:
 * if trans->reduce_power_loaded is already true, we call
   iwl_trans_set_reduce_power() with an uninitialized len
   value
 * in this case we also clobber a previous load/setting
 * if iwl_uefi_get_reduced_power() returns an ERR_PTR() we
   try to kfree() it

Move the iwl_trans_set_reduce_power() call into the success
case only to fix these issues.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.aa2cf2281f5d.I33b4ab3427f1921c184c52fecd0f46781a89dc8a@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Add missing rf support for Bz device and B-Step for BnJ device
Signed-off-by: NMukesh Sisodiya <mukesh.sisodiya@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.14c373dcfe15.I96b96a8b149ac181e962f4b82e0d15b172823d0f@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

If there's a rate->index that maps inside the range but
to an uninitialized value, then that's also a bad rate,
avoid printing "(nil)" in that case and rather print the
"BAD_RATE" string instead as in the else branch.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.06b38d160fc5.I45a9254d3658b1ce796aa4c427193d3cbf638d7e@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

This patch addresses the checkpatch.pl warning that code indent should
use tabs.
Signed-off-by: NSolomon Tan <solomonbstoner@protonmail.ch>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.eaca2a9b08f2.Ic81d60185c13cfc750bf93fbabac57314cb5de13@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

This patch addresses the error from checkpatch.pl that a space is
required before an open parenthesis.
Signed-off-by: NSolomon Tan <solomonbstoner@protonmail.ch>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.a21ba1967d94.Iaa52fc6517ea9efb3efc7b1b98f4df2a288de1c3@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

This patch addresses the error from checkpatch.pl regarding the presence
of prohibited spaces.
Signed-off-by: NSolomon Tan <solomonbstoner@protonmail.ch>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.557d6841a166.I0957923fe9ea20c1ec9140477033548ccfe93e9a@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Spelling mistakes (triple letters) in comment.
Detected with the help of Coccinelle.
Signed-off-by: NJulia Lawall <Julia.Lawall@inria.fr>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.fb2fc470e949.I1f3a347b533bcdb6bcd310f752ab3349800efb49@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

cppcheck reports
[drivers/net/wireless/intel/iwlwifi/mvm/rs.c:2686]: (warning) Assignment of function parameter has no effect outside the function. Did you forget dereferencing it?

The setting of the 'sta' parameter is not needed.  In the if-check that sets it
to NULL, mvm_sta is also set to NULL.  Then the next statement checks if
mvm_sta is NULL and does an early return. So remove setting sta.
Signed-off-by: NTom Rix <trix@redhat.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.711fe28cfdd6.I2f723f9d44f65720baaf3e84b72109759350a8f5@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

This is another patch in the series adding all the ops
for the new MLD ieee80211_ops.
The callback added here uses the new MLD FW API
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.5d4bcd384425.I263eef3aad8efe23a597843fe7c56924038c8fdc@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Since parts of the functionality of this function is going to be used
also by the MLD version of it, put in a separate function the parts
that are common for both MLD and non-MLD modes.
The common function will later be used in the MLD ops.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.fa05929badb9.I2222dc86cf7d7a7bb58c6a2f2529c8089bfe58b4@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

This is another patch in the series adding all the ops
for the new MLD ieee80211_ops.
The callback added here uses the new MLD FW API.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.d3753975e720.I45f89cc81370d2cf8d4f51748ccb3ec675eff1bd@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Since parts of the functionality of this function is going to be used
also by the MLD version of it, put in a separate function the parts
that are common for both MLD and non-MLD modes.
The common function will later be used in the MLD ops.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.844755701cac.I1c650718ad2381eabc38f4103c1aac67936a1ffc@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

As the MLD mode and its new APIs are introduced,
we've decided to add a new ieee80211_ops dedicated for
MLD callbacks. Add the MLD remove_interface() callback
which uses the new MLD APIs.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.b87c5c0a4b6b.I631173a73d6ffd7232aa539ea8b356a222fac398@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

As the MLD mode and its new APIs are introduced,
we've decided to add a new ieee80211_ops dedicated for
MLD callbacks. Add the MLD add_interface() callback
which uses the new MLD APIs added the previous patches.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.6adc29bff39b.I97ed469028009be9392dcc6f7b5ffbe45f4b2c43@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

As a part of the new MLD FW API changes, we have new commands for STA
related operations (add/remove/aux/disable tx).
Add structures and enum definitions, along with part of the functions
that sends this commands.
This functions will be in used and more will be added in the next patches.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.132873ce015c.I7b12a77e5be066730762e6ceeeaa7190293c3df1@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

As a part of the new MLD FW API changes, we have a new LINK command
to add/remove/configure a link.
Add structures and enum definitions, along with the functions that
sends this command (i.e. add, remove and change mac ctxt).
These functions will be in used in the next patches.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.d7808329effb.I13bea2db206b78540bc866bc3ab755ad5be78c53@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

As a part of the new MLD FW API changes, we have a new MAC CTXT command.
Add structures and enum definitions, along with the functions that
sends this command (i.e. add, remove and change mac ctxt).
This functions will be in used in the next patches.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.99a41a5bc55f.I310312c829f5f2f69b64fcddce487b1eab80165b@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Refactor MAC_CONTEXT_CMD sending flow:

1. As the new MLD API is introduced, there are some common fields in
both the old and new APIs. The MAC_CONTEXT_CMD of the non-MLD API
has common fields with the link and mac commands of the new MLD API.
Put this common parts in functions so it can be used later by the
new MLD API.

2. Use iwl_mvm_mac_ctxt_send_cmd when removing a mac instead of
implementing the same functionality once again.

3. Change the debug print when sending the command to be more specific,
so it will be easy to distinguish later if the old or new mac command
was sent.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.3ab62700db4e.I2e353b308667c215aa456c160e0d90de2b9b85cc@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Refactor STA_HE_CTXT_CMD sending flow:

1. As the new MLD API is introduced, there are some common fields in
both the old and new APIs. The STA_HE_CTXT_CMD of the non-MLD API
has common fields with the link and mac commands of the new MLD API.
Put this common parts in functions so it can be used later by the
new MLD API.

2. The HE capability which indicates whether the NIC is ack-enabled or
not is the same for all bands. No need to take it from the specific
band which is currently in use. Take it from the low band - this
simplifies the code and doesn't require a phy_ctxt.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.7ca960596953.Ifc3e816461abbd69c6fd87752342afcedfebc293@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Add driver defined dump file name extension for beacon loss
and FW Assert case.
Signed-off-by: NMukesh Sisodiya <mukesh.sisodiya@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.2a2ee92995e9.I38fff588e32276796cd757309fc811241f827c7a@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Add tlv in dump file for dump file name extension.
Signed-off-by: NMukesh Sisodiya <mukesh.sisodiya@intel.com>
Signed-off-by: NGreenman, Gregory <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.ffc28212994e.Ie5f10709548497061f95c1634d942dd2facf72ec@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

In FW restart scenarios, we allocate the queues from the
iwl_mvm_realloc_queues_after_restart() function, but that
is called before we insert the station ID into our map
(mvm->fw_id_to_mac_id).

However, in all cases where we're actually allocating a
queue for a "real" (not bcast, aux, ...) station we have
the sta pointer already, so just pass it along to use it
instead of looking it up.

This fixes an issue where after restart we only allocated
a queue of size 16 (due to the ordering issue described
above), and thus never got good throughput again since no
aggregates could be formed on transmit.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230314194113.4d70868003e8.I3476fee5c12f5b1af2be5e2f38a9df7d66d02b62@changeidSigned-off-by: NJohannes Berg <johannes.berg@intel.com>

Commit f79cbc77 ("wifi: move mac80211_hwsim and virt_wifi to virtual
directory") and commit 298e50ad ("wifi: move raycs, wl3501 and
rndis_wlan to legacy directory") move remaining wireless drivers into
subdirectories, but does not adjust the entries in MAINTAINERS.

Hence, ./scripts/get_maintainer.pl --self-test=patterns complains about
broken references.

Repair these file references in those wireless driver sections.
Signed-off-by: NLukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230314041848.5120-1-lukas.bulwahn@gmail.com

ath.git patches for v6.4. Major changes:

ath10k

* enable threaded napi on WCN3990

ath11k

* push MU-MIMO params from hostapd to hardware

* tx ack signal support for management packets

Fix a slab-out-of-bounds read that occurs in kmemdup() called from
brcmf_get_assoc_ies().
The bug could occur when assoc_info->req_len, data from a URB provided
by a USB device, is bigger than the size of buffer which is defined as
WL_EXTRA_BUF_MAX.

Add the size check for req_len/resp_len of assoc_info.

Found by a modified version of syzkaller.

[   46.592467][    T7] ==================================================================
[   46.594687][    T7] BUG: KASAN: slab-out-of-bounds in kmemdup+0x3e/0x50
[   46.596572][    T7] Read of size 3014656 at addr ffff888019442000 by task kworker/0:1/7
[   46.598575][    T7]
[   46.599157][    T7] CPU: 0 PID: 7 Comm: kworker/0:1 Tainted: G           O      5.14.0+ #145
[   46.601333][    T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[   46.604360][    T7] Workqueue: events brcmf_fweh_event_worker
[   46.605943][    T7] Call Trace:
[   46.606584][    T7]  dump_stack_lvl+0x8e/0xd1
[   46.607446][    T7]  print_address_description.constprop.0.cold+0x93/0x334
[   46.608610][    T7]  ? kmemdup+0x3e/0x50
[   46.609341][    T7]  kasan_report.cold+0x79/0xd5
[   46.610151][    T7]  ? kmemdup+0x3e/0x50
[   46.610796][    T7]  kasan_check_range+0x14e/0x1b0
[   46.611691][    T7]  memcpy+0x20/0x60
[   46.612323][    T7]  kmemdup+0x3e/0x50
[   46.612987][    T7]  brcmf_get_assoc_ies+0x967/0xf60
[   46.613904][    T7]  ? brcmf_notify_vif_event+0x3d0/0x3d0
[   46.614831][    T7]  ? lock_chain_count+0x20/0x20
[   46.615683][    T7]  ? mark_lock.part.0+0xfc/0x2770
[   46.616552][    T7]  ? lock_chain_count+0x20/0x20
[   46.617409][    T7]  ? mark_lock.part.0+0xfc/0x2770
[   46.618244][    T7]  ? lock_chain_count+0x20/0x20
[   46.619024][    T7]  brcmf_bss_connect_done.constprop.0+0x241/0x2e0
[   46.620019][    T7]  ? brcmf_parse_configure_security.isra.0+0x2a0/0x2a0
[   46.620818][    T7]  ? __lock_acquire+0x181f/0x5790
[   46.621462][    T7]  brcmf_notify_connect_status+0x448/0x1950
[   46.622134][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   46.622736][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[   46.623390][    T7]  ? find_held_lock+0x2d/0x110
[   46.623962][    T7]  ? brcmf_fweh_event_worker+0x19f/0xc60
[   46.624603][    T7]  ? mark_held_locks+0x9f/0xe0
[   46.625145][    T7]  ? lockdep_hardirqs_on_prepare+0x3e0/0x3e0
[   46.625871][    T7]  ? brcmf_cfg80211_join_ibss+0x7b0/0x7b0
[   46.626545][    T7]  brcmf_fweh_call_event_handler.isra.0+0x90/0x100
[   46.627338][    T7]  brcmf_fweh_event_worker+0x557/0xc60
[   46.627962][    T7]  ? brcmf_fweh_call_event_handler.isra.0+0x100/0x100
[   46.628736][    T7]  ? rcu_read_lock_sched_held+0xa1/0xd0
[   46.629396][    T7]  ? rcu_read_lock_bh_held+0xb0/0xb0
[   46.629970][    T7]  ? lockdep_hardirqs_on_prepare+0x273/0x3e0
[   46.630649][    T7]  process_one_work+0x92b/0x1460
[   46.631205][    T7]  ? pwq_dec_nr_in_flight+0x330/0x330
[   46.631821][    T7]  ? rwlock_bug.part.0+0x90/0x90
[   46.632347][    T7]  worker_thread+0x95/0xe00
[   46.632832][    T7]  ? __kthread_parkme+0x115/0x1e0
[   46.633393][    T7]  ? process_one_work+0x1460/0x1460
[   46.633957][    T7]  kthread+0x3a1/0x480
[   46.634369][    T7]  ? set_kthread_struct+0x120/0x120
[   46.634933][    T7]  ret_from_fork+0x1f/0x30
[   46.635431][    T7]
[   46.635687][    T7] Allocated by task 7:
[   46.636151][    T7]  kasan_save_stack+0x1b/0x40
[   46.636628][    T7]  __kasan_kmalloc+0x7c/0x90
[   46.637108][    T7]  kmem_cache_alloc_trace+0x19e/0x330
[   46.637696][    T7]  brcmf_cfg80211_attach+0x4a0/0x4040
[   46.638275][    T7]  brcmf_attach+0x389/0xd40
[   46.638739][    T7]  brcmf_usb_probe+0x12de/0x1690
[   46.639279][    T7]  usb_probe_interface+0x2aa/0x760
[   46.639820][    T7]  really_probe+0x205/0xb70
[   46.640342][    T7]  __driver_probe_device+0x311/0x4b0
[   46.640876][    T7]  driver_probe_device+0x4e/0x150
[   46.641445][    T7]  __device_attach_driver+0x1cc/0x2a0
[   46.642000][    T7]  bus_for_each_drv+0x156/0x1d0
[   46.642543][    T7]  __device_attach+0x23f/0x3a0
[   46.643065][    T7]  bus_probe_device+0x1da/0x290
[   46.643644][    T7]  device_add+0xb7b/0x1eb0
[   46.644130][    T7]  usb_set_configuration+0xf59/0x16f0
[   46.644720][    T7]  usb_generic_driver_probe+0x82/0xa0
[   46.645295][    T7]  usb_probe_device+0xbb/0x250
[   46.645786][    T7]  really_probe+0x205/0xb70
[   46.646258][    T7]  __driver_probe_device+0x311/0x4b0
[   46.646804][    T7]  driver_probe_device+0x4e/0x150
[   46.647387][    T7]  __device_attach_driver+0x1cc/0x2a0
[   46.647926][    T7]  bus_for_each_drv+0x156/0x1d0
[   46.648454][    T7]  __device_attach+0x23f/0x3a0
[   46.648939][    T7]  bus_probe_device+0x1da/0x290
[   46.649478][    T7]  device_add+0xb7b/0x1eb0
[   46.649936][    T7]  usb_new_device.cold+0x49c/0x1029
[   46.650526][    T7]  hub_event+0x1c98/0x3950
[   46.650975][    T7]  process_one_work+0x92b/0x1460
[   46.651535][    T7]  worker_thread+0x95/0xe00
[   46.651991][    T7]  kthread+0x3a1/0x480
[   46.652413][    T7]  ret_from_fork+0x1f/0x30
[   46.652885][    T7]
[   46.653131][    T7] The buggy address belongs to the object at ffff888019442000
[   46.653131][    T7]  which belongs to the cache kmalloc-2k of size 2048
[   46.654669][    T7] The buggy address is located 0 bytes inside of
[   46.654669][    T7]  2048-byte region [ffff888019442000, ffff888019442800)
[   46.656137][    T7] The buggy address belongs to the page:
[   46.656720][    T7] page:ffffea0000651000 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x19440
[   46.657792][    T7] head:ffffea0000651000 order:3 compound_mapcount:0 compound_pincount:0
[   46.658673][    T7] flags: 0x100000000010200(slab|head|node=0|zone=1)
[   46.659422][    T7] raw: 0100000000010200 0000000000000000 dead000000000122 ffff888100042000
[   46.660363][    T7] raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
[   46.661236][    T7] page dumped because: kasan: bad access detected
[   46.661956][    T7] page_owner tracks the page as allocated
[   46.662588][    T7] page last allocated via order 3, migratetype Unmovable, gfp_mask 0x52a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP), pid 7, ts 31136961085, free_ts 0
[   46.664271][    T7]  prep_new_page+0x1aa/0x240
[   46.664763][    T7]  get_page_from_freelist+0x159a/0x27c0
[   46.665340][    T7]  __alloc_pages+0x2da/0x6a0
[   46.665847][    T7]  alloc_pages+0xec/0x1e0
[   46.666308][    T7]  allocate_slab+0x380/0x4e0
[   46.666770][    T7]  ___slab_alloc+0x5bc/0x940
[   46.667264][    T7]  __slab_alloc+0x6d/0x80
[   46.667712][    T7]  kmem_cache_alloc_trace+0x30a/0x330
[   46.668299][    T7]  brcmf_usbdev_qinit.constprop.0+0x50/0x470
[   46.668885][    T7]  brcmf_usb_probe+0xc97/0x1690
[   46.669438][    T7]  usb_probe_interface+0x2aa/0x760
[   46.669988][    T7]  really_probe+0x205/0xb70
[   46.670487][    T7]  __driver_probe_device+0x311/0x4b0
[   46.671031][    T7]  driver_probe_device+0x4e/0x150
[   46.671604][    T7]  __device_attach_driver+0x1cc/0x2a0
[   46.672192][    T7]  bus_for_each_drv+0x156/0x1d0
[   46.672739][    T7] page_owner free stack trace missing
[   46.673335][    T7]
[   46.673620][    T7] Memory state around the buggy address:
[   46.674213][    T7]  ffff888019442700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.675083][    T7]  ffff888019442780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[   46.675994][    T7] >ffff888019442800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.676875][    T7]                    ^
[   46.677323][    T7]  ffff888019442880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.678190][    T7]  ffff888019442900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[   46.679052][    T7] ==================================================================
[   46.679945][    T7] Disabling lock debugging due to kernel taint
[   46.680725][    T7] Kernel panic - not syncing:
Reviewed-by: NArend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: NJisoo Jang <jisoo.jang@yonsei.ac.kr>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230309104457.22628-1-jisoo.jang@yonsei.ac.kr

drivers/net/wireless/realtek/rtw88/usb.c:876 rtw_usb_probe()
warn: 'hw' from ieee80211_alloc_hw() not released on lines: 811

Fix this by modifying return to a goto statement.
Signed-off-by: NDongliang Mu <dzm91@hust.edu.cn>
Reviewed-by: NPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230309021636.528601-1-dzm91@hust.edu.cn

To support v5 version firmware cycle report, apply the related structure
and functions. v5 cycle report add a group of status to show how the
free-run/TDMA training goes to. It is a firmware mechanism that can auto
adjust coexistence mode between TDMA and free run mechanism at 3 antenna
solution. v5 version provide more reference data to let the mechanism
make decision.
Signed-off-by: NChing-Te Ku <ku920601@realtek.com>
Signed-off-by: NPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230308053225.24377-8-pkshih@realtek.com

Compare to v1 and v2 removed some not usable parameters. Save firmware
code size. The information can show how frequent and how long the
Bluetooth scan do. It will help to debug coexistence issue.
Signed-off-by: NChing-Te Ku <ku920601@realtek.com>
Signed-off-by: NPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230308053225.24377-7-pkshih@realtek.com

Correct pointer assignment of v1 null data report. It doesn't really
change logic at all, but it looks more readable.
Signed-off-by: NChing-Te Ku <ku920601@realtek.com>
Signed-off-by: NPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230308053225.24377-6-pkshih@realtek.com

The v2 firmware report reduce its maximum register numbers from 30 to 20,
it can help to save firmware code size.
Signed-off-by: NChing-Te Ku <ku920601@realtek.com>
Signed-off-by: NPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230308053225.24377-5-pkshih@realtek.com

There is a new mechanism which can do some real time performance
tuning for WiFi and BT. This TX/RX info is a condition provide to
firmware to do traffic analysis.
Signed-off-by: NChing-Te Ku <ku920601@realtek.com>
Signed-off-by: NPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230308053225.24377-4-pkshih@realtek.com

Remove WiFi traffic busy level & traffic rate from active role information.
This information will move to v5 version TDMA cycle info.
Signed-off-by: NChing-Te Ku <ku920601@realtek.com>
Signed-off-by: NPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230308053225.24377-3-pkshih@realtek.com

The error map and counter can help to analyze is coexistence mechanism
going well or not. For example, if there is E2G (External control Wi-Fi
slot for Wi-Fi 2.4 GHz) hang counter, it means Wi-Fi firmware didn't cut
a slot for Wi-Fi 2.4 GHz. Maybe something wrong with firmware timer.
Signed-off-by: NChing-Te Ku <ku920601@realtek.com>
Signed-off-by: NPing-Ke Shih <pkshih@realtek.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230308053225.24377-2-pkshih@realtek.com

Replace the calculations for the payload length in
qtnf_cmd_band_fill_iftype with struct_size() and size_sub(). While
the payload length does not get directly passed to an allocation function,
the performed calculation is still calculating the size of a flexible array
structure (minus the size of a header structure).
Signed-off-by: NJacob Keller <jacob.e.keller@intel.com>
Cc: Igor Mitsyanko <imitsyanko@quantenna.com>
Cc: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230307230212.3735818-1-jacob.e.keller@intel.com

The ipw_fw_error structure contains a payload[] flexible array as well as
two pointers to this array area, ->elem, and ->log. The total size of the
allocated structure is computed without use of the <linux/overflow.h>
macros.

There's no reason to keep both a payload[] and an extra pointer to both the
elem and log members. Convert the elem pointer member into the flexible
array member, removing payload.

Fix the allocation of the ipw_fw_error structure to use size_add(),
struct_size(), and array_size() to compute the allocation. This ensures
that any overflow saturates at SIZE_MAX rather than overflowing and
potentially allowing an undersized allocation.

Before the structure change, the layout of ipw_fw_error was:

struct ipw_fw_error {
        long unsigned int          jiffies;              /*     0     8 */
        u32                        status;               /*     8     4 */
        u32                        config;               /*    12     4 */
        u32                        elem_len;             /*    16     4 */
        u32                        log_len;              /*    20     4 */
        struct ipw_error_elem *    elem;                 /*    24     8 */
        struct ipw_event *         log;                  /*    32     8 */
        u8                         payload[];            /*    40     0 */

        /* size: 40, cachelines: 1, members: 8 */
        /* last cacheline: 40 bytes */
};

After this change, the layout is now:

struct ipw_fw_error {
        long unsigned int          jiffies;              /*     0     8 */
        u32                        status;               /*     8     4 */
        u32                        config;               /*    12     4 */
        u32                        elem_len;             /*    16     4 */
        u32                        log_len;              /*    20     4 */
        struct ipw_event *         log;                  /*    24     8 */
        struct ipw_error_elem      elem[];               /*    32     0 */

        /* size: 32, cachelines: 1, members: 7 */
        /* last cacheline: 32 bytes */
};

This saves a total of 8 bytes for every ipw_fw_error allocation, and
removes the risk of a potential overflow on the allocation.
Signed-off-by: NJacob Keller <jacob.e.keller@intel.com>
Cc: Stanislav Yakovlev <stas.yakovlev@gmail.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230307230148.3735684-1-jacob.e.keller@intel.com