When doing the PLDR flow, the fw goes through a re-read and needs
PCI re-enumeration in order to recover. In this case, skip the mac
start retry and fw dumps as all the fw and registers are invalid
until the PCI re-enumeration.

In addition, print the register that shows the re-read counter
when loading the fw.
Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
Link: https://lore.kernel.org/r/20221123225313.9ae77968961e.Ie06e886cef4b5921b65dacb7724db1276bed38cb@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

We see kernel crashes and lockups and KASAN errors related to ax210
firmware crashes.  One of the KASAN dumps pointed at the tx path,
and it appears there is indeed a way to double-free an skb.

If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the
method will be freed.  But, in case where we build TSO skb buffer,
the skb may also be freed in error case.  So, return 0 in that particular
error case and do cleanup manually.

BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90
iwlwifi 0000:06:00.0: 0x00000000 | tsf hi
Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650

CPU: 4 PID: 9650 Comm: btserver Tainted: G        W         5.19.8+ #5
iwlwifi 0000:06:00.0: 0x00000000 | time gp1
Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019
Call Trace:
 <TASK>
 dump_stack_lvl+0x55/0x6d
 print_report.cold.12+0xf2/0x684
iwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2
 ? __list_del_entry_valid+0x12/0x90
 kasan_report+0x8b/0x180
iwlwifi 0000:06:00.0: 0x00000001 | uCode revision type
 ? __list_del_entry_valid+0x12/0x90
 __list_del_entry_valid+0x12/0x90
iwlwifi 0000:06:00.0: 0x00000048 | uCode version major
 tcp_update_skb_after_send+0x5d/0x170
 __tcp_transmit_skb+0xb61/0x15c0
iwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor
 ? __tcp_select_window+0x490/0x490
iwlwifi 0000:06:00.0: 0x00000420 | hw version
 ? trace_kmalloc_node+0x29/0xd0
 ? __kmalloc_node_track_caller+0x12a/0x260
 ? memset+0x1f/0x40
 ? __build_skb_around+0x125/0x150
 ? __alloc_skb+0x1d4/0x220
 ? skb_zerocopy_clone+0x55/0x230
iwlwifi 0000:06:00.0: 0x00489002 | board version
 ? kmalloc_reserve+0x80/0x80
 ? rcu_read_lock_bh_held+0x60/0xb0
 tcp_write_xmit+0x3f1/0x24d0
iwlwifi 0000:06:00.0: 0x034E001C | hcmd
 ? __check_object_size+0x180/0x350
iwlwifi 0000:06:00.0: 0x24020000 | isr0
 tcp_sendmsg_locked+0x8a9/0x1520
iwlwifi 0000:06:00.0: 0x01400000 | isr1
 ? tcp_sendpage+0x50/0x50
iwlwifi 0000:06:00.0: 0x48F0000A | isr2
 ? lock_release+0xb9/0x400
 ? tcp_sendmsg+0x14/0x40
iwlwifi 0000:06:00.0: 0x00C3080C | isr3
 ? lock_downgrade+0x390/0x390
 ? do_raw_spin_lock+0x114/0x1d0
iwlwifi 0000:06:00.0: 0x00200000 | isr4
 ? rwlock_bug.part.2+0x50/0x50
iwlwifi 0000:06:00.0: 0x034A001C | last cmd Id
 ? rwlock_bug.part.2+0x50/0x50
 ? lockdep_hardirqs_on_prepare+0xe/0x200
iwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event
 ? __local_bh_enable_ip+0x87/0xe0
 ? inet_send_prepare+0x220/0x220
iwlwifi 0000:06:00.0: 0x000000C4 | l2p_control
 tcp_sendmsg+0x22/0x40
 sock_sendmsg+0x5f/0x70
iwlwifi 0000:06:00.0: 0x00010034 | l2p_duration
 __sys_sendto+0x19d/0x250
iwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid
 ? __ia32_sys_getpeername+0x40/0x40
iwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match
 ? rcu_read_lock_held_common+0x12/0x50
 ? rcu_read_lock_sched_held+0x5a/0xd0
 ? rcu_read_lock_bh_held+0xb0/0xb0
 ? rcu_read_lock_sched_held+0x5a/0xd0
 ? rcu_read_lock_sched_held+0x5a/0xd0
 ? lock_release+0xb9/0x400
 ? lock_downgrade+0x390/0x390
 ? ktime_get+0x64/0x130
 ? ktime_get+0x8d/0x130
 ? rcu_read_lock_held_common+0x12/0x50
 ? rcu_read_lock_sched_held+0x5a/0xd0
 ? rcu_read_lock_held_common+0x12/0x50
 ? rcu_read_lock_sched_held+0x5a/0xd0
 ? rcu_read_lock_bh_held+0xb0/0xb0
 ? rcu_read_lock_bh_held+0xb0/0xb0
 __x64_sys_sendto+0x6f/0x80
 do_syscall_64+0x34/0xb0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f1d126e4531
Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89
RSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531
RDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014
RBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000010
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000
 </TASK>

Allocated by task 9650:
 kasan_save_stack+0x1c/0x40
 __kasan_slab_alloc+0x6d/0x90
 kmem_cache_alloc_node+0xf3/0x2b0
 __alloc_skb+0x191/0x220
 tcp_stream_alloc_skb+0x3f/0x330
 tcp_sendmsg_locked+0x67c/0x1520
 tcp_sendmsg+0x22/0x40
 sock_sendmsg+0x5f/0x70
 __sys_sendto+0x19d/0x250
 __x64_sys_sendto+0x6f/0x80
 do_syscall_64+0x34/0xb0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

Freed by task 9650:
 kasan_save_stack+0x1c/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0x102/0x170
 kmem_cache_free+0xc8/0x3e0
 iwl_mvm_mac_itxq_xmit+0x124/0x270 [iwlmvm]
 ieee80211_queue_skb+0x874/0xd10 [mac80211]
 ieee80211_xmit_fast+0xf80/0x1180 [mac80211]
 __ieee80211_subif_start_xmit+0x287/0x680 [mac80211]
 ieee80211_subif_start_xmit+0xcd/0x730 [mac80211]
 dev_hard_start_xmit+0xf6/0x420
 __dev_queue_xmit+0x165b/0x1b50
 ip_finish_output2+0x66e/0xfb0
 __ip_finish_output+0x487/0x6d0
 ip_output+0x11c/0x350
 __ip_queue_xmit+0x36b/0x9d0
 __tcp_transmit_skb+0xb35/0x15c0
 tcp_write_xmit+0x3f1/0x24d0
 tcp_sendmsg_locked+0x8a9/0x1520
 tcp_sendmsg+0x22/0x40
 sock_sendmsg+0x5f/0x70
 __sys_sendto+0x19d/0x250
 __x64_sys_sendto+0x6f/0x80
 do_syscall_64+0x34/0xb0
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

The buggy address belongs to the object at ffff88813cfa4b40
 which belongs to the cache skbuff_fclone_cache of size 472
The buggy address is located 96 bytes inside of
 472-byte region [ffff88813cfa4b40, ffff88813cfa4d18)

The buggy address belongs to the physical page:
page:ffffea0004f3e900 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813cfa6c40 pfn:0x13cfa4
head:ffffea0004f3e900 order:2 compound_mapcount:0 compound_pincount:0
flags: 0x5fff8000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff)
raw: 005fff8000010200 ffffea0004656b08 ffffea0008e8cf08 ffff8881081a5240
raw: ffff88813cfa6c40 0000000000170015 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88813cfa4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88813cfa4b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
>ffff88813cfa4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                               ^
 ffff88813cfa4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88813cfa4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 08f7d8b6 ("iwlwifi: mvm: bring back mvm GSO code")
Link: https://lore.kernel.org/linux-wireless/20220928193057.16132-1-greearb@candelatech.com/Tested-by: NAmol Jawale <amol.jawale@candelatech.com>
Signed-off-by: NBen Greear <greearb@candelatech.com>
Link: https://lore.kernel.org/r/20221123225313.21b1ee31d666.I3b3ba184433dd2a544d91eeeda29b467021824ae@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

These are register values which are needed for debug regardless of alive
fail/success.
Signed-off-by: NDaniel Gabay <daniel.gabay@intel.com>
Link: https://lore.kernel.org/r/20221123225313.a5ae3679491b.Ic618934df084a9b269e56d892665523c79e40eee@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

Update EHT MAC and PHY capabilities for GL device
for station and softap interface.
Add relevant code in nvm_fixup_sband_iftd.
Signed-off-by: NAbhishek Naik <abhishek.naik@intel.com>
Link: https://lore.kernel.org/r/20221122220713.1da816ab7ffc.Ief570e27007c9e2ad3a97bee4b074e2fc1c75bae@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

We support large A-MPDU in EHT in 2.4 GHz, so add the right
bits for that in the EHT capabilities.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20221122220713.3e7449760415.Id394d7fd0acaca48d429feccda4e66dbadaab993@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

We can't have it in AP mode unless for debug, since we don't have
160 MHz in HE PHY capabilities, and also set it only in 6 GHz even
if (unlike in HE) it's always defined.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20221122220713.293ef3e5a1c4.I867526a6bd3f93ee50076ff359436dfb5ec6101c@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

The bits are reserved on the opposite bands, so we shouldn't
always send them, only the 2G bit on 2.4 GHz and the 5G bits
on 5/6GHz. Fix that.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20221122220713.0a075d00c796.Ib4cac0b7f90dfadebceceb1e07c8cdfd7a4138f6@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

In an EHT connection fill in the HE context command
with PPE Thresholds field from EHT Capabilities IE.
If PPE Thresholds field presents only in HE Capabilities IE,
take the thresholds from there.
If it's not present in both - set the Common Nominal Packet Padding
field from EHT Capabilities IE.
Signed-off-by: NMiri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://lore.kernel.org/r/20221122220713.062ac86110f2.I0bcd5ee35f4d987a49f15501985f90e0d3ce7590@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

In 11be we can receive 1K aggregation size so update our max HW rx
aggregation for mac80211 usage.
Signed-off-by: NMordechay Goodstein <mordechay.goodstein@intel.com>
Link: https://lore.kernel.org/r/20221122220713.ef0431f64975.Ie4d90c376c822694f4523ff0fb5731f20004c24d@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

Rate scale needs to be configured to what MCS it can use per BW and NSS,
this is done by parsing our capabilities of TX and peer's capabilities of
RX and setting the minimum for rate scale usage.

Also do some cleanup removing redundant enum defines not used by
FW/Driver.
Signed-off-by: NMordechay Goodstein <mordechay.goodstein@intel.com>
Link: https://lore.kernel.org/r/20221122220713.f71f3b4c4583.I7b5e8071df91146c4bee3e9bcb7ad62595b275e1@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

Support 320 MHz PHY configuration and while doing so rewrite
the code since we'd otherwise double the number of cases in
the switch statement.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20221122220713.964db911b733.If56c94a9bf20c050f35d2421b680e400a9f4aeb8@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

Add support for advertising EHT capabilities if supported by
device SKU and not disabled by module parameters.
Signed-off-by: NIlan Peer <ilan.peer@intel.com>
Link: https://lore.kernel.org/r/20221122220713.6bc00d851794.I214005645f3da21d8f2458a70355deeca04a19e8@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

When iwlmei driver is removed, it removes all the interfaces
since CSME will take over the NIC while there is no SAP connection.
When the iwlmei driver is removed due to the host being suspended,
this results in the interface being down after resume since the
interface was removed on suspend so mac80211 will not try to bring it
up on resume.
Since on suspend the mac is stopped anyway by mac80211, there is
no need to remove the interface in this case. Wait for the mac
to stop instead. Once the mac is stopped, the driver will not
access the NIC anymore so it is safe for CSME to take over.
Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.371102f04586.I813a964607b3e92ea275a0cf56df57227c11ae88@changeid

Disconnections are reported to CSME as long link down. As a result,
CSME will take ownership right away so the host doesn't have a
chance to reconnect, although in many cases it could quickly reconnect
and preserve host connectivity.
Report disconnections as temporary so CSME will give the host some
grace time to reconnect.
Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.401665457652.Ie5de9eacc5a51cf0965a08c202caf3fbc3a91ec4@changeid

wait_event_timeout() return value indicates whether the condition
evaluated to true or not, so no need to re-take the lock and
check the got_ownership flag.
Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.33159054626f.Ief9e2dc42f96f8044c197d32172003a5ead0f8d3@changeid

If the FW needs to do OTP re-read, the driver must notify CSME before
loading the FW so CSME will not try to access the NIC during the
re-read. Once the alive notification is received, CSME is notified
that NIC access is allowed again.
Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.49eb8c6d455f.I7f0a5debb2d3d662a4151199bbec24613f324c13@changeid

When setting the rate for Tx, the code tried to get the lowest
allowed rate but without considering the BSS basic rates. Fix this
by considering the basic rates.

In addition, declare support for configuring beacon Tx rate and when
configured use the configured Tx beacon rate to set beacon tx command rate.
Signed-off-by: NIlan Peer <ilan.peer@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.be8403f0d5c0.I7d141646746b96310efd75fc77ca9aebc61aefcc@changeid

In order to support MLD, the key API is also changing to have
station masks instead of just the station ID etc. Change the
driver to support this, and add the new code in a new file so
it's more clearly separated.

For now this isn't separated at the mac80211 ops level, which
we wanted to do, but we're calling these functions in a place
when pre-start keys are installed in iwl_mvm_start_ap_ibss(),
and the function has some glue logic to mac80211. We may want
to change that later.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.ed9ccd814abc.Iacc7360de68807fbac19e5b67c86504b39cc15df@changeid

The failed_alloc variable is used as a bitmask in the loop where we
check DRAM allocations.  But erroneously, we were clearing the DRAM
alloc IDs we removed as an integer.

Fix that by clearing them as bits instead.
Signed-off-by: NRotem Saado <rotem.saado@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.688dec28b1d9.I470b8d29c28d16f25f4192773f075940de7ed33c@changeid

In some rare occasions, the firmware may let some frames with invalid
rates, such as CCK rates on the high band, come through.  This causes
the driver to issue a warning, but since this is a possible issue and
it's not really a bug in the driver, convert the warning into an
error.
Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.3d3673c70556.I13464b11d405fd6021618b0a32404cecb7e9ac51@changeid

The A step of BL devices doesn't support STBC, so we need to disable
it.

Create new HT params and a macro to use specifically with BL A-step
devices where STBC is disabled.
Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.806dbfa53f40.I4b14a8be30795bdcd73686bd1f9222e7ab93b505@changeid

Update the for loop that iterates over all the DBGCs to include DBGC4.
DBGC4 is only supported staring from the BZ family of devices, so check
the family before accepting it.
Signed-off-by: NRotem Saado <rotem.saado@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.0b6050b41060.Id662c716c2e3c2c850740d1f71e2801e02aeddaf@changeid

For Bz A-step hardware, the checksum offload is broken and
we need to use the old way, which is still there. Do that,
which requires taking the checksum capability bits out of
the IWL_DEVICE_BZ macro and listing them individually.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221102165239.6bc379f1b0b1.I204223f1b1c2fe26f414aea6679ef7fce681c33a@changeid

If cloning the SKB fails, don't try to use it, but rather return
as if we should pass it.

Coverity CID: 1503456

Fixes: 2da4366f ("iwlwifi: mei: add the driver to allow cooperation with CSME")
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221030191011.0ce03ba99601.I87960b7cb0a3d16b9fd8d9144027e7e2587f5a58@changeid

The AMT_STATE sap message handler tries to take the rtnl lock.
This means that in case the rtnl lock is already taken, sap messages
will not be processed.
When an interface is brought up, the host requests ownership from
csme. However, since the rtnl lock is already held, if there is a
pending amt state message, the host will not be able to read the
ownership confirm message because the amt state message handler
is pending. As a result, the host fails to get ownership although
csme granted it.
Fix it by moving the part that needs the rtnl lock into a dedicated
worker, so handling sap messages can continue.

Fixes: 2da4366f ("iwlwifi: mei: add the driver to allow cooperation with CSME")
Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221030191011.8599f2b4e9dd.I518f79e9099bf815c5f8d90235b4ce3250f59970@changeid

Devices with new Tx API have the IV introduced by the HW and it is not
present in the skb at all. Hence we don't need to tell
iwl_mvm_mei_tx_copy_to_csme to jump over 8 bytes to get to the ethernet
header.

Fixes: 2da4366f ("iwlwifi: mei: add the driver to allow cooperation with CSME")
Signed-off-by: NEmmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221030191011.12dc42133502.Idd744ffeeb84b880eb497963ee02563cbb959a42@changeid

We should not send any SAP command to CSME if AMT is disabled.
Reported-by: NToke Høiland-Jørgensen <toke@toke.dk>
Fixes: 2da4366f ("iwlwifi: mei: add the driver to allow cooperation with CSME")
Signed-off-by: NEmmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221030191011.ea222d41c781.Ifc90ddc3e35187683ff7f59371d792b61c8854c8@changeid

It is possible that CSME will try to take ownership while the driver
is stopping. In this case, if the CSME takes ownership message arrives
after the driver started unregistering, the iwl_mei_cache->ops is
already invalid, so the host will not answer with the ownership
confirmed message.
Similarly, if the take ownership message arrived after the mac was
stopped or when iwl_mvm_up() failed, setting rfkill will not trigger
sending the confirm message. As a result, CSME will not take
ownership, which will result in a disconnection.

Fix it by sending the ownership confirmed message immediately in such
cases.

Fixes: 2da4366f ("iwlwifi: mei: add the driver to allow cooperation with CSME")
Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221030191011.b2a4c009e3e6.I7f931b7ee8b168e8ac88b11f23bff98b7ed3cb19@changeid

Notify csme when associated with TKIP cipher. TKIP is supported
by csme.
Signed-off-by: NAvraham Stern <avraham.stern@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20221030191011.cea63e4a355c.If6cdfa52529a79b923191c89dad7ed871d2ad2c6@changeid

Rather than incurring a division or requesting too many random bytes for
the given range, use the prandom_u32_max() function, which only takes
the minimum required bytes from the RNG and avoids divisions. This was
done mechanically with this coccinelle script:

@basic@
expression E;
type T;
identifier get_random_u32 =~ "get_random_int|prandom_u32|get_random_u32";
typedef u64;
@@
(
- ((T)get_random_u32() % (E))
+ prandom_u32_max(E)
|
- ((T)get_random_u32() & ((E) - 1))
+ prandom_u32_max(E * XXX_MAKE_SURE_E_IS_POW2)
|
- ((u64)(E) * get_random_u32() >> 32)
+ prandom_u32_max(E)
|
- ((T)get_random_u32() & ~PAGE_MASK)
+ prandom_u32_max(PAGE_SIZE)
)

@multi_line@
identifier get_random_u32 =~ "get_random_int|prandom_u32|get_random_u32";
identifier RAND;
expression E;
@@

-       RAND = get_random_u32();
        ... when != RAND
-       RAND %= (E);
+       RAND = prandom_u32_max(E);

// Find a potential literal
@literal_mask@
expression LITERAL;
type T;
identifier get_random_u32 =~ "get_random_int|prandom_u32|get_random_u32";
position p;
@@

        ((T)get_random_u32()@p & (LITERAL))

// Add one to the literal.
@script:python add_one@
literal << literal_mask.LITERAL;
RESULT;
@@

value = None
if literal.startswith('0x'):
        value = int(literal, 16)
elif literal[0] in '123456789':
        value = int(literal, 10)
if value is None:
        print("I don't know how to handle %s" % (literal))
        cocci.include_match(False)
elif value == 2**32 - 1 or value == 2**31 - 1 or value == 2**24 - 1 or value == 2**16 - 1 or value == 2**8 - 1:
        print("Skipping 0x%x for cleanup elsewhere" % (value))
        cocci.include_match(False)
elif value & (value + 1) != 0:
        print("Skipping 0x%x because it's not a power of two minus one" % (value))
        cocci.include_match(False)
elif literal.startswith('0x'):
        coccinelle.RESULT = cocci.make_expr("0x%x" % (value + 1))
else:
        coccinelle.RESULT = cocci.make_expr("%d" % (value + 1))

// Replace the literal mask with the calculated result.
@plus_one@
expression literal_mask.LITERAL;
position literal_mask.p;
expression add_one.RESULT;
identifier FUNC;
@@

-       (FUNC()@p & (LITERAL))
+       prandom_u32_max(RESULT)

@collapse_ret@
type T;
identifier VAR;
expression E;
@@

 {
-       T VAR;
-       VAR = (E);
-       return VAR;
+       return E;
 }

@drop_var@
type T;
identifier VAR;
@@

 {
-       T VAR;
        ... when != VAR
 }
Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: NKees Cook <keescook@chromium.org>
Reviewed-by: NYury Norov <yury.norov@gmail.com>
Reviewed-by: NKP Singh <kpsingh@kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz> # for ext4 and sbitmap
Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com> # for drbd
Acked-by: NJakub Kicinski <kuba@kernel.org>
Acked-by: Heiko Carstens <hca@linux.ibm.com> # for s390
Acked-by: Ulf Hansson <ulf.hansson@linaro.org> # for mmc
Acked-by: Darrick J. Wong <djwong@kernel.org> # for xfs
Signed-off-by: NJason A. Donenfeld <Jason@zx2c4.com>

BUGs like this are still reproducible:

[   31.509616] list_add corruption. prev->next should be next (ffff8f8644242300), but was ffff8f86493fd300. (prev=ffff8f86493fd300).
[   31.521544] ------------[ cut here ]------------
[   31.526248] kernel BUG at lib/list_debug.c:30!
[   31.530781] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[   31.535831] CPU: 1 PID: 626 Comm: wpa_supplicant Not tainted 6.0.0+ #7
[   31.542450] Hardware name: Dell Inc. Inspiron 660s/0478VN       , BIOS A07 08/24/2012
[   31.550484] RIP: 0010:__list_add_valid.cold+0x3a/0x5b
[   31.555537] Code: f2 4c 89 c1 48 89 fe 48 c7 c7 28 20 69 89 e8 4c e3 fd ff 0f 0b 48 89 d1 4c 89 c6 4c 89 ca 48 c7 c7 d0 1f 69 89 e8 35 e3 fd ff <0f> 0b 4c 89 c1 48 c7 c7 78 1f 69 89 e8 24 e3 fd ff 0f 0b 48 c7 c7
[   31.574605] RSP: 0018:ffff9f6f00dc3748 EFLAGS: 00010286
[   31.579990] RAX: 0000000000000075 RBX: ffff8f8644242080 RCX: 0000000000000000
[   31.587155] RDX: 0000000000000201 RSI: ffffffff8967862d RDI: 00000000ffffffff
[   31.594482] RBP: ffff8f86493fd2e8 R08: 0000000000000000 R09: 00000000ffffdfff
[   31.601735] R10: ffff9f6f00dc3608 R11: ffffffff89f46128 R12: ffff8f86493fd300
[   31.608986] R13: ffff8f86493fd300 R14: ffff8f8644242300 R15: ffff8f8643dd3f2c
[   31.616151] FS:  00007f3bb9a707c0(0000) GS:ffff8f865a300000(0000) knlGS:0000000000000000
[   31.624447] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   31.630286] CR2: 00007fe3647d5600 CR3: 00000001125a6002 CR4: 00000000000606e0
[   31.637539] Call Trace:
[   31.639936]  <TASK>
[   31.642143]  iwl_mvm_mac_wake_tx_queue+0x71/0x90 [iwlmvm]
[   31.647569]  ieee80211_queue_skb+0x4b6/0x720 [mac80211]
...

So, it is necessary to extend the applied solution with commit 14a3aacf
("iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue")
to all other cases where the station queues are invalidated and the related
lists are not emptied. Because, otherwise as before, if some new element is
added later to the list in iwl_mvm_mac_wake_tx_queue, it can match with the
old one and produce the same commented BUG.

That is, in order to avoid this problem completely, we must also remove the
related lists for the other cases when station queues are invalidated.

Fixes: cfbc6c4c ("iwlwifi: mvm: support mac80211 TXQs model")
Reported-by: NPetr Stourac <pstourac@redhat.com>
Tested-by: NPetr Stourac <pstourac@redhat.com>
Signed-off-by: NJose Ignacio Tornos Martinez <jtornosm@redhat.com>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20221010081611.145027-1-jtornosm@redhat.com

mac80211 is fully switching over to the internal TX queue (iTXQ)
implementation. Update all drivers not yet providing the now mandatory
wake_tx_queue() callback.

As an side effect the netdev interfaces of all updated drivers will
switch to the noqueue qdisc.
Signed-off-by: NAlexander Wetzel <alexander@wetzel-home.de>
[add staging drivers]
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

We tell driver developers to always pass NAPI_POLL_WEIGHT
as the weight to netif_napi_add(). This may be confusing
to newcomers, drop the weight argument, those who really
need to tweak the weight can use netif_napi_add_weight().

Acked-by: Marc Kleine-Budde <mkl@pengutronix.de> # for CAN
Link: https://lore.kernel.org/r/20220927132753.750069-1-kuba@kernel.orgSigned-off-by: NJakub Kicinski <kuba@kernel.org>

In preparation for reducing the use of ksize(), explicitly track the
size of scan_cmd allocations. This also allows for noticing if the scan
size changes unexpectedly. Note that using ksize() was already incorrect
here, in the sense that ksize() would not match the actual allocation
size, which would trigger future run-time allocation bounds checking.
(In other words, memset() may know how large scan_cmd was allocated for,
but ksize() will return the upper bounds of the actually allocated memory,
causing a run-time warning about an overflow.)

Cc: Gregory Greenman <gregory.greenman@intel.com>
Cc: Kalle Valo <kvalo@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Luca Coelho <luciano.coelho@intel.com>
Cc: Johannes Berg <johannes.berg@intel.com>
Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Cc: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Cc: Ilan Peer <ilan.peer@intel.com>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: NKees Cook <keescook@chromium.org>
Signed-off-by: NKalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20220923220853.3302056-1-keescook@chromium.org

This notification replaces the WOWLAN_GET_STATUSES command-and-response,
so it's required to parse all the keys in the notification just like
what happened when that command was used.

Move around a few required static functions in order to avoid forward
declarations.
Signed-off-by: NNaftali Goldstein <naftali.goldstein@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20220906161827.ca3fb23cab81.I0a9fe7729af4567b98813bc51bad13ee5512a0ae@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

In recent patches notifications based d3 resume flow was added,
and the resume flow was changed.

Currently, when resuming from d3 during which an assert was thrown,
the resume flow skips the iteration over active interfaces
preventing the sta to reconnect to the ap.

Perform the iteration in case an assert was thrown to fix it.
Signed-off-by: NYedidya Benshimol <yedidya.ben.shimol@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20220906161827.ad888cc6cd91.Ib56e416fce17df089edf76d22896430df5ebe080@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

We have recently enabled resume flow based on notifications.
These notifications are sent by the FW when completing the resume flow.
From IWL_DEVICE_FAMILY_AX210 the resume flow is triggered by the
transport layer on iwl_trans_d3_resume.
On IWL_DEVICE_FAMILY_22000 and earlier we trigger the resume flow by
sending the D0I3 command.

Currently, we are waiting for the notifications before sending the
command, the notifications won't be sent by the FW since there is no
resume trigger to piggyback on.

Send the command before starting the wait flow to fix it.
Signed-off-by: NHaim, Dreyfuss <haim.dreyfuss@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20220906161827.5f0f251edf9c.Ia49ab73105af6f52aa7d318f4984edecd3b0671a@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

To support FW versions that send the scan match information as
an asynchronous notification.
Signed-off-by: NIlan Peer <ilan.peer@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20220906161827.bbc5602d0b6f.I1329c231f82e7bf18f7dba0ccbd9f2d4080cbfc1@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

We have recently added support for resume based on notifications.
Enable it.
Signed-off-by: NHaim Dreyfuss <haim.dreyfuss@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20220906161827.a6344ba23df5.I09fce8cf5aac1d46b40ae81b1abcf7a0e54af196@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>

Due to IMR, when host returns from hibernate, commands cannot
be sent as part of the resume flow, and so after ending
d3 the FW needs to send notifications instead of responses.
This notification indicates whether a fw reset is required.
Signed-off-by: NYedidya Benshimol <yedidya.ben.shimol@intel.com>
Signed-off-by: NHaim Dreyfuss <haim.dreyfuss@intel.com>
Signed-off-by: NGregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20220906161827.898ecba881b2.I13eb69bb5af08b9ac33043647eaed6b8d50e8659@changeidSigned-off-by: NGregory Greenman <gregory.greenman@intel.com>