Hi!

On Mon, 2023-01-23 at 14:07 +0530, Krishna Chaitanya wrote:
> Hi,
>
> I am using the ath.git (ea726a8d305a : was testing external Atheros
> cards) + linux-firmware (bb2d42d) and the monitor mode stopped working
> with iwlwifi. There is a warning from UBSAN: "UBSAN:
> shift-out-of-bounds in
> drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:657:22".
>
> The root cause was this c6ce1c74ef292 which defaults the assignment to
> 0xFFFF and then that was being used for the shift.
>
> I have tried to fix the warning with the below patch (just for an
> experiment, not a proper one), the warning is gone, but no frames are
> seen in Wireshark.
>
> Below is the version information, any help is appreciated, monitor
> mode is important for me.
>
> lspci: Network controller: Intel Corporation Wi-Fi 6 AX201 (rev 20)
>
> [ +0.003790] iwlwifi 0000:00:14.3: api flags index 2 larger than
> supported by driver
> [ +0.000046] iwlwifi 0000:00:14.3: TLV_FW_FSEQ_VERSION: FSEQ Version:
> 89.3.35.37
> [ +0.001519] iwlwifi 0000:00:14.3: loaded firmware version
> 72.daa05125.0 QuZ-a0-hr-b0-72.ucode op_mode iwlmvm
> [ +0.034887] iwlwifi 0000:00:14.3: Detected Intel(R) Wi-Fi 6 AX201
> 160MHz, REV=0x351
> [ +0.000083] thermal thermal_zone7: failed to read out thermal zone (-61)
> [ +0.122144] iwlwifi 0000:00:14.3: Detected RF HR B3, rfid=0x10a100
> [ +0.065701] iwlwifi 0000:00:14.3: base HW address: 4c:79:6e:90:94:71
> [ +0.019826] iwlwifi 0000:00:14.3 wlp0s20f3: renamed from wlan0
> [ +14.210987] device mon0 entered promiscuous mode
> [Jan24 18:20] device mon0 left promiscuous mode
>
> --- > diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c > b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c > index 83abfe996138..591f9fdd0ec4 100644 > --- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c > +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c 
> @@ -654,9 +654,13 @@ static int iwl_mvm_mac_ctxt_cmd_listener(struct > iwl_mvm *mvm, > u32 action) > { > struct iwl_mac_ctx_cmd cmd = {}; > - u32 tfd_queue_msk = BIT(mvm->snif_queue); > + u32 tfd_queue_msk = 0; > int ret; > > + if (mvm->snif_queue != IWL_MVM_INVALID_QUEUE) { > + tfd_queue_msk = BIT(mvm->snif_queue); > + } > + > WARN_ON(vif->type != NL80211_IFTYPE_MONITOR); > > iwl_mvm_mac_ctxt_cmd_common(mvm, vif, &cmd, NULL, action); > diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c > b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c > index 515dd3e0730d..784a7f72b819 100644 > --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c > +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c > @@ -2084,6 +2084,7 @@ static int iwl_mvm_add_int_sta_with_queue(struct > iwl_mvm *mvm, int macidx, > } > > *queue = txq; > + sta->tfd_queue_msk = BIT(*queue); > } > > return 0; > @@ -2092,11 +2093,15 @@ static int > iwl_mvm_add_int_sta_with_queue(struct iwl_mvm *mvm, int macidx, > int iwl_mvm_add_aux_sta(struct iwl_mvm *mvm, u32 lmac_id) > { > int ret; > + u32 tfd_queue_msk = 0; > > lockdep_assert_held(&mvm->mutex); > + if (mvm->aux_queue != IWL_MVM_INVALID_QUEUE) { > + tfd_queue_msk = BIT(mvm->aux_queue); > + } > > /* Allocate aux station and assign to it the aux queue */ > - ret = iwl_mvm_allocate_int_sta(mvm, &mvm->aux_sta, BIT(mvm->aux_queue), > + ret = iwl_mvm_allocate_int_sta(mvm, &mvm->aux_sta, tfd_queue_msk, > NL80211_IFTYPE_UNSPECIFIED, > IWL_STA_AUX_ACTIVITY); > if (ret)

This bug was already fixed in our internal repository.
You can use the driver from [1] until this fix makes its way to upstream (please use master branch).

[1] https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/backport-iwlwifi.git
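Review bot: in the mac-ctxt.c hunk (@@ -654,9 +654,13 @@), when mvm->snif_queue equals IWL_MVM_INVALID_QUEUE the function carries on with tfd_queue_msk left at 0 instead of reporting the condition. The guard removes the out-of-range shift that UBSAN flagged, but an empty queue mask for the sniffer is silently accepted, which fits the "no frames are seen" result described above. Consider failing early here (a WARN_ON plus an error return) or making sure the sniffer queue is assigned before this function runs. Kernel style also drops the braces around a single-statement if.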
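Review bot: in the sta.c hunk at @@ -2084,6 +2084,7 @@, the added `sta->tfd_queue_msk = BIT(*queue);` shifts by *queue with no range check visible in the hunk, while the other two hunks of this patch test against IWL_MVM_INVALID_QUEUE before calling BIT(). Either apply the same check here or add a comment stating why txq is always a valid queue index at this point. The plain assignment also replaces any mask the station already carried; if bits set at allocation time should be kept, use `|=` instead.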
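Review bot: in the sta.c hunk at @@ -2092,11 +2093,15 @@, iwl_mvm_allocate_int_sta() is now called with a mask of 0 whenever mvm->aux_queue is IWL_MVM_INVALID_QUEUE, yet the comment directly above the call still reads "Allocate aux station and assign to it the aux queue". Update the comment to say that the queue may be assigned later, or return an error if an aux station without a queue is not a valid state. Style points: the new if follows lockdep_assert_held() without a separating blank line, and the braces around its single statement should go.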