Re: iwlwifi: Monitor mode broken with 6.1.0

From: Krishna Chaitanya <chaitanya.mgit@gmail.com>
To: "Greenman, Gregory" <gregory.greenman@intel.com>
Cc: "linux-wireless@vger.kernel.org" <linux-wireless@vger.kernel.org>,
	"johannes@sipsolutions.net" <johannes@sipsolutions.net>,
	"egrumbach@gmail.com" <egrumbach@gmail.com>
Subject: Re: iwlwifi: Monitor mode broken with 6.1.0
Date: Mon, 23 Jan 2023 21:41:25 +0530	[thread overview]
Message-ID: <CABPxzYKc58mqCjyy+rzbrhZm5wCRKUm1Vs=HiP9OVsVSO3DiKA@mail.gmail.com> (raw)
In-Reply-To: <714df952bf0b0f53a2f7a6714083e93e39632f49.camel@intel.com>

On Mon, Jan 23, 2023 at 6:29 PM Greenman, Gregory
<gregory.greenman@intel.com> wrote:
>
> Hi!
>
> On Mon, 2023-01-23 at 14:07 +0530, Krishna Chaitanya wrote:
> > Hi,
> >
> > I am using the ath.git (ea726a8d305a : was testing external Atheros
> > cards) + linux-firmware (bb2d42d) and the monitor mode stopped working
> > with iwlwifi. There is a warning from UBSAN: "UBSAN:
> > shift-out-of-bounds in
> > drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:657:22".
> >
> > The root cause was this c6ce1c74ef292 which defaults the assignment to
> > 0xFFFF and then that was being used for the shift.
> >
> > I have tried to fix the warning with the below patch (just for an
> > experiment, not a proper one), the warning is gone, but no frames are
> > seen in Wireshark.
> >
> > Below is the version information, any help is appreciated, monitor
> > mode is important for me.
> >
> > lspci: Network controller: Intel Corporation Wi-Fi 6 AX201 (rev 20)
> >
> > [  +0.003790] iwlwifi 0000:00:14.3: api flags index 2 larger than
> > supported by driver
> > [  +0.000046] iwlwifi 0000:00:14.3: TLV_FW_FSEQ_VERSION: FSEQ Version:
> > 89.3.35.37
> > [  +0.001519] iwlwifi 0000:00:14.3: loaded firmware version
> > 72.daa05125.0 QuZ-a0-hr-b0-72.ucode op_mode iwlmvm
> > [  +0.034887] iwlwifi 0000:00:14.3: Detected Intel(R) Wi-Fi 6 AX201
> > 160MHz, REV=0x351
> > [  +0.000083] thermal thermal_zone7: failed to read out thermal zone (-61)
> > [  +0.122144] iwlwifi 0000:00:14.3: Detected RF HR B3, rfid=0x10a100
> > [  +0.065701] iwlwifi 0000:00:14.3: base HW address: 4c:79:6e:90:94:71
> > [  +0.019826] iwlwifi 0000:00:14.3 wlp0s20f3: renamed from wlan0
> > [ +14.210987] device mon0 entered promiscuous mode
> > [Jan24 18:20] device mon0 left promiscuous mode
> >
> > ---
> > diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
> > b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
> > index 83abfe996138..591f9fdd0ec4 100644
> > --- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
> > +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
> > @@ -654,9 +654,13 @@ static int iwl_mvm_mac_ctxt_cmd_listener(struct
> > iwl_mvm *mvm,
> >                                          u32 action)
> >  {
> >         struct iwl_mac_ctx_cmd cmd = {};
> > -       u32 tfd_queue_msk = BIT(mvm->snif_queue);
> > +       u32 tfd_queue_msk = 0;
> >         int ret;
> >
> > +       if (mvm->snif_queue != IWL_MVM_INVALID_QUEUE) {
> > +               tfd_queue_msk = BIT(mvm->snif_queue);
> > +       }
> > +
> >         WARN_ON(vif->type != NL80211_IFTYPE_MONITOR);
> >
> >         iwl_mvm_mac_ctxt_cmd_common(mvm, vif, &cmd, NULL, action);
> > diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
> > b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
> > index 515dd3e0730d..784a7f72b819 100644
> > --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
> > +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
> > @@ -2084,6 +2084,7 @@ static int iwl_mvm_add_int_sta_with_queue(struct
> > iwl_mvm *mvm, int macidx,
> >                 }
> >
> >                 *queue = txq;
> > +               sta->tfd_queue_msk = BIT(*queue);
> >         }
> >
> >         return 0;
> > @@ -2092,11 +2093,15 @@ static int
> > iwl_mvm_add_int_sta_with_queue(struct iwl_mvm *mvm, int macidx,
> >  int iwl_mvm_add_aux_sta(struct iwl_mvm *mvm, u32 lmac_id)
> >  {
> >         int ret;
> > +       u32 tfd_queue_msk = 0;
> >
> >         lockdep_assert_held(&mvm->mutex);
> > +       if (mvm->aux_queue != IWL_MVM_INVALID_QUEUE) {
> > +               tfd_queue_msk = BIT(mvm->aux_queue);
> > +       }
> >
> >         /* Allocate aux station and assign to it the aux queue */
> > -       ret = iwl_mvm_allocate_int_sta(mvm, &mvm->aux_sta, BIT(mvm->aux_queue),
> > +       ret = iwl_mvm_allocate_int_sta(mvm, &mvm->aux_sta, tfd_queue_msk,
> >                                        NL80211_IFTYPE_UNSPECIFIED,
> >                                        IWL_STA_AUX_ACTIVITY);
> >         if (ret)
>
> This bug was already fixed in our internal repository. You can use the driver from [1]
> until this fix will make it's way to the upstream (please use master branch).
>
> [1] https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/backport-iwlwifi.git
Excellent, thanks for the reply.

The driver in [1] was not building due to 20b0b53aca436 but it was simple
to fix, after installation (and reboot) the warning is gone, but still
unable to sniff.

FW is now updated to:
loaded firmware version 77.2dda880d.0 QuZ-a0-hr-b0-77.ucode op_mode iwlmvm