iwlwifi: Monitor mode broken with 6.1.0

From: Krishna Chaitanya <chaitanya.mgit@gmail.com>
To: linux-wireless <linux-wireless@vger.kernel.org>
Cc: Johannes Berg <johannes@sipsolutions.net>,
	Emmanuel Grumbach <egrumbach@gmail.com>
Subject: iwlwifi: Monitor mode broken with 6.1.0
Date: Mon, 23 Jan 2023 14:07:10 +0530	[thread overview]
Message-ID: <CABPxzY+_Mjercvvh5XHmtHdNCKXDupVbL4PKXgzZPiUesRsRMA@mail.gmail.com> (raw)

Hi,

I am using the ath.git (ea726a8d305a : was testing external Atheros
cards) + linux-firmware (bb2d42d) and the monitor mode stopped working
with iwlwifi. There is a warning from UBSAN: "UBSAN:
shift-out-of-bounds in
drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:657:22".

The root cause was this c6ce1c74ef292 which defaults the assignment to
0xFFFF and then that was being used for the shift.

I have tried to fix the warning with the below patch (just for an
experiment, not a proper one), the warning is gone, but no frames are
seen in Wireshark.

Below is the version information, any help is appreciated, monitor
mode is important for me.

lspci: Network controller: Intel Corporation Wi-Fi 6 AX201 (rev 20)

[  +0.003790] iwlwifi 0000:00:14.3: api flags index 2 larger than
supported by driver
[  +0.000046] iwlwifi 0000:00:14.3: TLV_FW_FSEQ_VERSION: FSEQ Version:
89.3.35.37
[  +0.001519] iwlwifi 0000:00:14.3: loaded firmware version
72.daa05125.0 QuZ-a0-hr-b0-72.ucode op_mode iwlmvm
[  +0.034887] iwlwifi 0000:00:14.3: Detected Intel(R) Wi-Fi 6 AX201
160MHz, REV=0x351
[  +0.000083] thermal thermal_zone7: failed to read out thermal zone (-61)
[  +0.122144] iwlwifi 0000:00:14.3: Detected RF HR B3, rfid=0x10a100
[  +0.065701] iwlwifi 0000:00:14.3: base HW address: 4c:79:6e:90:94:71
[  +0.019826] iwlwifi 0000:00:14.3 wlp0s20f3: renamed from wlan0
[ +14.210987] device mon0 entered promiscuous mode
[Jan24 18:20] device mon0 left promiscuous mode

---

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
index 83abfe996138..591f9fdd0ec4 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c
@@ -654,9 +654,13 @@ static int iwl_mvm_mac_ctxt_cmd_listener(struct
iwl_mvm *mvm,
                                         u32 action)
 {
        struct iwl_mac_ctx_cmd cmd = {};
-       u32 tfd_queue_msk = BIT(mvm->snif_queue);
+       u32 tfd_queue_msk = 0;
        int ret;

+       if (mvm->snif_queue != IWL_MVM_INVALID_QUEUE) {
+               tfd_queue_msk = BIT(mvm->snif_queue);
+       }
+
        WARN_ON(vif->type != NL80211_IFTYPE_MONITOR);

        iwl_mvm_mac_ctxt_cmd_common(mvm, vif, &cmd, NULL, action);
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
index 515dd3e0730d..784a7f72b819 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -2084,6 +2084,7 @@ static int iwl_mvm_add_int_sta_with_queue(struct
iwl_mvm *mvm, int macidx,
                }

                *queue = txq;
+               sta->tfd_queue_msk = BIT(*queue);
        }

        return 0;
@@ -2092,11 +2093,15 @@ static int
iwl_mvm_add_int_sta_with_queue(struct iwl_mvm *mvm, int macidx,
 int iwl_mvm_add_aux_sta(struct iwl_mvm *mvm, u32 lmac_id)
 {
        int ret;
+       u32 tfd_queue_msk = 0;

        lockdep_assert_held(&mvm->mutex);
+       if (mvm->aux_queue != IWL_MVM_INVALID_QUEUE) {
+               tfd_queue_msk = BIT(mvm->aux_queue);
+       }

        /* Allocate aux station and assign to it the aux queue */
-       ret = iwl_mvm_allocate_int_sta(mvm, &mvm->aux_sta, BIT(mvm->aux_queue),
+       ret = iwl_mvm_allocate_int_sta(mvm, &mvm->aux_sta, tfd_queue_msk,
                                       NL80211_IFTYPE_UNSPECIFIED,
                                       IWL_STA_AUX_ACTIVITY);
        if (ret)
