Re: [PATCH v3] mac80211: mesh: fix wrong mesh TTL offset calculation

2018-01-27 Thread kbuild test robot
Hi Peter,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on mac80211-next/master]
[also build test ERROR on v4.15-rc9 next-20180126]
[if your patch is applied to the wrong git tree, please drop us a note to help 
improve the system]

url:    https://github.com/0day-ci/linux/commits/peter-oh-bowerswilkins-com/mac80211-mesh-fix-wrong-mesh-TTL-offset-calculation/20180128-042444
base:   https://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git master
config: i386-randconfig-x070-201804 (attached as .config)
compiler: gcc-7 (Debian 7.2.0-12) 7.2.1 20171025
reproduce:
# save the attached .config to linux build tree
make ARCH=i386 

All errors (new ones prefixed by >>):

   net//mac80211/mesh.c: In function 'mesh_fwd_csa_frame':
>> net//mac80211/mesh.c:1271:40: error: decrement of member 'mesh_ttl' in read-only object
 elems->mesh_chansw_params_ie->mesh_ttl--;
   ^~
>> net//mac80211/mesh.c:1272:43: error: assignment of member 'mesh_flags' in read-only object
 elems->mesh_chansw_params_ie->mesh_flags &=
  ^~

vim +/mesh_ttl +1271 net//mac80211/mesh.c

  1256  
  1257  static int mesh_fwd_csa_frame(struct ieee80211_sub_if_data *sdata,
  1258 struct ieee80211_mgmt *mgmt, size_t len,
  1259 struct ieee802_11_elems *elems)
  1260  {
  1261  struct ieee80211_mgmt *mgmt_fwd;
  1262  struct sk_buff *skb;
  1263  struct ieee80211_local *local = sdata->local;
  1264  
  1265  skb = dev_alloc_skb(local->tx_headroom + len);
  1266  if (!skb)
  1267  return -ENOMEM;
  1268  skb_reserve(skb, local->tx_headroom);
  1269  mgmt_fwd = skb_put(skb, len);
  1270  
> 1271  elems->mesh_chansw_params_ie->mesh_ttl--;
> 1272  elems->mesh_chansw_params_ie->mesh_flags &=
  1273  ~WLAN_EID_CHAN_SWITCH_PARAM_INITIATOR;
  1274  
  1275  memcpy(mgmt_fwd, mgmt, len);
  1276  eth_broadcast_addr(mgmt_fwd->da);
  1277  memcpy(mgmt_fwd->sa, sdata->vif.addr, ETH_ALEN);
  1278  memcpy(mgmt_fwd->bssid, sdata->vif.addr, ETH_ALEN);
  1279  
  1280  ieee80211_tx_skb(sdata, skb);
  1281  return 0;
  1282  }
  1283  

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation




Re: [PATCH 03/10] rtlwifi: Use 6 bits as sequence number of TX report

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

In new design, SW_DEFINE[1:0] of tx desc are used by firmware, and the TX
report only contains SW_DEFINE[7:0]. To satisfy all cases, driver uses
SW_DEFINE[7:2] as sequence number.
Besides, the format of tx report has been changed, so a new flag
RTL_SPEC_EXT_C2H is used to access report.

Signed-off-by: Ping-Ke Shih 


This change was tested on an old design (RTL8188CE). No problems were observed.

Acked-by: Larry Finger 


Re: [PATCH 04/10] rtlwifi: Extend tx_power_by_rate_offset size for newer IC

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

In older design, the TX power is grouped into rate section (smaller array
size), but new design groups them into rate (larger array size). Thus,
we extend the size for both cases, and add compile time assertion.

Signed-off-by: Ping-Ke Shih 
---


I hate to see any arrays getting larger, but I can see that changes in rates 
make this inevitable. The BUILD_BUG_ON() is a good addition.


Acked-by: Larry Finger 


Re: [PATCH 05/10] rtlwifi: Add rate section and its related definition and comment

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

Add comments to make it easier to understand, and add compile time
assertions.

Signed-off-by: Ping-Ke Shih 


This is a good improvement.

Acked-by: Larry Finger 


Re: [PATCH 06/10] rtlwifi: Fix VHT NSS in RC

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

NSS is an argument of highest rate in RC, and it occupies bit 4-7 so use
ieee80211_rate_set_vht() to fill the values. Since it got correct rate
index, we don't need to check chips to assign NSS in set function anymore.

Signed-off-by: Ping-Ke Shih 
---
  drivers/net/wireless/realtek/rtlwifi/rc.c | 49 +--
  1 file changed, 40 insertions(+), 9 deletions(-)

diff --git a/drivers/net/wireless/realtek/rtlwifi/rc.c 
b/drivers/net/wireless/realtek/rtlwifi/rc.c
index d1cb7d405618..396bed8d3d51 100644
--- a/drivers/net/wireless/realtek/rtlwifi/rc.c
+++ b/drivers/net/wireless/realtek/rtlwifi/rc.c
@@ -42,6 +42,17 @@ static u8 _rtl_rc_get_highest_rix(struct rtl_priv *rtlpriv,
struct rtl_phy *rtlphy = &(rtlpriv->phy);
struct rtl_sta_info *sta_entry = NULL;
u16 wireless_mode = 0;
+   u8 nss;
+   struct ieee80211_tx_rate rate;
+
+   if (get_rf_type(rtlphy) >= RF_4T4R)
+   nss = 4;
+   else if (get_rf_type(rtlphy) >= RF_3T3R)
+   nss = 3;
+   else if (get_rf_type(rtlphy) >= RF_2T2R)
+   nss = 2;
+   else
+   nss = 1;
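
Review bot: the `>=` comparisons against RF_4T4R, RF_3T3R and RF_2T2R in the new if/else chain only yield the right nss if the rf type enum is numerically ordered by stream count, and nothing in this hunk documents that. Call get_rf_type(rtlphy) once into a local and either add a comment stating the ordering assumption or map each type explicitly, so that a later insertion or reordering in the enum cannot silently change nss.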


As a general rule, I think that if ... else if ... else if ... else ... 
constructions should be changed to switch statements. This one is simple enough 
that there will be no complications, but keep this in mind in the future.


Acked-by: Larry Finger 



Re: [PATCH 07/10] rtlwifi: add definition radio_mask for RF and maximum bandwidth

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

Add rf mask definition (BIT 0, BIT 1, BIT 2, ...) that is different from
rf path definition (0, 1, 2, ...), and then combinations of rf path are
possible.

Signed-off-by: Ping-Ke Shih 


I agree that an rf path mask is useful.

Acked-by: Larry Finger 


---
  drivers/net/wireless/realtek/rtlwifi/wifi.h | 8 
  1 file changed, 8 insertions(+)

diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h 
b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index 4de2ab1d5416..2e9a20273a2d 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -286,6 +286,13 @@ enum radio_path {
RF90_PATH_D = 3,
  };
  
+enum radio_mask {

+   RF_MASK_A = BIT(0),
+   RF_MASK_B = BIT(1),
+   RF_MASK_C = BIT(2),
+   RF_MASK_D = BIT(3),
+};
+
  enum regulation_txpwr_lmt {
TXPWR_LMT_FCC = 0,
TXPWR_LMT_MKK = 1,
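
Review bot: in the new enum radio_mask the bit positions are hard-coded as BIT(0) to BIT(3), duplicating the values of enum radio_path just above (RF90_PATH_D = 3 is visible in the context). Defining them from the path values, for example RF_MASK_A = BIT(RF90_PATH_A), keeps the two enums from drifting apart and puts the relationship the commit message describes into the code itself.
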
@@ -579,6 +586,7 @@ enum ht_channel_width {
HT_CHANNEL_WIDTH_20 = 0,
HT_CHANNEL_WIDTH_20_40 = 1,
HT_CHANNEL_WIDTH_80 = 2,
+   HT_CHANNEL_WIDTH_MAX,
  };
  
  /* Ref: 802.11i sepc D10.0 7.3.2.25.1
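
Review bot: HT_CHANNEL_WIDTH_MAX is added without a value or a comment, so it is a count sentinel equal to 3 rather than a bandwidth, although the subject line calls it the maximum bandwidth. Add a comment saying it must stay last and is meant only for array sizing or range checks, and confirm that existing switch statements over enum ht_channel_width do not start warning about an unhandled value.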






Re: [PATCH 08/10] rtlwifi: add efuse ops for other components

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

The new component phydm needs to access efuse content, so we prepare ops
for reference.

Signed-off-by: Tsang-Shian Lin 
Signed-off-by: Ping-Ke Shih 


Acked-by: Larry Finger 


Re: [PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti

2018-01-27 Thread Dan Williams
[ adding lkml ]

I had inadvertently dropped lkml when sending this to Thomas. Archive here:

https://marc.info/?l=linux-wireless&m=151704026325010&w=2
https://marc.info/?l=linux-arch&m=151704027225013&w=2
https://marc.info/?l=linux-arch&m=151704027225014&w=2
https://marc.info/?l=linux-arch&m=151704027625015&w=2
https://marc.info/?l=linux-arch&m=151704028225016&w=2
https://marc.info/?l=linux-arch&m=151704028725019&w=2
https://marc.info/?l=linux-arch&m=151704086725186&w=2
https://marc.info/?l=linux-arch&m=151704030025025&w=2
https://marc.info/?l=linux-arch&m=151704030525028&w=2
https://marc.info/?l=linux-arch&m=151704031125029&w=2
https://marc.info/?l=linux-arch&m=151704032225034&w=2
https://marc.info/?l=linux-arch&m=151704032625035&w=2
https://marc.info/?l=linux-arch&m=151704032725037&w=2


On Fri, Jan 26, 2018 at 11:55 PM, Dan Williams  wrote:
> Hi Thomas,
>
> Here's another spin of the spectre-v1 mitigations for 4.16.
>
> Changes since v4.1: [1]
> * Tweak the sanitization scheme yet again to make it even simpler. Now,
>   instead of 'array_ptr' to get a sanitized pointer to an array element,
>   just provide an array index sanitization helper 'array_idx' to be called
>   after successfully validating the index is in bounds. I.e. in the
>   exact same location one would otherwise put an lfence, place this
>   sanitizer:
>
>   if (idx < sz) {
>   idx = array_idx(idx, sz);
>   val = array[idx];
>   }
>
>   This lets the implementation include more sanity checking that the
>   compiler can usually compile out. It otherwise appears to produce
>   better assembly. This also cleans up the concern about comparing the
>   value returned from array_ptr to create another speculation point.
>   (Russell, Linus, Cyril)
>
> * Drop the syscall_64_fastpath.  This is the straightforward patch from
>   Linus that might also be in flight from Andy, but I went ahead and
>   included it since I did not see it on LKML yet.
>
> * Kill the MASK_NOSPEC macro and just open code it. (Andy)
>
> * Add system-call-number sanitization to the slow path syscall table
>   lookups.
>
> * Redo the array_ptr conversions with array_idx.
>
> * Update /sys/devices/system/cpu/vulnerabilities/spectre_v1 to indicate
>   the new protections. It now reports "Vulnerable: Minimal user pointer
>   sanitization". (Jiri)
>
> ---
>
> Dan Williams (11):
>   array_idx: sanitize speculative array de-references
>   x86: implement array_idx_mask
>   x86: introduce __uaccess_begin_nospec and ifence
>   x86, __get_user: use __uaccess_begin_nospec
>   x86, get_user: use pointer masking to limit speculation
>   x86: remove the syscall_64 fast-path
>   x86: sanitize sycall table de-references under speculation
>   vfs, fdtable: prevent bounds-check bypass via speculative execution
>   kvm, x86: update spectre-v1 mitigation
>   nl80211: sanitize array index in parse_txq_params
>   x86/spectre: report get_user mitigation for spectre_v1
>
> Mark Rutland (1):
>   Documentation: document array_idx
>
>
>  Documentation/speculation.txt |   87 
>  arch/x86/entry/common.c   |3 +
>  arch/x86/entry/entry_64.S |  116 
> -
>  arch/x86/entry/syscall_64.c   |7 +-
>  arch/x86/include/asm/barrier.h|   26 
>  arch/x86/include/asm/msr.h|3 -
>  arch/x86/include/asm/uaccess.h|   15 -
>  arch/x86/include/asm/uaccess_32.h |6 +-
>  arch/x86/include/asm/uaccess_64.h |   12 ++--
>  arch/x86/kernel/cpu/bugs.c|2 -
>  arch/x86/kvm/vmx.c|   14 +++-
>  arch/x86/lib/getuser.S|   10 +++
>  arch/x86/lib/usercopy_32.c|8 +--
>  include/linux/fdtable.h   |5 +-
>  include/linux/nospec.h|   64 
>  net/wireless/nl80211.c|9 ++-
>  16 files changed, 239 insertions(+), 148 deletions(-)
>  create mode 100644 Documentation/speculation.txt
>  create mode 100644 include/linux/nospec.h
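
The bounds-check-then-sanitize pattern from the cover letter above, as an added user-space illustration that is not code from the patch series. The names demo_array_idx_mask, demo_array_idx and demo_lookup are hypothetical, and the portable branchless mask used here is an assumption, not the series' x86 implementation.

```c
#include <limits.h>
#include <stdio.h>

#define DEMO_BITS_PER_LONG (sizeof(long) * CHAR_BIT)

/* Constructed sample table standing in for a kernel array. */
static const int demo_table[8] = { 10, 11, 12, 13, 14, 15, 16, 17 };
#define DEMO_TABLE_SZ (sizeof(demo_table) / sizeof(demo_table[0]))

/*
 * Hypothetical helper: all ones when idx < sz, zero otherwise, computed
 * with arithmetic only so there is no conditional branch to mispredict.
 *
 * If idx < sz, both idx and (sz - 1 - idx) have a clear top bit, so the
 * complement of their OR is negative and the shift smears the sign bit
 * into a full mask. If idx >= sz, (sz - 1 - idx) wraps and sets the top
 * bit, so the result is zero.
 *
 * Assumes sz <= LONG_MAX and an arithmetic right shift of negative
 * values (true for gcc and clang).
 */
static unsigned long demo_array_idx_mask(unsigned long idx, unsigned long sz)
{
#if defined(__GNUC__)
	/*
	 * Hide idx from the optimizer. Inside "if (idx < sz)" the compiler
	 * could otherwise prove the mask is all ones and delete it, which
	 * would leave nothing in place on a mispredicted path.
	 */
	__asm__ volatile("" : "+r"(idx));
#endif
	return (unsigned long)(~(long)(idx | (sz - 1UL - idx)) >>
			       (DEMO_BITS_PER_LONG - 1));
}

/* Hypothetical helper: idx unchanged when in bounds, forced to 0 otherwise. */
static unsigned long demo_array_idx(unsigned long idx, unsigned long sz)
{
	return idx & demo_array_idx_mask(idx, sz);
}

/*
 * The pattern from the cover letter: validate first, then sanitize at the
 * spot where an lfence would otherwise go. The load address depends on the
 * masked index through data flow, so even if the branch is predicted
 * wrongly the load can only touch demo_table[0..sz-1].
 * Returns 0 and stores the element on success, -1 when idx is out of bounds.
 */
static int demo_lookup(unsigned long idx, int *val)
{
	if (idx < DEMO_TABLE_SZ) {
		idx = demo_array_idx(idx, DEMO_TABLE_SZ);
		*val = demo_table[idx];
		return 0;
	}
	return -1;
}

int main(void)
{
	/* Constructed inputs: in bounds, first out-of-bounds, far out. */
	const unsigned long samples[] = { 0, 7, 8, 1000, ULONG_MAX };
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int val = 0;
		int rc = demo_lookup(samples[i], &val);

		printf("idx=%lu mask=%#lx sanitized=%lu rc=%d val=%d\n",
		       samples[i],
		       demo_array_idx_mask(samples[i], DEMO_TABLE_SZ),
		       demo_array_idx(samples[i], DEMO_TABLE_SZ),
		       rc, val);
	}
	return 0;
}
```

The sanitized column shows what the masked index would be if the bounds check were bypassed: every out-of-range input collapses to 0.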


Re: [PATCH 10/10] rtlwifi: btcoex: Add 8822be btcoex supported files for wifi only

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

The wifi only btcoex is used to solo card (without BT), and it is also
useful to exclude the interference with BT to make debug easier.
There are only four ops for wifi only btcoex to initialize antenna and
switch the settings while band is changed.

Signed-off-by: Ping-Ke Shih 


Acked-by: Larry Finger 


Re: [PATCH 09/10] rtlwifi: btcoex: add routine to set default port id

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

Tell wifi and BT firmware the default port ID to set multiports' state
properly, but only 8822be needs this function currently.

Signed-off-by: Ping-Ke Shih 
---


This patch results in the following compiler warnings:

  CC [M]  drivers/net/wireless/realtek/rtlwifi/rtl8723be/dm.o
drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c:1052:13: warning: ‘halbtc_set_default_port_id_cmd’ defined but not used [-Wunused-function]

 static void halbtc_set_default_port_id_cmd(void *bt_context)
 ^~
drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c:1042:13: warning: ‘halbtc_send_wifi_port_id_cmd’ defined but not used [-Wunused-function]

 static void halbtc_send_wifi_port_id_cmd(void *bt_context)
 ^~

Something seems to be wrong. As these routines will likely be needed later, you 
need to remove the static notation and put their prototypes in a header to quiet 
Sparse.


Larry



  .../realtek/rtlwifi/btcoexist/halbtcoutsrc.c   | 22 ++
  drivers/net/wireless/realtek/rtlwifi/wifi.h|  5 +
  2 files changed, 27 insertions(+)

diff --git a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c 
b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
index 1404729441a2..5e41b204f7c0 100644
--- a/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
+++ b/drivers/net/wireless/realtek/rtlwifi/btcoexist/halbtcoutsrc.c
@@ -1039,6 +1039,28 @@ static void halbtc_fill_h2c_cmd(void *bt_context, u8 
element_id,
cmd_len, cmd_buf);
  }
  
+static void halbtc_send_wifi_port_id_cmd(void *bt_context)

+{
+   struct btc_coexist *btcoexist = (struct btc_coexist *)bt_context;
+   struct rtl_priv *rtlpriv = btcoexist->adapter;
+   u8 cmd_buf[1] = {0};/* port id [2:0] = 0 */
+
+   rtlpriv->cfg->ops->fill_h2c_cmd(rtlpriv->mac80211.hw, H2C_BT_PORT_ID,
+   1, cmd_buf);
+}
+
+static void halbtc_set_default_port_id_cmd(void *bt_context)
+{
+   struct btc_coexist *btcoexist = (struct btc_coexist *)bt_context;
+   struct rtl_priv *rtlpriv = btcoexist->adapter;
+   struct ieee80211_hw *hw = rtlpriv->mac80211.hw;
+
+   if (!rtlpriv->cfg->ops->set_default_port_id_cmd)
+   return;
+
+   rtlpriv->cfg->ops->set_default_port_id_cmd(hw);
+}
+
  static
  void halbtc_set_bt_reg(void *btc_context, u8 reg_type, u32 offset, u32 
set_val)
  {
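
Review bot: halbtc_send_wifi_port_id_cmd() calls rtlpriv->cfg->ops->fill_h2c_cmd() unconditionally, while halbtc_set_default_port_id_cmd() right below it checks its op for NULL before calling. If fill_h2c_cmd can be unset on any supported chip, the first helper needs the same guard; if it is always set, say so in a comment. Neither static function has a caller in this patch, which matches the -Wunused-function warnings reported above, so the caller should arrive in the same patch.
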
diff --git a/drivers/net/wireless/realtek/rtlwifi/wifi.h 
b/drivers/net/wireless/realtek/rtlwifi/wifi.h
index 0e8aae0c05c1..1c9ed28b42da 100644
--- a/drivers/net/wireless/realtek/rtlwifi/wifi.h
+++ b/drivers/net/wireless/realtek/rtlwifi/wifi.h
@@ -153,6 +153,10 @@ enum rtl8192c_h2c_cmd {
MAX_H2CCMD
  };
  
+enum {

+   H2C_BT_PORT_ID = 0x71,
+};
+
  #define GET_TX_REPORT_SN_V1(c2h)  (c2h[6])
  #define GET_TX_REPORT_ST_V1(c2h)  (c2h[0] & 0xC0)
  #define GET_TX_REPORT_RETRY_V1(c2h)   (c2h[2] & 0x3F)
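
Review bot: H2C_BT_PORT_ID = 0x71 sits in an anonymous enum directly after enum rtl8192c_h2c_cmd, whose MAX_H2CCMD sentinel is visible in the context. State in a comment why this command ID lives outside that enum and how 0x71 relates to MAX_H2CCMD, and give the enum a name so the scope of the constant is clear.
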
@@ -2256,6 +2260,7 @@ struct rtl_hal_ops {
void (*bt_coex_off_before_lps) (struct ieee80211_hw *hw);
void (*fill_h2c_cmd) (struct ieee80211_hw *hw, u8 element_id,
  u32 cmd_len, u8 *p_cmdbuffer);
+   void (*set_default_port_id_cmd)(struct ieee80211_hw *hw);
bool (*get_btc_status) (void);
bool (*is_fw_header)(struct rtlwifi_firmware_header *hdr);
u32 (*rx_command_packet)(struct ieee80211_hw *hw,
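
Review bot: the new set_default_port_id_cmd member of struct rtl_hal_ops is optional, since the caller added in halbtcoutsrc.c returns early when it is NULL, but the struct gives no hint of that. A short comment marking it optional (the commit message says only 8822be needs it) would keep other chip drivers from wondering whether they must implement it.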





Re: [PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti

2018-01-27 Thread Linus Torvalds
On Fri, Jan 26, 2018 at 11:55 PM, Dan Williams  wrote:
>
> Here's another spin of the spectre-v1 mitigations for 4.16.

I see nothing really objectionable here.

And unlike Spectre-v2 and Meltdown, I expect Spectre-v1 to be with us
for a long time. It's not a "CPU did a bad job with checking the
cached information it had" (whether it be from the TLB, BTB or RSB),
it's pretty fundamental to just regular conditional branch prediction.

So ack from me, and I don't expect this to be behind any config options.

I still haven't really seen any numbers for this, but I _assume_ it's
basically not measurable.

 Linus


Re: [PATCH 01/10] rtlwifi: enable mac80211 fast-tx support

2018-01-27 Thread Larry Finger

On 01/26/2018 01:46 AM, pks...@realtek.com wrote:

From: Ping-Ke Shih 

Enable the mac80211 fast-tx feature, since our driver already supports
hw_flags required by fast-tx and is able to let mac80211 stack transmit
packets through fast-xmit path.

Signed-off-by: Yan-Hsuan Chuang 
Signed-off-by: Ping-Ke Shih 


Acked-by: Larry Finger 


Re: [PATCH] ath9k: Print has_queued in debugfs.

2018-01-27 Thread Toke Høiland-Jørgensen
Ben Greear  writes:

> On 01/27/2018 05:29 AM, Toke Høiland-Jørgensen wrote:
>> gree...@candelatech.com writes:
>>
>>> From: Ben Greear 
>>>
>>> The PAUSED field was never printed per tid.  Replace that
>>> with has_queued, which might help someone track down strange
>>> bugs related to aqm.
>>>
>>> And, make tx-queue debug info show peer BSSID as well as vdev
>>> MAC to aid debugging with multiple stations connected to the
>>> same peer.
>>>
>>> Signed-off-by: Ben Greear 
>>> ---
>>>  drivers/net/wireless/ath/ath9k/debug_sta.c | 10 ++
>>>  drivers/net/wireless/ath/ath9k/xmit.c  |  5 +++--
>>>  2 files changed, 9 insertions(+), 6 deletions(-)
>>>
>>> diff --git a/drivers/net/wireless/ath/ath9k/debug_sta.c 
>>> b/drivers/net/wireless/ath/ath9k/debug_sta.c
>>> index efc692e..a45f1f5 100644
>>> --- a/drivers/net/wireless/ath/ath9k/debug_sta.c
>>> +++ b/drivers/net/wireless/ath/ath9k/debug_sta.c
>>> @@ -48,9 +48,10 @@ static ssize_t read_file_node_aggr(struct file *file, 
>>> char __user *user_buf,
>>>  an->mpdudensity);
>>>
>>> len += scnprintf(buf + len, size - len,
>>> -"\n%3s%11s%10s%10s%10s%10s%9s%6s%8s\n",
>>> +"\n%3s%11s%10s%10s%10s%10s%9s%6s%9s\n",
>>>  "TID", "SEQ_START", "SEQ_NEXT", "BAW_SIZE",
>>> -"BAW_HEAD", "BAW_TAIL", "BAR_IDX", "SCHED", "PAUSED");
>>> +"BAW_HEAD", "BAW_TAIL", "BAR_IDX", "SCHED",
>>> +"HAS-QUED");
>>>
>>> for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++) {
>>> tid = ath_node_to_tid(an, tidno);
>>> @@ -58,7 +59,7 @@ static ssize_t read_file_node_aggr(struct file *file, 
>>> char __user *user_buf,
>>> ath_txq_lock(sc, txq);
>>> if (tid->active) {
>>> len += scnprintf(buf + len, size - len,
>>> -"%3d%11d%10d%10d%10d%10d%9d%6d\n",
>>> +"%3d%11d%10d%10d%10d%10d%9d%6d%9d\n",
>>>  tid->tidno,
>>>  tid->seq_start,
>>>  tid->seq_next,
>>> @@ -66,7 +67,8 @@ static ssize_t read_file_node_aggr(struct file *file, 
>>> char __user *user_buf,
>>>  tid->baw_head,
>>>  tid->baw_tail,
>>>  tid->bar_index,
>>> -!list_empty(>list));
>>> +!list_empty(>list),
>>> +tid->has_queued);
>>
>> Would it perhaps be useful to print the length of tid->retry_q instead
>> of / in addition to has_queued? Planning to get rid of the has_queued
>> variable entirely...
>
> I'm just getting started looking at this. 4.9 kernel works fine, so it
> seems to be a regression in the aqm stuff since that is the big change
> between 4.9 and 4.13.
>
> From a brief look yesterday, it seems that has_queued is not
> adequately protected by locks, but also, it was '1', which indicates
> it wants to send pkts (?), so I guess it was not hitting a locking
> race.

It's only ever accessed under ath_txq_lock(), so I don't think it's a
locking issue.

> Can you point me at the scheduler code (method name?). I'll be looking
> at that as soon as I get time.

ath_txq_schedule() is the main scheduler (in xmit.c). As I said it may
be the airtime fairness scheduler that's throttling stations; did you
look at the airtime debugfs file?

-Toke


Re: [PATCH] ath9k: Print has_queued in debugfs.

2018-01-27 Thread Ben Greear



On 01/27/2018 05:29 AM, Toke Høiland-Jørgensen wrote:

gree...@candelatech.com writes:


From: Ben Greear 

The PAUSED field was never printed per tid.  Replace that
with has_queued, which might help someone track down strange
bugs related to aqm.

And, make tx-queue debug info show peer BSSID as well as vdev
MAC to aid debugging with multiple stations connected to the
same peer.

Signed-off-by: Ben Greear 
---
 drivers/net/wireless/ath/ath9k/debug_sta.c | 10 ++
 drivers/net/wireless/ath/ath9k/xmit.c  |  5 +++--
 2 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/ath/ath9k/debug_sta.c 
b/drivers/net/wireless/ath/ath9k/debug_sta.c
index efc692e..a45f1f5 100644
--- a/drivers/net/wireless/ath/ath9k/debug_sta.c
+++ b/drivers/net/wireless/ath/ath9k/debug_sta.c
@@ -48,9 +48,10 @@ static ssize_t read_file_node_aggr(struct file *file, char 
__user *user_buf,
 an->mpdudensity);

len += scnprintf(buf + len, size - len,
-"\n%3s%11s%10s%10s%10s%10s%9s%6s%8s\n",
+"\n%3s%11s%10s%10s%10s%10s%9s%6s%9s\n",
 "TID", "SEQ_START", "SEQ_NEXT", "BAW_SIZE",
-"BAW_HEAD", "BAW_TAIL", "BAR_IDX", "SCHED", "PAUSED");
+"BAW_HEAD", "BAW_TAIL", "BAR_IDX", "SCHED",
+"HAS-QUED");

for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++) {
tid = ath_node_to_tid(an, tidno);
@@ -58,7 +59,7 @@ static ssize_t read_file_node_aggr(struct file *file, char 
__user *user_buf,
ath_txq_lock(sc, txq);
if (tid->active) {
len += scnprintf(buf + len, size - len,
-"%3d%11d%10d%10d%10d%10d%9d%6d\n",
+"%3d%11d%10d%10d%10d%10d%9d%6d%9d\n",
 tid->tidno,
 tid->seq_start,
 tid->seq_next,
@@ -66,7 +67,8 @@ static ssize_t read_file_node_aggr(struct file *file, char 
__user *user_buf,
 tid->baw_head,
 tid->baw_tail,
 tid->bar_index,
-!list_empty(>list));
+!list_empty(>list),
+tid->has_queued);


Would it perhaps be useful to print the length of tid->retry_q instead
of / in addition to has_queued? Planning to get rid of the has_queued
variable entirely...


I'm just getting started looking at this.  4.9 kernel works fine, so it seems
to be a regression in the aqm stuff since that is the big change between 4.9
and 4.13.

From a brief look yesterday, it seems that has_queued is not adequately protected
by locks, but also, it was '1', which indicates it wants to send pkts (?), so I guess
it was not hitting a locking race.

Can you point me at the scheduler code (method name?).  I'll be looking at that
as soon as I get time.

Thanks,
Ben



-Toke



--
Ben Greear 
Candela Technologies Inc  http://www.candelatech.com


[PATCH 4.16 3/4] mt76: avoid re-queueing A-MPDU rx reorder work if no frames are pending

2018-01-27 Thread Felix Fietkau
Fixes: aee5b8cf2477 ("mt76: implement A-MPDU rx reordering in the driver code")
Signed-off-by: Felix Fietkau 
---
 drivers/net/wireless/mediatek/mt76/agg-rx.c | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c 
b/drivers/net/wireless/mediatek/mt76/agg-rx.c
index e9784b50e2af..fcb208d1f276 100644
--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c
+++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c
@@ -98,6 +98,7 @@ mt76_rx_aggr_reorder_work(struct work_struct *work)
   reorder_work.work);
struct mt76_dev *dev = tid->dev;
struct sk_buff_head frames;
+   int nframes;
 
__skb_queue_head_init();
 
@@ -105,9 +106,12 @@ mt76_rx_aggr_reorder_work(struct work_struct *work)
 
spin_lock(>lock);
mt76_rx_aggr_check_release(tid, );
+   nframes = tid->nframes;
spin_unlock(>lock);
 
-   ieee80211_queue_delayed_work(tid->dev->hw, >reorder_work, 
REORDER_TIMEOUT);
+   if (nframes)
+   ieee80211_queue_delayed_work(tid->dev->hw, >reorder_work,
+REORDER_TIMEOUT);
mt76_rx_complete(dev, , -1);
 
local_bh_enable();
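
Review bot: nframes is sampled under the tid lock but tested after spin_unlock(), so a frame buffered between the unlock and the `if (nframes)` check is not seen here. That is fine only if the path that buffers a frame queues reorder_work itself; please say so in a comment or in the commit message, which currently has no body explaining why the unconditional requeue was a problem.
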
-- 
2.14.2



[PATCH 4.16 2/4] mt76: implement processing of BlockAckReq frames

2018-01-27 Thread Felix Fietkau
Avoids timeouts on reordered A-MPDU rx frames

Fixes: aee5b8cf2477 ("mt76: implement A-MPDU rx reordering in the driver code")
Signed-off-by: Felix Fietkau 
---
 drivers/net/wireless/mediatek/mt76/agg-rx.c | 34 -
 1 file changed, 33 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/agg-rx.c 
b/drivers/net/wireless/mediatek/mt76/agg-rx.c
index 8027bb7c03c2..e9784b50e2af 100644
--- a/drivers/net/wireless/mediatek/mt76/agg-rx.c
+++ b/drivers/net/wireless/mediatek/mt76/agg-rx.c
@@ -113,6 +113,33 @@ mt76_rx_aggr_reorder_work(struct work_struct *work)
local_bh_enable();
 }
 
+static void
+mt76_rx_aggr_check_ctl(struct sk_buff *skb, struct sk_buff_head *frames)
+{
+   struct mt76_rx_status *status = (struct mt76_rx_status *) skb->cb;
+   struct ieee80211_bar *bar = (struct ieee80211_bar *) skb->data;
+   struct mt76_wcid *wcid = status->wcid;
+   struct mt76_rx_tid *tid;
+   u16 seqno;
+
+   if (!ieee80211_is_ctl(bar->frame_control))
+   return;
+
+   if (!ieee80211_is_back_req(bar->frame_control))
+   return;
+
+   status->tid = le16_to_cpu(bar->control) >> 12;
+   seqno = le16_to_cpu(bar->start_seq_num) >> 4;
+   tid = rcu_dereference(wcid->aggr[status->tid]);
+   if (!tid)
+   return;
+
+   spin_lock_bh(>lock);
+   mt76_rx_aggr_release_frames(tid, frames, seqno);
+   mt76_rx_aggr_release_head(tid, frames);
+   spin_unlock_bh(>lock);
+}
+
 void mt76_rx_aggr_reorder(struct sk_buff *skb, struct sk_buff_head *frames)
 {
struct mt76_rx_status *status = (struct mt76_rx_status *) skb->cb;
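
Review bot: mt76_rx_aggr_check_ctl() casts skb->data to struct ieee80211_bar and reads bar->control and bar->start_seq_num with no check in this hunk that skb->len covers sizeof(*bar). A truncated control frame received from the air would make those reads run past the frame data, so add a length test before the field accesses or note where the length is already validated. The TID taken from the top four bits of bar->control is at most 15, so indexing wcid->aggr[] stays in range as long as IEEE80211_NUM_TIDS is 16.
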
@@ -126,9 +153,14 @@ void mt76_rx_aggr_reorder(struct sk_buff *skb, struct 
sk_buff_head *frames)
__skb_queue_tail(frames, skb);
 
sta = wcid_to_sta(wcid);
-   if (!sta || !status->aggr)
+   if (!sta)
return;
 
+   if (!status->aggr) {
+   mt76_rx_aggr_check_ctl(skb, frames);
+   return;
+   }
+
tid = rcu_dereference(wcid->aggr[status->tid]);
if (!tid)
return;
-- 
2.14.2



[PATCH 4.16 1/4] mt76: implement AP_LINK_PS

2018-01-27 Thread Felix Fietkau
With software A-MPDU reordering in place, frames that notify mac80211 of
powersave changes are reordered as well, which can cause connection
stalls. Fix this by implementing powersave state processing in the
driver.

Fixes: aee5b8cf2477 ("mt76: implement A-MPDU rx reordering in the driver code")
Signed-off-by: Felix Fietkau 
---
 drivers/net/wireless/mediatek/mt76/mac80211.c| 52 +++-
 drivers/net/wireless/mediatek/mt76/mt76.h| 10 +
 drivers/net/wireless/mediatek/mt76/mt76x2.h  |  2 +
 drivers/net/wireless/mediatek/mt76/mt76x2_init.c |  1 +
 drivers/net/wireless/mediatek/mt76/mt76x2_main.c | 28 ++---
 5 files changed, 78 insertions(+), 15 deletions(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c 
b/drivers/net/wireless/mediatek/mt76/mac80211.c
index 5fcb2deb89a2..85f8d324ebf8 100644
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -276,6 +276,7 @@ int mt76_register_device(struct mt76_dev *dev, bool vht,
ieee80211_hw_set(hw, TX_AMSDU);
ieee80211_hw_set(hw, TX_FRAG_LIST);
ieee80211_hw_set(hw, MFP_CAPABLE);
+   ieee80211_hw_set(hw, AP_LINK_PS);
 
wiphy->flags |= WIPHY_FLAG_IBSS_RSN;
 
@@ -470,6 +471,53 @@ mt76_check_ccmp_pn(struct sk_buff *skb)
return 0;
 }
 
+static void
+mt76_check_ps(struct mt76_dev *dev, struct sk_buff *skb)
+{
+   struct mt76_rx_status *status = (struct mt76_rx_status *) skb->cb;
+   struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
+   struct ieee80211_sta *sta;
+   struct mt76_wcid *wcid = status->wcid;
+   bool ps;
+
+   if (!wcid || !wcid->sta)
+   return;
+
+   sta = container_of((void *) wcid, struct ieee80211_sta, drv_priv);
+
+   if (!test_bit(MT_WCID_FLAG_CHECK_PS, >flags))
+   return;
+
+   if (ieee80211_is_pspoll(hdr->frame_control)) {
+   ieee80211_sta_pspoll(sta);
+   return;
+   }
+
+   if (ieee80211_has_morefrags(hdr->frame_control) ||
+   !(ieee80211_is_mgmt(hdr->frame_control) ||
+ ieee80211_is_data(hdr->frame_control)))
+   return;
+
+   ps = ieee80211_has_pm(hdr->frame_control);
+
+   if (ps && (ieee80211_is_data_qos(hdr->frame_control) ||
+  ieee80211_is_qos_nullfunc(hdr->frame_control)))
+   ieee80211_sta_uapsd_trigger(sta, status->tid);
+
+   if (!!test_bit(MT_WCID_FLAG_PS, >flags) == ps)
+   return;
+
+   if (ps) {
+   set_bit(MT_WCID_FLAG_PS, >flags);
+   mt76_stop_tx_queues(dev, sta, true);
+   } else {
+   clear_bit(MT_WCID_FLAG_PS, >flags);
+   }
+
+   ieee80211_sta_ps_transition(sta, ps);
+   dev->drv->sta_ps(dev, sta, ps);
+}
+
 void mt76_rx_complete(struct mt76_dev *dev, struct sk_buff_head *frames,
  int queue)
 {
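
Review bot: mt76_check_ps() open-codes container_of((void *) wcid, struct ieee80211_sta, drv_priv), which silently depends on struct mt76_wcid being the first thing in every driver's station private area; agg-rx.c already goes through wcid_to_sta() for this, and using it here keeps that assumption in one place. dev->drv->sta_ps() is also called with no NULL check, so either guard it or document that a driver setting MT_WCID_FLAG_CHECK_PS must provide the callback.
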
@@ -498,8 +546,10 @@ void mt76_rx_poll_complete(struct mt76_dev *dev, enum 
mt76_rxq_id q)
 
__skb_queue_head_init();
 
-   while ((skb = __skb_dequeue(>rx_skb[q])) != NULL)
+   while ((skb = __skb_dequeue(>rx_skb[q])) != NULL) {
+   mt76_check_ps(dev, skb);
mt76_rx_aggr_reorder(skb, );
+   }
 
mt76_rx_complete(dev, , q);
 }
diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h 
b/drivers/net/wireless/mediatek/mt76/mt76.h
index 129015c9d116..d2ce15093edd 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
@@ -121,11 +121,18 @@ struct mt76_queue_ops {
void (*kick)(struct mt76_dev *dev, struct mt76_queue *q);
 };
 
+enum mt76_wcid_flags {
+   MT_WCID_FLAG_CHECK_PS,
+   MT_WCID_FLAG_PS,
+};
+
 struct mt76_wcid {
struct mt76_rx_tid __rcu *aggr[IEEE80211_NUM_TIDS];
 
struct work_struct aggr_work;
 
+   unsigned long flags;
+
u8 idx;
u8 hw_key_idx;
 
@@ -206,6 +213,9 @@ struct mt76_driver_ops {
   struct sk_buff *skb);
 
void (*rx_poll_complete)(struct mt76_dev *dev, enum mt76_rxq_id q);
+
+   void (*sta_ps)(struct mt76_dev *dev, struct ieee80211_sta *sta,
+  bool ps);
 };
 
 struct mt76_channel_state {
diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2.h 
b/drivers/net/wireless/mediatek/mt76/mt76x2.h
index 17df17afd9bf..e62131b88102 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x2.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2.h
@@ -218,6 +218,8 @@ void mt76x2_rx_poll_complete(struct mt76_dev *mdev, enum 
mt76_rxq_id q);
 void mt76x2_queue_rx_skb(struct mt76_dev *mdev, enum mt76_rxq_id q,
 struct sk_buff *skb);
 
+void mt76x2_sta_ps(struct mt76_dev *dev, struct ieee80211_sta *sta, bool ps);
+
 void mt76x2_update_channel(struct mt76_dev *mdev);
 
 s8 mt76x2_tx_get_max_txpwr_adj(struct mt76x2_dev *dev,
diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2_init.c 

[PATCH 4.16 4/4] mt76: do not set status->aggr for NULL data frames

2018-01-27 Thread Felix Fietkau
Avoids data connection stalls when the client toggles powersave mode

Fixes: aee5b8cf2477 ("mt76: implement A-MPDU rx reordering in the driver code")
Signed-off-by: Felix Fietkau 
---
 drivers/net/wireless/mediatek/mt76/mt76x2_mac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2_mac.c 
b/drivers/net/wireless/mediatek/mt76/mt76x2_mac.c
index 6c30b5eaa9ca..7ea3d841918e 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x2_mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x2_mac.c
@@ -341,7 +341,7 @@ int mt76x2_mac_process_rx(struct mt76x2_dev *dev, struct 
sk_buff *skb,
 
mt76x2_remove_hdr_pad(skb, pad_len);
 
-   if (rxinfo & MT_RXINFO_BA)
+   if ((rxinfo & MT_RXINFO_BA) && !(rxinfo & MT_RXINFO_NULL))
status->aggr = true;
 
if (WARN_ON_ONCE(len > skb->len))
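
Review bot: the added `!(rxinfo & MT_RXINFO_NULL)` test has no comment, and the one-line commit message does not say why a NULL data frame inside a block-ack session must bypass reordering. A comment at the condition explaining the stall, and how it relates to the powersave handling added in patch 1/4 of this series, would stop someone from simplifying the check back later.
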
-- 
2.14.2



Re: [PATCH v2 0/6] wl1251: Fix MAC address for Nokia N900

2018-01-27 Thread Pali Rohár
On Friday 05 January 2018 02:45:10 Luis R. Rodriguez wrote:
> On Tue, Jan 02, 2018 at 08:23:45PM +0100, Pali Rohár wrote:
> > On Friday 10 November 2017 00:38:22 Pali Rohár wrote:
> > > This patch series fixes processing MAC address for wl1251 chip found in
> > > Nokia N900.
> > > 
> > > Changes since v1:
> > > * Added Acked-by for Pavel Machek
> > > * Fixed grammar
> > > * Magic numbers for NVS offsets are replaced by defines
> > > * Check for validity of mac address NVS data is moved into function
> > > * Changed order of patches as Pavel requested
> > > 
> > > Pali Rohár (6):
> > >   wl1251: Update wl->nvs_len after wl->nvs is valid
> > >   wl1251: Generate random MAC address only if driver does not have
> > > valid
> > >   wl1251: Parse and use MAC address from supplied NVS data
> > >   wl1251: Set generated MAC address back to NVS data
> > >   firmware: Add request_firmware_prefer_user() function
> > >   wl1251: Use request_firmware_prefer_user() for loading NVS
> > > calibration data
> > > 
> > >  drivers/base/firmware_class.c  |   45 +-
> > >  drivers/net/wireless/ti/wl1251/Kconfig |1 +
> > >  drivers/net/wireless/ti/wl1251/main.c  |  104 
> > > ++--
> > >  include/linux/firmware.h   |9 +++
> > >  4 files changed, 138 insertions(+), 21 deletions(-)
> > 
> > Hi! Are there any comments for first 4 patches? If not, could they be
> > accepted and merged?
> 
> Since the first 4 patches do not touch the firmware API they seem fine to me so
> long as the maintainer accepts them. Maybe resend and clarify you have dropped
> the other ones and amend with the new tags.

According to get_maintainer.pl, Kalle Valo is maintainer.

Kalle Valo, if you do not have any other comments, can you accept first
4 patches? Or do you really need to resend first 4 patches again?

-- 
Pali Rohár
pali.ro...@gmail.com




Re: [PATCH] ath9k: Print has_queued in debugfs.

2018-01-27 Thread Toke Høiland-Jørgensen
gree...@candelatech.com writes:

> From: Ben Greear 
>
> The PAUSED field was never printed per tid.  Replace that
> with has_queued, which might help someone track down strange
> bugs related to aqm.
>
> And, make tx-queue debug info show peer BSSID as well as vdev
> MAC to aid debugging with multiple stations connected to the
> same peer.
>
> Signed-off-by: Ben Greear 
> ---
>  drivers/net/wireless/ath/ath9k/debug_sta.c | 10 ++
>  drivers/net/wireless/ath/ath9k/xmit.c  |  5 +++--
>  2 files changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath9k/debug_sta.c 
> b/drivers/net/wireless/ath/ath9k/debug_sta.c
> index efc692e..a45f1f5 100644
> --- a/drivers/net/wireless/ath/ath9k/debug_sta.c
> +++ b/drivers/net/wireless/ath/ath9k/debug_sta.c
> @@ -48,9 +48,10 @@ static ssize_t read_file_node_aggr(struct file *file, char 
> __user *user_buf,
>an->mpdudensity);
>  
>   len += scnprintf(buf + len, size - len,
> -  "\n%3s%11s%10s%10s%10s%10s%9s%6s%8s\n",
> +  "\n%3s%11s%10s%10s%10s%10s%9s%6s%9s\n",
>"TID", "SEQ_START", "SEQ_NEXT", "BAW_SIZE",
> -  "BAW_HEAD", "BAW_TAIL", "BAR_IDX", "SCHED", "PAUSED");
> +  "BAW_HEAD", "BAW_TAIL", "BAR_IDX", "SCHED",
> +  "HAS-QUED");
>  
>   for (tidno = 0; tidno < IEEE80211_NUM_TIDS; tidno++) {
>   tid = ath_node_to_tid(an, tidno);
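Review bot: the new column label "HAS-QUED" in the header scnprintf() breaks the pattern of the other labels, which are underscore-separated and spelled out ("SEQ_START", "BAW_HEAD"), and the truncated spelling makes it harder to connect the column to tid->has_queued. Suggest "HAS_QUEUED", widening the header "%9s" and the per-TID row "%9d" to "%11s" and "%11d" so the columns stay aligned.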
> @@ -58,7 +59,7 @@ static ssize_t read_file_node_aggr(struct file *file, char 
> __user *user_buf,
>   ath_txq_lock(sc, txq);
>   if (tid->active) {
>   len += scnprintf(buf + len, size - len,
> -  "%3d%11d%10d%10d%10d%10d%9d%6d\n",
> +  "%3d%11d%10d%10d%10d%10d%9d%6d%9d\n",
>tid->tidno,
>tid->seq_start,
>tid->seq_next,
> @@ -66,7 +67,8 @@ static ssize_t read_file_node_aggr(struct file *file, char 
> __user *user_buf,
>tid->baw_head,
>tid->baw_tail,
>tid->bar_index,
> -  !list_empty(>list));
> +  !list_empty(>list),
> +  tid->has_queued);

Would it perhaps be useful to print the length of tid->retry_q instead
of / in addition to has_queued? Planning to get rid of the has_queued
variable entirely...

-Toke


Re: ath9k will not tx packets sometimes.

2018-01-27 Thread Toke Høiland-Jørgensen
Ben Greear  writes:

> I'm doing a test with 200 virtual stations on each of 6 ath9k radios.
>
> When I configure stations for DHCP, I see cases where stations on a particular
> radio will not transmit anything sometimes.  I see no 'XMIT' logs that show
> indication of frames being received in the driver from the upper stack, but if
> I use 'tshark' on a station interface, it shows frames being 'transmitted'.
>
> I do, however, see this, which looks like it might show
> an issue.  It looks like whatever 'aqm' is, it has an ever expanding number
> of backlog packets:

The aqm is the intermediate queues in mac80211. So this indicates that
the driver is not pulling packets for transmission.

With that many stations, I wonder whether it is due to the airtime
fairness scheduler throttling the station? What are the contents of
debug/ieee80211/wiphy2/netdev\:sta30194/stations/00\:0e\:8e\:69\:b8\:f7/airtime
while the station is not transmitting? And is it all stations on that
particular radio, or only some of them?

-Toke


Re: [for-4.15] ssb: Disable PCI host for PCI_DRIVERS_GENERIC

2018-01-27 Thread James Hogan
On Sat, Jan 27, 2018 at 10:08:56AM +0100, Andreas Schwab wrote:
> On Jan 16 2018, Kalle Valo  wrote:
> 
> > 58eae1416b80 ssb: Disable PCI host for PCI_DRIVERS_GENERIC
> 
> That breaks wireless on PowerMac!  There is nothing MIPS-specific about
> SSB.

Yes, really sorry about that. There is a patch here:
https://patchwork.kernel.org/patch/10185397/

Cheers
James


Re: [for-4.15] ssb: Disable PCI host for PCI_DRIVERS_GENERIC

2018-01-27 Thread Andreas Schwab
On Jan 16 2018, Kalle Valo  wrote:

> 58eae1416b80 ssb: Disable PCI host for PCI_DRIVERS_GENERIC

That breaks wireless on PowerMac!  There is nothing MIPS-specific about
SSB.

Andreas.

-- 
Andreas Schwab, sch...@linux-m68k.org
GPG Key fingerprint = 58CA 54C7 6D53 942B 1756  01D3 44D5 214B 8276 4ED5
"And now for something completely different."


rtl8723bs: rtnl_is_locked() misuse

2018-01-27 Thread Kirill Tkhai
Hi,

I'm reporting a misuse of rtnl_is_locked() in the rtw_change_ifname() function.
Note that rtnl_is_locked() *does not mean* rtnl is locked on the *current cpu*.
This primitive returns true if rtnl is locked somewhere in the system.
So, it can't be used in the code below:

	if (!rtnl_is_locked())
		unregister_netdev(cur_pnetdev);
	else
		unregister_netdevice(cur_pnetdev);

Kirill


wilc1000: rtnl_is_locked() misuse

2018-01-27 Thread Kirill Tkhai
Hi,

I'm reporting a misuse of rtnl_is_locked() in the
WILC_WFI_deinit_mon_interface() function.
Note that rtnl_is_locked() *does not mean* rtnl is locked on the *current
cpu*. This primitive returns true if rtnl is locked somewhere in the system.
So, it can't be used in the code below:

int WILC_WFI_deinit_mon_interface(void)
{
	bool rollback_lock = false;

	if (wilc_wfi_mon) {
		if (rtnl_is_locked()) { <--Mistake
			rtnl_unlock();
			rollback_lock = true;
		}
		unregister_netdev(wilc_wfi_mon);

		if (rollback_lock) {
			rtnl_lock();
			rollback_lock = false;
		}
		wilc_wfi_mon = NULL;
	}
	return 0;
}

Kirill
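
The point made in the rtl8723bs and wilc1000 reports above, as an added user-space example that is not part of either report or driver: an error-checking pthread mutex stands in for the RTNL mutex so the ownership mismatch becomes observable. The names toy_rtnl, toy_is_locked, holder and unlock_as_non_owner are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pthread.h>
#include <semaphore.h>
#include <stdbool.h>

static pthread_mutex_t toy_rtnl;	/* constructed stand-in for the RTNL mutex */
static sem_t holder_ready, holder_done;

/* Answers the same question as rtnl_is_locked(): is it held by anyone? */
static bool toy_is_locked(void)
{
	if (pthread_mutex_trylock(&toy_rtnl) != 0)
		return true;
	pthread_mutex_unlock(&toy_rtnl);
	return false;
}

/* A second context that legitimately holds the lock for a while. */
static void *holder(void *arg)
{
	(void)arg;
	pthread_mutex_lock(&toy_rtnl);
	sem_post(&holder_ready);
	sem_wait(&holder_done);
	pthread_mutex_unlock(&toy_rtnl);
	return NULL;
}

/* Runs "if locked, unlock" from a thread that never took the lock. */
static int unlock_as_non_owner(bool *seen_locked)
{
	pthread_mutexattr_t attr;
	pthread_t t;
	int rc;

	pthread_mutexattr_init(&attr);
	pthread_mutexattr_settype(&attr, PTHREAD_MUTEX_ERRORCHECK);
	pthread_mutex_init(&toy_rtnl, &attr);
	sem_init(&holder_ready, 0, 0);
	sem_init(&holder_done, 0, 0);
	pthread_create(&t, NULL, holder, NULL);
	sem_wait(&holder_ready);
	*seen_locked = toy_is_locked();		/* true, yet this thread holds nothing */
	rc = pthread_mutex_unlock(&toy_rtnl);	/* EPERM: caller is not the owner */
	sem_post(&holder_done);
	pthread_join(t, NULL);
	return rc;
}
```

The error-checking mutex refuses the unlock; a lock without owner checking would simply be released underneath the thread that holds it.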


[PATCH v5 11/12] nl80211: sanitize array index in parse_txq_params

2018-01-27 Thread Dan Williams
Wireless drivers rely on parse_txq_params to validate that
txq_params->ac is less than NL80211_NUM_ACS by the time the low-level
driver's ->conf_tx() handler is called. Use a new helper, 'array_idx',
to sanitize txq_params->ac with respect to speculation. I.e. ensure that
any speculation into ->conf_tx() handlers is done with a value of
txq_params->ac that is within the bounds of [0, NL80211_NUM_ACS).

Reported-by: Christian Lamparter 
Reported-by: Elena Reshetova 
Acked-by: Johannes Berg 
Cc: "David S. Miller" 
Cc: linux-wireless@vger.kernel.org
Signed-off-by: Dan Williams 
---
 net/wireless/nl80211.c |9 ++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index d396cb61a280..1479a1c7819c 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -16,6 +16,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
@@ -2056,20 +2057,22 @@ static const struct nla_policy 
txq_params_policy[NL80211_TXQ_ATTR_MAX + 1] = {
 static int parse_txq_params(struct nlattr *tb[],
struct ieee80211_txq_params *txq_params)
 {
+   u8 ac;
+
if (!tb[NL80211_TXQ_ATTR_AC] || !tb[NL80211_TXQ_ATTR_TXOP] ||
!tb[NL80211_TXQ_ATTR_CWMIN] || !tb[NL80211_TXQ_ATTR_CWMAX] ||
!tb[NL80211_TXQ_ATTR_AIFS])
return -EINVAL;
 
-   txq_params->ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
+   ac = nla_get_u8(tb[NL80211_TXQ_ATTR_AC]);
txq_params->txop = nla_get_u16(tb[NL80211_TXQ_ATTR_TXOP]);
txq_params->cwmin = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMIN]);
txq_params->cwmax = nla_get_u16(tb[NL80211_TXQ_ATTR_CWMAX]);
txq_params->aifs = nla_get_u8(tb[NL80211_TXQ_ATTR_AIFS]);
 
-   if (txq_params->ac >= NL80211_NUM_ACS)
+   if (ac >= NL80211_NUM_ACS)
return -EINVAL;
-
+   txq_params->ac = array_idx(ac, NL80211_NUM_ACS);
return 0;
 }
 
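Review bot: in parse_txq_params(), txq_params->ac is now assigned only on the success path, so when the `ac >= NL80211_NUM_ACS` check returns -EINVAL the field keeps whatever the caller's struct held, while txop, cwmin, cwmax and aifs have already been overwritten; that is fine only if every caller discards txq_params on error, which is worth confirming or stating in the commit message. The `array_idx(ac, NL80211_NUM_ACS)` line would also benefit from a one-line comment saying it guards speculation into the ->conf_tx() handlers, since it follows a bounds check that already looks sufficient and could be dropped as redundant in a later cleanup.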



[PATCH v5 00/12] spectre variant1 mitigations for tip/x86/pti

2018-01-27 Thread Dan Williams
Hi Thomas,

Here's another spin of the spectre-v1 mitigations for 4.16.

Changes since v4.1: [1]
* Tweak the sanitization scheme yet again to make it even simpler. Now,
  instead of 'array_ptr' to get a sanitized pointer to an array element,
  just provide an array index sanitization helper 'array_idx' to be called
  after successfully validating the index is in bounds. I.e. in the
  exact same location one would otherwise put an lfence, place this
  sanitizer:

      if (idx < sz) {
              idx = array_idx(idx, sz);
              val = array[idx];
      }

  This lets the implementation include more sanity checking that the
  compiler can usually compile out. It otherwise appears to produce
  better assembly. This also cleans up the concern about comparing the
  value returned from array_ptr to create another speculation point.
  (Russell, Linus, Cyril)

* Drop the syscall_64_fastpath.  This is the straightforward patch from
  Linus that might also be in flight from Andy, but I went ahead and
  included it since I did not see it on LKML yet.

* Kill the MASK_NOSPEC macro and just open code it. (Andy)

* Add system-call-number sanitization to the slow path syscall table
  lookups.

* Redo the array_ptr conversions with array_idx.

* Update /sys/devices/system/cpu/vulnerabilities/spectre_v1 to indicate
  the new protections. It now reports "Vulnerable: Minimal user pointer
  sanitization". (Jiri)

---

Dan Williams (11):
  array_idx: sanitize speculative array de-references
  x86: implement array_idx_mask
  x86: introduce __uaccess_begin_nospec and ifence
  x86, __get_user: use __uaccess_begin_nospec
  x86, get_user: use pointer masking to limit speculation
  x86: remove the syscall_64 fast-path
  x86: sanitize sycall table de-references under speculation
  vfs, fdtable: prevent bounds-check bypass via speculative execution
  kvm, x86: update spectre-v1 mitigation
  nl80211: sanitize array index in parse_txq_params
  x86/spectre: report get_user mitigation for spectre_v1

Mark Rutland (1):
  Documentation: document array_idx


 Documentation/speculation.txt |   87 
 arch/x86/entry/common.c   |3 +
 arch/x86/entry/entry_64.S |  116 -
 arch/x86/entry/syscall_64.c   |7 +-
 arch/x86/include/asm/barrier.h|   26 
 arch/x86/include/asm/msr.h|3 -
 arch/x86/include/asm/uaccess.h|   15 -
 arch/x86/include/asm/uaccess_32.h |6 +-
 arch/x86/include/asm/uaccess_64.h |   12 ++--
 arch/x86/kernel/cpu/bugs.c|2 -
 arch/x86/kvm/vmx.c|   14 +++-
 arch/x86/lib/getuser.S|   10 +++
 arch/x86/lib/usercopy_32.c|8 +--
 include/linux/fdtable.h   |5 +-
 include/linux/nospec.h|   64 
 net/wireless/nl80211.c|9 ++-
 16 files changed, 239 insertions(+), 148 deletions(-)
 create mode 100644 Documentation/speculation.txt
 create mode 100644 include/linux/nospec.h
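
The index sanitization described in this cover letter and in the nl80211 patch above, as an added example that is not code from the series: one portable way to compute an all-ones or zero mask and apply it after the bounds check. The toy_* names, TOY_NUM_ACS and the table values are constructed for illustration.

```c
#include <limits.h>
#include <stddef.h>

#define TOY_NUM_ACS 4UL	/* constructed stand-in for NL80211_NUM_ACS */

/*
 * All ones when idx < sz, zero otherwise, computed without a branch.
 * Valid for idx and sz up to LONG_MAX; relies on arithmetic right shift of
 * a negative long, which GCC and Clang provide. A kernel version must also
 * stop the compiler from turning this back into a branch.
 */
static unsigned long toy_array_idx_mask(unsigned long idx, unsigned long sz)
{
	return (unsigned long)(~(long)(idx | (sz - 1UL - idx)) >>
			       (sizeof(long) * CHAR_BIT - 1));
}

/* Call only after the architectural bounds check has passed. */
static unsigned long toy_array_idx(unsigned long idx, unsigned long sz)
{
	return idx & toy_array_idx_mask(idx, sz);
}

/* Constructed per-AC table, indexed the way a ->conf_tx() handler might. */
static const int toy_txop_limit[TOY_NUM_ACS] = { 47, 94, 0, 0 };

/* Returns the table entry, or -1 for an out-of-range ac. */
static int toy_lookup_txop(unsigned char ac)
{
	unsigned long idx = ac;

	if (idx >= TOY_NUM_ACS)
		return -1;
	/* If the branch above is mispredicted, idx becomes 0 and the load stays in bounds. */
	idx = toy_array_idx(idx, TOY_NUM_ACS);
	return toy_txop_limit[idx];
}
```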