Ping-Ke Shih [Mon, 30 Mar 2026 06:58:42 +0000 (14:58 +0800)]
wifi: rtw89: 8922d: add set TX power callback
Set TX power depends on operating channel. The Tx power factors are data
rate, channel, bandwidth and etc. Also, consider SAR as a factor of TX
power limit.
Ping-Ke Shih [Mon, 30 Mar 2026 06:58:41 +0000 (14:58 +0800)]
wifi: rtw89: 8922d: add RF calibration ops
The chips ops related to RF calibration include init, init_late, channel,
band_change, scan, and track. The init_late is similar to init, but HCI
is ready, so receiving C2H event is possible. The ops channel is the main
function that do all RF calibration on operating channel.
The ops band_change and scan are to reset RF calibration because channel is
switching at these moment, we need to reset RF state. The ops track is to
monitor temperature to check if re-calibrate RF again.
Ping-Ke Shih [Mon, 30 Mar 2026 06:58:40 +0000 (14:58 +0800)]
wifi: rtw89: 8922d: add set channel with pre-/post- helpers
The main set channel function calls MAC/BB/RF ones, and pre-/post- helpers
are called before/after the main function to backup/restore and
stop/restart circuits, including TX scheduler, PPDU status, DACK and TSSI.
Christos Longros [Sun, 29 Mar 2026 07:45:50 +0000 (09:45 +0200)]
wifi: rtw89: fix typo "frome" -> "from" in rx_freq_frome_ie
The chip_info field rx_freq_frome_ie (RX frequency from Information
Element) has a typo. The function that uses it is already spelled
correctly: rtw89_core_update_rx_freq_from_ie. Rename the field to
match.
Bitterblue Smith [Wed, 25 Mar 2026 22:27:15 +0000 (00:27 +0200)]
wifi: rtw88: coex: Ignore BT info byte 5 from RTL8821A
Sometimes while watching a Youtube video with Bluetooth headphones the
audio has a lot of interruptions, because the 5th byte of the BT info
sent by RTL8821AU has strange values, which result in
coex_stat->bt_hid_pair_num being 2 or 3. When this happens
rtw_coex_freerun_check() returns true, which causes
rtw_coex_action_wl_connected() to call rtw_coex_action_freerun() instead
of rtw_coex_action_bt_a2dp().
The RTL8821AU vendor driver doesn't do anything with the 5th byte of the
BT info, so ignore it here as well.
Zong-Zhe Yang [Wed, 25 Mar 2026 07:21:30 +0000 (15:21 +0800)]
wifi: rtw89: fw: load TX power elements according to AID
For different A-die, there will be different TX power parameters.
In FW element header, the corresponding A-die ID will be described.
So, compare runtime AID with that to load the target TX power
parameters.
Ping-Ke Shih [Wed, 25 Mar 2026 07:21:29 +0000 (15:21 +0800)]
wifi: rtw89: phy: load RF parameters relying on ACV for RTL8922D
RF parameters are conditional formats with RFE type and CV as arguments,
but RTL8922D has many variants and use ACV as argument instead of CV.
Add to select proper register values.
Ping-Ke Shih [Wed, 25 Mar 2026 07:21:27 +0000 (15:21 +0800)]
wifi: rtw89: mac: disable pre-load function for RTL8922DE
The pre-load function is a MAC function to pre-load TX packets into
WiFi device's memory, so it can enhance performance. However, RTL8922DE
has not fully verified and fine tune this function, temporarily disable
this function.
Ping-Ke Shih [Wed, 25 Mar 2026 07:21:26 +0000 (15:21 +0800)]
wifi: rtw89: mac: add specific case to dump mac memory for RTL8922D
The RTL8922D can reuse most mac memory addresses, but only
RTW89_MAC_MEM_SECURITY_CAM is different from existing one. Add a function
to return the specific memory address for RTL8922D.
Ping-Ke Shih [Wed, 25 Mar 2026 07:21:25 +0000 (15:21 +0800)]
wifi: rtw89: pci: clear SER ISR when initial and leaving WoWLAN for WiFi 7 chips
The PCIE SER is to diagnose PCIE becomes abnormal, relying on IMR settings
to trigger interrupt when status is weird. Update settings to disable
PHY error flag 9, and clear ISR when initial and leaving WoWLAN.
Chin-Yen Lee [Wed, 25 Mar 2026 07:21:24 +0000 (15:21 +0800)]
wifi: rtw89: wow: enable MLD address for Magic packet wakeup
Under MLO connections, the original Magic Packet configuration
only supported Link Addresses for wakeup. Update the setting
to support both MLD Address and Link Addresses for wakeup process.
Ping-Ke Shih [Tue, 24 Mar 2026 06:20:49 +0000 (14:20 +0800)]
wifi: rtw89: 8922d: add set channel of RF part
The set channel of RF part is to configure channel and bandwidth on a
register. The function to encode channel and bandwidth into register
value will be implemented by coming patch.
Ping-Ke Shih [Tue, 24 Mar 2026 06:20:48 +0000 (14:20 +0800)]
wifi: rtw89: 8922d: add set channel of BB part
The set channel of BB part is the main part, which according to channel
and bandwidth to configure CCK SCO, RX gain of LNA and TIA programmed
in efuse for CCK and OFDM rate, and spur elimination of CSI and NBI tones.
Ping-Ke Shih [Tue, 24 Mar 2026 06:20:47 +0000 (14:20 +0800)]
wifi: rtw89: 8922d: add set channel of MAC part
The set channel is a key function to switch to specific operating channel.
For MAC part, configure hardware according to channel bandwidth, and
enable CCK rate for 2GHz band only.
Ping-Ke Shih [Tue, 24 Mar 2026 06:20:46 +0000 (14:20 +0800)]
wifi: rtw89: 8922d: read and configure RF by calibration data from efuse physical map
The calibration data is from physical map, including 1) thermal trim to
align output thermal value across chips, and 2) PA bias to transmit
expected power by controller.
Ping-Ke Shih [Tue, 24 Mar 2026 06:20:45 +0000 (14:20 +0800)]
wifi: rtw89: 8922d: define efuse map and read necessary fields
Define specific efuse map for RTL8922D, including TSSI, RX gain, MAC
address, RFE type and etc. The additional fields comparing to existing
chips are BT setting (define BT switch GPIO, antenna number and etc) and
gain offset2 (define more fields like existing RX gain offset).
Ping-Ke Shih [Tue, 24 Mar 2026 06:20:44 +0000 (14:20 +0800)]
wifi: rtw89: 8922d: add power on/off functions
The power on function is the first entry to power on hardware including
all MAC/BB/RF circuits, and then it becomes possible to do high level
operations, such as WiFi scan, connection.
If connection becomes unavailable, device stays into idle mode, calling
power off function to cut power.
Ping-Ke Shih [Tue, 24 Mar 2026 06:20:43 +0000 (14:20 +0800)]
wifi: rtw89: 8922d: add definition of quota, registers and efuse block
The quota is used to configure memory size for TX/RX, and the definition
of registers includes H2C command, C2H event, WoWLAN reason, IMR of CMAC
and DMAC, ACK rate selector, RF kill GPIO, and BB functions of dynamic
initial gain and EDCCA. The layout of efuse block is to define logic
map of efuse, such as MAC address and RF calibration values.
Ping-Ke Shih [Tue, 24 Mar 2026 01:10:01 +0000 (09:10 +0800)]
wifi: rtw88: validate RX rate to prevent out-of-bound
The reported RX rate might be unexpected, causing kernel warns:
Rate marked as a VHT rate but data is invalid: MCS: 0, NSS: 0
WARNING: net/mac80211/rx.c:5491 at ieee80211_rx_list+0x183/0x1020 [mac80211]
As the RX rate can be index of an array under certain conditions, validate
it to prevent accessing array out-of-bound potentially.
Tested on HP Notebook P3S95EA#ACB (kernel 6.19.9-1-cachyos):
- No WARNING: net/mac80211/rx.c:5491 observed after the v2 patch.
The unexpected `NSS: 0, MCS: 0` VHT rate warnings are successfully
mitigated.
- The system remains fully stable through prolonged idle periods,
high network load, active Bluetooth A2DP usage, and multiple deep
suspend/resume cycles.
- Zero h2c timeouts or firmware lps state errors observed in dmesg.
wifi: rtw89: phy: fix uninitialized variable access in rtw89_phy_cfo_set_crystal_cap()
In the rtw89_phy_cfo_set_crystal_cap() function, for chips other than
RTL8852A/RTL8851B, the values read by rtw89_mac_read_xtal_si() are
stored into the local variables sc_xi_val and sc_xo_val. If either
read fails, these variables remain uninitialized, they are later
used to update cfo->crystal_cap and in debug print statements. This
can lead to undefined behavior.
Fix the issue by initializing sc_xi_val and sc_xo_val to zero,
like is implemented in vendor driver.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Christian Hewitt [Tue, 17 Mar 2026 11:21:55 +0000 (11:21 +0000)]
wifi: rtw89: retry efuse physical map dump on transient failure
On Radxa Rock 5B with a RTL8852BE combo WiFi/BT card, the efuse
physical map dump intermittently fails with -EBUSY during probe.
The failure occurs in rtw89_dump_physical_efuse_map_ddv() where
read_poll_timeout_atomic() times out waiting for the B_AX_EF_RDY
bit after 1 second.
The root cause is a timing race during boot: the WiFi driver's
chip initialization (firmware download via PCIe) overlaps with
Bluetooth firmware download to the same combo chip via USB. This
can leave the efuse controller temporarily unavailable when the
WiFi driver attempts to read the efuse map.
The firmware download path retries up to 5 times, but the efuse
read that follows has no similar logic. Address this by adding
retry loop logic (also up to 5 attempts) around physical efuse
map dump.
Bitterblue Smith [Wed, 18 Mar 2026 17:45:13 +0000 (19:45 +0200)]
wifi: rtw88: TX QOS Null data the same way as Null data
When filling out the TX descriptor, Null data frames are treated like
management frames, but QOS Null data frames are treated like normal
data frames. Somehow this causes a problem for the firmware.
When connected to a network in the 2.4 GHz band, wpa_supplicant (or
NetworkManager?) triggers a scan every five minutes. During these scans
mac80211 transmits many QOS Null frames in quick succession. Because
these frames are marked with IEEE80211_TX_CTL_REQ_TX_STATUS, rtw88
asks the firmware to report the TX ACK status for each of these frames.
Sometimes the firmware can't process the TX status requests quickly
enough, they add up, it only processes some of them, and then marks
every subsequent TX status report with the wrong number.
The symptom is that after a while the warning "failed to get tx report
from firmware" appears every five minutes.
This problem apparently happens only with the older RTL8723D, RTL8821A,
RTL8812A, and probably RTL8703B chips.
Treat QOS Null data frames the same way as Null data frames. This seems
to avoid the problem.
Tested with RTL8821AU, RTL8723DU, RTL8811CU, and RTL8812BU.
Ping-Ke Shih [Mon, 16 Mar 2026 03:56:35 +0000 (11:56 +0800)]
wifi: rtw88: add quirks to disable PCI ASPM and deep LPS for HP P3S95EA#ACB
On an HP laptop (P3S95EA#ACB) equipped with a Realtek RTL8821CE 802.11ac
PCIe adapter (PCI ID: 10ec:c821), the system experiences a hard lockup
(complete freeze of the UI and kernel, sysrq doesn't work, requires
holding the power button) when the WiFi adapter enters the power
saving state. Disable PCI ASPM to avoid system freeze.
In addition, driver throws messages periodically. Though this doesn't
always cause unstable connection, missing H2C commands might cause
unpredictable results. Disable deep LPS to avoid this as well.
rtw88_8821ce 0000:13:00.0: firmware failed to leave lps state
rtw88_8821ce 0000:13:00.0: failed to send h2c command
rtw88_8821ce 0000:13:00.0: failed to send h2c command
Tested on HP Notebook P3S95EA#ACB (kernel 6.19.7-1-cachyos):
- No hard freeze observed during idle or active usage.
- Zero h2c or lps errors in dmesg across idle (10 min),
load stress (100MB download), and suspend/resume cycle.
- Both quirk flags confirmed active via sysfs without any
manual modprobe parameters.
Shin-Yi Lin [Thu, 12 Mar 2026 05:57:24 +0000 (13:57 +0800)]
wifi: rtw89: usb: Rx aggregation for RTL8832CU/RTL8851BU
USB RX Aggregation is a performance optimization technique used
in USB network devices to increase throughput.
Instead of sending every received network packet to the host computer
individually, the device hardware groups multiple smaller packets
into a single, large USB Bulk Transfer.
* toAP/toNB use iperf3 respectively.
With Cisco BE6000 - iperf3 tcp 10 pair (to another NB)
[6G 160Mhz]:
RTL8832CU-USB3.0
before after
TX 941 941
RX 847 919
RTL8832CU-USB2.0
before after
TX 293 286
RX 342 356
[5G 80Mhz]:
RTL8832CU-USB3.0
before after
TX 864 877
RX 864 902
RTL8832CU-USB2.0
before after
TX 279 271
RX 327 349
Zong-Zhe Yang [Tue, 10 Mar 2026 08:01:46 +0000 (16:01 +0800)]
wifi: rtw89: debug: simulate Wi-Fi 7 SER L0/L1 without PS mode
Current triggers of Wi-Fi 7 SER (system error recovery) L0/L1 simulation
don't yet guarantee working with PS mode. So, leave PS mode first before
triggering them for now.
Po-Hao Huang [Tue, 10 Mar 2026 08:01:45 +0000 (16:01 +0800)]
wifi: rtw89: Recalculate station aggregates when AMSDU length changes for MLO links
Currently, AMSDU length is updated per-link for MLO but not propagated
to the station aggregates, causing suboptimal TX throughput. This change
ensures station aggregates are recalculated when any link's AMSDU length
changes.
Po-Hao Huang [Tue, 10 Mar 2026 08:01:44 +0000 (16:01 +0800)]
wifi: rtw89: Drop malformed AMPDU frames with abnormal PN
Fix connection issue caused by AMPDU frames with abnormal PN patterns
(out-of-order packets with correct MPDU sequence numbers but paired
with abnormal PN values, which is next PN of previous in-order packet).
This is causing packet drops, low throughput and disconnections. It is
observed in fields with some specific AP firmwares. Do this workaround for
better interoperability since some APs could never receive a proper FW
update.
Zong-Zhe Yang [Tue, 10 Mar 2026 08:01:43 +0000 (16:01 +0800)]
wifi: rtw89: replace RF mutex with wiphy lock assertion
Now, stack has introduced wiphy lock. And, the normal paths calling
RF read/write should be under wiphy lock. So, replace RF mutex with
wiphy lock assertion. Besides, in dbgfs paths, add the corresponding
lock option.
Chin-Yen Lee [Tue, 10 Mar 2026 08:01:42 +0000 (16:01 +0800)]
wifi: rtw89: wow: add retry for ensuring packet are processed
Before entering WoWLAN mode, the driver must ensure that
all received packets have been processed to prevent packet
loss. Consequently, a retry mechanism has been implemented
to guarantee completion.
Zong-Zhe Yang [Tue, 10 Mar 2026 08:01:41 +0000 (16:01 +0800)]
wifi: rtw89: chan: recalc MLO DBCC mode based on current entity mode
Since MLD vif can do MLSR switch, it may not always run on HW band 0.
But when preparing MCC for MLD + P2P, P2P vif needs to use HW band 0
to handle connection, i.e. uses of HW bands may be different by vif.
The current major role/vif can be indicated through entity mode. So,
based on it, recalculate MLO DBCC mode to change use of HW band.
Zong-Zhe Yang [Tue, 10 Mar 2026 08:01:40 +0000 (16:01 +0800)]
wifi: rtw89: chan: simplify link handling related to ROC
The original channel is swapped out for the target channel during ROC.
And, all vifs/links accessing the original channel will be marked with
off-channel. So, it doesn't seem necessary for chan.c to determine which
link instance it is.
Zong-Zhe Yang [Tue, 10 Mar 2026 08:01:39 +0000 (16:01 +0800)]
wifi: rtw89: tweak settings of TX power and channel for Wi-Fi 7
The support_mlo flag depends on FW features, so it's determined at runtime.
Since Wi-Fi 7 chip now needs to initialize second HW band, if support_mlo
is not allowed, second HW band might act without settings of TX power and
channel. So, set that for Wi-Fi 7 chip.
Zong-Zhe Yang [Tue, 10 Mar 2026 08:01:38 +0000 (16:01 +0800)]
wifi: rtw89: move disabling dynamic mechanism functions to core
Some dynamic mechanism (DM) may need to be disabled during some normal
processes rather than debugging. For example, should not do MLSR switch
during SCAN/ROC or even MCC. So, move the disabling DM functions to core
for impending uses.
Ping-Ke Shih [Tue, 10 Mar 2026 08:01:37 +0000 (16:01 +0800)]
wifi: rtw89: phy: limit AMPDU number for RA try rate
When RA (Rate Adaptive) does try higher rate, a TRY bit is flagged, and
hardware will reference registers configured by this patch as maximum
number of AMPDU. To prevent aggregate too many MPDU over peer's capability
causing loss in peer side, set the minimum values across all stations and
TID since there is single one register per hardware band. Consider MLD
case, a BA session can run across two hardware bands, so set the same
value as well.
Johan Hovold [Mon, 9 Mar 2026 08:33:36 +0000 (09:33 +0100)]
wifi: rtlwifi: usb: drop redundant device reference
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.
Drop the redundant device reference to reduce cargo culting, make it
easier to spot drivers where an extra reference is needed, and reduce
the risk of memory leaks when drivers fail to release it.
Johan Hovold [Fri, 6 Mar 2026 09:32:06 +0000 (10:32 +0100)]
wifi: rtw89: drop redundant device reference
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.
Drop the redundant device reference to reduce cargo culting, make it
easier to spot drivers where an extra reference is needed, and reduce
the risk of memory leaks when drivers fail to release it.
Johan Hovold [Fri, 6 Mar 2026 08:51:44 +0000 (09:51 +0100)]
wifi: rtw88: fix device leak on probe failure
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.
This driver takes a reference to the USB device during probe but does
not to release it on all probe errors (e.g. when descriptor parsing
fails).
Drop the redundant device reference to fix the leak, reduce cargo
culting, make it easier to spot drivers where an extra reference is
needed, and reduce the risk of further memory leaks.
Johan Hovold [Fri, 6 Mar 2026 08:51:43 +0000 (09:51 +0100)]
wifi: rtl8xxxu: drop redundant device reference
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.
Drop the redundant device reference to reduce cargo culting, make it
easier to spot drivers where an extra reference is needed, and reduce
the risk of memory leaks when drivers fail to release it.
Johan Hovold [Fri, 6 Mar 2026 08:51:42 +0000 (09:51 +0100)]
wifi: rtl818x: drop redundant device reference
Driver core holds a reference to the USB interface and its parent USB
device while the interface is bound to a driver and there is no need to
take additional references unless the structures are needed after
disconnect.
Drop the redundant device reference to reduce cargo culting, make it
easier to spot drivers where an extra reference is needed, and reduce
the risk of memory leaks when drivers fail to release it.
Yi Cong [Fri, 6 Mar 2026 07:16:27 +0000 (15:16 +0800)]
wifi: rtl8xxxu: fix potential use of uninitialized value
The local variables 'mcs' and 'nss' in rtl8xxxu_update_ra_report() are
passed to rtl8xxxu_desc_to_mcsrate() as output parameters. If the helper
function encounters an unhandled rate index, it may return without setting
these values, leading to the use of uninitialized stack data.
Remove the helper rtl8xxxu_desc_to_mcsrate() and inline the logic into
rtl8xxxu_update_ra_report(). This fixes the use of uninitialized 'mcs'
and 'nss' variables for legacy rates.
The new implementation explicitly handles:
- Legacy rates: Set bitrate only.
- HT rates (MCS0-15): Set MCS flags, index, and NSS (1 or 2) directly.
- Invalid rates: Return early.
Duoming Zhou [Mon, 23 Feb 2026 04:55:22 +0000 (12:55 +0800)]
wifi: rtlwifi: pci: fix possible use-after-free caused by unfinished irq_prepare_bcn_tasklet
The irq_prepare_bcn_tasklet is initialized in rtl_pci_init() and
scheduled when RTL_IMR_BCNINT interrupt is triggered by hardware.
But it is never killed in rtl_pci_deinit(). When the rtlwifi card
probe fails or is being detached, the ieee80211_hw is deallocated.
However, irq_prepare_bcn_tasklet may still be running or pending,
leading to use-after-free when the freed ieee80211_hw is accessed
in _rtl_pci_prepare_bcn_tasklet().
Similar to irq_tasklet, add tasklet_kill() in rtl_pci_deinit() to
ensure that irq_prepare_bcn_tasklet is properly terminated before
the ieee80211_hw is released.
Fedor Pchelkin [Fri, 20 Feb 2026 09:47:30 +0000 (12:47 +0300)]
wifi: rtw88: check for PCI upstream bridge existence
pci_upstream_bridge() returns NULL if the device is on a root bus. If
8821CE is installed in the system with such a PCI topology, the probing
routine will crash. This has probably been unnoticed as 8821CE is mostly
supplied in laptops where there is a PCI-to-PCI bridge located upstream
from the device. However the card might be installed on a system with
different configuration.
Check if the bridge does exist for the specific workaround to be applied.
Found by Linux Verification Center (linuxtesting.org) with Svace static
analysis tool.
Fixes: 24f5e38a13b5 ("rtw88: Disable PCIe ASPM while doing NAPI poll on 8821CE") Cc: stable@vger.kernel.org Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Acked-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Link: https://patch.msgid.link/20260220094730.49791-1-pchelkin@ispras.ru
Zong-Zhe Yang [Fri, 13 Feb 2026 06:15:52 +0000 (14:15 +0800)]
wifi: rtw89: ser: post-recover DMAC state to prevent LPS
If entering LPS during SER (system error recovery), IMR might fail to
be re-enabled after SER. Then, the next SER would not be noticed well.
After FW v0.35.100.0, Wi-Fi 7 chipsets adjust the order in which SER
recovers DMAC state to prevent LPS from being in the middle of SER.
Zong-Zhe Yang [Fri, 13 Feb 2026 06:15:51 +0000 (14:15 +0800)]
wifi: rtw89: ser: Wi-Fi 7 reset HALT C2H after reading it
When a SER (system error recovery) interrupt happens, driver reads HALT C2H
register to get the error status via MAC. For Wi-Fi 7 chipset, driver needs
to reset HALT C2H register after reading it to make FW aware that.
Zong-Zhe Yang [Fri, 13 Feb 2026 06:15:50 +0000 (14:15 +0800)]
wifi: rtw89: debug: add SER SW counters to count simulation
Some chipsets, e.g. Wi-Fi 7, will not record SER (system error recovery),
which are triggered by simulations, in the HW counters. Their HW counters
only record the SER happen in field. However for verification, it's still
needed to check if simulations are triggered. So, add SW counters to count
any causes that SER happen. But, SW can only count L1 and L2. SW does not
involve L0 SER, so SW cannot count it.
Kuan-Chung Chen [Fri, 13 Feb 2026 06:15:48 +0000 (14:15 +0800)]
wifi: rtw89: add H2C command to protect TX/RX for unused PHY
For BE chips, the unused PHY should pause transmissions and receptions.
This ensures that no unexpected packets are routed to an inactive PHY,
which could otherwise trigger SER L0 and lead to TX hang.
Zong-Zhe Yang [Fri, 13 Feb 2026 06:15:47 +0000 (14:15 +0800)]
wifi: rtw89: 8851b: update supported firmware format to 1
More data will be included in Firmware file and loaded via FW elements.
Increase RTL8851B FW format to 1 to prevent old driver from failing to
recognize FW with FW elements.
Zong-Zhe Yang [Fri, 13 Feb 2026 06:15:46 +0000 (14:15 +0800)]
wifi: rtw89: 8852a: update supported firmware format to 1
More data will be included in Firmware file and loaded via FW elements.
Unlike other chips, for RF radio, RTL8852A uses rtw89_phy_config_rf_reg
instead of v1, so update loading handling of corresponding FW element.
And then, increase RTL8852A FW format to 1 to prevent old driver from
misusing the data in FW elements.
Zong-Zhe Yang [Fri, 13 Feb 2026 06:15:45 +0000 (14:15 +0800)]
wifi: rtw89: 8852a: move DIG tables to rtw8852a.c
Now, most of PHY parameter tables in driver can be loaded via FW elements.
Plan to generate the corresponding FW elements for 8852A PHY tables. Then,
after FW elements work for a enough time, rtw8852a_table.c can be cleaned
up. However, DIG (dynamic initial gain) tables are legacy for 8852A only,
so FW element doesn't support. Their sizes are not very big, so move them
to rtw8852a.c and keep rtw8852a_table.c for PHY tables which are supported
by FW elements.
Ping-Ke Shih [Fri, 13 Feb 2026 06:15:44 +0000 (14:15 +0800)]
wifi: rtw89: 8852b: update supported firmware format to 2
After firmware version 0.29.29.15, more data are included in firmware
file. Increase format to 2 to prevent old driver failed to load the new
firmware.
Zong-Zhe Yang [Fri, 13 Feb 2026 06:15:43 +0000 (14:15 +0800)]
wifi: rtw89: add general way to generate module firmware string
Module firmware string depends on max format of the firmware. When max
format is 0, the module firmware string will be like XYZ.bin. However,
when max format N > 0, the module firmware string will become XYZ-N.bin.
Originally, when one chip updated its max firmware format from 0 to 1,
the module firmware string also needed to be changed. However, did not
need to do for other cases, e.g. from 1 to 2. It's a bit inconvenient
to always remember that from 0 to 1 is a special case.
So, add a general macro to generate the corresponding module firmware
string based on max firmware format.
Ping-Ke Shih [Fri, 13 Feb 2026 06:15:42 +0000 (14:15 +0800)]
wifi: rtw89: fw: recognize firmware type B by AID
Select a firmware suit including normal and WoWLAN firmware by chip AID
from multiple firmware, because coming RTL8922D has variant hardware with
different chip AID.
Ping-Ke Shih [Fri, 13 Feb 2026 06:15:41 +0000 (14:15 +0800)]
wifi: rtw89: fw: add fw_def struct to put firmware name and format version
The RTL8922DE has a RTL8922DE-VS variant which uses different firmware
name and format version, and the rule to select firmware type will be
needed to extend. Prepare for coming patches.
Ching-Te Ku [Fri, 13 Feb 2026 05:34:45 +0000 (13:34 +0800)]
wifi: rtw88: coex: Solve LE-HID lag & update coex version to 26020420
When Wi-Fi enters power save, the register value can not be read
correctly. If mechanism take the wrong information to make decision,
it will run with wrong parameters. It leads Bluetooth low-energy
HID lag. Add logic to isolate the wrong register state.
RTL8851BU and RTL8852BU currently have much lower TX speed than
expected, ~100 and ~300 Mbps, respectively. This is because part of the
chip's memory is allocated for some unknown firmware features instead of
the TX buffers.
The vendor drivers have a module parameter called "rtw_quota_turbo_en",
which can be used to choose between full TX speed or the unknown
firmware features. It is on by default.
Change the relevant chip parameters to implement the turbo mode. Do it
only for USB because PCI is already fast even without the turbo mode.
It's unclear if SDIO will need it or not.
Avraham Stern [Wed, 7 Jan 2026 13:20:02 +0000 (15:20 +0200)]
wifi: cfg80211: support key installation on non-netdev wdevs
Currently key installation is only supported for netdev. For NAN,
support most key operations (except setting default data key) on
wdevs instead of netdevs, and adjust all the APIs and tracing to
match.
Since nothing currently sets NL80211_EXT_FEATURE_SECURE_NAN, this
doesn't change anything (P2P Device already isn't allowed.)
Miri Korenblit [Mon, 2 Mar 2026 07:11:46 +0000 (09:11 +0200)]
wifi: cfg80211: make cluster id an array
cfg80211_nan_conf::cluster_id is currently a pointer, but there is no real
reason to not have it an array. It makes things easier as there is no
need to check the pointer validity each time.
If a cluster ID wasn't provided by user space it will be randomized.
Kexin Sun [Sat, 28 Feb 2026 06:19:44 +0000 (14:19 +0800)]
wifi: mac80211: update outdated comment
The function ieee80211_start_scan() was refactored and replaced by
__ieee80211_start_scan() in commit f3b85252f081 ("mac80211: fix scan
races and rework scanning"). Update the comment in
ieee80211_tx_h_check_assoc() accordingly.
Additionally, remove the broken gmane.org link in the comment.
Suggested-by: Lachlan Hodges <lachlan.hodges@morsemicro.com> Suggested-by: Johannes Berg <johannes@sipsolutions.net> Assisted-by: unnamed:deepseek-v3.2 coccinelle Signed-off-by: Kexin Sun <kexinsun@smail.nju.edu.cn> Link: https://patch.msgid.link/20260228061944.887-1-kexinsun@smail.nju.edu.cn Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Kavita Kavita [Thu, 26 Feb 2026 18:55:53 +0000 (00:25 +0530)]
wifi: mac80211: Advertise IEEE 802.1X authentication support
Advertise support for IEEE 802.1X authentication protocol directly from
mac80211, without depending on driver indication of (Re)Association
frame encryption capability.
As specified in "IEEE P802.11bi/D4.0, clauses 12.16.5 and 12.16.8.2",
IEEE 802.1X authentication can operate with or without (Re)Association
frame encryption support. Therefore, mac80211 can safely advertise
802.1X support independently of driver capabilities.
Kavita Kavita [Thu, 26 Feb 2026 18:55:52 +0000 (00:25 +0530)]
wifi: mac80211: Add support for IEEE 802.1X authentication protocol in non-AP STA mode
Add support for the IEEE 802.1X authentication protocol in non-AP STA
mode, as specified in "IEEE P802.11bi/D4.0, 12.16.5".
IEEE 802.1X authentication involves multiple Authentication frame
exchanges, with the non-AP STA and AP alternating transaction
sequence numbers. The number of Authentication frame exchanges
depends on the EAP method in use. For IEEE 802.1X authentication,
process only Authentication frames with the expected transaction
sequence number.
For IEEE 802.1X Authentication, Table 9-71 specifies that the
Encapsulation Length field as specified in Clause 9.4.1.82 shall be
present in all IEEE 802.1X Authentication frames. Drop the frame in
the mac80211 if the Encapsulation Length field is missing.
After receiving the final Authentication frame with status code
WLAN_STATUS_8021X_AUTH_SUCCESS from the AP, mac80211 marks the state
as authenticated, as it indicates the EAP handshake has completed
successfully over the Authentication frames as specified in
Clause 12.16.5.
In the PMKSA caching case, only two Authentication frames are
exchanged if the AP identifies a valid PMKSA, then as specified
in Clause 12.16.8.3, the AP shall set the Status Code to
WLAN_STATUS_SUCCESS in the final Authentication frame and must not
include an encapsulated EAPOL PDU. This frame will be the final
Authentication frame from the AP when PMKSA caching is enabled,
and mac80211 marks the state as authenticated.
In case of authentication success or failure, forward the
Authentication frame to userspace(e.g. wpa_supplicant), and let
userspace validate the Authentication frame from the AP as per the
specification.
Kavita Kavita [Thu, 26 Feb 2026 18:55:51 +0000 (00:25 +0530)]
wifi: cfg80211: add support for IEEE 802.1X Authentication Protocol
Add an extended feature flag NL80211_EXT_FEATURE_IEEE8021X_AUTH to
allow a driver to indicate support for the IEEE 802.1X authentication
protocol in non-AP STA mode, as defined in
"IEEE P802.11bi/D4.0, 12.16.5".
In case of SME in userspace, the Authentication frame body is prepared
in userspace while the driver finalizes the Authentication frame once
it receives the required fields and elements. The driver indicates
support for IEEE 802.1X authentication using the extended feature flag
so that userspace can initiate IEEE 802.1X authentication.
When the feature flag is set, process IEEE 802.1X Authentication frames
from userspace in non-AP STA mode. If the flag is not set, reject
IEEE 802.1X Authentication frames.
Define a new authentication type NL80211_AUTHTYPE_IEEE8021X for
IEEE 802.1X authentication.
Kavita Kavita [Thu, 26 Feb 2026 18:55:50 +0000 (00:25 +0530)]
wifi: mac80211: Advertise EPPKE support based on driver capabilities
Advertise support for Enhanced Privacy Protection Key Exchange (EPPKE)
authentication protocol in mac80211 when the driver supports
(Re)Association frame encryption. Since EPPKE mandates (Re)Association
frame encryption.
wifi: mac80211: Fix AAD/Nonce computation for management frames with MLO
Per IEEE Std 802.11be-2024, 12.5.2.3.3, if the MPDU is an
individually addressed Data frame between an AP MLD and a
non-AP MLD associated with the AP MLD, then A1/A2/A3
will be MLD MAC addresses. Otherwise, Al/A2/A3 will be
over-the-air link MAC addresses.
Currently, during AAD and Nonce computation for software based
encryption/decryption cases, mac80211 directly uses the addresses it
receives in the skb frame header. However, after the first
authentication, management frame addresses for non-AP MLD stations
are translated to MLD addresses from over the air link addresses in
software. This means that the skb header could contain translated MLD
addresses, which when used as is, can lead to incorrect AAD/Nonce
computation.
In the following manner, ensure that the right set of addresses are used:
In the receive path, stash the pre-translated link addresses in
ieee80211_rx_data and use them for the AAD/Nonce computations
when required.
In the transmit path, offload the encryption for a CCMP/GCMP key
to the hwsim driver that can then ensure that encryption and hence
the AAD/Nonce computations are performed on the frame containing the
right set of addresses, i.e, MLD addresses if unicast data frame and
link addresses otherwise.
To do so, register the set key handler in hwsim driver so mac80211 is
aware that it is the driver that would take care of encrypting the
frame. Offload encryption for a CCMP/GCMP key, while keeping the
encryption for WEP/TKIP and MMIE generation for a AES_CMAC or a
AES_GMAC key still at the SW crypto in mac layer
Co-developed-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Rohan Dutta <quic_drohan@quicinc.com> Signed-off-by: Sai Pratyusha Magam <sai.magam@oss.qualcomm.com> Link: https://patch.msgid.link/20260226042959.3766157-1-sai.magam@oss.qualcomm.com
[only store and apply link_addrs for unicast non-data
rather storing always and applying for !unicast_data] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Rosen Penev [Mon, 23 Feb 2026 21:40:04 +0000 (13:40 -0800)]
wifi: rt2x00: use generic nvmem_cell_get
The library doesn't necessarily depend on OF. This codepath is used by
both soc (OF only) and pci (no such requirement). After this, the only
of specific function is of_get_mac_address, which is needed for nvmem.
Sriram R [Thu, 19 Feb 2026 19:42:42 +0000 (01:12 +0530)]
wifi: mac80211: fetch unsolicited probe response template by link ID
Currently, the unsolicited probe response template is always fetched from
the default link of a virtual interface in both Multi-Link Operation (MLO)
and non-MLO cases. However, in the MLO case there is a need to fetch the
unsolicited probe response template from a specific link instead of the
default link.
Hence, add support for fetching the unsolicited probe response template
based on the link ID from the corresponding link data.
Sriram R [Thu, 19 Feb 2026 19:42:41 +0000 (01:12 +0530)]
wifi: mac80211: fetch FILS discovery template by link ID
Currently, the FILS discovery template is always fetched from the default
link of a virtual interface in both Multi-Link Operation (MLO) and
non-MLO cases. However, in the MLO case there is a need to fetch the FILS
discovery template from a specific link instead of the default link.
Hence, add support for fetching the FILS discovery template based on the
link ID from the corresponding link data.
Miri Korenblit [Thu, 19 Feb 2026 09:47:14 +0000 (11:47 +0200)]
wifi: cfg80211: refactor wiphy_suspend
The sequence of operations that needs to be done in wiphy_suspend is
identical for the case where there is no wowlan configured, and for the
case that it is but the driver refused to do wowlan (by returning 1 from
rdev_suspend).
The current code duplicates this set of operations for each one of the
cases.
In particular, next patch will change the locking of cfg80211_leave_all to
not hold the wiphy lock, which will be easier to do if it is not called
twice.
Change the code to handle first the case that wowlan is configured, and
then handle both cases (driver refused to do wowlan and no wowlan
configured) in one place.
Note that this changes the behaviour to set suspended=true also when
we were not registered yet, but that makes sense anyway, as wiphy works
can be queued also before registration.
Miri Korenblit [Thu, 19 Feb 2026 09:47:13 +0000 (11:47 +0200)]
wifi: nl80211/cfg80211: support stations of non-netdev interfaces
Currently, a station can only be added to a netdev interface,
mainly because there was no need for a station of a non-netdev
interface.
But for NAN, we will have stations that belong to the NL80211_IFTYPE_NAN
interface.
Prepare for adding/changing/deleting a station that belongs to a non-netdev
interface. This doesn't actually allow such stations - this will be done
in a different patch.
Miri Korenblit [Thu, 19 Feb 2026 09:47:12 +0000 (11:47 +0200)]
wifi: cfg80211: remove unneeded call to cfg80211_leave
In cfg80211_destroy_ifaces, we first close all netdev wdevs, which will
trigger a NETDEV_GOING_DOWN event that will call cfg80211_leave,
and for non-netdev wdevs, we call cfg80211_remove_virtual_intf which
calles cfg80211_unregister_wdev, which handles the "leaving" for those
interfaces (i.e. stop_nan and stop_p2p_device)
Miri Korenblit [Thu, 19 Feb 2026 09:47:11 +0000 (11:47 +0200)]
wifi: nl80211: refactor nl80211_parse_chandef
In order to be able to use this function also for nested attributes,
change this function to receive a pointer to extack and to the
attributes array, instead of receiving the info and extracting them out
of it.
While at it, use NL_SET_ERR_MSG_ATTR with the frequency of the chandef.
-Wflex-array-member-not-at-end was introduced in GCC-14, and we are
getting ready to enable it, globally.
Move the conflicting declarations (which in a couple of cases happen
to be in a union, so the entire unions are moved) to the end of the
corresponding structures, struct il_frame, and struct il3945_frame.
Notice that `struct il_tx_beacon_cmd`, `struct il4965_tx_resp`, and
`struct il3945_tx_beacon_cmd` are flexible structures, this is
structures that contain a flexible-array member.
The case for struct il4965_beacon_notif is different. Since this
structure is defined by hardware, we create the new `struct
il4965_tx_resp_hdr` type. We then use this newly created type to
replace the object type causing trouble in struct il4965_beacon_notif,
namely `struct il4965_tx_resp`.
Also, once -fms-extensions is enabled, we can use transparent struct
members in struct il4965_tx_resp.
Notice that the newly created type does not contain the flex-array
member `agg_status`, which is the object causing the -Wfamnae warnings.
This object is currently in a union along with `__le32 status`, so
anything using struct il4965_beacon_notif needs to have its own view
of `status`. To preserve the memory layout, we therefore add member
`__le32 beacon_tx_status` to struct il4965_beacon_notif.
After these changes, the size of struct il4965_beacon_notif along
with its member's offsets remain the same, hence the memory layout
doesn't change:
11 drivers/net/wireless/intel/iwlegacy/common.h:526:11: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
11 drivers/net/wireless/intel/iwlegacy/commands.h:2667:31: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
4 drivers/net/wireless/intel/iwlegacy/3945.h:131:11: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Acked-by: Stanislaw Gruszka <stf_xl@wp.pl> Link: https://patch.msgid.link/aZLienEatf9KC6Rx@kspp Signed-off-by: Johannes Berg <johannes.berg@intel.com>
wifi: cfg80211: add support to handle incumbent signal detected event from mac80211/driver
When any incumbent signal is detected by an AP/mesh interface operating
in 6 GHz band, FCC mandates the AP/mesh to vacate the channels affected
by it [1].
Add a new API cfg80211_incumbent_signal_notify() that can be used
by mac80211 or drivers to notify the higher layers about the signal
interference event with the interference bitmap in which each bit
denotes the affected 20 MHz in the operating channel.
Add support for the new nl80211 event and nl80211 attribute as well to
notify userspace on the details about the interference event. Userspace is
expected to process it and take further action - vacate the channel, or
reduce the bandwidth.
wifi: mac80211: Set link ID for NULL packets sent to probe stations
Currently, for AP MLD, the link ID is not provided when a NULL
packet is triggered to probe a station. For non-MLO stations connected
to an AP MLD, use the station's default link to send the NULL packets
and set addr2 and addr3 to the link address. For MLO stations, set the
link ID to unspecified to let the driver select the appropriate link.
Co-developed-by: Sriram R <quic_srirrama@quicinc.com> Signed-off-by: Sriram R <quic_srirrama@quicinc.com> Co-developed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com> Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com> Signed-off-by: Suraj P Kizhakkethil <suraj.kizhakkethil@oss.qualcomm.com> Link: https://patch.msgid.link/20260213100126.1414398-3-suraj.kizhakkethil@oss.qualcomm.com
[init link_id in each branch instead of default to zero] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: set band information only for non-MLD when probing stations using NULL frame
Currently, when sending a NULL frame to probe a station, the band
information is derived from the chanctx_conf in the mac80211 vif's
bss_conf. However, for AP MLD, chanctx_conf is not assigned to the
vif's bss_conf; instead it is assigned on a per-link basis. As a result,
for AP MLD, sending a NULL packet to probe will trigger a warning.
Daniel Hodges [Fri, 6 Feb 2026 19:44:01 +0000 (14:44 -0500)]
wifi: mwifiex: fix use-after-free in mwifiex_adapter_cleanup()
The mwifiex_adapter_cleanup() function uses timer_delete()
(non-synchronous) for the wakeup_timer before the adapter structure is
freed. This is incorrect because timer_delete() does not wait for any
running timer callback to complete.
If the wakeup_timer callback (wakeup_timer_fn) is executing when
mwifiex_adapter_cleanup() is called, the callback will continue to
access adapter fields (adapter->hw_status, adapter->if_ops.card_reset,
etc.) which may be freed by mwifiex_free_adapter() called later in the
mwifiex_remove_card() path.
Use timer_delete_sync() instead to ensure any running timer callback has
completed before returning.
Fixes: 4636187da60b ("mwifiex: add wakeup timer based recovery mechanism") Cc: stable@vger.kernel.org Signed-off-by: Daniel Hodges <git@danielhodges.dev> Link: https://patch.msgid.link/20260206194401.2346-1-git@danielhodges.dev Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Janusz Dziedzic [Fri, 6 Feb 2026 17:15:50 +0000 (18:15 +0100)]
wifi: cfg80211: events, report background radar
In case we report radar event add also information
this is connected with background one, so user mode
application like hostapd, could check it and behave
correctly.
Janusz Dziedzic [Fri, 6 Feb 2026 17:15:49 +0000 (18:15 +0100)]
wifi: cfg80211: set and report chandef CAC ongoing
Allow to track and check CAC state from user mode by
simple check phy channels eg. using iw phy1 channels
command.
This is done for regular CAC and background CAC.
It is important for background CAC while we can start
it from any app (eg. iw or hostapd).
Janusz Dziedzic [Fri, 6 Feb 2026 17:15:48 +0000 (18:15 +0100)]
wifi: cfg80211: fix background CAC
Fix:
- Send CAC_ABORT event when background CAC is canceled
- Cancel CAC done workqueue when radar is detected
- Release background wdev ownership when CAC is aborted or passed
- Clean lower layer background radar state when CAC is aborted or passed
- Prevent sending abort event when radar event is sent
Zilin Guan [Mon, 19 Jan 2026 09:26:25 +0000 (09:26 +0000)]
wifi: mwifiex: Fix memory leak in mwifiex_11n_aggregate_pkt()
In mwifiex_11n_aggregate_pkt(), skb_aggr is allocated via
mwifiex_alloc_dma_align_buf(). If mwifiex_is_ralist_valid() returns false,
the function currently returns -1 immediately without freeing the
previously allocated skb_aggr, causing a memory leak.
Since skb_aggr has not yet been queued via skb_queue_tail(), no other
references to this memory exist. Therefore, it has to be freed locally
before returning the error.
Fix this by calling mwifiex_write_data_complete() to free skb_aggr before
returning the error status.
Compile tested only. Issue found using a prototype static analysis tool
and code review.
Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by: Zilin Guan <zilin@seu.edu.cn> Reviewed-by: Jeff Chen <jeff.chen_1@nxp.com> Link: https://patch.msgid.link/20260119092625.1349934-1-zilin@seu.edu.cn Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cross-merge networking fixes after downstream PR (net-7.0-rc2).
Conflicts:
tools/testing/selftests/drivers/net/hw/rss_ctx.py 19c3a2a81d2b ("selftests: drv-net: rss: Generate unique ports for RSS context tests") ce5a0f4612db ("selftests: drv-net: rss_ctx: test RSS contexts persist after ifdown/up")
include/net/inet_connection_sock.h 858d2a4f67ff6 ("tcp: fix potential race in tcp_v6_syn_recv_sock()") fcd3d039fab69 ("tcp: make tcp_v{4,6}_send_check() static")
https://lore.kernel.org/aZ8PSFLzBrEU3I89@sirena.org.uk
drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c
drivers/net/ethernet/mellanox/mlx5/core/en/xsk/pool.c 69050f8d6d075 ("treewide: Replace kmalloc with kmalloc_obj for non-scalar types") bf4afc53b77ae ("Convert 'alloc_obj' family to use the new default GFP_KERNEL argument") 8a96b9144f18a ("net/mlx5e: Alloc xsk channel param out of mlx5e_open_xsk()")
Adjacent changes:
net/netfilter/ipvs/ip_vs_ctl.c c59bd9e62e06 ("ipvs: use more counters to avoid service lookups") bf4afc53b77a ("Convert 'alloc_obj' family to use the new default GFP_KERNEL argument")
Linus Torvalds [Thu, 26 Feb 2026 16:00:13 +0000 (08:00 -0800)]
Merge tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from Paolo Abeni:
"Including fixes from IPsec, Bluetooth and netfilter
Current release - regressions:
- wifi: fix dev_alloc_name() return value check
- rds: fix recursive lock in rds_tcp_conn_slots_available
Current release - new code bugs:
- vsock: lock down child_ns_mode as write-once
Previous releases - regressions:
- core:
- do not pass flow_id to set_rps_cpu()
- consume xmit errors of GSO frames
- netconsole: avoid OOB reads, msg is not nul-terminated
- netfilter: h323: fix OOB read in decode_choice()
- tcp: re-enable acceptance of FIN packets when RWIN is 0
- udplite: fix null-ptr-deref in __udp_enqueue_schedule_skb().
- wifi: brcmfmac: fix potential kernel oops when probe fails
- phy: register phy led_triggers during probe to avoid AB-BA deadlock
- eth:
- bnxt_en: fix deleting of Ntuple filters
- wan: farsync: fix use-after-free bugs caused by unfinished tasklets
- xscale: check for PTP support properly
Previous releases - always broken:
- tcp: fix potential race in tcp_v6_syn_recv_sock()
- kcm: fix zero-frag skb in frag_list on partial sendmsg error
- xfrm:
- fix race condition in espintcp_close()
- always flush state and policy upon NETDEV_UNREGISTER event
- bluetooth:
- purge error queues in socket destructors
- fix response to L2CAP_ECRED_CONN_REQ
- eth:
- mlx5:
- fix circular locking dependency in dump
- fix "scheduling while atomic" in IPsec MAC address query
- gve: fix incorrect buffer cleanup for QPL
- team: avoid NETDEV_CHANGEMTU event when unregistering slave
- usb: validate USB endpoints"
* tag 'net-7.0-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (72 commits)
netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
net: consume xmit errors of GSO frames
vsock: document write-once behavior of the child_ns_mode sysctl
vsock: lock down child_ns_mode as write-once
selftests/vsock: change tests to respect write-once child ns mode
net/mlx5e: Fix "scheduling while atomic" in IPsec MAC address query
net/mlx5: Fix missing devlink lock in SRIOV enable error path
net/mlx5: E-switch, Clear legacy flag when moving to switchdev
net/mlx5: LAG, disable MPESW in lag_disable_change()
net/mlx5: DR, Fix circular locking dependency in dump
selftests: team: Add a reference count leak test
team: avoid NETDEV_CHANGEMTU event when unregistering slave
net: mana: Fix double destroy_workqueue on service rescan PCI path
MAINTAINERS: Update maintainer entry for QUALCOMM ETHQOS ETHERNET DRIVER
dpll: zl3073x: Remove redundant cleanup in devm_dpll_init()
selftests/net: packetdrill: Verify acceptance of FIN packets when RWIN is 0
tcp: re-enable acceptance of FIN packets when RWIN is 0
vsock: Use container_of() to get net namespace in sysctl handlers
net: usb: kaweth: validate USB endpoints
...
Vahagn Vardanian [Wed, 25 Feb 2026 13:06:18 +0000 (14:06 +0100)]
netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
In decode_choice(), the boundary check before get_len() uses the
variable `len`, which is still 0 from its initialization at the top of
the function:
unsigned int type, ext, len = 0;
...
if (ext || (son->attr & OPEN)) {
BYTE_ALIGN(bs);
if (nf_h323_error_boundary(bs, len, 0)) /* len is 0 here */
return H323_ERROR_BOUND;
len = get_len(bs); /* OOB read */
When the bitstream is exactly consumed (bs->cur == bs->end), the check
nf_h323_error_boundary(bs, 0, 0) evaluates to (bs->cur + 0 > bs->end),
which is false. The subsequent get_len() call then dereferences
*bs->cur++, reading 1 byte past the end of the buffer. If that byte
has bit 7 set, get_len() reads a second byte as well.
This can be triggered remotely by sending a crafted Q.931 SETUP message
with a User-User Information Element containing exactly 2 bytes of
PER-encoded data ({0x08, 0x00}) to port 1720 through a firewall with
the nf_conntrack_h323 helper active. The decoder fully consumes the
PER buffer before reaching this code path, resulting in a 1-2 byte
heap-buffer-overflow read confirmed by AddressSanitizer.
Fix this by checking for 2 bytes (the maximum that get_len() may read)
instead of the uninitialized `len`. This matches the pattern used at
every other get_len() call site in the same file, where the caller
checks for 2 bytes of available data before calling get_len().
Fixes: ec8a8f3c31dd ("netfilter: nf_ct_h323: Extend nf_h323_error_boundary to work on bits as well") Signed-off-by: Vahagn Vardanian <vahagn@redrays.io> Signed-off-by: Florian Westphal <fw@strlen.de> Link: https://patch.msgid.link/20260225130619.1248-2-fw@strlen.de Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Junrui Luo [Tue, 24 Feb 2026 11:05:56 +0000 (19:05 +0800)]
dpaa2-switch: validate num_ifs to prevent out-of-bounds write
The driver obtains sw_attr.num_ifs from firmware via dpsw_get_attributes()
but never validates it against DPSW_MAX_IF (64). This value controls
iteration in dpaa2_switch_fdb_get_flood_cfg(), which writes port indices
into the fixed-size cfg->if_id[DPSW_MAX_IF] array. When firmware reports
num_ifs >= 64, the loop can write past the array bounds.
Add a bound check for num_ifs in dpaa2_switch_init().
dpaa2_switch_fdb_get_flood_cfg() appends the control interface (port
num_ifs) after all matched ports. When num_ifs == DPSW_MAX_IF and all
ports match the flood filter, the loop fills all 64 slots and the control
interface write overflows by one entry.
The check uses >= because num_ifs == DPSW_MAX_IF is also functionally
broken.
build_if_id_bitmap() silently drops any ID >= 64:
if (id[i] < DPSW_MAX_IF)
bmap[id[i] / 64] |= ...
Qingfang Deng [Tue, 24 Feb 2026 01:50:52 +0000 (09:50 +0800)]
pppoe: remove kernel-mode relay support
The kernel-mode PPPoE relay feature and its two associated ioctls
(PPPOEIOCSFWD and PPPOEIOCDFWD) are not used by any existing userspace
PPPoE implementations. The most commonly-used package, RP-PPPoE [1],
handles the relaying entirely in userspace.
This legacy code has remained in the driver since its introduction in
kernel 2.3.99-pre7 for over two decades, but has served no practical
purpose.
projects / thirdparty / kernel / linux.git / log
