From: Sasha Levin Date: Tue, 10 Aug 2021 12:10:01 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.4.280~9 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7a37dbef307f6257e62dcc2f92b401af3f5ae002;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/alpha-send-stop-ipi-to-send-to-online-cpus.patch b/queue-5.4/alpha-send-stop-ipi-to-send-to-online-cpus.patch new file mode 100644 index 00000000000..db0c0220815 --- /dev/null +++ b/queue-5.4/alpha-send-stop-ipi-to-send-to-online-cpus.patch @@ -0,0 +1,48 @@ +From 6a334b62b4d0c06d264d776e75baee029c3b970a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jan 2021 10:16:27 -0500 +Subject: alpha: Send stop IPI to send to online CPUs + +From: Prarit Bhargava + +[ Upstream commit caace6ca4e06f09413fb8f8a63319594cfb7d47d ] + +This issue was noticed while debugging a shutdown issue where some +secondary CPUs are not being shutdown correctly. A fix for that [1] requires +that secondary cpus be offlined using the cpu_online_mask so that the +stop operation is a no-op if CPU HOTPLUG is disabled. I, like the author in +[1] looked at the architectures and found that alpha is one of two +architectures that executes smp_send_stop() on all possible CPUs. + +On alpha, smp_send_stop() sends an IPI to all possible CPUs but only needs +to send them to online CPUs. + +Send the stop IPI to only the online CPUs. + +[1] https://lkml.org/lkml/2020/1/10/250 + +Signed-off-by: Prarit Bhargava +Cc: Richard Henderson +Cc: Ivan Kokshaysky +Signed-off-by: Matt Turner +Signed-off-by: Sasha Levin +--- + arch/alpha/kernel/smp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/alpha/kernel/smp.c b/arch/alpha/kernel/smp.c +index 5f90df30be20..06fd42417aa9 100644 +--- a/arch/alpha/kernel/smp.c ++++ b/arch/alpha/kernel/smp.c +@@ -585,7 +585,7 @@ void + smp_send_stop(void) + { + cpumask_t to_whom; +- cpumask_copy(&to_whom, cpu_possible_mask); ++ cpumask_copy(&to_whom, cpu_online_mask); + cpumask_clear_cpu(smp_processor_id(), &to_whom); + #ifdef DEBUG_IPI_MSG + if (hard_smp_processor_id() != boot_cpu_id) +-- +2.30.2 + diff --git a/queue-5.4/libata-fix-ata_pio_sector-for-config_highmem.patch b/queue-5.4/libata-fix-ata_pio_sector-for-config_highmem.patch new file mode 100644 index 00000000000..f0e5afa19aa --- /dev/null +++ b/queue-5.4/libata-fix-ata_pio_sector-for-config_highmem.patch @@ -0,0 +1,92 @@ +From 331afc2d8fd5bc73ae9542e53f73758587369a62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 15:02:37 +0200 +Subject: libata: fix ata_pio_sector for CONFIG_HIGHMEM + +From: Christoph Hellwig + +[ Upstream commit ecef6a9effe49e8e2635c839020b9833b71e934c ] + +Data transfers are not required to be block aligned in memory, so they +span two pages. Fix this by splitting the call to >sff_data_xfer into +two for that case. + +This has been broken since the initial libata import before the damn +of git, but was uncovered by the legacy ide driver removal. + +Reported-by: kernel test robot +Signed-off-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210709130237.3730959-1-hch@lst.de +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-sff.c | 35 +++++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +diff --git a/drivers/ata/libata-sff.c b/drivers/ata/libata-sff.c +index 038db94216a9..454f9d7d42fe 100644 +--- a/drivers/ata/libata-sff.c ++++ b/drivers/ata/libata-sff.c +@@ -641,6 +641,20 @@ unsigned int ata_sff_data_xfer32(struct ata_queued_cmd *qc, unsigned char *buf, + } + EXPORT_SYMBOL_GPL(ata_sff_data_xfer32); + ++static void ata_pio_xfer(struct ata_queued_cmd *qc, struct page *page, ++ unsigned int offset, size_t xfer_size) ++{ ++ bool do_write = (qc->tf.flags & ATA_TFLAG_WRITE); ++ unsigned char *buf; ++ ++ buf = kmap_atomic(page); ++ qc->ap->ops->sff_data_xfer(qc, buf + offset, xfer_size, do_write); ++ kunmap_atomic(buf); ++ ++ if (!do_write && !PageSlab(page)) ++ flush_dcache_page(page); ++} ++ + /** + * ata_pio_sector - Transfer a sector of data. + * @qc: Command on going +@@ -652,11 +666,9 @@ EXPORT_SYMBOL_GPL(ata_sff_data_xfer32); + */ + static void ata_pio_sector(struct ata_queued_cmd *qc) + { +- int do_write = (qc->tf.flags & ATA_TFLAG_WRITE); + struct ata_port *ap = qc->ap; + struct page *page; + unsigned int offset; +- unsigned char *buf; + + if (!qc->cursg) { + qc->curbytes = qc->nbytes; +@@ -674,13 +686,20 @@ static void ata_pio_sector(struct ata_queued_cmd *qc) + + DPRINTK("data %s\n", qc->tf.flags & ATA_TFLAG_WRITE ? "write" : "read"); + +- /* do the actual data transfer */ +- buf = kmap_atomic(page); +- ap->ops->sff_data_xfer(qc, buf + offset, qc->sect_size, do_write); +- kunmap_atomic(buf); ++ /* ++ * Split the transfer when it splits a page boundary. Note that the ++ * split still has to be dword aligned like all ATA data transfers. ++ */ ++ WARN_ON_ONCE(offset % 4); ++ if (offset + qc->sect_size > PAGE_SIZE) { ++ unsigned int split_len = PAGE_SIZE - offset; + +- if (!do_write && !PageSlab(page)) +- flush_dcache_page(page); ++ ata_pio_xfer(qc, page, offset, split_len); ++ ata_pio_xfer(qc, nth_page(page, 1), 0, ++ qc->sect_size - split_len); ++ } else { ++ ata_pio_xfer(qc, page, offset, qc->sect_size); ++ } + + qc->curbytes += qc->sect_size; + qc->cursg_ofs += qc->sect_size; +-- +2.30.2 + diff --git a/queue-5.4/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch b/queue-5.4/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch new file mode 100644 index 00000000000..b9ebe8fe64b --- /dev/null +++ b/queue-5.4/net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch @@ -0,0 +1,58 @@ +From 9abaf80794abb88da5762d707a0e27a6fd466846 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Jul 2021 21:45:12 +0800 +Subject: net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and + ql_adapter_reset + +From: Letu Ren + +[ Upstream commit 92766c4628ea349c8ddab0cd7bd0488f36e5c4ce ] + +When calling the 'ql_wait_for_drvr_lock' and 'ql_adapter_reset', the driver +has already acquired the spin lock, so the driver should not call 'ssleep' +in atomic context. + +This bug can be fixed by using 'mdelay' instead of 'ssleep'. + +Reported-by: Letu Ren +Signed-off-by: Letu Ren +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qla3xxx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qla3xxx.c b/drivers/net/ethernet/qlogic/qla3xxx.c +index 5dc36c51636c..6ca2216e4058 100644 +--- a/drivers/net/ethernet/qlogic/qla3xxx.c ++++ b/drivers/net/ethernet/qlogic/qla3xxx.c +@@ -155,7 +155,7 @@ static int ql_wait_for_drvr_lock(struct ql3_adapter *qdev) + "driver lock acquired\n"); + return 1; + } +- ssleep(1); ++ mdelay(1000); + } while (++i < 10); + + netdev_err(qdev->ndev, "Timed out waiting for driver lock...\n"); +@@ -3291,7 +3291,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev) + if ((value & ISP_CONTROL_SR) == 0) + break; + +- ssleep(1); ++ mdelay(1000); + } while ((--max_wait_time)); + + /* +@@ -3327,7 +3327,7 @@ static int ql_adapter_reset(struct ql3_adapter *qdev) + ispControlStatus); + if ((value & ISP_CONTROL_FSR) == 0) + break; +- ssleep(1); ++ mdelay(1000); + } while ((--max_wait_time)); + } + if (max_wait_time == 0) +-- +2.30.2 + diff --git a/queue-5.4/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch b/queue-5.4/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch new file mode 100644 index 00000000000..b60b3bb2010 --- /dev/null +++ b/queue-5.4/reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch @@ -0,0 +1,98 @@ +From 46f9493454d7e5934111c37f77060878be507792 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Jul 2021 12:07:43 +0800 +Subject: reiserfs: add check for root_inode in reiserfs_fill_super + +From: Yu Kuai + +[ Upstream commit 2acf15b94d5b8ea8392c4b6753a6ffac3135cd78 ] + +Our syzcaller report a NULL pointer dereference: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +PGD 116e95067 P4D 116e95067 PUD 1080b5067 PMD 0 +Oops: 0010 [#1] SMP KASAN +CPU: 7 PID: 592 Comm: a.out Not tainted 5.13.0-next-20210629-dirty #67 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-p4 +RIP: 0010:0x0 +Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. +RSP: 0018:ffff888114e779b8 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff110229cef39 RCX: ffffffffaa67e1aa +RDX: 0000000000000000 RSI: ffff88810a58ee00 RDI: ffff8881233180b0 +RBP: ffffffffac38e9c0 R08: ffffffffaa67e17e R09: 0000000000000001 +R10: ffffffffb91c5557 R11: fffffbfff7238aaa R12: ffff88810a58ee00 +R13: ffff888114e77aa0 R14: 0000000000000000 R15: ffff8881233180b0 +FS: 00007f946163c480(0000) GS:ffff88839f1c0000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 00000001099c1000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + __lookup_slow+0x116/0x2d0 + ? page_put_link+0x120/0x120 + ? __d_lookup+0xfc/0x320 + ? d_lookup+0x49/0x90 + lookup_one_len+0x13c/0x170 + ? __lookup_slow+0x2d0/0x2d0 + ? reiserfs_schedule_old_flush+0x31/0x130 + reiserfs_lookup_privroot+0x64/0x150 + reiserfs_fill_super+0x158c/0x1b90 + ? finish_unfinished+0xb10/0xb10 + ? bprintf+0xe0/0xe0 + ? __mutex_lock_slowpath+0x30/0x30 + ? __kasan_check_write+0x20/0x30 + ? up_write+0x51/0xb0 + ? set_blocksize+0x9f/0x1f0 + mount_bdev+0x27c/0x2d0 + ? finish_unfinished+0xb10/0xb10 + ? reiserfs_kill_sb+0x120/0x120 + get_super_block+0x19/0x30 + legacy_get_tree+0x76/0xf0 + vfs_get_tree+0x49/0x160 + ? capable+0x1d/0x30 + path_mount+0xacc/0x1380 + ? putname+0x97/0xd0 + ? finish_automount+0x450/0x450 + ? kmem_cache_free+0xf8/0x5a0 + ? putname+0x97/0xd0 + do_mount+0xe2/0x110 + ? path_mount+0x1380/0x1380 + ? copy_mount_options+0x69/0x140 + __x64_sys_mount+0xf0/0x190 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +This is because 'root_inode' is initialized with wrong mode, and +it's i_op is set to 'reiserfs_special_inode_operations'. Thus add +check for 'root_inode' to fix the problem. + +Link: https://lore.kernel.org/r/20210702040743.1918552-1-yukuai3@huawei.com +Signed-off-by: Yu Kuai +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index 1b9c7a387dc7..913f5af9bf24 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -2082,6 +2082,14 @@ static int reiserfs_fill_super(struct super_block *s, void *data, int silent) + unlock_new_inode(root_inode); + } + ++ if (!S_ISDIR(root_inode->i_mode) || !inode_get_bytes(root_inode) || ++ !root_inode->i_size) { ++ SWARN(silent, s, "", "corrupt root inode, run fsck"); ++ iput(root_inode); ++ errval = -EUCLEAN; ++ goto error; ++ } ++ + s->s_root = d_make_root(root_inode); + if (!s->s_root) + goto error; +-- +2.30.2 + diff --git a/queue-5.4/reiserfs-check-directory-items-on-read-from-disk.patch b/queue-5.4/reiserfs-check-directory-items-on-read-from-disk.patch new file mode 100644 index 00000000000..aa1eadbb33d --- /dev/null +++ b/queue-5.4/reiserfs-check-directory-items-on-read-from-disk.patch @@ -0,0 +1,79 @@ +From 10d4cb782e01c205b5033fd113086d4de434ef04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Jul 2021 20:59:29 +0530 +Subject: reiserfs: check directory items on read from disk + +From: Shreyansh Chouhan + +[ Upstream commit 13d257503c0930010ef9eed78b689cec417ab741 ] + +While verifying the leaf item that we read from the disk, reiserfs +doesn't check the directory items, this could cause a crash when we +read a directory item from the disk that has an invalid deh_location. + +This patch adds a check to the directory items read from the disk that +does a bounds check on deh_location for the directory entries. Any +directory entry header with a directory entry offset greater than the +item length is considered invalid. + +Link: https://lore.kernel.org/r/20210709152929.766363-1-chouhan.shreyansh630@gmail.com +Reported-by: syzbot+c31a48e6702ccb3d64c9@syzkaller.appspotmail.com +Signed-off-by: Shreyansh Chouhan +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/stree.c | 31 ++++++++++++++++++++++++++----- + 1 file changed, 26 insertions(+), 5 deletions(-) + +diff --git a/fs/reiserfs/stree.c b/fs/reiserfs/stree.c +index 9e64e23014e8..07d787145cc3 100644 +--- a/fs/reiserfs/stree.c ++++ b/fs/reiserfs/stree.c +@@ -387,6 +387,24 @@ void pathrelse(struct treepath *search_path) + search_path->path_length = ILLEGAL_PATH_ELEMENT_OFFSET; + } + ++static int has_valid_deh_location(struct buffer_head *bh, struct item_head *ih) ++{ ++ struct reiserfs_de_head *deh; ++ int i; ++ ++ deh = B_I_DEH(bh, ih); ++ for (i = 0; i < ih_entry_count(ih); i++) { ++ if (deh_location(&deh[i]) > ih_item_len(ih)) { ++ reiserfs_warning(NULL, "reiserfs-5094", ++ "directory entry location seems wrong %h", ++ &deh[i]); ++ return 0; ++ } ++ } ++ ++ return 1; ++} ++ + static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) + { + struct block_head *blkh; +@@ -454,11 +472,14 @@ static int is_leaf(char *buf, int blocksize, struct buffer_head *bh) + "(second one): %h", ih); + return 0; + } +- if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) { +- reiserfs_warning(NULL, "reiserfs-5093", +- "item entry count seems wrong %h", +- ih); +- return 0; ++ if (is_direntry_le_ih(ih)) { ++ if (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE)) { ++ reiserfs_warning(NULL, "reiserfs-5093", ++ "item entry count seems wrong %h", ++ ih); ++ return 0; ++ } ++ return has_valid_deh_location(bh, ih); + } + prev_location = ih_location(ih); + } +-- +2.30.2 + diff --git a/queue-5.4/series b/queue-5.4/series index cbc5c9bd885..e7098cb6b92 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -76,3 +76,9 @@ spi-meson-spicc-fix-memory-leak-in-meson_spicc_remove.patch soc-ixp4xx-qmgr-fix-invalid-__iomem-access.patch perf-x86-amd-don-t-touch-the-amd64_eventsel_hostonly-bit-inside-the-guest.patch bpf-selftests-adjust-few-selftest-result_unpriv-outcomes.patch +libata-fix-ata_pio_sector-for-config_highmem.patch +reiserfs-add-check-for-root_inode-in-reiserfs_fill_s.patch +reiserfs-check-directory-items-on-read-from-disk.patch +virt_wifi-fix-error-on-connect.patch +alpha-send-stop-ipi-to-send-to-online-cpus.patch +net-qla3xxx-fix-schedule-while-atomic-in-ql_wait_for.patch diff --git a/queue-5.4/virt_wifi-fix-error-on-connect.patch b/queue-5.4/virt_wifi-fix-error-on-connect.patch new file mode 100644 index 00000000000..85a0bb5c7c1 --- /dev/null +++ b/queue-5.4/virt_wifi-fix-error-on-connect.patch @@ -0,0 +1,155 @@ +From 4a1610dfd25d974ee92825179b1095a571c8b4e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Jul 2021 17:44:23 +0200 +Subject: virt_wifi: fix error on connect + +From: Matteo Croce + +[ Upstream commit 17109e9783799be2a063b2bd861a508194b0a487 ] + +When connecting without first doing a scan, the BSS list is empty +and __cfg80211_connect_result() generates this warning: + +$ iw dev wlan0 connect -w VirtWifi +[ 15.371989] ------------[ cut here ]------------ +[ 15.372179] WARNING: CPU: 0 PID: 92 at net/wireless/sme.c:756 __cfg80211_connect_result+0x402/0x440 +[ 15.372383] CPU: 0 PID: 92 Comm: kworker/u2:2 Not tainted 5.13.0-kvm #444 +[ 15.372512] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-3.fc34 04/01/2014 +[ 15.372597] Workqueue: cfg80211 cfg80211_event_work +[ 15.372756] RIP: 0010:__cfg80211_connect_result+0x402/0x440 +[ 15.372818] Code: 48 2b 04 25 28 00 00 00 75 59 48 8b 3b 48 8b 76 10 48 8d 65 e0 5b 41 5c 41 5d 41 5e 5d 49 8d 65 f0 41 5d e9 d0 d4 fd ff 0f 0b <0f> 0b e9 f6 fd ff ff e8 f2 4a b4 ff e9 ec fd ff ff 0f 0b e9 19 fd +[ 15.372966] RSP: 0018:ffffc900005cbdc0 EFLAGS: 00010246 +[ 15.373022] RAX: 0000000000000000 RBX: ffff8880028e2400 RCX: ffff8880028e2472 +[ 15.373088] RDX: 0000000000000002 RSI: 00000000fffffe01 RDI: ffffffff815335ba +[ 15.373149] RBP: ffffc900005cbe00 R08: 0000000000000008 R09: ffff888002bdf8b8 +[ 15.373209] R10: ffff88803ec208f0 R11: ffffffffffffe9ae R12: ffff88801d687d98 +[ 15.373280] R13: ffff88801b5fe000 R14: ffffc900005cbdc0 R15: dead000000000100 +[ 15.373330] FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 +[ 15.373382] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 15.373425] CR2: 000056421c468958 CR3: 000000001b458001 CR4: 0000000000170eb0 +[ 15.373478] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 15.373529] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 15.373580] Call Trace: +[ 15.373611] ? cfg80211_process_wdev_events+0x10e/0x170 +[ 15.373743] cfg80211_process_wdev_events+0x10e/0x170 +[ 15.373783] cfg80211_process_rdev_events+0x21/0x40 +[ 15.373846] cfg80211_event_work+0x20/0x30 +[ 15.373892] process_one_work+0x1e9/0x340 +[ 15.373956] worker_thread+0x4b/0x3f0 +[ 15.374017] ? process_one_work+0x340/0x340 +[ 15.374053] kthread+0x11f/0x140 +[ 15.374089] ? set_kthread_struct+0x30/0x30 +[ 15.374153] ret_from_fork+0x1f/0x30 +[ 15.374187] ---[ end trace 321ef0cb7e9c0be1 ]--- +wlan0 (phy #0): connected to 00:00:00:00:00:00 + +Add the fake bss just before the connect so that cfg80211_get_bss() +finds the virtual network. +As some code was duplicated, move it in a common function. + +Signed-off-by: Matteo Croce +Link: https://lore.kernel.org/r/20210706154423.11065-1-mcroce@linux.microsoft.com +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/virt_wifi.c | 52 ++++++++++++++++++++------------ + 1 file changed, 32 insertions(+), 20 deletions(-) + +diff --git a/drivers/net/wireless/virt_wifi.c b/drivers/net/wireless/virt_wifi.c +index 9d04ca53229b..4e906910f110 100644 +--- a/drivers/net/wireless/virt_wifi.c ++++ b/drivers/net/wireless/virt_wifi.c +@@ -136,6 +136,29 @@ static struct ieee80211_supported_band band_5ghz = { + /* Assigned at module init. Guaranteed locally-administered and unicast. */ + static u8 fake_router_bssid[ETH_ALEN] __ro_after_init = {}; + ++static void virt_wifi_inform_bss(struct wiphy *wiphy) ++{ ++ u64 tsf = div_u64(ktime_get_boottime_ns(), 1000); ++ struct cfg80211_bss *informed_bss; ++ static const struct { ++ u8 tag; ++ u8 len; ++ u8 ssid[8]; ++ } __packed ssid = { ++ .tag = WLAN_EID_SSID, ++ .len = 8, ++ .ssid = "VirtWifi", ++ }; ++ ++ informed_bss = cfg80211_inform_bss(wiphy, &channel_5ghz, ++ CFG80211_BSS_FTYPE_PRESP, ++ fake_router_bssid, tsf, ++ WLAN_CAPABILITY_ESS, 0, ++ (void *)&ssid, sizeof(ssid), ++ DBM_TO_MBM(-50), GFP_KERNEL); ++ cfg80211_put_bss(wiphy, informed_bss); ++} ++ + /* Called with the rtnl lock held. */ + static int virt_wifi_scan(struct wiphy *wiphy, + struct cfg80211_scan_request *request) +@@ -156,28 +179,13 @@ static int virt_wifi_scan(struct wiphy *wiphy, + /* Acquires and releases the rdev BSS lock. */ + static void virt_wifi_scan_result(struct work_struct *work) + { +- struct { +- u8 tag; +- u8 len; +- u8 ssid[8]; +- } __packed ssid = { +- .tag = WLAN_EID_SSID, .len = 8, .ssid = "VirtWifi", +- }; +- struct cfg80211_bss *informed_bss; + struct virt_wifi_wiphy_priv *priv = + container_of(work, struct virt_wifi_wiphy_priv, + scan_result.work); + struct wiphy *wiphy = priv_to_wiphy(priv); + struct cfg80211_scan_info scan_info = { .aborted = false }; +- u64 tsf = div_u64(ktime_get_boottime_ns(), 1000); + +- informed_bss = cfg80211_inform_bss(wiphy, &channel_5ghz, +- CFG80211_BSS_FTYPE_PRESP, +- fake_router_bssid, tsf, +- WLAN_CAPABILITY_ESS, 0, +- (void *)&ssid, sizeof(ssid), +- DBM_TO_MBM(-50), GFP_KERNEL); +- cfg80211_put_bss(wiphy, informed_bss); ++ virt_wifi_inform_bss(wiphy); + + /* Schedules work which acquires and releases the rtnl lock. */ + cfg80211_scan_done(priv->scan_request, &scan_info); +@@ -225,10 +233,12 @@ static int virt_wifi_connect(struct wiphy *wiphy, struct net_device *netdev, + if (!could_schedule) + return -EBUSY; + +- if (sme->bssid) ++ if (sme->bssid) { + ether_addr_copy(priv->connect_requested_bss, sme->bssid); +- else ++ } else { ++ virt_wifi_inform_bss(wiphy); + eth_zero_addr(priv->connect_requested_bss); ++ } + + wiphy_debug(wiphy, "connect\n"); + +@@ -241,11 +251,13 @@ static void virt_wifi_connect_complete(struct work_struct *work) + struct virt_wifi_netdev_priv *priv = + container_of(work, struct virt_wifi_netdev_priv, connect.work); + u8 *requested_bss = priv->connect_requested_bss; +- bool has_addr = !is_zero_ether_addr(requested_bss); + bool right_addr = ether_addr_equal(requested_bss, fake_router_bssid); + u16 status = WLAN_STATUS_SUCCESS; + +- if (!priv->is_up || (has_addr && !right_addr)) ++ if (is_zero_ether_addr(requested_bss)) ++ requested_bss = NULL; ++ ++ if (!priv->is_up || (requested_bss && !right_addr)) + status = WLAN_STATUS_UNSPECIFIED_FAILURE; + else + priv->is_connected = true; +-- +2.30.2 +