From 7a4f49fb25c9b1e603341f57cbc7612e0ab20280 Mon Sep 17 00:00:00 2001
From: coolsnowwolf <coolsnowwolf@gmail.com>
Date: Sat, 24 Jul 2021 15:49:58 +0800
Subject: [PATCH] ath11k: fix wifi drivers memory leak for AX6/AX3600 etc.

---
 package/kernel/mac80211/Makefile              |   2 +-
 ...1k-fix-ZERO-address-in-probe-request.patch |  38 +++
 ...ed-APIs-to-allocate-and-free-MHI-con.patch |  57 +++++
 ...addr-tx-failure-for-AP-and-STA-modes.patch | 219 ++++++++++++++++++
 ...ath11k-fix-4addr-multicast-packet-tx.patch | 199 ++++++++++++++++
 ...-Avoid-memcpy-over-reading-of-he_cap.patch |  47 ++++
 ...egister-access-length-for-MHI-driver.patch |  31 +++
 7 files changed, 592 insertions(+), 1 deletion(-)
 create mode 100644 package/kernel/mac80211/patches/ath11k/005-v5.11-ath11k-fix-ZERO-address-in-probe-request.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/006-v5.11-ath11k-use-MHI-provided-APIs-to-allocate-and-free-MHI-con.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/007-1-ath11k-fix-4-addr-tx-failure-for-AP-and-STA-modes.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/007-2-ath11k-fix-4addr-multicast-packet-tx.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/008-v5.14-ath11k-Avoid-memcpy-over-reading-of-he_cap.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/009-v5.15-ath11k-set-register-access-length-for-MHI-driver.patch

diff --git a/package/kernel/mac80211/Makefile b/package/kernel/mac80211/Makefile
index 3485ff118..cc9229450 100644
--- a/package/kernel/mac80211/Makefile
+++ b/package/kernel/mac80211/Makefile
@@ -11,7 +11,7 @@ include $(INCLUDE_DIR)/kernel.mk
 PKG_NAME:=mac80211
 
 PKG_VERSION:=5.10.42-1
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_SOURCE_URL:=@KERNEL/linux/kernel/projects/backports/stable/v5.10.42/
 PKG_HASH:=6876520105240844fdb32d1dcdf2bfdea291a37a96f16c892fda3776ba714fcb
 
diff --git a/package/kernel/mac80211/patches/ath11k/005-v5.11-ath11k-fix-ZERO-address-in-probe-request.patch b/package/kernel/mac80211/patches/ath11k/005-v5.11-ath11k-fix-ZERO-address-in-probe-request.patch
new file mode 100644
index 000000000..729aaca19
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/005-v5.11-ath11k-fix-ZERO-address-in-probe-request.patch
@@ -0,0 +1,38 @@
+From fa7572c2cfe081dff82f884fa05f1b067d4beaaa Mon Sep 17 00:00:00 2001
+From: Carl Huang <cjhuang@codeaurora.org>
+Date: Fri, 6 Nov 2020 08:55:48 +0200
+Subject: [PATCH] ath11k: fix ZERO address in probe request
+
+Host needs to pass at least on bssid with all 0xff to firmware in
+WMI_START_SCAN_CMDID, otherwise the bssid and receiver address
+in probe requeste are all ZEROs.
+
+This also fixed some hidden AP connection issue because some AP
+doesn't respond to probe request which receiver address are all
+ZEROs.
+
+Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
+
+Signed-off-by: Carl Huang <cjhuang@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20201012101733.24137-1-cjhuang@codeaurora.org
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/wmi.c b/drivers/net/wireless/ath/ath11k/wmi.c
+index 40032c2b497551..bca66c1d47ad57 100644
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -1950,6 +1950,11 @@ void ath11k_wmi_start_scan_init(struct ath11k *ar,
+ 				  WMI_SCAN_EVENT_DEQUEUED;
+ 	arg->scan_flags |= WMI_SCAN_CHAN_STAT_EVENT;
+ 	arg->num_bssid = 1;
++
++	/* fill bssid_list[0] with 0xff, otherwise bssid and RA will be
++	 * ZEROs in probe request
++	 */
++	eth_broadcast_addr(arg->bssid_list[0].addr);
+ }
+ 
+ static inline void
diff --git a/package/kernel/mac80211/patches/ath11k/006-v5.11-ath11k-use-MHI-provided-APIs-to-allocate-and-free-MHI-con.patch b/package/kernel/mac80211/patches/ath11k/006-v5.11-ath11k-use-MHI-provided-APIs-to-allocate-and-free-MHI-con.patch
new file mode 100644
index 000000000..c82e7ccb6
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/006-v5.11-ath11k-use-MHI-provided-APIs-to-allocate-and-free-MHI-con.patch
@@ -0,0 +1,57 @@
+From 57449b07eafcc831343013b87b57e928c50d16b4 Mon Sep 17 00:00:00 2001
+From: Bhaumik Bhatt <bbhatt@codeaurora.org>
+Date: Tue, 17 Nov 2020 09:33:56 -0800
+Subject: [PATCH] ath11k: use MHI provided APIs to allocate and free MHI
+ controller
+
+Use MHI provided APIs to allocate and free MHI controller to
+improve MHI host driver handling. This also fixes a memory leak
+as the MHI controller was allocated but never freed.
+
+Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1605634436-36506-1-git-send-email-bbhatt@codeaurora.org
+---
+ drivers/net/wireless/ath/ath11k/mhi.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c
+index 47a1ce1bee4f4e..8a2068456a0975 100644
+--- a/drivers/net/wireless/ath/ath11k/mhi.c
++++ b/drivers/net/wireless/ath/ath11k/mhi.c
+@@ -214,7 +214,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
+ 	struct mhi_controller *mhi_ctrl;
+ 	int ret;
+ 
+-	mhi_ctrl = kzalloc(sizeof(*mhi_ctrl), GFP_KERNEL);
++	mhi_ctrl = mhi_alloc_controller();
+ 	if (!mhi_ctrl)
+ 		return -ENOMEM;
+ 
+@@ -230,7 +230,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
+ 	ret = ath11k_mhi_get_msi(ab_pci);
+ 	if (ret) {
+ 		ath11k_err(ab, "failed to get msi for mhi\n");
+-		kfree(mhi_ctrl);
++		mhi_free_controller(mhi_ctrl);
+ 		return ret;
+ 	}
+ 
+@@ -248,7 +248,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
+ 	ret = mhi_register_controller(mhi_ctrl, &ath11k_mhi_config);
+ 	if (ret) {
+ 		ath11k_err(ab, "failed to register to mhi bus, err = %d\n", ret);
+-		kfree(mhi_ctrl);
++		mhi_free_controller(mhi_ctrl);
+ 		return ret;
+ 	}
+ 
+@@ -261,6 +261,7 @@ void ath11k_mhi_unregister(struct ath11k_pci *ab_pci)
+ 
+ 	mhi_unregister_controller(mhi_ctrl);
+ 	kfree(mhi_ctrl->irq);
++	mhi_free_controller(mhi_ctrl);
+ }
+ 
+ static char *ath11k_mhi_state_to_str(enum ath11k_mhi_state mhi_state)
diff --git a/package/kernel/mac80211/patches/ath11k/007-1-ath11k-fix-4-addr-tx-failure-for-AP-and-STA-modes.patch b/package/kernel/mac80211/patches/ath11k/007-1-ath11k-fix-4-addr-tx-failure-for-AP-and-STA-modes.patch
new file mode 100644
index 000000000..58d3d026b
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/007-1-ath11k-fix-4-addr-tx-failure-for-AP-and-STA-modes.patch
@@ -0,0 +1,219 @@
+From mboxrd@z Thu Jan  1 00:00:00 1970
+Return-Path: <linux-wireless-owner@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+	aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level: 
+X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
+	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
+	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT
+	autolearn=unavailable autolearn_force=no version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+	by smtp.lore.kernel.org (Postfix) with ESMTP id AE5DFC07E95
+	for <linux-wireless@archiver.kernel.org>; Tue, 20 Jul 2021 21:32:35 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
+	by mail.kernel.org (Postfix) with ESMTP id 8BCA960E0B
+	for <linux-wireless@archiver.kernel.org>; Tue, 20 Jul 2021 21:32:35 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S232037AbhGTUvp (ORCPT
+        <rfc822;linux-wireless@archiver.kernel.org>);
+        Tue, 20 Jul 2021 16:51:45 -0400
+Received: from so254-9.mailgun.net ([198.61.254.9]:51945 "EHLO
+        so254-9.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+        with ESMTP id S233404AbhGTUvb (ORCPT
+        <rfc822;linux-wireless@vger.kernel.org>);
+        Tue, 20 Jul 2021 16:51:31 -0400
+DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt;
+ s=smtp; t=1626816727; h=Content-Transfer-Encoding: MIME-Version:
+ Message-Id: Date: Subject: Cc: To: From: Sender;
+ bh=0NKtP900YLYCGbw3/GGjWWripcJNlTdjFgNVgginJt0=; b=abeQRnEIETDnBog8B8jC5dz4L/CByAwwAd4rRXQWAhj3mrSD3aI8lXlncgB6UaxCJ7IxwD7n
+ Jd43kUakxtbNRc2ljAhNOBgnVzUYc34DC9P8+cZCUyohmRMATXg9kMszaiWSrlwKfnFbNmhy
+ bB2QJmD4AKn90qUvNto1Rmu6PRY=
+X-Mailgun-Sending-Ip: 198.61.254.9
+X-Mailgun-Sid: WyI3YTAwOSIsICJsaW51eC13aXJlbGVzc0B2Z2VyLmtlcm5lbC5vcmciLCAiYmU5ZTRhIl0=
+Received: from smtp.codeaurora.org
+ (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by
+ smtp-out-n07.prod.us-east-1.postgun.com with SMTP id
+ 60f740d4290ea35ee6638a2d (version=TLS1.2,
+ cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Tue, 20 Jul 2021 21:32:04
+ GMT
+Sender: jouni=codeaurora.org@mg.codeaurora.org
+Received: by smtp.codeaurora.org (Postfix, from userid 1001)
+        id 72C9CC43460; Tue, 20 Jul 2021 21:32:03 +0000 (UTC)
+Received: from jouni.codeaurora.org (85-76-67-217-nat.elisa-mobile.fi [85.76.67.217])
+        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
+        (No client certificate requested)
+        (Authenticated sender: jouni)
+        by smtp.codeaurora.org (Postfix) with ESMTPSA id 07C11C433F1;
+        Tue, 20 Jul 2021 21:32:00 +0000 (UTC)
+DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org 07C11C433F1
+Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org
+Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=jouni@codeaurora.org
+From:   Jouni Malinen <jouni@codeaurora.org>
+To:     Kalle Valo <kvalo@codeaurora.org>
+Cc:     ath11k@lists.infradead.org, linux-wireless@vger.kernel.org,
+        Sathishkumar Muruganandam <murugana@codeaurora.org>,
+        Jouni Malinen <jouni@codeaurora.org>
+Subject: [PATCH 1/2] ath11k: fix 4-addr tx failure for AP and STA modes
+Date:   Wed, 21 Jul 2021 00:31:46 +0300
+Message-Id: <20210720213147.90042-1-jouni@codeaurora.org>
+X-Mailer: git-send-email 2.25.1
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless@vger.kernel.org
+List-Archive: <https://lore.kernel.org/linux-wireless/>
+
+From: Sathishkumar Muruganandam <murugana@codeaurora.org>
+
+Ath11k FW requires peer parameter WMI_PEER_USE_4ADDR to be set for
+4-addr peers allowing 4-address frame transmission to those peers.
+
+Add ath11k driver callback for sta_set_4addr() to queue new workq
+set_4addr_wk only once based on new boolean, use_4addr_set.
+
+sta_set_4addr() will be called during 4-addr STA association cases
+applicable for both AP and STA modes.
+
+In ath11k_sta_set_4addr_wk(),
+
+AP mode:
+        WMI_PEER_USE_4ADDR will be set for the corresponding
+        associated 4-addr STA(s)
+
+STA mode:
+        WMI_PEER_USE_4ADDR will be set for the AP to which the
+        4-addr STA got associated.
+
+Tested-on: IPQ8074 WLAN.HK.2.1.0.1-01238-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h |  3 ++
+ drivers/net/wireless/ath/ath11k/mac.c  | 48 ++++++++++++++++++++++++--
+ 2 files changed, 49 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index 018fb2385f2a..11c8dffd0236 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -362,6 +362,7 @@ struct ath11k_sta {
+ 	enum hal_pn_type pn_type;
+ 
+ 	struct work_struct update_wk;
++	struct work_struct set_4addr_wk;
+ 	struct rate_info txrate;
+ 	struct rate_info last_txrate;
+ 	u64 rx_duration;
+@@ -374,6 +375,8 @@ struct ath11k_sta {
+ 	/* protected by conf_mutex */
+ 	bool aggr_mode;
+ #endif
++
++	bool use_4addr_set;
+ };
+ 
+ #define ATH11K_MIN_5G_FREQ 4150
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index e9b3689331ec..d42637ecbf1e 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -3155,6 +3155,31 @@ static void ath11k_sta_rc_update_wk(struct work_struct *wk)
+ 	mutex_unlock(&ar->conf_mutex);
+ }
+ 
++static void ath11k_sta_set_4addr_wk(struct work_struct *wk)
++{
++	struct ath11k *ar;
++	struct ath11k_vif *arvif;
++	struct ath11k_sta *arsta;
++	struct ieee80211_sta *sta;
++	int ret = 0;
++
++	arsta = container_of(wk, struct ath11k_sta, set_4addr_wk);
++	sta = container_of((void *)arsta, struct ieee80211_sta, drv_priv);
++	arvif = arsta->arvif;
++	ar = arvif->ar;
++
++	ath11k_dbg(ar->ab, ATH11K_DBG_MAC,
++		   "setting USE_4ADDR for peer %pM\n", sta->addr);
++
++	ret = ath11k_wmi_set_peer_param(ar, sta->addr,
++					arvif->vdev_id,
++					WMI_PEER_USE_4ADDR, 1);
++
++	if (ret)
++		ath11k_warn(ar->ab, "failed to set peer %pM 4addr capability: %d\n",
++			    sta->addr, ret);
++}
++
+ static int ath11k_mac_inc_num_stations(struct ath11k_vif *arvif,
+ 				       struct ieee80211_sta *sta)
+ {
+@@ -3234,11 +3259,13 @@ static int ath11k_mac_station_add(struct ath11k *ar,
+ 	}
+ 
+ 	if (ieee80211_vif_is_mesh(vif)) {
++		ath11k_dbg(ab, ATH11K_DBG_MAC,
++			   "setting USE_4ADDR for mesh STA %pM\n", sta->addr);
+ 		ret = ath11k_wmi_set_peer_param(ar, sta->addr,
+ 						arvif->vdev_id,
+ 						WMI_PEER_USE_4ADDR, 1);
+ 		if (ret) {
+-			ath11k_warn(ab, "failed to STA %pM 4addr capability: %d\n",
++			ath11k_warn(ab, "failed to set mesh STA %pM 4addr capability: %d\n",
+ 				    sta->addr, ret);
+ 			goto free_tx_stats;
+ 		}
+@@ -3291,8 +3318,10 @@ static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
+ 
+ 	/* cancel must be done outside the mutex to avoid deadlock */
+ 	if ((old_state == IEEE80211_STA_NONE &&
+-	     new_state == IEEE80211_STA_NOTEXIST))
++	     new_state == IEEE80211_STA_NOTEXIST)) {
+ 		cancel_work_sync(&arsta->update_wk);
++		cancel_work_sync(&arsta->set_4addr_wk);
++	}
+ 
+ 	mutex_lock(&ar->conf_mutex);
+ 
+@@ -3301,6 +3330,7 @@ static int ath11k_mac_op_sta_state(struct ieee80211_hw *hw,
+ 		memset(arsta, 0, sizeof(*arsta));
+ 		arsta->arvif = arvif;
+ 		INIT_WORK(&arsta->update_wk, ath11k_sta_rc_update_wk);
++		INIT_WORK(&arsta->set_4addr_wk, ath11k_sta_set_4addr_wk);
+ 
+ 		ret = ath11k_mac_station_add(ar, vif, sta);
+ 		if (ret)
+@@ -3395,6 +3425,19 @@ static int ath11k_mac_op_sta_set_txpwr(struct ieee80211_hw *hw,
+ 	return ret;
+ }
+ 
++static void ath11k_mac_op_sta_set_4addr(struct ieee80211_hw *hw,
++					struct ieee80211_vif *vif,
++					struct ieee80211_sta *sta, bool enabled)
++{
++	struct ath11k *ar = hw->priv;
++	struct ath11k_sta *arsta = (struct ath11k_sta *)sta->drv_priv;
++
++	if (enabled && !arsta->use_4addr_set) {
++		ieee80211_queue_work(ar->hw, &arsta->set_4addr_wk);
++		arsta->use_4addr_set = true;
++	}
++}
++
+ static void ath11k_mac_op_sta_rc_update(struct ieee80211_hw *hw,
+ 					struct ieee80211_vif *vif,
+ 					struct ieee80211_sta *sta,
+@@ -6180,6 +6223,7 @@ static const struct ieee80211_ops ath11k_ops = {
+ 	.cancel_hw_scan                 = ath11k_mac_op_cancel_hw_scan,
+ 	.set_key                        = ath11k_mac_op_set_key,
+ 	.sta_state                      = ath11k_mac_op_sta_state,
++	.sta_set_4addr                  = ath11k_mac_op_sta_set_4addr,
+ 	.sta_set_txpwr			= ath11k_mac_op_sta_set_txpwr,
+ 	.sta_rc_update			= ath11k_mac_op_sta_rc_update,
+ 	.conf_tx                        = ath11k_mac_op_conf_tx,
+-- 
+2.25.1
+
diff --git a/package/kernel/mac80211/patches/ath11k/007-2-ath11k-fix-4addr-multicast-packet-tx.patch b/package/kernel/mac80211/patches/ath11k/007-2-ath11k-fix-4addr-multicast-packet-tx.patch
new file mode 100644
index 000000000..f53fc571a
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/007-2-ath11k-fix-4addr-multicast-packet-tx.patch
@@ -0,0 +1,199 @@
+From mboxrd@z Thu Jan  1 00:00:00 1970
+Return-Path: <linux-wireless-owner@kernel.org>
+X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
+	aws-us-west-2-korg-lkml-1.web.codeaurora.org
+X-Spam-Level: 
+X-Spam-Status: No, score=-16.8 required=3.0 tests=BAYES_00,DKIM_SIGNED,
+	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH,
+	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT
+	autolearn=unavailable autolearn_force=no version=3.4.0
+Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
+	by smtp.lore.kernel.org (Postfix) with ESMTP id 25420C07E9B
+	for <linux-wireless@archiver.kernel.org>; Tue, 20 Jul 2021 21:33:45 +0000 (UTC)
+Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
+	by mail.kernel.org (Postfix) with ESMTP id 01B6660E0B
+	for <linux-wireless@archiver.kernel.org>; Tue, 20 Jul 2021 21:33:44 +0000 (UTC)
+Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
+        id S231676AbhGTUw7 (ORCPT
+        <rfc822;linux-wireless@archiver.kernel.org>);
+        Tue, 20 Jul 2021 16:52:59 -0400
+Received: from so254-9.mailgun.net ([198.61.254.9]:51945 "EHLO
+        so254-9.mailgun.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+        with ESMTP id S234001AbhGTUvt (ORCPT
+        <rfc822;linux-wireless@vger.kernel.org>);
+        Tue, 20 Jul 2021 16:51:49 -0400
+DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed; d=mg.codeaurora.org; q=dns/txt;
+ s=smtp; t=1626816747; h=Content-Transfer-Encoding: MIME-Version:
+ References: In-Reply-To: Message-Id: Date: Subject: Cc: To: From:
+ Sender; bh=pTgIsAFvKI5zaKS8j6HkCt9Dr4xbghRAApcXu+jUG8M=; b=ZAAksGTytroGGn4JtQ3J6nCBuDx5xyVpnhflyyy4ZihH6zkONxlfFzdmrU9OAB7jqgetM0bw
+ aodI6LSEYmEo+yYTMvYfRD+vtYNqbnEtj3Er8kXZA+EaraVr1rhQNUCootlK9BaqAyA+ckoS
+ iUediQZtUI3serWUbPDTPAUCDn8=
+X-Mailgun-Sending-Ip: 198.61.254.9
+X-Mailgun-Sid: WyI3YTAwOSIsICJsaW51eC13aXJlbGVzc0B2Z2VyLmtlcm5lbC5vcmciLCAiYmU5ZTRhIl0=
+Received: from smtp.codeaurora.org
+ (ec2-35-166-182-171.us-west-2.compute.amazonaws.com [35.166.182.171]) by
+ smtp-out-n01.prod.us-east-1.postgun.com with SMTP id
+ 60f740d74815712f3a66316d (version=TLS1.2,
+ cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Tue, 20 Jul 2021 21:32:07
+ GMT
+Sender: jouni=codeaurora.org@mg.codeaurora.org
+Received: by smtp.codeaurora.org (Postfix, from userid 1001)
+        id AE3D3C43217; Tue, 20 Jul 2021 21:32:06 +0000 (UTC)
+Received: from jouni.codeaurora.org (85-76-67-217-nat.elisa-mobile.fi [85.76.67.217])
+        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
+        (No client certificate requested)
+        (Authenticated sender: jouni)
+        by smtp.codeaurora.org (Postfix) with ESMTPSA id BA686C433D3;
+        Tue, 20 Jul 2021 21:32:04 +0000 (UTC)
+DMARC-Filter: OpenDMARC Filter v1.3.2 smtp.codeaurora.org BA686C433D3
+Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; dmarc=none (p=none dis=none) header.from=codeaurora.org
+Authentication-Results: aws-us-west-2-caf-mail-1.web.codeaurora.org; spf=fail smtp.mailfrom=jouni@codeaurora.org
+From:   Jouni Malinen <jouni@codeaurora.org>
+To:     Kalle Valo <kvalo@codeaurora.org>
+Cc:     ath11k@lists.infradead.org, linux-wireless@vger.kernel.org,
+        Karthikeyan Periyasamy <periyasa@codeaurora.org>,
+        Jouni Malinen <jouni@codeaurora.org>
+Subject: [PATCH 2/2] ath11k: fix 4addr multicast packet tx
+Date:   Wed, 21 Jul 2021 00:31:47 +0300
+Message-Id: <20210720213147.90042-2-jouni@codeaurora.org>
+X-Mailer: git-send-email 2.25.1
+In-Reply-To: <20210720213147.90042-1-jouni@codeaurora.org>
+References: <20210720213147.90042-1-jouni@codeaurora.org>
+MIME-Version: 1.0
+Content-Transfer-Encoding: 8bit
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless@vger.kernel.org
+List-Archive: <https://lore.kernel.org/linux-wireless/>
+
+From: Karthikeyan Periyasamy <periyasa@codeaurora.org>
+
+In 4addr, AP wired backbone to STA wired backbone ping fails due to ARP
+request not getting answered. Here 4addr ARP multicast packet is sent in
+3addr, so that 4addr STA not honouring the 3addr ARP multicast packet.
+Fix this issue by sending out multicast packet in 4addr format, firmware
+expects peer meta flag instead of vdev meta flag in Tx descriptor.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01641-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Karthikeyan Periyasamy <periyasa@codeaurora.org>
+Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h  |  1 +
+ drivers/net/wireless/ath/ath11k/dp_tx.c | 12 ++++++++++--
+ drivers/net/wireless/ath/ath11k/dp_tx.h |  2 +-
+ drivers/net/wireless/ath/ath11k/mac.c   |  6 +++++-
+ drivers/net/wireless/ath/ath11k/peer.c  | 11 +++++++++++
+ 5 files changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
+index 11c8dffd0236..6a6cabdd3e30 100644
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -377,6 +377,7 @@ struct ath11k_sta {
+ #endif
+ 
+ 	bool use_4addr_set;
++	u16 tcl_metadata;
+ };
+ 
+ #define ATH11K_MIN_5G_FREQ 4150
+diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.c b/drivers/net/wireless/ath/ath11k/dp_tx.c
+index 8bba5234f81f..3acdd4050d5b 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_tx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c
+@@ -78,7 +78,7 @@ enum hal_encrypt_type ath11k_dp_tx_get_encrypt_type(u32 cipher)
+ }
+ 
+ int ath11k_dp_tx(struct ath11k *ar, struct ath11k_vif *arvif,
+-		 struct sk_buff *skb)
++		 struct ath11k_sta *arsta, struct sk_buff *skb)
+ {
+ 	struct ath11k_base *ab = ar->ab;
+ 	struct ath11k_dp *dp = &ab->dp;
+@@ -145,7 +145,15 @@ int ath11k_dp_tx(struct ath11k *ar, struct ath11k_vif *arvif,
+ 		     FIELD_PREP(DP_TX_DESC_ID_MSDU_ID, ret) |
+ 		     FIELD_PREP(DP_TX_DESC_ID_POOL_ID, pool_id);
+ 	ti.encap_type = ath11k_dp_tx_get_encap_type(arvif, skb);
+-	ti.meta_data_flags = arvif->tcl_metadata;
++
++	if (ieee80211_has_a4(hdr->frame_control) &&
++	    is_multicast_ether_addr(hdr->addr3) && arsta &&
++	    arsta->use_4addr_set) {
++		ti.meta_data_flags = arsta->tcl_metadata;
++		ti.flags0 |= FIELD_PREP(HAL_TCL_DATA_CMD_INFO1_TO_FW, 1);
++	} else {
++		ti.meta_data_flags = arvif->tcl_metadata;
++	}
+ 
+ 	if (ti.encap_type == HAL_TCL_ENCAP_TYPE_RAW) {
+ 		if (skb_cb->flags & ATH11K_SKB_CIPHER_SET) {
+diff --git a/drivers/net/wireless/ath/ath11k/dp_tx.h b/drivers/net/wireless/ath/ath11k/dp_tx.h
+index f8a9f9c8e444..698b907b878d 100644
+--- a/drivers/net/wireless/ath/ath11k/dp_tx.h
++++ b/drivers/net/wireless/ath/ath11k/dp_tx.h
+@@ -17,7 +17,7 @@ struct ath11k_dp_htt_wbm_tx_status {
+ 
+ int ath11k_dp_tx_htt_h2t_ver_req_msg(struct ath11k_base *ab);
+ int ath11k_dp_tx(struct ath11k *ar, struct ath11k_vif *arvif,
+-		 struct sk_buff *skb);
++		 struct ath11k_sta *arsta, struct sk_buff *skb);
+ void ath11k_dp_tx_completion_handler(struct ath11k_base *ab, int ring_id);
+ int ath11k_dp_tx_send_reo_cmd(struct ath11k_base *ab, struct dp_rx_tid *rx_tid,
+ 			      enum hal_reo_cmd_type type,
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index d42637ecbf1e..e8da4af82221 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -4356,6 +4356,7 @@ static void ath11k_mac_op_tx(struct ieee80211_hw *hw,
+ 	struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+ 	struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
+ 	struct ieee80211_key_conf *key = info->control.hw_key;
++	struct ath11k_sta *arsta = NULL;
+ 	u32 info_flags = info->flags;
+ 	bool is_prb_rsp;
+ 	int ret;
+@@ -4381,7 +4382,10 @@ static void ath11k_mac_op_tx(struct ieee80211_hw *hw,
+ 		return;
+ 	}
+ 
+-	ret = ath11k_dp_tx(ar, arvif, skb);
++	if (control->sta)
++		arsta = (struct ath11k_sta *)control->sta->drv_priv;
++
++	ret = ath11k_dp_tx(ar, arvif, arsta, skb);
+ 	if (ret) {
+ 		ath11k_warn(ar->ab, "failed to transmit frame %d\n", ret);
+ 		ieee80211_free_txskb(ar->hw, skb);
+diff --git a/drivers/net/wireless/ath/ath11k/peer.c b/drivers/net/wireless/ath/ath11k/peer.c
+index f49abefa9618..85471f8b3563 100644
+--- a/drivers/net/wireless/ath/ath11k/peer.c
++++ b/drivers/net/wireless/ath/ath11k/peer.c
+@@ -251,6 +251,7 @@ int ath11k_peer_create(struct ath11k *ar, struct ath11k_vif *arvif,
+ 		       struct ieee80211_sta *sta, struct peer_create_params *param)
+ {
+ 	struct ath11k_peer *peer;
++	struct ath11k_sta *arsta;
+ 	int ret;
+ 
+ 	lockdep_assert_held(&ar->conf_mutex);
+@@ -319,6 +320,16 @@ int ath11k_peer_create(struct ath11k *ar, struct ath11k_vif *arvif,
+ 	peer->sec_type = HAL_ENCRYPT_TYPE_OPEN;
+ 	peer->sec_type_grp = HAL_ENCRYPT_TYPE_OPEN;
+ 
++	if (sta) {
++		arsta = (struct ath11k_sta *)sta->drv_priv;
++		arsta->tcl_metadata |= FIELD_PREP(HTT_TCL_META_DATA_TYPE, 0) |
++				       FIELD_PREP(HTT_TCL_META_DATA_PEER_ID,
++						  peer->peer_id);
++
++		/* set HTT extension valid bit to 0 by default */
++		arsta->tcl_metadata &= ~HTT_TCL_META_DATA_VALID_HTT;
++	}
++
+ 	ar->num_peers++;
+ 
+ 	spin_unlock_bh(&ar->ab->base_lock);
+-- 
+2.25.1
+
diff --git a/package/kernel/mac80211/patches/ath11k/008-v5.14-ath11k-Avoid-memcpy-over-reading-of-he_cap.patch b/package/kernel/mac80211/patches/ath11k/008-v5.14-ath11k-Avoid-memcpy-over-reading-of-he_cap.patch
new file mode 100644
index 000000000..aad8dc65a
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/008-v5.14-ath11k-Avoid-memcpy-over-reading-of-he_cap.patch
@@ -0,0 +1,47 @@
+From c8bcd82a4efd053cdd5ce515a8b0003011a5f756 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Wed, 16 Jun 2021 12:54:10 -0700
+Subject: [PATCH] ath11k: Avoid memcpy() over-reading of he_cap
+
+In preparation for FORTIFY_SOURCE performing compile-time and run-time
+field bounds checking for memcpy(), memmove(), and memset(), avoid
+intentionally writing across neighboring array fields.
+
+Since peer_he_cap_{mac,phy}info and he_cap_elem.{mac,phy}_cap_info are not
+the same sizes, memcpy() was reading beyond field boundaries. Instead,
+correctly cap the copy length and pad out any difference in size
+(peer_he_cap_macinfo is 8 bytes whereas mac_cap_info is 6, and
+peer_he_cap_phyinfo is 12 bytes whereas phy_cap_info is 11).
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/20210616195410.1232119-1-keescook@chromium.org
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mac.c b/drivers/net/wireless/ath/ath11k/mac.c
+index eb52332dbe3f13..e9b3689331ec2a 100644
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -1314,10 +1314,16 @@ static void ath11k_peer_assoc_h_he(struct ath11k *ar,
+ 
+ 	arg->he_flag = true;
+ 
+-	memcpy(&arg->peer_he_cap_macinfo, he_cap->he_cap_elem.mac_cap_info,
+-	       sizeof(arg->peer_he_cap_macinfo));
+-	memcpy(&arg->peer_he_cap_phyinfo, he_cap->he_cap_elem.phy_cap_info,
+-	       sizeof(arg->peer_he_cap_phyinfo));
++	memcpy_and_pad(&arg->peer_he_cap_macinfo,
++		       sizeof(arg->peer_he_cap_macinfo),
++		       he_cap->he_cap_elem.mac_cap_info,
++		       sizeof(he_cap->he_cap_elem.mac_cap_info),
++		       0);
++	memcpy_and_pad(&arg->peer_he_cap_phyinfo,
++		       sizeof(arg->peer_he_cap_phyinfo),
++		       he_cap->he_cap_elem.phy_cap_info,
++		       sizeof(he_cap->he_cap_elem.phy_cap_info),
++		       0);
+ 	arg->peer_he_ops = vif->bss_conf.he_oper.params;
+ 
+ 	/* the top most byte is used to indicate BSS color info */
diff --git a/package/kernel/mac80211/patches/ath11k/009-v5.15-ath11k-set-register-access-length-for-MHI-driver.patch b/package/kernel/mac80211/patches/ath11k/009-v5.15-ath11k-set-register-access-length-for-MHI-driver.patch
new file mode 100644
index 000000000..40942e4bb
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/009-v5.15-ath11k-set-register-access-length-for-MHI-driver.patch
@@ -0,0 +1,31 @@
+From fb359946c3effad77a3ac8ebc943ea5cac22d335 Mon Sep 17 00:00:00 2001
+From: Bhaumik Bhatt <bbhatt@codeaurora.org>
+Date: Thu, 6 May 2021 12:51:43 -0700
+Subject: [PATCH] ath11k: set register access length for MHI driver
+
+MHI driver requires register space length to add range checks and
+prevent memory region accesses outside of that for MMIO space.
+Set it before registering the MHI controller.
+
+Signed-off-by: Bhaumik Bhatt <bbhatt@codeaurora.org>
+Reviewed-by: Hemant Kumar <hemantk@codeaurora.org>
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Acked-by: Kalle Valo <kvalo@codeaurora.org>
+Link: https://lore.kernel.org/r/1620330705-40192-5-git-send-email-bbhatt@codeaurora.org
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+---
+ drivers/net/wireless/ath/ath11k/mhi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c
+index 27b394d115e26a..e097ae52e25733 100644
+--- a/drivers/net/wireless/ath/ath11k/mhi.c
++++ b/drivers/net/wireless/ath/ath11k/mhi.c
+@@ -330,6 +330,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
+ 	mhi_ctrl->cntrl_dev = ab->dev;
+ 	mhi_ctrl->fw_image = ab_pci->amss_path;
+ 	mhi_ctrl->regs = ab->mem;
++	mhi_ctrl->reg_len = ab->mem_len;
+ 
+ 	ret = ath11k_mhi_get_msi(ab_pci);
+ 	if (ret) {