From: Ben Greear Do not call iwl_mld_sta_from_mac80211(sta) unless we have verified sta is non NULL. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/agg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/agg.c b/drivers/net/wireless/intel/iwlwifi/mld/agg.c index 3bf36f8f6874..a757077b0a7a 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/agg.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/agg.c @@ -194,7 +194,7 @@ iwl_mld_reorder(struct iwl_mld *mld, struct napi_struct *napi, struct iwl_mld_baid_data *baid_data; struct iwl_mld_reorder_buffer *buffer; struct iwl_mld_reorder_buf_entry *entries; - struct iwl_mld_sta *mld_sta = iwl_mld_sta_from_mac80211(sta); + struct iwl_mld_sta *mld_sta; struct iwl_mld_link_sta *mld_link_sta; u32 reorder = le32_to_cpu(desc->reorder_data); bool amsdu, last_subframe, is_old_sn, is_dup; @@ -221,6 +221,8 @@ iwl_mld_reorder(struct iwl_mld *mld, struct napi_struct *napi, "Got valid BAID without a valid station assigned\n")) return IWL_MLD_PASS_SKB; + mld_sta = iwl_mld_sta_from_mac80211(sta); + /* not a data packet */ if (!ieee80211_is_data_qos(hdr->frame_control) || is_multicast_ether_addr(hdr->addr1)) -- 2.42.0 From: Ben Greear A crash was seen in this area, protect against null. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/stats.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/stats.c b/drivers/net/wireless/intel/iwlwifi/mld/stats.c index 7b8709716324..8d6bd7219b94 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/stats.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/stats.c @@ -415,7 +415,7 @@ iwl_mld_process_per_link_stats(struct iwl_mld *mld, bss_conf = wiphy_dereference(mld->wiphy, mld->fw_id_to_bss_conf[fw_id]); - if (!bss_conf || bss_conf->vif->type != NL80211_IFTYPE_STATION) + if (!bss_conf || !bss_conf->vif || bss_conf->vif->type != NL80211_IFTYPE_STATION) continue; link_stats = &per_link[fw_id]; -- 2.42.0 From: Ben Greear Check for error pointers and warn and assign to NULL in that case so that mac80211 code does not try to use it to create debugfs objects inside the invalid wiphy debugfs inode. Signed-off-by: Ben Greear --- net/wireless/core.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/net/wireless/core.c b/net/wireless/core.c index 23afc250bc10..16cfc249fde6 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -1041,6 +1041,12 @@ int wiphy_register(struct wiphy *wiphy) /* add to debugfs */ rdev->wiphy.debugfsdir = debugfs_create_dir(wiphy_name(&rdev->wiphy), ieee80211_debugfs_dir); + if (IS_ERR(rdev->wiphy.debugfsdir)) { + pr_err("Failed to create wiphy.debugfsdir, rv: %ld phyd: 0x%px\n", + (long)(rdev->wiphy.debugfsdir), ieee80211_debugfs_dir); + rdev->wiphy.debugfsdir = NULL; + } + if (wiphy->n_radio > 0) { int idx; char radio_name[RADIO_DEBUGFSDIR_MAX_LEN]; @@ -1887,6 +1893,11 @@ static int __init cfg80211_init(void) goto out_fail_nl80211; ieee80211_debugfs_dir = debugfs_create_dir("ieee80211", NULL); + if (IS_ERR(ieee80211_debugfs_dir)) { + pr_info("Failed to create ieee80211 debugfs dir, rv: %ld\n", + (long)(ieee80211_debugfs_dir)); + ieee80211_debugfs_dir = NULL; + } err = regulatory_init(); if (err) -- 2.42.0 From: Ben Greear Add return error checking for the debugfs directory create calls. Assign error pointers to NULL instead of potential error codes that the create logic may return. Signed-off-by: Ben Greear --- net/mac80211/debugfs.c | 11 +++++++++++ net/mac80211/debugfs_key.c | 6 ++++++ net/mac80211/debugfs_netdev.c | 33 +++++++++++++++++++++++++++++++++ net/mac80211/debugfs_sta.c | 15 +++++++++++++++ 4 files changed, 65 insertions(+) diff --git a/net/mac80211/debugfs.c b/net/mac80211/debugfs.c index e8d0a8b71d59..1f428f8a7633 100644 --- a/net/mac80211/debugfs.c +++ b/net/mac80211/debugfs.c @@ -680,6 +680,12 @@ void debugfs_hw_add(struct ieee80211_local *local) return; local->debugfs.keys = debugfs_create_dir("keys", phyd); + if (IS_ERR(local->debugfs.keys)) { + pr_err("Failed to create local keys debugfs dir, rv: %ld phyd: 0x%px\n", + (long)(local->debugfs.keys), phyd); + local->debugfs.keys = NULL; + return; + } DEBUGFS_ADD(total_ps_buffered); DEBUGFS_ADD(wep_iv); @@ -705,6 +711,11 @@ void debugfs_hw_add(struct ieee80211_local *local) phyd, &local->aql_threshold); statsd = debugfs_create_dir("statistics", phyd); + if (IS_ERR(statsd)) { + pr_err("Failed to create local stats debugfs dir, rv: %ld phyd: 0x%px\n", + (long)(statsd), phyd); + return; + } #ifdef CONFIG_MAC80211_DEBUG_COUNTERS DEBUGFS_STATS_ADD(dot11TransmittedFragmentCount); diff --git a/net/mac80211/debugfs_key.c b/net/mac80211/debugfs_key.c index 117f58af5ff9..670bcfa8c4ed 100644 --- a/net/mac80211/debugfs_key.c +++ b/net/mac80211/debugfs_key.c @@ -335,6 +335,12 @@ void ieee80211_debugfs_key_add(struct ieee80211_key *key) keycount++; key->debugfs.dir = debugfs_create_dir(buf, key->local->debugfs.keys); + if (IS_ERR(key->debugfs.dir)) { + pr_err("Failed to create key debugfs dir, rv: %ld phyd: 0x%px\n", + (long)(key->debugfs.dir), key->local->debugfs.keys); + key->debugfs.dir = NULL; + return; + } sta = key->sta; if (sta) { diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c index f3c6a41e4911..51d2ae232a85 100644 --- a/net/mac80211/debugfs_netdev.c +++ b/net/mac80211/debugfs_netdev.c @@ -882,6 +882,11 @@ static void add_mesh_stats(struct ieee80211_sub_if_data *sdata) { struct dentry *dir = debugfs_create_dir("mesh_stats", sdata->vif.debugfs_dir); + if (IS_ERR(dir)) { + sdata_err(sdata, "Failed to create mesh stats dir, rv: %ld vif dir: 0x%px\n", + (long)(dir), sdata->vif.debugfs_dir); + return; + } #define MESHSTATS_ADD(name)\ debugfs_create_file(#name, 0400, dir, sdata, &name##_ops) @@ -897,6 +902,11 @@ static void add_mesh_config(struct ieee80211_sub_if_data *sdata) { struct dentry *dir = debugfs_create_dir("mesh_config", sdata->vif.debugfs_dir); + if (IS_ERR(dir)) { + sdata_err(sdata, "Failed to create mesh config dir, rv: %ld vif dir: 0x%px\n", + (long)(dir), sdata->vif.debugfs_dir); + return; + } #define MESHPARAMS_ADD(name) \ debugfs_create_file(#name, 0600, dir, sdata, &name##_ops) @@ -1003,10 +1013,25 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata, sprintf(buf, "netdev:%s", sdata->name); sdata->vif.debugfs_dir = debugfs_create_dir(buf, sdata->local->hw.wiphy->debugfsdir); + + if (IS_ERR(sdata->vif.debugfs_dir)) { + sdata_err(sdata, "Failed to create netdev dir, rv: %ld name: %s wiphy dir: 0x%px\n", + (long)(sdata->vif.debugfs_dir), buf, sdata->local->hw.wiphy->debugfsdir); + sdata->vif.debugfs_dir = NULL; + return; + } + /* deflink also has this */ sdata->deflink.debugfs_dir = sdata->vif.debugfs_dir; + sdata->debugfs.subdir_stations = debugfs_create_dir("stations", sdata->vif.debugfs_dir); + if (IS_ERR(sdata->debugfs.subdir_stations)) { + sdata_err(sdata, "Failed to create netdev subdir-stations dir, rv: %ld wiphy dir: 0x%px\n", + (long)(sdata->debugfs.subdir_stations), sdata->vif.debugfs_dir); + sdata->debugfs.subdir_stations = NULL; + return; + } add_files(sdata); if (!mld_vif) add_link_files(&sdata->deflink, sdata->vif.debugfs_dir); @@ -1058,6 +1083,14 @@ void ieee80211_link_debugfs_add(struct ieee80211_link_data *link) debugfs_create_dir(link_dir_name, link->sdata->vif.debugfs_dir); + if (IS_ERR(link->debugfs_dir)) { + sdata_err(link->sdata, "Failed to create debugfs dir, rv: %ld link-dir-name: %s vif dir: 0x%px\n", + (long)(link->debugfs_dir), link_dir_name, + link->sdata->vif.debugfs_dir); + link->debugfs_dir = NULL; + return; + } + DEBUGFS_ADD(link->debugfs_dir, addr); add_link_files(link, link->debugfs_dir); } diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c index ef75255d47d5..23cb2099e3b3 100644 --- a/net/mac80211/debugfs_sta.c +++ b/net/mac80211/debugfs_sta.c @@ -1250,6 +1250,12 @@ void ieee80211_sta_debugfs_add(struct sta_info *sta) * dir might still be around. */ sta->debugfs_dir = debugfs_create_dir(mac, stations_dir); + if (IS_ERR(sta->debugfs_dir)) { + sdata_err(sdata, "Failed to create sta debugfs dir, rv: %ld name: %s stations dir: 0x%px\n", + (long)(sta->debugfs_dir), mac, stations_dir); + sta->debugfs_dir = NULL; + return; + } DEBUGFS_ADD(flags); DEBUGFS_ADD(aid); @@ -1303,6 +1309,15 @@ void ieee80211_link_sta_debugfs_add(struct link_sta_info *link_sta) debugfs_create_dir(link_dir_name, link_sta->sta->debugfs_dir); + if (IS_ERR(link_sta->debugfs_dir)) { + sdata_err(link_sta->sta->sdata, + "Failed to create link-sta debugfs dir, rv: %ld name: %s stations dir: 0x%px\n", + (long)(link_sta->debugfs_dir), link_dir_name, + link_sta->sta->debugfs_dir); + link_sta->debugfs_dir = NULL; + return; + } + DEBUGFS_ADD(addr); } else { if (WARN_ON(link_sta != &link_sta->sta->deflink)) -- 2.42.0 From: Ben Greear If sdata-in-driver-check fails, then we assume STA is definitely not in the driver, and so going to less connected states should not fail. Signed-off-by: Ben Greear --- net/mac80211/driver-ops.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c index 49753b73aba2..59998d0af3ff 100644 --- a/net/mac80211/driver-ops.c +++ b/net/mac80211/driver-ops.c @@ -143,8 +143,12 @@ int drv_sta_state(struct ieee80211_local *local, lockdep_assert_wiphy(local->hw.wiphy); sdata = get_bss_sdata(sdata); - if (!check_sdata_in_driver(sdata)) + if (!check_sdata_in_driver(sdata)) { + /* Going down should not fail in this case. */ + if (new_state < old_state) + return 0; return -EIO; + } trace_drv_sta_state(local, sdata, &sta->sta, old_state, new_state); if (local->ops->sta_state) { -- 2.42.0 From: Ben Greear The hope is that this would allow cleanup code to run properly in case this fails halfway through. Signed-off-by: Ben Greear --- net/mac80211/sta_info.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 4259e9c13ed7..ad211c714dbb 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -836,18 +836,18 @@ static int sta_info_insert_drv_state(struct ieee80211_local *local, err = drv_sta_state(local, sdata, sta, state, state + 1); if (err) break; - } - - if (!err) { /* * Drivers using legacy sta_add/sta_remove callbacks only * get uploaded set to true after sta_add is called. + * We are at least somewhat added now. */ if (!local->ops->sta_add) sta->uploaded = true; - return 0; } + if (!err) + return 0; + if (sdata->vif.type == NL80211_IFTYPE_ADHOC) { sdata_info(sdata, "failed to move IBSS STA %pM to state %d (%d) - keeping it anyway\n", -- 2.42.0 From: Ben Greear When recursively removing debugfs files, clean up child link debugfs pointers since the recursive removal will have deleted their memory. This fixes use-after-free problem when those child links are eventually cleaned up. Signed-off-by: Ben Greear --- net/mac80211/debugfs_netdev.c | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c index 51d2ae232a85..bc2da35db4ae 100644 --- a/net/mac80211/debugfs_netdev.c +++ b/net/mac80211/debugfs_netdev.c @@ -1039,9 +1039,28 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata, void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata) { + struct ieee80211_link_data *link; + int i; + if (!sdata->vif.debugfs_dir) return; + /* In case where there were errors on station creation and maybe + * teardown, we may get here with some links still active. We are + * about to recursively delete debugfs, so remove any pointers the + * links may have. + */ + rcu_read_lock(); + + for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) { + link = rcu_access_pointer(sdata->link[i]); + if (!link) + continue; + + link->debugfs_dir = NULL; + } + rcu_read_unlock(); + debugfs_remove_recursive(sdata->vif.debugfs_dir); sdata->vif.debugfs_dir = NULL; sdata->debugfs.subdir_stations = NULL; -- 2.42.0 From: Ben Greear Safety checks in case links are not be properly cleaned up at the time we are removing netdev debugfs. Since link debugfs is child of netdev debugfs, and we are about to recursively clean up the netdev tree, be sure to null out any debugfs inode pointers in the child links. Root cause of the inode use-after-free is something different, but this patch may also make system more resiliant. Signed-off-by: Ben Greear --- net/mac80211/debugfs_netdev.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c index bc2da35db4ae..000859b8c005 100644 --- a/net/mac80211/debugfs_netdev.c +++ b/net/mac80211/debugfs_netdev.c @@ -1037,9 +1037,33 @@ static void ieee80211_debugfs_add_netdev(struct ieee80211_sub_if_data *sdata, add_link_files(&sdata->deflink, sdata->vif.debugfs_dir); } +static void +ieee80211_debugfs_clear_link_ptr(struct ieee80211_sub_if_data *sdata, + struct dentry *dir) +{ + struct ieee80211_link_data *link; + int i; + + rcu_read_lock(); + + if (sdata->vif.debugfs_dir == dir) + sdata->vif.debugfs_dir = NULL; + + for (i = 0; i < IEEE80211_MLD_MAX_NUM_LINKS; i++) { + link = rcu_access_pointer(sdata->link[i]); + if (!link) + continue; + + if (dir == link->debugfs_dir) + link->debugfs_dir = NULL; + } + rcu_read_unlock(); +} + void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata) { struct ieee80211_link_data *link; + struct dentry *dir; int i; if (!sdata->vif.debugfs_dir) @@ -1061,8 +1085,10 @@ void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata) } rcu_read_unlock(); - debugfs_remove_recursive(sdata->vif.debugfs_dir); + dir = sdata->vif.debugfs_dir; + debugfs_remove_recursive(dir); sdata->vif.debugfs_dir = NULL; + ieee80211_debugfs_clear_link_ptr(sdata, dir); sdata->debugfs.subdir_stations = NULL; } @@ -1151,7 +1177,7 @@ void ieee80211_link_debugfs_drv_remove(struct ieee80211_link_data *link) /* Recreate the directory excluding the driver data */ debugfs_remove_recursive(link->debugfs_dir); - link->debugfs_dir = NULL; + ieee80211_debugfs_clear_link_ptr(link->sdata, link->debugfs_dir); ieee80211_link_debugfs_add(link); } -- 2.42.0 From: Ben Greear But still log it to dmesg. Signed-off-by: Ben Greear --- net/mac80211/driver-ops.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h index 51bf3c7822a7..e2283d7dcd1e 100644 --- a/net/mac80211/driver-ops.h +++ b/net/mac80211/driver-ops.h @@ -1035,8 +1035,10 @@ static inline void drv_remove_chanctx(struct ieee80211_local *local, might_sleep(); lockdep_assert_wiphy(local->hw.wiphy); - if (WARN_ON(!ctx->driver_present)) + if (WARN_ON_ONCE(!ctx->driver_present)) { + pr_err("drv-remove-chanctx, NOT driver_present, not sending request to driver."); return; + } trace_drv_remove_chanctx(local, ctx); if (local->ops->remove_chanctx) -- 2.42.0 From: Ben Greear I saw an instance where use-after-free was found when attempting to delete sta's debugfs. Add check to netdev debugfs free logic to ensure any sta's that still exist have nulled out debugfs entries since netdev is going to do a recursive debugfs delete. Signed-off-by: Ben Greear --- net/mac80211/debugfs_netdev.c | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/net/mac80211/debugfs_netdev.c b/net/mac80211/debugfs_netdev.c index 000859b8c005..2e4bc34e6c5c 100644 --- a/net/mac80211/debugfs_netdev.c +++ b/net/mac80211/debugfs_netdev.c @@ -1063,6 +1063,8 @@ ieee80211_debugfs_clear_link_ptr(struct ieee80211_sub_if_data *sdata, void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata) { struct ieee80211_link_data *link; + struct rhashtable_iter hti; + struct sta_info *sta; struct dentry *dir; int i; @@ -1083,6 +1085,28 @@ void ieee80211_debugfs_remove_netdev(struct ieee80211_sub_if_data *sdata) link->debugfs_dir = NULL; } + + /* And, same for all stations. See ieee80211_sta_debugfs_add where + * they are added to the sdata->debugfs.subdir_stations directory + */ + rhashtable_walk_enter(&sdata->local->sta_hash.ht, &hti); + rhashtable_walk_start(&hti); + + while ((sta = rhashtable_walk_next(&hti))) { + if (IS_ERR(sta)) { + if (PTR_ERR(sta) != -EAGAIN) + break; + continue; + } + if (sta->sdata != sdata) + continue; + + sta->debugfs_dir = NULL; + } + + rhashtable_walk_stop(&hti); + rhashtable_walk_exit(&hti); + rcu_read_unlock(); dir = sdata->vif.debugfs_dir; -- 2.42.0 From: Ben Greear If memory cannot be allocated, clear the fw_id_to_link_sta so there is not a dangling pointer that may later be accessed and cause use-after-free. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/sta.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/sta.c b/drivers/net/wireless/intel/iwlwifi/mld/sta.c index 6b7a89e050e6..c478cee570a2 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/sta.c @@ -540,8 +540,10 @@ iwl_mld_add_link_sta(struct iwl_mld *mld, struct ieee80211_link_sta *link_sta) mld_link_sta = &mld_sta->deflink; } else { mld_link_sta = kzalloc_obj(*mld_link_sta); - if (!mld_link_sta) + if (!mld_link_sta) { + RCU_INIT_POINTER(mld->fw_id_to_link_sta[fw_id], NULL); return -ENOMEM; + } } mld_link_sta->fw_id = fw_id; -- 2.42.0 From: Ben Greear To give better understanding of how and when failures happen. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/sta.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/sta.c b/drivers/net/wireless/intel/iwlwifi/mld/sta.c index c478cee570a2..6338ca46f68e 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/sta.c @@ -574,7 +574,8 @@ static int iwl_mld_rm_sta_from_fw(struct iwl_mld *mld, u8 fw_sta_id) WIDE_ID(MAC_CONF_GROUP, STA_REMOVE_CMD), &cmd); if (ret) - IWL_ERR(mld, "Failed to remove station. Id=%d\n", fw_sta_id); + IWL_ERR(mld, "Failed to remove station. Id=%d ret: %d\n", + fw_sta_id, ret); return ret; } @@ -735,8 +736,10 @@ int iwl_mld_add_sta(struct iwl_mld *mld, struct ieee80211_sta *sta, int ret; ret = iwl_mld_init_sta(mld, sta, vif, type); - if (ret) + if (ret) { + IWL_ERR(mld, "iwl-mld-add-sta, mld-init-sta failed. ret=%d\n", ret); return ret; + } /* We could have add only the deflink link_sta, but it will not work * in the restart case if the single link that is active during @@ -744,8 +747,10 @@ int iwl_mld_add_sta(struct iwl_mld *mld, struct ieee80211_sta *sta, */ for_each_sta_active_link(mld_sta->vif, sta, link_sta, link_id) { ret = iwl_mld_add_link_sta(mld, link_sta); - if (ret) + if (ret) { + IWL_ERR(mld, "iwl-mld-add-sta, mld-add-link-sta failed. ret=%d\n", ret); goto destroy_sta; + } } return 0; -- 2.42.0 From: Ben Greear It seems to be expected behaviour, and is seen fairly often in testing in adverse conditions, so make it a one-line log message instead of WARN splat. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/agg.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/agg.c b/drivers/net/wireless/intel/iwlwifi/mld/agg.c index a757077b0a7a..23d55374ef8a 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/agg.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/agg.c @@ -216,10 +216,16 @@ iwl_mld_reorder(struct iwl_mld *mld, struct napi_struct *napi, if (baid == IWL_RX_REORDER_DATA_INVALID_BAID) return IWL_MLD_PASS_SKB; - /* no sta yet */ - if (WARN_ONCE(!sta, - "Got valid BAID without a valid station assigned\n")) + /* no sta yet. This happens fairly often, don't WARN_ON about it. */ + if (!sta) { + static bool done_once; + + if (!done_once) { + IWL_ERR(mld, "Got valid BAID without a valid station assigned, will not log again.\n"); + done_once = true; + } return IWL_MLD_PASS_SKB; + } mld_sta = iwl_mld_sta_from_mac80211(sta); -- 2.42.0 From: Ben Greear And make it WARN_ON_ONCE. Signed-off-by: Ben Greear --- net/mac80211/driver-ops.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/mac80211/driver-ops.c b/net/mac80211/driver-ops.c index 59998d0af3ff..397a0281412a 100644 --- a/net/mac80211/driver-ops.c +++ b/net/mac80211/driver-ops.c @@ -38,8 +38,10 @@ void drv_stop(struct ieee80211_local *local, bool suspend) might_sleep(); lockdep_assert_wiphy(local->hw.wiphy); - if (WARN_ON(!local->started)) + if (WARN_ON_ONCE(!local->started)) { + pr_err("mac80211: drv-stop called but local is not started.\n"); return; + } trace_drv_stop(local, suspend); local->ops->stop(&local->hw, suspend); -- 2.42.0 From: Ben Greear In certain failure paths, the driver is not fully configured, and it fails to find the link object. We still need to remove pointers to the bss_conf to keep from crashing shortly afterwards. Search all indices for stale pointer if we cannot do the fast lookup by ID. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/link.c | 42 +++++++++++++++---- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/link.c b/drivers/net/wireless/intel/iwlwifi/mld/link.c index b5430e8a73d6..1e4959ceb3db 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/link.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/link.c @@ -504,23 +504,49 @@ void iwl_mld_remove_link(struct iwl_mld *mld, struct iwl_mld_vif *mld_vif = iwl_mld_vif_from_mac80211(bss_conf->vif); struct iwl_mld_link *link = iwl_mld_link_from_mac80211(bss_conf); bool is_deflink = link == &mld_vif->deflink; - u8 fw_id = link->fw_id; + u16 fw_id; - if (WARN_ON(!link || link->active)) - return; + if (WARN_ON_ONCE(!link)) { + IWL_ERR(mld, "Remove nonexistent link, bss_conf: 0x%px link-id: %d\n", + bss_conf, bss_conf->link_id); + fw_id = 0xffff; + } else { + fw_id = link->fw_id; + } + + /* Not cleaning it up seems worse than cleaning up an active link, + * so continue on even in warning case. + */ + if (link && WARN_ON_ONCE(link->active)) + IWL_ERR(mld, "Removing active link, id: %d\n", + bss_conf->link_id); iwl_mld_rm_link_from_fw(mld, bss_conf); /* Continue cleanup on failure */ - if (!is_deflink) + if (link && !is_deflink) kfree_rcu(link, rcu_head); + rcu_read_lock(); RCU_INIT_POINTER(mld_vif->link[bss_conf->link_id], NULL); - if (WARN_ON(fw_id >= mld->fw->ucode_capa.num_links)) - return; - - RCU_INIT_POINTER(mld->fw_id_to_bss_conf[fw_id], NULL); + if (fw_id >= mld->fw->ucode_capa.num_links) { + struct ieee80211_bss_conf *tmp_bss_conf; + int i; + + /* Search for any existing back-pointer */ + for (i = 0; i < ARRAY_SIZE(mld->fw_id_to_bss_conf); i++) { + tmp_bss_conf = rcu_dereference(mld->fw_id_to_bss_conf[i]); + if (tmp_bss_conf == bss_conf) { + IWL_ERR(mld, "WARNING: Found bss_conf in fw_id_to_bss_conf[%i], Nulling pointer.\n", + i); + RCU_INIT_POINTER(mld->fw_id_to_bss_conf[i], NULL); + } + } + } else { + RCU_INIT_POINTER(mld->fw_id_to_bss_conf[fw_id], NULL); + } + rcu_read_unlock(); } void iwl_mld_handle_missed_beacon_notif(struct iwl_mld *mld, -- 2.42.0 From: Ben Greear I saw some crashes here in eMLSR torture test, looks like mld_txq was NULL, so add check. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/sta.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/sta.c b/drivers/net/wireless/intel/iwlwifi/mld/sta.c index 6338ca46f68e..288fc4b7604e 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/sta.c @@ -789,7 +789,7 @@ void iwl_mld_wait_sta_txqs_empty(struct iwl_mld *mld, struct ieee80211_sta *sta) struct iwl_mld_txq *mld_txq = iwl_mld_txq_from_mac80211(sta->txq[i]); - if (!mld_txq->status.allocated) + if (!mld_txq || !mld_txq->status.allocated) continue; iwl_trans_wait_txq_empty(mld->trans, mld_txq->fw_id); -- 2.42.0 From: Ben Greear Just splat a WARNING once, and add debug output to indicate a bit about why it is hitting the warn path. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/agg.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/agg.c b/drivers/net/wireless/intel/iwlwifi/mld/agg.c index 23d55374ef8a..413a8688e4eb 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/agg.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/agg.c @@ -496,7 +496,9 @@ static void iwl_mld_free_reorder_buffer(struct iwl_mld *mld, * sync internal DELBA notification should trigger a release * of all frames in the reorder buffer. */ - WARN_ON(1); + WARN_ON_ONCE(1); + IWL_ERR(mld, "free-reorder-buffer problem, rxq: %d num-stored: %d, will purge frames\n", + i, reorder_buf->num_stored); for (int j = 0; j < data->buf_size; j++) __skb_queue_purge(&entries[j].frames); -- 2.42.0 From: Ben Greear Only splat warning once, and improve logging to indicate more about why it is in the problem state. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/mlo.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mlo.c b/drivers/net/wireless/intel/iwlwifi/mld/mlo.c index f842f5183223..7a37ca64a612 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/mlo.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/mlo.c @@ -164,7 +164,10 @@ static void iwl_mld_check_emlsr_prevention(struct iwl_mld *mld, * The timeouts are chosen so that this will not happen, i.e. * IWL_MLD_EMLSR_PREVENT_LONG > IWL_MLD_PREVENT_EMLSR_TIMEOUT */ - WARN_ON(mld_vif->emlsr.exit_repeat_count > 3); + if (WARN_ON_ONCE(mld_vif->emlsr.exit_repeat_count > 3)) { + IWL_ERR(mld, "check-emlsr-prevention exit repeats: %d > 3, blocked-reasons: 0x%x\n", + mld_vif->emlsr.exit_repeat_count, mld_vif->emlsr.blocked_reasons); + } } IWL_DEBUG_EHT(mld, -- 2.42.0 From: Ben Greear Print return code that is causing the failure path. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/rx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/rx.c b/drivers/net/wireless/intel/iwlwifi/mld/rx.c index 214dcfde2fb4..f5c20a3aa869 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/rx.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/rx.c @@ -2204,8 +2204,8 @@ void iwl_mld_sync_rx_queues(struct iwl_mld *mld, ret = wait_event_timeout(mld->rxq_sync.waitq, READ_ONCE(mld->rxq_sync.state) == 0, SYNC_RX_QUEUE_TIMEOUT); - WARN_ONCE(!ret, "RXQ sync failed: state=0x%lx, cookie=%d\n", - mld->rxq_sync.state, mld->rxq_sync.cookie); + WARN_ONCE(!ret, "RXQ sync failed: state=0x%lx, cookie=%d, ret: %d\n", + mld->rxq_sync.state, mld->rxq_sync.cookie, ret); out: mld->rxq_sync.state = 0; -- 2.42.0 From: Ben Greear Indicate that the problem is being fixed. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/mac80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c index 0c53d6bd9651..1557aa2a4866 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c @@ -647,7 +647,7 @@ void iwl_mld_mac80211_stop(struct ieee80211_hw *hw, bool suspend) */ for (int i = 0; i < ARRAY_SIZE(mld->scan.uid_status); i++) if (WARN_ONCE(mld->scan.uid_status[i], - "UMAC scan UID %d status was not cleaned (0x%x 0x%x)\n", + "mac80211-stop: UMAC scan UID %d status was not cleaned (0x%x 0x%x), forcing to 0\n", i, mld->scan.uid_status[i], mld->scan.status)) mld->scan.uid_status[i] = 0; } -- 2.42.0 From: Ben Greear Torture tests were crashing here, protect against a null mld_sta. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/mac80211.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c index 1557aa2a4866..43bc73764dcd 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c @@ -1911,6 +1911,7 @@ static void iwl_mld_mac80211_flush(struct ieee80211_hw *hw, iwl_mld_add_txq_list(mld); for (int i = 0; i < mld->fw->ucode_capa.num_stations; i++) { + struct iwl_mld_sta *mld_sta; struct ieee80211_link_sta *link_sta = wiphy_dereference(mld->wiphy, mld->fw_id_to_link_sta[i]); @@ -1919,7 +1920,8 @@ static void iwl_mld_mac80211_flush(struct ieee80211_hw *hw, continue; /* Check that the sta belongs to the given vif */ - if (vif && vif != iwl_mld_sta_from_mac80211(link_sta->sta)->vif) + mld_sta = iwl_mld_sta_from_mac80211(link_sta->sta); + if (vif && (!mld_sta || vif != mld_sta->vif)) continue; if (drop) -- 2.42.0 From: Ben Greear When hardware is determined by mac80211 to be in non-recoverable state, then SDATA_IN_DRIVER flag is removed, and mac80211 will no longer do any 'graceful' teardown of the objects in the driver. This was causing use-after-free crashes in the iwlwifi driver since it's logic to do internal cleanup is not quite right for some reason. Add an explicit callback to the driver to tell it to clean up whatever it needs to clean up in case mac80211 considers it dead. Signed-off-by: Ben Greear --- include/net/mac80211.h | 7 +++++++ net/mac80211/driver-ops.h | 8 ++++++++ net/mac80211/util.c | 5 +++++ 3 files changed, 20 insertions(+) diff --git a/include/net/mac80211.h b/include/net/mac80211.h index 9cc482191ab9..d963f213863b 100644 --- a/include/net/mac80211.h +++ b/include/net/mac80211.h @@ -3934,6 +3934,12 @@ struct ieee80211_prep_tx_info { * you should ensure to cancel it on this callback. * Must be implemented and can sleep. * + * @force_cleanup: Called after mac80211 determines the + * driver/firmware/hardware has failed and cannot + * be restarted. SDATA_IN_DRIVER is false at this point, + * so normal cleanup will not happen. This force_cleanup + * operation lets the driver do any needed houskeeping. + * * @suspend: Suspend the device; mac80211 itself will quiesce before and * stop transmitting and doing any other configuration, and then * ask the device to suspend. This is only invoked when WoWLAN is @@ -4569,6 +4575,7 @@ struct ieee80211_ops { struct sk_buff *skb); int (*start)(struct ieee80211_hw *hw); void (*stop)(struct ieee80211_hw *hw, bool suspend); + void (*force_cleanup)(struct ieee80211_hw *hw); #ifdef CONFIG_PM int (*suspend)(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan); int (*resume)(struct ieee80211_hw *hw); diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h index e2283d7dcd1e..3bd3d078ce9b 100644 --- a/net/mac80211/driver-ops.h +++ b/net/mac80211/driver-ops.h @@ -300,6 +300,14 @@ static inline void drv_cancel_hw_scan(struct ieee80211_local *local, trace_drv_return_void(local); } +static inline void +drv_force_cleanup(struct ieee80211_local *local) +{ + lockdep_assert_wiphy(local->hw.wiphy); + if (local->ops->force_cleanup) + local->ops->force_cleanup(&local->hw); +} + static inline int drv_sched_scan_start(struct ieee80211_local *local, struct ieee80211_sub_if_data *sdata, diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 55054de62508..ec11ee6b8752 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1692,6 +1692,11 @@ static void ieee80211_handle_reconfig_failure(struct ieee80211_local *local) */ list_for_each_entry(ctx, &local->chanctx_list, list) ctx->driver_present = false; + + /* Tell driver to purge any remaining configuration it may have + * lingering around. + */ + drv_force_cleanup(local); } static void ieee80211_assign_chanctx(struct ieee80211_local *local, -- 2.42.0 From: Ben Greear This lets mac80211 force the driver to clean up any lingering configuration, fixing use-after-free in case of unrecoverable hardware failure. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/mac80211.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c index 43bc73764dcd..31a3818f32bc 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/mac80211.c @@ -560,6 +560,18 @@ iwl_mld_restart_cleanup(struct iwl_mld *mld) iwl_mld_ftm_restart_cleanup(mld); } +/* mac80211 thinks our driver/firmware/hardware has crashed + * and cannot be recovered. Force clean any existing configuration + * (stas, etc), as mac80211 will not attempt further cleanup. + */ +static void iwl_mld_mac80211_force_cleanup(struct ieee80211_hw *hw) +{ + struct iwl_mld *mld = IWL_MAC80211_GET_MLD(hw); + + IWL_ERR(mld, "mac80211-force-cleanup called, calling mld_restart_cleanup.\n"); + iwl_mld_restart_cleanup(mld); +} + static int iwl_mld_mac80211_start(struct ieee80211_hw *hw) { @@ -2717,6 +2729,7 @@ const struct ieee80211_ops iwl_mld_hw_ops = { .config = iwl_mld_mac80211_config, .get_antenna = iwl_mld_get_antenna, .set_antenna = iwl_mld_set_antenna, + .force_cleanup = iwl_mld_mac80211_force_cleanup, .add_interface = iwl_mld_mac80211_add_interface, .remove_interface = iwl_mld_mac80211_remove_interface, .conf_tx = iwl_mld_mac80211_conf_tx, -- 2.42.0 From: Ben Greear It appears that sometimes the sta can be NULL, so check for that and return early. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/sta.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/sta.c b/drivers/net/wireless/intel/iwlwifi/mld/sta.c index 288fc4b7604e..06e064466e3b 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mld/sta.c @@ -779,6 +779,9 @@ void iwl_mld_flush_sta_txqs(struct iwl_mld *mld, struct ieee80211_sta *sta) void iwl_mld_wait_sta_txqs_empty(struct iwl_mld *mld, struct ieee80211_sta *sta) { + if (!sta) + return; + /* Avoid a warning in iwl_trans_wait_txq_empty if are anyway on the way * to a restart. */ -- 2.42.0 From: Ben Greear iwl_mld_txq_from_mac80211 was returning the offset into txq without checking if txq was NULL. In case txq is NULL, this would return a small, but non NULL pointer. The safety check in calling code would then treat it as non-null and attempt to dereference. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/tx.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/tx.h b/drivers/net/wireless/intel/iwlwifi/mld/tx.h index 520f15f9d33c..8b0da098c25f 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/tx.h +++ b/drivers/net/wireless/intel/iwlwifi/mld/tx.h @@ -45,6 +45,8 @@ static inline void iwl_mld_init_txq(struct iwl_mld_txq *mld_txq) static inline struct iwl_mld_txq * iwl_mld_txq_from_mac80211(struct ieee80211_txq *txq) { + if (!txq) + return NULL; return (void *)txq->drv_priv; } -- 2.42.0 From: Ben Greear Re-initialization could cause corruption in work queues in case links were not properly stopped for some reason. Signed-off-by: Ben Greear --- net/mac80211/ieee80211_i.h | 1 + net/mac80211/link.c | 28 ++++++++++++++++++++-------- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index d71e0c6d2165..ac4e10f16cd9 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -1079,6 +1079,7 @@ struct ieee80211_link_data { bool operating_11g_mode; + bool already_initialized; /* has ieee80211_link_init been called? */ struct { struct wiphy_work finalize_work; diff --git a/net/mac80211/link.c b/net/mac80211/link.c index 03bfca27d205..6125e79f67c9 100644 --- a/net/mac80211/link.c +++ b/net/mac80211/link.c @@ -110,14 +110,25 @@ void ieee80211_link_init(struct ieee80211_sub_if_data *sdata, link->user_power_level = sdata->local->user_power_level; link_conf->txpower = INT_MIN; - wiphy_work_init(&link->csa.finalize_work, - ieee80211_csa_finalize_work); - wiphy_work_init(&link->color_change_finalize_work, - ieee80211_color_change_finalize_work); - wiphy_delayed_work_init(&link->color_collision_detect_work, - ieee80211_color_collision_detection_work); - wiphy_hrtimer_work_init(&link->dfs_cac_timer_work, - ieee80211_dfs_cac_timer_work); + if (link->already_initialized) { + wiphy_delayed_work_cancel(link->sdata->local->hw.wiphy, + &link->color_collision_detect_work); + wiphy_work_cancel(link->sdata->local->hw.wiphy, + &link->color_change_finalize_work); + wiphy_work_cancel(link->sdata->local->hw.wiphy, + &link->csa.finalize_work); + wiphy_hrtimer_work_cancel(link->sdata->local->hw.wiphy, + &link->dfs_cac_timer_work); + } else { + wiphy_work_init(&link->csa.finalize_work, + ieee80211_csa_finalize_work); + wiphy_work_init(&link->color_change_finalize_work, + ieee80211_color_change_finalize_work); + wiphy_delayed_work_init(&link->color_collision_detect_work, + ieee80211_color_collision_detection_work); + wiphy_hrtimer_work_init(&link->dfs_cac_timer_work, + ieee80211_dfs_cac_timer_work); + } if (!deflink) { switch (sdata->vif.type) { @@ -138,6 +149,7 @@ void ieee80211_link_init(struct ieee80211_sub_if_data *sdata, ieee80211_link_debugfs_add(link); } + link->already_initialized = true; rcu_assign_pointer(sdata->vif.link_conf[link_id], link_conf); rcu_assign_pointer(sdata->link[link_id], link); } -- 2.42.0 From: Ben Greear While the comment indicates this should not happen, it does at least when firmware is being problematic. Change to WARN_ON_ONCE to decrease log spam. Signed-off-by: Ben Greear --- drivers/net/wireless/intel/iwlwifi/mld/sta.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/intel/iwlwifi/mld/sta.h b/drivers/net/wireless/intel/iwlwifi/mld/sta.h index 1897b121aae2..44c54e6d68e6 100644 --- a/drivers/net/wireless/intel/iwlwifi/mld/sta.h +++ b/drivers/net/wireless/intel/iwlwifi/mld/sta.h @@ -170,7 +170,7 @@ iwl_mld_cleanup_sta(void *data, struct ieee80211_sta *sta) continue; /* Should not happen as link removal should always succeed */ - WARN_ON(1); + WARN_ON_ONCE(1); RCU_INIT_POINTER(mld_sta->link[link_id], NULL); RCU_INIT_POINTER(mld_sta->mld->fw_id_to_link_sta[mld_link_sta->fw_id], NULL); -- 2.42.0 From: Ben Greear Comment one of them out, and make another WARN_ONCE. Signed-off-by: Ben Greear --- net/mac80211/link.c | 1 - net/mac80211/util.c | 3 ++- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/mac80211/link.c b/net/mac80211/link.c index 6125e79f67c9..e3a825ea3a04 100644 --- a/net/mac80211/link.c +++ b/net/mac80211/link.c @@ -544,7 +544,6 @@ static int _ieee80211_set_active_links(struct ieee80211_sub_if_data *sdata, ret = drv_change_sta_links(local, sdata, &sta->sta, old_active | active_links, active_links); - WARN_ON_ONCE(ret); /* * Do it again, just in case - the driver might very diff --git a/net/mac80211/util.c b/net/mac80211/util.c index ec11ee6b8752..df156f8b5211 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1879,7 +1879,8 @@ int ieee80211_reconfig(struct ieee80211_local *local) if (suspended) WARN(1, "Hardware became unavailable upon resume. This could be a software issue prior to suspend or a hardware issue.\n"); else - WARN(1, "Hardware became unavailable during restart.\n"); + WARN_ONCE(1, "Hardware became unavailable during restart: %d\n", res); + ieee80211_wake_queues_by_reason(hw, IEEE80211_MAX_QUEUE_MAP, IEEE80211_QUEUE_STOP_REASON_SUSPEND, false); -- 2.42.0