linux-firmware: bb2d42d

The monitor mode stopped working with iwlwifi. There is a warning from UBSAN: "UBSAN: shift-out-of-bounds in drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c:657:22". The root cause is commit c6ce1c74ef292, which defaults the assignment to 0xFFFF, and that value was then being used for the shift. I have tried to fix the warning with the below patch (just for an experiment, not a proper one); the warning is gone, but no frames are seen in Wireshark. Below is the version information; any help is appreciated, monitor mode is important for me.

```
lspci: Network controller: Intel Corporation Wi-Fi 6 AX201 (rev 20)
[ +0.003790] iwlwifi 0000:00:14.3: api flags index 2 larger than supported by driver
[ +0.000046] iwlwifi 0000:00:14.3: TLV_FW_FSEQ_VERSION: FSEQ Version:89.3.35.37
[ +0.001519] iwlwifi 0000:00:14.3: loaded firmware version 72.daa05125.0 QuZ-a0-hr-b0-72.ucode op_mode iwlmvm
[ +0.034887] iwlwifi 0000:00:14.3: Detected Intel(R) Wi-Fi 6 AX201 160MHz, REV=0x351
[ +0.000083] thermal thermal_zone7: failed to read out thermal zone (-61)
[ +0.122144] iwlwifi 0000:00:14.3: Detected RF HR B3, rfid=0x10a100
[ +0.065701] iwlwifi 0000:00:14.3: base HW address: 4c:79:6e:90:94:71
[ +0.019826] iwlwifi 0000:00:14.3 wlp0s20f3: renamed from wlan0
[ +14.210987] device mon0 entered promiscuous mode
[Jan24 18:20] device mon0 left promiscuous mode
```

```
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c index 83abfe996138..591f9fdd0ec4 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac-ctxt.c 
@@ -654,9 +654,13 @@ static int iwl_mvm_mac_ctxt_cmd_listener(struct iwl_mvm *mvm, u32 action) { struct iwl_mac_ctx_cmd cmd = {}; - u32 tfd_queue_msk = BIT(mvm->snif_queue); + u32 tfd_queue_msk = 0; int ret; + if (mvm->snif_queue != IWL_MVM_INVALID_QUEUE) { + tfd_queue_msk = BIT(mvm->snif_queue); + } + WARN_ON(vif->type != NL80211_IFTYPE_MONITOR); iwl_mvm_mac_ctxt_cmd_common(mvm, vif, &cmd, NULL, action); diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c index 515dd3e0730d..784a7f72b819 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c @@ -2084,6 +2084,7 @@ static int iwl_mvm_add_int_sta_with_queue(struct iwl_mvm *mvm, int macidx, } *queue = txq; + sta->tfd_queue_msk = BIT(*queue); } return 0; @@ -2092,11 +2093,15 @@ static int iwl_mvm_add_int_sta_with_queue(struct iwl_mvm *mvm, int macidx, int iwl_mvm_add_aux_sta(struct iwl_mvm *mvm, u32 lmac_id) { int ret; + u32 tfd_queue_msk = 0; lockdep_assert_held(&mvm->mutex); + if (mvm->aux_queue != IWL_MVM_INVALID_QUEUE) { + tfd_queue_msk = BIT(mvm->aux_queue); + } /* Allocate aux station and assign to it the aux queue */ - ret = iwl_mvm_allocate_int_sta(mvm, &mvm->aux_sta, BIT(mvm->aux_queue), + ret = iwl_mvm_allocate_int_sta(mvm, &mvm->aux_sta, tfd_queue_msk, NL80211_IFTYPE_UNSPECIFIED, IWL_STA_AUX_ACTIVITY); if (ret) ```
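Review bot: In the iwl_mvm_mac_ctxt_cmd_listener hunk, the `if (mvm->snif_queue != IWL_MVM_INVALID_QUEUE)` guard removes the undefined shift but then sends the MAC context command with `tfd_queue_msk = 0` whenever the sniffer queue has not been allocated, which is consistent with the reported symptom of the warning disappearing while no frames reach the monitor interface. The invalid-queue case should be treated as an error (or the queue should be allocated before this point) rather than falling through with an empty mask; at minimum add a WARN_ON so the missing queue is visible in the log. Style: kernel coding style drops the braces around a single-statement `if` body.

Review bot: In the iwl_mvm_add_int_sta_with_queue hunk, `sta->tfd_queue_msk = BIT(*queue);` overwrites the station's queue mask rather than OR-ing the new queue in, and the visible context does not show whether the station has already been sent to the firmware with the previous mask; if it has, the firmware keeps the old value and this assignment changes nothing. Confirm that the assignment happens before the station add command (or that the station is updated afterwards), and use `|=` if a station can own more than one queue.

Review bot: In the iwl_mvm_add_aux_sta hunk, the guard-then-BIT sequence duplicates the one added in mac-ctxt.c; factor it into a small helper (a function returning `BIT(queue)` or 0 for IWL_MVM_INVALID_QUEUE) so the two call sites cannot drift, and drop the braces around the single-statement `if` per kernel style. As in the listener hunk, passing an empty mask to iwl_mvm_allocate_int_sta when aux_queue is unallocated hides the real problem rather than reporting it; consider returning an error there instead.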
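To make the reported root cause concrete, here is a small added C example (not driver code, and not part of the original report) showing why `BIT(queue)` on the 0xFFFF sentinel is undefined behaviour, and how a guarded mask builder that reports the bad index, instead of returning an empty mask, would look. The constant names, the 32-bit mask width and the sample queue indices are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/*
 * Illustrative constants (assumed, not the driver's own definitions):
 * the report says the queue index is defaulted to 0xFFFF, and BIT() on a
 * 32-bit mask is 1u << n, which C leaves undefined for n >= 32.
 */
#define EXAMPLE_INVALID_QUEUE 0xFFFFu
#define MASK_BITS 32u

/* Is a left shift of a 32-bit value by `shift` defined by the C standard? */
static bool shift_is_defined(unsigned int shift)
{
    return shift < MASK_BITS;
}

/*
 * Guarded replacement for an unchecked `BIT(queue)`.
 * Returns 0 on success and fills *mask; returns -1 when the queue is the
 * invalid sentinel or simply too large for the mask, so the caller decides
 * what to do instead of silently sending an empty mask onward.
 */
static int queue_mask(unsigned int queue, uint32_t *mask)
{
    *mask = 0;
    if (queue == EXAMPLE_INVALID_QUEUE || !shift_is_defined(queue))
        return -1;                  /* this is the case that was UB: 1u << 0xFFFF */
    *mask = 1u << queue;            /* shift is in range, well defined */
    return 0;
}

/* Thin wrappers that expose each result as a single return value. */
static int queue_mask_status(unsigned int queue)
{
    uint32_t unused;
    return queue_mask(queue, &unused);
}

static uint32_t queue_mask_value(unsigned int queue)
{
    uint32_t mask;
    (void)queue_mask(queue, &mask);
    return mask;                    /* 0 when the queue was rejected */
}

int main(void)
{
    /* Constructed sample indices: valid ones, the first out-of-range one,
     * and the sentinel from the report. */
    const unsigned int samples[] = { 0, 5, 31, 32, EXAMPLE_INVALID_QUEUE };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t mask;
        int rc = queue_mask(samples[i], &mask);
        printf("queue %#x -> rc=%d mask=%#010" PRIx32 "%s\n", samples[i], rc, mask,
               rc ? " (rejected, shift would be undefined)" : "");
    }
    return 0;
}
```

The point of returning a status rather than a bare mask is exactly the gap in the experimental patch above: a mask of 0 is a valid-looking value that the firmware accepts, so an unallocated queue goes unnoticed until someone wonders why no frames arrive.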
Based on a suggestion from Gregory Greenman, I tried the below: the driver in [1] was not building due to 20b0b53aca436, but it was simple to fix. After installation (and reboot) the warning is gone, but I am still unable to sniff. FW is now updated to:

```
loaded firmware version 77.2dda880d.0 QuZ-a0-hr-b0-77.ucode op_mode iwlmvm
```

[1] https://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/backport-iwlwifi.git
It looks like a firmware-related problem. Can I ask you to provide two additional inputs: (1) what are the exact commands that you're using to enable the sniffer (are you disabling NM/wpa_supplicant etc.)? (2) a firmware dump (how to do it is described at [1]).

[1] https://wireless.wiki.kernel.org/en/users/drivers/iwlwifi/debugging
I use the below script:

```
$ cat /usr/sbin/set_monitor_mode
#!/usr/bin/env bash
set -eu

# Check sudo access
sudo -v

IF_INDEX=${1:-0}
FREQ=${2:-5180}
BW=${3:-80MHz}   # iw expects the channel width with its unit suffix (e.g. 80MHz), not a bare number

echo "Setting phy$IF_INDEX in monitoring mode: $FREQ"
rfkill unblock all
nmcli radio wifi off
iw phy phy$IF_INDEX interface add mon0 type monitor || true # in case of previous iface
ip link set dev mon0 down
ip link set dev mon0 up
iw dev mon0 set freq $FREQ $BW
```

and run it like this:

```
$ sudo set_monitor_mode 0 5745 80MHz
Setting phy0 in monitoring mode: 5745
```
Created attachment 303807: FW dump
And I disable network manager using `nmcli radio wifi off` and run the script manually.
Created attachment 303916: LARI patch

Can you try this patch? Maybe your BIOS has something that causes the LARI configuration.
Sure, but it works on older kernels, so it might not be the BIOS.
Yes, I have applied that patch to the backports and *it worked*. To re-confirm, I have reverted it and seen the issue again, so it's definitely LARI-related; thanks for the patch. Many of my colleagues and friends reported the same, even with ath11k, so is there a way to disable this from the BIOS (to avoid re-compilation)? Just trying to understand the cause from the commit log: the monitor mode doesn't work even after waiting for some time, i.e., after calibrations. IIUC, LARI is for LAR (location aware regulatory) with the "I" standing for Intel? AFAIK, LAR shouldn't impact monitor mode, no?