The commit below introduced an unsafe dereference of
mvmvif->phy_ctxt. It can be NULL even if we hold the mutex.
We can be handling a BT Coex notification while the vif has
already been unassigned. This can happen since the BT Coex
notification is hanled asynchronuously: we can have started
to handle the BT Coex notification trying to acquire the
mutex while the unassign flow already got it. The BT Coex
notification handling will wait for the mutext. I'll get it
later, but then mvmvif->phy_ctxt will be NULL.
Panic log:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<f985180d>] iwl_mvm_bt_notif_iterator+0x9d/0x340 [iwlmvm]
*pdpt = 0000000000000000 *pde = f000eef300000007
Oops: 0000 [#1] SMP
Workqueue: events iwl_mvm_async_handlers_wk [iwlmvm]
task: ed719b20 ti: ec03e000 task.ti: ec03e000
EIP: 0060:[<f985180d>] EFLAGS: 00010202 CPU: 2
EIP is at iwl_mvm_bt_notif_iterator+0x9d/0x340 [iwlmvm]
EAX: 00000000 EBX: f6d3cb70 ECX: f6d3cb70 EDX: 00000000
ESI: ec03fe40 EDI: efeb8810 EBP: ec03fdf0 ESP: ec03fdac
DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
CR0: 80050033 CR2: 00000000 CR3: 01a1a000 CR4: 001407f0
Stack:
f743ca80 f744a404 ec03fdcc c10e3952 00003aba f743ca80 00000246 f743ca80
00000246 00000000 00000001 00000000 ebd45ff6 ebd458a4 f6d3c500 ebd45578
ebd44b01 ec03fe18 f99e1bc2 00000002 ebd44bc0 f9851770 00000000 f6d3c500
Call Trace:
[<c10e3952>] ? ring_buffer_unlock_commit+0xa2/0xd0
[<f99e1bc2>] __iterate_interfaces+0x82/0x110 [mac80211]
[<f9851770>] ? iwl_mvm_bt_coex_reduced_txp+0x140/0x140 [iwlmvm]
[<f99e1c6a>] ieee80211_iterate_active_interfaces_atomic+0x1a/0x20 [mac80211]
[<f9851427>] iwl_mvm_bt_coex_notif_handle+0x77/0x280 [iwlmvm]
[<f9852161>] iwl_mvm_rx_bt_coex_notif_old+0x211/0x220 [iwlmvm]
[<f9850b8b>] iwl_mvm_rx_bt_coex_notif+0x19b/0x1b0 [iwlmvm]
[<f983944f>] iwl_mvm_async_handlers_wk+0x7f/0xe0 [iwlmvm]
CC: <stable@vger.kernel.org> [3.19+]
Fixes: 123f515635 ("iwlwifi: mvm: BT Coex - add support for TTC / RRC")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
With this value, we de-facto disable the feature. Since it
is not working yet, disable it completely.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
There are a few places not using it, use it at those places.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
The TTC and RRC features are supported by the newer
firmwares. It allows to reach better overall WiFi and BT
performance. When the RRC is enabled, we don't need to force
the AP to send SISO frames, but it can keeps sending MIMO
frames.
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
When we need only one antenna, we should refrain from using
the antenna that is shared with BT if BT load is high.
Fix this.
Reviewed-by: Eyal Shapira <eyal@wizery.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Our legal structure changed at some point (see wikipedia), but
we forgot to immediately switch over to the new copyright
notice.
For files that we have modified in the time since the change,
add the proper copyright notice now.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
According to new requirements, the ACK / CTS kill mask is
not related to reduced TX power anymore. This allows to
remove the code that tracked reduced TX power enablement
across different interfaces.
The ACK / CTS kill mask is now fetch from a table. It
depends on the Activity grading (activity from BT) and on
the Look Up Table (LUT) type.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
A new API is coming. This new API is not backward
compatible. So we need to keep the old commands to be able
to work with the former API.
Move all the current code into a new file: coex_legacy.
If a firmware with the new API is detected, we currently
just bail out since the implementation of the new API will
come in future patches.
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
