From: Lachlan Hodges lachlan.hodges@morsemicro.com
[ Upstream commit 7e2f3213e85eba00acb4cfe6d71647892d63c3a1 ]
Currently the S1G capability element is not taken into account for the scan_ies_len, which leads to a buffer length validation failure in ieee80211_prep_hw_scan() and subsequent WARN in __ieee80211_start_scan(). This prevents hw scanning from functioning. To fix ensure we accommodate for the S1G capability length.
Signed-off-by: Lachlan Hodges lachlan.hodges@morsemicro.com Link: https://patch.msgid.link/20250826085437.3493-1-lachlan.hodges@morsemicro.com Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org ---
LLM Generated explanations, may be completely bogus:
Perfect! Now I have all the context I need. Let me provide my analysis:
## Backport Status: **YES**
### Extensive Analysis:
**This commit fixes a real bug that causes hardware scanning to fail for S1G (802.11ah) WiFi devices.**
#### The Bug Details:
1. **Root Cause**: When commit `0333a81bc8343` ("wifi: mac80211: S1G capabilities information element in probe request") was merged in February 2023, it added S1G capability elements to probe requests. However, it failed to update the buffer size calculation (`scan_ies_len`) to account for these additional 17 bytes (2 byte element header + 15 byte `struct ieee80211_s1g_cap`).
2. **Failure Mechanism**: - In `__ieee80211_start_scan()` at net/mac80211/scan.c:755, the buffer size is calculated as `local->scan_ies_len + req->ie_len` - When `ieee80211_prep_hw_scan()` is called at line 870, it attempts to build probe request IEs using `ieee80211_build_preq_ies()` - The function `ieee80211_build_preq_ies_band()` checks buffer space and adds S1G capability for S1G bands (lines 1963-1965 in util.c) - Without the fix, the buffer is 17 bytes too small, causing `-ENOBUFS` to be returned - This triggers the `WARN_ON(!ieee80211_prep_hw_scan(sdata))` at line 870, producing a kernel warning and aborting the scan
3. **User Impact**: - Produces a visible kernel WARNING in dmesg - Hardware scanning completely fails for S1G devices - The device cannot perform network discovery - This is a **functional regression** introduced in kernel 6.3 (when commit 0333a81bc8343 was merged)
#### Why This Should Be Backported:
1. **Fixes a Real Bug**: This is not a theoretical issue - it causes actual hardware scanning failures with kernel warnings for any S1G-capable hardware.
2. **Regression Fix**: This fixes a regression introduced by commit 0333a81bc8343 in kernel 6.3. Any stable kernel that includes that commit needs this fix.
3. **Small and Contained**: The fix is minimal - just 4 lines of actual code changes: - Adding `supp_s1g` boolean variable - Setting it based on S1G capability presence - Adding 17 bytes to buffer calculation when S1G is supported
4. **No Side Effects**: The change only affects S1G-capable devices and simply ensures adequate buffer space. It cannot negatively impact non-S1G devices.
5. **Clear Bug Pattern**: This is a classic "forgot to update buffer size calculation" bug that's straightforward to understand and verify.
6. **Vendor Support**: MorseMicro is actively developing S1G hardware and drivers, making this functionality important for emerging IoT/long-range WiFi deployments.
#### Stable Tree Considerations:
- Should be backported to **kernel 6.3 and later** (where commit 0333a81bc8343 exists) - The fix applies cleanly as it only adds to existing initialization code - No dependencies on other commits - Follows stable tree rules: fixes an important bug with minimal risk
The commit message could have been clearer by mentioning this was a regression from commit 0333a81bc8343, but the fix itself is correct and necessary for S1G hardware to function properly.
net/mac80211/main.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 1bad353d8a772..35c6755b817a8 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -1136,7 +1136,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) int result, i; enum nl80211_band band; int channels, max_bitrates; - bool supp_ht, supp_vht, supp_he, supp_eht; + bool supp_ht, supp_vht, supp_he, supp_eht, supp_s1g; struct cfg80211_chan_def dflt_chandef = {};
if (ieee80211_hw_check(hw, QUEUE_CONTROL) && @@ -1252,6 +1252,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) supp_vht = false; supp_he = false; supp_eht = false; + supp_s1g = false; for (band = 0; band < NUM_NL80211_BANDS; band++) { const struct ieee80211_sband_iftype_data *iftd; struct ieee80211_supported_band *sband; @@ -1299,6 +1300,7 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) max_bitrates = sband->n_bitrates; supp_ht = supp_ht || sband->ht_cap.ht_supported; supp_vht = supp_vht || sband->vht_cap.vht_supported; + supp_s1g = supp_s1g || sband->s1g_cap.s1g;
for_each_sband_iftype_data(sband, i, iftd) { u8 he_40_mhz_cap; @@ -1432,6 +1434,9 @@ int ieee80211_register_hw(struct ieee80211_hw *hw) local->scan_ies_len += 2 + sizeof(struct ieee80211_vht_cap);
+ if (supp_s1g) + local->scan_ies_len += 2 + sizeof(struct ieee80211_s1g_cap); + /* * HE cap element is variable in size - set len to allow max size */ if (supp_he) {