crypto_alloc_shash() allocates resources, which should be released by
crypto_free_shash(). When ath11k_peer_find() fails, there has memory
leak. Add missing crypto_free_shash() to fix this.
Fixes: 243874c64c81 ("ath11k: handle RX fragments")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230102081142.3937570-1-linmq006@gmail.com
Signed-off-by: Venkat Chimata <venkat@nearhop.com>
In the DP RX path, fast_rx is set to true by default.
Currently, if peer lookup fails in ath11k_dp_rx_h_mpdu(), the SKB is not sent
to the network stack or mac80211 because fast_rx remains true. This results
in a memory leak.
Fix this by setting fast_rx = false when peer lookup fails in
ath11k_dp_rx_h_mpdu(), ensuring the SKB is properly delivered to mac80211
via ath11k_dp_rx_deliver_msdu().
Fixes: WIFI-15202
Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
The num_peers counter becomes corrupted during peer deletion due to race
conditions between ath11k_peer_delete() and ath11k_peer_unmap_event().
The firmware may or may not send unmap events, and the timing varies,
causing the counter to either leak (increment without decrement) or
underflow (double decrement).
Root causes:
1. ath11k_peer_delete() doesn't decrement num_peers, relying on
ath11k_peer_unmap_event() to do it
2. Firmware sometimes doesn't send unmap events, leaving num_peers
inflated
3. When unmap events do arrive, timing races with ath11k_peer_delete()
can cause missed decrements
4. Cleanup paths may double-decrement if delete_in_progress not checked
5. num_peers modified outside proper locking in some paths
This fix:
- Moves num_peers decrement into ath11k_peer_delete() after successful
peer deletion wait, ensuring exactly one decrement per deletion
- Handles both cases: peer removed by unmap event, or peer still in list
- Removes num_peers decrement from ath11k_peer_unmap_event() to prevent
double-decrement when unmap event arrives
- Adds ath11k_dp_peer_cleanup() call before ath11k_peer_delete() in
roaming path to ensure datapath structures properly cleaned up
- Adds delete_in_progress checks in cleanup paths to prevent
double-delete
- Ensures all num_peers modifications happen under base_lock
- Adds comprehensive debug logging to track num_peers throughout peer
lifecycle
Signed-off-by: Arif Alam <arif.alam@netexperience.com>
Signed-off-by: John Crispin <john@phrozen.org>
1. When a connected client roams to another AP, the AP is trying to delete the peer
but for some reason the WMI command times out and while driver is waiting for
the response, we observed that the AP doesn't respond to any frames from STA
(probe requests, authentication etc) and once the response times out (3seconds default)
then AP starts responding to the older requets but client has already connected to
another AP. As the root cause for the response timing out is in the FW, we added
a WAR to reduce the timeout to minimize this blind period, with this AP responds
after 100ms and client connects successfully. And 100ms timeout is also reasonable
for this internal operation.
2. In case of peer deletion timeout, the driver peer database is not cleared, so,
if this happens often (which it is) then eventually we hit the max peers in the
driver and all subsequent operations fail, so, in case of timeout ignore the failure
and proceed with driver peer database cleanup.
Signed-off-by: Venkat Chimata <venkat@nearhop.com>
Add bind-dig package dependency required for CAA record lookups
in est_client, which uses the dig command to query DNS for EST
server discovery.
Signed-off-by: John Crispin <john@phrozen.org>
Change standard FQDN from 'openwifi.network' to 'openwifi.wlan.local'
to prevent DNS hijacking attacks. The .local TLD is reserved for local
network use (mDNS) and cannot be registered in public DNS, ensuring
that discovery traffic cannot be redirected to attacker-controlled
infrastructure.
Signed-off-by: John Crispin <john@phrozen.org>
Move EST client enrollment to occur immediately after successful DHCP
discovery and before starting the ucentral client. This ensures
controller-specific certificates are enrolled before attempting to
connect. If EST enrollment fails during DHCP discovery, the client
will not be started.
Adjust interval_handler to call EST enrollment after DHCP discovery
attempt rather than before, ensuring proper certificate handling for
DHCP-discovered controllers.
Signed-off-by: John Crispin <john@phrozen.org>
Replace resolv module usage with dig command for CAA record lookups
to simplify DNS query handling. Reorganise cert_prefix_determine() to
prioritise controller-specific FQDN from cloud.json before checking
discovery method.
Add extensive debug logging throughout to aid troubleshooting of EST
enrollment process, including curl commands and exit codes.
Signed-off-by: John Crispin <john@phrozen.org>
The air-gapped EST server uses a certificate signed by the OpenLAN
Server Issuing CA. This certificate is used to ensure mTLS
authentication when the device connects to the EST server.
Signed-off-by: John Crispin <john@phrozen.org>
Add dnsmasq_rebind_allow() function to automatically whitelist controller
FQDNs for private IP resolution in air-gapped deployments.
When dnsmasq's boguspriv option is enabled (default), it blocks DNS
responses containing private IP addresses (RFC 1918) as a security
measure. This prevents DHCP Option 224 from resolving controller FQDNs
to local private IPs in air-gapped networks.
Solution: Inject rebind-domain-ok directives into /tmp/dnsmasq.d/
directory, which dnsmasq automatically includes via --conf-dir option.
Behaviour:
- DHCP discovery: Whitelist FQDN from dhcp_server field
- Standard FQDN discovery: Whitelist openwifi.network
- Centralized discovery: No changes (public IPs not affected)
This maintains security by only allowing specific controller domains
to resolve to private IPs whilst filtering all other RFC 1918 responses.
Signed-off-by: John Crispin <john@phrozen.org>
Add cert_prefix_determine() function that reads discovery method from
/tmp/discovery.method and determines appropriate certificate naming:
- Centralized (OpenLAN redirector): operational.pem/operational.ca
- Air-gapped (DHCP/FQDN/Flash): <controller-fqdn>.pem/<controller-fqdn>.ca
The FQDN is extracted from the controller address in /tmp/cloud.json
(DHCP Option 224).
This enables APs to enrol and store separate operational certificates
for multiple controllers, supporting portability between centralized
and air-gapped deployments without certificate conflicts.
Signed-off-by: John Crispin <john@phrozen.org>
Extend gateway.json to include cert and ca fields specifying which
certificate files the client should use for the connection.
Certificate naming strategy:
- Centralized (redirector discovery): operational.pem/operational.ca
- Air-gapped (DHCP/FQDN/Flash): <fqdn>.pem/<fqdn>.ca
Write discovery method to /tmp/discovery.method so est_client can
determine appropriate certificate naming when enrolling.
This enables APs to maintain separate operational certificates for
multiple controllers and automatically select the correct certificates
based on which controller they're connecting to.
Signed-off-by: John Crispin <john@phrozen.org>
Modify early_boot init script to copy all .pem and .ca files from
/certificates/ to /etc/ucentral/ instead of only operational.pem
and operational.ca.
This enables support for multiple trust chains where certificates
are stored with FQDN-based names (e.g., controller.example.com.pem)
alongside the traditional operational.pem.
The simple wildcard copy allows air-gapped deployments to maintain
certificates for multiple controllers without complex logic.
Signed-off-by: John Crispin <john@phrozen.org>
Add discovery method that attempts to resolve a standard FQDN when DHCP
discovery fails. This enables zero-touch provisioning in environments
where administrators configure DNS without modifying DHCP infrastructure.
The standard FQDN is configurable via STANDARD_FQDN constant (defaults
to "openwifi.network"). Administrators can configure their local DNS to
resolve this FQDN to their controller, allowing APs to discover the
controller automatically.
Discovery priority order:
1. EST enrollment (blocking)
2. DHCP discovery (Option 224/138)
3. Flash-based configuration
4. Standard FQDN resolution (NEW)
5. Cloud redirector service (internet-connected only)
The implementation uses the resolv module for DNS queries, performing
A record lookups. If resolution fails, discovery continues to the next
method. The standard FQDN method integrates with the existing discovery
block list mechanism to prevent repeated failed attempts.
Note: The boguspriv dnsmasq option may prevent FQDNs from resolving to
private IPs. Administrators should either use CG NAT Safe IP addresses
(100.64.0.0/10) or configure dnsmasq with rebind-domain-ok exceptions.
Signed-off-by: John Crispin <john@phrozen.org>
Implement EST server discovery via CAA DNS records for air-gapped
deployments. When DHCP Option 224 provides a controller FQDN, query
CAA records to determine the appropriate EST server endpoint.
The discovery flow:
1. Read controller FQDN from /tmp/cloud.json (set by DHCP handler)
2. Query CAA records for the controller domain
3. Use EST server from CAA 'issue' tag if present
4. Fall back to certificate issuer-based selection if CAA lookup fails
This allows network administrators to configure local EST servers via
DNS rather than relying on hardcoded public endpoints. Air-gapped
deployments can now specify private EST servers through standard DNS
infrastructure.
Example DNS configuration:
controller.local. IN CAA 0 issue "est.local:8001"
When an AP receives controller.local via DHCP Option 224, it will
query CAA records and use est.local:8001 for certificate enrollment
instead of the public est.certificates.open-lan.org endpoint.
Signed-off-by: John Crispin <john@phrozen.org>
Add missing ';;' after edgecore,eap111/eap112 LED configuration to
prevent fall-through to subsequent case statements.
Signed-off-by: John Crispin <john@phrozen.org>
Allow configuring small values of duration time for passive
scanning in software scan.
Fixes: WIFI-14822
Signed-off-by: Marek Kwaczynski <marek@shasta.cloud>
**SPECIFICATIONS:**
SOC: Qualcomm IPQ6018 (64-bit quad-core ARM Cortex-A53 @ 1.8Ghz)
Flash: SPI NOR 8MB + NAND 128MB
Memory: 1GB
2.4GHz Frequency Band: 2.4GHz ~ 2.484GHz (802.11 b/g/n/ax)
5GHz Frequency Band: 5.150GHz~5.850GHz (802.11 a/n/ac/ax)
Wireless Speed: 2.4GHz: 574Mbps, 5GHz: 1201Mbps
**BACKUP YOUR STOCK FIRMWARE:**
- Put openwrt-*-initramfs-kernel.bin to your TFTP server and rename it to initramfs.bin
- Enable serial console and enter to u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:initramfs.bin
bootm
```
- Once boot completed and you get the openwrt shell execute below commands:
```
device=<device_name>
mkdir -p /tmp/fw_backup; cd /tmp/fw_backup
rootfs=$(cat /proc/mtd | grep \"rootfs\" | cut -d: -f1)
rootfs_1=$(cat /proc/mtd | grep \"rootfs_1\" | cut -d: -f1)
dd if=/dev/${rootfs} of=rootfs_${rootfs} bs=1M
dd if=/dev/${rootfs_1} of=rootfs_1_${rootfs_1} bs=1M
cp /sys/firmware/fdt fdt.dtb
md5sum * > md5sum
tar -cvzf /tmp/${device}.tar.gz .
sum=$(md5sum /tmp/${device}.tar.gz | cut -d' ' -f1)
mv /tmp/${device}.tar.gz /tmp/${device}_${sum}.tar.gz
echo "stock fw backup saved to: /tmp/${device}_${sum}.tar.gz"
```
- Upload/save your backup to a safe place.
**STOCK FIRMWARE RECOVERY:**
- Boot initramfs image
- Upload your backed-up stock fw tarball to the device
using scp or download it from the device using wget.
- Enter device ssh cli or tty and exec:
```
cd /tmp && wget <your_web_server_ip>/${stock_fw_backup}.tar.gz`
tar -xpzf ${stock_fw_backup}.tar.gz
rootfs=$(cat /proc/mtd | grep \"rootfs\" | cut -d: -f1)
rootfs_1=$(cat /proc/mtd | grep \"rootfs_1\" | cut -d: -f1)
ubiformat /dev/${rootfs} -y -f /tmp/rootfs_${rootfs}
ubiformat /dev/${rootfs_1} -y -f /tmp/rootfs_1_${rootfs_1}
reboot
```
**INSTALLATION:**
1. initramfs method
- Put openwrt-*-initramfs-kernel.bin to your TFTP server and rename it to initramfs.bin
- Enable serial console and enter to u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:initramfs.bin
bootm
```
- Once boot completed and you get the openwrt shell execute below commands:
```
cd /tmp && wget <your_web_server_ip>/factory.ubi`
export rootfs=$(cat /proc/mtd | grep rootfs | cut -d: -f1)
export rootfs_1=$(cat /proc/mtd | grep rootfs_1 | cut -d: -f1)
ubiformat /dev/${rootfs} -y -f factory.ubi
ubiformat /dev/${rootfs_1} -y -f factory.ubi
reboot
```
2. u-boot nand-factory.bin image method
- Put openwrt-*-squashfs-nand-factory.bin to your TFTP server and enter u-boot cli and exec these commands:
```
tftpboot <your_tftp_server_ip>:factory.bin
#After downloading is finished:
imxtract 0x44000000 ubi
flash rootfs
flash rootfs_1
reset
```
Signed-off-by: Shubham Vishwakarma <shubhamvis98@fossfrog.in>
During 802.11r Fast Transition roaming, when a client moves between
APs (e.g., wlan0 to wlan1) with the same dynamic VLAN assignment, the
vlan_add handler's refcount mechanism prevented the new WiFi interface
from being added to the bridge.
When wlan0-v100 and wlan1-v100 exist simultaneously with VLAN ID 100,
the refcount becomes 2, causing vlan_add to exit early for wlan1-v100.
This left wlan1-v100 out of the bridge VLAN table, breaking connectivity
after roaming despite correct VLAN assignment via RADIUS and RRB frames.
Fix by detecting WiFi VLAN interfaces (wlan*-v*) and always adding them
to the bridge regardless of refcount. The refcount mechanism now only
controls WAN port VLAN configuration, which should only occur once per
VLAN ID.
Also reorganise vlan_add/vlan_remove to check swconfig early for clarity.
Signed-off-by: John Crispin <john@phrozen.org>
Enable CONFIG_LEDS_TRIGGER_HEARTBEAT to allow LED heartbeat
functionality when device goes offline. Without this kernel option,
the LED trigger mechanism was unavailable, preventing the LED from
flashing to indicate offline status.
Fixes: WIFI-14646
Signed-off-by: John Crispin <john@phrozen.org>
When a station roams between bands on the same VLAN, the vlan_remove
event from the old band can arrive after the vlan_add event from the
new band, causing the VLAN to be incorrectly deleted whilst still in use.
Add reference counting that tracks how many interfaces are using each
VLAN ID. Only create VLAN devices on the first reference and only
remove them when the last reference is dropped.
On startup, initialise refcounts from current station state to handle
daemon restarts correctly.
Signed-off-by: John Crispin <john@phrozen.org>
676e155 dhcp_inject: fix a syntax issue in dhcp_inject
e594c44 captive.uam.mac-auth: the default was wrong
Signed-off-by: John Crispin <john@phrozen.org>
LAN switch exposes single eth1 instead of per-port interfaces for RAP750W-311A.
Using VLAN to separate LAN to each physical port for RAP750W-311A.
Fixes: WIFI-15163
Signed-off-by: jackcybertan <jack.tsai@cybertan.com.tw>
make openwrt/profiles relative so moving or renaming the repo directory won't break the symlink
Signed-off-by: Shubham Vishwakarma <shubhamvis98@fossfrog.in>
Changelog:
- Fix MAC address assignment for Ethernet ports
- Fix Ethernet port configuration (was not working in the current DTS
because GPIOs 23 and 24, used for LEDs, are RGMII2 pins)
- Add package kmod-7915-firmware to enable Wi-Fi
Signed-off-by: Shubham Vishwakarma <shubhamvis98@fossfrog.in>
