From ea2c2ca2ae0ecd243f753c5dc2cd57dcde05f9c5 Mon Sep 17 00:00:00 2001 From: Agustin Lorenzo Date: Mon, 13 Oct 2025 02:03:51 +0200 Subject: [PATCH] mac80211: ath11k: backport of the latest changes applied for ath11k in 6.16.12 This includes the following commits from upstream Linux between 6.16 and 6.16.12: wifi: ath11k: clear initialized flag for deinit-ed srng lists wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask() wifi: ath11k: fix dest ring-buffer corruption wifi: ath11k: fix source ring-buffer corruption wifi: ath11k: fix dest ring-buffer corruption when ring is full wifi: ath11k: fix group data packet drops during rekey [1] wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() [1] The patch "940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch" has been removed, as the firmware race it worked around has been fixed upstream by "wifi: ath11k: fix group data packet drops during rekey", which is added here as the 945 patch. Related: https://github.com/openwrt/openwrt/pull/18705 Related: https://github.com/openwrt/openwrt/issues/9555 Related: https://github.com/openwrt/openwrt/issues/14117 Signed-off-by: Agustin Lorenzo Link: https://github.com/openwrt/openwrt/pull/20395 
Signed-off-by: Hauke Mehrtens
---
 ...ear-the-keys-properly-when-DISABLE_K.patch | 48 ----
 ...alized_flag_for_deinit-ed_srng_lists.patch | 92 +++++++
 ...ic_in_ath11k_mac_op_set_bitrate_mask.patch | 67 +++++
 ...h11k-fix_dest_ring-buffer_corruption.patch | 83 ++++++
 ...1k-fix_source_ring-buffer_corruption.patch | 56 +++++
 ...-buffer_corruption_when_ring_is_full.patch | 61 +++++
 ...group_data_packet_drops_during_rekey.patch | 237 ++++++++++++++++++
 ...LL_dereference_in_ath11k_qmi_m3_load.patch | 40 +++
 8 files changed, 636 insertions(+), 48 deletions(-)
 delete mode 100644 package/kernel/mac80211/patches/ath11k/940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/940-ath11k-clear_initialized_flag_for_deinit-ed_srng_lists.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/941-ath11k-fix_sleeping-in-atomic_in_ath11k_mac_op_set_bitrate_mask.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/942-ath11k-fix_dest_ring-buffer_corruption.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/943-ath11k-fix_source_ring-buffer_corruption.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/944-ath11k-fix_dest_ring-buffer_corruption_when_ring_is_full.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/945-ath11k-fix_group_data_packet_drops_during_rekey.patch
 create mode 100644 package/kernel/mac80211/patches/ath11k/946-ath11k-fix_NULL_dereference_in_ath11k_qmi_m3_load.patch
diff --git a/package/kernel/mac80211/patches/ath11k/940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch b/package/kernel/mac80211/patches/ath11k/940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch
deleted file mode 100644
index 1f0b63c81b7..00000000000
--- a/package/kernel/mac80211/patches/ath11k/940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch
+++ /dev/null
@@ -1,48 +0,0 @@ -From 52393e2ae12f18fb1a60578c24c46ebab292ddb6 Mon Sep 17 00:00:00 2001 -From: Rameshkumar Sundaram -Date: Mon, 28 Mar 2022 13:21:04 +0530 -Subject: [PATCH] ath11k: Revert: clear the keys properly when DISABLE_KEY -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Reverting the Upstream clear key change added as a part of -436a4e886598 ("ath11k: clear the keys properly -when DISABLE_KEY") -This change exposed a race in WLAN Firmware where target asserts -are seen frequently due FW not synchronizing ath11k host’s clear -key commands(CIPHER changes to NONE) with frames in TX queue. -Hence reverting this change untill FW fixes to synchronize -ath11k host’s clear key command are available. - -Signed-off-by: Rameshkumar Sundaram ---- - drivers/net/wireless/ath/ath11k/mac.c | 4 +++- - drivers/net/wireless/ath/ath11k/wmi.c | 3 +-- - 2 files changed, 4 insertions(+), 3 deletions(-) - ---- a/drivers/net/wireless/ath/ath11k/mac.c -+++ b/drivers/net/wireless/ath/ath11k/mac.c -@@ -4232,7 +4232,9 @@ static int ath11k_install_key(struct ath - return 0; - - if (cmd == DISABLE_KEY) { -- arg.key_cipher = WMI_CIPHER_NONE; -+ /* TODO: Check if FW expects value other than NONE for del */ -+ /* arg.key_cipher = WMI_CIPHER_NONE; */ -+ arg.key_len = 0; - arg.key_data = NULL; - goto install; - } ---- a/drivers/net/wireless/ath/ath11k/wmi.c -+++ b/drivers/net/wireless/ath/ath11k/wmi.c -@@ -1854,8 +1854,7 @@ int ath11k_wmi_vdev_install_key(struct a - tlv = (struct wmi_tlv *)(skb->data + sizeof(*cmd)); - tlv->header = FIELD_PREP(WMI_TLV_TAG, WMI_TAG_ARRAY_BYTE) | - FIELD_PREP(WMI_TLV_LEN, key_len_aligned); -- if (arg->key_data) -- memcpy(tlv->value, (u8 *)arg->key_data, key_len_aligned); -+ memcpy(tlv->value, (u8 *)arg->key_data, key_len_aligned); - - ret = ath11k_wmi_cmd_send(wmi, skb, WMI_VDEV_INSTALL_KEY_CMDID); - if (ret) { 
diff --git a/package/kernel/mac80211/patches/ath11k/940-ath11k-clear_initialized_flag_for_deinit-ed_srng_lists.patch b/package/kernel/mac80211/patches/ath11k/940-ath11k-clear_initialized_flag_for_deinit-ed_srng_lists.patch new file mode 100644 index 00000000000..e092e9d2aa5 --- /dev/null +++ b/package/kernel/mac80211/patches/ath11k/940-ath11k-clear_initialized_flag_for_deinit-ed_srng_lists.patch 
@@ -0,0 +1,92 @@ +From 16872194c80f2724472fc207991712895ac8a230 Mon Sep 17 00:00:00 2001 +From: Sergey Senozhatsky +Date: Thu, 12 Jun 2025 17:45:06 +0900 +Subject: wifi: ath11k: clear initialized flag for deinit-ed srng lists + +[ Upstream commit a5b46aa7cf5f05c213316a018e49a8e086efd98e ] + +In a number of cases we see kernel panics on resume due +to ath11k kernel page fault, which happens under the +following circumstances: + +1) First ath11k_hal_dump_srng_stats() call + + Last interrupt received for each group: + ath11k_pci 0000:01:00.0: group_id 0 22511ms before + ath11k_pci 0000:01:00.0: group_id 1 14440788ms before + [..] + ath11k_pci 0000:01:00.0: failed to receive control response completion, polling.. + ath11k_pci 0000:01:00.0: Service connect timeout + ath11k_pci 0000:01:00.0: failed to connect to HTT: -110 + ath11k_pci 0000:01:00.0: failed to start core: -110 + ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM + ath11k_pci 0000:01:00.0: already resetting count 2 + ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110 + ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110 + ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery + [..] + +2) At this point reconfiguration fails (we have 2 resets) and + ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit() + which destroys srng lists. However, it does not reset per-list + ->initialized flag. 
+ +3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized + flag and attempts to dump srng stats: + + Last interrupt received for each group: + ath11k_pci 0000:01:00.0: group_id 0 66785ms before + ath11k_pci 0000:01:00.0: group_id 1 14485062ms before + ath11k_pci 0000:01:00.0: group_id 2 14485062ms before + ath11k_pci 0000:01:00.0: group_id 3 14485062ms before + ath11k_pci 0000:01:00.0: group_id 4 14780845ms before + ath11k_pci 0000:01:00.0: group_id 5 14780845ms before + ath11k_pci 0000:01:00.0: group_id 6 14485062ms before + ath11k_pci 0000:01:00.0: group_id 7 66814ms before + ath11k_pci 0000:01:00.0: group_id 8 68997ms before + ath11k_pci 0000:01:00.0: group_id 9 67588ms before + ath11k_pci 0000:01:00.0: group_id 10 69511ms before + BUG: unable to handle page fault for address: ffffa007404eb010 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0 + Oops: 0000 [#1] PREEMPT SMP NOPTI + RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k] + Call Trace: + + ? __die_body+0xae/0xb0 + ? page_fault_oops+0x381/0x3e0 + ? exc_page_fault+0x69/0xa0 + ? asm_exc_page_fault+0x22/0x30 + ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)] + ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)] + worker_thread+0x389/0x930 + kthread+0x149/0x170 + +Clear per-list ->initialized flag in ath11k_hal_srng_deinit(). 
+ +Signed-off-by: Sergey Senozhatsky +Reviewed-by: Baochen Qiang +Fixes: 5118935b1bc2 ("ath11k: dump SRNG stats during FW assert") +Link: https://patch.msgid.link/20250612084551.702803-1-senozhatsky@chromium.org +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/hal.c | 4 ++++ + 1 file changed, 4 insertions(+) + +(limited to 'drivers/net/wireless/ath/ath11k') + +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -1341,6 +1341,10 @@ EXPORT_SYMBOL(ath11k_hal_srng_init); + void ath11k_hal_srng_deinit(struct ath11k_base *ab) + { + struct ath11k_hal *hal = &ab->hal; ++ int i; ++ ++ for (i = 0; i < HAL_SRNG_RING_ID_MAX; i++) ++ ab->hal.srng_list[i].initialized = 0; + + ath11k_hal_unregister_srng_key(ab); + ath11k_hal_free_cont_rdp(ab); diff --git a/package/kernel/mac80211/patches/ath11k/941-ath11k-fix_sleeping-in-atomic_in_ath11k_mac_op_set_bitrate_mask.patch b/package/kernel/mac80211/patches/ath11k/941-ath11k-fix_sleeping-in-atomic_in_ath11k_mac_op_set_bitrate_mask.patch new file mode 100644 index 00000000000..83402161060 --- /dev/null +++ b/package/kernel/mac80211/patches/ath11k/941-ath11k-fix_sleeping-in-atomic_in_ath11k_mac_op_set_bitrate_mask.patch 
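Review bot: The new loop in `ath11k_hal_srng_deinit()` indexes `ab->hal.srng_list[i]` even though the function already holds `hal = &ab->hal` one line above, so two spellings of the same object sit next to each other; `hal->srng_list[i].initialized = 0;` keeps the style of the rest of the function. Clearing the flag before `ath11k_hal_unregister_srng_key()` and `ath11k_hal_free_cont_rdp()` release the backing memory is the right order for a stats dumper that tests `initialized` first, but it only closes the crash if the dumper and this deinit path are serialized elsewhere; that is not visible from the hunk, so a one-line comment above the loop naming the work queue or lock that orders them would help the next reader. The rest of `ath11k_hal_srng_deinit()` continues below the inner hunk.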
@@ -0,0 +1,67 @@ +From 6bdef22d540258ca06f079f7b6ae100669a19b47 Mon Sep 17 00:00:00 2001 +From: Baochen Qiang +Date: Tue, 3 Jun 2025 10:25:28 +0800 +Subject: wifi: ath11k: fix sleeping-in-atomic in + ath11k_mac_op_set_bitrate_mask() + +[ Upstream commit 65c12b104cb942d588a1a093acc4537fb3d3b129 ] + +ath11k_mac_disable_peer_fixed_rate() is passed as the iterator to +ieee80211_iterate_stations_atomic(). Note in this case the iterator is +required to be atomic, however ath11k_mac_disable_peer_fixed_rate() does +not follow it as it might sleep. Consequently below warning is seen: + +BUG: sleeping function called from invalid context at wmi.c:304 +Call Trace: + + dump_stack_lvl + __might_resched.cold + ath11k_wmi_cmd_send + ath11k_wmi_set_peer_param + ath11k_mac_disable_peer_fixed_rate + ieee80211_iterate_stations_atomic + ath11k_mac_op_set_bitrate_mask.cold + +Change to ieee80211_iterate_stations_mtx() to fix this issue. + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Baochen Qiang +Link: https://patch.msgid.link/20250603-ath11k-use-non-atomic-iterator-v1-1-d75762068d56@quicinc.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/mac.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +(limited to 'drivers/net/wireless/ath/ath11k') + +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -8740,9 +8740,9 @@ ath11k_mac_op_set_bitrate_mask(struct ie + arvif->vdev_id, ret); + return ret; + } +- ieee80211_iterate_stations_atomic(ar->hw, +- ath11k_mac_disable_peer_fixed_rate, +- arvif); ++ ieee80211_iterate_stations_mtx(ar->hw, ++ ath11k_mac_disable_peer_fixed_rate, ++ arvif); + } else if (ath11k_mac_bitrate_mask_get_single_nss(ar, arvif, band, mask, + &single_nss)) { + rate = WMI_FIXED_RATE_NONE; +@@ -8809,9 +8809,9 @@ 
ath11k_mac_op_set_bitrate_mask(struct ie + } + + mutex_lock(&ar->conf_mutex); +- ieee80211_iterate_stations_atomic(ar->hw, +- ath11k_mac_disable_peer_fixed_rate, +- arvif); ++ ieee80211_iterate_stations_mtx(ar->hw, ++ ath11k_mac_disable_peer_fixed_rate, ++ arvif); + + arvif->bitrate_mask = *mask; + ieee80211_iterate_stations_atomic(ar->hw, diff --git a/package/kernel/mac80211/patches/ath11k/942-ath11k-fix_dest_ring-buffer_corruption.patch b/package/kernel/mac80211/patches/ath11k/942-ath11k-fix_dest_ring-buffer_corruption.patch new file mode 100644 index 00000000000..e477103050f --- /dev/null +++ b/package/kernel/mac80211/patches/ath11k/942-ath11k-fix_dest_ring-buffer_corruption.patch 
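Review bot: The hunk switches two of the three `ieee80211_iterate_stations_atomic()` calls to `ieee80211_iterate_stations_mtx()`, but the third one, right after `arvif->bitrate_mask = *mask;`, keeps the atomic iterator with a callback that lies outside this hunk; if that callback also reaches `ath11k_wmi_cmd_send()` the same sleeping-in-atomic warning remains, so confirm it against mac.c before merging. `ieee80211_iterate_stations_mtx()` requires the caller to hold the wiphy mutex and only exists in newer mac80211; since this lands in the OpenWrt mac80211 package rather than the upstream tree, confirm that the bundled backports version exports that symbol, otherwise the module fails to load with an unresolved symbol rather than failing at build time. `ath11k_mac_op_set_bitrate_mask()` starts and ends outside both inner hunks.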
@@ -0,0 +1,83 @@ +From 0f708ced89758247f5d2d70def00e7c1c80ff557 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Jun 2025 16:34:53 +0200 +Subject: wifi: ath11k: fix dest ring-buffer corruption + +commit 8c1ba5091fa9a2d1478da63173b16a701bdf86bb upstream. + +Add the missing memory barrier to make sure that destination ring +descriptors are read after the head pointers to avoid using stale data +on weakly ordered architectures like aarch64. + +The barrier is added to the ath11k_hal_srng_access_begin() helper for +symmetry with follow-on fixes for source ring buffer corruption which +will add barriers to ath11k_hal_srng_access_end(). + +Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Johan Hovold +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250604143457.26032-2-johan+linaro@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/ce.c | 3 --- + drivers/net/wireless/ath/ath11k/dp_rx.c | 3 --- + drivers/net/wireless/ath/ath11k/hal.c | 12 +++++++++++- + 3 files changed, 11 insertions(+), 7 deletions(-) + +(limited to 'drivers/net/wireless/ath/ath11k') + +--- a/drivers/net/wireless/ath/ath11k/ce.c ++++ b/drivers/net/wireless/ath/ath11k/ce.c +@@ -393,9 +393,6 @@ static int ath11k_ce_completed_recv_next + goto err; + } + +- /* Make sure descriptor is read after the head pointer. */ +- dma_rmb(); +- + *nbytes = ath11k_hal_ce_dst_status_get_length(desc); + + *skb = pipe->dest_ring->skb[sw_index]; +--- a/drivers/net/wireless/ath/ath11k/dp_rx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c +@@ -2650,9 +2650,6 @@ int ath11k_dp_process_rx(struct ath11k_b + try_again: + ath11k_hal_srng_access_begin(ab, srng); + +- /* Make sure descriptor is read after the head pointer. 
*/ +- dma_rmb(); +- + while (likely(desc = + (struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab, + srng))) { +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -823,13 +823,23 @@ u32 *ath11k_hal_srng_src_peek(struct ath + + void ath11k_hal_srng_access_begin(struct ath11k_base *ab, struct hal_srng *srng) + { ++ u32 hp; ++ + lockdep_assert_held(&srng->lock); + + if (srng->ring_dir == HAL_SRNG_DIR_SRC) { + srng->u.src_ring.cached_tp = + *(volatile u32 *)srng->u.src_ring.tp_addr; + } else { +- srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr); ++ hp = READ_ONCE(*srng->u.dst_ring.hp_addr); ++ ++ if (hp != srng->u.dst_ring.cached_hp) { ++ srng->u.dst_ring.cached_hp = hp; ++ /* Make sure descriptor is read after the head ++ * pointer. ++ */ ++ dma_rmb(); ++ } + + /* Try to prefetch the next descriptor in the ring */ + if (srng->flags & HAL_SRNG_FLAGS_CACHED) diff --git a/package/kernel/mac80211/patches/ath11k/943-ath11k-fix_source_ring-buffer_corruption.patch b/package/kernel/mac80211/patches/ath11k/943-ath11k-fix_source_ring-buffer_corruption.patch new file mode 100644 index 00000000000..f9cbe10b6b5 --- /dev/null +++ b/package/kernel/mac80211/patches/ath11k/943-ath11k-fix_source_ring-buffer_corruption.patch 
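Review bot: The `dma_rmb()` is now issued only when the head pointer read differs from `cached_hp`, and the two barriers removed from `ath11k_ce_completed_recv_next()` and `ath11k_dp_process_rx()` are only redundant if both paths reach `ath11k_hal_srng_access_begin()` before dereferencing a descriptor; the dp_rx.c context shows that call, the ce.c context does not, so confirm the CE path before dropping its barrier. The conditional also means a consumer that reads a descriptor without first observing a changed head pointer gets no ordering guarantee, which matches the ring protocol only as long as nothing reads past `cached_hp`; a short comment on the `if`, e.g. `/* no new entries since the last barrier, nothing to order */`, would make that invariant explicit. `ath11k_hal_srng_access_begin()` ends outside the inner hunk.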
@@ -0,0 +1,56 @@ +From eed5fcf4a3d20fdbd9af2e602eab2b581264822f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Jun 2025 16:34:56 +0200 +Subject: wifi: ath11k: fix source ring-buffer corruption + +commit 6efa0df54022c6c9fd4d294b87622c7fcdc418c8 upstream. + +Add the missing memory barrier to make sure that LMAC source ring +descriptors are written before updating the head pointer to avoid +passing stale data to the firmware on weakly ordered architectures like +aarch64. + +Note that non-LMAC rings use MMIO write accessors which have the +required write memory barrier. + +Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Johan Hovold +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250604143457.26032-5-johan+linaro@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/hal.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +(limited to 'drivers/net/wireless/ath/ath11k') + +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -862,7 +862,11 @@ void ath11k_hal_srng_access_end(struct a + if (srng->ring_dir == HAL_SRNG_DIR_SRC) { + srng->u.src_ring.last_tp = + *(volatile u32 *)srng->u.src_ring.tp_addr; +- *srng->u.src_ring.hp_addr = srng->u.src_ring.hp; ++ /* Make sure descriptor is written before updating the ++ * head pointer. 
++ */ ++ dma_wmb(); ++ WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp); + } else { + srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; + *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp; +@@ -871,6 +875,10 @@ void ath11k_hal_srng_access_end(struct a + if (srng->ring_dir == HAL_SRNG_DIR_SRC) { + srng->u.src_ring.last_tp = + *(volatile u32 *)srng->u.src_ring.tp_addr; ++ /* Assume implementation use an MMIO write accessor ++ * which has the required wmb() so that the descriptor ++ * is written before the updating the head pointer. ++ */ + ath11k_hif_write32(ab, + (unsigned long)srng->u.src_ring.hp_addr - + (unsigned long)ab->mem, diff --git a/package/kernel/mac80211/patches/ath11k/944-ath11k-fix_dest_ring-buffer_corruption_when_ring_is_full.patch b/package/kernel/mac80211/patches/ath11k/944-ath11k-fix_dest_ring-buffer_corruption_when_ring_is_full.patch new file mode 100644 index 00000000000..e0e53483922 --- /dev/null +++ b/package/kernel/mac80211/patches/ath11k/944-ath11k-fix_dest_ring-buffer_corruption_when_ring_is_full.patch 
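Review bot: The new comment on the non-LMAC source-ring path has two grammar slips that will be copied verbatim into the tree: `Assume implementation use an MMIO write accessor` should read `Assume the implementation uses an MMIO write accessor`, and `before the updating the head pointer` should read `before updating the head pointer`. The assumption itself deserves to be stated as a dependency rather than a fact: `ath11k_hif_write32()` dispatches through per-bus ops that are not visible here, so whether it carries the write barrier depends on the PCI/AHB implementation; either name the accessor those ops use after checking them, or soften the wording to `relies on`. The LMAC destination-ring branch at the top of the hunk still stores `tp_addr` with a plain assignment, but that is handled by the following 944 patch in this series. `ath11k_hal_srng_access_end()` continues past the inner hunk.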
@@ -0,0 +1,61 @@ +From 6fc2589aae91818dd1183a589ab97d8e5c25364e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Jun 2025 16:34:57 +0200 +Subject: wifi: ath11k: fix dest ring-buffer corruption when ring is full + +commit aa6956150f820e6a6deba44be325ddfcb5b10f88 upstream. + +Add the missing memory barriers to make sure that destination ring +descriptors are read before updating the tail pointer (and passing +ownership to the device) to avoid memory corruption on weakly ordered +architectures like aarch64 when the ring is full. + +Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Cc: stable@vger.kernel.org # 5.6 +Signed-off-by: Johan Hovold +Reviewed-by: Baochen Qiang +Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +(limited to 'drivers/net/wireless/ath/ath11k') + +--- a/drivers/net/wireless/ath/ath11k/hal.c ++++ b/drivers/net/wireless/ath/ath11k/hal.c +@@ -854,7 +854,6 @@ void ath11k_hal_srng_access_end(struct a + { + lockdep_assert_held(&srng->lock); + +- /* TODO: See if we need a write memory barrier here */ + if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) { + /* For LMAC rings, ring pointer updates are done through FW and + * hence written to a shared memory location that is read by FW +@@ -869,7 +868,11 @@ void ath11k_hal_srng_access_end(struct a + WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp); + } else { + srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; +- *srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp; ++ /* Make sure descriptor is read before updating the ++ * tail pointer. 
++ */ ++ dma_mb(); ++ WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp); + } + } else { + if (srng->ring_dir == HAL_SRNG_DIR_SRC) { +@@ -885,6 +888,10 @@ void ath11k_hal_srng_access_end(struct a + srng->u.src_ring.hp); + } else { + srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr; ++ /* Make sure descriptor is read before updating the ++ * tail pointer. ++ */ ++ mb(); + ath11k_hif_write32(ab, + (unsigned long)srng->u.dst_ring.tp_addr - + (unsigned long)ab->mem, diff --git a/package/kernel/mac80211/patches/ath11k/945-ath11k-fix_group_data_packet_drops_during_rekey.patch b/package/kernel/mac80211/patches/ath11k/945-ath11k-fix_group_data_packet_drops_during_rekey.patch new file mode 100644 index 00000000000..b7b66ef5da7 --- /dev/null +++ b/package/kernel/mac80211/patches/ath11k/945-ath11k-fix_group_data_packet_drops_during_rekey.patch 
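Review bot: The two new comments are word-for-word identical (`Make sure descriptor is read before updating the tail pointer`) although the code under them differs — `dma_mb()` for the LMAC ring whose tail pointer lives in shared memory read by firmware, `mb()` for the non-LMAC ring whose tail pointer goes through `ath11k_hif_write32()` — so a reader gets no hint why a full `mb()` is needed in front of an MMIO accessor that, per the 943 patch's own comment, already carries a write barrier. As far as I can tell the reason is that a write barrier orders prior stores only and the hazard here is a prior load, so I would extend the second comment to `/* The MMIO accessor's barrier orders stores only; a full barrier is needed so descriptor reads complete before the tail pointer update. */`. The sibling `srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;` lines are still plain dereferences of device-written memory, unlike the `READ_ONCE()` used for `hp_addr` in `ath11k_hal_srng_access_begin()`; harmless if `last_hp` is statistics only, which I cannot confirm from here. `ath11k_hal_srng_access_end()` continues past the inner hunks.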
@@ -0,0 +1,237 @@ +From 9a394fd149502394c20dc2ebecb8acfde6f6aeac Mon Sep 17 00:00:00 2001 +From: Rameshkumar Sundaram +Date: Sun, 10 Aug 2025 22:30:18 +0530 +Subject: wifi: ath11k: fix group data packet drops during rekey +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 97acb0259cc9cbfbd7ab689e25684f3d8ce10e26 ] + +During GTK rekey, mac80211 issues a clear key (if the old key exists) +followed by an install key operation in the same context. This causes +ath11k to send two WMI commands in quick succession: one to clear the +old key and another to install the new key in the same slot. + +Under certain conditions—especially under high load or time sensitive +scenarios, firmware may process these commands asynchronously in a way +that firmware assumes the key is cleared whereas hardware has a valid key. +This inconsistency between hardware and firmware leads to group addressed +packet drops. Only setting the same key again can restore a valid key in +firmware and allow packets to be transmitted. + +This issue remained latent because the host's clear key commands were +not effective in firmware until commit 436a4e886598 ("ath11k: clear the +keys properly via DISABLE_KEY"). That commit enabled the host to +explicitly clear group keys, which inadvertently exposed the race. + +To mitigate this, restrict group key clearing across all modes (AP, STA, +MESH). During rekey, the new key can simply be set on top of the previous +one, avoiding the need for a clear followed by a set. + +However, in AP mode specifically, permit group key clearing when no +stations are associated. This exception supports transitions from secure +modes (e.g., WPA2/WPA3) to open mode, during which all associated peers +are removed and the group key is cleared as part of the transition. + +Add a per-BSS station counter to track the presence of stations during +set key operations. 
Also add a reset_group_keys flag to track the key +re-installation state and avoid repeated installation of the same key +when the number of connected stations transitions to non-zero within a +rekey period. + +Additionally, for AP and Mesh modes, when the first station associates, +reinstall the same group key that was last set. This ensures that the +firmware recovers from any race that may have occurred during a previous +key clear when no stations were associated. + +This change ensures that key clearing is permitted only when no clients +are connected, avoiding packet loss while enabling dynamic security mode +transitions. + +Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1 +Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41 + +Reported-by: Steffen Moser +Closes: https://lore.kernel.org/linux-wireless/c6366409-9928-4dd7-bf7b-ba7fcf20eabf@steffen-moser.de +Fixes: 436a4e886598 ("ath11k: clear the keys properly via DISABLE_KEY") +Signed-off-by: Rameshkumar Sundaram +Tested-by: Nicolas Escande +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250810170018.1124014-1-rameshkumar.sundaram@oss.qualcomm.com +Signed-off-by: Jeff Johnson +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath11k/core.h | 2 + + drivers/net/wireless/ath/ath11k/mac.c | 111 ++++++++++++++++++++++++++++++--- + 2 files changed, 104 insertions(+), 9 deletions(-) + +(limited to 'drivers/net/wireless/ath/ath11k') + +--- a/drivers/net/wireless/ath/ath11k/core.h ++++ b/drivers/net/wireless/ath/ath11k/core.h +@@ -414,6 +414,8 @@ struct ath11k_vif { + bool do_not_send_tmpl; + struct ath11k_arp_ns_offload arp_ns_offload; + struct ath11k_rekey_data rekey_data; ++ u32 num_stations; ++ bool reinstall_group_keys; + + struct ath11k_reg_tpc_power_info reg_tpc_info; + +--- a/drivers/net/wireless/ath/ath11k/mac.c ++++ b/drivers/net/wireless/ath/ath11k/mac.c +@@ -4317,6 +4317,40 @@ static int 
ath11k_clear_peer_keys(struct + return first_errno; + } + ++static int ath11k_set_group_keys(struct ath11k_vif *arvif) ++{ ++ struct ath11k *ar = arvif->ar; ++ struct ath11k_base *ab = ar->ab; ++ const u8 *addr = arvif->bssid; ++ int i, ret, first_errno = 0; ++ struct ath11k_peer *peer; ++ ++ spin_lock_bh(&ab->base_lock); ++ peer = ath11k_peer_find(ab, arvif->vdev_id, addr); ++ spin_unlock_bh(&ab->base_lock); ++ ++ if (!peer) ++ return -ENOENT; ++ ++ for (i = 0; i < ARRAY_SIZE(peer->keys); i++) { ++ struct ieee80211_key_conf *key = peer->keys[i]; ++ ++ if (!key || (key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) ++ continue; ++ ++ ret = ath11k_install_key(arvif, key, SET_KEY, addr, ++ WMI_KEY_GROUP); ++ if (ret < 0 && first_errno == 0) ++ first_errno = ret; ++ ++ if (ret < 0) ++ ath11k_warn(ab, "failed to set group key of idx %d for vdev %d: %d\n", ++ i, arvif->vdev_id, ret); ++ } ++ ++ return first_errno; ++} ++ + static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, + struct ieee80211_vif *vif, struct ieee80211_sta *sta, + struct ieee80211_key_conf *key) +@@ -4326,6 +4360,7 @@ static int ath11k_mac_op_set_key(struct + struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif); + struct ath11k_peer *peer; + struct ath11k_sta *arsta; ++ bool is_ap_with_no_sta; + const u8 *peer_addr; + int ret = 0; + u32 flags = 0; +@@ -4386,16 +4421,57 @@ static int ath11k_mac_op_set_key(struct + else + flags |= WMI_KEY_GROUP; + +- ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); +- if (ret) { +- ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); +- goto exit; +- } ++ ath11k_dbg(ar->ab, ATH11K_DBG_MAC, ++ "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n", ++ cmd == SET_KEY ? "SET_KEY" : "DEL_KEY", peer_addr, arvif->vdev_id, ++ flags, arvif->vdev_type, arvif->num_stations); ++ ++ /* Allow group key clearing only in AP mode when no stations are ++ * associated. 
There is a known race condition in firmware where ++ * group addressed packets may be dropped if the key is cleared ++ * and immediately set again during rekey. ++ * ++ * During GTK rekey, mac80211 issues a clear key (if the old key ++ * exists) followed by an install key operation for same key ++ * index. This causes ath11k to send two WMI commands in quick ++ * succession: one to clear the old key and another to install the ++ * new key in the same slot. ++ * ++ * Under certain conditions—especially under high load or time ++ * sensitive scenarios, firmware may process these commands ++ * asynchronously in a way that firmware assumes the key is ++ * cleared whereas hardware has a valid key. This inconsistency ++ * between hardware and firmware leads to group addressed packet ++ * drops after rekey. ++ * Only setting the same key again can restore a valid key in ++ * firmware and allow packets to be transmitted. ++ * ++ * There is a use case where an AP can transition from Secure mode ++ * to open mode without a vdev restart by just deleting all ++ * associated peers and clearing key, Hence allow clear key for ++ * that case alone. Mark arvif->reinstall_group_keys in such cases ++ * and reinstall the same key when the first peer is added, ++ * allowing firmware to recover from the race if it had occurred. 
++ */ + +- ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key); +- if (ret) { +- ath11k_warn(ab, "failed to offload PN replay detection %d\n", ret); +- goto exit; ++ is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP && ++ !arvif->num_stations); ++ if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) { ++ ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags); ++ if (ret) { ++ ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret); ++ goto exit; ++ } ++ ++ ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key); ++ if (ret) { ++ ath11k_warn(ab, "failed to offload PN replay detection %d\n", ++ ret); ++ goto exit; ++ } ++ ++ if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta) ++ arvif->reinstall_group_keys = true; + } + + spin_lock_bh(&ab->base_lock); +@@ -4994,6 +5070,7 @@ static int ath11k_mac_inc_num_stations(s + return -ENOBUFS; + + ar->num_stations++; ++ arvif->num_stations++; + + return 0; + } +@@ -5009,6 +5086,7 @@ static void ath11k_mac_dec_num_stations( + return; + + ar->num_stations--; ++ arvif->num_stations--; + } + + static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar, +@@ -9536,6 +9614,21 @@ static int ath11k_mac_station_add(struct + goto exit; + } + ++ /* Driver allows the DEL KEY followed by SET KEY sequence for ++ * group keys for only when there is no clients associated, if at ++ * all firmware has entered the race during that window, ++ * reinstalling the same key when the first sta connects will allow ++ * firmware to recover from the race. ++ */ ++ if (arvif->num_stations == 1 && arvif->reinstall_group_keys) { ++ ath11k_dbg(ab, ATH11K_DBG_MAC, "set group keys on 1st station add for vdev %d\n", ++ arvif->vdev_id); ++ ret = ath11k_set_group_keys(arvif); ++ if (ret) ++ goto dec_num_station; ++ arvif->reinstall_group_keys = false; ++ } ++ + arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL); + if (!arsta->rx_stats) { + ret = -ENOMEM; 
diff --git a/package/kernel/mac80211/patches/ath11k/946-ath11k-fix_NULL_dereference_in_ath11k_qmi_m3_load.patch b/package/kernel/mac80211/patches/ath11k/946-ath11k-fix_NULL_dereference_in_ath11k_qmi_m3_load.patch new file mode 100644 index 00000000000..258a94c8b7a --- /dev/null +++ b/package/kernel/mac80211/patches/ath11k/946-ath11k-fix_NULL_dereference_in_ath11k_qmi_m3_load.patch @@ -0,0 +1,40 @@ +From 888830b2cbc035838bebefe94502976da94332a5 Mon Sep 17 00:00:00 2001 +From: Matvey Kovalev +Date: Wed, 17 Sep 2025 22:20:01 +0300 +Subject: wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load() + +commit 3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782 upstream. + +If ab->fw.m3_data points to data, then fw pointer remains null. +Further, if m3_mem is not allocated, then fw is dereferenced to be +passed to ath11k_err function. + +Replace fw->size by m3_len. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 7db88b962f06 ("wifi: ath11k: add firmware-2.bin support") +Cc: stable@vger.kernel.org +Signed-off-by: Matvey Kovalev +Reviewed-by: Baochen Qiang +Reviewed-by: Vasanthakumar Thiagarajan +Link: https://patch.msgid.link/20250917192020.1340-1-matvey.kovalev@ispras.ru +Signed-off-by: Jeff Johnson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/qmi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +(limited to 'drivers/net/wireless/ath/ath11k') + +--- a/drivers/net/wireless/ath/ath11k/qmi.c ++++ b/drivers/net/wireless/ath/ath11k/qmi.c +@@ -2576,7 +2576,7 @@ static int ath11k_qmi_m3_load(struct ath + GFP_KERNEL); + if (!m3_mem->vaddr) { + ath11k_err(ab, "failed to allocate memory for M3 with size %zu\n", +- fw->size); ++ m3_len); + ret = -ENOMEM; + goto out; + } -- 2.47.3
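Review bot: The format argument is now `m3_len`, so the `%zu` specifier is only correct if `m3_len` is declared `size_t`; its declaration is outside the hunk, so confirm it is not an `int` or `u32`, because a mismatched `%zu` argument is undefined behaviour rather than a cosmetic warning. The fix removes the dereference of a `fw` pointer that is NULL when `ab->fw.m3_data` is used, but whether `fw` is still released on this error path depends on the `out:` label, which is also outside the hunk. `ath11k_qmi_m3_load()` starts and ends outside the inner hunk.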