wifi: ath12k: prevent CSA counter to reach 0 and hit WARN_ON_ONCE

Currently, when the driver receives a channel switch count WMI event from
the firmware with a count greater than 1, it calls
ieee80211_beacon_update_cntdwn(). If the beacon transmission fails, the
event will be received again with the previous count value. In this
scenario, the host decrements the mac80211 counter again, causing it to
move ahead of the firmware counter. Ultimately, when the firmware count
reaches 1, the mac80211 counter will reach zero, triggering a
WARN_ON_ONCE(). Therefore, there is a need to check the count value in the
event.

Hence to fix this, maintain the current ongoing counter in arvif. If the
count in the event does not match the expected value, silently discard the
event.

Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1

Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Link: https://patch.msgid.link/20250124-ath12k_mlo_csa-v2-4-420c42fcfecf@quicinc.com
Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>

diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h
index 28db100cfac06e5b33c78f09e9ef1b6447150fec..407404e7abb75afc0bb133b17d17764d675e6feb 100644 (file)
--- a/drivers/net/wireless/ath/ath12k/core.h
+++ b/drivers/net/wireless/ath/ath12k/core.h
@@ -301,6 +301,8 @@ struct ath12k_link_vif {
        u8 link_id;
        struct ath12k_vif *ahvif;
        struct ath12k_rekey_data rekey_data;
+
+       u8 current_cntdown_counter;
 };
 
 struct ath12k_vif {

diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index fdbb604e4fb094d90785c58c453ca6302cd41eef..b43ab621a74e0a13a2b0bba1a0b720e69ee748f2 100644 (file)
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -1973,6 +1973,7 @@ int ath12k_wmi_bcn_tmpl(struct ath12k_link_vif *arvif,
                cmd->ext_csa_switch_count_offset =
                                cpu_to_le32(offs->cntdwn_counter_offs[1]);
                cmd->csa_event_bitmap = cpu_to_le32(0xFFFFFFFF);
+               arvif->current_cntdown_counter = bcn->data[offs->cntdwn_counter_offs[0]];
        }
 
        cmd->buf_len = cpu_to_le32(bcn->len);
@@ -7532,10 +7533,22 @@ ath12k_wmi_process_csa_switch_count_event(struct ath12k_base *ab,
                        continue;
 
                /* Finish CSA when counter reaches zero */
-               if (!current_switch_count)
+               if (!current_switch_count) {
                        ieee80211_csa_finish(ahvif->vif, arvif->link_id);
-               else if (current_switch_count > 1)
-                       ieee80211_beacon_update_cntdwn(ahvif->vif, arvif->link_id);
+                       arvif->current_cntdown_counter = 0;
+               } else if (current_switch_count > 1) {
+                       /* If the count in event is not what we expect, don't update the
+                        * mac80211 count. Since during beacon Tx failure, count in the
+                        * firmware will not decrement and this event will come with the
+                        * previous count value again
+                        */
+                       if (current_switch_count != arvif->current_cntdown_counter)
+                               continue;
+
+                       arvif->current_cntdown_counter =
+                               ieee80211_beacon_update_cntdwn(ahvif->vif,
+                                                              arvif->link_id);
+               }
        }
        rcu_read_unlock();
 }