[DESIGN RFC] Critical Update handling in the kernel
Aditya Kumar Singh
aditya.kumar.singh at oss.qualcomm.com
Tue Jul 22 21:34:54 PDT 2025
On 7/22/2025 8:12 PM, Johannes Berg wrote:
> Hi,
>
> Thanks for writing this up! I really think Realtek and Mediatek should
> comment - CC'ing some folks.
>
>> "What about vendors whose firmware does not support this functionality?"
>> "What about mac80211_hwsim? How this is supposed to work with
>> mac80211_hwsim?"
>
> I really like the hwsim part because we really can't even test the
> client side right now ...
>
>> ===========================================================================
>> OPEN QUESTIONS
>> ===========================================================================
>> Before we move forward with implementation, we'd like to confirm whether
>> the proposed design looks sound. Are there any concerns or potential issues
>> we should be aware of?
>>
>> Out of curiosity, we're also interested in understanding how other vendors
>> are currently handling this feature in their downstream drivers. Is it
>> typically offloaded to firmware, or is the logic implemented in the kernel?
>> Just want to confirm whether all this will be used only by mac80211_hwsim
>> or will there be any actual users?
>
> I think Ping-Ke previously indicated that they were planning to do
> things host side? I'm not super familiar with the timing constraints
> though, so I'm not sure what that might imply.
>
>> Critical Update is a mechanism where, if a BSS parameter changes on one of
>> the links within a Multi-Link Device (MLD), that change is also signaled in
>> the beacons/probe response of its partner links. This allows the multi-link
>> client to be proactively informed of the update through any of the partner
>> links, rather than waiting to receive the updated beacon/probe responses
>> from the affected link itself.
>
> FWIW we also have some client side code for it already. It's probably
> broken ;-)
Yes, I’ve seen that. I’m not entirely sure if it’s broken, but it does
seem related to CSA parsing from the link—there is code handling that.
If anything turns out to be broken, we can fix it.
>
>> This ensures that multi-link clients monitoring Link B can be promptly
>> informed of the change on Link A, without needing to wait for Link A’s next
>> beacon.
>
> Btw, you make this a lot about "without needing to wait" and the whole
> timing, but another, I'd maybe even argue more important, aspect of this
> is that they don't have to be receiving the beacon at all. For example
> for EMLSR clients, or clients that aren't even active at all on a given
> link, they might not/cannot see the beacons for all links at all, even
> if they're nominally connected on those links.
Yes, that's true as well! I just wanted to keep the context
straightforward and avoid bringing in another feature that might cause
confusion. But you're absolutely right.
>
>> ===========================================================================
>> DESIGN PROPOSAL
>> ===========================================================================
>>
>> Assumptions:
>> ------------
>> The critical update procedure is highly timing-sensitive.
>
> There are two aspects here that I feel maybe you're conflating a bit. On
> the one hand, yes, some of it needs to have the precise information for
> the counters. OTOH, some of it is really not _that_ timing critical,
> e.g. whether or not you actually get the information live at exactly the
> right time. Though of course a frame that's transmitted after a beacon
> that advertised CSA should not suddenly _not_ advertise it even cross-
> link.
Absolutely! We acknowledge that achieving the ideal case may not be
possible. Keeping the logic in the kernel brings us closer to the
expected behavior, whereas shifting it to hostapd would likely result in
a much larger deviation.
>
>> This design introduces additional computational overhead, which could
>> potentially delay beacon processing. Since not all mac80211 drivers may
>> prefer this behavior, introduce a new extended feature flag -
>> CRITICAL_UPDATE_SELF_MANAGED. mac80211 will NOT perform these extra
>> computations if the driver advertises this feature support.
>
> Fair.
>
>> Parsing the beacon update:
>> --------------------------
>> During the ieee80211_assign_beacon() call (where link->u.ap.beacon is
>> updated whenever the beacon content is initially set using
>> ieee80211_start_ap(), modified through ieee80211_change_beacon(), or
>> changed as a result of channel or color switch events) -
>>
>> 1. Store the new beacon data in a new pointer, following the usual flow.
>> 2. Parse the beacon (using the head and tail pointers) and record the
>> starting offsets of each required Element (earlier referred to as IE i.e
>> Information element) in an array, indexed by element id or extended
>> element id. This is done per link object.
>> 3. If a previous beacon exists:
>> 3.1 For each element related to the critical update, perform a memcmp()
>> to detect changes compared to the previous contents.
>> 3.2 If any such element has changed, set the critical update flag in
>> some link-level object (e.g., link_conf). (this is for the affected
>> link)
>> 3.2.1 At the same time, set the critical update flag for all
>> partner links as well in the same object.
>> 3.3 Increment the BPCC[2] value (modulo 256 excluding 255) for the
>
> (as an aside, I think this is really funny - it's obviously the same as
> "modulo 255", but I guess I can also see why they worded it that way...)
>
>
>> current link.
>
> Wouldn't it be far simpler to have hostapd indicate the critical update,
> and even the BPCC value? It also has to include BPCC in RNR and other
> fields, do we really want to _parse_ all of that and update all those
> values?! Seems iffy at best.
The challenge is that if hostapd takes on this task, it would need to
send updates for all partner links. Theoretically, this could result in
up to 15 beacon NLs being transmitted. Processing these NLs and updating
the beacons would already be time-consuming. On top of that, managing
the additional offsets required to update the counters adds another
layer of complexity.
OTOH, the proposed design just takes 1 NL update and rest it does
automatically what is needed which will be less time consuming than
multiple NL commands flow.
>
>> 4. If critical update flag got set in previous step for partner links, call
>> link_info_changed() with CHANGED_BEACON to notify lower layer that
>> beacon has changed. This applies only in case when beacon is offloaded
>> to firmware. In case beacon is given to driver at every TBTT, there is
>> no need to notify since at next TBTT, driver will fetch the latest
>> beacon anyways.
>
> Sure.
>
>
>> Forming the new beacon:
>> -----------------------
>> In the __ieee80211_beacon_get() function, where the beacon SKBs are
>> constructed:
>>
>> 1. Allow the existing logic to generate all beacon SKBs (including multiple
>> SKBs in the case of MBSSID-EMA).
>> 2. For each beacon SKB:
>> 2.1 Parse the RNR (Reduced Neighbor Report) element.
>> 2.1.1 For each TBTT Info entry:
>> 2.1.1.1 Extract the BSSID
>> 2.1.1.2 Retrieve the corresponding link sdata from BSSID
>> 2.1.1.3 fetch the latest BPCC value.
>> 2.1.1.4 Update the frame with this latest BPCC value.
>
> Yeah, I really don't like that... Do you really do that in firmware
> today? That sounds all really painful.
Not exactly this way, but yeah firmware does all this in offloaded case.
>
>> 2.2 Parse the MBSSID profile element.
>> 2.2.1 For each non-Tx profile:
>> 2.2.1.1 Extract the BSSID
>> 2.2.1.2 Retrieve the corresponding link sdata from BSSID
>> 2.2.1.3 If the critical update flag is set in link object, set
>> the CU (Critical Update) bit in the capability element.
>> 2.2.1.4 Set non_tx_update = true.
>> 2.3 Parse the multi-link element.
>> 2.3.1 For the self link (already known), fetch the latest BPCC
>> value.
>> 2.3.2 Update the frame with this BPCC value.
>> 2.4 Update the capability element in the SKB:
>> 2.4.1 If the critical update flag is set, set the CU bit.
>> 2.4.2 If non_tx_update == true, also set the non-Tx CU bit.
>
> How much of that can we let hostapd do?
hostapd forms beacon so it can do all of this. The only bottleneck is
communicating all link's beacon update sequentially via NL. And if
another update happens in the meantime - for example link A started CSA
and then link B also started CSA, these will pile up the NL socket queue
with beacon updates.
>
>> This mechanism sufficiently handles critical updates due to modifications
>> of existing elements (elements related to the critical update which are
>> already present in the beacon and just one or more field is/are changing
>> its value). However, in the case of new element inclusion (elements related
>> to the critical update which are not alread present in the beacon, but is
>> getting added from next beacon), additional handling is required.
>> Specifically, the newly included elements related to the critical update
>> must be added to the per-STA profile within the Basic Multi-Link Element
>> (BMLE) [3].
>
> That seems almost like an over-optimisation? If I'm reading this
> correctly, this is basically describing a situation like this
>
> (x indicates a beacon TX)
>
> link 1 x x x x x x x
> link 2 x x x x x x x
>
> ^ link 1 starts channel switching
> (after its own bcn, before the next link 2 bcn)
>
> and saying that really the next link 2 beacon will already indicate the
> link 1 beacon will be switching channel.
>
> But is that really actually a case worth worrying about? You can always
> consider it as if this had happened:
>
> link 1 x x x x x x x
> link 2 x x x x x x x
>
> ^ link 1 starts channel switching
>
> i.e. as if link 1 had decided to do channel switch just _after_ link 2's
> beacon instead.
>
> Does that really significantly change anything? I'm not so sure?
You're right, but that's not quite what the original text is trying to
convey.
There are generally two types of critical updates:
1. Adding a new element, such as CSA or CCA.
2. Modifying an existing element, like VHT/HE/EHT Operation IE, TWT, etc.
In the second case, forming the beacon is relatively
straightforward—only the BPCC and the critical update flag need to be
set. However, in the first case, it's more complex. You need to insert
the new elements (e.g., CSA IE) into the per-STA profile of the affected
link within the reporting link, as shown in the earlier diagram.
-----
Link A started CSA and during CSA, the beaconing would look like -
┌──────────────────────────────┐ ┌──────────────────────────────┐
│ Link A's beacon │ │ Link B's beacon │
│ │ │ │
│┌────────────────────────────┐│ │┌────────────────────────────┐│
││Capabilities Info: ││ ││Capabilities Info: ││
││ BIT 6: CU Bit: True ││ ││ BIT 6: CU Bit: True ││
│└────────────────────────────┘│ │└────────────────────────────┘│
│┌────────────────────────────┐│ │ ...... │
││CSA: ││ │┌────────────────────────────┐│
││ CS Count: 5 ││ ││RNR Element: ││
│└────────────────────────────┘│ ││ TBTT INFO: ││
│...... │ ││ MLD INFO: ││
│┌────────────────────────────┐│ ││ LINK ID: A ││
││RNR Element: ││ ││ BPCC: 2 ││
││ TBTT INFO: ││ │└────────────────────────────┘│
││ MLD INFO: ││ │...... │
││ LINK ID: B ││ │┌────────────────────────────┐│
││ BPCC: 1 ││ ││MULTI LINK Element: ││
│└────────────────────────────┘│ ││ COMMON INFO: ││
│...... │ ││ LINK ID: B ││
│┌────────────────────────────┐│ ││ BPCC: 1 ││
││MULTI LINK Element: ││ ││ ││
││ COMMON INFO: ││ ││ Basic STA profile count: 1││
││ LINK ID: A ││ ││ Per STA Profile: ││
││ BPCC: 2 ││ ││ Link ID: A ││
││ ││ ││ ┌─────────────────────┐││
││ Basic STA profile count: 0││ ││ │CSA: *THIS ONE* │││
│└────────────────────────────┘│ ││ │ CS Count: 5 │││
└──────────────────────────────┘ ││ └─────────────────────┘││
│└────────────────────────────┘│
│...... │
└──────────────────────────────┘
(See the CSA element (marked with *THIS ONE* ) in link B's beacon due to
link A doing CSA).
-------
So to handle this case (additional of new element), the below steps are
additionally required on top of what was already explained above.
Does this make sense now?
>> To achieve this:
>>
>> 3. Allow the existing logic to form the beacon SKB as previously defined
>> (this already handles modification updates).
>> 4. Maintain an extra_len variable to track any additional space required
>> for including additional elements.
>> 5. While parsing:
>> 5.1 If critical update is going on in partner link due to inclusion of
>> elements, increment extra_len accordingly.
>> 5.2 The required length is determined using the eid/ext eid based
>> offset maintained in each beacon data structure.
>> 5.3 Since the element offset is known, and the next byte is the tag
>> length, the total length is tag_len + 2 (for EID and length
>> fields).
>> 5.4 Account for any additional fields that may be needed (e.g.,
>> sub-element ID and length in the Multi-Link IE).
>> 6. Compute the new beacon size:
>> new_size = current_size + extra_len
>> 7. Allocate a new SKB with the updated size.
>> 8. Copy the existing contents and insert the new or updated elements at the
>> appropriate offsets.
>> 9. Since IE offsets are cached in the beacon data structure, the entire IE
>> can be copied directly without re-parsing the full beacon from other
>> links.
>> 10. Free the original beacon SKB.
>> 11. Return the newly constructed beacon SKB.
>
> That kind of also seems like hostapd could just update the beacons?
Yes it can. Only thing is multiple NL beacon updates.
>
>> DTIM beacon handling:
>> ---------------------
>> As per requirement [4], the Critical Update (CU) bit in the capability
>> field must be cleared in the DTIM beacon.
>>
>> For Non-Offloaded Beacon Handling:
>> 1. The function __ieee80211_beacon_add_tim() is responsible for
>> updating the DTIM count.
>> 2. When the DTIM count reaches 1 (indicating that the next beacon will
>> be a DTIM beacon), the critical update flag in the corresponding
>> link object should be reset.
>>
>> For Offloaded Beacon Handling:
>> 1. If precise control is required:
>> 1.1 Since DTIM updates are managed by the lower layer (typically
>> the firmware or driver), an API will be provided to explicitly
>> reset the critical update flag.
>> 1.2 The driver, upon detecting that a DTIM beacon is about to be
>> transmitted, can invoke this API to perform the reset.
>> 2. If some timing inaccuracy is acceptable:
>> 2.1 mac80211 can maintain a timer to reset the critical update
>> flag after a DTIM interval.
>> 2.2 However, this approach may lead to synchronization issues, as
>> mac80211 cannot guarantee the exact timing of beacon
>> transmission handled by the hardware.
>
> I guess I can see where this is needed, yeah. I think I'd probably go
> for 1, it's simpler for mac80211 and worst case drivers can have a
> counter or something themselves and do that after pulling the DTIM
> beacon from mac80211.
sure.
>
>> Update BPCC back to NL:
>> -----------------------
>> After the kernel increments the BPCC value, it can emit a netlink event
>> containing the updated BPCC value. This allows hostapd to receive the
>> latest BPCC and include it in probe/association response frames, as
>> required by the specification.
>>
>> This coordination ensures that all - beacon, probe response, and
>> association response frames reflect consistent BPCC values, maintaining
>> compliance with spec-defined behavior for multi-link and critical update
>> handling.
>
> Yeah not liking this too much I guess... Why can't hostapd maintain
> BPCC?
It can only when everything is fully handled by hostapd. Otherwise
kernel should be owner of having the latest value. It can report the
latest value to hostap upon any change.
>
>> Counter offset handling of partner links:
>> -----------------------------------------
>> Note: This applies only in case of offloaded beacon case.
>>
>> Since not all links operate with the same beacon interval, the firmware
>> cannot simply decrement the counter on every self-beacon transmission.
>>
>> To handle this correctly:
>> Each BPCC counter will be associated with:
>> * An offset (location in the frame where the counter resides), and
>> * A periodicity value, indicating how often the counter should be
>> decremented.
>>
>> The firmware is expected to:
>> * Track the number of self-beacon transmissions per link.
>> * Decrement the counter only after the specified number of
>> transmissions, as defined by the periodicity value.
>> * This ensures that counter updates are aligned with each link’s
>> individual beacon schedule, maintaining spec compliance in multi-link
>> scenarios.
>
> True. Although I expect some devices might simply prevent different
> beacon intervals.
True, but in case if not, still it can be handled I guess.
>
>> Complexities:
>> -------------
>> When adding elements in per STA profile, the element length might exceed
>> hence fragmentation needs to be handled properly.
>
> We have fragmentation but all this parsing means also we need
> _defragmentation_ first, which is awkward?
I think de-fragmentation is already supported ? If not, we will have to
add it to support it.
>
>> memcmp vs hashing
>> =================
>> In the section where memcmp() is used to detect changes in beacon elements
>> (to determine if a critical update is needed), this logic could
>> alternatively be handled at the hostapd level.
>
> Yeah sounds better to me :P
Okay so only the link which is undergoing a change, hostapd will signal
to kernel about critical update? Rest kernel will handled parsing and
updating the partner links as per the need?
>
>> Since hostapd does not retain the previous beacon frame, it cannot perform
>> a direct memory comparison. However, it can compute and store hashes of the
>> required elements during beacon formation. On subsequent updates, it can
>> compare the new hashes with the previously stored ones to detect changes.
>
> It doesn't necessarily even have to do that - it could also track
> internally when it made changes. Like when something actually starts a
> channel switch. Or color switch maybe, or something.
True when adding, it can do easily. But when modifying, it has to have
some older value to compare with.
--
Aditya
More information about the ath12k
mailing list