[PATCH ath-current] wifi: ath12k: fix incorrect channel survey index

Tue Feb 10 07:38:46 PST 2026

On Tue, Feb 10, 2026 at 10:44:40AM +0800, Yingying Tang wrote:
> A wrong channel survey index was introduced in
> ath12k_mac_op_get_survey by [1], which can cause ACS to fail.
> 
> The index is decremented before being used, resulting in an
> incorrect value when accessing the channel survey data.
> 
> Fix the index handling to ensure the correct survey entry is
> used and avoid ACS failures.
> 
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
> 
> Fixes: 4f242b1d6996 ("wifi: ath12k: support get_survey mac op for single wiphy") # [1]
> Signed-off-by: Yingying Tang <yingying.tang at oss.qualcomm.com>
> 
> ---
>  drivers/net/wireless/ath/ath12k/mac.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
> index e0e49f782bf8..86ce7d87b5a5 100644
> --- a/drivers/net/wireless/ath/ath12k/mac.c
> +++ b/drivers/net/wireless/ath/ath12k/mac.c
> @@ -13086,6 +13086,7 @@ static int ath12k_mac_op_get_survey(struct ieee80211_hw *hw, int idx,
>  	struct ath12k *ar;
>  	struct ieee80211_supported_band *sband;
>  	struct survey_info *ar_survey;
> +	int orig_idx = idx;
>  
>  	lockdep_assert_wiphy(hw->wiphy);
>  
> @@ -13120,7 +13121,7 @@ static int ath12k_mac_op_get_survey(struct ieee80211_hw *hw, int idx,
>  		return -ENOENT;
>  	}
>  
> -	ar_survey = &ar->survey[idx];
> +	ar_survey = &ar->survey[orig_idx];
>  
>  	ath12k_mac_update_bss_chan_survey(ar, &sband->channels[idx]);
>  

This change appears to break channel survey data on the QCN9274 (a
dual-band device), because each radio has its own ar (ath12k_radio)
instance.

A proper fix, for both single and dual band, could need to fetch the
survey index info from the frequency. Maybe reusing the freq_to_idx()
from wmi.c that already does the conversion as below ?

  ar_survey = &ar->survey[freq_to_idx(ar, sband->channels[idx].center_freq)];

Another solution could be to keep your patch and just remove the
following bits from freq_to_idx() as below.

diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index 3ce5fcb0e460..d05b837f7d47 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -6568,9 +6568,6 @@ static int freq_to_idx(struct ath12k *ar, int freq)
 	int band, ch, idx = 0;
 
 	for (band = NL80211_BAND_2GHZ; band < NUM_NL80211_BANDS; band++) {
-		if (!ar->mac.sbands[band].channels)
-			continue;
-
 		sband = hw->wiphy->bands[band];
 		if (!sband)
 			continue;


With that being said, there might be cleaner ways to do that though
(e.g. keeping survey result in ath12k_hw instead of per radio, ...).

Thanks,

-- 
Remi

