[openwrt/openwrt] mac80211: ath11k: backport of the latest changes applied for ath11k in 6.16.12

LEDE Commits lede-commits at lists.infradead.org
Sun Oct 19 15:24:20 PDT 2025


hauke pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/ea2c2ca2ae0ecd243f753c5dc2cd57dcde05f9c5

commit ea2c2ca2ae0ecd243f753c5dc2cd57dcde05f9c5
Author: Agustin Lorenzo <agustin.lorenzo at thinco.es>
AuthorDate: Mon Oct 13 02:03:51 2025 +0200

    mac80211: ath11k: backport of the latest changes applied for ath11k in 6.16.12
    
    This includes the following commits from upstream Linux between 6.16 and 6.16.12:
    
    wifi: ath11k: clear initialized flag for deinit-ed srng lists
    wifi: ath11k: fix sleeping-in-atomic in ath11k_mac_op_set_bitrate_mask()
    wifi: ath11k: fix dest ring-buffer corruption
    wifi: ath11k: fix source ring-buffer corruption
    wifi: ath11k: fix dest ring-buffer corruption when ring is full
    wifi: ath11k: fix group data packet drops during rekey [1]
    wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()
    
    [1] The patch "940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch" has been removed, as it has been fixed upstream in "wifi: ath11k: fix group data packet drops during rekey" and is added in the 945 patch.
    Related: https://github.com/openwrt/openwrt/pull/18705
    Related: https://github.com/openwrt/openwrt/issues/9555
    Related: https://github.com/openwrt/openwrt/issues/14117
    
    Signed-off-by: Agustin Lorenzo <agustin.lorenzo at thinco.es>
    Link: https://github.com/openwrt/openwrt/pull/20395
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 ...rt-clear-the-keys-properly-when-DISABLE_K.patch |  48 -----
 ...initialized_flag_for_deinit-ed_srng_lists.patch |  92 ++++++++
 ...-atomic_in_ath11k_mac_op_set_bitrate_mask.patch |  67 ++++++
 ...42-ath11k-fix_dest_ring-buffer_corruption.patch |  83 ++++++++
 ...-ath11k-fix_source_ring-buffer_corruption.patch |  56 +++++
 ..._ring-buffer_corruption_when_ring_is_full.patch |  61 ++++++
 ...-fix_group_data_packet_drops_during_rekey.patch | 237 +++++++++++++++++++++
 ...ix_NULL_dereference_in_ath11k_qmi_m3_load.patch |  40 ++++
 8 files changed, 636 insertions(+), 48 deletions(-)

diff --git a/package/kernel/mac80211/patches/ath11k/940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch b/package/kernel/mac80211/patches/ath11k/940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch
deleted file mode 100644
index 1f0b63c81b..0000000000
--- a/package/kernel/mac80211/patches/ath11k/940-ath11k-Revert-clear-the-keys-properly-when-DISABLE_K.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 52393e2ae12f18fb1a60578c24c46ebab292ddb6 Mon Sep 17 00:00:00 2001
-From: Rameshkumar Sundaram <quic_ramess at quicinc.com>
-Date: Mon, 28 Mar 2022 13:21:04 +0530
-Subject: [PATCH] ath11k: Revert: clear the keys properly when DISABLE_KEY
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Reverting the Upstream clear key change added as a part of
-436a4e886598 ("ath11k: clear the keys properly
-when DISABLE_KEY")
-This change exposed a race in WLAN Firmware where target asserts
-are seen frequently due FW not synchronizing ath11k host’s clear
-key commands(CIPHER changes to NONE) with frames in TX queue.
-Hence reverting this change untill FW fixes to synchronize
-ath11k host’s clear key command are available.
-
-Signed-off-by: Rameshkumar Sundaram <quic_ramess at quicinc.com>
----
- drivers/net/wireless/ath/ath11k/mac.c | 4 +++-
- drivers/net/wireless/ath/ath11k/wmi.c | 3 +--
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
---- a/drivers/net/wireless/ath/ath11k/mac.c
-+++ b/drivers/net/wireless/ath/ath11k/mac.c
-@@ -4232,7 +4232,9 @@ static int ath11k_install_key(struct ath
- 		return 0;
- 
- 	if (cmd == DISABLE_KEY) {
--		arg.key_cipher = WMI_CIPHER_NONE;
-+		/* TODO: Check if FW expects  value other than NONE for del */
-+		/* arg.key_cipher = WMI_CIPHER_NONE; */
-+		arg.key_len = 0;
- 		arg.key_data = NULL;
- 		goto install;
- 	}
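Review bot: dropping this revert re-enables the upstream DISABLE_KEY path (`arg.key_cipher = WMI_CIPHER_NONE` with a NULL key_data) that the removed patch had been suppressing because of firmware asserts, not packet drops. The replacement 945 patch avoids sending a group-key DISABLE_KEY while stations are associated, which removes the clear-then-set sequence behind both symptoms, but pairwise-key clears still reach the firmware through this path, so the linked issues (9555, 14117) should be re-tested on the affected boards rather than assumed fixed by the removal.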
---- a/drivers/net/wireless/ath/ath11k/wmi.c
-+++ b/drivers/net/wireless/ath/ath11k/wmi.c
-@@ -1854,8 +1854,7 @@ int ath11k_wmi_vdev_install_key(struct a
- 	tlv = (struct wmi_tlv *)(skb->data + sizeof(*cmd));
- 	tlv->header = FIELD_PREP(WMI_TLV_TAG, WMI_TAG_ARRAY_BYTE) |
- 		      FIELD_PREP(WMI_TLV_LEN, key_len_aligned);
--	if (arg->key_data)
--		memcpy(tlv->value, (u8 *)arg->key_data, key_len_aligned);
-+	memcpy(tlv->value, (u8 *)arg->key_data, key_len_aligned);
- 
- 	ret = ath11k_wmi_cmd_send(wmi, skb, WMI_VDEV_INSTALL_KEY_CMDID);
- 	if (ret) {
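Review bot: with this hunk gone the `if (arg->key_data)` guard in front of the memcpy() is back; the removed variant relied on key_len being forced to 0 for DISABLE_KEY so that the unguarded copy was a zero-length memcpy() from a NULL pointer, which is undefined behaviour in C even when nothing is copied, so restoring the guard is correct independent of the rekey fix.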
diff --git a/package/kernel/mac80211/patches/ath11k/940-ath11k-clear_initialized_flag_for_deinit-ed_srng_lists.patch b/package/kernel/mac80211/patches/ath11k/940-ath11k-clear_initialized_flag_for_deinit-ed_srng_lists.patch
new file mode 100644
index 0000000000..e092e9d2aa
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/940-ath11k-clear_initialized_flag_for_deinit-ed_srng_lists.patch
@@ -0,0 +1,92 @@
+From 16872194c80f2724472fc207991712895ac8a230 Mon Sep 17 00:00:00 2001
+From: Sergey Senozhatsky <senozhatsky at chromium.org>
+Date: Thu, 12 Jun 2025 17:45:06 +0900
+Subject: wifi: ath11k: clear initialized flag for deinit-ed srng lists
+
+[ Upstream commit a5b46aa7cf5f05c213316a018e49a8e086efd98e ]
+
+In a number of cases we see kernel panics on resume due
+to ath11k kernel page fault, which happens under the
+following circumstances:
+
+1) First ath11k_hal_dump_srng_stats() call
+
+ Last interrupt received for each group:
+ ath11k_pci 0000:01:00.0: group_id 0 22511ms before
+ ath11k_pci 0000:01:00.0: group_id 1 14440788ms before
+ [..]
+ ath11k_pci 0000:01:00.0: failed to receive control response completion, polling..
+ ath11k_pci 0000:01:00.0: Service connect timeout
+ ath11k_pci 0000:01:00.0: failed to connect to HTT: -110
+ ath11k_pci 0000:01:00.0: failed to start core: -110
+ ath11k_pci 0000:01:00.0: firmware crashed: MHI_CB_EE_RDDM
+ ath11k_pci 0000:01:00.0: already resetting count 2
+ ath11k_pci 0000:01:00.0: failed to wait wlan mode request (mode 4): -110
+ ath11k_pci 0000:01:00.0: qmi failed to send wlan mode off: -110
+ ath11k_pci 0000:01:00.0: failed to reconfigure driver on crash recovery
+ [..]
+
+2) At this point reconfiguration fails (we have 2 resets) and
+  ath11k_core_reconfigure_on_crash() calls ath11k_hal_srng_deinit()
+  which destroys srng lists.  However, it does not reset per-list
+  ->initialized flag.
+
+3) Second ath11k_hal_dump_srng_stats() call sees stale ->initialized
+  flag and attempts to dump srng stats:
+
+ Last interrupt received for each group:
+ ath11k_pci 0000:01:00.0: group_id 0 66785ms before
+ ath11k_pci 0000:01:00.0: group_id 1 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 2 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 3 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 4 14780845ms before
+ ath11k_pci 0000:01:00.0: group_id 5 14780845ms before
+ ath11k_pci 0000:01:00.0: group_id 6 14485062ms before
+ ath11k_pci 0000:01:00.0: group_id 7 66814ms before
+ ath11k_pci 0000:01:00.0: group_id 8 68997ms before
+ ath11k_pci 0000:01:00.0: group_id 9 67588ms before
+ ath11k_pci 0000:01:00.0: group_id 10 69511ms before
+ BUG: unable to handle page fault for address: ffffa007404eb010
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 100000067 P4D 100000067 PUD 10022d067 PMD 100b01067 PTE 0
+ Oops: 0000 [#1] PREEMPT SMP NOPTI
+ RIP: 0010:ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k]
+ Call Trace:
+ <TASK>
+ ? __die_body+0xae/0xb0
+ ? page_fault_oops+0x381/0x3e0
+ ? exc_page_fault+0x69/0xa0
+ ? asm_exc_page_fault+0x22/0x30
+ ? ath11k_hal_dump_srng_stats+0x2b4/0x3b0 [ath11k (HASH:6cea 4)]
+ ath11k_qmi_driver_event_work+0xbd/0x1050 [ath11k (HASH:6cea 4)]
+ worker_thread+0x389/0x930
+ kthread+0x149/0x170
+
+Clear per-list ->initialized flag in ath11k_hal_srng_deinit().
+
+Signed-off-by: Sergey Senozhatsky <senozhatsky at chromium.org>
+Reviewed-by: Baochen Qiang <quic_bqiang at quicinc.com>
+Fixes: 5118935b1bc2 ("ath11k: dump SRNG stats during FW assert")
+Link: https://patch.msgid.link/20250612084551.702803-1-senozhatsky@chromium.org
+Signed-off-by: Jeff Johnson <jeff.johnson at oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+(limited to 'drivers/net/wireless/ath/ath11k')
+
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -1341,6 +1341,10 @@ EXPORT_SYMBOL(ath11k_hal_srng_init);
+ void ath11k_hal_srng_deinit(struct ath11k_base *ab)
+ {
+ 	struct ath11k_hal *hal = &ab->hal;
++	int i;
++
++	for (i = 0; i < HAL_SRNG_RING_ID_MAX; i++)
++		ab->hal.srng_list[i].initialized = 0;
+ 
+ 	ath11k_hal_unregister_srng_key(ab);
+ 	ath11k_hal_free_cont_rdp(ab);
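Review bot: the loop indexes `ab->hal.srng_list[i]` while the local `hal = &ab->hal` declared just above is left unused in this hunk; `hal->srng_list[i].initialized = 0` would match the surrounding code. This is a verbatim upstream backport, so that is a point for upstream rather than a reason to diverge here. Functionally the fix is sound provided srng_list is sized HAL_SRNG_RING_ID_MAX in hal.h, which is worth a quick check in the tree this is applied to.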
diff --git a/package/kernel/mac80211/patches/ath11k/941-ath11k-fix_sleeping-in-atomic_in_ath11k_mac_op_set_bitrate_mask.patch b/package/kernel/mac80211/patches/ath11k/941-ath11k-fix_sleeping-in-atomic_in_ath11k_mac_op_set_bitrate_mask.patch
new file mode 100644
index 0000000000..8340216106
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/941-ath11k-fix_sleeping-in-atomic_in_ath11k_mac_op_set_bitrate_mask.patch
@@ -0,0 +1,67 @@
+From 6bdef22d540258ca06f079f7b6ae100669a19b47 Mon Sep 17 00:00:00 2001
+From: Baochen Qiang <quic_bqiang at quicinc.com>
+Date: Tue, 3 Jun 2025 10:25:28 +0800
+Subject: wifi: ath11k: fix sleeping-in-atomic in
+ ath11k_mac_op_set_bitrate_mask()
+
+[ Upstream commit 65c12b104cb942d588a1a093acc4537fb3d3b129 ]
+
+ath11k_mac_disable_peer_fixed_rate() is passed as the iterator to
+ieee80211_iterate_stations_atomic(). Note in this case the iterator is
+required to be atomic, however ath11k_mac_disable_peer_fixed_rate() does
+not follow it as it might sleep. Consequently below warning is seen:
+
+BUG: sleeping function called from invalid context at wmi.c:304
+Call Trace:
+ <TASK>
+ dump_stack_lvl
+ __might_resched.cold
+ ath11k_wmi_cmd_send
+ ath11k_wmi_set_peer_param
+ ath11k_mac_disable_peer_fixed_rate
+ ieee80211_iterate_stations_atomic
+ ath11k_mac_op_set_bitrate_mask.cold
+
+Change to ieee80211_iterate_stations_mtx() to fix this issue.
+
+Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.30
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Signed-off-by: Baochen Qiang <quic_bqiang at quicinc.com>
+Link: https://patch.msgid.link/20250603-ath11k-use-non-atomic-iterator-v1-1-d75762068d56@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson at oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+(limited to 'drivers/net/wireless/ath/ath11k')
+
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -8740,9 +8740,9 @@ ath11k_mac_op_set_bitrate_mask(struct ie
+ 				    arvif->vdev_id, ret);
+ 			return ret;
+ 		}
+-		ieee80211_iterate_stations_atomic(ar->hw,
+-						  ath11k_mac_disable_peer_fixed_rate,
+-						  arvif);
++		ieee80211_iterate_stations_mtx(ar->hw,
++					       ath11k_mac_disable_peer_fixed_rate,
++					       arvif);
+ 	} else if (ath11k_mac_bitrate_mask_get_single_nss(ar, arvif, band, mask,
+ 							  &single_nss)) {
+ 		rate = WMI_FIXED_RATE_NONE;
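Review bot: ieee80211_iterate_stations_mtx() requires the caller to hold the wiphy mutex (it asserts this under lockdep), so this only resolves the sleeping-in-atomic report if the mac80211 version shipped by the OpenWrt package both exports that helper and invokes set_bitrate_mask under the wiphy lock. Upstream 6.16 mac80211 does both; confirm the same holds for the package's mac80211 base, otherwise the build breaks or lockdep fires where the old atomic iterator merely warned.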
+@@ -8809,9 +8809,9 @@ ath11k_mac_op_set_bitrate_mask(struct ie
+ 		}
+ 
+ 		mutex_lock(&ar->conf_mutex);
+-		ieee80211_iterate_stations_atomic(ar->hw,
+-						  ath11k_mac_disable_peer_fixed_rate,
+-						  arvif);
++		ieee80211_iterate_stations_mtx(ar->hw,
++					       ath11k_mac_disable_peer_fixed_rate,
++					       arvif);
+ 
+ 		arvif->bitrate_mask = *mask;
+ 		ieee80211_iterate_stations_atomic(ar->hw,
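Review bot: the `ieee80211_iterate_stations_atomic(ar->hw,` call left as trailing context is still atomic and its iterator is not visible in the hunk; confirm it is not ath11k_mac_disable_peer_fixed_rate or another callback that issues a WMI command, or the same warning remains on that path. Also note the replacement now runs inside the `mutex_lock(&ar->conf_mutex)` region; that is fine for a sleeping iterator, but each peer's WMI round trip now extends the time conf_mutex is held.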
diff --git a/package/kernel/mac80211/patches/ath11k/942-ath11k-fix_dest_ring-buffer_corruption.patch b/package/kernel/mac80211/patches/ath11k/942-ath11k-fix_dest_ring-buffer_corruption.patch
new file mode 100644
index 0000000000..e477103050
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/942-ath11k-fix_dest_ring-buffer_corruption.patch
@@ -0,0 +1,83 @@
+From 0f708ced89758247f5d2d70def00e7c1c80ff557 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro at kernel.org>
+Date: Wed, 4 Jun 2025 16:34:53 +0200
+Subject: wifi: ath11k: fix dest ring-buffer corruption
+
+commit 8c1ba5091fa9a2d1478da63173b16a701bdf86bb upstream.
+
+Add the missing memory barrier to make sure that destination ring
+descriptors are read after the head pointers to avoid using stale data
+on weakly ordered architectures like aarch64.
+
+The barrier is added to the ath11k_hal_srng_access_begin() helper for
+symmetry with follow-on fixes for source ring buffer corruption which
+will add barriers to ath11k_hal_srng_access_end().
+
+Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable at vger.kernel.org	# 5.6
+Signed-off-by: Johan Hovold <johan+linaro at kernel.org>
+Reviewed-by: Baochen Qiang <quic_bqiang at quicinc.com>
+Link: https://patch.msgid.link/20250604143457.26032-2-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson at oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/ce.c    |  3 ---
+ drivers/net/wireless/ath/ath11k/dp_rx.c |  3 ---
+ drivers/net/wireless/ath/ath11k/hal.c   | 12 +++++++++++-
+ 3 files changed, 11 insertions(+), 7 deletions(-)
+
+(limited to 'drivers/net/wireless/ath/ath11k')
+
+--- a/drivers/net/wireless/ath/ath11k/ce.c
++++ b/drivers/net/wireless/ath/ath11k/ce.c
+@@ -393,9 +393,6 @@ static int ath11k_ce_completed_recv_next
+ 		goto err;
+ 	}
+ 
+-	/* Make sure descriptor is read after the head pointer. */
+-	dma_rmb();
+-
+ 	*nbytes = ath11k_hal_ce_dst_status_get_length(desc);
+ 
+ 	*skb = pipe->dest_ring->skb[sw_index];
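Review bot: removing this dma_rmb() is only correct if ath11k_ce_completed_recv_next() reaches this point via ath11k_hal_srng_access_begin(), which this series makes responsible for the read barrier; the hunk does not show that call, so check that the CE receive path in this tree issues access_begin before fetching the descriptor (the upstream function does, immediately before the dst_get_next_entry that produces `desc`).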
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -2650,9 +2650,6 @@ int ath11k_dp_process_rx(struct ath11k_b
+ try_again:
+ 	ath11k_hal_srng_access_begin(ab, srng);
+ 
+-	/* Make sure descriptor is read after the head pointer. */
+-	dma_rmb();
+-
+ 	while (likely(desc =
+ 	      (struct hal_reo_dest_ring *)ath11k_hal_srng_dst_get_next_entry(ab,
+ 									     srng))) {
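Review bot: no problem here, the dropped barrier is the one now issued by `ath11k_hal_srng_access_begin(ab, srng)` directly above. One subtlety worth keeping in mind for the `try_again` loop: after the hal.c change the barrier only executes when the head pointer has moved, so a retry that sees an unchanged hp reads no descriptors it has not already been ordered against, which is what makes the conditional form safe.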
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -823,13 +823,23 @@ u32 *ath11k_hal_srng_src_peek(struct ath
+ 
+ void ath11k_hal_srng_access_begin(struct ath11k_base *ab, struct hal_srng *srng)
+ {
++	u32 hp;
++
+ 	lockdep_assert_held(&srng->lock);
+ 
+ 	if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
+ 		srng->u.src_ring.cached_tp =
+ 			*(volatile u32 *)srng->u.src_ring.tp_addr;
+ 	} else {
+-		srng->u.dst_ring.cached_hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
++		hp = READ_ONCE(*srng->u.dst_ring.hp_addr);
++
++		if (hp != srng->u.dst_ring.cached_hp) {
++			srng->u.dst_ring.cached_hp = hp;
++			/* Make sure descriptor is read after the head
++			 * pointer.
++			 */
++			dma_rmb();
++		}
+ 
+ 		/* Try to prefetch the next descriptor in the ring */
+ 		if (srng->flags & HAL_SRNG_FLAGS_CACHED)
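Review bot: making the dma_rmb() conditional on `hp != srng->u.dst_ring.cached_hp` is sound (an unchanged head pointer publishes no new descriptors), but it now silently depends on cached_hp never being updated anywhere else without a barrier; a one-line comment next to cached_hp in hal.h stating that invariant would save the next reader a search. Minor: the src branch above still reads tp_addr through a bare `*(volatile u32 *)` cast while this branch uses READ_ONCE(); using the same idiom in both branches would make the ordering contract easier to audit.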
diff --git a/package/kernel/mac80211/patches/ath11k/943-ath11k-fix_source_ring-buffer_corruption.patch b/package/kernel/mac80211/patches/ath11k/943-ath11k-fix_source_ring-buffer_corruption.patch
new file mode 100644
index 0000000000..f9cbe10b6b
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/943-ath11k-fix_source_ring-buffer_corruption.patch
@@ -0,0 +1,56 @@
+From eed5fcf4a3d20fdbd9af2e602eab2b581264822f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro at kernel.org>
+Date: Wed, 4 Jun 2025 16:34:56 +0200
+Subject: wifi: ath11k: fix source ring-buffer corruption
+
+commit 6efa0df54022c6c9fd4d294b87622c7fcdc418c8 upstream.
+
+Add the missing memory barrier to make sure that LMAC source ring
+descriptors are written before updating the head pointer to avoid
+passing stale data to the firmware on weakly ordered architectures like
+aarch64.
+
+Note that non-LMAC rings use MMIO write accessors which have the
+required write memory barrier.
+
+Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable at vger.kernel.org      # 5.6
+Signed-off-by: Johan Hovold <johan+linaro at kernel.org>
+Reviewed-by: Baochen Qiang <quic_bqiang at quicinc.com>
+Link: https://patch.msgid.link/20250604143457.26032-5-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson at oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+(limited to 'drivers/net/wireless/ath/ath11k')
+
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -862,7 +862,11 @@ void ath11k_hal_srng_access_end(struct a
+ 		if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
+ 			srng->u.src_ring.last_tp =
+ 				*(volatile u32 *)srng->u.src_ring.tp_addr;
+-			*srng->u.src_ring.hp_addr = srng->u.src_ring.hp;
++			/* Make sure descriptor is written before updating the
++			 * head pointer.
++			 */
++			dma_wmb();
++			WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
+ 		} else {
+ 			srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
+ 			*srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
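Review bot: dma_wmb() followed by WRITE_ONCE() is the right pair for an LMAC source ring, since hp_addr here is coherent shared memory polled by firmware rather than an MMIO register, so there is no accessor barrier to rely on. The dst branch on the last two lines still does a plain `*srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;`; that is handled by the 944 patch, whose context line expects the WRITE_ONCE added here, so the 943/944 ordering must be preserved if these files are ever renumbered.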
+@@ -871,6 +875,10 @@ void ath11k_hal_srng_access_end(struct a
+ 		if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
+ 			srng->u.src_ring.last_tp =
+ 				*(volatile u32 *)srng->u.src_ring.tp_addr;
++			/* Assume implementation use an MMIO write accessor
++			 * which has the required wmb() so that the descriptor
++			 * is written before the updating the head pointer.
++			 */
+ 			ath11k_hif_write32(ab,
+ 					   (unsigned long)srng->u.src_ring.hp_addr -
+ 					   (unsigned long)ab->mem,
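Review bot: comment-only hunk; the wording ("Assume implementation use an MMIO write accessor", "before the updating the head pointer") has grammar slips that belong upstream rather than in a backport meant to stay verbatim. The claim itself holds as long as ath11k_hif_write32() is built on writel()/iowrite32(), which carry the write-side barrier; a hif implementation using a relaxed accessor would need an explicit dma_wmb() in this branch.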
diff --git a/package/kernel/mac80211/patches/ath11k/944-ath11k-fix_dest_ring-buffer_corruption_when_ring_is_full.patch b/package/kernel/mac80211/patches/ath11k/944-ath11k-fix_dest_ring-buffer_corruption_when_ring_is_full.patch
new file mode 100644
index 0000000000..e0e5348392
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/944-ath11k-fix_dest_ring-buffer_corruption_when_ring_is_full.patch
@@ -0,0 +1,61 @@
+From 6fc2589aae91818dd1183a589ab97d8e5c25364e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan+linaro at kernel.org>
+Date: Wed, 4 Jun 2025 16:34:57 +0200
+Subject: wifi: ath11k: fix dest ring-buffer corruption when ring is full
+
+commit aa6956150f820e6a6deba44be325ddfcb5b10f88 upstream.
+
+Add the missing memory barriers to make sure that destination ring
+descriptors are read before updating the tail pointer (and passing
+ownership to the device) to avoid memory corruption on weakly ordered
+architectures like aarch64 when the ring is full.
+
+Tested-on: WCN6855 hw2.1 WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable at vger.kernel.org      # 5.6
+Signed-off-by: Johan Hovold <johan+linaro at kernel.org>
+Reviewed-by: Baochen Qiang <quic_bqiang at quicinc.com>
+Link: https://patch.msgid.link/20250604143457.26032-6-johan+linaro@kernel.org
+Signed-off-by: Jeff Johnson <jeff.johnson at oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/hal.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+(limited to 'drivers/net/wireless/ath/ath11k')
+
+--- a/drivers/net/wireless/ath/ath11k/hal.c
++++ b/drivers/net/wireless/ath/ath11k/hal.c
+@@ -854,7 +854,6 @@ void ath11k_hal_srng_access_end(struct a
+ {
+ 	lockdep_assert_held(&srng->lock);
+ 
+-	/* TODO: See if we need a write memory barrier here */
+ 	if (srng->flags & HAL_SRNG_FLAGS_LMAC_RING) {
+ 		/* For LMAC rings, ring pointer updates are done through FW and
+ 		 * hence written to a shared memory location that is read by FW
+@@ -869,7 +868,11 @@ void ath11k_hal_srng_access_end(struct a
+ 			WRITE_ONCE(*srng->u.src_ring.hp_addr, srng->u.src_ring.hp);
+ 		} else {
+ 			srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
+-			*srng->u.dst_ring.tp_addr = srng->u.dst_ring.tp;
++			/* Make sure descriptor is read before updating the
++			 * tail pointer.
++			 */
++			dma_mb();
++			WRITE_ONCE(*srng->u.dst_ring.tp_addr, srng->u.dst_ring.tp);
+ 		}
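Review bot: dma_mb() rather than dma_rmb() is the correct choice here even though the comment only mentions reads: the ordering required is earlier descriptor loads before the tail-pointer store, a load-to-store ordering that neither dma_rmb() (load-load) nor dma_wmb() (store-store) provides. Saying so in the comment would stop a later cleanup from "downgrading" it to dma_rmb() to match the access_begin side and reintroducing the corruption.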
+ 	} else {
+ 		if (srng->ring_dir == HAL_SRNG_DIR_SRC) {
+@@ -885,6 +888,10 @@ void ath11k_hal_srng_access_end(struct a
+ 					   srng->u.src_ring.hp);
+ 		} else {
+ 			srng->u.dst_ring.last_hp = *srng->u.dst_ring.hp_addr;
++			/* Make sure descriptor is read before updating the
++			 * tail pointer.
++			 */
++			mb();
+ 			ath11k_hif_write32(ab,
+ 					   (unsigned long)srng->u.dst_ring.tp_addr -
+ 					   (unsigned long)ab->mem,
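Review bot: the full mb() instead of dma_mb() is deliberate and should be explained in the comment: the tail pointer goes out through ath11k_hif_write32(), an MMIO write, and the barrier built into writel()-style accessors (dma_wmb() on arm64, for example) only orders earlier stores, not the earlier descriptor loads this path needs to complete first. A note along the lines of "loads before the MMIO store" would keep someone from swapping in the lighter dma_rmb().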
diff --git a/package/kernel/mac80211/patches/ath11k/945-ath11k-fix_group_data_packet_drops_during_rekey.patch b/package/kernel/mac80211/patches/ath11k/945-ath11k-fix_group_data_packet_drops_during_rekey.patch
new file mode 100644
index 0000000000..b7b66ef5da
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/945-ath11k-fix_group_data_packet_drops_during_rekey.patch
@@ -0,0 +1,237 @@
+From 9a394fd149502394c20dc2ebecb8acfde6f6aeac Mon Sep 17 00:00:00 2001
+From: Rameshkumar Sundaram <rameshkumar.sundaram at oss.qualcomm.com>
+Date: Sun, 10 Aug 2025 22:30:18 +0530
+Subject: wifi: ath11k: fix group data packet drops during rekey
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+[ Upstream commit 97acb0259cc9cbfbd7ab689e25684f3d8ce10e26 ]
+
+During GTK rekey, mac80211 issues a clear key (if the old key exists)
+followed by an install key operation in the same context. This causes
+ath11k to send two WMI commands in quick succession: one to clear the
+old key and another to install the new key in the same slot.
+
+Under certain conditions—especially under high load or time sensitive
+scenarios, firmware may process these commands asynchronously in a way
+that firmware assumes the key is cleared whereas hardware has a valid key.
+This inconsistency between hardware and firmware leads to group addressed
+packet drops. Only setting the same key again can restore a valid key in
+firmware and allow packets to be transmitted.
+
+This issue remained latent because the host's clear key commands were
+not effective in firmware until commit 436a4e886598 ("ath11k: clear the
+keys properly via DISABLE_KEY"). That commit enabled the host to
+explicitly clear group keys, which inadvertently exposed the race.
+
+To mitigate this, restrict group key clearing across all modes (AP, STA,
+MESH). During rekey, the new key can simply be set on top of the previous
+one, avoiding the need for a clear followed by a set.
+
+However, in AP mode specifically, permit group key clearing when no
+stations are associated. This exception supports transitions from secure
+modes (e.g., WPA2/WPA3) to open mode, during which all associated peers
+are removed and the group key is cleared as part of the transition.
+
+Add a per-BSS station counter to track the presence of stations during
+set key operations. Also add a reset_group_keys flag to track the key
+re-installation state and avoid repeated installation of the same key
+when the number of connected stations transitions to non-zero within a
+rekey period.
+
+Additionally, for AP and Mesh modes, when the first station associates,
+reinstall the same group key that was last set. This ensures that the
+firmware recovers from any race that may have occurred during a previous
+key clear when no stations were associated.
+
+This change ensures that key clearing is permitted only when no clients
+are connected, avoiding packet loss while enabling dynamic security mode
+transitions.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.9.0.1-02146-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
+
+Reported-by: Steffen Moser <lists at steffen-moser.de>
+Closes: https://lore.kernel.org/linux-wireless/c6366409-9928-4dd7-bf7b-ba7fcf20eabf@steffen-moser.de
+Fixes: 436a4e886598 ("ath11k: clear the keys properly via DISABLE_KEY")
+Signed-off-by: Rameshkumar Sundaram <rameshkumar.sundaram at oss.qualcomm.com>
+Tested-by: Nicolas Escande <nico.escande at gmail.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan at oss.qualcomm.com>
+Link: https://patch.msgid.link/20250810170018.1124014-1-rameshkumar.sundaram@oss.qualcomm.com
+Signed-off-by: Jeff Johnson <jeff.johnson at oss.qualcomm.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ drivers/net/wireless/ath/ath11k/core.h |   2 +
+ drivers/net/wireless/ath/ath11k/mac.c  | 111 ++++++++++++++++++++++++++++++---
+ 2 files changed, 104 insertions(+), 9 deletions(-)
+
+(limited to 'drivers/net/wireless/ath/ath11k')
+
+--- a/drivers/net/wireless/ath/ath11k/core.h
++++ b/drivers/net/wireless/ath/ath11k/core.h
+@@ -414,6 +414,8 @@ struct ath11k_vif {
+ 	bool do_not_send_tmpl;
+ 	struct ath11k_arp_ns_offload arp_ns_offload;
+ 	struct ath11k_rekey_data rekey_data;
++	u32 num_stations;
++	bool reinstall_group_keys;
+ 
+ 	struct ath11k_reg_tpc_power_info reg_tpc_info;
+ 
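Review bot: the two new fields are undocumented, and one is named differently in the commit message (`reset_group_keys` there, `reinstall_group_keys` here). Add a short comment in the struct saying that num_stations counts peers associated on this vif (the per-radio ar->num_stations already exists, so the distinction is easy to miss) and that reinstall_group_keys is set only when a group key was installed on an AP vif with no stations, to be replayed on the first association.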
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -4317,6 +4317,40 @@ static int ath11k_clear_peer_keys(struct
+ 	return first_errno;
+ }
+ 
++static int ath11k_set_group_keys(struct ath11k_vif *arvif)
++{
++	struct ath11k *ar = arvif->ar;
++	struct ath11k_base *ab = ar->ab;
++	const u8 *addr = arvif->bssid;
++	int i, ret, first_errno = 0;
++	struct ath11k_peer *peer;
++
++	spin_lock_bh(&ab->base_lock);
++	peer = ath11k_peer_find(ab, arvif->vdev_id, addr);
++	spin_unlock_bh(&ab->base_lock);
++
++	if (!peer)
++		return -ENOENT;
++
++	for (i = 0; i < ARRAY_SIZE(peer->keys); i++) {
++		struct ieee80211_key_conf *key = peer->keys[i];
++
++		if (!key || (key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
++			continue;
++
++		ret = ath11k_install_key(arvif, key, SET_KEY, addr,
++					 WMI_KEY_GROUP);
++		if (ret < 0 && first_errno == 0)
++			first_errno = ret;
++
++		if (ret < 0)
++			ath11k_warn(ab, "failed to set group key of idx %d for vdev %d: %d\n",
++				    i, arvif->vdev_id, ret);
++	}
++
++	return first_errno;
++}
++
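Review bot: peer->keys[] is walked after base_lock has been dropped, while the existing set_key path updates that array under base_lock (see the `spin_lock_bh(&ab->base_lock)` block further down in this file). Since ath11k_install_key() sleeps on the WMI completion the spinlock cannot be held across it, so what actually keeps `peer` alive and keys[] stable here is the caller's conf_mutex; a `lockdep_assert_held(&ar->conf_mutex)` at the top of the function would document that assumption. Also note this path does not re-run ath11k_dp_peer_rx_pn_replay_config(); that is fine because the PN state was configured by the original SET_KEY, but a comment saying so avoids the question on the next review.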
+ static int ath11k_mac_op_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
+ 				 struct ieee80211_vif *vif, struct ieee80211_sta *sta,
+ 				 struct ieee80211_key_conf *key)
+@@ -4326,6 +4360,7 @@ static int ath11k_mac_op_set_key(struct
+ 	struct ath11k_vif *arvif = ath11k_vif_to_arvif(vif);
+ 	struct ath11k_peer *peer;
+ 	struct ath11k_sta *arsta;
++	bool is_ap_with_no_sta;
+ 	const u8 *peer_addr;
+ 	int ret = 0;
+ 	u32 flags = 0;
+@@ -4386,16 +4421,57 @@ static int ath11k_mac_op_set_key(struct
+ 	else
+ 		flags |= WMI_KEY_GROUP;
+ 
+-	ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
+-	if (ret) {
+-		ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
+-		goto exit;
+-	}
++	ath11k_dbg(ar->ab, ATH11K_DBG_MAC,
++		   "%s for peer %pM on vdev %d flags 0x%X, type = %d, num_sta %d\n",
++		   cmd == SET_KEY ? "SET_KEY" : "DEL_KEY", peer_addr, arvif->vdev_id,
++		   flags, arvif->vdev_type, arvif->num_stations);
++
++	/* Allow group key clearing only in AP mode when no stations are
++	 * associated. There is a known race condition in firmware where
++	 * group addressed packets may be dropped if the key is cleared
++	 * and immediately set again during rekey.
++	 *
++	 * During GTK rekey, mac80211 issues a clear key (if the old key
++	 * exists) followed by an install key operation for same key
++	 * index. This causes ath11k to send two WMI commands in quick
++	 * succession: one to clear the old key and another to install the
++	 * new key in the same slot.
++	 *
++	 * Under certain conditions—especially under high load or time
++	 * sensitive scenarios, firmware may process these commands
++	 * asynchronously in a way that firmware assumes the key is
++	 * cleared whereas hardware has a valid key. This inconsistency
++	 * between hardware and firmware leads to group addressed packet
++	 * drops after rekey.
++	 * Only setting the same key again can restore a valid key in
++	 * firmware and allow packets to be transmitted.
++	 *
++	 * There is a use case where an AP can transition from Secure mode
++	 * to open mode without a vdev restart by just deleting all
++	 * associated peers and clearing key, Hence allow clear key for
++	 * that case alone. Mark arvif->reinstall_group_keys in such cases
++	 * and reinstall the same key when the first peer is added,
++	 * allowing firmware to recover from the race if it had occurred.
++	 */
+ 
+-	ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key);
+-	if (ret) {
+-		ath11k_warn(ab, "failed to offload PN replay detection %d\n", ret);
+-		goto exit;
++	is_ap_with_no_sta = (vif->type == NL80211_IFTYPE_AP &&
++			     !arvif->num_stations);
++	if ((flags & WMI_KEY_PAIRWISE) || cmd == SET_KEY || is_ap_with_no_sta) {
++		ret = ath11k_install_key(arvif, key, cmd, peer_addr, flags);
++		if (ret) {
++			ath11k_warn(ab, "ath11k_install_key failed (%d)\n", ret);
++			goto exit;
++		}
++
++		ret = ath11k_dp_peer_rx_pn_replay_config(arvif, peer_addr, cmd, key);
++		if (ret) {
++			ath11k_warn(ab, "failed to offload PN replay detection %d\n",
++				    ret);
++			goto exit;
++		}
++
++		if ((flags & WMI_KEY_GROUP) && cmd == SET_KEY && is_ap_with_no_sta)
++			arvif->reinstall_group_keys = true;
+ 	}
+ 
+ 	spin_lock_bh(&ab->base_lock);
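Review bot: the exception is gated on `vif->type == NL80211_IFTYPE_AP` only, yet the commit text says the first-station reinstall covers "AP and Mesh modes"; for a mesh vif `is_ap_with_no_sta` is always false, so a group-key DISABLE_KEY is never sent and `reinstall_group_keys` is never set, which means the reinstall in station_add can never fire for mesh. If that is intended, the commit message should say mesh simply never clears group keys; if not, the condition needs NL80211_IFTYPE_MESH_POINT as well. Two smaller points: when the clear is skipped the function still returns 0, so mac80211 believes the old GTK is gone while firmware keeps using it until the SET_KEY arrives, which is the accepted trade-off but deserves a sentence in the block comment; and `ath11k_dbg(ar->ab, ...)` could use the local `ab` like the rest of the function.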
+@@ -4994,6 +5070,7 @@ static int ath11k_mac_inc_num_stations(s
+ 		return -ENOBUFS;
+ 
+ 	ar->num_stations++;
++	arvif->num_stations++;
+ 
+ 	return 0;
+ }
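Review bot: arvif->num_stations is bumped alongside ar->num_stations and so inherits that counter's locking; ath11k_mac_op_set_key reads it to decide whether a group-key clear may be sent, so that read must happen under the same lock (conf_mutex), otherwise a station associating concurrently can slip in between the check and the WMI command and end up attached to a vif whose group key was just cleared, which is exactly the situation the patch is trying to avoid.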
+@@ -5009,6 +5086,7 @@ static void ath11k_mac_dec_num_stations(
+ 		return;
+ 
+ 	ar->num_stations--;
++	arvif->num_stations--;
+ }
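Review bot: the decrement is unconditional once the early return above is passed, and `num_stations` is a u32 with no underflow guard, so any inc/dec imbalance on a vif wraps it to 0xffffffff and permanently disables both the no-station exception and the first-station reinstall (which tests `== 1`). The per-radio counter has the same property, but this new one now drives key handling, so a `WARN_ON_ONCE(!arvif->num_stations)` before the decrement would be cheap insurance.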
+ 
+ static u32 ath11k_mac_ieee80211_sta_bw_to_wmi(struct ath11k *ar,
+@@ -9536,6 +9614,21 @@ static int ath11k_mac_station_add(struct
+ 		goto exit;
+ 	}
+ 
++	/* Driver allows the DEL KEY followed by SET KEY sequence for
++	 * group keys for only when there is no clients associated, if at
++	 * all firmware has entered the race during that window,
++	 * reinstalling the same key when the first sta connects will allow
++	 * firmware to recover from the race.
++	 */
++	if (arvif->num_stations == 1 && arvif->reinstall_group_keys) {
++		ath11k_dbg(ab, ATH11K_DBG_MAC, "set group keys on 1st station add for vdev %d\n",
++			   arvif->vdev_id);
++		ret = ath11k_set_group_keys(arvif);
++		if (ret)
++			goto dec_num_station;
++		arvif->reinstall_group_keys = false;
++	}
++
+ 	arsta->rx_stats = kzalloc(sizeof(*arsta->rx_stats), GFP_KERNEL);
+ 	if (!arsta->rx_stats) {
+ 		ret = -ENOMEM;
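Review bot: a failure in ath11k_set_group_keys() jumps to dec_num_station and fails the entire station add, so if firmware ever rejects the reinstall on the first association the AP becomes unjoinable until the next key change. Since the reinstall is a recovery measure for a firmware race rather than a precondition for the station, warning and continuing (leaving reinstall_group_keys set so the next association retries) may be the safer behaviour. Also, the `== 1` test relies on ath11k_mac_inc_num_stations() having already run, which the `goto dec_num_station` confirms, but a comment saying so would stop someone reordering the calls.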
diff --git a/package/kernel/mac80211/patches/ath11k/946-ath11k-fix_NULL_dereference_in_ath11k_qmi_m3_load.patch b/package/kernel/mac80211/patches/ath11k/946-ath11k-fix_NULL_dereference_in_ath11k_qmi_m3_load.patch
new file mode 100644
index 0000000000..258a94c8b7
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/946-ath11k-fix_NULL_dereference_in_ath11k_qmi_m3_load.patch
@@ -0,0 +1,40 @@
+From 888830b2cbc035838bebefe94502976da94332a5 Mon Sep 17 00:00:00 2001
+From: Matvey Kovalev <matvey.kovalev at ispras.ru>
+Date: Wed, 17 Sep 2025 22:20:01 +0300
+Subject: wifi: ath11k: fix NULL dereference in ath11k_qmi_m3_load()
+
+commit 3fd2ef2ae2b5c955584a3bee8e83ae7d7a98f782 upstream.
+
+If ab->fw.m3_data points to data, then fw pointer remains null.
+Further, if m3_mem is not allocated, then fw is dereferenced to be
+passed to ath11k_err function.
+
+Replace fw->size by m3_len.
+
+Found by Linux Verification Center (linuxtesting.org) with SVACE.
+
+Fixes: 7db88b962f06 ("wifi: ath11k: add firmware-2.bin support")
+Cc: stable at vger.kernel.org
+Signed-off-by: Matvey Kovalev <matvey.kovalev at ispras.ru>
+Reviewed-by: Baochen Qiang <baochen.qiang at oss.qualcomm.com>
+Reviewed-by: Vasanthakumar Thiagarajan <vasanthakumar.thiagarajan at oss.qualcomm.com>
+Link: https://patch.msgid.link/20250917192020.1340-1-matvey.kovalev@ispras.ru
+Signed-off-by: Jeff Johnson <jeff.johnson at oss.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath11k/qmi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+(limited to 'drivers/net/wireless/ath/ath11k')
+
+--- a/drivers/net/wireless/ath/ath11k/qmi.c
++++ b/drivers/net/wireless/ath/ath11k/qmi.c
+@@ -2576,7 +2576,7 @@ static int ath11k_qmi_m3_load(struct ath
+ 					   GFP_KERNEL);
+ 	if (!m3_mem->vaddr) {
+ 		ath11k_err(ab, "failed to allocate memory for M3 with size %zu\n",
+-			   fw->size);
++			   m3_len);
+ 		ret = -ENOMEM;
+ 		goto out;
+ 	}
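Review bot: the substitution is correct, since `fw` stays NULL when the M3 image came from ab->fw.m3_data (firmware-2.bin) and was only dereferenced in this error message; the allocation just above already uses m3_len, so the message now reports the size that actually failed. Worth a quick scan of the rest of the function for other `fw->` uses on the error path; release_firmware() tolerates a NULL pointer, so the `out:` cleanup itself is fine.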



