[PATCH 14/16] carl9170: main: guard op_config and bss_info_changed against non-STARTED state

[PATCH 14/16] carl9170: main: guard op_config and bss_info_changed against non-STARTED state

[Masi Osmani]

During driver deregistration (USB unbind or restart), mac80211 calls
carl9170_op_config() and carl9170_op_bss_info_changed() which write
hardware registers such as AR9170_MAC_REG_SLOT_TIME (0x1c36f0) via
carl9170_set_slot_time().  At this point the firmware is already dead:
carl9170_restart() has transitioned the state machine from STARTED to
IDLE, and IS_ACCEPTING_CMD() returns true for IDLE (state >= IDLE),
so the USB command is attempted but times out with -EIO:

  ieee80211 phy31: writing reg 0x1c36f0 (val 0x2400) failed (-5)
  ieee80211 phy31: writing reg 0x1c36f0 (val 0x5000) failed (-5)

When wavemon or NetworkManager trigger rapid USB unbind/rebind
recovery cycles, each deregistration produces these -EIO errors.
Over 30+ cycles this exhausts mac80211 resources and causes a
kernel panic.

Add early returns if !IS_STARTED(ar) to both carl9170_op_config()
and carl9170_op_bss_info_changed() to prevent all hardware register
writes when the device is not fully operational.

Signed-off-by: Masi Osmani <mas-i@hotmail.de>
---
 drivers/net/wireless/ath/carl9170/main.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c
index dcedcb1..a1b2c3d 100644
--- a/drivers/net/wireless/ath/carl9170/main.c
+++ b/drivers/net/wireless/ath/carl9170/main.c
@@ -926,6 +926,13 @@ static int carl9170_op_config(struct ieee80211_hw *hw, int radio_idx, u32 change
 	struct ar9170 *ar = hw->priv;
 	int err = 0;

+	/*
+	 * All register writes below require running firmware.
+	 * Bail out early during teardown or restart (state != STARTED).
+	 */
+	if (!IS_STARTED(ar))
+		return 0;
+
 	mutex_lock(&ar->mutex);
 	if (changed & IEEE80211_CONF_CHANGE_LISTEN_INTERVAL) {
 		/* TODO */
@@ -1077,6 +1084,13 @@ static void carl9170_op_bss_info_changed(struct ieee80211_hw *hw,
 	struct carl9170_vif_info *vif_priv;
 	struct ieee80211_vif *main_vif;

+	/*
+	 * All register writes below require running firmware.
+	 * Bail out early during teardown or restart (state != STARTED).
+	 */
+	if (!IS_STARTED(ar))
+		return;
+
 	mutex_lock(&ar->mutex);
 	vif_priv = (void *) vif->drv_priv;
 	main_vif = carl9170_get_main_vif(ar);
--
2.51.0

[PATCH 15/16] carl9170: phy: warm BB reset and same-channel no-op

[Masi Osmani]

Three optimizations to carl9170_set_channel():

1. Same-channel no-op: return immediately if already on the
   requested channel and bandwidth. mac80211 sometimes sends
   redundant channel change requests.

2. Same-band warm BB reset: use AR9170_PWR_RESET_BB_WARM_RESET
   (BIT 10) instead of BB_COLD_RESET (BIT 11) for channel
   changes within the same band and HT mode. Warm reset
   preserves PHY state, skipping init_phy (20+ register writes)
   and init_rf_banks_0_7. Cross-band switches still use cold
   reset with full RF re-init.

3. Post-restart guard: null ar->channel and ar->chan_fail in
   carl9170_restart_work() to force cold reset after crash.

This replaces the previous cross-band scan skip approach
(BUG-003) which blocked all 5 GHz scanning while associated
on 2.4 GHz. The warm BB reset provides sufficient protection
against AGC calibration timeouts without preventing cross-band
scans.

Signed-off-by: Masi Osmani <mas-i@hotmail.de>
---
--- a/drivers/net/wireless/ath/carl9170/phy.c	2026-03-16 12:31:43.146715685 +0100
+++ b/drivers/net/wireless/ath/carl9170/phy.c	2026-03-16 12:32:14.020745785 +0100
@@ -1779,27 +1779,49 @@ int carl9170_set_channel(struct ar9170 *
 	/* may be NULL at first setup */
 	if (ar->channel) {
 		old_channel = ar->channel;
+
+		/* No-op if already on the requested channel and bandwidth */
+		if (old_channel == channel && ar->ht_settings == new_ht)
+			return 0;
+
 		ar->channel = NULL;
 	}
 
-	/* cold reset BB/ADDA */
-	err = carl9170_write_reg(ar, AR9170_PWR_REG_RESET,
-				 AR9170_PWR_RESET_BB_COLD_RESET);
-	if (err)
-		return err;
+	/*
+	 * Same-band warm path (inspired by ath9k FastCC):
+	 * Use warm BB reset to preserve PHY state, skipping
+	 * init_phy (20+ reg writes) and init_rf_banks_0_7.
+	 * Cold reset for first setup, cross-band, HT changes.
+	 */
+	if (old_channel && old_channel->band == channel->band &&
+	    ar->ht_settings == new_ht) {
+		err = carl9170_write_reg(ar, AR9170_PWR_REG_RESET,
+					 AR9170_PWR_RESET_BB_WARM_RESET);
+		if (err)
+			return err;
 
-	err = carl9170_write_reg(ar, AR9170_PWR_REG_RESET, 0x0);
-	if (err)
-		return err;
+		err = carl9170_write_reg(ar, AR9170_PWR_REG_RESET, 0x0);
+		if (err)
+			return err;
+	} else {
+		err = carl9170_write_reg(ar, AR9170_PWR_REG_RESET,
+					 AR9170_PWR_RESET_BB_COLD_RESET);
+		if (err)
+			return err;
 
-	err = carl9170_init_phy(ar, channel->band);
-	if (err)
-		return err;
+		err = carl9170_write_reg(ar, AR9170_PWR_REG_RESET, 0x0);
+		if (err)
+			return err;
 
-	err = carl9170_init_rf_banks_0_7(ar,
-					 channel->band == NL80211_BAND_5GHZ);
-	if (err)
-		return err;
+		err = carl9170_init_phy(ar, channel->band);
+		if (err)
+			return err;
+
+		err = carl9170_init_rf_banks_0_7(ar,
+						 channel->band == NL80211_BAND_5GHZ);
+		if (err)
+			return err;
+	}
 
 	err = carl9170_exec_cmd(ar, CARL9170_CMD_FREQ_START, 0, NULL, 0, NULL);
 	if (err)
--- a/drivers/net/wireless/ath/carl9170/main.c	2026-03-16 12:31:43.148358482 +0100
+++ b/drivers/net/wireless/ath/carl9170/main.c	2026-03-16 12:32:14.025829134 +0100
@@ -355,6 +355,8 @@ static int carl9170_op_start(struct ieee
 	/* "The first key is unique." */
 	ar->usedkeys = 1;
 	ar->filter_state = 0;
+	ar->channel = NULL;
+	ar->chan_fail = 0;
 	ar->ps.last_action = jiffies;
 	ar->ps.last_slept = jiffies;
 	ar->erp_mode = CARL9170_ERP_AUTO;
@@ -474,6 +476,8 @@ static void carl9170_restart_work(struct
 
 	ar->usedkeys = 0;
 	ar->filter_state = 0;
+	ar->channel = NULL;
+	ar->chan_fail = 0;
 	carl9170_cancel_worker(ar);
 
 	mutex_lock(&ar->mutex);

[PATCH 16/16] carl9170: cmd: downgrade transient register I/O errors to wiphy_dbg

[Masi Osmani]

Register read/write failures during deauth/teardown transitions are
harmless — mac80211 tries to read survey stats or write slot_time
while the firmware is in a transitional state.  The command times
out with -EIO but the adapter recovers and re-authenticates normally.

Downgrade both "writing reg ... failed" and "reading regs failed"
from wiphy_err to wiphy_dbg to reduce dmesg noise.  The errors are
still visible with dynamic debug enabled for investigation.

Signed-off-by: Masi Osmani <mas-i@hotmail.de>
---
 drivers/net/wireless/ath/carl9170/cmd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/ath/carl9170/cmd.c b/drivers/net/wireless/ath/carl9170/cmd.c
--- a/drivers/net/wireless/ath/carl9170/cmd.c
+++ b/drivers/net/wireless/ath/carl9170/cmd.c
@@ -52,7 +52,7 @@
 				(u8 *) buf, 0, NULL);
 	if (err) {
 		if (net_ratelimit()) {
-			wiphy_err(ar->hw->wiphy, "writing reg %#x "
+			wiphy_dbg(ar->hw->wiphy, "writing reg %#x "
 				"(val %#x) failed (%d)\n", reg, val, err);
 		}
 	}
@@ -78,7 +78,7 @@
 				4 * nregs, (u8 *)res);
 	if (err) {
 		if (net_ratelimit()) {
-			wiphy_err(ar->hw->wiphy, "reading regs failed (%d)\n",
+			wiphy_dbg(ar->hw->wiphy, "reading regs failed (%d)\n",
 				  err);
 		}
 		return err;

Re: [PATCH 14/16] carl9170: main: guard op_config and bss_info_changed against non-STARTED state

[Christian Lamparter]

On 3/17/26 12:06 PM, Masi Osmani wrote:
> When wavemon or NetworkManager trigger rapid USB unbind/rebind
> recovery cycles, each deregistration produces these -EIO errors.
> Over 30+ cycles this exhausts mac80211 resources and causes a
> kernel panic.

Resources exhaustion? Kernel Panic? This does sound like an embedded device!

Have you checked for leaks? ( https://docs.kernel.org/dev-tools/kmemleak.html )
Can you please post such a panic? You could be looking at as of yet undiscovered,
bonafide bug.... that needs squashing.

Regards,
Christian

Re: [PATCH 16/16] carl9170: cmd: downgrade transient register I/O errors to wiphy_dbg

[Christian Lamparter]

On 3/17/26 12:06 PM, Masi Osmani wrote:
> Register read/write failures during deauth/teardown transitions are
> harmless — mac80211 tries to read survey stats or write slot_time
> while the firmware is in a transitional state.  The command times
> out with -EIO but the adapter recovers and re-authenticates normally.
> 
> Downgrade both "writing reg ... failed" and "reading regs failed"
> from wiphy_err to wiphy_dbg to reduce dmesg noise.  The errors are
> still visible with dynamic debug enabled for investigation.


Sure

Acked-By: Christian Lamparter <chunkeey@gmail.com>

> 
> Signed-off-by: Masi Osmani <mas-i@hotmail.de>
> ---
>   drivers/net/wireless/ath/carl9170/cmd.c | 4 ++--
>   1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/net/wireless/ath/carl9170/cmd.c b/drivers/net/wireless/ath/carl9170/cmd.c
> --- a/drivers/net/wireless/ath/carl9170/cmd.c
> +++ b/drivers/net/wireless/ath/carl9170/cmd.c
> @@ -52,7 +52,7 @@
>   				(u8 *) buf, 0, NULL);
>   	if (err) {
>   		if (net_ratelimit()) {
> -			wiphy_err(ar->hw->wiphy, "writing reg %#x "
> +			wiphy_dbg(ar->hw->wiphy, "writing reg %#x "
>   				"(val %#x) failed (%d)\n", reg, val, err);
>   		}
>   	}
> @@ -78,7 +78,7 @@
>   				4 * nregs, (u8 *)res);
>   	if (err) {
>   		if (net_ratelimit()) {
> -			wiphy_err(ar->hw->wiphy, "reading regs failed (%d)\n",
> +			wiphy_dbg(ar->hw->wiphy, "reading regs failed (%d)\n",
>   				  err);
>   		}
>   		return err;