* [PATCH wireless v3 1/3] wifi: mt76: initialize hw_key_idx2 in mt76_wcid_init
From: Joshua Klinesmith @ 2026-04-07 5:39 UTC (permalink / raw)
To: linux-wireless
Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
Joshua Klinesmith
In-Reply-To: <20260407053917.75898-1-joshuaklinesmith@gmail.com>
hw_key_idx is initialized to -1 (0xFF, meaning "no key") in
mt76_wcid_init(), but hw_key_idx2 (used for AES-CMAC/BIGTK key
tracking) is left at the kzalloc default of 0. This makes the
two key index slots inconsistent: code that checks whether all
group keys have been removed cannot use a uniform "== (u8)-1"
test on both slots.
Initialize hw_key_idx2 to -1 alongside hw_key_idx so both use
the same "no key installed" sentinel. This does not change
runtime behavior since all existing consumers compare
hw_key_idx2 against explicit key indices (6 or 7) which are
distinct from both 0 and 0xFF.
Fixes: 730d6d0da8d8 ("mt76: mt7615: fix key set/delete issues")
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mac80211.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index 75772979f438..5eea3b4f27dc 100644
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -1690,6 +1690,7 @@ EXPORT_SYMBOL_GPL(mt76_sta_pre_rcu_remove);
void mt76_wcid_init(struct mt76_wcid *wcid, u8 band_idx)
{
wcid->hw_key_idx = -1;
+ wcid->hw_key_idx2 = -1;
wcid->phy_idx = band_idx;
INIT_LIST_HEAD(&wcid->tx_list);
--
2.43.0
^ permalink raw reply related
* [PATCH wireless v3 0/3] wifi: mt76: clear cipher state on key removal for WED offload
From: Joshua Klinesmith @ 2026-04-07 5:39 UTC (permalink / raw)
To: linux-wireless
Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
Joshua Klinesmith
Clear stale BSS cipher on group key removal so WED-offloaded
plaintext traffic is not dropped after switching from encrypted
to open/no-encryption mode.
Changes since v2:
- New patch 1/3: initialize hw_key_idx2 to -1 in mt76_wcid_init()
for consistent "no key" sentinel on both key index slots.
- Guard cipher clearing on both hw_key_idx == (u8)-1 AND
hw_key_idx2 == (u8)-1, so that GTK rotation (new key installed
before old removed) and BIGTK removal while another group key
is active do not trigger a premature zero-cipher BSS update.
Changes since v1:
- Rebased on current wireless tree.
Joshua Klinesmith (3):
wifi: mt76: initialize hw_key_idx2 in mt76_wcid_init
wifi: mt76: mt7915: clear cipher state on key removal for WED offload
wifi: mt76: mt7996: clear cipher state on key removal for WED offload
drivers/net/wireless/mediatek/mt76/mac80211.c | 1 +
.../net/wireless/mediatek/mt76/mt7915/main.c | 13 +++++++++++
.../net/wireless/mediatek/mt76/mt7996/main.c | 23 ++++++++++++++++---
3 files changed, 34 insertions(+), 3 deletions(-)
--
2.43.0
^ permalink raw reply
* [PATCH wireless v2 2/2] wifi: mt76: mt7996: validate WCID index before WTBL lookup
From: Joshua Klinesmith @ 2026-04-07 5:39 UTC (permalink / raw)
To: linux-wireless
Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
Joshua Klinesmith, stable
In-Reply-To: <20260407053903.75861-1-joshuaklinesmith@gmail.com>
Same class of bug as mt7915: the mt7996 driver does not validate
WCID indices from TX free events or TX status reports before
WTBL lookups. An out-of-range WCID causes invalid MMIO accesses
leading to a kernel data abort.
Add bounds checks in mt7996_mac_tx_free() and
mt7996_mac_add_txs() to match the pattern used by mt7615,
mt7921, and mt7925 drivers.
Additionally, clear the carried wcid and link_sta state when
a WCID pair lookup fails (either out of range or not a station),
so that subsequent header and MSDU entries in the same TX free
event do not attribute statistics or free tokens against a stale
WCID from a previous pair.
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index 3d9648fb6773..f962ad398e04 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -1248,9 +1248,16 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len)
u16 idx;
idx = FIELD_GET(MT_TXFREE_INFO_WLAN_ID, info);
+ if (idx >= mt7996_wtbl_size(dev)) {
+ wcid = NULL;
+ link_sta = NULL;
+ goto next;
+ }
+
wcid = mt76_wcid_ptr(dev, idx);
sta = wcid_to_sta(wcid);
if (!sta) {
+ wcid = NULL;
link_sta = NULL;
goto next;
}
@@ -1482,6 +1489,9 @@ static void mt7996_mac_add_txs(struct mt7996_dev *dev, void *data)
u8 pid;
wcidx = le32_get_bits(txs_data[2], MT_TXS2_WCID);
+ if (wcidx >= mt7996_wtbl_size(dev))
+ return;
+
pid = le32_get_bits(txs_data[3], MT_TXS3_PID);
if (pid < MT_PACKET_ID_NO_SKB)
--
2.43.0
^ permalink raw reply related
* [PATCH wireless v2 1/2] wifi: mt76: mt7915: validate WCID index before WTBL lookup
From: Joshua Klinesmith @ 2026-04-07 5:39 UTC (permalink / raw)
To: linux-wireless
Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
Joshua Klinesmith, stable
In-Reply-To: <20260407053903.75861-1-joshuaklinesmith@gmail.com>
The mt7915 driver does not validate WCID indices extracted from
hardware TX free events and TX status reports before using them
for WTBL MMIO register accesses. The hardware WCID field is 10
bits wide (max 1023) but actual WTBL capacity is only 288
(MT7915) or 544 (MT7916). An out-of-range index causes
mt7915_mac_wtbl_lmac_addr() to compute an invalid MMIO address,
leading to a kernel data abort:
Unable to handle kernel paging request at virtual address
ffffff88d5ab0010
The mt7615, mt7921, and mt7925 drivers already validate WCID
indices against their WTBL size before use. Add the same bounds
checks in mt7915_mac_tx_free() and mt7915_mac_add_txs().
Additionally, when a WCID pair lookup in the TX free path
resolves to a valid WCID that is not a station (wcid_to_sta()
returns NULL), or the WCID index is out of range, clear both
wcid and sta so that subsequent non-pair MSDU entries do not
attribute TX statistics or pass a stale station pointer to
mt76_connac2_txwi_free().
Fixes: c17780e7b21e ("mt76: mt7915: add txfree event v3")
Cc: stable@vger.kernel.org
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index 2f307c4caff1..19435f3c6fa5 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -913,10 +913,19 @@ mt7915_mac_tx_free(struct mt7915_dev *dev, void *data, int len)
u16 idx;
idx = FIELD_GET(MT_TX_FREE_WLAN_ID, info);
+ if (idx >= mt7915_wtbl_size(dev)) {
+ wcid = NULL;
+ sta = NULL;
+ continue;
+ }
+
wcid = mt76_wcid_ptr(dev, idx);
sta = wcid_to_sta(wcid);
- if (!sta)
+ if (!sta) {
+ wcid = NULL;
+ sta = NULL;
continue;
+ }
msta = container_of(wcid, struct mt7915_sta, wcid);
mt76_wcid_add_poll(&dev->mt76, &msta->wcid);
@@ -1004,6 +1013,9 @@ static void mt7915_mac_add_txs(struct mt7915_dev *dev, void *data)
u8 pid;
wcidx = le32_get_bits(txs_data[2], MT_TXS2_WCID);
+ if (wcidx >= mt7915_wtbl_size(dev))
+ return;
+
pid = le32_get_bits(txs_data[3], MT_TXS3_PID);
if (pid < MT_PACKET_ID_WED)
--
2.43.0
^ permalink raw reply related
* [PATCH wireless v2 0/2] wifi: mt76: validate WCID index before WTBL lookup
From: Joshua Klinesmith @ 2026-04-07 5:39 UTC (permalink / raw)
To: linux-wireless
Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
Joshua Klinesmith
Validate WCID indices from TX free events and TX status reports
before WTBL lookups in mt7915 and mt7996, matching the bounds
checks already present in mt7615/mt7921/mt7925 drivers.
Changes since v1:
- When a pair lookup fails (out-of-range or non-station WCID),
also clear the carried wcid/sta/link_sta state so that
subsequent non-pair MSDU and header entries in the same TX free
event do not attribute statistics or pass a stale station
pointer to mt76_connac2_txwi_free().
Joshua Klinesmith (2):
wifi: mt76: mt7915: validate WCID index before WTBL lookup
wifi: mt76: mt7996: validate WCID index before WTBL lookup
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 14 +++++++++++++-
drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 10 ++++++++++
2 files changed, 23 insertions(+), 1 deletion(-)
--
2.43.0
^ permalink raw reply
* [PATCH wireless v2] wifi: mt76: mt7996: replace direct WTBL access with MCU for station statistics
From: Joshua Klinesmith @ 2026-04-07 5:38 UTC (permalink / raw)
To: linux-wireless
Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
Joshua Klinesmith
Direct MMIO access to WTBL entries for airtime and RSSI statistics in
mt7996_mac_sta_poll() races with firmware, causing warnings at
mt7996_mac_wtbl_lmac_addr, MCU message timeouts, and firmware
communication breakdown. The function was called from
mt7996_mac_tx_free() on every TX-Free-Done event, compounding the
issue with heavy CPU overhead.
Replace the direct WTBL polling with firmware MCU queries:
- Airtime: UNI_ALL_STA_TXRX_AIR_TIME via the existing all_sta_info
MCU command, with a new handler in mt7996_mcu_rx_all_sta_info_event()
- RSSI: UNI_PER_STA_RSSI via new mt7996_mcu_get_per_sta_info() using
MCU_WM_UNI_CMD(PER_STA_INFO)
Both queries run from mt7996_mac_work() every 5th tick under dev mutex,
matching the pattern already used for TX rate, admission stats, and
MSDU count reporting.
Remove mt7996_mac_sta_poll() and its airtime_ac tracking array entirely.
The per-sta-info response handler validates the firmware-returned entry
count against what was requested and against the skb payload length
before walking the response array, and uses bounds-checked
mt76_wcid_ptr() for WLAN ID lookup. RSSI polling is batched in groups
of PER_STA_INFO_MAX_NUM to cover the full WTBL capacity.
Vendor driver analysis (mt_wifi.ko from Xiaomi AX3000T MT7981 firmware)
confirms the RCPI-to-RSSI conversion formula (rcpi - 220) / 2 and that
the vendor never performs direct WTBL reads for statistics.
Fixes: 98686cd21624 ("wifi: mt76: mt7996: add driver for MediaTek Wi-Fi 7 (802.11be) devices")
Link: https://github.com/openwrt/openwrt/issues/21177
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
.../wireless/mediatek/mt76/mt76_connac_mcu.h | 7 +
.../net/wireless/mediatek/mt76/mt7996/mac.c | 117 +--------------
.../net/wireless/mediatek/mt76/mt7996/mcu.c | 135 ++++++++++++++++++
.../net/wireless/mediatek/mt76/mt7996/mcu.h | 25 ++++
.../wireless/mediatek/mt76/mt7996/mt7996.h | 2 +-
5 files changed, 170 insertions(+), 116 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
index 8d59cf43f0e2..14d3ee7defa1 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mcu.h
@@ -1392,6 +1392,13 @@ enum {
UNI_OFFLOAD_OFFLOAD_BMC_RPY_DETECT,
};
+#define PER_STA_INFO_MAX_NUM 90
+
+enum UNI_PER_STA_INFO_TAG {
+ UNI_PER_STA_RSSI,
+ UNI_PER_STA_MAX_NUM
+};
+
enum UNI_ALL_STA_INFO_TAG {
UNI_ALL_STA_TXRX_RATE,
UNI_ALL_STA_TX_STAT,
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
index d4f3ee943b47..3d9648fb6773 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
@@ -111,119 +111,6 @@ u32 mt7996_mac_wtbl_lmac_addr(struct mt7996_dev *dev, u16 wcid, u8 dw)
return MT_WTBL_LMAC_OFFS(wcid, dw);
}
-static void mt7996_mac_sta_poll(struct mt7996_dev *dev)
-{
- static const u8 ac_to_tid[] = {
- [IEEE80211_AC_BE] = 0,
- [IEEE80211_AC_BK] = 1,
- [IEEE80211_AC_VI] = 4,
- [IEEE80211_AC_VO] = 6
- };
- struct mt7996_sta_link *msta_link;
- struct mt76_vif_link *mlink;
- struct ieee80211_sta *sta;
- struct mt7996_sta *msta;
- u32 tx_time[IEEE80211_NUM_ACS], rx_time[IEEE80211_NUM_ACS];
- LIST_HEAD(sta_poll_list);
- struct mt76_wcid *wcid;
- int i;
-
- spin_lock_bh(&dev->mt76.sta_poll_lock);
- list_splice_init(&dev->mt76.sta_poll_list, &sta_poll_list);
- spin_unlock_bh(&dev->mt76.sta_poll_lock);
-
- rcu_read_lock();
-
- while (true) {
- bool clear = false;
- u32 addr, val;
- u16 idx;
- s8 rssi[4];
-
- spin_lock_bh(&dev->mt76.sta_poll_lock);
- if (list_empty(&sta_poll_list)) {
- spin_unlock_bh(&dev->mt76.sta_poll_lock);
- break;
- }
- msta_link = list_first_entry(&sta_poll_list,
- struct mt7996_sta_link,
- wcid.poll_list);
- msta = msta_link->sta;
- wcid = &msta_link->wcid;
- list_del_init(&wcid->poll_list);
- spin_unlock_bh(&dev->mt76.sta_poll_lock);
-
- idx = wcid->idx;
-
- /* refresh peer's airtime reporting */
- addr = mt7996_mac_wtbl_lmac_addr(dev, idx, 20);
-
- for (i = 0; i < IEEE80211_NUM_ACS; i++) {
- u32 tx_last = msta_link->airtime_ac[i];
- u32 rx_last = msta_link->airtime_ac[i + 4];
-
- msta_link->airtime_ac[i] = mt76_rr(dev, addr);
- msta_link->airtime_ac[i + 4] = mt76_rr(dev, addr + 4);
-
- tx_time[i] = msta_link->airtime_ac[i] - tx_last;
- rx_time[i] = msta_link->airtime_ac[i + 4] - rx_last;
-
- if ((tx_last | rx_last) & BIT(30))
- clear = true;
-
- addr += 8;
- }
-
- if (clear) {
- mt7996_mac_wtbl_update(dev, idx,
- MT_WTBL_UPDATE_ADM_COUNT_CLEAR);
- memset(msta_link->airtime_ac, 0,
- sizeof(msta_link->airtime_ac));
- }
-
- if (!wcid->sta)
- continue;
-
- sta = container_of((void *)msta, struct ieee80211_sta,
- drv_priv);
- for (i = 0; i < IEEE80211_NUM_ACS; i++) {
- u8 q = mt76_connac_lmac_mapping(i);
- u32 tx_cur = tx_time[q];
- u32 rx_cur = rx_time[q];
- u8 tid = ac_to_tid[i];
-
- if (!tx_cur && !rx_cur)
- continue;
-
- ieee80211_sta_register_airtime(sta, tid, tx_cur, rx_cur);
- }
-
- /* get signal strength of resp frames (CTS/BA/ACK) */
- addr = mt7996_mac_wtbl_lmac_addr(dev, idx, 34);
- val = mt76_rr(dev, addr);
-
- rssi[0] = to_rssi(GENMASK(7, 0), val);
- rssi[1] = to_rssi(GENMASK(15, 8), val);
- rssi[2] = to_rssi(GENMASK(23, 16), val);
- rssi[3] = to_rssi(GENMASK(31, 14), val);
-
- mlink = rcu_dereference(msta->vif->mt76.link[wcid->link_id]);
- if (mlink) {
- struct mt76_phy *mphy = mt76_vif_link_phy(mlink);
-
- if (mphy)
- msta_link->ack_signal =
- mt76_rx_signal(mphy->antenna_mask,
- rssi);
- }
-
- ewma_avg_signal_add(&msta_link->avg_ack_signal,
- -msta_link->ack_signal);
- }
-
- rcu_read_unlock();
-}
-
/* The HW does not translate the mac header to 802.3 for mesh point */
static int mt7996_reverse_frag0_hdr_trans(struct sk_buff *skb, u16 hdr_gap)
{
@@ -1424,8 +1311,6 @@ mt7996_mac_tx_free(struct mt7996_dev *dev, void *data, int len)
}
}
- mt7996_mac_sta_poll(dev);
-
if (wake)
mt76_set_tx_blocked(&dev->mt76, false);
@@ -2947,6 +2832,8 @@ void mt7996_mac_work(struct work_struct *work)
mt7996_mac_update_stats(phy);
mt7996_mcu_get_all_sta_info(phy, UNI_ALL_STA_TXRX_RATE);
+ mt7996_mcu_get_all_sta_info(phy, UNI_ALL_STA_TXRX_AIR_TIME);
+ mt7996_mcu_get_per_sta_info(phy, UNI_PER_STA_RSSI);
if (mtk_wed_device_active(&phy->dev->mt76.mmio.wed)) {
mt7996_mcu_get_all_sta_info(phy, UNI_ALL_STA_TXRX_ADM_STAT);
mt7996_mcu_get_all_sta_info(phy, UNI_ALL_STA_TXRX_MSDU_COUNT);
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
index c0c042de477b..bf95e1d9299d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
@@ -616,6 +616,35 @@ mt7996_mcu_rx_all_sta_info_event(struct mt7996_dev *dev, struct sk_buff *skb)
wcid->stats.rx_packets +=
le32_to_cpu(res->msdu_cnt[i].rx_msdu_cnt);
break;
+ case UNI_ALL_STA_TXRX_AIR_TIME: {
+ static const u8 ac_to_tid[] = {
+ [IEEE80211_AC_BE] = 0,
+ [IEEE80211_AC_BK] = 1,
+ [IEEE80211_AC_VI] = 4,
+ [IEEE80211_AC_VO] = 6
+ };
+ struct ieee80211_sta *sta;
+
+ wlan_idx = le16_to_cpu(res->airtime[i].wlan_idx);
+ wcid = mt76_wcid_ptr(dev, wlan_idx);
+ sta = wcid_to_sta(wcid);
+ if (!sta)
+ break;
+
+ for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
+ u8 lmac_ac = mt76_connac_lmac_mapping(ac);
+ u32 tx_cur = le32_to_cpu(res->airtime[i].tx[lmac_ac]);
+ u32 rx_cur = le32_to_cpu(res->airtime[i].rx[lmac_ac]);
+
+ if (!tx_cur && !rx_cur)
+ continue;
+
+ ieee80211_sta_register_airtime(sta,
+ ac_to_tid[ac],
+ tx_cur, rx_cur);
+ }
+ break;
+ }
default:
break;
}
@@ -4755,6 +4784,112 @@ int mt7996_mcu_get_all_sta_info(struct mt7996_phy *phy, u16 tag)
&req, sizeof(req), false);
}
+int mt7996_mcu_get_per_sta_info(struct mt7996_phy *phy, u16 tag)
+{
+ struct mt7996_dev *dev = phy->dev;
+ struct mt7996_mcu_per_sta_info_event *res;
+ struct mt76_wcid *wcid;
+ struct sk_buff *skb;
+ int i, ret, sta_num, resp_sta_num;
+ int wcid_idx = 0;
+ struct {
+ u8 _rsv1;
+ u8 unsolicit;
+ u8 _rsv2[2];
+
+ __le16 tag;
+ __le16 len;
+ __le16 sta_num;
+ u8 _rsv3[2];
+ __le16 wlan_idx[PER_STA_INFO_MAX_NUM];
+ } __packed req = {
+ .tag = cpu_to_le16(tag),
+ .len = cpu_to_le16(sizeof(req) - 4),
+ };
+
+ while (wcid_idx < mt7996_wtbl_size(dev)) {
+ sta_num = 0;
+
+ rcu_read_lock();
+ for (i = wcid_idx;
+ i < mt7996_wtbl_size(dev) && sta_num < PER_STA_INFO_MAX_NUM;
+ i++) {
+ wcid = rcu_dereference(dev->mt76.wcid[i]);
+ if (!wcid || !wcid->sta)
+ continue;
+ req.wlan_idx[sta_num++] = cpu_to_le16(i);
+ }
+ rcu_read_unlock();
+ wcid_idx = i;
+
+ if (!sta_num)
+ continue;
+
+ req.sta_num = cpu_to_le16(sta_num);
+
+ ret = mt76_mcu_send_and_get_msg(&dev->mt76,
+ MCU_WM_UNI_CMD(PER_STA_INFO),
+ &req, sizeof(req), true, &skb);
+ if (ret)
+ return ret;
+
+ res = (struct mt7996_mcu_per_sta_info_event *)skb->data;
+
+ resp_sta_num = le16_to_cpu(res->sta_num);
+ if (resp_sta_num > sta_num ||
+ skb->len < struct_size(res, rssi, resp_sta_num)) {
+ dev_kfree_skb(skb);
+ return -EINVAL;
+ }
+
+ rcu_read_lock();
+ for (i = 0; i < resp_sta_num; i++) {
+ struct mt7996_sta_link *msta_link;
+ struct mt76_vif_link *mvif;
+ struct mt76_vif_link *mlink;
+ struct mt76_phy *mphy;
+ u16 wlan_idx;
+ s8 rssi[4];
+
+ switch (tag) {
+ case UNI_PER_STA_RSSI:
+ wlan_idx = le16_to_cpu(res->rssi[i].wlan_idx);
+ wcid = mt76_wcid_ptr(dev, wlan_idx);
+ if (!wcid || !wcid->sta)
+ break;
+
+ msta_link = container_of(wcid,
+ struct mt7996_sta_link,
+ wcid);
+
+ rssi[0] = (res->rssi[i].rcpi[0] - 220) / 2;
+ rssi[1] = (res->rssi[i].rcpi[1] - 220) / 2;
+ rssi[2] = (res->rssi[i].rcpi[2] - 220) / 2;
+ rssi[3] = (res->rssi[i].rcpi[3] - 220) / 2;
+
+ mvif = &msta_link->sta->vif->mt76;
+ mlink = rcu_dereference(mvif->link[wcid->link_id]);
+ if (mlink) {
+ mphy = mt76_vif_link_phy(mlink);
+ if (mphy)
+ msta_link->ack_signal =
+ mt76_rx_signal(mphy->antenna_mask,
+ rssi);
+ }
+
+ ewma_avg_signal_add(&msta_link->avg_ack_signal,
+ -msta_link->ack_signal);
+ break;
+ }
+ }
+ rcu_read_unlock();
+
+ dev_kfree_skb(skb);
+ }
+
+ return 0;
+}
+
int mt7996_mcu_wed_rro_reset_sessions(struct mt7996_dev *dev, u16 id)
{
struct {
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
index e0b83ac9f5e2..b5bad9a76c49 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.h
@@ -220,6 +220,31 @@ struct mt7996_mcu_all_sta_info_event {
__le32 tx_msdu_cnt;
__le32 rx_msdu_cnt;
} __packed, msdu_cnt);
+
+ DECLARE_FLEX_ARRAY(struct {
+ __le16 wlan_idx;
+ u8 rsv[2];
+ __le32 tx[IEEE80211_NUM_ACS];
+ __le32 rx[IEEE80211_NUM_ACS];
+ } __packed, airtime);
+ } __packed;
+} __packed;
+
+struct mt7996_mcu_per_sta_info_event {
+ u8 rsv[4];
+ __le16 tag;
+ __le16 len;
+ u8 more;
+ u8 rsv2;
+ __le16 sta_num;
+ u8 rsv3[4];
+
+ union {
+ DECLARE_FLEX_ARRAY(struct {
+ __le16 wlan_idx;
+ u8 rsv[2];
+ u8 rcpi[4];
+ } __packed, rssi);
} __packed;
} __packed;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
index 7a884311800e..b523e971f78c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
+++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
@@ -222,7 +222,6 @@ struct mt7996_sta_link {
struct mt7996_sta *sta;
struct list_head rc_list;
- u32 airtime_ac[8];
int ack_signal;
struct ewma_avg_signal avg_ack_signal;
@@ -741,6 +740,7 @@ int mt7996_mcu_trigger_assert(struct mt7996_dev *dev);
void mt7996_mcu_rx_event(struct mt7996_dev *dev, struct sk_buff *skb);
void mt7996_mcu_exit(struct mt7996_dev *dev);
int mt7996_mcu_get_all_sta_info(struct mt7996_phy *phy, u16 tag);
+int mt7996_mcu_get_per_sta_info(struct mt7996_phy *phy, u16 tag);
int mt7996_mcu_wed_rro_reset_sessions(struct mt7996_dev *dev, u16 id);
int mt7996_mcu_set_sniffer_mode(struct mt7996_phy *phy, bool enabled);
--
2.43.0
^ permalink raw reply related
* [PATCH ath-next v5 6/6] wifi: ath12k: Enable IPQ5424 WiFi device support
From: Raj Kumar Bhagat @ 2026-04-07 5:26 UTC (permalink / raw)
To: Johannes Berg, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Raj Kumar Bhagat, Sowmiya Sree Elavalagan,
Saravanakumar Duraisamy, Baochen Qiang
In-Reply-To: <20260407-ath12k-ipq5424-v5-0-8e96aa660ec4@oss.qualcomm.com>
From: Sowmiya Sree Elavalagan <sowmiya.elavalagan@oss.qualcomm.com>
Currently, ath12k AHB (in IPQ5332) uses SCM calls to authenticate the
firmware image to bring up userpd. From IPQ5424 onwards, Q6 firmware can
directly communicate with the Trusted Management Engine - Lite (TME-L),
eliminating the need for SCM calls for userpd bring-up.
Hence, to enable IPQ5424 device support, use qcom_mdt_load_no_init() and
skip the SCM call as Q6 will directly authenticate the userpd firmware.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5424 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Signed-off-by: Sowmiya Sree Elavalagan <sowmiya.elavalagan@oss.qualcomm.com>
Co-developed-by: Saravanakumar Duraisamy <quic_saradura@quicinc.com>
Signed-off-by: Saravanakumar Duraisamy <quic_saradura@quicinc.com>
Co-developed-by: Raj Kumar Bhagat <raj.bhagat@oss.qualcomm.com>
Signed-off-by: Raj Kumar Bhagat <raj.bhagat@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/ahb.c | 36 ++++++++++++++++++-----------
drivers/net/wireless/ath/ath12k/ahb.h | 1 +
drivers/net/wireless/ath/ath12k/wifi7/ahb.c | 8 +++++++
3 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/ahb.c b/drivers/net/wireless/ath/ath12k/ahb.c
index 9a4d34e49104..2dcf0a52e4c1 100644
--- a/drivers/net/wireless/ath/ath12k/ahb.c
+++ b/drivers/net/wireless/ath/ath12k/ahb.c
@@ -382,8 +382,12 @@ static int ath12k_ahb_power_up(struct ath12k_base *ab)
ATH12K_AHB_UPD_SWID;
/* Load FW image to a reserved memory location */
- ret = qcom_mdt_load(dev, fw, fw_name, pasid, mem_region, mem_phys, mem_size,
- &mem_phys);
+ if (ab_ahb->scm_auth_enabled)
+ ret = qcom_mdt_load(dev, fw, fw_name, pasid, mem_region,
+ mem_phys, mem_size, &mem_phys);
+ else
+ ret = qcom_mdt_load_no_init(dev, fw, fw_name, mem_region,
+ mem_phys, mem_size, &mem_phys);
if (ret) {
ath12k_err(ab, "Failed to load MDT segments: %d\n", ret);
goto err_fw;
@@ -414,11 +418,13 @@ static int ath12k_ahb_power_up(struct ath12k_base *ab)
goto err_fw2;
}
- /* Authenticate FW image using peripheral ID */
- ret = qcom_scm_pas_auth_and_reset(pasid);
- if (ret) {
- ath12k_err(ab, "failed to boot the remote processor %d\n", ret);
- goto err_fw2;
+ if (ab_ahb->scm_auth_enabled) {
+ /* Authenticate FW image using peripheral ID */
+ ret = qcom_scm_pas_auth_and_reset(pasid);
+ if (ret) {
+ ath12k_err(ab, "failed to boot the remote processor %d\n", ret);
+ goto err_fw2;
+ }
}
/* Instruct Q6 to spawn userPD thread */
@@ -475,13 +481,15 @@ static void ath12k_ahb_power_down(struct ath12k_base *ab, bool is_suspend)
qcom_smem_state_update_bits(ab_ahb->stop_state, BIT(ab_ahb->stop_bit), 0);
- pasid = (u32_encode_bits(ab_ahb->userpd_id, ATH12K_USERPD_ID_MASK)) |
- ATH12K_AHB_UPD_SWID;
- /* Release the firmware */
- ret = qcom_scm_pas_shutdown(pasid);
- if (ret)
- ath12k_err(ab, "scm pas shutdown failed for userPD%d: %d\n",
- ab_ahb->userpd_id, ret);
+ if (ab_ahb->scm_auth_enabled) {
+ pasid = (u32_encode_bits(ab_ahb->userpd_id, ATH12K_USERPD_ID_MASK)) |
+ ATH12K_AHB_UPD_SWID;
+ /* Release the firmware */
+ ret = qcom_scm_pas_shutdown(pasid);
+ if (ret)
+ ath12k_err(ab, "scm pas shutdown failed for userPD%d\n",
+ ab_ahb->userpd_id);
+ }
}
static void ath12k_ahb_init_qmi_ce_config(struct ath12k_base *ab)
diff --git a/drivers/net/wireless/ath/ath12k/ahb.h b/drivers/net/wireless/ath/ath12k/ahb.h
index be9e31b3682d..0fa15daaa3e6 100644
--- a/drivers/net/wireless/ath/ath12k/ahb.h
+++ b/drivers/net/wireless/ath/ath12k/ahb.h
@@ -68,6 +68,7 @@ struct ath12k_ahb {
int userpd_irq_num[ATH12K_USERPD_MAX_IRQ];
const struct ath12k_ahb_ops *ahb_ops;
const struct ath12k_ahb_device_family_ops *device_family_ops;
+ bool scm_auth_enabled;
};
struct ath12k_ahb_driver {
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/ahb.c b/drivers/net/wireless/ath/ath12k/wifi7/ahb.c
index a6c5f7689edd..6a8b8b2a56f9 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/ahb.c
+++ b/drivers/net/wireless/ath/ath12k/wifi7/ahb.c
@@ -19,6 +19,9 @@ static const struct of_device_id ath12k_wifi7_ahb_of_match[] = {
{ .compatible = "qcom,ipq5332-wifi",
.data = (void *)ATH12K_HW_IPQ5332_HW10,
},
+ { .compatible = "qcom,ipq5424-wifi",
+ .data = (void *)ATH12K_HW_IPQ5424_HW10,
+ },
{ }
};
@@ -38,6 +41,11 @@ static int ath12k_wifi7_ahb_probe(struct platform_device *pdev)
switch (hw_rev) {
case ATH12K_HW_IPQ5332_HW10:
ab_ahb->userpd_id = ATH12K_IPQ5332_USERPD_ID;
+ ab_ahb->scm_auth_enabled = true;
+ break;
+ case ATH12K_HW_IPQ5424_HW10:
+ ab_ahb->userpd_id = ATH12K_IPQ5332_USERPD_ID;
+ ab_ahb->scm_auth_enabled = false;
break;
default:
return -EOPNOTSUPP;
--
2.34.1
^ permalink raw reply related
* [PATCH ath-next v5 5/6] wifi: ath12k: Add CE remap hardware parameters for IPQ5424
From: Raj Kumar Bhagat @ 2026-04-07 5:26 UTC (permalink / raw)
To: Johannes Berg, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Raj Kumar Bhagat, Saravanakumar Duraisamy, Baochen Qiang
In-Reply-To: <20260407-ath12k-ipq5424-v5-0-8e96aa660ec4@oss.qualcomm.com>
From: Saravanakumar Duraisamy <quic_saradura@quicinc.com>
Add CE remap hardware parameters for Ath12k AHB device IPQ5424.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5424 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Signed-off-by: Saravanakumar Duraisamy <quic_saradura@quicinc.com>
Signed-off-by: Raj Kumar Bhagat <raj.bhagat@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/ce.h | 13 +++++++++----
drivers/net/wireless/ath/ath12k/wifi7/hw.c | 22 +++++++++++++++++-----
2 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/ce.h b/drivers/net/wireless/ath/ath12k/ce.h
index df4f2a4f8480..009cddf2d68d 100644
--- a/drivers/net/wireless/ath/ath12k/ce.h
+++ b/drivers/net/wireless/ath/ath12k/ce.h
@@ -38,10 +38,15 @@
#define PIPEDIR_INOUT 3 /* bidirectional */
#define PIPEDIR_INOUT_H2H 4 /* bidirectional, host to host */
-/* CE address/mask */
-#define CE_HOST_IE_ADDRESS 0x75804C
-#define CE_HOST_IE_2_ADDRESS 0x758050
-#define CE_HOST_IE_3_ADDRESS CE_HOST_IE_ADDRESS
+/* IPQ5332 CE address/mask */
+#define CE_HOST_IPQ5332_IE_ADDRESS 0x75804C
+#define CE_HOST_IPQ5332_IE_2_ADDRESS 0x758050
+#define CE_HOST_IPQ5332_IE_3_ADDRESS CE_HOST_IPQ5332_IE_ADDRESS
+
+/* IPQ5424 CE address/mask */
+#define CE_HOST_IPQ5424_IE_ADDRESS 0x21804C
+#define CE_HOST_IPQ5424_IE_2_ADDRESS 0x218050
+#define CE_HOST_IPQ5424_IE_3_ADDRESS CE_HOST_IPQ5424_IE_ADDRESS
#define CE_HOST_IE_3_SHIFT 0xC
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/hw.c b/drivers/net/wireless/ath/ath12k/wifi7/hw.c
index 2b5d1f7e9e04..cb3185850439 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/hw.c
+++ b/drivers/net/wireless/ath/ath12k/wifi7/hw.c
@@ -329,9 +329,15 @@ static const struct ath12k_hw_ring_mask ath12k_wifi7_hw_ring_mask_wcn7850 = {
};
static const struct ce_ie_addr ath12k_wifi7_ce_ie_addr_ipq5332 = {
- .ie1_reg_addr = CE_HOST_IE_ADDRESS - HAL_IPQ5332_CE_WFSS_REG_BASE,
- .ie2_reg_addr = CE_HOST_IE_2_ADDRESS - HAL_IPQ5332_CE_WFSS_REG_BASE,
- .ie3_reg_addr = CE_HOST_IE_3_ADDRESS - HAL_IPQ5332_CE_WFSS_REG_BASE,
+ .ie1_reg_addr = CE_HOST_IPQ5332_IE_ADDRESS - HAL_IPQ5332_CE_WFSS_REG_BASE,
+ .ie2_reg_addr = CE_HOST_IPQ5332_IE_2_ADDRESS - HAL_IPQ5332_CE_WFSS_REG_BASE,
+ .ie3_reg_addr = CE_HOST_IPQ5332_IE_3_ADDRESS - HAL_IPQ5332_CE_WFSS_REG_BASE,
+};
+
+static const struct ce_ie_addr ath12k_wifi7_ce_ie_addr_ipq5424 = {
+ .ie1_reg_addr = CE_HOST_IPQ5424_IE_ADDRESS - HAL_IPQ5424_CE_WFSS_REG_BASE,
+ .ie2_reg_addr = CE_HOST_IPQ5424_IE_2_ADDRESS - HAL_IPQ5424_CE_WFSS_REG_BASE,
+ .ie3_reg_addr = CE_HOST_IPQ5424_IE_3_ADDRESS - HAL_IPQ5424_CE_WFSS_REG_BASE,
};
static const struct ce_remap ath12k_wifi7_ce_remap_ipq5332 = {
@@ -340,6 +346,12 @@ static const struct ce_remap ath12k_wifi7_ce_remap_ipq5332 = {
.cmem_offset = HAL_SEQ_WCSS_CMEM_OFFSET,
};
+static const struct ce_remap ath12k_wifi7_ce_remap_ipq5424 = {
+ .base = HAL_IPQ5424_CE_WFSS_REG_BASE,
+ .size = HAL_IPQ5424_CE_SIZE,
+ .cmem_offset = HAL_SEQ_WCSS_CMEM_OFFSET,
+};
+
static const struct ath12k_hw_params ath12k_wifi7_hw_params[] = {
{
.name = "qcn9274 hw1.0",
@@ -824,8 +836,8 @@ static const struct ath12k_hw_params ath12k_wifi7_hw_params[] = {
.iova_mask = 0,
.supports_aspm = false,
- .ce_ie_addr = NULL,
- .ce_remap = NULL,
+ .ce_ie_addr = &ath12k_wifi7_ce_ie_addr_ipq5424,
+ .ce_remap = &ath12k_wifi7_ce_remap_ipq5424,
.bdf_addr_offset = 0x940000,
.current_cc_support = false,
--
2.34.1
^ permalink raw reply related
* [PATCH ath-next v5 4/6] wifi: ath12k: add ath12k_hw_regs for IPQ5424
From: Raj Kumar Bhagat @ 2026-04-07 5:26 UTC (permalink / raw)
To: Johannes Berg, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Raj Kumar Bhagat, Saravanakumar Duraisamy, Baochen Qiang
In-Reply-To: <20260407-ath12k-ipq5424-v5-0-8e96aa660ec4@oss.qualcomm.com>
From: Saravanakumar Duraisamy <quic_saradura@quicinc.com>
Add register addresses (ath12k_hw_regs) for ath12k AHB based
WiFi 7 device IPQ5424.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5424 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Signed-off-by: Saravanakumar Duraisamy <quic_saradura@quicinc.com>
Signed-off-by: Raj Kumar Bhagat <raj.bhagat@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/wifi7/hal.c | 2 +-
drivers/net/wireless/ath/ath12k/wifi7/hal.h | 3 +
.../net/wireless/ath/ath12k/wifi7/hal_qcn9274.c | 88 ++++++++++++++++++++++
.../net/wireless/ath/ath12k/wifi7/hal_qcn9274.h | 1 +
4 files changed, 93 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/hal.c b/drivers/net/wireless/ath/ath12k/wifi7/hal.c
index c2cc99a83f09..a0a1902fb491 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/hal.c
+++ b/drivers/net/wireless/ath/ath12k/wifi7/hal.c
@@ -55,7 +55,7 @@ static const struct ath12k_hw_version_map ath12k_wifi7_hw_ver_map[] = {
.hal_desc_sz = sizeof(struct hal_rx_desc_qcn9274_compact),
.tcl_to_wbm_rbm_map = ath12k_hal_tcl_to_wbm_rbm_map_qcn9274,
.hal_params = &ath12k_hw_hal_params_ipq5332,
- .hw_regs = NULL,
+ .hw_regs = &ipq5424_regs,
},
};
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/hal.h b/drivers/net/wireless/ath/ath12k/wifi7/hal.h
index 9337225a5253..3d9386198893 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/hal.h
+++ b/drivers/net/wireless/ath/ath12k/wifi7/hal.h
@@ -364,6 +364,9 @@
#define HAL_IPQ5332_CE_WFSS_REG_BASE 0x740000
#define HAL_IPQ5332_CE_SIZE 0x100000
+#define HAL_IPQ5424_CE_WFSS_REG_BASE 0x200000
+#define HAL_IPQ5424_CE_SIZE 0x100000
+
#define HAL_RX_MAX_BA_WINDOW 256
#define HAL_DEFAULT_BE_BK_VI_REO_TIMEOUT_USEC (100 * 1000)
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/hal_qcn9274.c b/drivers/net/wireless/ath/ath12k/wifi7/hal_qcn9274.c
index 41c918eb1767..ba9ce1e718e8 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/hal_qcn9274.c
+++ b/drivers/net/wireless/ath/ath12k/wifi7/hal_qcn9274.c
@@ -484,6 +484,94 @@ const struct ath12k_hw_regs ipq5332_regs = {
HAL_IPQ5332_CE_WFSS_REG_BASE,
};
+const struct ath12k_hw_regs ipq5424_regs = {
+ /* SW2TCL(x) R0 ring configuration address */
+ .tcl1_ring_id = 0x00000918,
+ .tcl1_ring_misc = 0x00000920,
+ .tcl1_ring_tp_addr_lsb = 0x0000092c,
+ .tcl1_ring_tp_addr_msb = 0x00000930,
+ .tcl1_ring_consumer_int_setup_ix0 = 0x00000940,
+ .tcl1_ring_consumer_int_setup_ix1 = 0x00000944,
+ .tcl1_ring_msi1_base_lsb = 0x00000958,
+ .tcl1_ring_msi1_base_msb = 0x0000095c,
+ .tcl1_ring_base_lsb = 0x00000910,
+ .tcl1_ring_base_msb = 0x00000914,
+ .tcl1_ring_msi1_data = 0x00000960,
+ .tcl2_ring_base_lsb = 0x00000988,
+ .tcl_ring_base_lsb = 0x00000b68,
+
+ /* TCL STATUS ring address */
+ .tcl_status_ring_base_lsb = 0x00000d48,
+
+ /* REO DEST ring address */
+ .reo2_ring_base = 0x00000578,
+ .reo1_misc_ctrl_addr = 0x00000b9c,
+ .reo1_sw_cookie_cfg0 = 0x0000006c,
+ .reo1_sw_cookie_cfg1 = 0x00000070,
+ .reo1_qdesc_lut_base0 = 0x00000074,
+ .reo1_qdesc_lut_base1 = 0x00000078,
+ .reo1_ring_base_lsb = 0x00000500,
+ .reo1_ring_base_msb = 0x00000504,
+ .reo1_ring_id = 0x00000508,
+ .reo1_ring_misc = 0x00000510,
+ .reo1_ring_hp_addr_lsb = 0x00000514,
+ .reo1_ring_hp_addr_msb = 0x00000518,
+ .reo1_ring_producer_int_setup = 0x00000524,
+ .reo1_ring_msi1_base_lsb = 0x00000548,
+ .reo1_ring_msi1_base_msb = 0x0000054C,
+ .reo1_ring_msi1_data = 0x00000550,
+ .reo1_aging_thres_ix0 = 0x00000B28,
+ .reo1_aging_thres_ix1 = 0x00000B2C,
+ .reo1_aging_thres_ix2 = 0x00000B30,
+ .reo1_aging_thres_ix3 = 0x00000B34,
+
+ /* REO Exception ring address */
+ .reo2_sw0_ring_base = 0x000008c0,
+
+ /* REO Reinject ring address */
+ .sw2reo_ring_base = 0x00000320,
+ .sw2reo1_ring_base = 0x00000398,
+
+ /* REO cmd ring address */
+ .reo_cmd_ring_base = 0x000002A8,
+
+ /* REO status ring address */
+ .reo_status_ring_base = 0x00000aa0,
+
+ /* WBM idle link ring address */
+ .wbm_idle_ring_base_lsb = 0x00000d3c,
+ .wbm_idle_ring_misc_addr = 0x00000d4c,
+ .wbm_r0_idle_list_cntl_addr = 0x00000240,
+ .wbm_r0_idle_list_size_addr = 0x00000244,
+ .wbm_scattered_ring_base_lsb = 0x00000250,
+ .wbm_scattered_ring_base_msb = 0x00000254,
+ .wbm_scattered_desc_head_info_ix0 = 0x00000260,
+ .wbm_scattered_desc_head_info_ix1 = 0x00000264,
+ .wbm_scattered_desc_tail_info_ix0 = 0x00000270,
+ .wbm_scattered_desc_tail_info_ix1 = 0x00000274,
+ .wbm_scattered_desc_ptr_hp_addr = 0x0000027c,
+
+ /* SW2WBM release ring address */
+ .wbm_sw_release_ring_base_lsb = 0x0000037c,
+
+ /* WBM2SW release ring address */
+ .wbm0_release_ring_base_lsb = 0x00000e08,
+ .wbm1_release_ring_base_lsb = 0x00000e80,
+
+ /* PPE release ring address */
+ .ppe_rel_ring_base = 0x0000046c,
+
+ /* CE address */
+ .umac_ce0_src_reg_base = 0x00200000 -
+ HAL_IPQ5424_CE_WFSS_REG_BASE,
+ .umac_ce0_dest_reg_base = 0x00201000 -
+ HAL_IPQ5424_CE_WFSS_REG_BASE,
+ .umac_ce1_src_reg_base = 0x00202000 -
+ HAL_IPQ5424_CE_WFSS_REG_BASE,
+ .umac_ce1_dest_reg_base = 0x00203000 -
+ HAL_IPQ5424_CE_WFSS_REG_BASE,
+};
+
static inline
bool ath12k_hal_rx_desc_get_first_msdu_qcn9274(struct hal_rx_desc *desc)
{
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/hal_qcn9274.h b/drivers/net/wireless/ath/ath12k/wifi7/hal_qcn9274.h
index 08c0a0469474..03cf3792d523 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/hal_qcn9274.h
+++ b/drivers/net/wireless/ath/ath12k/wifi7/hal_qcn9274.h
@@ -17,6 +17,7 @@ extern const struct hal_ops hal_qcn9274_ops;
extern const struct ath12k_hw_regs qcn9274_v1_regs;
extern const struct ath12k_hw_regs qcn9274_v2_regs;
extern const struct ath12k_hw_regs ipq5332_regs;
+extern const struct ath12k_hw_regs ipq5424_regs;
extern const struct ath12k_hal_tcl_to_wbm_rbm_map
ath12k_hal_tcl_to_wbm_rbm_map_qcn9274[DP_TCL_NUM_RING_MAX];
extern const struct ath12k_hw_hal_params ath12k_hw_hal_params_qcn9274;
--
2.34.1
^ permalink raw reply related
* [PATCH ath-next v5 3/6] wifi: ath12k: add ath12k_hw_version_map entry for IPQ5424
From: Raj Kumar Bhagat @ 2026-04-07 5:26 UTC (permalink / raw)
To: Johannes Berg, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Raj Kumar Bhagat, Baochen Qiang
In-Reply-To: <20260407-ath12k-ipq5424-v5-0-8e96aa660ec4@oss.qualcomm.com>
Add a new ath12k_hw_version_map entry for the AHB based WiFi 7 device
IPQ5424.
Reuse most of the ath12k_hw_version_map fields such as hal_ops,
hal_desc_sz, tcl_to_wbm_rbm_map, and hal_params from IPQ5332. The
register addresses differ on IPQ5424, hence set hw_regs temporarily
to NULL and populated it in a subsequent patch.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5424 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Signed-off-by: Raj Kumar Bhagat <raj.bhagat@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/wifi7/hal.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/hal.c b/drivers/net/wireless/ath/ath12k/wifi7/hal.c
index bd1753ca0db6..c2cc99a83f09 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/hal.c
+++ b/drivers/net/wireless/ath/ath12k/wifi7/hal.c
@@ -50,6 +50,13 @@ static const struct ath12k_hw_version_map ath12k_wifi7_hw_ver_map[] = {
.hal_params = &ath12k_hw_hal_params_wcn7850,
.hw_regs = &qcc2072_regs,
},
+ [ATH12K_HW_IPQ5424_HW10] = {
+ .hal_ops = &hal_qcn9274_ops,
+ .hal_desc_sz = sizeof(struct hal_rx_desc_qcn9274_compact),
+ .tcl_to_wbm_rbm_map = ath12k_hal_tcl_to_wbm_rbm_map_qcn9274,
+ .hal_params = &ath12k_hw_hal_params_ipq5332,
+ .hw_regs = NULL,
+ },
};
int ath12k_wifi7_hal_init(struct ath12k_base *ab)
--
2.34.1
^ permalink raw reply related
* [PATCH ath-next v5 2/6] wifi: ath12k: Add ath12k_hw_params for IPQ5424
From: Raj Kumar Bhagat @ 2026-04-07 5:26 UTC (permalink / raw)
To: Johannes Berg, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Raj Kumar Bhagat, Saravanakumar Duraisamy, Baochen Qiang
In-Reply-To: <20260407-ath12k-ipq5424-v5-0-8e96aa660ec4@oss.qualcomm.com>
From: Saravanakumar Duraisamy <quic_saradura@quicinc.com>
Add ath12k_hw_params for the ath12k AHB-based WiFi 7 device IPQ5424.
The WiFi device IPQ5424 is similar to IPQ5332. Most of the hardware
parameters like hw_ops, wmi_init, ring_mask, etc., are the same between
IPQ5424 and IPQ5332, hence use these same parameters for IPQ5424.
Some parameters are specific to IPQ5424; initially set these to
0 or NULL, and populate them in subsequent patches.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Tested-on: IPQ5424 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Signed-off-by: Saravanakumar Duraisamy <quic_saradura@quicinc.com>
Signed-off-by: Raj Kumar Bhagat <raj.bhagat@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/core.h | 1 +
drivers/net/wireless/ath/ath12k/wifi7/hw.c | 79 ++++++++++++++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h
index 59c193b24764..68453594eba8 100644
--- a/drivers/net/wireless/ath/ath12k/core.h
+++ b/drivers/net/wireless/ath/ath12k/core.h
@@ -157,6 +157,7 @@ enum ath12k_hw_rev {
ATH12K_HW_WCN7850_HW20,
ATH12K_HW_IPQ5332_HW10,
ATH12K_HW_QCC2072_HW10,
+ ATH12K_HW_IPQ5424_HW10,
};
enum ath12k_firmware_mode {
diff --git a/drivers/net/wireless/ath/ath12k/wifi7/hw.c b/drivers/net/wireless/ath/ath12k/wifi7/hw.c
index ec6dba96640b..2b5d1f7e9e04 100644
--- a/drivers/net/wireless/ath/ath12k/wifi7/hw.c
+++ b/drivers/net/wireless/ath/ath12k/wifi7/hw.c
@@ -753,6 +753,85 @@ static const struct ath12k_hw_params ath12k_wifi7_hw_params[] = {
.dp_primary_link_only = false,
},
+ {
+ .name = "ipq5424 hw1.0",
+ .hw_rev = ATH12K_HW_IPQ5424_HW10,
+ .fw = {
+ .dir = "IPQ5424/hw1.0",
+ .board_size = 256 * 1024,
+ .cal_offset = 128 * 1024,
+ .m3_loader = ath12k_m3_fw_loader_remoteproc,
+ .download_aux_ucode = false,
+ },
+ .max_radios = 1,
+ .single_pdev_only = false,
+ .qmi_service_ins_id = ATH12K_QMI_WLFW_SERVICE_INS_ID_V01_IPQ5332,
+ .internal_sleep_clock = false,
+
+ .hw_ops = &qcn9274_ops,
+ .ring_mask = &ath12k_wifi7_hw_ring_mask_ipq5332,
+
+ .host_ce_config = ath12k_wifi7_host_ce_config_ipq5332,
+ .ce_count = 12,
+ .target_ce_config = ath12k_wifi7_target_ce_config_wlan_ipq5332,
+ .target_ce_count = 12,
+ .svc_to_ce_map =
+ ath12k_wifi7_target_service_to_ce_map_wlan_ipq5332,
+ .svc_to_ce_map_len = 18,
+
+ .rxdma1_enable = true,
+ .num_rxdma_per_pdev = 1,
+ .num_rxdma_dst_ring = 0,
+ .rx_mac_buf_ring = false,
+ .vdev_start_delay = false,
+
+ .interface_modes = BIT(NL80211_IFTYPE_STATION) |
+ BIT(NL80211_IFTYPE_AP) |
+ BIT(NL80211_IFTYPE_MESH_POINT),
+ .supports_monitor = true,
+
+ .idle_ps = false,
+ .download_calib = true,
+ .supports_suspend = false,
+ .tcl_ring_retry = true,
+ .reoq_lut_support = false,
+ .supports_shadow_regs = false,
+
+ .num_tcl_banks = 48,
+ .max_tx_ring = 4,
+
+ .mhi_config = NULL,
+
+ .wmi_init = &ath12k_wifi7_wmi_init_qcn9274,
+
+ .qmi_cnss_feature_bitmap = BIT(CNSS_QDSS_CFG_MISS_V01),
+
+ .rfkill_pin = 0,
+ .rfkill_cfg = 0,
+ .rfkill_on_level = 0,
+
+ .rddm_size = 0,
+
+ .def_num_link = 0,
+ .max_mlo_peer = 256,
+
+ .otp_board_id_register = 0,
+
+ .supports_sta_ps = false,
+
+ .acpi_guid = NULL,
+ .supports_dynamic_smps_6ghz = false,
+ .iova_mask = 0,
+ .supports_aspm = false,
+
+ .ce_ie_addr = NULL,
+ .ce_remap = NULL,
+ .bdf_addr_offset = 0x940000,
+
+ .current_cc_support = false,
+
+ .dp_primary_link_only = true,
+ },
};
/* Note: called under rcu_read_lock() */
--
2.34.1
^ permalink raw reply related
* [PATCH ath-next v5 1/6] dt-bindings: net: wireless: add ath12k wifi device IPQ5424
From: Raj Kumar Bhagat @ 2026-04-07 5:26 UTC (permalink / raw)
To: Johannes Berg, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Raj Kumar Bhagat, Krzysztof Kozlowski
In-Reply-To: <20260407-ath12k-ipq5424-v5-0-8e96aa660ec4@oss.qualcomm.com>
Add the device-tree bindings for the ATH12K AHB wifi device IPQ5424.
Signed-off-by: Raj Kumar Bhagat <raj.bhagat@oss.qualcomm.com>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
---
Documentation/devicetree/bindings/net/wireless/qcom,ipq5332-wifi.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/Documentation/devicetree/bindings/net/wireless/qcom,ipq5332-wifi.yaml b/Documentation/devicetree/bindings/net/wireless/qcom,ipq5332-wifi.yaml
index 363a0ecb6ad9..37d8a0da7780 100644
--- a/Documentation/devicetree/bindings/net/wireless/qcom,ipq5332-wifi.yaml
+++ b/Documentation/devicetree/bindings/net/wireless/qcom,ipq5332-wifi.yaml
@@ -17,6 +17,7 @@ properties:
compatible:
enum:
- qcom,ipq5332-wifi
+ - qcom,ipq5424-wifi
reg:
maxItems: 1
--
2.34.1
^ permalink raw reply related
* [PATCH ath-next v5 0/6] wifi: ath12k: Enable IPQ5424 AHB WiFi device
From: Raj Kumar Bhagat @ 2026-04-07 5:26 UTC (permalink / raw)
To: Johannes Berg, Rob Herring, Krzysztof Kozlowski, Conor Dooley,
Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Raj Kumar Bhagat, Saravanakumar Duraisamy, Baochen Qiang,
Sowmiya Sree Elavalagan, Krzysztof Kozlowski
Add support for the new ath12k AHB device IPQ5424, as currently, Ath12k
AHB only supports IPQ5332 WiFi devices.
The IPQ5424 is an IEEE 802.11be 2 GHz WiFi device, supporting 4x4
configurations. To enable the IPQ5424 device:
- Add the necessary hardware parameters for IPQ5424.
- Modify the boot-up sequence for ath12k AHB to accommodate the
requirements of the IPQ5424 device.
---
Changes in v5:
- The mhi_config and current_cc_support hardware parameters are explicitly
initialized to default values.
- Link to v4: https://lore.kernel.org/r/20260402-ath12k-ipq5424-v4-0-cd1e0f0a6c88@oss.qualcomm.com
Changes in v4:
- DT binding: dropped copyright update as per discussion in v3.
- DT binding: Used DT binding from v2 and retained Acked-by tag.
- Link to v3: https://patch.msgid.link/20260331-ath12k-ipq5424-v3-0-1455b9cae29c@oss.qualcomm.com
Changes in v3:
- DT binding: updated copyright.
- DT binding: Dropped Acked-by tag as copyright is updated.
- Rebased on latest ToT.
- Dropped ath12k_ahb_ops because qcom_mdt_load() and
qcom_mdt_load_no_init() now have different number of arguments.
- Link to v2: https://lore.kernel.org/all/20250518-ath12k-ipq5424-v2-0-ef81b833dc97@quicinc.com/
Changes in v2:
- DT binding: Removed the redundant example for IPQ5424, as it is similar
to IPQ5332.
- Added driver probe data structure to eliminate the redundant switch-case
logic in the ath12k_ahb_probe() function.
- Validation completed, hence changed from RFC to PATCH.
- Link to v1: https://lore.kernel.org/all/20250130051838.1924079-1-quic_rajkbhag@quicinc.com/
Signed-off-by: Raj Kumar Bhagat <raj.bhagat@oss.qualcomm.com>
---
Raj Kumar Bhagat (2):
dt-bindings: net: wireless: add ath12k wifi device IPQ5424
wifi: ath12k: add ath12k_hw_version_map entry for IPQ5424
Saravanakumar Duraisamy (3):
wifi: ath12k: Add ath12k_hw_params for IPQ5424
wifi: ath12k: add ath12k_hw_regs for IPQ5424
wifi: ath12k: Add CE remap hardware parameters for IPQ5424
Sowmiya Sree Elavalagan (1):
wifi: ath12k: Enable IPQ5424 WiFi device support
.../bindings/net/wireless/qcom,ipq5332-wifi.yaml | 1 +
drivers/net/wireless/ath/ath12k/ahb.c | 36 ++++----
drivers/net/wireless/ath/ath12k/ahb.h | 1 +
drivers/net/wireless/ath/ath12k/ce.h | 13 ++-
drivers/net/wireless/ath/ath12k/core.h | 1 +
drivers/net/wireless/ath/ath12k/wifi7/ahb.c | 8 ++
drivers/net/wireless/ath/ath12k/wifi7/hal.c | 7 ++
drivers/net/wireless/ath/ath12k/wifi7/hal.h | 3 +
.../net/wireless/ath/ath12k/wifi7/hal_qcn9274.c | 88 ++++++++++++++++++++
.../net/wireless/ath/ath12k/wifi7/hal_qcn9274.h | 1 +
drivers/net/wireless/ath/ath12k/wifi7/hw.c | 97 +++++++++++++++++++++-
11 files changed, 235 insertions(+), 21 deletions(-)
---
base-commit: 15551ababf6d4e857f2101366a0c3eaa86dd822c
change-id: 20260331-ath12k-ipq5424-cddb63a46a97
^ permalink raw reply
* Re: [PATCH v3 00/15] firmware: qcom: Add OP-TEE PAS service support
From: Sumit Garg @ 2026-04-07 4:54 UTC (permalink / raw)
To: Bjorn Andersson
Cc: linux-arm-msm, devicetree, dri-devel, freedreno, linux-media,
netdev, linux-wireless, ath12k, linux-remoteproc, konradybcio,
robh, krzk+dt, conor+dt, robin.clark, sean, akhilpo, lumag,
abhinav.kumar, jesszhan0024, marijn.suijten, airlied, simona,
vikash.garodia, dikshita.agarwal, bod, mchehab, elder,
andrew+netdev, davem, edumazet, kuba, pabeni, jjohnson,
mathieu.poirier, trilokkumar.soni, mukesh.ojha, pavan.kondeti,
jorge.ramirez, tonyh, vignesh.viswanathan, srinivas.kandagatla,
amirreza.zarrabi, jens.wiklander, op-tee, apurupa, skare,
harshal.dev, linux-kernel, Sumit Garg
In-Reply-To: <adPLx3nCBb8IHz2b@baldur>
Hi Bjorn,
On Mon, Apr 06, 2026 at 10:09:27AM -0500, Bjorn Andersson wrote:
> On Fri, Mar 27, 2026 at 06:40:28PM +0530, Sumit Garg wrote:
> > From: Sumit Garg <sumit.garg@oss.qualcomm.com>
> >
> > Qcom platforms has the legacy of using non-standard SCM calls
> > splintered over the various kernel drivers. These SCM calls aren't
> > compliant with the standard SMC calling conventions which is a
> > prerequisite to enable migration to the FF-A specifications from Arm.
> >
>
> Please get our colleagues involved in this discussion, because this
> non-SCM interface does not match the direction we are taking.
I thought I have already involved folks from QTEE perspective (Apurupa
and Sree) actively working on FF-A implementation aligned to this
interface. It would have been better if you could let me know where is
the direction mismatch here. In case there is a better alternative
design proposal for PAS service with FF-A, I would be happy to hear
that.
Anyhow for the legacy SoCs like KLMT, we really don't have any
alternative but have to stick to existing QTEE PAS design with OP-TEE
providing as an alternative backend. Surely we want to support loading
of existing signed firmware present in linux-firmware repo for KLMT with
OP-TEE being the TZ.
-Sumit
^ permalink raw reply
* Re: [PATCH ath-next v4 0/6] wifi: ath12k: Enable IPQ5424 AHB WiFi device
From: Raj Kumar Bhagat @ 2026-04-07 4:09 UTC (permalink / raw)
To: Baochen Qiang, Krzysztof Kozlowski, Johannes Berg, Rob Herring,
Krzysztof Kozlowski, Conor Dooley, Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Saravanakumar Duraisamy, Sowmiya Sree Elavalagan
In-Reply-To: <09fb6efd-646b-4d0d-a0f3-9f6ce4b38442@oss.qualcomm.com>
On 07-04-2026 07:53, Baochen Qiang wrote:
>
>
> On 4/4/2026 1:23 PM, Krzysztof Kozlowski wrote:
>> On 03/04/2026 11:13, Baochen Qiang wrote:
>>>>
>>>> .../bindings/net/wireless/qcom,ipq5332-wifi.yaml | 1 +
>>>> drivers/net/wireless/ath/ath12k/ahb.c | 36 +++++----
>>>> drivers/net/wireless/ath/ath12k/ahb.h | 1 +
>>>> drivers/net/wireless/ath/ath12k/ce.h | 13 ++-
>>>> drivers/net/wireless/ath/ath12k/core.h | 1 +
>>>> drivers/net/wireless/ath/ath12k/wifi7/ahb.c | 8 ++
>>>> drivers/net/wireless/ath/ath12k/wifi7/hal.c | 7 ++
>>>> drivers/net/wireless/ath/ath12k/wifi7/hal.h | 3 +
>>>> .../net/wireless/ath/ath12k/wifi7/hal_qcn9274.c | 88 ++++++++++++++++++++
>>>> .../net/wireless/ath/ath12k/wifi7/hal_qcn9274.h | 1 +
>>>> drivers/net/wireless/ath/ath12k/wifi7/hw.c | 93 +++++++++++++++++++++-
>>>> 11 files changed, 231 insertions(+), 21 deletions(-)
>>>> ---
>>>> base-commit: 15551ababf6d4e857f2101366a0c3eaa86dd822c
>>>> change-id: 20260331-ath12k-ipq5424-cddb63a46a97
>>>>
>>>
>>> only nit in patch 2/6, so for patches 2-6/6:
>>>
>>> Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
>>
>> It does not work like this. Replying to cover letter causes that all
>> patches will get it. Provide detailed review and response to each email
>> in such case.
>
> Got it, thank you!
will address the nit in patch 2/6.
As intended in next version, will have your Reviewed-by tag for patches
2-6/6.
^ permalink raw reply
* Re: [PATCH ath-next v4 2/6] wifi: ath12k: Add ath12k_hw_params for IPQ5424
From: Raj Kumar Bhagat @ 2026-04-07 4:06 UTC (permalink / raw)
To: Baochen Qiang, Johannes Berg, Rob Herring, Krzysztof Kozlowski,
Conor Dooley, Jeff Johnson
Cc: linux-wireless, devicetree, linux-kernel, ath12k,
Saravanakumar Duraisamy
In-Reply-To: <5fff7189-fee7-4d73-a9a1-728389900678@oss.qualcomm.com>
On 03-04-2026 14:31, Baochen Qiang wrote:
>> + {
>> + .name = "ipq5424 hw1.0",
>> + .hw_rev = ATH12K_HW_IPQ5424_HW10,
>> + .fw = {
>> + .dir = "IPQ5424/hw1.0",
>> + .board_size = 256 * 1024,
>> + .cal_offset = 128 * 1024,
>> + .m3_loader = ath12k_m3_fw_loader_remoteproc,
>> + .download_aux_ucode = false,
>> + },
>> + .max_radios = 1,
>> + .single_pdev_only = false,
>> + .qmi_service_ins_id = ATH12K_QMI_WLFW_SERVICE_INS_ID_V01_IPQ5332,
>> + .internal_sleep_clock = false,
>> +
>> + .hw_ops = &qcn9274_ops,
>> + .ring_mask = &ath12k_wifi7_hw_ring_mask_ipq5332,
>> +
>> + .host_ce_config = ath12k_wifi7_host_ce_config_ipq5332,
>> + .ce_count = 12,
>> + .target_ce_config = ath12k_wifi7_target_ce_config_wlan_ipq5332,
>> + .target_ce_count = 12,
>> + .svc_to_ce_map =
>> + ath12k_wifi7_target_service_to_ce_map_wlan_ipq5332,
>> + .svc_to_ce_map_len = 18,
>> +
>> + .rxdma1_enable = true,
>> + .num_rxdma_per_pdev = 1,
>> + .num_rxdma_dst_ring = 0,
>> + .rx_mac_buf_ring = false,
>> + .vdev_start_delay = false,
>> +
>> + .interface_modes = BIT(NL80211_IFTYPE_STATION) |
>> + BIT(NL80211_IFTYPE_AP) |
>> + BIT(NL80211_IFTYPE_MESH_POINT),
>> + .supports_monitor = true,
>> +
>> + .idle_ps = false,
>> + .download_calib = true,
>> + .supports_suspend = false,
>> + .tcl_ring_retry = true,
>> + .reoq_lut_support = false,
>> + .supports_shadow_regs = false,
>> +
>> + .num_tcl_banks = 48,
>> + .max_tx_ring = 4,
>> +
>> + .wmi_init = &ath12k_wifi7_wmi_init_qcn9274,
>> +
>> + .qmi_cnss_feature_bitmap = BIT(CNSS_QDSS_CFG_MISS_V01),
>> +
>> + .rfkill_pin = 0,
>> + .rfkill_cfg = 0,
>> + .rfkill_on_level = 0,
>> +
>> + .rddm_size = 0,
>> +
>> + .def_num_link = 0,
>> + .max_mlo_peer = 256,
>> +
>> + .otp_board_id_register = 0,
>> +
>> + .supports_sta_ps = false,
>> +
>> + .acpi_guid = NULL,
>> + .supports_dynamic_smps_6ghz = false,
>> + .iova_mask = 0,
>> + .supports_aspm = false,
>> +
>> + .ce_ie_addr = NULL,
>> + .ce_remap = NULL,
>> + .bdf_addr_offset = 0x940000,
>> +
>> + .dp_primary_link_only = true,
>> + },
>> };
> mhi_config and current_cc_support are missing, please explicitly set them.
Sure will update in next version.
^ permalink raw reply
* [PATCH wireless] wifi: mt76: mt7915: fix WED WCID for MT7986/MT7981 wmac
From: Joshua Klinesmith @ 2026-04-07 4:02 UTC (permalink / raw)
To: linux-wireless
Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
Joshua Klinesmith
The WED forward path sets the WCID to 0x3ff for all non-MT7915 chips,
relying on firmware DA lookup. This works for MT7916 PCIe cards where
the WED firmware can resolve the station by destination address, but
fails on MT7986/MT7981 wmac where WED requires the real station WCID.
As a result, WED hardware offload is completely non-functional on
MT7986-based devices (GL-MT6000, BPI-R3, etc.) and MT7981-based
devices (AX3000T, etc.) even when WED is enabled. The CPU handles
all TX traffic without any hardware acceleration.
Add is_mt798x() to the WCID check so MT7986/MT7981 wmac passes the
real station WCID, matching the behavior of the mt7996 driver which
unconditionally uses the real WCID.
Fixes: f68d67623dec ("mt76: mt7915: add Wireless Ethernet Dispatch support")
Link: https://github.com/openwrt/mt76/issues/815
Assisted-by: Claude:claude-opus-4-6 ghidra
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt7915/main.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index a47b9cca3b46..116dff49c104 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -1729,7 +1729,8 @@ mt7915_net_fill_forward_path(struct ieee80211_hw *hw,
path->dev = ctx->dev;
path->mtk_wdma.wdma_idx = wed->wdma_idx;
path->mtk_wdma.bss = mvif->mt76.idx;
- path->mtk_wdma.wcid = is_mt7915(&dev->mt76) ? msta->wcid.idx : 0x3ff;
+ path->mtk_wdma.wcid = (is_mt7915(&dev->mt76) || is_mt798x(&dev->mt76)) ?
+ msta->wcid.idx : 0x3ff;
path->mtk_wdma.queue = phy != &dev->phy;
ctx->dev = NULL;
--
2.43.0
^ permalink raw reply related
* Re: [PATCH ath-next] wifi: ath12k: Skip adding inactive partner vdev info
From: Rameshkumar Sundaram @ 2026-04-07 3:52 UTC (permalink / raw)
To: Roopni Devanathan, ath12k; +Cc: linux-wireless, Avula Sri Charan
In-Reply-To: <20260330040732.1847263-1-roopni.devanathan@oss.qualcomm.com>
On 3/30/2026 9:37 AM, Roopni Devanathan wrote:
> From: Avula Sri Charan <quic_asrichar@quicinc.com>
>
> Currently, a vdev that is created is considered active for partner link
> population. In case of an MLD station, non-associated link vdevs can be
> created but not started. Yet, they are added as partner links. This leads
> to the creation of stale FW partner entries which accumulate and cause
> assertions.
>
> To resolve this issue, check if the vdev is started and operating on a
> chosen frequency, i.e., arvif->is_started, instead of checking if the vdev
> is created, i.e., arvif->is_created. This determines if the vdev is active
> or not and skips adding it as a partner link if it's inactive.
>
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01181-QCAHKSWPL_SILICONZ-1
>
> Signed-off-by: Avula Sri Charan <quic_asrichar@quicinc.com>
> Signed-off-by: Roopni Devanathan <roopni.devanathan@oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath12k/mac.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
> index 553ec28b6aaa..c1a1b220f4dd 100644
> --- a/drivers/net/wireless/ath/ath12k/mac.c
> +++ b/drivers/net/wireless/ath/ath12k/mac.c
> @@ -11131,7 +11131,7 @@ ath12k_mac_mlo_get_vdev_args(struct ath12k_link_vif *arvif,
> if (arvif == arvif_p)
> continue;
>
> - if (!arvif_p->is_created)
> + if (!arvif_p->is_started)
> continue;
>
> link_conf = wiphy_dereference(ahvif->ah->hw->wiphy,
>
> base-commit: 15551ababf6d4e857f2101366a0c3eaa86dd822c
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH v4 2/3] ath10k: Add device-tree quirk to skip host cap QMI requests
From: Baochen Qiang @ 2026-04-07 3:36 UTC (permalink / raw)
To: david, Johannes Berg, Rob Herring, Krzysztof Kozlowski,
Conor Dooley, Jeff Johnson, Bjorn Andersson, Konrad Dybcio,
Paul Sajna
Cc: Amit Pundir, linux-wireless, devicetree, ath10k, linux-kernel,
linux-arm-msm, phone-devel
In-Reply-To: <20260325-skip-host-cam-qmi-req-v4-2-bc08538487aa@ixit.cz>
On 3/26/2026 1:57 AM, David Heidelberg via B4 Relay wrote:
> From: Amit Pundir <amit.pundir@linaro.org>
>
> Some firmware versions do not support the host capability QMI request.
> Since this request occurs before firmware-N.bin and board-M.bin are
> loaded, the quirk cannot be expressed in the firmware itself.
>
> The root cause is unclear, but there appears to be a generation of
> firmware that lacks host capability support.
>
> Without this quirk, ath10k_qmi_host_cap_send_sync() returns
> QMI_ERR_MALFORMED_MSG_V01 before loading the firmware. This error is not
> fatal - Wi-Fi services still come up successfully if the request is simply
> skipped.
>
> Add a device-tree quirk to skip the host capability QMI request on devices
> whose firmware does not support it.
>
> For example, firmware build
> "QC_IMAGE_VERSION_STRING=WLAN.HL.2.0.c3-00257-QCAHLSWMTPLZ-1"
> on Xiaomi Poco F1 phone requires this quirk.
>
> Suggested-by: Bjorn Andersson <andersson@kernel.org>
> Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
> Signed-off-by: David Heidelberg <david@ixit.cz>
> ---
> drivers/net/wireless/ath/ath10k/qmi.c | 13 ++++++++++---
> drivers/net/wireless/ath/ath10k/snoc.c | 3 +++
> drivers/net/wireless/ath/ath10k/snoc.h | 1 +
> 3 files changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath10k/qmi.c b/drivers/net/wireless/ath/ath10k/qmi.c
> index eebd78e7ff6bc..e7f90fd9e9b83 100644
> --- a/drivers/net/wireless/ath/ath10k/qmi.c
> +++ b/drivers/net/wireless/ath/ath10k/qmi.c
> @@ -808,6 +808,7 @@ ath10k_qmi_ind_register_send_sync_msg(struct ath10k_qmi *qmi)
> static void ath10k_qmi_event_server_arrive(struct ath10k_qmi *qmi)
> {
> struct ath10k *ar = qmi->ar;
> + struct ath10k_snoc *ar_snoc = ath10k_snoc_priv(ar);
> int ret;
>
> ret = ath10k_qmi_ind_register_send_sync_msg(qmi);
> @@ -819,9 +820,15 @@ static void ath10k_qmi_event_server_arrive(struct ath10k_qmi *qmi)
> return;
> }
>
> - ret = ath10k_qmi_host_cap_send_sync(qmi);
> - if (ret)
> - return;
> + /*
> + * Skip the host capability request for the firmware versions which
> + * do not support this feature.
> + */
> + if (!test_bit(ATH10K_SNOC_FLAG_SKIP_HOST_CAP_QUIRK, &ar_snoc->flags)) {
> + ret = ath10k_qmi_host_cap_send_sync(qmi);
> + if (ret)
> + return;
> + }
>
> ret = ath10k_qmi_msa_mem_info_send_sync_msg(qmi);
> if (ret)
> diff --git a/drivers/net/wireless/ath/ath10k/snoc.c b/drivers/net/wireless/ath/ath10k/snoc.c
> index f72f236fb9eb3..3106502275781 100644
> --- a/drivers/net/wireless/ath/ath10k/snoc.c
> +++ b/drivers/net/wireless/ath/ath10k/snoc.c
> @@ -1362,6 +1362,9 @@ static void ath10k_snoc_quirks_init(struct ath10k *ar)
>
> if (of_property_read_bool(dev->of_node, "qcom,snoc-host-cap-8bit-quirk"))
> set_bit(ATH10K_SNOC_FLAG_8BIT_HOST_CAP_QUIRK, &ar_snoc->flags);
> +
> + if (of_property_read_bool(dev->of_node, "qcom,snoc-host-cap-skip-quirk"))
> + set_bit(ATH10K_SNOC_FLAG_SKIP_HOST_CAP_QUIRK, &ar_snoc->flags);
> }
>
> int ath10k_snoc_fw_indication(struct ath10k *ar, u64 type)
> diff --git a/drivers/net/wireless/ath/ath10k/snoc.h b/drivers/net/wireless/ath/ath10k/snoc.h
> index 1ecae34687c21..46574fd8f84ee 100644
> --- a/drivers/net/wireless/ath/ath10k/snoc.h
> +++ b/drivers/net/wireless/ath/ath10k/snoc.h
> @@ -51,6 +51,7 @@ enum ath10k_snoc_flags {
> ATH10K_SNOC_FLAG_MODEM_STOPPED,
> ATH10K_SNOC_FLAG_RECOVERY,
> ATH10K_SNOC_FLAG_8BIT_HOST_CAP_QUIRK,
> + ATH10K_SNOC_FLAG_SKIP_HOST_CAP_QUIRK,
> };
>
> struct clk_bulk_data;
>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH ath-next] wifi: ath12k: Rename hw_link_id to radio_idx in ath12k_ah_to_ar()
From: Baochen Qiang @ 2026-04-07 3:33 UTC (permalink / raw)
To: Roopni Devanathan, ath12k; +Cc: linux-wireless
In-Reply-To: <20260331045834.1181924-1-roopni.devanathan@oss.qualcomm.com>
On 3/31/2026 12:58 PM, Roopni Devanathan wrote:
> ath12k_ah_to_ar() is returning radio from the given hardware based on the
> radio index passed. But, the variable that radio index is received at is
> wrongly named 'hw_link_id', which points to the hardware link index that
> comes from the firmware. This affects readability.
>
> Resolve this by renaming 'hw_link_id' to 'radio_idx'.
>
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
>
> Signed-off-by: Roopni Devanathan <roopni.devanathan@oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath12k/core.h | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h
> index 59c193b24764..5eff86827e9c 100644
> --- a/drivers/net/wireless/ath/ath12k/core.h
> +++ b/drivers/net/wireless/ath/ath12k/core.h
> @@ -1366,13 +1366,13 @@ static inline struct ath12k_hw *ath12k_hw_to_ah(struct ieee80211_hw *hw)
> return hw->priv;
> }
>
> -static inline struct ath12k *ath12k_ah_to_ar(struct ath12k_hw *ah, u8 hw_link_id)
> +static inline struct ath12k *ath12k_ah_to_ar(struct ath12k_hw *ah, u8 radio_idx)
> {
> - if (WARN(hw_link_id >= ah->num_radio,
> - "bad hw link id %d, so switch to default link\n", hw_link_id))
> - hw_link_id = 0;
> + if (WARN(radio_idx >= ah->num_radio,
> + "bad radio index %d, use default radio\n", radio_idx))
> + radio_idx = 0;
>
> - return &ah->radio[hw_link_id];
> + return &ah->radio[radio_idx];
> }
>
> static inline struct ath12k_hw *ath12k_ar_to_ah(struct ath12k *ar)
>
> base-commit: 15551ababf6d4e857f2101366a0c3eaa86dd822c
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH ath-next] wifi: ath12k: Create symlink for each radio in a wiphy
From: Baochen Qiang @ 2026-04-07 3:29 UTC (permalink / raw)
To: Roopni Devanathan, ath12k; +Cc: linux-wireless, Harshitha Prem
In-Reply-To: <20260402051402.3903795-1-roopni.devanathan@oss.qualcomm.com>
On 4/2/2026 1:14 PM, Roopni Devanathan wrote:
> In single-wiphy design, when more than one radio is registered as a
> single-wiphy in the mac80211 layer, the following warnings are seen:
>
> 1. debugfs: File 'ath12k' in directory 'phy0' already present!
> 2. debugfs: File 'simulate_fw_crash' in directory 'pci-0000:57:00.0' already present!
> debugfs: File 'device_dp_stats' in directory 'pci-01777777777777777777777:57:00.0' already present!
>
> When more than one radio is registered as a single-wiphy, symlinks for
> all the radios are created in the same debugfs directory:
> /sys/kernel/debug/ieee80211/phyX/ath12k, resulting in warning 1. When a
> symlink is created for the first radio, since the 'ath12k' directory is
> not present, it will be created and no warning will be thrown. But when
> symlink is created for more than one radio, since the 'ath12k'
> directory was already created for symlink for radio 1, a warning is
> thrown complaining that 'ath12k' directory is already present. To resolve
> warning 1, create symlink for each radio in separate debugfs directories.
> For the first radio, the symlink will always be the 'ath12k' directory.
> This ensures that the existing directory structure is retained for
> single-wiphy and multi-wiphy architectures. In single-wiphy architecture
> with multiple radios, create symlink in separate debugfs directories
> introduced by mac80211.
>
> Existing debugfs directory in single-wiphy architecture:
> /sys/kernel/debug/ieee80211/phyX/ath12k is a symlink to
> /sys/kernel/debug/ath12k/pci-0001:01:00.0/macY
>
> Proposed debugfs directory in single-wiphy architecture with one radio:
> /sys/kernel/debug/ieee80211/phyX/ath12k is a symlink to
> /sys/kernel/debug/ath12k/pci-0001:01:00.0/mac0
>
> Proposed debugfs directory in single-wiphy architecture with more than
> one radio:
> /sys/kernel/debug/ieee80211/phyX/radio0/ath12k is a symlink to
> /sys/kernel/debug/ath12k/pci-0001:01:00.0/mac0 and
> /sys/kernel/debug/ieee80211/phyX/radioY/ath12k is a symlink to
> /sys/kernel/debug/ath12k/pci-0001:01:00.0/macY
>
> Where X is phy index and Y is radio index, seen in
> 'iw phyX info | grep Idx'. Two symlinks for the first radio are to ensure
> compatibility with the existing design. Add radio_idx inside ar, to track
> the radio index in probing order.
>
> API ath12k_debugfs_pdev_create() that creates SoC entries is called more
> than once when hardware group starts up, resulting in warning 2. To
> resolve this warning, remove all other calls to this API and add one
> inside the ath12k_core_pdev_create(). This API carries all pdev-specific
> initializations and can conveniently hold a call to
> ath12k_debugfs_pdev_create().
>
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ-1
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
>
> Co-developed-by: Harshitha Prem <harshitha.prem@oss.qualcomm.com>
> Signed-off-by: Harshitha Prem <harshitha.prem@oss.qualcomm.com>
> Signed-off-by: Roopni Devanathan <roopni.devanathan@oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath12k/core.c | 4 ++--
> drivers/net/wireless/ath/ath12k/core.h | 2 ++
> drivers/net/wireless/ath/ath12k/debugfs.c | 29 +++++++++++++++++++----
> drivers/net/wireless/ath/ath12k/mac.c | 2 +-
> 4 files changed, 29 insertions(+), 8 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/core.c b/drivers/net/wireless/ath/ath12k/core.c
> index c31c47fb5a73..2519e2400d58 100644
> --- a/drivers/net/wireless/ath/ath12k/core.c
> +++ b/drivers/net/wireless/ath/ath12k/core.c
> @@ -835,8 +835,6 @@ static int ath12k_core_soc_create(struct ath12k_base *ab)
> goto err_qmi_deinit;
> }
>
> - ath12k_debugfs_pdev_create(ab);
> -
> return 0;
>
> err_qmi_deinit:
> @@ -869,6 +867,8 @@ static int ath12k_core_pdev_create(struct ath12k_base *ab)
> goto err_dp_pdev_free;
> }
>
> + ath12k_debugfs_pdev_create(ab);
> +
> return 0;
>
> err_dp_pdev_free:
> diff --git a/drivers/net/wireless/ath/ath12k/core.h b/drivers/net/wireless/ath/ath12k/core.h
> index 59c193b24764..046249c8763e 100644
> --- a/drivers/net/wireless/ath/ath12k/core.h
> +++ b/drivers/net/wireless/ath/ath12k/core.h
> @@ -588,6 +588,7 @@ struct ath12k_dbg_htt_stats {
> struct ath12k_debug {
> struct dentry *debugfs_pdev;
> struct dentry *debugfs_pdev_symlink;
> + struct dentry *debugfs_pdev_symlink_default;
> struct ath12k_dbg_htt_stats htt_stats;
> enum wmi_halphy_ctrl_path_stats_id tpc_stats_type;
> bool tpc_request;
> @@ -673,6 +674,7 @@ struct ath12k {
> u8 pdev_idx;
> u8 lmac_id;
> u8 hw_link_id;
> + u8 radio_idx;
>
> struct completion peer_assoc_done;
> struct completion peer_delete_done;
> diff --git a/drivers/net/wireless/ath/ath12k/debugfs.c b/drivers/net/wireless/ath/ath12k/debugfs.c
> index 358031fa14eb..8c81a1c22449 100644
> --- a/drivers/net/wireless/ath/ath12k/debugfs.c
> +++ b/drivers/net/wireless/ath/ath12k/debugfs.c
> @@ -1473,18 +1473,35 @@ void ath12k_debugfs_register(struct ath12k *ar)
> {
> struct ath12k_base *ab = ar->ab;
> struct ieee80211_hw *hw = ar->ah->hw;
> - char pdev_name[5];
> + struct ath12k_hw *ah = ath12k_hw_to_ah(hw);
> + struct dentry *ath12k_fs;
> char buf[100] = {};
> + char pdev_name[5];
>
> scnprintf(pdev_name, sizeof(pdev_name), "%s%d", "mac", ar->pdev_idx);
>
> ar->debug.debugfs_pdev = debugfs_create_dir(pdev_name, ab->debugfs_soc);
>
> /* Create a symlink under ieee80211/phy* */
> - scnprintf(buf, sizeof(buf), "../../ath12k/%pd2", ar->debug.debugfs_pdev);
> - ar->debug.debugfs_pdev_symlink = debugfs_create_symlink("ath12k",
> - hw->wiphy->debugfsdir,
> - buf);
> + if (ar->radio_idx == 0) {
> + scnprintf(buf, sizeof(buf), "../../ath12k/%pd2",
> + ar->debug.debugfs_pdev);
> + ath12k_fs = hw->wiphy->debugfsdir;
> +
> + /* symbolic link for compatibility */
> + ar->debug.debugfs_pdev_symlink_default = debugfs_create_symlink("ath12k",
> + ath12k_fs,
> + buf);
> + }
> +
> + if (ah->num_radio > 1) {
> + scnprintf(buf, sizeof(buf), "../../../ath12k/%pd2",
> + ar->debug.debugfs_pdev);
> + ath12k_fs = hw->wiphy->radio_cfg[ar->radio_idx].radio_debugfsdir;
> + ar->debug.debugfs_pdev_symlink = debugfs_create_symlink("ath12k",
> + ath12k_fs,
> + buf);
> + }
>
> if (ar->mac.sbands[NL80211_BAND_5GHZ].channels) {
> debugfs_create_file("dfs_simulate_radar", 0200,
> @@ -1513,7 +1530,9 @@ void ath12k_debugfs_unregister(struct ath12k *ar)
>
> /* Remove symlink under ieee80211/phy* */
> debugfs_remove(ar->debug.debugfs_pdev_symlink);
> + debugfs_remove(ar->debug.debugfs_pdev_symlink_default);
> debugfs_remove_recursive(ar->debug.debugfs_pdev);
> ar->debug.debugfs_pdev_symlink = NULL;
> + ar->debug.debugfs_pdev_symlink_default = NULL;
> ar->debug.debugfs_pdev = NULL;
> }
> diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
> index 553ec28b6aaa..c2b747f1b9f5 100644
> --- a/drivers/net/wireless/ath/ath12k/mac.c
> +++ b/drivers/net/wireless/ath/ath12k/mac.c
> @@ -15065,6 +15065,7 @@ static struct ath12k_hw *ath12k_mac_hw_allocate(struct ath12k_hw_group *ag,
> ar->hw_link_id = pdev->hw_link_id;
> ar->pdev = pdev;
> ar->pdev_idx = pdev_idx;
> + ar->radio_idx = i;
> pdev->ar = ar;
>
> ag->hw_links[ar->hw_link_id].device_id = ab->device_id;
> @@ -15132,7 +15133,6 @@ int ath12k_mac_allocate(struct ath12k_hw_group *ag)
> if (!ab)
> continue;
>
> - ath12k_debugfs_pdev_create(ab);
> ath12k_mac_set_device_defaults(ab);
> total_radio += ab->num_radios;
> }
>
> base-commit: 15551ababf6d4e857f2101366a0c3eaa86dd822c
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* [PATCH wireless-next] wifi: mt76: use wait_event_interruptible in worker thread for PREEMPT_RT
From: Joshua Klinesmith @ 2026-04-07 3:27 UTC (permalink / raw)
To: linux-wireless; +Cc: nbd, lorenzo, Joshua Klinesmith
The mt76 worker thread uses a manual set_current_state(TASK_INTERRUPTIBLE)
/ schedule() loop. On PREEMPT_RT kernels, this pattern triggers:
BUG: scheduling while atomic: mt76-usb-rx phy/2852/0x00000002
The manual task state manipulation interacts poorly with RT's preemption
model, where different locking and state transition semantics apply.
Replace the open-coded sleep loop with wait_event_interruptible() on a
new wait_queue_head embedded in struct mt76_worker. The schedule point
becomes an RT-safe wait_event that properly handles the task state
transitions. Update mt76_worker_schedule() to use wake_up() to signal
the wait queue.
This follows the standard kernel pattern for kthread wait loops and
eliminates the need for manual set_current_state() calls entirely.
Link: https://github.com/openwrt/mt76/issues/1053
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
drivers/net/wireless/mediatek/mt76/util.c | 8 ++++----
drivers/net/wireless/mediatek/mt76/util.h | 5 ++++-
2 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/util.c b/drivers/net/wireless/mediatek/mt76/util.c
index 83d3dc42e534..452c303d8a68 100644
--- a/drivers/net/wireless/mediatek/mt76/util.c
+++ b/drivers/net/wireless/mediatek/mt76/util.c
@@ -111,20 +111,20 @@ int __mt76_worker_fn(void *ptr)
struct mt76_worker *w = ptr;
while (!kthread_should_stop()) {
- set_current_state(TASK_INTERRUPTIBLE);
-
if (kthread_should_park()) {
kthread_parkme();
continue;
}
if (!test_and_clear_bit(MT76_WORKER_SCHEDULED, &w->state)) {
- schedule();
+ wait_event_interruptible(w->wq,
+ test_bit(MT76_WORKER_SCHEDULED, &w->state) ||
+ kthread_should_stop() ||
+ kthread_should_park());
continue;
}
set_bit(MT76_WORKER_RUNNING, &w->state);
- set_current_state(TASK_RUNNING);
w->fn(w);
cond_resched();
clear_bit(MT76_WORKER_RUNNING, &w->state);
diff --git a/drivers/net/wireless/mediatek/mt76/util.h b/drivers/net/wireless/mediatek/mt76/util.h
index 617966e8de76..a1ac52753a3f 100644
--- a/drivers/net/wireless/mediatek/mt76/util.h
+++ b/drivers/net/wireless/mediatek/mt76/util.h
@@ -9,12 +9,14 @@
#include <linux/skbuff.h>
#include <linux/bitops.h>
#include <linux/bitfield.h>
+#include <linux/wait.h>
#include <net/mac80211.h>
struct mt76_worker
{
struct task_struct *task;
void (*fn)(struct mt76_worker *);
+ wait_queue_head_t wq;
unsigned long state;
};
@@ -63,6 +65,7 @@ mt76_worker_setup(struct ieee80211_hw *hw, struct mt76_worker *w,
if (fn)
w->fn = fn;
+ init_waitqueue_head(&w->wq);
w->task = kthread_run(__mt76_worker_fn, w,
"mt76-%s %s", name, dev_name);
@@ -82,7 +85,7 @@ static inline void mt76_worker_schedule(struct mt76_worker *w)
if (!test_and_set_bit(MT76_WORKER_SCHEDULED, &w->state) &&
!test_bit(MT76_WORKER_RUNNING, &w->state))
- wake_up_process(w->task);
+ wake_up(&w->wq);
}
static inline void mt76_worker_disable(struct mt76_worker *w)
--
2.43.0
^ permalink raw reply related
* Re: [PATCH ath-next] wifi: ath12k: Skip adding inactive partner vdev info
From: Baochen Qiang @ 2026-04-07 3:25 UTC (permalink / raw)
To: Roopni Devanathan, ath12k; +Cc: linux-wireless, Avula Sri Charan
In-Reply-To: <20260330040732.1847263-1-roopni.devanathan@oss.qualcomm.com>
On 3/30/2026 12:07 PM, Roopni Devanathan wrote:
> From: Avula Sri Charan <quic_asrichar@quicinc.com>
>
> Currently, a vdev that is created is considered active for partner link
> population. In case of an MLD station, non-associated link vdevs can be
> created but not started. Yet, they are added as partner links. This leads
> to the creation of stale FW partner entries which accumulate and cause
> assertions.
>
> To resolve this issue, check if the vdev is started and operating on a
> chosen frequency, i.e., arvif->is_started, instead of checking if the vdev
> is created, i.e., arvif->is_created. This determines if the vdev is active
> or not and skips adding it as a partner link if it's inactive.
>
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01181-QCAHKSWPL_SILICONZ-1
>
> Signed-off-by: Avula Sri Charan <quic_asrichar@quicinc.com>
> Signed-off-by: Roopni Devanathan <roopni.devanathan@oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath12k/mac.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
> index 553ec28b6aaa..c1a1b220f4dd 100644
> --- a/drivers/net/wireless/ath/ath12k/mac.c
> +++ b/drivers/net/wireless/ath/ath12k/mac.c
> @@ -11131,7 +11131,7 @@ ath12k_mac_mlo_get_vdev_args(struct ath12k_link_vif *arvif,
> if (arvif == arvif_p)
> continue;
>
> - if (!arvif_p->is_created)
> + if (!arvif_p->is_started)
> continue;
>
> link_conf = wiphy_dereference(ahvif->ah->hw->wiphy,
>
> base-commit: 15551ababf6d4e857f2101366a0c3eaa86dd822c
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH ath-next] wifi: ath12k: Support channel change stats
From: Baochen Qiang @ 2026-04-07 3:23 UTC (permalink / raw)
To: Roopni Devanathan, ath12k; +Cc: linux-wireless, Harish Rachakonda
In-Reply-To: <20260326050641.3066562-1-roopni.devanathan@oss.qualcomm.com>
On 3/26/2026 1:06 PM, Roopni Devanathan wrote:
> From: Harish Rachakonda <quic_rachakon@quicinc.com>
>
> Add support to request channel change stats from the firmware through
> HTT stats type 76. These stats give channel switch details like the
> channel that the radio changed to, its center frequency, time taken
> for the switch, chainmask details, etc.
>
> Sample output:
> echo 76 > /sys/kernel/debug/ath12k/pci-0000\:06\:00.0/mac0/htt_stats_type
> cat /sys/kernel/debug/ath12k/pci-0000\:06\:00.0/mac0/htt_stats
> Channel Change Timings:
> |PRIMARY CHANNEL FREQ|BANDWIDTH CENTER FREQ|PHYMODE|TX_CHAINMASK|RX_CHAINMASK|SWITCH TIME(us)|INI(us)|TPC+CTL(us)|CAL(us)|MISC(us)|CTL(us)|SW PROFILE|
> | 5200| 5200| 24| 15| 15| 448850| 2410| 10546| 434593| 1071| 1100| 4|
> | 5240| 5240| 24| 15| 15| 450730| 4106| 10524| 434528| 1306| 1150| 4|
> | 5180| 5210| 26| 15| 15| 467894| 4764| 10438| 451101| 1337| 1508| 4|
> | 5200| 5200| 0| 15| 15| 13838| 2692| 1736| 8558| 686| 802| 6|
> | 5180| 5180| 0| 15| 15| 13465| 3207| 855| 8579| 578| 760| 6|
> | 5200| 5200| 24| 15| 15| 570321| 2441| 10439| 555661| 1574| 949| 4|
>
> Note: WCN7850 firmware does not support HTT stats type 76.
this note also applies to QCC2072.
>
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01181-QCAHKSWPL_SILICONZ-1
>
> Signed-off-by: Harish Rachakonda <quic_rachakon@quicinc.com>
> Signed-off-by: Roopni Devanathan <roopni.devanathan@oss.qualcomm.com>
> ---
> .../wireless/ath/ath12k/debugfs_htt_stats.c | 72 +++++++++++++++++++
> .../wireless/ath/ath12k/debugfs_htt_stats.h | 26 +++++++
> 2 files changed, 98 insertions(+)
>
> diff --git a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c
> index 7f6ca07fb335..b772181a496e 100644
> --- a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c
> +++ b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.c
> @@ -5722,6 +5722,75 @@ ath12k_htt_print_tx_hwq_stats_cmn_tlv(const void *tag_buf, u16 tag_len,
> stats_req->buf_len = len;
> }
>
> +static void
> +ath12k_htt_print_chan_switch_stats_tlv(const void *tag_buf, u16 tag_len,
> + struct debug_htt_stats_req *stats_req)
> +{
> + const struct ath12k_htt_chan_switch_stats_tlv *sbuf = tag_buf;
> + u32 buf_len = ATH12K_HTT_STATS_BUF_SIZE;
> + u32 switch_freq, switch_profile;
> + u32 len = stats_req->buf_len;
> + u8 *buf = stats_req->buf;
> + u8 i;
> +
> + if (tag_len < sizeof(*sbuf))
> + return;
> +
> + i = min(le32_to_cpu(sbuf->switch_count), ATH12K_HTT_CHAN_SWITCH_STATS_BUF_LEN);
> + if (!i)
> + return;
> +
> + len += scnprintf(buf + len, buf_len - len, "Channel Change Timings:\n");
> + len += scnprintf(buf + len, buf_len - len,
> + "|%-20s|%-21s|%-7s|%-12s|%-12s|%-15s|",
> + "PRIMARY CHANNEL FREQ", "BANDWIDTH CENTER FREQ", "PHYMODE",
> + "TX_CHAINMASK", "RX_CHAINMASK", "SWITCH TIME(us)");
> + len += scnprintf(buf + len, buf_len - len,
> + "%-7s|%-11s|%-7s|%-8s|%-7s|%-10s|\n",
> + "INI(us)", "TPC+CTL(us)", "CAL(us)", "MISC(us)", "CTL(us)",
> + "SW PROFILE");
> +
> + /*
> + * sbuf->switch_count has the number of successful channel changes. The firmware
> + * sends the record of channel change in such a way that sbuf->chan_stats[0] will
> + * point to the channel change that occurred first and the recent channel change
> + * records will be stored in sbuf->chan_stats[9]. As and when new channel change
> + * occurs, sbuf->chan_stats[0] will be replaced by records from the next index,
> + * sbuf->chan_stats[1]. While printing the records, reverse chronological order
> + * is followed, i.e., the most recent channel change records are printed first
> + * and the oldest one, last.
> + */
> + while (i--) {
> + switch_freq = le32_to_cpu(sbuf->chan_stats[i].chan_switch_freq);
> + switch_profile = le32_to_cpu(sbuf->chan_stats[i].chan_switch_profile);
> +
> + len += scnprintf(buf + len, buf_len - len,
> + "|%20u|%21u|%7u|%12u|%12u|%15u|",
> + u32_get_bits(switch_freq,
> + ATH12K_HTT_STATS_CHAN_SWITCH_BW_MHZ),
> + u32_get_bits(switch_freq,
> + ATH12K_HTT_STATS_CHAN_SWITCH_BAND_FREQ),
> + u32_get_bits(switch_profile,
> + ATH12K_HTT_STATS_CHAN_SWITCH_PHY_MODE),
> + u32_get_bits(switch_profile,
> + ATH12K_HTT_STATS_CHAN_SWITCH_TX_CHAINMASK),
> + u32_get_bits(switch_profile,
> + ATH12K_HTT_STATS_CHAN_SWITCH_RX_CHAINMASK),
> + le32_to_cpu(sbuf->chan_stats[i].chan_switch_time));
> + len += scnprintf(buf + len, buf_len - len,
> + "%7u|%11u|%7u|%8u|%7u|%10u|\n",
> + le32_to_cpu(sbuf->chan_stats[i].ini_module_time),
> + le32_to_cpu(sbuf->chan_stats[i].tpc_module_time),
> + le32_to_cpu(sbuf->chan_stats[i].cal_module_time),
> + le32_to_cpu(sbuf->chan_stats[i].misc_module_time),
> + le32_to_cpu(sbuf->chan_stats[i].ctl_module_time),
> + u32_get_bits(switch_profile,
> + ATH12K_HTT_STATS_CHAN_SWITCH_SW_PROFILE));
> + }
> +
> + stats_req->buf_len = len;
> +}
> +
> static int ath12k_dbg_htt_ext_stats_parse(struct ath12k_base *ab,
> u16 tag, u16 len, const void *tag_buf,
> void *user_data)
> @@ -6024,6 +6093,9 @@ static int ath12k_dbg_htt_ext_stats_parse(struct ath12k_base *ab,
> case HTT_STATS_TX_HWQ_CMN_TAG:
> ath12k_htt_print_tx_hwq_stats_cmn_tlv(tag_buf, len, stats_req);
> break;
> + case HTT_STATS_CHAN_SWITCH_STATS_TAG:
> + ath12k_htt_print_chan_switch_stats_tlv(tag_buf, len, stats_req);
> + break;
> default:
> break;
> }
> diff --git a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h
> index bfabe6500d44..82ab7b9e4db9 100644
> --- a/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h
> +++ b/drivers/net/wireless/ath/ath12k/debugfs_htt_stats.h
> @@ -164,6 +164,7 @@ enum ath12k_dbg_htt_ext_stats_type {
> ATH12K_DBG_HTT_PDEV_MLO_IPC_STATS = 64,
> ATH12K_DBG_HTT_EXT_PDEV_RTT_RESP_STATS = 65,
> ATH12K_DBG_HTT_EXT_PDEV_RTT_INITIATOR_STATS = 66,
> + ATH12K_DBG_HTT_EXT_CHAN_SWITCH_STATS = 76,
>
> /* keep this last */
> ATH12K_DBG_HTT_NUM_EXT_STATS,
> @@ -267,6 +268,7 @@ enum ath12k_dbg_htt_tlv_tag {
> HTT_STATS_PDEV_RTT_HW_STATS_TAG = 196,
> HTT_STATS_PDEV_RTT_TBR_SELFGEN_QUEUED_STATS_TAG = 197,
> HTT_STATS_PDEV_RTT_TBR_CMD_RESULT_STATS_TAG = 198,
> + HTT_STATS_CHAN_SWITCH_STATS_TAG = 213,
>
> HTT_STATS_MAX_TAG,
> };
> @@ -2156,4 +2158,28 @@ struct htt_tx_hwq_stats_cmn_tlv {
> __le32 txq_timeout;
> } __packed;
>
> +#define ATH12K_HTT_CHAN_SWITCH_STATS_BUF_LEN 10
> +
> +#define ATH12K_HTT_STATS_CHAN_SWITCH_BW_MHZ GENMASK(15, 0)
> +#define ATH12K_HTT_STATS_CHAN_SWITCH_BAND_FREQ GENMASK(31, 16)
> +#define ATH12K_HTT_STATS_CHAN_SWITCH_PHY_MODE GENMASK(7, 0)
> +#define ATH12K_HTT_STATS_CHAN_SWITCH_TX_CHAINMASK GENMASK(15, 8)
> +#define ATH12K_HTT_STATS_CHAN_SWITCH_RX_CHAINMASK GENMASK(23, 16)
> +#define ATH12K_HTT_STATS_CHAN_SWITCH_SW_PROFILE GENMASK(31, 24)
> +
> +struct ath12k_htt_chan_switch_stats_tlv {
> + struct {
> + __le32 chan_switch_freq;
> + __le32 chan_switch_profile;
> + __le32 chan_switch_time;
> + __le32 cal_module_time;
> + __le32 ini_module_time;
> + __le32 tpc_module_time;
> + __le32 misc_module_time;
> + __le32 ctl_module_time;
> + __le32 reserved;
> + } chan_stats[ATH12K_HTT_CHAN_SWITCH_STATS_BUF_LEN];
> + __le32 switch_count; /* shows how many channel changes have occurred */
> +} __packed;
> +
> #endif
>
> base-commit: 37538641dac955f6690372f0ebb94e5e14a23418
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* [PATCH wireless] wifi: mt76: mt7915: move sta_poll from tx_free to mac_work
From: Joshua Klinesmith @ 2026-04-07 3:15 UTC (permalink / raw)
To: linux-wireless
Cc: nbd, lorenzo, ryder.lee, shayne.chen, sean.wang,
Joshua Klinesmith
mt7915_mac_sta_poll() performs direct MMIO reads of WTBL entries for
airtime accounting, GI reporting, and RSSI. It is called from
mt7915_mac_tx_free_done(), which runs in NAPI context on every
TX-Free-Done event. The high-frequency WTBL access races with firmware
WTBL operations, causing kernel warnings and panics at
mt7915_mac_wtbl_lmac_addr, followed by MCU message timeouts and
firmware communication breakdown.
Move mt7915_mac_sta_poll() into mt7915_mac_work() at the periodic 5th
tick, under the device mutex. This reduces the access frequency from
thousands of times per second to once every ~5 seconds, serializes it
with other driver operations, and eliminates the NAPI-context WTBL
access that triggers the race.
Vendor driver analysis (mt_wifi.ko from MT7981 firmware) confirms the
vendor's TX-free handler (red_tx_free_handle) performs no WTBL reads
or station polling.
Fixes: e57b7901469f ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets")
Link: https://github.com/openwrt/mt76/issues/1067
Signed-off-by: Joshua Klinesmith <joshuaklinesmith@gmail.com>
---
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index 34a0690c5864..2f307c4caff1 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -864,8 +864,6 @@ mt7915_mac_tx_free_done(struct mt7915_dev *dev,
{
struct sk_buff *skb, *tmp;
- mt7915_mac_sta_poll(dev);
-
if (wake)
mt76_set_tx_blocked(&dev->mt76, false);
@@ -2012,6 +2010,7 @@ void mt7915_mac_work(struct work_struct *work)
if (++mphy->mac_work_count == 5) {
mphy->mac_work_count = 0;
+ mt7915_mac_sta_poll(phy->dev);
mt7915_mac_update_stats(phy);
mt7915_mac_severe_check(phy);
--
2.43.0
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox