* [PATCH 5/7] arm64: dts: qcom: sm8350: expand UART18 to 4 pins config
From: Dmitry Baryshkov @ 2026-06-01 9:46 UTC (permalink / raw)
To: Manivannan Sadhasivam, Lorenzo Pieralisi,
Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
Rocky Liao, Bjorn Andersson, Konrad Dybcio
Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>
On SM8350 platforms the primary use of UART18 is a 4-pin UART (targeting
Bluetooth or other similar applications). Add all 4 pins to the default
pinctrl entry for the UART.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
arch/arm64/boot/dts/qcom/sm8350.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/qcom/sm8350.dtsi b/arch/arm64/boot/dts/qcom/sm8350.dtsi
index c830953156ec..eb2a795d8edb 100644
--- a/arch/arm64/boot/dts/qcom/sm8350.dtsi
+++ b/arch/arm64/boot/dts/qcom/sm8350.dtsi
@@ -3309,7 +3309,7 @@ qup_uart6_default: qup-uart6-default-state {
};
qup_uart18_default: qup-uart18-default-state {
- pins = "gpio68", "gpio69";
+ pins = "gpio68", "gpio69", "gpio70", "gpio71";
function = "qup18";
drive-strength = <2>;
bias-disable;
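Review bot: with all four pins in one `pins` list, `drive-strength = <2>` and `bias-disable` now apply to the two added lines as well, and the hunk gives no indication which of gpio68..gpio71 are inputs. Consider splitting the state into per-signal subnodes so the input lines can carry their own bias. Also check that boards wiring UART18 as a 2-pin port do not use gpio70/gpio71 for something else, since the default state will now claim them for `qup18`.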
--
2.47.3
^ permalink raw reply related
* [PATCH 4/7] dt-bindings: bluetooth: qcom,wcn6855-bt: document WCN6851
From: Dmitry Baryshkov @ 2026-06-01 9:46 UTC (permalink / raw)
To: Manivannan Sadhasivam, Lorenzo Pieralisi,
Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
Rocky Liao, Bjorn Andersson, Konrad Dybcio
Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>
WCN6851 is an earlier version of the WCN6855 WiFi/BT chip, compatible with
it. Add a device-specific compat string with a fallback to the WCN6855
one.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
.../devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml b/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml
index 0beda26ae8bb..ec766f40a042 100644
--- a/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml
+++ b/Documentation/devicetree/bindings/net/bluetooth/qcom,wcn6855-bt.yaml
@@ -13,8 +13,12 @@ maintainers:
properties:
compatible:
- enum:
- - qcom,wcn6855-bt
+ oneOf:
+ - items:
+ - const: qcom,wcn6851-bt
+ - const: qcom,wcn6855-bt
+ - enum:
+ - qcom,wcn6855-bt
enable-gpios:
maxItems: 1
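Review bot: the new `items` list pins its first entry with `const: qcom,wcn6851-bt`; a single-entry `enum` in that position would let the next WCN6855-compatible part be added as a one-line change instead of another `oneOf` branch. That would also match the form used for `qcom,wcn6851-pmu` in patch 3/7 of this series.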
--
2.47.3
^ permalink raw reply related
* [PATCH 3/7] regulator: dt-bindings: qcom,qca6390-pmu: document WCN6851
From: Dmitry Baryshkov @ 2026-06-01 9:46 UTC (permalink / raw)
To: Manivannan Sadhasivam, Lorenzo Pieralisi,
Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
Rocky Liao, Bjorn Andersson, Konrad Dybcio
Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>
WCN6851 is an earlier version of the WCN6855 WiFi/BT chip, compatible with
it. Add a device-specific compat string with a fallback to the WCN6855
one.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml b/Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml
index 105174df7df2..3d3c6fa7ecbc 100644
--- a/Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml
+++ b/Documentation/devicetree/bindings/regulator/qcom,qca6390-pmu.yaml
@@ -21,6 +21,10 @@ properties:
- enum:
- qcom,wcn6755-pmu
- const: qcom,wcn6750-pmu
+ - items:
+ - enum:
+ - qcom,wcn6851-pmu
+ - const: qcom,wcn6855-pmu
- enum:
- qcom,qca6390-pmu
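Review bot: the commit message describes WCN6851 as a "WiFi/BT chip" compatible with WCN6855 but says nothing about the PMU, which is what this binding covers. State in the commit message that the WCN6851 PMU takes the same supplies and provides the same outputs as `qcom,wcn6855-pmu`, so that the `const: qcom,wcn6855-pmu` fallback is justified on its own terms.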
--
2.47.3
^ permalink raw reply related
* [PATCH 2/7] wifi: ath11k: enable support for WCN6851
From: Dmitry Baryshkov @ 2026-06-01 9:46 UTC (permalink / raw)
To: Manivannan Sadhasivam, Lorenzo Pieralisi,
Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
Rocky Liao, Bjorn Andersson, Konrad Dybcio
Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>
The WCN6851, found e.g. on SM8350 platforms, is an earlier version of the
WCN6855 platform. It identifies itself as hw1.1. Copy the WCN6855 hw 2.0
configuration to support the hw1.1 version.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath11k/core.c | 92 ++++++++++++++++++++++++++++++++++
drivers/net/wireless/ath/ath11k/core.h | 1 +
drivers/net/wireless/ath/ath11k/mhi.c | 1 +
drivers/net/wireless/ath/ath11k/pci.c | 9 ++++
drivers/net/wireless/ath/ath11k/pcic.c | 11 ++++
5 files changed, 114 insertions(+)
diff --git a/drivers/net/wireless/ath/ath11k/core.c b/drivers/net/wireless/ath/ath11k/core.c
index 3f6f4db5b7ee..7e997016cf6e 100644
--- a/drivers/net/wireless/ath/ath11k/core.c
+++ b/drivers/net/wireless/ath/ath11k/core.c
@@ -393,6 +393,98 @@ static const struct ath11k_hw_params ath11k_hw_params[] = {
.cfr_num_stream_bufs = 0,
.cfr_stream_buf_size = 0,
},
+ {
+ .name = "wcn6855 hw1.1",
+ .hw_rev = ATH11K_HW_WCN6855_HW11,
+ .fw = {
+ .dir = "WCN6855/hw1.1",
+ .board_size = 256 * 1024,
+ .cal_offset = 128 * 1024,
+ },
+ .max_radios = 3,
+ .bdf_addr = 0x4B0C0000,
+ .hw_ops = &wcn6855_ops,
+ .ring_mask = &ath11k_hw_ring_mask_qca6390,
+ .internal_sleep_clock = true,
+ .regs = &wcn6855_regs,
+ .qmi_service_ins_id = ATH11K_QMI_WLFW_SERVICE_INS_ID_V01_QCA6390,
+ .host_ce_config = ath11k_host_ce_config_qca6390,
+ .ce_count = 9,
+ .target_ce_config = ath11k_target_ce_config_wlan_qca6390,
+ .target_ce_count = 9,
+ .svc_to_ce_map = ath11k_target_service_to_ce_map_wlan_qca6390,
+ .svc_to_ce_map_len = 14,
+ .ce_ie_addr = &ath11k_ce_ie_addr_ipq8074,
+ .single_pdev_only = true,
+ .rxdma1_enable = false,
+ .num_rxdma_per_pdev = 2,
+ .rx_mac_buf_ring = true,
+ .vdev_start_delay = true,
+ .htt_peer_map_v2 = false,
+
+ .spectral = {
+ .fft_sz = 0,
+ .fft_pad_sz = 0,
+ .summary_pad_sz = 0,
+ .fft_hdr_len = 0,
+ .max_fft_bins = 0,
+ .fragment_160mhz = false,
+ },
+
+ .interface_modes = BIT(NL80211_IFTYPE_STATION) |
+ BIT(NL80211_IFTYPE_AP) |
+ BIT(NL80211_IFTYPE_P2P_DEVICE) |
+ BIT(NL80211_IFTYPE_P2P_CLIENT) |
+ BIT(NL80211_IFTYPE_P2P_GO),
+ .supports_monitor = false,
+ .full_monitor_mode = false,
+ .supports_shadow_regs = true,
+ .idle_ps = true,
+ .supports_sta_ps = true,
+ .coldboot_cal_mm = false,
+ .coldboot_cal_ftm = false,
+ .cbcal_restart_fw = false,
+ .fw_mem_mode = 0,
+ .num_vdevs = 2 + 1,
+ .num_peers = 512,
+ .supports_suspend = true,
+ .hal_desc_sz = sizeof(struct hal_rx_desc_wcn6855),
+ .supports_regdb = true,
+ .fix_l1ss = false,
+ .credit_flow = true,
+ .hal_params = &ath11k_hw_hal_params_qca6390,
+ .supports_dynamic_smps_6ghz = false,
+ .alloc_cacheable_memory = false,
+ .supports_rssi_stats = true,
+ .fw_wmi_diag_event = true,
+ .current_cc_support = true,
+ .dbr_debug_support = false,
+ .global_reset = true,
+ .bios_sar_capa = &ath11k_hw_sar_capa_wcn6855,
+ .m3_fw_support = true,
+ .fixed_bdf_addr = false,
+ .fixed_mem_region = false,
+ .static_window_map = false,
+ .hybrid_bus_type = false,
+ .fixed_fw_mem = false,
+ .support_off_channel_tx = true,
+ .supports_multi_bssid = true,
+
+ .sram_dump = {
+ .start = 0x01400000,
+ .end = 0x0177ffff,
+ },
+
+ .tcl_ring_retry = true,
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+ .support_fw_mac_sequence = true,
+ .support_dual_stations = true,
+ .pdev_suspend = false,
+ .cfr_support = false,
+ .cfr_num_stream_bufs = 0,
+ .cfr_stream_buf_size = 0,
+ },
{
.name = "wcn6855 hw2.0",
.hw_rev = ATH11K_HW_WCN6855_HW20,
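Review bot: `.dir = "WCN6855/hw1.1"` introduces a new firmware directory, but the commit message does not say which firmware build was used or on what hardware this was tested; a Tested-on: line would cover both. The entry is named "wcn6855 hw1.1" while the chip is called WCN6851 everywhere else in the series, so a short comment above the entry tying the two names together would help. Since the 92 lines are stated to be a copy of the hw2.0 configuration, say explicitly whether the copy is exact or whether any field is expected to differ for hw1.1.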
diff --git a/drivers/net/wireless/ath/ath11k/core.h b/drivers/net/wireless/ath/ath11k/core.h
index a0d725923ef2..29727ee94bfc 100644
--- a/drivers/net/wireless/ath/ath11k/core.h
+++ b/drivers/net/wireless/ath/ath11k/core.h
@@ -147,6 +147,7 @@ enum ath11k_hw_rev {
ATH11K_HW_QCA6390_HW20,
ATH11K_HW_IPQ6018_HW10,
ATH11K_HW_QCN9074_HW10,
+ ATH11K_HW_WCN6855_HW11,
ATH11K_HW_WCN6855_HW20,
ATH11K_HW_WCN6855_HW21,
ATH11K_HW_WCN6750_HW10,
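Review bot: `ATH11K_HW_WCN6855_HW11` is inserted ahead of `ATH11K_HW_WCN6855_HW20`, which renumbers every later value in `enum ath11k_hw_rev`; confirm nothing depends on the numeric values. The series adds the new revision to the `switch` in mhi.c, but any other place that lists `ATH11K_HW_WCN6855_HW20` and `ATH11K_HW_WCN6855_HW21` together needs the same decision, so it is worth searching for those two and naming in the commit message the sites that were deliberately left alone.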
diff --git a/drivers/net/wireless/ath/ath11k/mhi.c b/drivers/net/wireless/ath/ath11k/mhi.c
index a6c9ff112c68..c94546c367a7 100644
--- a/drivers/net/wireless/ath/ath11k/mhi.c
+++ b/drivers/net/wireless/ath/ath11k/mhi.c
@@ -393,6 +393,7 @@ int ath11k_mhi_register(struct ath11k_pci *ab_pci)
ath11k_mhi_config = &ath11k_mhi_config_qcn9074;
break;
case ATH11K_HW_QCA6390_HW20:
+ case ATH11K_HW_WCN6855_HW11:
case ATH11K_HW_WCN6855_HW20:
case ATH11K_HW_WCN6855_HW21:
case ATH11K_HW_QCA2066_HW21:
diff --git a/drivers/net/wireless/ath/ath11k/pci.c b/drivers/net/wireless/ath/ath11k/pci.c
index 35bb9e7a63a2..dc1dfd219d88 100644
--- a/drivers/net/wireless/ath/ath11k/pci.c
+++ b/drivers/net/wireless/ath/ath11k/pci.c
@@ -1031,6 +1031,15 @@ static int ath11k_pci_probe(struct pci_dev *pdev,
ath11k_pci_read_hw_version(ab, &soc_hw_version_major,
&soc_hw_version_minor);
switch (soc_hw_version_major) {
+ case 1:
+ switch (soc_hw_version_minor) {
+ case 0x10:
+ ab->hw_rev = ATH11K_HW_WCN6855_HW11;
+ break;
+ default:
+ goto unsupported_wcn6855_soc;
+ }
+ break;
case 2:
switch (soc_hw_version_minor) {
case 0x00:
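Review bot: the new `case 1:` maps minor version `0x10` to `ATH11K_HW_WCN6855_HW11`, so the register value does not read as the ".1" in the revision name. Add a comment on `case 0x10:` explaining the encoding, otherwise it looks like a typo for `0x01`.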
diff --git a/drivers/net/wireless/ath/ath11k/pcic.c b/drivers/net/wireless/ath/ath11k/pcic.c
index fc6e7da05c60..0f4dc05cc5b5 100644
--- a/drivers/net/wireless/ath/ath11k/pcic.c
+++ b/drivers/net/wireless/ath/ath11k/pcic.c
@@ -86,6 +86,17 @@ static const struct ath11k_msi_config ath11k_msi_config[] = {
},
.hw_rev = ATH11K_HW_QCN9074_HW10,
},
+ {
+ .total_vectors = 32,
+ .total_users = 4,
+ .users = (struct ath11k_msi_user[]) {
+ { .name = "MHI", .num_vectors = 3, .base_vector = 0 },
+ { .name = "CE", .num_vectors = 10, .base_vector = 3 },
+ { .name = "WAKE", .num_vectors = 1, .base_vector = 13 },
+ { .name = "DP", .num_vectors = 18, .base_vector = 14 },
+ },
+ .hw_rev = ATH11K_HW_WCN6855_HW11,
+ },
{
.total_vectors = 32,
.total_users = 4,
--
2.47.3
^ permalink raw reply related
* [PATCH 1/7] PCI: qcom: fix parsing of PERST# in the legacy case
From: Dmitry Baryshkov @ 2026-06-01 9:46 UTC (permalink / raw)
To: Manivannan Sadhasivam, Lorenzo Pieralisi,
Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
Rocky Liao, Bjorn Andersson, Konrad Dybcio
Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
devicetree, Bartosz Golaszewski, linux-bluetooth
In-Reply-To: <20260601-sm8350-wifi-v1-0-242917d88031@oss.qualcomm.com>
Commit deed8aec62dc ("PCI: qcom: Handle mixed PERST#/PHY DT
configuration") fixed support for the "mixed" platforms which declare
the PERST# pin in the RC node and the PHY in the RP node, however it also broke
support for a majority of existing platforms, which declare both PERST#
and PHY in the RC node, because now PERST# is first acquired in
qcom_pcie_parse_ports(), which then returns -ENODEV (as there are no
PHYs in the RP nodes). Later qcom_pcie_parse_legacy_binding() tries to
acquire the PERST# GPIO again and fails with -EBUSY (as the GPIO has
already been requested).
Move parsing of RC's perst-gpios to qcom_pcie_probe(), making it obvious
that it's shared for both cases and skip parsing it in both functions.
Fixes: deed8aec62dc ("PCI: qcom: Handle mixed PERST#/PHY DT configuration")
Closes: https://lore.kernel.org/r/gieaybsg2ckxpctvqj77nlwu7utama2yeyvebkonmexsxrra3v@v3fobqasxnmy/
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
drivers/pci/controller/dwc/pcie-qcom.c | 25 ++++++++++---------------
1 file changed, 10 insertions(+), 15 deletions(-)
diff --git a/drivers/pci/controller/dwc/pcie-qcom.c b/drivers/pci/controller/dwc/pcie-qcom.c
index 11fc60489892..7664c7c28c0e 100644
--- a/drivers/pci/controller/dwc/pcie-qcom.c
+++ b/drivers/pci/controller/dwc/pcie-qcom.c
@@ -1907,15 +1907,6 @@ static int qcom_pcie_parse_ports(struct qcom_pcie *pcie)
struct device *dev = pcie->pci->dev;
int ret = -ENODEV;
- if (of_find_property(dev->of_node, "perst-gpios", NULL)) {
- pcie->reset = devm_gpiod_get_optional(dev, "perst",
- GPIOD_OUT_HIGH);
- if (IS_ERR(pcie->reset))
- return PTR_ERR(pcie->reset);
-
- dev_warn(dev, "Reusing PERST# from Root Complex node. DT needs to be fixed!\n");
- }
-
for_each_available_child_of_node_scoped(dev->of_node, of_port) {
if (!of_node_is_type(of_port, "pci"))
continue;
@@ -1942,7 +1933,6 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
struct device *dev = pcie->pci->dev;
struct qcom_pcie_perst *perst;
struct qcom_pcie_port *port;
- struct gpio_desc *reset;
struct phy *phy;
int ret;
@@ -1950,10 +1940,6 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
if (IS_ERR(phy))
return PTR_ERR(phy);
- reset = devm_gpiod_get_optional(dev, "perst", GPIOD_OUT_HIGH);
- if (IS_ERR(reset))
- return PTR_ERR(reset);
-
ret = phy_init(phy);
if (ret)
return ret;
@@ -1970,7 +1956,7 @@ static int qcom_pcie_parse_legacy_binding(struct qcom_pcie *pcie)
INIT_LIST_HEAD(&port->list);
list_add_tail(&port->list, &pcie->ports);
- perst->desc = reset;
+ perst->desc = pcie->reset;
INIT_LIST_HEAD(&port->perst);
INIT_LIST_HEAD(&perst->list);
list_add_tail(&perst->list, &port->perst);
@@ -2107,6 +2093,15 @@ static int qcom_pcie_probe(struct platform_device *pdev)
pp->ops = &qcom_pcie_dw_ops;
+ if (of_find_property(dev->of_node, "perst-gpios", NULL)) {
+ pcie->reset = devm_gpiod_get_optional(dev, "perst",
+ GPIOD_OUT_HIGH);
+ if (IS_ERR(pcie->reset))
+ return PTR_ERR(pcie->reset);
+
+ dev_warn(dev, "Reusing PERST# from Root Complex node. DT needs to be updated!\n");
+ }
+
ret = qcom_pcie_parse_ports(pcie);
if (ret) {
if (ret != -ENODEV) {
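Review bot: the `dev_warn()` moved into `qcom_pcie_probe()` now fires for every DT that has `perst-gpios` in the RC node, including the legacy binding, where the removed `devm_gpiod_get_optional()` call in `qcom_pcie_parse_legacy_binding()` was silent. The commit message calls those the majority of existing platforms, so either restrict the warning to the mixed case or state in the commit message that warning on all of them is intended; the wording change from "fixed" to "updated" is not mentioned either. Also check that the bare `return PTR_ERR(pcie->reset);` is safe at this point in probe, i.e. that nothing acquired earlier needs the unwinding that the later error paths perform.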
--
2.47.3
^ permalink raw reply related
* [PATCH 0/7] arm64: dts: qcom: enable WiFi/BT on SM8350 HDK
From: Dmitry Baryshkov @ 2026-06-01 9:46 UTC (permalink / raw)
To: Manivannan Sadhasivam, Lorenzo Pieralisi,
Krzysztof Wilczyński, Rob Herring, Bjorn Helgaas,
Konrad Dybcio, Qiang Yu, Jeff Johnson, Liam Girdwood, Mark Brown,
Krzysztof Kozlowski, Conor Dooley, Bartosz Golaszewski,
Marcel Holtmann, Luiz Augusto von Dentz, Balakrishna Godavarthi,
Rocky Liao, Bjorn Andersson, Konrad Dybcio
Cc: linux-arm-msm, linux-pci, linux-kernel, linux-wireless, ath11k,
devicetree, Bartosz Golaszewski, linux-bluetooth
The SM8350 HDK has an onboard WCN6851 WiFi/BT chip, which for a long
time was not supported. Bring up different pieces required to enable
this SoC.
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@oss.qualcomm.com>
---
Dmitry Baryshkov (7):
PCI: qcom: fix parsing of PERST# in the legacy case
wifi: ath11k: enable support for WCN6851
regulator: dt-bindings: qcom,qca6390-pmu: document WCN6851
dt-bindings: bluetooth: qcom,wcn6855-bt: document WCN6851
arm64: dts: qcom: sm8350: expand UART18 to 4 pins config
arm64: dts: qcom: sm8350: modernize PCIe entries
arm64: dts: qcom: sm8350-hdk: describe WiFi/BT chip
.../bindings/net/bluetooth/qcom,wcn6855-bt.yaml | 8 +-
.../bindings/regulator/qcom,qca6390-pmu.yaml | 4 +
arch/arm64/boot/dts/qcom/sm8350-hdk.dts | 142 ++++++++++++++++++++-
arch/arm64/boot/dts/qcom/sm8350.dtsi | 14 +-
drivers/net/wireless/ath/ath11k/core.c | 92 +++++++++++++
drivers/net/wireless/ath/ath11k/core.h | 1 +
drivers/net/wireless/ath/ath11k/mhi.c | 1 +
drivers/net/wireless/ath/ath11k/pci.c | 9 ++
drivers/net/wireless/ath/ath11k/pcic.c | 11 ++
drivers/pci/controller/dwc/pcie-qcom.c | 25 ++--
10 files changed, 275 insertions(+), 32 deletions(-)
---
base-commit: 7da7f07112610a520567421dd2ffcb51beaefbcc
change-id: 20260531-sm8350-wifi-3b0659bc183a
Best regards,
--
With best wishes
Dmitry
^ permalink raw reply
* [PATCH v2] wifi: fix leak if split 6 GHz scanning fails
From: Fedor Pchelkin @ 2026-06-01 9:41 UTC (permalink / raw)
To: Johannes Berg
Cc: Fedor Pchelkin, linux-wireless, Tova Mussai, linux-kernel,
lvc-project
rdev->int_scan_req is leaked if cfg80211_scan() fails. Note that it's
supposed to be released at ___cfg80211_scan_done() but this doesn't happen
as rdev->scan_req is NULL at that point, too, leading to the early return
from the freeing function.
unreferenced object 0xffff8881161d0800 (size 512):
comm "wpa_supplicant", pid 379, jiffies 4294749765
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 f0 81 13 16 81 88 ff ff ................
backtrace (crc c867fdb6):
kmemleak_alloc+0x89/0x90
__kmalloc_noprof+0x2fd/0x410
cfg80211_scan+0x133/0x730
nl80211_trigger_scan+0xc69/0x1cc0
genl_family_rcv_msg_doit+0x204/0x2f0
genl_rcv_msg+0x431/0x6b0
netlink_rcv_skb+0x143/0x3f0
genl_rcv+0x27/0x40
netlink_unicast+0x4f6/0x820
netlink_sendmsg+0x797/0xce0
__sock_sendmsg+0xc4/0x160
____sys_sendmsg+0x5e4/0x890
___sys_sendmsg+0xf8/0x180
__sys_sendmsg+0x136/0x1e0
__x64_sys_sendmsg+0x76/0xc0
x64_sys_call+0x13f0/0x17d0
Found by Linux Verification Center (linuxtesting.org).
Fixes: c8cb5b854b40 ("nl80211/cfg80211: support 6 GHz scanning")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
---
v2: move ->int_scan_req assignment after rdev_scan() (Johannes)
net/wireless/scan.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 358cbc9e43d8..27a56ee2e8f0 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -1071,6 +1071,7 @@ int cfg80211_scan(struct cfg80211_registered_device *rdev)
struct cfg80211_scan_request_int *request;
struct cfg80211_scan_request_int *rdev_req = rdev->scan_req;
u32 n_channels = 0, idx, i;
+ int err;
if (!(rdev->wiphy.flags & WIPHY_FLAG_SPLIT_SCAN_6GHZ)) {
rdev_req->req.first_part = true;
@@ -1100,8 +1101,14 @@ int cfg80211_scan(struct cfg80211_registered_device *rdev)
rdev_req->req.scan_6ghz = false;
rdev_req->req.first_part = true;
+ err = rdev_scan(rdev, request);
+ if (err) {
+ kfree(request);
+ return err;
+ }
+
rdev->int_scan_req = request;
- return rdev_scan(rdev, request);
+ return 0;
}
void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
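Review bot: `rdev->int_scan_req = request;` now runs only after `rdev_scan()` has returned 0, so between the driver accepting the scan and this assignment the request is reachable only through the local `request`. Add a short comment above the assignment naming the locking that keeps scan completion from running in that window, because `___cfg80211_scan_done()` is where the commit message says `int_scan_req` is released and it would miss the request if it ran first.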
--
2.53.0
^ permalink raw reply related
* Re: [PATCH] wifi: cfg80211: fix leak if split 6 GHz scanning fails
From: Fedor Pchelkin @ 2026-06-01 9:25 UTC (permalink / raw)
To: Johannes Berg; +Cc: linux-wireless, Tova Mussai, linux-kernel, lvc-project
In-Reply-To: <21b5dc35ef16217adce0ef726a603a11951da4d2.camel@sipsolutions.net>
On Thu, 28. May 10:42, Johannes Berg wrote:
> On Sun, 2026-05-24 at 19:53 +0300, Fedor Pchelkin wrote:
> >
> > @@ -1101,7 +1102,12 @@ int cfg80211_scan(struct cfg80211_registered_device *rdev)
> > rdev_req->req.scan_6ghz = false;
> > rdev_req->req.first_part = true;
> > rdev->int_scan_req = request;
> > - return rdev_scan(rdev, request);
> > + err = rdev_scan(rdev, request);
> > + if (err) {
> > + kfree(rdev->int_scan_req);
> > + rdev->int_scan_req = NULL;
> > + }
> > + return err;
>
> Given that rdev isn't accessible to the driver call in rdev_scan(), I
> think it'd be nicer to do kfree(request) and defer the int_scan_req
> assignment to after the rdev_scan() call?
It would now differ (at least visually) from the similar scheme used at
the end of cfg80211_scan_6ghz(). I'd prefer that all this request
initialization stuff be done before calling rdev_scan(), given
that rdev_scan() may be changed in the future or whatever. But I don't have a
strong opinion here - will send v2 so that you may choose the eventually
preferred one between these versions.
^ permalink raw reply
* Re: [PATCH 2/2] wifi: mt76: mt7996: always fill txwi for 802.3 packets
From: Felix Fietkau @ 2026-06-01 9:02 UTC (permalink / raw)
To: Dmitry Gomzyakov, linux-wireless
In-Reply-To: <20260510102911.1883849-3-kyoto1337@protonmail.com>
On 10.05.26 12:29, Dmitry Gomzyakov wrote:
> From: Dmitry Gomzyakov <nicerok11@gmail.com>
>
> Commit 55218e636092 reverted host-driven TXD filling to rely on
> Software Defined Offload (SDO). However, SDO cannot correctly parse
> IPv4 packets modified by NAT (changed TTL and recalculated IP/TCP
> checksums), leaving TXWI mostly zero-filled.
>
> This causes the firmware to misinterpret or drop packets,
> resulting in severe throughput degradation (30-40 Mbps limit on
> WiFi IPv4 download through NAT).
>
> Always fill TXWI via mt7996_mac_write_txwi() and always set
> MT_CT_INFO_APPLY_TXD, matching the behavior of mt7915 and the
> proprietary driver.
In what way are IPv4 packets modified by NAT different for the device?
Is this issue something that might be fixed by newer firmware?
- Felix
^ permalink raw reply
* Re: [PATCH ath-current] wifi: ath12k: fix memory leak in ath12k_wifi7_dp_rx_h_verify_tkip_mic()
From: Tamizh Raja @ 2026-06-01 6:18 UTC (permalink / raw)
To: Miaoqing Pan; +Cc: jjohnson, ath12k, linux-wireless, linux-kernel
In-Reply-To: <20260512021108.2031651-1-miaoqing.pan@oss.qualcomm.com>
On Tue, May 12, 2026 at 7:41 AM Miaoqing Pan
<miaoqing.pan@oss.qualcomm.com> wrote:
>
> In ath12k_wifi7_dp_rx_h_verify_tkip_mic(), the call to
> ath12k_dp_rx_check_nwifi_hdr_len_valid() may return false when the
> NWIFI header length is invalid, causing the function to abort early with
> -EINVAL.
>
> When this happens, the error propagates to
> ath12k_wifi7_dp_rx_h_defrag(), which clears first_frag by setting it
> to NULL. As a result, the corresponding MSDU is no longer referenced
> by the defragmentation path and is never freed.
>
> This leads to a memory leak for the affected MSDU on this error path.
> Proper cleanup is required to ensure the MSDU is released when header
> validation fails during TKIP MIC verification.
>
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
>
> Fixes: 9a0dddfb30f1 ("wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi")
> Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c b/drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c
> index 945680b3ebdf..a5e290edaa89 100644
> --- a/drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c
> +++ b/drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c
> @@ -1028,8 +1028,10 @@ static int ath12k_wifi7_dp_rx_h_verify_tkip_mic(struct ath12k_pdev_dp *dp_pdev,
> skb_pull(msdu, hal_rx_desc_sz);
>
> if (unlikely(!ath12k_dp_rx_check_nwifi_hdr_len_valid(dp, msdu,
> - rx_info)))
> + rx_info))) {
> + dev_kfree_skb_any(msdu);
> return -EINVAL;
> + }
>
> ath12k_dp_rx_h_ppdu(dp_pdev, rx_info);
> ath12k_dp_rx_h_undecap(dp_pdev, msdu, HAL_ENCRYPT_TYPE_TKIP_MIC, true,
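Review bot: freeing `msdu` inside `ath12k_wifi7_dp_rx_h_verify_tkip_mic()` on this one `-EINVAL` return makes the function consume the skb on failure, while the commit message says the caller `ath12k_wifi7_dp_rx_h_defrag()` reacts to the error by setting `first_frag` to NULL. Document that ownership rule in a comment on the function, or do the free in the caller next to where `first_frag` is cleared, and check that every other error return from this function follows the same rule so that no path either leaks the skb or frees it twice.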
> --
> 2.34.1
>
>
Reviewed-by: Tamizh Chelvam Raja <tamizh.raja@oss.qualcomm.com>
^ permalink raw reply
* RE: [PATCH rtw-next v2 1/5] wifi: rtw89: 8831bu: Add support for ELECOM WD{B,C}-X600DU2M-B
From: Ping-Ke Shih @ 2026-06-01 6:10 UTC (permalink / raw)
To: Zenm Chen, linux-wireless@vger.kernel.org,
rtl8821cerfe2@gmail.com
In-Reply-To: <20260531232914.4406-1-zenmchen@gmail.com>
Zenm Chen <zenmchen@gmail.com> wrote:
> Add the ids 056e:4027 and 056e:4028 into the device table to support
> ELECOM WD{B,C}-X600DU2M-B, two new 8831bu-based adapters.
>
> Compile tested only.
>
> Link: https://github.com/morrownr/rtw89/commit/9e2db2834b37c6adfc4b872a9ef56c927df22bea
At first glance at this Link (".../commit/..."), I'd ask you to remove
the Link, because a GitHub commit isn't important enough to be in a commit message.
Looking deeper.... The Link's content (the comment part) is to indicate where
you got these USB device IDs, right?
If so, maybe you can just mention that you collected these IDs from [1].
(Change to this style instead of a formal Link.)
[1] https://github.com/morrownr/rtw89/commit/9e2db2834b37c6adfc4b872a9ef56c927df22bea
Then, if a reviewer wants to save himself time, he can just ignore the link.
Please apply it to this patchset. Thanks.
Ping-Ke
^ permalink raw reply
* Re: [PATCH v2] wifi: mt76: mt7996: fix reading zeroed info->control.flags after mt76_tx_status_skb_add()
From: lorenzo @ 2026-06-01 5:56 UTC (permalink / raw)
To: Ryder Lee
Cc: Shayne Chen (陳軒丞), nbd@nbd.name, Roy-CH Luo,
Chui-hao Chiu (邱垂浩),
AngeloGioacchino Del Regno, linux-kernel@vger.kernel.org,
linux-wireless@vger.kernel.org, Sean Wang,
Bo Jiao (焦波), linux-mediatek@lists.infradead.org,
matthias.bgg@gmail.com, linux-arm-kernel@lists.infradead.org
In-Reply-To: <7f02be7c4f919413718a0218b3792d4b0a222ca3.camel@mediatek.com>
On May 31, Ryder Lee wrote:
> On Sun, 2026-05-31 at 15:12 +0200, lorenzo@kernel.org wrote:
> > On May 31, Ryder Lee wrote:
> > > On Sun, 2026-05-31 at 14:11 +0200, lorenzo@kernel.org wrote:
> > > > > On Sun, 2026-05-31 at 10:55 +0200, Lorenzo Bianconi wrote:
> > > > > > mt76_tx_status_skb_add() zeroes the mt76_tx_cb struct stored
> > > > > > at
> > > > > > info->status.status_driver_data via memset(). Since info-
> > > > > > >control
> > > > > > and
> > > > > > info->status are members of the same union in
> > > > > > ieee80211_tx_info,
> > > > > > this overwrites info->control.flags.
> > > > > > In mt7996_tx_prepare_skb(), mt76_tx_status_skb_add() is
> > > > > > called
> > > > > > before
> > > > > > mt7996_mac_write_txwi(), which re-reads info->control.flags
> > > > > > to
> > > > > > extract
> > > > > > IEEE80211_TX_CTRL_MLO_LINK. Because the field has been
> > > > > > zeroed,
> > > > > > the
> > > > > > link_id always resolves to 0 for frames using global_wcid,
> > > > > > leading to
> > > > > > incorrect TXWI configuration.
> > > > > > Fix this by passing link_id as an explicit parameter to
> > > > > > mt7996_mac_write_txwi(). In mt7996_tx_prepare_skb(), the
> > > > > > link_id
> > > > > > is
> > > > > > already extracted from info->control.flags before the
> > > > > > destructive
> > > > > > mt76_tx_status_skb_add() call. For the beacon and inband
> > > > > > discovery
> > > > > > callers in mcu.c, use link_conf->link_id directly.
> > > > > >
> > > > > > Fixes: f0b0b239b8f36 ("wifi: mt76: mt7996: rework
> > > > > > mt7996_mac_write_txwi() for MLO support")
> > > > > > Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
> > > > > > ---
> > > > > > Changes in v2:
> > > > > > - Do not use link_id in mt7996_mac_write_txwi if it is
> > > > > > IEEE80211_LINK_UNSPECIFIED
> > > > > > - In mt7996_mac_write_txwi() rely on link_id calculated in
> > > > > > mt7996_tx_prepare_skb().
> > > > > > - Link to v1:
> > > > > > https://lore.kernel.org/r/20260530-mt76_tx_status_skb_add-overwrite-fix-v1-1-e2c3151c391a@kernel.org
> > > > > >
> > > > > > ---
> > > > > > drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 14
> > > > > > ++++----
> > > > > > ----
> > > > > > --
> > > > > > drivers/net/wireless/mediatek/mt76/mt7996/mcu.c | 5 +++-
> > > > > > -
> > > > > > drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h | 3 ++-
> > > > > > 3 files changed, 9 insertions(+), 13 deletions(-)
> > > > > >
> > > > > > diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> > > > > > b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> > > > > > index c98446057282..95b3078d9667 100644
> > > > > > --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> > > > > > +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c
> > > > > > @@ -856,7 +856,8 @@ mt7996_mac_write_txwi_80211(struct
> > > > > > mt7996_dev
> > > > > > *dev, __le32 *txwi,
> > > > > > void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32
> > > > > > *txwi,
> > > > > > struct sk_buff *skb, struct
> > > > > > mt76_wcid
> > > > > > *wcid,
> > > > > > struct ieee80211_key_conf *key,
> > > > > > int
> > > > > > pid,
> > > > > > - enum mt76_txq_id qid, u32
> > > > > > changed)
> > > > > > + enum mt76_txq_id qid, u32
> > > > > > changed,
> > > > > > + unsigned int link_id)
> > > > > > {
> > > > > > struct ieee80211_hdr *hdr = (struct ieee80211_hdr
> > > > > > *)skb-
> > > > > > > data;
> > > > > > struct ieee80211_tx_info *info =
> > > > > > IEEE80211_SKB_CB(skb);
> > > > > > @@ -866,7 +867,6 @@ void mt7996_mac_write_txwi(struct
> > > > > > mt7996_dev
> > > > > > *dev, __le32 *txwi,
> > > > > > bool is_8023 = info->flags &
> > > > > > IEEE80211_TX_CTL_HW_80211_ENCAP;
> > > > > > struct mt76_vif_link *mlink = NULL;
> > > > > > struct mt7996_vif *mvif;
> > > > > > - unsigned int link_id;
> > > > > > u16 tx_count = 15;
> > > > > > u32 val;
> > > > > > bool inband_disc = !!(changed &
> > > > > > (BSS_CHANGED_UNSOL_BCAST_PROBE_RESP |
> > > > > > @@ -874,17 +874,11 @@ void mt7996_mac_write_txwi(struct
> > > > > > mt7996_dev
> > > > > > *dev, __le32 *txwi,
> > > > > > bool beacon = !!(changed & (BSS_CHANGED_BEACON |
> > > > > >
> > > > > > BSS_CHANGED_BEACON_ENABLED))
> > > > > > &&
> > > > > > (!inband_disc);
> > > > > >
> > > > > > - if (wcid != &dev->mt76.global_wcid)
> > > > > > - link_id = wcid->link_id;
> > > > > > - else
> > > > > > - link_id = u32_get_bits(info->control.flags,
> > > > > > -
> > > > > > IEEE80211_TX_CTRL_MLO_LINK);
> > > > > > -
> > > > > > mvif = vif ? (struct mt7996_vif *)vif->drv_priv :
> > > > > > NULL;
> > > > > > if (mvif) {
> > > > > > if (wcid->offchannel)
> > > > > > mlink = rcu_dereference(mvif-
> > > > > > > mt76.offchannel_link);
> > > > > > - if (!mlink)
> > > > > > + if (!mlink && link_id !=
> > > > > > IEEE80211_LINK_UNSPECIFIED)
> > > > > > mlink = rcu_dereference(mvif-
> > > > > > > mt76.link[link_id]);
> > > > > > }
> > > > > >
> > > > > > @@ -1096,7 +1090,7 @@ int mt7996_tx_prepare_skb(struct
> > > > > > mt76_dev
> > > > > > *mdev, void *txwi_ptr,
> > > > > > /* Transmit non qos data by 802.11 header and need
> > > > > > to
> > > > > > fill
> > > > > > txd by host*/
> > > > > > if (!is_8023 || pid >= MT_PACKET_ID_FIRST)
> > > > > > mt7996_mac_write_txwi(dev, txwi_ptr,
> > > > > > tx_info-
> > > > > > > skb,
> > > > > > wcid, key,
> > > > > > - pid, qid, 0);
> > > > > > + pid, qid, 0, link_id);
> > > > > >
> > > > > > /* MT7996 and MT7992 require driver to provide the
> > > > > > MAC
> > > > > > TXP
> > > > > > for AddBA
> > > > > > * req
> > > > > > diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
> > > > > > b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
> > > > > > index 8be40d60ad29..a14c63438923 100644
> > > > > > --- a/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
> > > > > > +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mcu.c
> > > > > > @@ -3103,7 +3103,7 @@ mt7996_mcu_beacon_cont(struct
> > > > > > mt7996_dev
> > > > > > *dev,
> > > > > >
> > > > > > buf = (u8 *)bcn + sizeof(*bcn);
> > > > > > mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid,
> > > > > > NULL,
> > > > > > 0, 0,
> > > > > > - BSS_CHANGED_BEACON);
> > > > > > + BSS_CHANGED_BEACON, link_conf-
> > > > > > > link_id);
> > > > > >
> > > > > > memcpy(buf + MT_TXD_SIZE, skb->data, skb->len);
> > > > > > }
> > > > > > @@ -3249,7 +3249,8 @@ int
> > > > > > mt7996_mcu_beacon_inband_discov(struct
> > > > > > mt7996_dev *dev,
> > > > > >
> > > > > > buf = (u8 *)tlv + sizeof(*discov);
> > > > > >
> > > > > > - mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid,
> > > > > > NULL,
> > > > > > 0, 0, changed);
> > > > > > + mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid,
> > > > > > NULL,
> > > > > > 0, 0,
> > > > > > + changed, link_conf->link_id);
> > > > > >
> > > > > > memcpy(buf + MT_TXD_SIZE, skb->data, skb->len);
> > > > > >
> > > > > > diff --git
> > > > > > a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
> > > > > > b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
> > > > > > index 0dc4198fcf8b..0d6488522ba7 100644
> > > > > > --- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
> > > > > > +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h
> > > > > > @@ -874,7 +874,8 @@ void mt7996_mac_enable_nf(struct
> > > > > > mt7996_dev
> > > > > > *dev,
> > > > > > u8 band);
> > > > > > void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32
> > > > > > *txwi,
> > > > > > struct sk_buff *skb, struct
> > > > > > mt76_wcid
> > > > > > *wcid,
> > > > > > struct ieee80211_key_conf *key,
> > > > > > int
> > > > > > pid,
> > > > > > - enum mt76_txq_id qid, u32
> > > > > > changed);
> > > > > > + enum mt76_txq_id qid, u32
> > > > > > changed,
> > > > > > + unsigned int link_id);
> > > > > > void mt7996_mac_update_beacons(struct mt7996_phy *phy);
> > > > > > void mt7996_mac_set_coverage_class(struct mt7996_phy *phy);
> > > > > > void mt7996_mac_work(struct work_struct *work);
> > > > > >
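Review bot: The new `unsigned int link_id` parameter of mt7996_mac_write_txwi() carries no documentation of the values it accepts, although the callers in this patch pass both a computed `link_id` that is compared against IEEE80211_LINK_UNSPECIFIED and `link_conf->link_id`. A short comment at the declaration or definition saying that IEEE80211_LINK_UNSPECIFIED is a valid argument and what it means would keep later callers from handing in an unchecked index.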
> > > > > > ---
> > > > > > base-commit: 4913f44167cf35a9536e9eec7352e15b2de0c573
> > > > > > change-id: 20260530-mt76_tx_status_skb_add-overwrite-fix-
> > > > > > 85818a9bb31f
> > > > > >
> > > > > > Best regards,
> > > > > >
> > > > > >
> > > > > > We might expand flags further so this still doesn't solve the issue
> > > > > > of flags being cleared - it only works for MLO flag. And the developers
> > > > > > still won't easily notice that the flags are being cleared.
> > > >
> > > > > My opinion is we should consider just upstream code and then change
> > > > > it as soon as you post this new feature upstream, but I will let Felix
> > > > > comment on it.
> > > > > Moreover, the proposed approach aligns link_id used in
> > > > > mt7996_tx_prepare_skb() to the one used in mt7996_mac_write_txwi() and
> > > > > fixes a possible OOB bug in mt7996_mac_write_txwi().
> > > >
> > > > Regards,
> > > > Lorenzo
> > > >
> > > > >
> > >
> > > > Just to tie in with this patch subject - I'm just thinking of a way to
> > > > solve this once and for all. If the problem is reading zeroed
> > > > info->control.flags, wouldn't it be better to just pass a u32 flags,
> > > > something like this:
> > > >
> > > > u32 flags = info->control.flags;
> > > >
> > > > mt7996_mac_write_txwi(dev, (__le32 *)buf, skb, wcid, NULL, 0, 0,
> > > > changed, flags);
> > >
> > > We can use all flags then.
> >
> > > what about link_id? Should it be the same between mt7996_tx_prepare_skb()
> > > and mt7996_mac_write_txwi()?
> >
> >
>
> I mean the link_id only corresponds to one specific flags bit of
> mac80211_tx_control_flags. But there are other bits that aren't
> handled. Wouldn't u32 flags make it cleaner?
Yes, I got your point, but my concern is if we need to sync link_id between
mt7996_tx_prepare_skb() and mt7996_mac_write_txwi(). If so, I guess it is
much better to pass link_id explicitly to mt7996_mac_write_txwi() since it
does not just depend on mac80211_tx_control_flags and I think we should
not duplicate the logic in mt7996_mac_write_txwi(). Got my point?
If in the future (not required now) we need to pass mac80211_tx_control_flags
to mt7996_mac_write_txwi(), we will do it easily.
Regards,
Lorenzo
>
> Ryder
>
>
^ permalink raw reply
* Re: [PATCH ath-next 0/6] wifi: ath12k: Add driver support for WDS mode
From: Baochen Qiang @ 2026-06-01 5:55 UTC (permalink / raw)
To: Tamizh Chelvam Raja, ath12k; +Cc: linux-wireless
In-Reply-To: <20260525110942.2890212-1-tamizh.raja@oss.qualcomm.com>
On 5/25/2026 7:09 PM, Tamizh Chelvam Raja wrote:
> This patch series introduces support for WDS in the driver by adding
> below changes
>
> Handling of 4-address frame formats required for WDS operation.
> Proper setting of peer 4-address WMI param to ensure correct transmission
> and reception of multicast and unicast frames in WDS mode.
> Conversion of eth offload Rx frame to 802.11 frame for mac80211 to
> detect 4address frame and initiate AP_VLAN creation.
>
> Tamizh Chelvam Raja (6):
> wifi: ath12k: Set WDS vdev parameter for 4-address station interface
> wifi: ath12k: Add support for 4-address mode
> wifi: ath12k: Add 4-address mode support for eth offload
> wifi: ath12k: Add support for 4-address NULL frame handling
> wifi: ath12k: Add support for 4-address frame notification
> wifi: ath12k: Handle 4-address EAPOL frames from WBM error path
>
> drivers/net/wireless/ath/ath12k/core.h | 9 ++
> drivers/net/wireless/ath/ath12k/dp_peer.h | 2 +
> drivers/net/wireless/ath/ath12k/dp_rx.c | 10 +-
> drivers/net/wireless/ath/ath12k/dp_rx.h | 3 +-
> drivers/net/wireless/ath/ath12k/hal.h | 4 +-
> drivers/net/wireless/ath/ath12k/mac.c | 124 +++++++++++++++++-
> drivers/net/wireless/ath/ath12k/mac.h | 3 +
> drivers/net/wireless/ath/ath12k/peer.c | 11 +-
> drivers/net/wireless/ath/ath12k/wifi7/dp_rx.c | 91 +++++++++++--
> drivers/net/wireless/ath/ath12k/wifi7/dp_tx.c | 41 +++++-
> drivers/net/wireless/ath/ath12k/wifi7/dp_tx.h | 4 +-
> .../wireless/ath/ath12k/wifi7/hal_qcc2072.c | 16 +++
> .../wireless/ath/ath12k/wifi7/hal_qcn9274.c | 16 +++
> .../net/wireless/ath/ath12k/wifi7/hal_tx.c | 4 +-
> .../net/wireless/ath/ath12k/wifi7/hal_tx.h | 1 +
> .../wireless/ath/ath12k/wifi7/hal_wcn7850.c | 16 +++
> drivers/net/wireless/ath/ath12k/wifi7/hw.c | 18 ++-
> drivers/net/wireless/ath/ath12k/wmi.c | 47 ++++++-
> drivers/net/wireless/ath/ath12k/wmi.h | 17 +++
> 19 files changed, 409 insertions(+), 28 deletions(-)
>
>
> base-commit: 30d516006fa1f72f957c18c6171f5680dcdebfb0
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH ath-next] wifi: ath12k: add hardware parameters for maximum supported clients
From: Baochen Qiang @ 2026-06-01 5:50 UTC (permalink / raw)
To: Aaradhana Sahu, ath12k; +Cc: linux-wireless
In-Reply-To: <20260515030909.3312511-1-aaradhana.sahu@oss.qualcomm.com>
On 5/15/2026 11:09 AM, Aaradhana Sahu wrote:
> Currently, the driver uses memory profile parameters to determine the
> maximum number of supported clients, with a default limit of 512 for
> single-radio and 128 for DBS and DBS+SBS configurations. However,
> some devices have lower hardware limits depending on the radio
> configuration. Exceeding these hardware-specific limits can lead to
> firmware crashes.
>
> Add hardware parameters in ath12k_hw_params to define the maximum supported
> clients for each radio configuration. The driver uses the minimum of the
> memory profile limit and the hardware capability limit to prevent exceeding
> hardware constraints.
>
> Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.6-01243-QCAHKSWPL_SILICONZ-1
>
> Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH ath-current] wifi: ath12k: fix memory leak in ath12k_wifi7_dp_rx_h_verify_tkip_mic()
From: Baochen Qiang @ 2026-06-01 5:48 UTC (permalink / raw)
To: Miaoqing Pan, jjohnson; +Cc: ath12k, linux-wireless, linux-kernel
In-Reply-To: <20260512021108.2031651-1-miaoqing.pan@oss.qualcomm.com>
On 5/12/2026 10:11 AM, Miaoqing Pan wrote:
> In ath12k_wifi7_dp_rx_h_verify_tkip_mic(), the call to
> ath12k_dp_rx_check_nwifi_hdr_len_valid() may return false when the
> NWIFI header length is invalid, causing the function to abort early with
> -EINVAL.
>
> When this happens, the error propagates to
> ath12k_wifi7_dp_rx_h_defrag(), which clears first_frag by setting it
> to NULL. As a result, the corresponding MSDU is no longer referenced
> by the defragmentation path and is never freed.
>
> This leads to a memory leak for the affected MSDU on this error path.
> Proper cleanup is required to ensure the MSDU is released when header
> validation fails during TKIP MIC verification.
>
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
>
> Fixes: 9a0dddfb30f1 ("wifi: ath12k: Fix invalid data access in ath12k_dp_rx_h_undecap_nwifi")
> Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH v3] wifi: ath12k: fix incorrect HT/VHT/HE/EHT MCS reporting in monitor mode
From: Baochen Qiang @ 2026-06-01 5:44 UTC (permalink / raw)
To: kwan1996, ath12k, linux-wireless
In-Reply-To: <20260507015336.14636-1-laicheehou9@gmail.com>
On 5/7/2026 9:53 AM, kwan1996 wrote:
> From: Kwan Lai Chee Hou <laicheehou9@gmail.com>
>
> In monitor mode, the driver incorrectly assigns the legacy rate
> to the rate_idx field of the radiotap header for HT/VHT/HE/EHT
> frames, ignoring the actual MCS value parsed from the hardware.
>
> This causes packet analyzers (like Wireshark) to display incorrect
> MCS values (e.g., legacy base rates instead of the true MCS).
>
> Fix this by assigning ppdu_info->mcs as the default rate_mcs
> in ath12k_dp_mon_fill_rx_rate(), and remove rate_idx assignments in
> ath12k_dp_mon_update_radiotap() to preserve
> the previously calculated MCS values (including the HT NSS offset).
>
> Link: https://bugzilla.kernel.org/show_bug.cgi?id=220864
>
> Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.4.1-00199-QCAHKSWPL_SILICONZ
>
Fixes: 5393dcb45209 ("wifi: ath12k: change the status update in the monitor Rx") ?
> Signed-off-by: Kwan Lai Chee Hou <laicheehou9@gmail.com>
>
> ---
> v3:
> - Simplify rate_mcs assignment logic in ath12k_dp_mon_fill_rx_rate.
> - remove rate_idx assignments in ath12k_dp_mon_update_radiotap to avoid overwriting the HT (802.11n) MCS calculated earlier.
>
> v2: Fix indentation and formatting issues in v1.
> ---
> drivers/net/wireless/ath/ath12k/dp_mon.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c
> index 39d1967..79347c3 100644
> --- a/drivers/net/wireless/ath/ath12k/dp_mon.c
> +++ b/drivers/net/wireless/ath/ath12k/dp_mon.c
> @@ -1910,13 +1910,14 @@ ath12k_dp_mon_fill_rx_rate(struct ath12k *ar,
> bool is_cck;
>
> pkt_type = ppdu_info->preamble_type;
> - rate_mcs = ppdu_info->rate;
> + rate_mcs = ppdu_info->mcs;
> nss = ppdu_info->nss;
> sgi = ppdu_info->gi;
>
> switch (pkt_type) {
> case RX_MSDU_START_PKT_TYPE_11A:
> case RX_MSDU_START_PKT_TYPE_11B:
> + rate_mcs = ppdu_info->rate;
> is_cck = (pkt_type == RX_MSDU_START_PKT_TYPE_11B);
> if (rx_status->band < NUM_NL80211_BANDS) {
> sband = &ar->mac.sbands[rx_status->band];
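Review bot: In ath12k_dp_mon_fill_rx_rate(), `rate_mcs` now defaults to `ppdu_info->mcs` and is reassigned to `ppdu_info->rate` inside the 11A/11B case, so one variable holds two different kinds of value depending on the branch. A one-line comment at the reassignment saying that legacy preambles use `rate` while HT/VHT/HE/EHT use `mcs` would make the split obvious; the remaining cases of the switch are not visible here, so it is also worth confirming that each of them bounds `rate_mcs` before it is stored or used as an index.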
> @@ -2259,13 +2260,10 @@ static void ath12k_dp_mon_update_radiotap(struct ath12k *ar,
> rxs->encoding = RX_ENC_HE;
> ptr = skb_push(mon_skb, sizeof(struct ieee80211_radiotap_he));
> ath12k_dp_mon_rx_update_radiotap_he(ppduinfo, ptr);
> - rxs->rate_idx = ppduinfo->rate;
> } else if (ppduinfo->vht_flags) {
> rxs->encoding = RX_ENC_VHT;
> - rxs->rate_idx = ppduinfo->rate;
> } else if (ppduinfo->ht_flags) {
> rxs->encoding = RX_ENC_HT;
> - rxs->rate_idx = ppduinfo->rate;
> } else {
> rxs->encoding = RX_ENC_LEGACY;
> sband = &ar->mac.sbands[rxs->band];
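Review bot: The HE, VHT and HT branches of ath12k_dp_mon_update_radiotap() no longer set `rxs->rate_idx`, so they now depend silently on the value having been filled in earlier, which the commit message attributes to ath12k_dp_mon_fill_rx_rate(). Nothing in this hunk shows that ordering; a short comment in these branches naming where rate_idx comes from would guard against a later reordering that reports a stale or zero index.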
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH ath-next] wifi: ath11k: raise max vdevs to 4 on hardware with P2P and dual-station support
From: Baochen Qiang @ 2026-06-01 3:48 UTC (permalink / raw)
To: Wei Zhang, jeff.johnson; +Cc: ath11k, linux-wireless, linux-kernel
In-Reply-To: <20260525020711.2590815-1-wei.zhang@oss.qualcomm.com>
On 5/25/2026 10:07 AM, Wei Zhang wrote:
> When P2P support is enabled, wpa_supplicant creates a p2p-device
> interface by default, which implicitly consumes one vdev. On systems
> managed by NetworkManager, this interface cannot be reliably disabled,
> leaving only two usable interfaces for user configurations.
>
> Increase num_vdevs to four for QCA6390 hw2.0, WCN6855 hw2.0/hw2.1,
> QCA2066 hw2.1, and QCA6698AQ hw2.1 to account for the implicit
> p2p-device and enable common concurrency scenarios such as AP + AP + STA.
>
> This change increases interface concurrency in the two-channel scenario
> by raising the maximum vdev limit, while keeping other combination rules
> unchanged.
>
> Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1
> Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.41
> Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-04685-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
> Tested-on: QCA2066 hw2.1 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.9
> Tested-on: QCA6698AQ hw2.1 PCI WLAN.HSP.1.1-04685-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
>
> Signed-off-by: Wei Zhang <wei.zhang@oss.qualcomm.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH ath-next 0/2] wifi: ath11k: dp rx sanity checks for invalid length in error paths
From: Baochen Qiang @ 2026-06-01 3:47 UTC (permalink / raw)
To: Miaoqing Pan, jjohnson; +Cc: ath11k, linux-wireless, linux-kernel
In-Reply-To: <20260512022351.2033155-1-miaoqing.pan@oss.qualcomm.com>
On 5/12/2026 10:23 AM, Miaoqing Pan wrote:
> This patch series adds two defensive sanity checks in ath11k DP RX
> handling to prevent invalid memory access when hardware/descriptor
> contents are unexpected, especially in WBM error scenarios.
>
> Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
> ---
> Miaoqing Pan (2):
> wifi: ath11k: fix invalid data access in ath11k_dp_rx_h_undecap_nwifi
> wifi: ath11k: add MSDU length validation for TKIP MIC error
>
> drivers/net/wireless/ath/ath11k/dp_rx.c | 59 +++++++++++++++++++++++--
> 1 file changed, 56 insertions(+), 3 deletions(-)
>
>
> base-commit: 7b25796f571fc09a7aa6fe7efb23edccd326917d
only nit in patch 1/2, so
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* Re: [PATCH ath-next 1/2] wifi: ath11k: fix invalid data access in ath11k_dp_rx_h_undecap_nwifi
From: Baochen Qiang @ 2026-06-01 3:47 UTC (permalink / raw)
To: Miaoqing Pan, jjohnson; +Cc: ath11k, linux-wireless, linux-kernel
In-Reply-To: <20260512022351.2033155-2-miaoqing.pan@oss.qualcomm.com>
On 5/12/2026 10:23 AM, Miaoqing Pan wrote:
> In certain cases, hardware might provide packets with a
> length greater than the maximum native Wi-Fi header length.
> This can lead to accessing and modifying fields in the header
> within the ath11k_dp_rx_h_undecap_nwifi() function for the
> DP_RX_DECAP_TYPE_NATIVE_WIFI decap type and
> potentially result in invalid data access and memory corruption.
>
> Kernel stack is corrupted in: ath11k_dp_rx_h_undecap+0x6b0/0x6b0 [ath11k]
> Call trace:
> ath11k_dp_rx_h_mpdu+0x0/0x2e8 [ath11k]
> ath11k_dp_rx_h_mpdu+0x1e0/0x2e8 [ath11k]
> ath11k_dp_rx_wbm_err+0x1e0/0x450 [ath11k]
> ath11k_dp_rx_process_wbm_err+0x2fc/0x460 [ath11k]
> ath11k_dp_service_srng+0x2e0/0x348 [ath11k]
>
> Add a sanity check before processing the SKB to prevent invalid
> data access in the undecap native Wi-Fi function for the
> DP_RX_DECAP_TYPE_NATIVE_WIFI decap type.
>
> This is adapted from the discussion/patch of the ath12k driver [1].
>
> Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-04685-QCAHSPSWPL_V1_V2_SILICONZ_IOE-1
>
> Link: https://lore.kernel.org/linux-wireless/20250211090302.4105141-1-tamizh.raja@oss.qualcomm.com/ # [1]
> Signed-off-by: Miaoqing Pan <miaoqing.pan@oss.qualcomm.com>
> ---
> drivers/net/wireless/ath/ath11k/dp_rx.c | 50 +++++++++++++++++++++++--
> 1 file changed, 47 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
> index fe79109adc70..fbe2061a544d 100644
> --- a/drivers/net/wireless/ath/ath11k/dp_rx.c
> +++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
> @@ -2502,6 +2502,29 @@ static void ath11k_dp_rx_deliver_msdu(struct ath11k *ar, struct napi_struct *nap
> ieee80211_rx_napi(ar->hw, pubsta, msdu, napi);
> }
>
> +static bool ath11k_dp_rx_check_nwifi_hdr_len_valid(struct ath11k_base *ab,
> + struct hal_rx_desc *rx_desc,
> + struct sk_buff *msdu)
> +{
> + struct ieee80211_hdr *hdr;
> + u8 decap_type;
> + u32 hdr_len;
> +
> + decap_type = ath11k_dp_rx_h_msdu_start_decap_type(ab, rx_desc);
> + if (decap_type != DP_RX_DECAP_TYPE_NATIVE_WIFI)
> + return true;
> +
> + hdr = (struct ieee80211_hdr *)msdu->data;
> + hdr_len = ieee80211_hdrlen(hdr->frame_control);
> +
> + if ((likely(hdr_len <= DP_MAX_NWIFI_HDR_LEN)))
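Review bot: In ath11k_dp_rx_check_nwifi_hdr_len_valid(), `hdr->frame_control` is read from `msdu->data` to compute hdr_len, but nothing in the quoted lines checks that the skb actually holds those bytes before the read. Since the helper exists because hardware-supplied lengths cannot be trusted, consider checking msdu->len here as well, or state in a comment where the caller guarantees it.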
nit: Double parentheses on likely()
^ permalink raw reply
* Re: [PATCHv3 ath-next] wifi: ath11k: use kzalloc_flex
From: Baochen Qiang @ 2026-06-01 3:24 UTC (permalink / raw)
To: Rosen Penev, linux-wireless
Cc: Jeff Johnson, Kees Cook, Gustavo A. R. Silva,
open list:QUALCOMM ATHEROS ATH11K WIRELESS DRIVER, open list,
open list:KERNEL HARDENING (not covered by other areas):Keyword:\b__counted_by(_le|_be)?\b
In-Reply-To: <20260428205017.26288-1-rosenp@gmail.com>
On 4/29/2026 4:50 AM, Rosen Penev wrote:
> Convert kzalloc_obj + kcalloc to kzalloc_flex to save an allocation.
>
> Add __counted_by to get extra runtime analysis. Move counting variable
> assignment immediately after allocation before any potential accesses.
> kzalloc_flex does this anyway for GCC >= 15.
>
> Signed-off-by: Rosen Penev <rosenp@gmail.com>
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* [PATCH ath-next] wifi: ath12k: add QMI capability negotiation for dynamic memory mode
From: Aaradhana Sahu @ 2026-06-01 3:18 UTC (permalink / raw)
To: ath12k; +Cc: linux-wireless, Aaradhana Sahu
On AHB platforms, firmware operates in two modes: fixed-memory mode where
firmware uses hardcoded addresses for memory regions such as BDF and does
not request HOST_DDR memory from the host, and dynamic-memory mode where
firmware expects the host to provide memory addresses including HOST_DDR
after the Q6 read-only region and relies on host allocation for all memory
types.
Introduce QMI capability negotiation to support both modes. Add a new QMI
PHY capability flag dynamic_ddr_support which is advertised by firmware to
indicate it supports dynamic memory mode. When the host detects this
capability, set the dynamic_mem_support flag in the host capability message
to signal the host is ready to provide dynamic memory allocation. This
triggers firmware to send the HOST_DDR memory request and use the
host-provided address.
For backward compatibility, if firmware doesn't advertise
dynamic_ddr_support, the firmware continues to operate in fixed-memory mode
where firmware uses predefined addresses.
Tested-on: IPQ5332 hw1.0 AHB WLAN.WBE.1.6-01275-QCAHKSWPL_SILICONZ-1
Signed-off-by: Aaradhana Sahu <aaradhana.sahu@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/qmi.c | 50 +++++++++++++++++++++++++--
drivers/net/wireless/ath/ath12k/qmi.h | 10 ++++--
2 files changed, 54 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/qmi.c b/drivers/net/wireless/ath/ath12k/qmi.c
index fd762b5d7bb5..85406d6e6da1 100644
--- a/drivers/net/wireless/ath/ath12k/qmi.c
+++ b/drivers/net/wireless/ath/ath12k/qmi.c
@@ -506,6 +506,24 @@ static const struct qmi_elem_info qmi_wlanfw_host_cap_req_msg_v01_ei[] = {
.offset = offsetof(struct qmi_wlanfw_host_cap_req_msg_v01,
feature_list),
},
+ {
+ .data_type = QMI_OPT_FLAG,
+ .elem_len = 1,
+ .elem_size = sizeof(u8),
+ .array_type = NO_ARRAY,
+ .tlv_type = 0x33,
+ .offset = offsetof(struct qmi_wlanfw_host_cap_req_msg_v01,
+ dynamic_mem_support_valid),
+ },
+ {
+ .data_type = QMI_UNSIGNED_1_BYTE,
+ .elem_len = 1,
+ .elem_size = sizeof(u8),
+ .array_type = NO_ARRAY,
+ .tlv_type = 0x33,
+ .offset = offsetof(struct qmi_wlanfw_host_cap_req_msg_v01,
+ dynamic_mem_support),
+ },
{
.data_type = QMI_EOTI,
.array_type = NO_ARRAY,
@@ -602,6 +620,24 @@ static const struct qmi_elem_info qmi_wlanfw_phy_cap_resp_msg_v01_ei[] = {
.offset = offsetof(struct qmi_wlanfw_phy_cap_resp_msg_v01,
single_chip_mlo_support),
},
+ {
+ .data_type = QMI_OPT_FLAG,
+ .elem_len = 1,
+ .elem_size = sizeof(u8),
+ .array_type = NO_ARRAY,
+ .tlv_type = 0x17,
+ .offset = offsetof(struct qmi_wlanfw_phy_cap_resp_msg_v01,
+ dynamic_ddr_support_valid),
+ },
+ {
+ .data_type = QMI_UNSIGNED_1_BYTE,
+ .elem_len = 1,
+ .elem_size = sizeof(u8),
+ .array_type = NO_ARRAY,
+ .tlv_type = 0x17,
+ .offset = offsetof(struct qmi_wlanfw_phy_cap_resp_msg_v01,
+ dynamic_ddr_support),
+ },
{
.data_type = QMI_EOTI,
.array_type = NO_ARRAY,
@@ -2248,6 +2284,11 @@ int ath12k_qmi_host_cap_send(struct ath12k_base *ab)
if (ret < 0)
goto out;
+ if (ab->qmi.dynamic_ddr_support) {
+ req.dynamic_mem_support_valid = 1;
+ req.dynamic_mem_support = 1;
+ }
+
ret = qmi_txn_init(&ab->qmi.handle, &txn,
qmi_wlanfw_host_cap_resp_msg_v01_ei, &resp);
if (ret < 0)
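Review bot: In ath12k_qmi_host_cap_send(), `req.dynamic_mem_support` is set whenever `ab->qmi.dynamic_ddr_support` is non-zero, so a single firmware-advertised byte decides whether the host goes on to provide HOST_DDR memory. The commit message scopes this mode to AHB platforms but the condition has no bus check; either gate it on the bus type or add a comment explaining why honouring the flag on other buses is acceptable.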
@@ -2319,11 +2360,14 @@ static void ath12k_qmi_phy_cap_send(struct ath12k_base *ab)
ab->qmi.num_radios = resp.num_phy;
+ if (resp.dynamic_ddr_support_valid)
+ ab->qmi.dynamic_ddr_support = resp.dynamic_ddr_support;
+
ath12k_dbg(ab, ATH12K_DBG_QMI,
- "phy capability resp valid %d single_chip_mlo_support %d valid %d num_phy %d valid %d board_id %d\n",
+ "phy capability resp valid %d single_chip_mlo_support %d valid %d num_phy %d valid %d board_id %d dynamic_ddr_valid %d dynamic_ddr_support %d\n",
resp.single_chip_mlo_support_valid, resp.single_chip_mlo_support,
- resp.num_phy_valid, resp.num_phy,
- resp.board_id_valid, resp.board_id);
+ resp.num_phy_valid, resp.num_phy, resp.board_id_valid, resp.board_id,
+ resp.dynamic_ddr_support_valid, resp.dynamic_ddr_support);
return;
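Review bot: In ath12k_qmi_phy_cap_send(), `ab->qmi.dynamic_ddr_support` is written only when `resp.dynamic_ddr_support_valid` is set and is never cleared otherwise, so a value learned from one response would persist if this function runs again and the new response omits the TLV. Assigning `resp.dynamic_ddr_support_valid && resp.dynamic_ddr_support` unconditionally, or resetting the field before the request, keeps the host capability in step with what the firmware currently advertises. The debug format string also labels three different fields as plain `valid %d` next to the new `dynamic_ddr_valid %d`; naming all of them would make the log line unambiguous.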
diff --git a/drivers/net/wireless/ath/ath12k/qmi.h b/drivers/net/wireless/ath/ath12k/qmi.h
index 2a63e214eb42..dbde76e5a78d 100644
--- a/drivers/net/wireless/ath/ath12k/qmi.h
+++ b/drivers/net/wireless/ath/ath12k/qmi.h
@@ -156,9 +156,10 @@ struct ath12k_qmi {
struct m3_mem_region aux_uc_mem;
unsigned int service_ins_id;
struct dev_mem_info dev_mem[ATH12K_QMI_WLFW_MAX_DEV_MEM_NUM_V01];
+ u8 dynamic_ddr_support;
};
-#define QMI_WLANFW_HOST_CAP_REQ_MSG_V01_MAX_LEN 261
+#define QMI_WLANFW_HOST_CAP_REQ_MSG_V01_MAX_LEN 265
#define QMI_WLANFW_HOST_CAP_REQ_V01 0x0034
#define QMI_WLANFW_HOST_CAP_RESP_MSG_V01_MAX_LEN 7
#define QMI_WLFW_HOST_CAP_RESP_V01 0x0034
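Review bot: `u8 dynamic_ddr_support` in struct ath12k_qmi is only tested as a truth value in the qmi.c hunks, so `bool` would state the intent and avoid carrying an arbitrary firmware byte around. The QMI_WLANFW_HOST_CAP_REQ_MSG_V01_MAX_LEN change from 261 to 265 is a bare number; a line in the commit message tying the 4 extra bytes to the new 0x33 TLV would let a reader verify it.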
@@ -258,7 +259,8 @@ struct qmi_wlanfw_host_cap_req_msg_v01 {
struct wlfw_host_mlo_chip_info_s_v01 mlo_chip_info[QMI_WLFW_MAX_NUM_MLO_CHIPS_V01];
u8 feature_list_valid;
u64 feature_list;
-
+ u8 dynamic_mem_support_valid;
+ u8 dynamic_mem_support;
};
struct qmi_wlanfw_host_cap_resp_msg_v01 {
@@ -267,7 +269,7 @@ struct qmi_wlanfw_host_cap_resp_msg_v01 {
#define QMI_WLANFW_PHY_CAP_REQ_MSG_V01_MAX_LEN 0
#define QMI_WLANFW_PHY_CAP_REQ_V01 0x0057
-#define QMI_WLANFW_PHY_CAP_RESP_MSG_V01_MAX_LEN 18
+#define QMI_WLANFW_PHY_CAP_RESP_MSG_V01_MAX_LEN 22
#define QMI_WLANFW_PHY_CAP_RESP_V01 0x0057
struct qmi_wlanfw_phy_cap_req_msg_v01 {
@@ -281,6 +283,8 @@ struct qmi_wlanfw_phy_cap_resp_msg_v01 {
u32 board_id;
u8 single_chip_mlo_support_valid;
u8 single_chip_mlo_support;
+ u8 dynamic_ddr_support_valid;
+ u8 dynamic_ddr_support;
};
#define QMI_WLANFW_IND_REGISTER_REQ_MSG_V01_MAX_LEN 54
base-commit: e6b476e4ea19919b4c06ba2f5504258ab5d5d9aa
--
2.34.1
^ permalink raw reply related
* Re: [PATCH ath-next 0/2] wifi: ath12k: fix NULL deref when MLO link activation fails
From: Baochen Qiang @ 2026-06-01 2:56 UTC (permalink / raw)
To: Wei Zhang, jeff.johnson; +Cc: ath12k, linux-wireless, linux-kernel
In-Reply-To: <20260512044906.1735821-1-wei.zhang@oss.qualcomm.com>
On 5/12/2026 12:49 PM, Wei Zhang wrote:
> ath12k_mac_op_change_sta_links() adds a link to ahsta->links_map
> before verifying that the link's vdev is ready, allowing broken links
> to be processed by subsequent operations and causing NULL dereferences.
>
> Patch 1 fixes three error path inconsistencies in ath12k_mac_vdev_create()
> that leave arvif state or vdev resources inconsistent: a direct return on
> wmi_vdev_create failure bypasses err: which clears arvif->ar; and both
> failure paths in err_peer_del skip the DP peer cleanup and vdev rollback.
>
> Patch 2 uses arvif->is_created (made reliable by patch 1) to guard
> against links with no vdev before allocating a link station, preventing
> broken links from entering links_map.
>
> Wei Zhang (2):
> wifi: ath12k: fix inconsistent arvif state in vdev_create error paths
> wifi: ath12k: fix NULL deref in change_sta_links for unready link
>
> drivers/net/wireless/ath/ath12k/mac.c | 17 ++++++++---------
> 1 file changed, 8 insertions(+), 9 deletions(-)
>
> base-commit: 7b25796f571fc09a7aa6fe7efb23edccd326917d
Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
^ permalink raw reply
* RE: [PATCH] rtw88: usb: retry control message on -EPROTO error
From: Ping-Ke Shih @ 2026-06-01 1:27 UTC (permalink / raw)
To: Bitterblue Smith, VolcomIlluminated; +Cc: Linux Wireless
In-Reply-To: <b434e6cb-fe51-49a7-ae66-d6ec833d5b8b@gmail.com>
Bitterblue Smith <rtl8821cerfe2@gmail.com> wrote:
> On 29/05/2026 04:09, Ping-Ke Shih wrote:
> >
> > VolcomIlluminated <volcomilluminated@tuta.com> wrote:
> >> --- /tmp/linux-6.18/drivers/net/wireless/realtek/rtw88/usb.c 2025-11-30 17:42:10.000000000 -0500
> >> +++ /home/ptpx86mm1/kernelbuild/linux-6.18/drivers/net/wireless/realtek/rtw88/usb.c 2026-05-24
> 20:06:27.798337237 -0400
> >
> > Your git repository looks weird.
> >
> > Please clone https://github.com/pkshih/rtw.git and switch to rtw-next branch.
> >
> > By the way, the subject prefix should be "[PATCH rtw-next] wifi: rtw88: ...".
> >
> >> @@ -140,6 +140,16 @@
> >> ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
> >> RTW_USB_CMD_REQ, RTW_USB_CMD_WRITE,
> >> addr, 0, data, len, 500);
> >> + if (ret == -EPROTO) {
> >> + int retry;
> >> +
> >> + for (retry = 0; retry < 3 && ret == -EPROTO; retry++) {
> >> + msleep(10);
> >> + ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
> >> + RTW_USB_CMD_REQ, RTW_USB_CMD_WRITE,
> >> + addr, 0, data, len, 500);
> >
> > Don't duplicate the code of identical usb_control_msg(...).
> >
> > Just
> >
> > for (retry = 0; retry < 3; retry++) {
> > ret = usb_control_msg(...);
> > if (ret != -EPROTO)
> > break;
> >
> > msleep(10); /* delay before retrying */
> > }
> >
> > Bitterblue, could you have some inputs about this retry, since I don't have
> > much knowledge about USB?
> >
>
> I think it's a good idea to retry in case of errors. The vendor drivers
> try the control messages up to 10 times, both reads and writes, and not
> just in case of -EPROTO.
>
> Except when writing the firmware for the 8051 chips (address range
> 0x1000..0x1fff). Those writes are not retried, instead the entire
> firmware download process is retried if it fails.
>
> Also, they don't sleep between attempts.
Thanks for the info.
VolcomIlluminated, please follow Bitterblue's suggestions as vendor driver does.
>
> But I would like to know more about the problem fixed by this patch.
> What register writes fail with -EPROTO? How often does it happen?
> How many times was this patch tested?
>
> I wonder if the problem is simply the write to register 0xc4
> (REG_PAD_CTRL2) which triggers the switch to USB 3? Like with the
> wifi 6 and 7 chips, that call to usb_control_msg() always returns
> -EPROTO. I assume it's because it makes the USB device disappear.
The commit message of original patch doesn't point out "write register 0x%x".
VolcomIlluminated, please share this info too.
>
> >> + }
> >> + }
> >> if (ret < 0 && ret != -ENODEV && count++ < 4)
> >> rtw_err(rtwdev, "write register 0x%x failed with %d\n",
> >> addr, ret);
> >
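Review bot: The added retry loop reissues usb_control_msg() with the same 500 ms timeout up to three more times with msleep(10) in between, so a write that keeps failing can hold the caller for three further timeouts plus 30 ms of sleep before the existing rtw_err() is reached. It also leaves no trace of writes that succeed only after a retry; a debug message carrying `addr` and the attempt number would answer the questions raised in this thread about which register fails and how often.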
^ permalink raw reply
* RE: [PATCH] wifi: rtw88: extend USB TX report timeout to RTL8822BU
From: Ping-Ke Shih @ 2026-06-01 0:56 UTC (permalink / raw)
To: VolcomIlluminated
Cc: kvalo@kernel.org, luka.gejak@linux.dev,
linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
In-Reply-To: <20260531223349.5952-1-Volcomilluminated@airmail.cc>
VolcomIlluminated <Volcomilluminated@airmail.cc> wrote:
> Luka Gejak's patch increased the TX report timeout for RTL8723DU to
> accommodate off-channel dwell time during background scans. The same
> issue affects RTL8822BU (tested on Edimax EW-7822ULC) where background
> scans cause the firmware to stay off-channel for periods exceeding the
> default 500ms timeout, causing the purge timer to fire prematurely and
> drop TX tracking skbs.
>
> Extend the 2500ms timeout to also cover RTL8822BU USB devices.
>
> Tested on RTL8822BU (Edimax EW-7822ULC) with 17,706 packets over 24+
> hours with zero drops.
>
> Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support")
> Cc: stable@vger.kernel.org
> Signed-off-by: VolcomIlluminated <Volcomilluminated@airmail.cc>
> ---
> --- /tmp/linux-6.18/drivers/net/wireless/realtek/rtw88/tx.c 2025-11-30 17:42:10.000000000 -0500
> +++ /home/ptpx86mm1/kernelbuild/linux-6.18/drivers/net/wireless/realtek/rtw88/tx.c 2026-05-31
Just clone git repository and use 'git format-patch' to generate patch file
and send out.
> 16:00:37.125645594 -0400
> @@ -196,6 +196,7 @@
> void rtw_tx_report_enqueue(struct rtw_dev *rtwdev, struct sk_buff *skb, u8 sn)
> {
> struct rtw_tx_report *tx_report = &rtwdev->tx_report;
> + unsigned long timeout = RTW_TX_PROBE_TIMEOUT;
> unsigned long flags;
> u8 *drv_data;
>
> @@ -207,7 +208,12 @@
> __skb_queue_tail(&tx_report->queue, skb);
> spin_unlock_irqrestore(&tx_report->q_lock, flags);
>
> - mod_timer(&tx_report->purge_timer, jiffies + RTW_TX_PROBE_TIMEOUT);
> + if ((rtwdev->chip->id == RTW_CHIP_TYPE_8723D ||
> + rtwdev->chip->id == RTW_CHIP_TYPE_8822B) &&
Please use https://github.com/pkshih/rtw.git rtw-next branch as your base.
> + rtwdev->hci.type == RTW_HCI_TYPE_USB)
> + timeout = msecs_to_jiffies(2500);
> +
> + mod_timer(&tx_report->purge_timer, jiffies + timeout);
> }
> EXPORT_SYMBOL(rtw_tx_report_enqueue);
>
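Review bot: The commit message describes extending an existing 2500 ms case for RTL8723DU, yet this hunk adds the whole condition, including the `RTW_CHIP_TYPE_8723D` test, as new lines in rtw_tx_report_enqueue(), so the patch is not based on a tree that contains that change. Once rebased, consider a named constant next to RTW_TX_PROBE_TIMEOUT instead of the bare `msecs_to_jiffies(2500)`, and a per-chip field rather than an open-coded chip-id list that must be edited for every further device.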
^ permalink raw reply
* [PATCH rtw-next v2 5/5] wifi: rtw89: 8912au: Add support for Mercusys MA37BEH
From: Zenm Chen @ 2026-05-31 23:29 UTC (permalink / raw)
To: linux-wireless, pkshih, rtl8821cerfe2; +Cc: zenmchen
In-Reply-To: <20260531232914.4406-1-zenmchen@gmail.com>
Add the id 2c4e:0125 into the device table to support Mercusys MA37BEH,
a new 8912au-based adapter.
Compile tested only.
Link: https://github.com/morrownr/rtw89/commit/73cd715afee2dda3f670cdae5e40fbeba7d9be36
Signed-off-by: Zenm Chen <zenmchen@gmail.com>
---
v2:
- Add missing "Link: "
---
drivers/net/wireless/realtek/rtw89/rtw8922au.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/realtek/rtw89/rtw8922au.c b/drivers/net/wireless/realtek/rtw89/rtw8922au.c
index 347bde171..8d22bb387 100644
--- a/drivers/net/wireless/realtek/rtw89/rtw8922au.c
+++ b/drivers/net/wireless/realtek/rtw89/rtw8922au.c
@@ -56,6 +56,8 @@ static const struct usb_device_id rtw_8922au_id_table[] = {
.driver_info = (kernel_ulong_t)&rtw89_8922au_info },
{ USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x332b, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)&rtw89_8922au_info },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2c4e, 0x0125, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t)&rtw89_8922au_info },
{ USB_DEVICE_AND_INTERFACE_INFO(0x3625, 0x010a, 0xff, 0xff, 0xff),
.driver_info = (kernel_ulong_t)&rtw89_8922au_info },
{ USB_DEVICE_AND_INTERFACE_INFO(0x37ad, 0x0100, 0xff, 0xff, 0xff),
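Review bot: The subject and commit message name the chip "8912au", while the entry is added to rtw_8922au_id_table[] in rtw8922au.c with `rtw89_8922au_info`; one of the two is a typo and the message should match the driver. As the change is stated to be compile tested only, a sentence on how 2c4e:0125 was confirmed to be this chip would help whoever applies it.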
--
2.53.0
^ permalink raw reply related