1. 01 Nov, 2021 5 commits
    • Benjamin Li's avatar
      wcn36xx: ensure pairing of init_scan/finish_scan and start_scan/end_scan · 8f1ba8b0
      Benjamin Li authored
      An SMD capture from the downstream prima driver on WCN3680B shows the
      following command sequence for connected scans:
      
      - init_scan_req
          - start_scan_req, channel 1
          - end_scan_req, channel 1
          - start_scan_req, channel 2
          - ...
          - end_scan_req, channel 3
      - finish_scan_req
      - init_scan_req
          - start_scan_req, channel 4
          - ...
          - end_scan_req, channel 6
      - finish_scan_req
      - ...
          - end_scan_req, channel 165
      - finish_scan_req
      
      Upstream currently never calls wcn36xx_smd_end_scan, and in some cases[1]
      still sends finish_scan_req twice in a row or before init_scan_req. A
      typical connected scan looks like this:
      
      - init_scan_req
          - start_scan_req, channel 1
      - finish_scan_req
      - init_scan_req
          - start_scan_req, channel 2
      - ...
          - start_scan_req, channel 165
      - finish_scan_req
      - finish_scan_req
      
      This patch cleans up scanning so that init/finish and start/end are always
      paired together and correctly nested.
      
      - init_scan_req
          - start_scan_req, channel 1
          - end_scan_req, channel 1
      - finish_scan_req
      - init_scan_req
          - start_scan_req, channel 2
          - end_scan_req, channel 2
      - ...
          - start_scan_req, channel 165
          - end_scan_req, channel 165
      - finish_scan_req
      
      Note that upstream will not do batching of 3 active-probe scans before
      returning to the operating channel, and this patch does not change that.
      To match downstream in this aspect, adjust IEEE80211_PROBE_DELAY and/or
      the 125ms max off-channel time in ieee80211_scan_state_decision.
      
      [1]: commit d195d7aa ("wcn36xx: Ensure finish scan is not requested
      before start scan") addressed one case of finish_scan_req being sent
      without a preceding init_scan_req (the case of the operating channel
      coinciding with the first scan channel); two other cases are:
      1) if SW scan is started and aborted immediately, without scanning any
         channels, we send a finish_scan_req without ever sending init_scan_req,
         and
      2) as SW scan logic always returns us to the operating channel before
         calling wcn36xx_sw_scan_complete, finish_scan_req is always sent twice
         at the end of a SW scan
      
      Fixes: 8e84c258 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware")
      Signed-off-by: default avatarBenjamin Li <benl@squareup.com>
      Tested-by: default avatarBryan O'Donoghue <bryan.odonoghue@linaro.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20211027170306.555535-4-benl@squareup.com
      8f1ba8b0
    • Benjamin Li's avatar
      wcn36xx: implement flush op to speed up connected scan · f02e1cc2
      Benjamin Li authored
      Without ieee80211_ops->flush implemented to empty HW queues, mac80211 will
      do a 100ms dead wait after stopping SW queues, before leaving the operating
      channel to resume a software connected scan[1].
      (see ieee80211_scan_state_resume)
      
      This wait is correctly included in the calculation for whether or not
      we've exceeded max off-channel time, as it occurs after sending the null
      frame with PS bit set. Thus, with 125 ms max off-channel time we only
      have 25 ms of scan time, which technically isn't even enough to scan one
      channel (although mac80211 always scans at least one channel per off-
      channel window).
      
      Moreover, for passive probes we end up spending at least 100 ms + 111 ms
      (IEEE80211_PASSIVE_CHANNEL_TIME) "off-channel"[2], which exceeds the listen
      interval of 200 ms that we provide in our association request frame. That's
      technically out-of-spec.
      
      [1]: Until recently, wcn36xx performed software (rather than FW-offloaded)
      scanning when 5GHz channels are requested. This apparent limitation is now
      resolved -- see commit 1395f8a6a4d5 ("wcn36xx: Enable hardware scan offload
      for 5Ghz band").
      [2]: in quotes because about 100 ms of it is still on-channel but with PS
      set
      Signed-off-by: default avatarBenjamin Li <benl@squareup.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20211027170306.555535-3-benl@squareup.com
      f02e1cc2
    • Benjamin Li's avatar
      wcn36xx: add debug prints for sw_scan start/complete · df008741
      Benjamin Li authored
      Add some MAC debug prints for more easily demarcating a software scan
      when parsing logs.
      Signed-off-by: default avatarBenjamin Li <benl@squareup.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20211027170306.555535-2-benl@squareup.com
      df008741
    • Christian Lamparter's avatar
      ath10k: fetch (pre-)calibration data via nvmem subsystem · 27deb0f1
      Christian Lamparter authored
      ATH10K chips are used it wide range of routers,
      accesspoints, range extenders, network appliances.
      On these embedded devices, calibration data is often
      stored on the main system's flash and was out of reach
      for the driver.
      
      To bridge this gap, ath10k is getting extended to pull
      the (pre-)calibration data through nvmem subsystem.
      To do this, a nvmem-cell containing the information can
      either be specified in the platform data or via device-tree.
      
      Tested with:
              Netgear EX6150v2 (IPQ4018 - pre-calibration method)
              TP-Link Archer C7 v2 (QCA9880v2 - old calibration method)
      
      Cc: Robert Marko <robimarko@gmail.com>
      Cc: Thibaut VARÈNE <hacks@slashdirt.org>
      Signed-off-by: default avatarChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20211016234609.1568317-1-chunkeey@gmail.com
      27deb0f1
    • Wen Gong's avatar
      ath11k: set correct NL80211_FEATURE_DYNAMIC_SMPS for WCN6855 · 82c434c1
      Wen Gong authored
      Commit 6f4d7030 ("ath11k: support SMPS configuration for 6 GHz") changed
      "if (ht_cap & WMI_HT_CAP_DYNAMIC_SMPS)" to "if (ht_cap &
      WMI_HT_CAP_DYNAMIC_SMPS || ar->supports_6ghz)" which means
      NL80211_FEATURE_DYNAMIC_SMPS is enabled for all chips which support 6 GHz.
      However, WCN6855 supports 6 GHz but it does not support feature
      NL80211_FEATURE_DYNAMIC_SMPS, and this can lead to MU-MIMO test failures for
      WCN6855.
      
      Disable NL80211_FEATURE_DYNAMIC_SMPS for WCN6855 since its ht_cap does not
      support WMI_HT_CAP_DYNAMIC_SMPS. Enable the feature only on QCN9074 as that's
      the only other device supporting 6 GHz band.
      
      Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1
      Signed-off-by: default avatarWen Gong <wgong@codeaurora.org>
      Signed-off-by: default avatarJouni Malinen <jouni@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20210914163726.38604-3-jouni@codeaurora.org
      82c434c1
  2. 28 Oct, 2021 7 commits
  3. 27 Oct, 2021 10 commits
  4. 25 Oct, 2021 5 commits
    • Loic Poulain's avatar
      wcn36xx: Fix tx_status mechanism · a9e79b11
      Loic Poulain authored
      This change fix the TX ack mechanism in various ways:
      
      - For NO_ACK tagged packets, we don't need to wait for TX_ACK indication
      and so are not subject to the single packet ack limitation. So we don't
      have to stop the tx queue, and can call the tx status callback as soon
      as DMA transfer has completed.
      
      - Fix skb ownership/reference. Only start status indication timeout
      once the DMA transfer has been completed. This avoids the skb to be
      both referenced in the DMA tx ring and by the tx_ack_skb pointer,
      preventing any use-after-free or double-free.
      
      - This adds a sanity (paranoia?) check on the skb tx ack pointer.
      
      - Resume TX queue if TX status tagged packet TX fails.
      
      Cc: stable@vger.kernel.org
      Fixes: fdf21cc3 ("wcn36xx: Add TX ack support")
      Signed-off-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1634567281-28997-1-git-send-email-loic.poulain@linaro.org
      a9e79b11
    • Loic Poulain's avatar
      wcn36xx: Fix (QoS) null data frame bitrate/modulation · d3fd2c95
      Loic Poulain authored
      We observe unexpected connection drops with some APs due to
      non-acked mac80211 generated null data frames (keep-alive).
      After debugging and capture, we noticed that null frames are
      submitted at standard data bitrate and that the given APs are
      in trouble with that.
      
      After setting the null frame bitrate to control bitrate, all
      null frames are acked as expected and connection is maintained.
      
      Not sure if it's a requirement of the specification, but it seems
      the right thing to do anyway, null frames are mostly used for control
      purpose (power-saving, keep-alive...), and submitting them with
      a slower/simpler bitrate/modulation is more robust.
      
      Cc: stable@vger.kernel.org
      Fixes: 512b191d ("wcn36xx: Fix TX data path")
      Signed-off-by: default avatarLoic Poulain <loic.poulain@linaro.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1634560399-15290-1-git-send-email-loic.poulain@linaro.org
      d3fd2c95
    • Abinaya Kalaiselvan's avatar
      ath10k: fix module load regression with iram-recovery feature · 6f8c8bf4
      Abinaya Kalaiselvan authored
      Commit 9af7c32c ("ath10k: add target IRAM recovery feature support")
      introduced a new firmware feature flag ATH10K_FW_FEATURE_IRAM_RECOVERY. But
      this caused ath10k_pci module load to fail if ATH10K_FW_CRASH_DUMP_RAM_DATA bit
      was not enabled in the ath10k coredump_mask module parameter:
      
      [ 2209.328190] ath10k_pci 0000:02:00.0: qca9984/qca9994 hw1.0 target 0x01000000 chip_id 0x00000000 sub 168c:cafe
      [ 2209.434414] ath10k_pci 0000:02:00.0: kconfig debug 1 debugfs 1 tracing 1 dfs 1 testmode 1
      [ 2209.547191] ath10k_pci 0000:02:00.0: firmware ver 10.4-3.9.0.2-00099 api 5 features no-p2p,mfp,peer-flow-ctrl,btcoex-param,allows-mesh-bcast,no-ps,peer-fixed-rate,iram-recovery crc32 cbade90a
      [ 2210.896485] ath10k_pci 0000:02:00.0: board_file api 1 bmi_id 0:1 crc32 a040efc2
      [ 2213.603339] ath10k_pci 0000:02:00.0: failed to copy target iram contents: -12
      [ 2213.839027] ath10k_pci 0000:02:00.0: could not init core (-12)
      [ 2213.933910] ath10k_pci 0000:02:00.0: could not probe fw (-12)
      
      And by default coredump_mask does not have ATH10K_FW_CRASH_DUMP_RAM_DATA
      enabled so anyone using a firmware with iram-recovery feature would fail. To my
      knowledge only QCA9984 firmwares starting from release 10.4-3.9.0.2-00099
      enabled the feature.
      
      The reason for regression was that ath10k_core_copy_target_iram() used
      ath10k_coredump_get_mem_layout() to get the memory layout, but when
      ATH10K_FW_CRASH_DUMP_RAM_DATA was disabled it would get just NULL and bail out
      with an error.
      
      While looking at all this I noticed another bug: if CONFIG_DEV_COREDUMP is
      disabled but the firmware has iram-recovery enabled the module load fails with
      similar error messages. I fixed that by returning 0 from
      ath10k_core_copy_target_iram() when _ath10k_coredump_get_mem_layout() returns
      NULL.
      
      Tested-on: QCA9984 hw2.0 PCI 10.4-3.9.0.2-00139
      
      Fixes: 9af7c32c ("ath10k: add target IRAM recovery feature support")
      Signed-off-by: default avatarAbinaya Kalaiselvan <akalaise@codeaurora.org>
      Signed-off-by: default avatarJouni Malinen <jouni@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20211020075054.23061-1-kvalo@codeaurora.org
      6f8c8bf4
    • Arnd Bergmann's avatar
      ath10k: fix invalid dma_addr_t token assignment · 937e79c6
      Arnd Bergmann authored
      Using a kernel pointer in place of a dma_addr_t token can
      lead to undefined behavior if that makes it into cache
      management functions. The compiler caught one such attempt
      in a cast:
      
      drivers/net/wireless/ath/ath10k/mac.c: In function 'ath10k_add_interface':
      drivers/net/wireless/ath/ath10k/mac.c:5586:47: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
       5586 |                         arvif->beacon_paddr = (dma_addr_t)arvif->beacon_buf;
            |                                               ^
      
      Looking through how this gets used down the way, I'm fairly
      sure that beacon_paddr is never accessed again for ATH10K_DEV_TYPE_HL
      devices, and if it was accessed, that would be a bug.
      
      Change the assignment to use a known-invalid address token
      instead, which avoids the warning and makes it easier to catch
      bugs if it does end up getting used.
      
      Fixes: e263bdab ("ath10k: high latency fixes for beacon buffer")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20211014075153.3655910-1-arnd@kernel.org
      937e79c6
    • Baochen Qiang's avatar
      ath11k: change return buffer manager for QCA6390 · 734223d7
      Baochen Qiang authored
      QCA6390 firmware uses HAL_RX_BUF_RBM_SW1_BM, not HAL_RX_BUF_RBM_SW3_BM. This is
      needed to fix a case where an A-MSDU has an unexpected LLC/SNAP header in the
      first subframe (CVE-2020-24588).
      
      Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-01740-QCAHSTSWPLZ_V2_TO_X86-1
      Signed-off-by: default avatarBaochen Qiang <bqiang@codeaurora.org>
      Signed-off-by: default avatarJouni Malinen <jouni@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20210914163726.38604-2-jouni@codeaurora.org
      734223d7
  5. 20 Oct, 2021 11 commits
  6. 18 Oct, 2021 2 commits