From: Mikhail Limarenko
freq_to_idx() currently returns a trailing synthetic index when the requested channel frequency is not found. chan-info handlers already bound-check survey index, but an explicit error on no-match keeps semantics clear and avoids propagating a fake index value. Keep matched-frequency index progression unchanged, return -ENOENT on no match, and make callers reject negative indexes.
Tested-on: QCNFA765 (WCN785x), kernel 6.18.5+deb13-amd64
Signed-off-by: Mikhail Limarenko
---
v2:
- drop out-of-bounds claim from commit message
- keep original index progression for matched frequencies
- return explicit -ENOENT on no-match and reject negative idx in callers
 drivers/net/wireless/ath/ath12k/wmi.c | 9 +++------
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/wmi.c b/drivers/net/wireless/ath/ath12k/wmi.c
index e647b84..a2f8a7c 100644
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
@@ -6528,12 +6528,11 @@ static int freq_to_idx(struct ath12k *ar, int freq)
 				continue;
 
 			if (sband->channels[ch].center_freq == freq)
-				goto exit;
+				return idx;
 		}
 	}
 
-exit:
-	return idx;
+	return -ENOENT;
 }
 
 static int ath12k_pull_chan_info_ev(struct ath12k_base *ab, struct sk_buff *skb,
@@ -7475,7 +7474,7 @@ static void ath12k_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)
 	}
 
 	idx = freq_to_idx(ar, le32_to_cpu(ch_info_ev.freq));
-	if (idx >= ARRAY_SIZE(ar->survey)) {
+	if (idx < 0 || idx >= ARRAY_SIZE(ar->survey)) {
 		ath12k_warn(ab, "chan info: invalid frequency %d (idx %d out of bounds)\n",
 			    ch_info_ev.freq, idx);
 		goto exit;
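Review bot: freq_to_idx() now returns either a survey index or -ENOENT, but nothing at the definition records that contract, and the function's signature and loop header lie outside the hunk. A comment such as `/* Return the index of @freq in ar->survey, or -ENOENT if no band carries that frequency. */` above the function would make the negative return obvious to callers. Since -ENOENT is a plausible-looking int, every caller has to test the sign before indexing; the two callers touched in this series do, and any other user of freq_to_idx() elsewhere in the file would need the same treatment.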
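Review bot: With -ENOENT now reaching this check, the unchanged warning still prints "idx %d out of bounds", so an unknown frequency is reported as `idx -2 out of bounds`, which is not what happened. Either split the test, e.g. `if (idx < 0) { ath12k_warn(ab, "chan info: unknown frequency %d\n", le32_to_cpu(ch_info_ev.freq)); goto exit; }` ahead of the existing bounds check, or reword the existing message to cover both cases; the same applies to the bss chan info hunk in ath12k_pdev_bss_chan_info_event(). Note that idx is a signed int compared against a size_t ARRAY_SIZE(), so the unsigned comparison already rejected negative values; the explicit `idx < 0` is clearer and worth keeping, and a `(size_t)idx` in the second operand would also keep -Wsign-compare quiet.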
@@ -7550,7 +7549,7 @@ ath12k_pdev_bss_chan_info_event(struct ath12k_base *ab, struct sk_buff *skb)
 
 	spin_lock_bh(&ar->data_lock);
 	idx = freq_to_idx(ar, le32_to_cpu(bss_ch_info_ev.freq));
-	if (idx >= ARRAY_SIZE(ar->survey)) {
+	if (idx < 0 || idx >= ARRAY_SIZE(ar->survey)) {
 		ath12k_warn(ab, "bss chan info: invalid frequency %d (idx %d out of bounds)\n",
 			    bss_ch_info_ev.freq, idx);
 		goto exit;
-- 
2.47.3
From: Mikhail Limarenko
Station info requests can trigger frequent VDEV stat pulls from user space (iw/NM polling). On affected firmware, waiting 3 seconds for fw_stats_done causes repeated stalls and visible hitches. Use a short timeout for VDEV_STAT requests and skip unnecessary waits for stats types that do not need completion synchronization.
Tested-on: QCNFA765 (WCN785x), kernel 6.18.5+deb13-amd64
Signed-off-by: Mikhail Limarenko
---
 drivers/net/wireless/ath/ath12k/mac.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/mac.c b/drivers/net/wireless/ath/ath12k/mac.c
index 095b49a..1b550e9 100644
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
@@ -4829,6 +4829,7 @@ int ath12k_mac_get_fw_stats(struct ath12k *ar,
 {
 	struct ath12k_base *ab = ar->ab;
 	struct ath12k_hw *ah = ath12k_ar_to_ah(ar);
+	unsigned long done_timeout = 3 * HZ;
 	unsigned long time_left;
 	int ret;
 
@@ -4859,15 +4860,32 @@ int ath12k_mac_get_fw_stats(struct ath12k *ar,
 		return -ETIMEDOUT;
 	}
 
+	/* VDEV stats are queried frequently from station info paths (e.g. iw/NM).
+	 * On buggy firmware this path can timeout repeatedly and block callers for
+	 * multiple seconds; keep the hot path responsive while preserving behavior
+	 * for other stats types.
+	 */
+	if (param->stats_id & WMI_REQUEST_VDEV_STAT)
+		done_timeout = msecs_to_jiffies(200);
+
+	/* Non-vdev/bcn stats are handled in a single event. */
+	if (!(param->stats_id & (WMI_REQUEST_VDEV_STAT | WMI_REQUEST_BCN_STAT)))
+		return 0;
+
 	/* Firmware sends WMI_UPDATE_STATS_EVENTID back-to-back
 	 * when stats data buffer limit is reached. fw_stats_complete
 	 * is completed once host receives first event from firmware, but
 	 * still there could be more events following. Below is to wait
 	 * until firmware completes sending all the events.
 	 */
-	time_left = wait_for_completion_timeout(&ar->fw_stats_done, 3 * HZ);
+	time_left = wait_for_completion_timeout(&ar->fw_stats_done, done_timeout);
 	if (!time_left) {
-		ath12k_warn(ab, "time out while waiting for fw stats done\n");
+		if (param->stats_id & WMI_REQUEST_VDEV_STAT)
+			ath12k_dbg(ab, ATH12K_DBG_WMI,
+				   "time out while waiting for fw stats done (stats_id 0x%x)\n",
+				   param->stats_id);
+		else
+			ath12k_warn(ab, "time out while waiting for fw stats done\n");
 		return -ETIMEDOUT;
 	}
 
-- 
2.47.3
From: Mikhail Limarenko
Malformed or unsupported rate metadata from firmware can carry invalid MCS values into mac80211 status handling. This was observed with HE MCS=12 and coincided with ieee80211_rx_list warnings. When MCS is out of range, fall back to legacy metadata and use ratelimited diagnostics.
Tested-on: QCNFA765 (WCN785x), kernel 6.18.5+deb13-amd64
Signed-off-by: Mikhail Limarenko
---
 drivers/net/wireless/ath/ath12k/dp_rx.c | 39 +++++++++++++++----------
 1 file changed, 23 insertions(+), 16 deletions(-)
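Review bot: The new early `return 0` for stats types other than VDEV/BCN skips the fw_stats_done wait entirely, which is only safe if every such stats_id completes fw_stats_done in the same event that completes fw_stats_complete; the one-line comment asserts this but nothing in the hunk shows it, and a type that needs several events would let the caller read ar->fw_stats before firmware has finished delivering it. The 200 ms VDEV timeout likewise returns -ETIMEDOUT while firmware may still be emitting WMI_UPDATE_STATS_EVENTID, so a following request can reinitialise the completions while late events are still landing; that window existed with 3 s too, but the shorter wait makes it far more likely, and the comment should say how stale events are tolerated. The bare `200` deserves a named define carrying that rationale, e.g. `done_timeout = msecs_to_jiffies(ATH12K_VDEV_STATS_DONE_TIMEOUT_MS);` (name is a suggestion). The start of ath12k_mac_get_fw_stats(), where the request is presumably issued, is outside the hunk, so the reinit/request ordering cannot be checked here.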
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index 99d29ed..f0c56a9 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -2534,9 +2534,11 @@ static void ath12k_dp_rx_h_rate(struct ath12k *ar, struct ath12k_dp_rx_info *rx_
 	case RX_MSDU_START_PKT_TYPE_11N:
 		rx_status->encoding = RX_ENC_HT;
 		if (rate_mcs > ATH12K_HT_MCS_MAX) {
-			ath12k_warn(ar->ab,
-				    "Received with invalid mcs in HT mode %d\n",
-				    rate_mcs);
+			dev_warn_ratelimited(ar->ab->dev,
+					     "ath12k: invalid HT mcs %u, forcing legacy rate metadata\n",
+					     rate_mcs);
+			rx_status->encoding = RX_ENC_LEGACY;
+			rx_status->rate_idx = 0;
 			break;
 		}
 		rx_status->rate_idx = rate_mcs + (8 * (nss - 1));
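Review bot: The fallback block (ratelimited warning, `rx_status->encoding = RX_ENC_LEGACY;`, `rx_status->rate_idx = 0;`, break) is now pasted four times in this function and four more times in ath12k_dp_mon_fill_rx_rate() in dp_mon.c, and the monitor-path copies already carry a different message; a small static helper taking the mode name and rate_mcs would keep the eight copies from drifting. If ath12k_warn() in debug.c still wraps dev_warn_ratelimited(), as ath11k_warn() does, calling dev_warn_ratelimited() directly with a hand-written "ath12k: " prefix gains nothing over the existing ath12k_warn() call and departs from the driver's logging convention; keeping ath12k_warn() with the new wording would suffice. A one-line comment on why legacy index 0 is a safe fallback would also help, since mac80211 uses rate_idx to index the band's bitrate table for RX_ENC_LEGACY (worth confirming for every band the device advertises). This covers the second dp_rx.c hunk and both dp_mon.c hunks as well.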
@@ -2546,42 +2548,47 @@ static void ath12k_dp_rx_h_rate(struct ath12k *ar, struct ath12k_dp_rx_info *rx_
 		break;
 	case RX_MSDU_START_PKT_TYPE_11AC:
 		rx_status->encoding = RX_ENC_VHT;
-		rx_status->rate_idx = rate_mcs;
 		if (rate_mcs > ATH12K_VHT_MCS_MAX) {
-			ath12k_warn(ar->ab,
-				    "Received with invalid mcs in VHT mode %d\n",
-				    rate_mcs);
+			dev_warn_ratelimited(ar->ab->dev,
+					     "ath12k: invalid VHT mcs %u, forcing legacy rate metadata\n",
+					     rate_mcs);
+			rx_status->encoding = RX_ENC_LEGACY;
+			rx_status->rate_idx = 0;
 			break;
 		}
+		rx_status->rate_idx = rate_mcs;
 		rx_status->nss = nss;
 		if (sgi)
 			rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI;
 		rx_status->bw = ath12k_mac_bw_to_mac80211_bw(bw);
 		break;
 	case RX_MSDU_START_PKT_TYPE_11AX:
-		rx_status->rate_idx = rate_mcs;
 		if (rate_mcs > ATH12K_HE_MCS_MAX) {
-			ath12k_warn(ar->ab,
-				    "Received with invalid mcs in HE mode %d\n",
-				    rate_mcs);
+			dev_warn_ratelimited(ar->ab->dev,
+					     "ath12k: invalid HE mcs %u, forcing legacy rate metadata\n",
+					     rate_mcs);
+			rx_status->encoding = RX_ENC_LEGACY;
+			rx_status->rate_idx = 0;
 			break;
 		}
 		rx_status->encoding = RX_ENC_HE;
+		rx_status->rate_idx = rate_mcs;
 		rx_status->nss = nss;
 		rx_status->he_gi = ath12k_he_gi_to_nl80211_he_gi(sgi);
 		rx_status->bw = ath12k_mac_bw_to_mac80211_bw(bw);
 		break;
 	case RX_MSDU_START_PKT_TYPE_11BE:
-		rx_status->rate_idx = rate_mcs;
-		if (rate_mcs > ATH12K_EHT_MCS_MAX) {
-			ath12k_warn(ar->ab,
-				    "Received with invalid mcs in EHT mode %d\n",
-				    rate_mcs);
+			dev_warn_ratelimited(ar->ab->dev,
+					     "ath12k: invalid EHT mcs %u, forcing legacy rate metadata\n",
+					     rate_mcs);
+			rx_status->encoding = RX_ENC_LEGACY;
+			rx_status->rate_idx = 0;
 			break;
 		}
 		rx_status->encoding = RX_ENC_EHT;
+		rx_status->rate_idx = rate_mcs;
 		rx_status->nss = nss;
 		rx_status->eht.gi = ath12k_mac_eht_gi_to_nl80211_eht_gi(sgi);
 		rx_status->bw = ath12k_mac_bw_to_mac80211_bw(bw);
-- 
2.47.3
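Review bot: In the RX_MSDU_START_PKT_TYPE_11BE case the line `if (rate_mcs > ATH12K_EHT_MCS_MAX) {` appears only as removed, with no `+` counterpart, so the new side as shown enters the fallback unconditionally and the `}` after `break;` closes the switch early. The diffstat's 16 deletions for this file against 15 for the otherwise identical dp_mon.c change is consistent with that line really being dropped, although the hunk's 42/47 line counts also do not match what is visible here, so this may be a paste artefact; either way it needs checking against the original patch before it is applied. If the condition was intentionally rewritten, the replacement line belongs in this hunk.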
From: Mikhail Limarenko
Apply the same invalid-MCS hardening in monitor path status conversion to keep metadata handling consistent in both data and monitor pipelines.
Tested-on: QCNFA765 (WCN785x), kernel 6.18.5+deb13-amd64
Signed-off-by: Mikhail Limarenko
---
 drivers/net/wireless/ath/ath12k/dp_mon.c | 38 ++++++++++++++----------
 1 file changed, 23 insertions(+), 15 deletions(-)
diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c
index 009c495..6e894ef 100644
--- a/drivers/net/wireless/ath/ath12k/dp_mon.c
+++ b/drivers/net/wireless/ath/ath12k/dp_mon.c
@@ -1922,9 +1922,11 @@ ath12k_dp_mon_fill_rx_rate(struct ath12k *ar,
 	case RX_MSDU_START_PKT_TYPE_11N:
 		rx_status->encoding = RX_ENC_HT;
 		if (rate_mcs > ATH12K_HT_MCS_MAX) {
-			ath12k_warn(ar->ab,
-				    "Received with invalid mcs in HT mode %d\n",
-				    rate_mcs);
+			dev_warn_ratelimited(ar->ab->dev,
+					     "ath12k: invalid HT mcs %u in monitor path, forcing legacy rate metadata\n",
+					     rate_mcs);
+			rx_status->encoding = RX_ENC_LEGACY;
+			rx_status->rate_idx = 0;
 			break;
 		}
 		rx_status->rate_idx = rate_mcs + (8 * (nss - 1));
@@ -1933,35 +1935,41 @@ ath12k_dp_mon_fill_rx_rate(struct ath12k *ar,
 		break;
 	case RX_MSDU_START_PKT_TYPE_11AC:
 		rx_status->encoding = RX_ENC_VHT;
-		rx_status->rate_idx = rate_mcs;
 		if (rate_mcs > ATH12K_VHT_MCS_MAX) {
-			ath12k_warn(ar->ab,
-				    "Received with invalid mcs in VHT mode %d\n",
-				    rate_mcs);
+			dev_warn_ratelimited(ar->ab->dev,
+					     "ath12k: invalid VHT mcs %u in monitor path, forcing legacy rate metadata\n",
+					     rate_mcs);
+			rx_status->encoding = RX_ENC_LEGACY;
+			rx_status->rate_idx = 0;
 			break;
 		}
+		rx_status->rate_idx = rate_mcs;
 		if (sgi)
 			rx_status->enc_flags |= RX_ENC_FLAG_SHORT_GI;
 		break;
 	case RX_MSDU_START_PKT_TYPE_11AX:
-		rx_status->rate_idx = rate_mcs;
 		if (rate_mcs > ATH12K_HE_MCS_MAX) {
-			ath12k_warn(ar->ab,
-				    "Received with invalid mcs in HE mode %d\n",
-				    rate_mcs);
+			dev_warn_ratelimited(ar->ab->dev,
+					     "ath12k: invalid HE mcs %u in monitor path, forcing legacy rate metadata\n",
+					     rate_mcs);
+			rx_status->encoding = RX_ENC_LEGACY;
+			rx_status->rate_idx = 0;
 			break;
 		}
+		rx_status->rate_idx = rate_mcs;
 		rx_status->encoding = RX_ENC_HE;
 		rx_status->he_gi = ath12k_he_gi_to_nl80211_he_gi(sgi);
 		break;
 	case RX_MSDU_START_PKT_TYPE_11BE:
-		rx_status->rate_idx = rate_mcs;
 		if (rate_mcs > ATH12K_EHT_MCS_MAX) {
-			ath12k_warn(ar->ab,
-				    "Received with invalid mcs in EHT mode %d\n",
-				    rate_mcs);
+			dev_warn_ratelimited(ar->ab->dev,
+					     "ath12k: invalid EHT mcs %u in monitor path, forcing legacy rate metadata\n",
+					     rate_mcs);
+			rx_status->encoding = RX_ENC_LEGACY;
+			rx_status->rate_idx = 0;
 			break;
 		}
+		rx_status->rate_idx = rate_mcs;
 		rx_status->encoding = RX_ENC_EHT;
 		rx_status->he_gi = ath12k_he_gi_to_nl80211_he_gi(sgi);
 		break;
-- 
2.47.3