aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--package/kernel/mac80211/patches/ath11k/0048-wifi-ath11k-fix-BUFFER_DONE-read-on-monitor-ring-rx-.patch130
-rw-r--r--package/kernel/mac80211/patches/ath11k/0049-wifi-ath11k-Optimize-6-GHz-scan-time.patch101
-rw-r--r--package/kernel/mac80211/patches/ath11k/0050-wifi-ath11k-Configure-the-FTM-responder-role-using-f.patch117
-rw-r--r--package/kernel/mac80211/patches/ath11k/0051-wifi-ath11k-fix-rssi-station-dump-not-updated-in-QCN.patch158
-rw-r--r--package/kernel/mac80211/patches/ath11k/0052-wifi-ath11k-Fix-invalid-management-rx-frame-length-i.patch115
-rw-r--r--package/kernel/mac80211/patches/ath11k/0053-wifi-ath11k-fix-writing-to-unintended-memory-region.patch43
-rw-r--r--package/kernel/mac80211/patches/ath11k/0054-wifi-ath11k-Send-11d-scan-start-before-WMI_START_SCA.patch61
-rw-r--r--package/kernel/mac80211/patches/ath11k/101-Fix-invalid-management-rx-frame-length-issue.patch202
-rw-r--r--package/kernel/mac80211/patches/ath11k/903-ath11k-support-setting-FW-memory-mode-via-DT.patch4
-rw-r--r--package/kernel/mac80211/patches/ath11k/904-wifi-ath11k-restore-160MHz-support.patch2
10 files changed, 728 insertions, 205 deletions
diff --git a/package/kernel/mac80211/patches/ath11k/0048-wifi-ath11k-fix-BUFFER_DONE-read-on-monitor-ring-rx-.patch b/package/kernel/mac80211/patches/ath11k/0048-wifi-ath11k-fix-BUFFER_DONE-read-on-monitor-ring-rx-.patch
new file mode 100644
index 0000000000..3e22645331
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/0048-wifi-ath11k-fix-BUFFER_DONE-read-on-monitor-ring-rx-.patch
@@ -0,0 +1,130 @@
+From 68e93ac5a31d4975b25f819b2dfe914c72abc3bb Mon Sep 17 00:00:00 2001
+From: Harshitha Prem <quic_hprem@quicinc.com>
+Date: Wed, 15 Mar 2023 12:24:43 +0200
+Subject: [PATCH] wifi: ath11k: fix BUFFER_DONE read on monitor ring rx buffer
+
+Perform dma_sync_single_for_cpu() on monitor ring rx buffer before
+reading BUFFER_DONE tag and do dma_unmap_single() only after device
+had set BUFFER_DONE tag to the buffer.
+
+Also when BUFFER_DONE tag is not set, allow the buffer to get read
+next time without freeing skb.
+
+This helps to fix AP+Monitor VAP with flood traffic scenario to see
+monitor ring rx buffer overrun missing BUFFER_DONE tag to be set.
+
+Also remove redundant rx dma buf free performed on DP
+rx_mon_status_refill_ring.
+
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Sathishkumar Muruganandam <quic_murugana@quicinc.com>
+Signed-off-by: Harshitha Prem <quic_hprem@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230309164434.32660-1-quic_hprem@quicinc.com
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 57 ++++++++++---------------
+ 1 file changed, 23 insertions(+), 34 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -435,7 +435,6 @@ fail_free_skb:
+ static int ath11k_dp_rxdma_buf_ring_free(struct ath11k *ar,
+ struct dp_rxdma_ring *rx_ring)
+ {
+- struct ath11k_pdev_dp *dp = &ar->dp;
+ struct sk_buff *skb;
+ int buf_id;
+
+@@ -453,28 +452,6 @@ static int ath11k_dp_rxdma_buf_ring_free
+ idr_destroy(&rx_ring->bufs_idr);
+ spin_unlock_bh(&rx_ring->idr_lock);
+
+- /* if rxdma1_enable is false, mon_status_refill_ring
+- * isn't setup, so don't clean.
+- */
+- if (!ar->ab->hw_params.rxdma1_enable)
+- return 0;
+-
+- rx_ring = &dp->rx_mon_status_refill_ring[0];
+-
+- spin_lock_bh(&rx_ring->idr_lock);
+- idr_for_each_entry(&rx_ring->bufs_idr, skb, buf_id) {
+- idr_remove(&rx_ring->bufs_idr, buf_id);
+- /* XXX: Understand where internal driver does this dma_unmap
+- * of rxdma_buffer.
+- */
+- dma_unmap_single(ar->ab->dev, ATH11K_SKB_RXCB(skb)->paddr,
+- skb->len + skb_tailroom(skb), DMA_BIDIRECTIONAL);
+- dev_kfree_skb_any(skb);
+- }
+-
+- idr_destroy(&rx_ring->bufs_idr);
+- spin_unlock_bh(&rx_ring->idr_lock);
+-
+ return 0;
+ }
+
+@@ -3029,39 +3006,51 @@ static int ath11k_dp_rx_reap_mon_status_
+
+ spin_lock_bh(&rx_ring->idr_lock);
+ skb = idr_find(&rx_ring->bufs_idr, buf_id);
++ spin_unlock_bh(&rx_ring->idr_lock);
++
+ if (!skb) {
+ ath11k_warn(ab, "rx monitor status with invalid buf_id %d\n",
+ buf_id);
+- spin_unlock_bh(&rx_ring->idr_lock);
+ pmon->buf_state = DP_MON_STATUS_REPLINISH;
+ goto move_next;
+ }
+
+- idr_remove(&rx_ring->bufs_idr, buf_id);
+- spin_unlock_bh(&rx_ring->idr_lock);
+-
+ rxcb = ATH11K_SKB_RXCB(skb);
+
+- dma_unmap_single(ab->dev, rxcb->paddr,
+- skb->len + skb_tailroom(skb),
+- DMA_FROM_DEVICE);
++ dma_sync_single_for_cpu(ab->dev, rxcb->paddr,
++ skb->len + skb_tailroom(skb),
++ DMA_FROM_DEVICE);
+
+ tlv = (struct hal_tlv_hdr *)skb->data;
+ if (FIELD_GET(HAL_TLV_HDR_TAG, tlv->tl) !=
+ HAL_RX_STATUS_BUFFER_DONE) {
+- ath11k_warn(ab, "mon status DONE not set %lx\n",
++ ath11k_warn(ab, "mon status DONE not set %lx, buf_id %d\n",
+ FIELD_GET(HAL_TLV_HDR_TAG,
+- tlv->tl));
+- dev_kfree_skb_any(skb);
++ tlv->tl), buf_id);
++ /* If done status is missing, hold onto status
++ * ring until status is done for this status
++ * ring buffer.
++ * Keep HP in mon_status_ring unchanged,
++ * and break from here.
++ * Check status for same buffer for next time
++ */
+ pmon->buf_state = DP_MON_STATUS_NO_DMA;
+- goto move_next;
++ break;
+ }
+
++ spin_lock_bh(&rx_ring->idr_lock);
++ idr_remove(&rx_ring->bufs_idr, buf_id);
++ spin_unlock_bh(&rx_ring->idr_lock);
+ if (ab->hw_params.full_monitor_mode) {
+ ath11k_dp_rx_mon_update_status_buf_state(pmon, tlv);
+ if (paddr == pmon->mon_status_paddr)
+ pmon->buf_state = DP_MON_STATUS_MATCH;
+ }
++
++ dma_unmap_single(ab->dev, rxcb->paddr,
++ skb->len + skb_tailroom(skb),
++ DMA_FROM_DEVICE);
++
+ __skb_queue_tail(skb_list, skb);
+ } else {
+ pmon->buf_state = DP_MON_STATUS_REPLINISH;
diff --git a/package/kernel/mac80211/patches/ath11k/0049-wifi-ath11k-Optimize-6-GHz-scan-time.patch b/package/kernel/mac80211/patches/ath11k/0049-wifi-ath11k-Optimize-6-GHz-scan-time.patch
new file mode 100644
index 0000000000..f468990feb
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/0049-wifi-ath11k-Optimize-6-GHz-scan-time.patch
@@ -0,0 +1,101 @@
+From 8b4d2f080afbd4280ecca0f4b3ceea943a7a86d0 Mon Sep 17 00:00:00 2001
+From: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+Date: Thu, 23 Mar 2023 11:39:13 +0530
+Subject: [PATCH] wifi: ath11k: Optimize 6 GHz scan time
+
+Currently, time taken to scan all supported channels on WCN6750
+is ~8 seconds and connection time is almost 10 seconds. WCN6750
+supports three Wi-Fi bands (i.e., 2.4/5/6 GHz) and the numbers of
+channels for scan come around ~100 channels (default case).
+Since the chip doesn't have support for DBS (Dual Band Simultaneous),
+scans cannot be parallelized resulting in longer scan times.
+
+Among the 100 odd channels, ~60 channels are in 6 GHz band. Therefore,
+optimizing the scan for 6 GHz channels will bring down the overall
+scan time.
+
+WCN6750 firmware has support to scan a 6 GHz channel based on co-located
+AP information i.e., RNR IE which is found in the legacy 2.4/5 GHz scan
+results. When a scan request with all supported channel list is enqueued
+to the firmware, then based on WMI_SCAN_CHAN_FLAG_SCAN_ONLY_IF_RNR_FOUND
+scan channel flag, firmware will scan only those 6 GHz channels for which
+RNR IEs are found in the legacy scan results.
+
+In the proposed design, based on NL80211_SCAN_FLAG_COLOCATED_6GHZ scan
+flag, driver will set the WMI_SCAN_CHAN_FLAG_SCAN_ONLY_IF_RNR_FOUND flag
+for non-PSC channels. Since there is high probability to find 6 GHz APs
+on PSC channels, these channels are always scanned. Only non-PSC channels
+are selectively scanned based on cached RNR information from the legacy
+scan results.
+
+If NL80211_SCAN_FLAG_COLOCATED_6GHZ is not set in the scan flags,
+then scan will happen on all supported channels (default behavior).
+
+With these optimizations, scan time is improved by 1.5-1.8 seconds on
+WCN6750. Similar savings have been observed on WCN6855.
+
+Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-00887-QCAMSLSWPLZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.16
+
+Signed-off-by: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230323060913.10097-1-quic_mpubbise@quicinc.com
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 25 +++++++++++++++++++++++--
+ drivers/net/wireless/ath/ath11k/wmi.h | 4 ++++
+ 2 files changed, 27 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -3819,8 +3819,29 @@ static int ath11k_mac_op_hw_scan(struct
+ goto exit;
+ }
+
+- for (i = 0; i < arg->num_chan; i++)
+- arg->chan_list[i] = req->channels[i]->center_freq;
++ for (i = 0; i < arg->num_chan; i++) {
++ if (test_bit(WMI_TLV_SERVICE_SCAN_CONFIG_PER_CHANNEL,
++ ar->ab->wmi_ab.svc_map)) {
++ arg->chan_list[i] =
++ u32_encode_bits(req->channels[i]->center_freq,
++ WMI_SCAN_CONFIG_PER_CHANNEL_MASK);
++
++ /* If NL80211_SCAN_FLAG_COLOCATED_6GHZ is set in scan
++ * flags, then scan all PSC channels in 6 GHz band and
++ * those non-PSC channels where RNR IE is found during
++ * the legacy 2.4/5 GHz scan.
++ * If NL80211_SCAN_FLAG_COLOCATED_6GHZ is not set,
++ * then all channels in 6 GHz will be scanned.
++ */
++ if (req->channels[i]->band == NL80211_BAND_6GHZ &&
++ req->flags & NL80211_SCAN_FLAG_COLOCATED_6GHZ &&
++ !cfg80211_channel_is_psc(req->channels[i]))
++ arg->chan_list[i] |=
++ WMI_SCAN_CH_FLAG_SCAN_ONLY_IF_RNR_FOUND;
++ } else {
++ arg->chan_list[i] = req->channels[i]->center_freq;
++ }
++ }
+ }
+
+ if (req->flags & NL80211_SCAN_FLAG_RANDOM_ADDR) {
+--- a/drivers/net/wireless/ath/ath11k/wmi.h
++++ b/drivers/net/wireless/ath/ath11k/wmi.h
+@@ -2100,6 +2100,7 @@ enum wmi_tlv_service {
+
+ /* The second 128 bits */
+ WMI_MAX_EXT_SERVICE = 256,
++ WMI_TLV_SERVICE_SCAN_CONFIG_PER_CHANNEL = 265,
+ WMI_TLV_SERVICE_REG_CC_EXT_EVENT_SUPPORT = 281,
+ WMI_TLV_SERVICE_BIOS_SAR_SUPPORT = 326,
+
+@@ -3249,6 +3250,9 @@ struct wmi_start_scan_cmd {
+ #define WMI_SCAN_DWELL_MODE_SHIFT 21
+ #define WMI_SCAN_FLAG_EXT_PASSIVE_SCAN_START_TIME_ENHANCE 0x00000800
+
++#define WMI_SCAN_CONFIG_PER_CHANNEL_MASK GENMASK(19, 0)
++#define WMI_SCAN_CH_FLAG_SCAN_ONLY_IF_RNR_FOUND BIT(20)
++
+ enum {
+ WMI_SCAN_DWELL_MODE_DEFAULT = 0,
+ WMI_SCAN_DWELL_MODE_CONSERVATIVE = 1,
diff --git a/package/kernel/mac80211/patches/ath11k/0050-wifi-ath11k-Configure-the-FTM-responder-role-using-f.patch b/package/kernel/mac80211/patches/ath11k/0050-wifi-ath11k-Configure-the-FTM-responder-role-using-f.patch
new file mode 100644
index 0000000000..bca08b177f
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/0050-wifi-ath11k-Configure-the-FTM-responder-role-using-f.patch
@@ -0,0 +1,117 @@
+From 813968c24126cc5c8320cd5db0e262069a535063 Mon Sep 17 00:00:00 2001
+From: Ganesh Babu Jothiram <quic_gjothira@quicinc.com>
+Date: Fri, 24 Mar 2023 16:57:00 +0200
+Subject: [PATCH] wifi: ath11k: Configure the FTM responder role using firmware
+ capability flag
+
+Fine Time Measurement(FTM) is offloaded feature to firmware.
+Hence, the configuration of FTM responder role is done using
+firmware capability flag instead of hw param.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Ganesh Babu Jothiram <quic_gjothira@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230317072034.8217-1-quic_gjothira@quicinc.com
+---
+ drivers/net/wireless/ath/ath11k/core.c | 8 --------
+ drivers/net/wireless/ath/ath11k/hw.h | 1 -
+ drivers/net/wireless/ath/ath11k/mac.c | 4 ++--
+ 3 files changed, 2 insertions(+), 11 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/core.c
++++ b/drivers/net/wireless/ath/ath11k/core.c
+@@ -116,7 +116,6 @@ static const struct ath11k_hw_params ath
+ .tcl_ring_retry = true,
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+- .ftm_responder = true,
+ },
+ {
+ .hw_rev = ATH11K_HW_IPQ6018_HW10,
+@@ -199,7 +198,6 @@ static const struct ath11k_hw_params ath
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+ .support_fw_mac_sequence = false,
+- .ftm_responder = true,
+ },
+ {
+ .name = "qca6390 hw2.0",
+@@ -284,7 +282,6 @@ static const struct ath11k_hw_params ath
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+ .support_fw_mac_sequence = true,
+- .ftm_responder = false,
+ },
+ {
+ .name = "qcn9074 hw1.0",
+@@ -366,7 +363,6 @@ static const struct ath11k_hw_params ath
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+ .support_fw_mac_sequence = false,
+- .ftm_responder = true,
+ },
+ {
+ .name = "wcn6855 hw2.0",
+@@ -451,7 +447,6 @@ static const struct ath11k_hw_params ath
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+ .support_fw_mac_sequence = true,
+- .ftm_responder = false,
+ },
+ {
+ .name = "wcn6855 hw2.1",
+@@ -534,7 +529,6 @@ static const struct ath11k_hw_params ath
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+ .support_fw_mac_sequence = true,
+- .ftm_responder = false,
+ },
+ {
+ .name = "wcn6750 hw1.0",
+@@ -615,7 +609,6 @@ static const struct ath11k_hw_params ath
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE_WCN6750,
+ .smp2p_wow_exit = true,
+ .support_fw_mac_sequence = true,
+- .ftm_responder = false,
+ },
+ {
+ .hw_rev = ATH11K_HW_IPQ5018_HW10,
+@@ -695,7 +688,6 @@ static const struct ath11k_hw_params ath
+ .tx_ring_size = DP_TCL_DATA_RING_SIZE,
+ .smp2p_wow_exit = false,
+ .support_fw_mac_sequence = false,
+- .ftm_responder = true,
+ },
+ };
+
+--- a/drivers/net/wireless/ath/ath11k/hw.h
++++ b/drivers/net/wireless/ath/ath11k/hw.h
+@@ -224,7 +224,6 @@ struct ath11k_hw_params {
+ u32 tx_ring_size;
+ bool smp2p_wow_exit;
+ bool support_fw_mac_sequence;
+- bool ftm_responder;
+ };
+
+ struct ath11k_hw_ops {
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -3538,7 +3538,7 @@ static void ath11k_mac_op_bss_info_chang
+
+ if (changed & BSS_CHANGED_FTM_RESPONDER &&
+ arvif->ftm_responder != info->ftm_responder &&
+- ar->ab->hw_params.ftm_responder &&
++ test_bit(WMI_TLV_SERVICE_RTT, ar->ab->wmi_ab.svc_map) &&
+ (vif->type == NL80211_IFTYPE_AP ||
+ vif->type == NL80211_IFTYPE_MESH_POINT)) {
+ arvif->ftm_responder = info->ftm_responder;
+@@ -9234,7 +9234,7 @@ static int __ath11k_mac_register(struct
+ wiphy_ext_feature_set(ar->hw->wiphy,
+ NL80211_EXT_FEATURE_SET_SCAN_DWELL);
+
+- if (ab->hw_params.ftm_responder)
++ if (test_bit(WMI_TLV_SERVICE_RTT, ar->ab->wmi_ab.svc_map))
+ wiphy_ext_feature_set(ar->hw->wiphy,
+ NL80211_EXT_FEATURE_ENABLE_FTM_RESPONDER);
+
diff --git a/package/kernel/mac80211/patches/ath11k/0051-wifi-ath11k-fix-rssi-station-dump-not-updated-in-QCN.patch b/package/kernel/mac80211/patches/ath11k/0051-wifi-ath11k-fix-rssi-station-dump-not-updated-in-QCN.patch
new file mode 100644
index 0000000000..835dece1fe
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/0051-wifi-ath11k-fix-rssi-station-dump-not-updated-in-QCN.patch
@@ -0,0 +1,158 @@
+From 031ffa6c2cd305a57ccc6d610f2decd956b2e7f6 Mon Sep 17 00:00:00 2001
+From: P Praneesh <quic_ppranees@quicinc.com>
+Date: Fri, 24 Mar 2023 16:57:00 +0200
+Subject: [PATCH] wifi: ath11k: fix rssi station dump not updated in QCN9074
+
+In QCN9074, station dump signal values display default value which
+is -95 dbm, since there is firmware header change for HAL_RX_MPDU_START
+between QCN9074 and IPQ8074 which cause wrong peer_id fetch from msdu.
+Fix this by updating hal_rx_mpdu_info with corresponding QCN9074 tlv
+format.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
+Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230320110312.20639-1-quic_ppranees@quicinc.com
+---
+ drivers/net/wireless/ath/ath11k/hal_rx.c | 10 ++++++++-
+ drivers/net/wireless/ath/ath11k/hal_rx.h | 18 +++++++++++++++-
+ drivers/net/wireless/ath/ath11k/hw.c | 27 ++++++++++++++++--------
+ drivers/net/wireless/ath/ath11k/hw.h | 2 +-
+ 4 files changed, 45 insertions(+), 12 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/hal_rx.c
++++ b/drivers/net/wireless/ath/ath11k/hal_rx.c
+@@ -865,6 +865,12 @@ ath11k_hal_rx_populate_mu_user_info(void
+ ath11k_hal_rx_populate_byte_count(rx_tlv, ppdu_info, rx_user_status);
+ }
+
++static u16 ath11k_hal_rx_mpduinfo_get_peerid(struct ath11k_base *ab,
++ struct hal_rx_mpdu_info *mpdu_info)
++{
++ return ab->hw_params.hw_ops->mpdu_info_get_peerid(mpdu_info);
++}
++
+ static enum hal_rx_mon_status
+ ath11k_hal_rx_parse_mon_status_tlv(struct ath11k_base *ab,
+ struct hal_rx_mon_ppdu_info *ppdu_info,
+@@ -1459,9 +1465,11 @@ ath11k_hal_rx_parse_mon_status_tlv(struc
+ break;
+ }
+ case HAL_RX_MPDU_START: {
++ struct hal_rx_mpdu_info *mpdu_info =
++ (struct hal_rx_mpdu_info *)tlv_data;
+ u16 peer_id;
+
+- peer_id = ab->hw_params.hw_ops->mpdu_info_get_peerid(tlv_data);
++ peer_id = ath11k_hal_rx_mpduinfo_get_peerid(ab, mpdu_info);
+ if (peer_id)
+ ppdu_info->peer_id = peer_id;
+ break;
+--- a/drivers/net/wireless/ath/ath11k/hal_rx.h
++++ b/drivers/net/wireless/ath/ath11k/hal_rx.h
+@@ -405,7 +405,7 @@ struct hal_rx_phyrx_rssi_legacy_info {
+ #define HAL_RX_MPDU_INFO_INFO0_PEERID_WCN6855 GENMASK(15, 0)
+ #define HAL_RX_MPDU_INFO_INFO1_MPDU_LEN GENMASK(13, 0)
+
+-struct hal_rx_mpdu_info {
++struct hal_rx_mpdu_info_ipq8074 {
+ __le32 rsvd0;
+ __le32 info0;
+ __le32 rsvd1[11];
+@@ -413,12 +413,28 @@ struct hal_rx_mpdu_info {
+ __le32 rsvd2[9];
+ } __packed;
+
++struct hal_rx_mpdu_info_qcn9074 {
++ __le32 rsvd0[10];
++ __le32 info0;
++ __le32 rsvd1[2];
++ __le32 info1;
++ __le32 rsvd2[9];
++} __packed;
++
+ struct hal_rx_mpdu_info_wcn6855 {
+ __le32 rsvd0[8];
+ __le32 info0;
+ __le32 rsvd1[14];
+ } __packed;
+
++struct hal_rx_mpdu_info {
++ union {
++ struct hal_rx_mpdu_info_ipq8074 ipq8074;
++ struct hal_rx_mpdu_info_qcn9074 qcn9074;
++ struct hal_rx_mpdu_info_wcn6855 wcn6855;
++ } u;
++} __packed;
++
+ #define HAL_RX_PPDU_END_DURATION GENMASK(23, 0)
+ struct hal_rx_ppdu_end_duration {
+ __le32 rsvd0[9];
+--- a/drivers/net/wireless/ath/ath11k/hw.c
++++ b/drivers/net/wireless/ath/ath11k/hw.c
+@@ -835,26 +835,35 @@ static void ath11k_hw_ipq5018_reo_setup(
+ ring_hash_map);
+ }
+
+-static u16 ath11k_hw_ipq8074_mpdu_info_get_peerid(u8 *tlv_data)
++static u16
++ath11k_hw_ipq8074_mpdu_info_get_peerid(struct hal_rx_mpdu_info *mpdu_info)
+ {
+ u16 peer_id = 0;
+- struct hal_rx_mpdu_info *mpdu_info =
+- (struct hal_rx_mpdu_info *)tlv_data;
+
+ peer_id = FIELD_GET(HAL_RX_MPDU_INFO_INFO0_PEERID,
+- __le32_to_cpu(mpdu_info->info0));
++ __le32_to_cpu(mpdu_info->u.ipq8074.info0));
+
+ return peer_id;
+ }
+
+-static u16 ath11k_hw_wcn6855_mpdu_info_get_peerid(u8 *tlv_data)
++static u16
++ath11k_hw_qcn9074_mpdu_info_get_peerid(struct hal_rx_mpdu_info *mpdu_info)
++{
++ u16 peer_id = 0;
++
++ peer_id = FIELD_GET(HAL_RX_MPDU_INFO_INFO0_PEERID,
++ __le32_to_cpu(mpdu_info->u.qcn9074.info0));
++
++ return peer_id;
++}
++
++static u16
++ath11k_hw_wcn6855_mpdu_info_get_peerid(struct hal_rx_mpdu_info *mpdu_info)
+ {
+ u16 peer_id = 0;
+- struct hal_rx_mpdu_info_wcn6855 *mpdu_info =
+- (struct hal_rx_mpdu_info_wcn6855 *)tlv_data;
+
+ peer_id = FIELD_GET(HAL_RX_MPDU_INFO_INFO0_PEERID_WCN6855,
+- __le32_to_cpu(mpdu_info->info0));
++ __le32_to_cpu(mpdu_info->u.wcn6855.info0));
+ return peer_id;
+ }
+
+@@ -1042,7 +1051,7 @@ const struct ath11k_hw_ops qcn9074_ops =
+ .rx_desc_get_attention = ath11k_hw_qcn9074_rx_desc_get_attention,
+ .rx_desc_get_msdu_payload = ath11k_hw_qcn9074_rx_desc_get_msdu_payload,
+ .reo_setup = ath11k_hw_ipq8074_reo_setup,
+- .mpdu_info_get_peerid = ath11k_hw_ipq8074_mpdu_info_get_peerid,
++ .mpdu_info_get_peerid = ath11k_hw_qcn9074_mpdu_info_get_peerid,
+ .rx_desc_mac_addr2_valid = ath11k_hw_ipq9074_rx_desc_mac_addr2_valid,
+ .rx_desc_mpdu_start_addr2 = ath11k_hw_ipq9074_rx_desc_mpdu_start_addr2,
+ .get_ring_selector = ath11k_hw_ipq8074_get_tcl_ring_selector,
+--- a/drivers/net/wireless/ath/ath11k/hw.h
++++ b/drivers/net/wireless/ath/ath11k/hw.h
+@@ -263,7 +263,7 @@ struct ath11k_hw_ops {
+ struct rx_attention *(*rx_desc_get_attention)(struct hal_rx_desc *desc);
+ u8 *(*rx_desc_get_msdu_payload)(struct hal_rx_desc *desc);
+ void (*reo_setup)(struct ath11k_base *ab);
+- u16 (*mpdu_info_get_peerid)(u8 *tlv_data);
++ u16 (*mpdu_info_get_peerid)(struct hal_rx_mpdu_info *mpdu_info);
+ bool (*rx_desc_mac_addr2_valid)(struct hal_rx_desc *desc);
+ u8* (*rx_desc_mpdu_start_addr2)(struct hal_rx_desc *desc);
+ u32 (*get_ring_selector)(struct sk_buff *skb);
diff --git a/package/kernel/mac80211/patches/ath11k/0052-wifi-ath11k-Fix-invalid-management-rx-frame-length-i.patch b/package/kernel/mac80211/patches/ath11k/0052-wifi-ath11k-Fix-invalid-management-rx-frame-length-i.patch
new file mode 100644
index 0000000000..0c1637fb04
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/0052-wifi-ath11k-Fix-invalid-management-rx-frame-length-i.patch
@@ -0,0 +1,115 @@
+From 447b0398a9cd41ca343dfd43e555af92d6214487 Mon Sep 17 00:00:00 2001
+From: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
+Date: Fri, 24 Mar 2023 16:57:00 +0200
+Subject: [PATCH] wifi: ath11k: Fix invalid management rx frame length issue
+
+The WMI management rx event has multiple arrays of TLVs, however the common
+WMI TLV parser won't handle multiple TLV tags of same type.
+So the multiple array tags of WMI management rx TLV is parsed incorrectly
+and the length calculated becomes wrong when the target sends multiple
+array tags.
+
+Add separate TLV parser to handle multiple arrays for WMI management rx
+TLV. This fixes invalid length issue when the target sends multiple array
+tags.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
+
+Signed-off-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
+Co-developed-by: Nagarajan Maran <quic_nmaran@quicinc.com>
+Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230320133840.30162-1-quic_nmaran@quicinc.com
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 45 +++++++++++++++++++++------
+ 1 file changed, 35 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -82,6 +82,12 @@ struct wmi_tlv_fw_stats_parse {
+ bool chain_rssi_done;
+ };
+
++struct wmi_tlv_mgmt_rx_parse {
++ const struct wmi_mgmt_rx_hdr *fixed;
++ const u8 *frame_buf;
++ bool frame_buf_done;
++};
++
+ static const struct wmi_tlv_policy wmi_tlv_policies[] = {
+ [WMI_TAG_ARRAY_BYTE]
+ = { .min_len = 0 },
+@@ -5633,28 +5639,49 @@ static int ath11k_pull_vdev_stopped_para
+ return 0;
+ }
+
++static int ath11k_wmi_tlv_mgmt_rx_parse(struct ath11k_base *ab,
++ u16 tag, u16 len,
++ const void *ptr, void *data)
++{
++ struct wmi_tlv_mgmt_rx_parse *parse = data;
++
++ switch (tag) {
++ case WMI_TAG_MGMT_RX_HDR:
++ parse->fixed = ptr;
++ break;
++ case WMI_TAG_ARRAY_BYTE:
++ if (!parse->frame_buf_done) {
++ parse->frame_buf = ptr;
++ parse->frame_buf_done = true;
++ }
++ break;
++ }
++ return 0;
++}
++
+ static int ath11k_pull_mgmt_rx_params_tlv(struct ath11k_base *ab,
+ struct sk_buff *skb,
+ struct mgmt_rx_event_params *hdr)
+ {
+- const void **tb;
++ struct wmi_tlv_mgmt_rx_parse parse = { };
+ const struct wmi_mgmt_rx_hdr *ev;
+ const u8 *frame;
+ int ret;
+
+- tb = ath11k_wmi_tlv_parse_alloc(ab, skb->data, skb->len, GFP_ATOMIC);
+- if (IS_ERR(tb)) {
+- ret = PTR_ERR(tb);
+- ath11k_warn(ab, "failed to parse tlv: %d\n", ret);
++ ret = ath11k_wmi_tlv_iter(ab, skb->data, skb->len,
++ ath11k_wmi_tlv_mgmt_rx_parse,
++ &parse);
++ if (ret) {
++ ath11k_warn(ab, "failed to parse mgmt rx tlv %d\n",
++ ret);
+ return ret;
+ }
+
+- ev = tb[WMI_TAG_MGMT_RX_HDR];
+- frame = tb[WMI_TAG_ARRAY_BYTE];
++ ev = parse.fixed;
++ frame = parse.frame_buf;
+
+ if (!ev || !frame) {
+ ath11k_warn(ab, "failed to fetch mgmt rx hdr");
+- kfree(tb);
+ return -EPROTO;
+ }
+
+@@ -5673,7 +5700,6 @@ static int ath11k_pull_mgmt_rx_params_tl
+
+ if (skb->len < (frame - skb->data) + hdr->buf_len) {
+ ath11k_warn(ab, "invalid length in mgmt rx hdr ev");
+- kfree(tb);
+ return -EPROTO;
+ }
+
+@@ -5685,7 +5711,6 @@ static int ath11k_pull_mgmt_rx_params_tl
+
+ ath11k_ce_byte_swap(skb->data, hdr->buf_len);
+
+- kfree(tb);
+ return 0;
+ }
+
diff --git a/package/kernel/mac80211/patches/ath11k/0053-wifi-ath11k-fix-writing-to-unintended-memory-region.patch b/package/kernel/mac80211/patches/ath11k/0053-wifi-ath11k-fix-writing-to-unintended-memory-region.patch
new file mode 100644
index 0000000000..7b8a7d4543
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/0053-wifi-ath11k-fix-writing-to-unintended-memory-region.patch
@@ -0,0 +1,43 @@
+From 756a7f90878f0866fd2fe167ef37e90b47326b96 Mon Sep 17 00:00:00 2001
+From: P Praneesh <quic_ppranees@quicinc.com>
+Date: Fri, 24 Mar 2023 16:57:01 +0200
+Subject: [PATCH] wifi: ath11k: fix writing to unintended memory region
+
+While initializing spectral, the magic value is getting written to the
+invalid memory address leading to random boot-up crash. This occurs
+due to the incorrect index increment in ath11k_dbring_fill_magic_value
+function. Fix it by replacing the existing logic with memset32 to ensure
+there is no invalid memory access.
+
+Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1-01838-QCAHKSWPL_SILICONZ-1
+
+Fixes: d3d358efc553 ("ath11k: add spectral/CFR buffer validation support")
+Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230321052900.16895-1-quic_ppranees@quicinc.com
+---
+ drivers/net/wireless/ath/ath11k/dbring.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/dbring.c
++++ b/drivers/net/wireless/ath/ath11k/dbring.c
+@@ -26,13 +26,13 @@ int ath11k_dbring_validate_buffer(struct
+ static void ath11k_dbring_fill_magic_value(struct ath11k *ar,
+ void *buffer, u32 size)
+ {
+- u32 *temp;
+- int idx;
++ /* memset32 function fills buffer payload with the ATH11K_DB_MAGIC_VALUE
++ * and the variable size is expected to be the number of u32 values
++ * to be stored, not the number of bytes.
++ */
++ size = size / sizeof(u32);
+
+- size = size >> 2;
+-
+- for (idx = 0, temp = buffer; idx < size; idx++, temp++)
+- *temp++ = ATH11K_DB_MAGIC_VALUE;
++ memset32(buffer, ATH11K_DB_MAGIC_VALUE, size);
+ }
+
+ static int ath11k_dbring_bufs_replenish(struct ath11k *ar,
diff --git a/package/kernel/mac80211/patches/ath11k/0054-wifi-ath11k-Send-11d-scan-start-before-WMI_START_SCA.patch b/package/kernel/mac80211/patches/ath11k/0054-wifi-ath11k-Send-11d-scan-start-before-WMI_START_SCA.patch
new file mode 100644
index 0000000000..0f8e637592
--- /dev/null
+++ b/package/kernel/mac80211/patches/ath11k/0054-wifi-ath11k-Send-11d-scan-start-before-WMI_START_SCA.patch
@@ -0,0 +1,61 @@
+From e89a51aedf380bc60219dc9afa96c36507060fb3 Mon Sep 17 00:00:00 2001
+From: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+Date: Wed, 15 Mar 2023 21:48:17 +0530
+Subject: [PATCH] wifi: ath11k: Send 11d scan start before WMI_START_SCAN_CMDID
+
+Firmwares advertising the support of triggering 11d algorithm on the
+scan results of a regular scan expects driver to send
+WMI_11D_SCAN_START_CMDID before sending WMI_START_SCAN_CMDID.
+Triggering 11d algorithm on the scan results of a normal scan helps
+in completely avoiding a separate 11d scan for determining regdomain.
+This indirectly helps in speeding up connections on station
+interfaces on the chipsets supporting 11D scan.
+
+To enable this feature, send WMI_11D_SCAN_START_CMDID just before
+sending WMI_START_SCAN_CMDID if the firmware advertises
+WMI_TLV_SERVICE_SUPPORT_11D_FOR_HOST_SCAN service flag.
+
+WCN6750 & WCN6855 supports this feature.
+
+Tested-on: WCN6750 hw1.0 AHB WLAN.MSL.1.0.1-01160-QCAMSLSWPLZ-1
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.23
+
+Signed-off-by: Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
+Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
+Link: https://lore.kernel.org/r/20230315161817.29627-1-quic_mpubbise@quicinc.com
+---
+ drivers/net/wireless/ath/ath11k/mac.c | 12 ++++++++++++
+ drivers/net/wireless/ath/ath11k/wmi.h | 1 +
+ 2 files changed, 13 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath11k/mac.c
++++ b/drivers/net/wireless/ath/ath11k/mac.c
+@@ -3755,6 +3755,18 @@ static int ath11k_mac_op_hw_scan(struct
+ int i;
+ u32 scan_timeout;
+
++ /* Firmwares advertising the support of triggering 11D algorithm
++ * on the scan results of a regular scan expects driver to send
++ * WMI_11D_SCAN_START_CMDID before sending WMI_START_SCAN_CMDID.
++ * With this feature, separate 11D scan can be avoided since
++ * regdomain can be determined with the scan results of the
++ * regular scan.
++ */
++ if (ar->state_11d == ATH11K_11D_PREPARING &&
++ test_bit(WMI_TLV_SERVICE_SUPPORT_11D_FOR_HOST_SCAN,
++ ar->ab->wmi_ab.svc_map))
++ ath11k_mac_11d_scan_start(ar, arvif->vdev_id);
++
+ mutex_lock(&ar->conf_mutex);
+
+ spin_lock_bh(&ar->data_lock);
+--- a/drivers/net/wireless/ath/ath11k/wmi.h
++++ b/drivers/net/wireless/ath/ath11k/wmi.h
+@@ -2103,6 +2103,7 @@ enum wmi_tlv_service {
+ WMI_TLV_SERVICE_SCAN_CONFIG_PER_CHANNEL = 265,
+ WMI_TLV_SERVICE_REG_CC_EXT_EVENT_SUPPORT = 281,
+ WMI_TLV_SERVICE_BIOS_SAR_SUPPORT = 326,
++ WMI_TLV_SERVICE_SUPPORT_11D_FOR_HOST_SCAN = 357,
+
+ /* The third 128 bits */
+ WMI_MAX_EXT2_SERVICE = 384
diff --git a/package/kernel/mac80211/patches/ath11k/101-Fix-invalid-management-rx-frame-length-issue.patch b/package/kernel/mac80211/patches/ath11k/101-Fix-invalid-management-rx-frame-length-issue.patch
deleted file mode 100644
index 7b650a5342..0000000000
--- a/package/kernel/mac80211/patches/ath11k/101-Fix-invalid-management-rx-frame-length-issue.patch
+++ /dev/null
@@ -1,202 +0,0 @@
-From patchwork Mon Mar 20 13:38:40 2023
-Content-Type: text/plain; charset="utf-8"
-MIME-Version: 1.0
-Content-Transfer-Encoding: 7bit
-X-Patchwork-Submitter: Nagarajan Maran <quic_nmaran@quicinc.com>
-X-Patchwork-Id: 13181272
-X-Patchwork-Delegate: kvalo@adurom.com
-Return-Path: <linux-wireless-owner@vger.kernel.org>
-X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
- aws-us-west-2-korg-lkml-1.web.codeaurora.org
-Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
- by smtp.lore.kernel.org (Postfix) with ESMTP id 6F899C6FD1D
- for <linux-wireless@archiver.kernel.org>;
- Mon, 20 Mar 2023 13:39:52 +0000 (UTC)
-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
- id S231824AbjCTNjm (ORCPT
- <rfc822;linux-wireless@archiver.kernel.org>);
- Mon, 20 Mar 2023 09:39:42 -0400
-Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44860 "EHLO
- lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
- with ESMTP id S231795AbjCTNjT (ORCPT
- <rfc822;linux-wireless@vger.kernel.org>);
- Mon, 20 Mar 2023 09:39:19 -0400
-Received: from mx0b-0031df01.pphosted.com (mx0b-0031df01.pphosted.com
- [205.220.180.131])
- by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD4CC1A66C
- for <linux-wireless@vger.kernel.org>;
- Mon, 20 Mar 2023 06:39:10 -0700 (PDT)
-Received: from pps.filterd (m0279872.ppops.net [127.0.0.1])
- by mx0a-0031df01.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id
- 32KBvFZ2004731;
- Mon, 20 Mar 2023 13:39:05 GMT
-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=quicinc.com;
- h=from : to : cc :
- subject : date : message-id : mime-version : content-type; s=qcppdkim1;
- bh=jMz2u2+gyjJJcj5tuRPYVv0di+sn1S5ni8sqhMu/9Kg=;
- b=BNz+KGi99iSZhDkes9KWF52w7CzSYjHOAYXTfBPlCQk7pM1ZZAIsxB8H3zGnapUkas/r
- 1FfSr/9GpQ+5F6LsOEhJ4KF4Us8wsGi/jZnw25FoCqH4jPqhHPQzcC4jaVzVtNdjiA/0
- PlEKhMhP6ULKuRkpbM7RDNigSEYSRmhgqbWkVUL69mwPEJi2oHbhQgxFGFO75Rmfk+Gt
- 8w4fd4JPJXA1PNOxL3X8nGYxxzxTsUvQi80R1Tm683dJg7fwBKlNOyD/BlmnrBGBeIqv
- CMVmf/KTnEUEFt7WWsvQInmEBZG+JH8TvwUAZ9ndRKqA4kCNXqS5+79KGzUuBP80f3yv ow==
-Received: from nalasppmta01.qualcomm.com (Global_NAT1.qualcomm.com
- [129.46.96.20])
- by mx0a-0031df01.pphosted.com (PPS) with ESMTPS id 3pen6hrh12-1
- (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
- verify=NOT);
- Mon, 20 Mar 2023 13:39:05 +0000
-Received: from nalasex01a.na.qualcomm.com (nalasex01a.na.qualcomm.com
- [10.47.209.196])
- by NALASPPMTA01.qualcomm.com (8.17.1.5/8.17.1.5) with ESMTPS id
- 32KDd4H6010152
- (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256
- verify=NOT);
- Mon, 20 Mar 2023 13:39:04 GMT
-Received: from nmaran-linux.qualcomm.com (10.80.80.8) by
- nalasex01a.na.qualcomm.com (10.47.209.196) with Microsoft SMTP Server
- (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
- 15.2.986.41; Mon, 20 Mar 2023 06:39:02 -0700
-From: Nagarajan Maran <quic_nmaran@quicinc.com>
-To: <ath11k@lists.infradead.org>
-CC: <linux-wireless@vger.kernel.org>,
- Bhagavathi Perumal S <quic_bperumal@quicinc.com>,
- Nagarajan Maran <quic_nmaran@quicinc.com>
-Subject: [PATCH] wifi: ath11k: Fix invalid management rx frame length issue
-Date: Mon, 20 Mar 2023 19:08:40 +0530
-Message-ID: <20230320133840.30162-1-quic_nmaran@quicinc.com>
-X-Mailer: git-send-email 2.17.1
-MIME-Version: 1.0
-X-Originating-IP: [10.80.80.8]
-X-ClientProxiedBy: nasanex01a.na.qualcomm.com (10.52.223.231) To
- nalasex01a.na.qualcomm.com (10.47.209.196)
-X-QCInternal: smtphost
-X-Proofpoint-Virus-Version: vendor=nai engine=6200 definitions=5800
- signatures=585085
-X-Proofpoint-ORIG-GUID: 8NkXcGNm6eXVpjTaeMT1e0VxZ9FeT59R
-X-Proofpoint-GUID: 8NkXcGNm6eXVpjTaeMT1e0VxZ9FeT59R
-X-Proofpoint-Virus-Version: vendor=baseguard
- engine=ICAP:2.0.254,Aquarius:18.0.942,Hydra:6.0.573,FMLib:17.11.170.22
- definitions=2023-03-20_09,2023-03-20_02,2023-02-09_01
-X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
- mlxlogscore=999
- malwarescore=0 priorityscore=1501 mlxscore=0 bulkscore=0 adultscore=0
- spamscore=0 impostorscore=0 phishscore=0 clxscore=1011 suspectscore=0
- lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1
- engine=8.12.0-2303150002 definitions=main-2303200115
-Precedence: bulk
-List-ID: <linux-wireless.vger.kernel.org>
-X-Mailing-List: linux-wireless@vger.kernel.org
-
-From: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
-
-The WMI management rx event has multiple arrays of TLVs, however the common
-WMI TLV parser won't handle multiple TLV tags of same type.
-So the multiple array tags of WMI management rx TLV is parsed incorrectly
-and the length calculated becomes wrong when the target sends multiple
-array tags.
-
-Add separate TLV parser to handle multiple arrays for WMI management rx
-TLV. This fixes invalid length issue when the target sends multiple array
-tags.
-
-Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
-
-Signed-off-by: Bhagavathi Perumal S <quic_bperumal@quicinc.com>
-Co-developed-by: Nagarajan Maran <quic_nmaran@quicinc.com>
-Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
----
- drivers/net/wireless/ath/ath11k/wmi.c | 45 +++++++++++++++++++++------
- 1 file changed, 35 insertions(+), 10 deletions(-)
-
-
-base-commit: 3df3715e556027e94246b2cb30986563362a65f4
-
---- a/drivers/net/wireless/ath/ath11k/wmi.c
-+++ b/drivers/net/wireless/ath/ath11k/wmi.c
-@@ -82,6 +82,12 @@ struct wmi_tlv_fw_stats_parse {
- bool chain_rssi_done;
- };
-
-+struct wmi_tlv_mgmt_rx_parse {
-+ const struct wmi_mgmt_rx_hdr *fixed;
-+ const u8 *frame_buf;
-+ bool frame_buf_done;
-+};
-+
- static const struct wmi_tlv_policy wmi_tlv_policies[] = {
- [WMI_TAG_ARRAY_BYTE]
- = { .min_len = 0 },
-@@ -5633,28 +5639,49 @@ static int ath11k_pull_vdev_stopped_para
- return 0;
- }
-
-+static int ath11k_wmi_tlv_mgmt_rx_parse(struct ath11k_base *ab,
-+ u16 tag, u16 len,
-+ const void *ptr, void *data)
-+{
-+ struct wmi_tlv_mgmt_rx_parse *parse = data;
-+
-+ switch (tag) {
-+ case WMI_TAG_MGMT_RX_HDR:
-+ parse->fixed = ptr;
-+ break;
-+ case WMI_TAG_ARRAY_BYTE:
-+ if (!parse->frame_buf_done) {
-+ parse->frame_buf = ptr;
-+ parse->frame_buf_done = true;
-+ }
-+ break;
-+ }
-+ return 0;
-+}
-+
- static int ath11k_pull_mgmt_rx_params_tlv(struct ath11k_base *ab,
- struct sk_buff *skb,
- struct mgmt_rx_event_params *hdr)
- {
-- const void **tb;
-+ struct wmi_tlv_mgmt_rx_parse parse = { };
- const struct wmi_mgmt_rx_hdr *ev;
- const u8 *frame;
- int ret;
-
-- tb = ath11k_wmi_tlv_parse_alloc(ab, skb->data, skb->len, GFP_ATOMIC);
-- if (IS_ERR(tb)) {
-- ret = PTR_ERR(tb);
-- ath11k_warn(ab, "failed to parse tlv: %d\n", ret);
-+ ret = ath11k_wmi_tlv_iter(ab, skb->data, skb->len,
-+ ath11k_wmi_tlv_mgmt_rx_parse,
-+ &parse);
-+ if (ret) {
-+ ath11k_warn(ab, "failed to parse mgmt rx tlv %d\n",
-+ ret);
- return ret;
- }
-
-- ev = tb[WMI_TAG_MGMT_RX_HDR];
-- frame = tb[WMI_TAG_ARRAY_BYTE];
-+ ev = parse.fixed;
-+ frame = parse.frame_buf;
-
- if (!ev || !frame) {
- ath11k_warn(ab, "failed to fetch mgmt rx hdr");
-- kfree(tb);
- return -EPROTO;
- }
-
-@@ -5673,7 +5700,6 @@ static int ath11k_pull_mgmt_rx_params_tl
-
- if (skb->len < (frame - skb->data) + hdr->buf_len) {
- ath11k_warn(ab, "invalid length in mgmt rx hdr ev");
-- kfree(tb);
- return -EPROTO;
- }
-
-@@ -5685,7 +5711,6 @@ static int ath11k_pull_mgmt_rx_params_tl
-
- ath11k_ce_byte_swap(skb->data, hdr->buf_len);
-
-- kfree(tb);
- return 0;
- }
-
diff --git a/package/kernel/mac80211/patches/ath11k/903-ath11k-support-setting-FW-memory-mode-via-DT.patch b/package/kernel/mac80211/patches/ath11k/903-ath11k-support-setting-FW-memory-mode-via-DT.patch
index 87cbcbe315..a93871eca5 100644
--- a/package/kernel/mac80211/patches/ath11k/903-ath11k-support-setting-FW-memory-mode-via-DT.patch
+++ b/package/kernel/mac80211/patches/ath11k/903-ath11k-support-setting-FW-memory-mode-via-DT.patch
@@ -31,7 +31,7 @@ Signed-off-by: Robert Marko <robimarko@gmail.com>
{
.hw_rev = ATH11K_HW_IPQ8074,
.name = "ipq8074 hw2.0",
-@@ -1919,7 +1919,8 @@ static void ath11k_core_reset(struct wor
+@@ -1911,7 +1911,8 @@ static void ath11k_core_reset(struct wor
static int ath11k_init_hw_params(struct ath11k_base *ab)
{
const struct ath11k_hw_params *hw_params = NULL;
@@ -41,7 +41,7 @@ Signed-off-by: Robert Marko <robimarko@gmail.com>
for (i = 0; i < ARRAY_SIZE(ath11k_hw_params); i++) {
hw_params = &ath11k_hw_params[i];
-@@ -1935,7 +1936,30 @@ static int ath11k_init_hw_params(struct
+@@ -1927,7 +1928,30 @@ static int ath11k_init_hw_params(struct
ab->hw_params = *hw_params;
diff --git a/package/kernel/mac80211/patches/ath11k/904-wifi-ath11k-restore-160MHz-support.patch b/package/kernel/mac80211/patches/ath11k/904-wifi-ath11k-restore-160MHz-support.patch
index 61abb847d0..b5d9473597 100644
--- a/package/kernel/mac80211/patches/ath11k/904-wifi-ath11k-restore-160MHz-support.patch
+++ b/package/kernel/mac80211/patches/ath11k/904-wifi-ath11k-restore-160MHz-support.patch
@@ -16,7 +16,7 @@ Signed-off-by: Robert Marko <robimarko@gmail.com>
--- a/drivers/net/wireless/ath/ath11k/mac.c
+++ b/drivers/net/wireless/ath/ath11k/mac.c
-@@ -5552,10 +5552,6 @@ static int ath11k_mac_copy_he_cap(struct
+@@ -5585,10 +5585,6 @@ static int ath11k_mac_copy_he_cap(struct
he_cap_elem->mac_cap_info[1] &=
IEEE80211_HE_MAC_CAP1_TF_MAC_PAD_DUR_MASK;