
From: Kirill A. Korinsky <kirill@korins.ky>
Subject: Re: qwz: enable WPA2 association on WCN7850
To: Marcus Glocker <marcus@nazgul.ch>
Cc: tech@openbsd.org, Mark Kettenis <mark.kettenis@xs4all.nl>, Stefan Sperling <stsp@stsp.name>, Patrick Wildt <mail@patrick-wildt.de>
Date: Sun, 26 Apr 2026 14:04:41 +0200

On Sat, 25 Apr 2026 23:56:07 +0200,
Marcus Glocker <marcus@nazgul.ch> wrote:
> 
> Bring the qwz driver up to a working WPA2 client connection on the
> Qualcomm WCN7850 chip.  Tested on the Samsung Galaxy Book4 Edge.
> 
> Major changes:
> 
> 1. Fix the RX path.
>    Wire up the WCN7850 descriptor accesses that were unset; override
>    the descriptor size to match what the FW actually writes (512 bytes
>    instead of struct sizeof 472); add the first-line filters that drop
>    FW-injected garbage frames before net80211 mistakes them for fake
>    auth/deauth.
> 
> 2. Fix the TX path.
>    Port Linux's WiFi7 "TX bank" infrastructure: a per-VDEV register
>    that holds encap/encrypt/search settings the descriptor used to
>    carry inline.  Rewrite the TX descriptor builder for the WiFi7 wire
>    format.  Fix an encrypt_type default that was making the FW try to
>    WEP-encrypt plain-text EAPOL frames.
> 
> 3. Fix MSI interrupt routing.
>    Correct the DP IRQ group's MSI vector calculation, and free the
>    vector DP group 0 needs (was being held by an unused pktlog
>    interrupt).  Without these, RX completions never fired regardless
>    of how correct the rest of the path was.
> 
> 4. Make the WPA2 4-way handshake complete.
>    Move WMI_PEER_AUTHORIZE to fire after key install, not before; the
>    old order told the FW crypto was up while plain-text EAPOL was still
>    in flight, crashing the FW.  Mask the AID to its 14-bit value before
>    handing it to the FW.  Add the missing REO queue setup for non-QoS
>    frames, which is where EAPOL lives.
> 
> 5. Add non-coherent DMA cache sync on RX and TX.
>    Without explicit flushes the CPU and FW see different bytes for
>    the same buffer.  This was the root cause of "garbage RX frames":
>    they were always real EAPOL Msg 1 frames torn by stale CPU cache
>    lines.
> 
> 6. Update register/descriptor defines from ath11k to ath12k WiFi7.
>    The TX descriptor wire format changed completely between
>    generations: bit positions, field set, even the number of 32-bit
>    words.  Partial updates wouldn't have worked.
> 
> 7. Cleanup.
>    Remove some debug printfs and the diagnostic counters added during
>    the bring-up to verify the path was working.
> 
> Known limitations:
> 
>   - Firmware occasionally crashes after sustained traffic; driver
>     recovers via the existing RDDM path in if_qwz_pci.c without a
>     system reboot.  Root-causing this is the next follow-up.
>   - One PN-replay loop in qwz_dp_peer_rx_pn_replay_config doesn't
>     iterate the non-QoS TID slot.  Cosmetic for normal use; will
>     land as a separate small commit.
> 
> Further testing, feedback, OKs, welcome.
> 

I can't join my WiFi network with qwz0 on Honor, firmware crashed like that:

Apr 26 14:01:41 honor /bsd: qwz_pcic_get_user_msi_vector: MSI assignment DP num_vectors 8 user_base_data 8 base_vector 8
Apr 26 14:01:41 honor /bsd: qwz0: type 0 ring_num 3 target_reg 0xa3b064 shadow 0x908
Apr 26 14:01:41 honor /bsd: qwz_wmi_tlv_op_rx: 0x16005: update fw mem dump
Apr 26 14:01:41 honor /bsd: qwz_wmi_tlv_op_rx: unsupported event id 0xb00b
Apr 26 14:01:41 honor /bsd: qwz_pull_reg_chan_list_ext_update_ev: not implemented
Apr 26 14:01:41 honor /bsd: qwz0: failed to extract regulatory info from received event
Apr 26 14:01:41 honor /bsd: qwz_pull_reg_chan_list_ext_update_ev: not implemented
Apr 26 14:01:41 honor /bsd: qwz0: failed to extract regulatory info from received event
Apr 26 14:01:41 honor /bsd: qwz_wmi_tlv_op_rx: unsupported event id 0x1d021
Apr 26 14:01:41 honor /bsd: qwz_dp_htt_htc_t2h_msg_handler: dp_htt rx msg type: 0x0
Apr 26 14:01:41 honor /bsd: qwz_dp_htt_htc_t2h_msg_handler: dp_htt rx msg type: 0x30
Apr 26 14:01:43 honor /bsd: qwz_dp_htt_htc_t2h_msg_handler: dp_htt rx msg type: 0x1e
Apr 26 14:01:43 honor /bsd: qwz_wmi_tlv_op_rx: unsupported event id 0x601a
Apr 26 14:01:43 honor /bsd: qwz_wmi_tlv_op_rx: unsupported event id 0x4011
Apr 26 14:01:43 honor /bsd: qwz_pcic_ext_irq_enable not implemented
Apr 26 14:01:44 honor /bsd: qwz_wmi_tlv_op_rx: 0x1d00a: wlan freq avoid event
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: txvec state is 0x0
Apr 26 14:01:45 honor last message repeated 39 times
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: txvec state is 0x2
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: RDDM snippet:
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: RDDM snippet:
Apr 26 14:01:45 honor /bsd:  01 00 00 00 08 02 00 00 f8 7c 56 01 00 00 00 00
Apr 26 14:01:45 honor /bsd:  f8 7c 56 01 00 00 00 00 50 00 00 00 00 00 00 00
Apr 26 14:01:45 honor /bsd:  51 36 2d 53 46 52 00 00 00 00 00 00 00 00 00 00
Apr 26 14:01:45 honor /bsd:  00 00 00 00 51 36 2d 53 46 52 2e 62 69 6e 00 00
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: sleeping for 30 seconds to allow userland to boot
Apr 26 14:02:15 honor /bsd: qwz_rddm_task: saving RDDM to /root/qwz0-rddm.bin
Apr 26 14:02:15 honor /bsd: qwz_rddm_task: done, error 0

and inside qwz0-rddm.bin via strings I see something that I never saw before:

dlpager_main.c:147:0x8Non Page Fault Exception cause code : 0x 23 at Address :


-- 
wbr, Kirill
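
Added example, not part of the original message or of the qwz driver: a small triage script that reassembles the "RDDM snippet" bytes from the log lines quoted above and extracts printable strings the way strings(1) does on the full dump. The function names `rddm_snippet` and `ascii_strings` are hypothetical, and the script assumes the hex rows directly follow the "RDDM snippet:" marker as they do in this log.

```python
import re

# Log lines copied from the message above (marker plus the four hex rows).
SAMPLE_LOG = """\
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: txvec state is 0x2
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: RDDM snippet:
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: RDDM snippet:
Apr 26 14:01:45 honor /bsd:  01 00 00 00 08 02 00 00 f8 7c 56 01 00 00 00 00
Apr 26 14:01:45 honor /bsd:  f8 7c 56 01 00 00 00 00 50 00 00 00 00 00 00 00
Apr 26 14:01:45 honor /bsd:  51 36 2d 53 46 52 00 00 00 00 00 00 00 00 00 00
Apr 26 14:01:45 honor /bsd:  00 00 00 00 51 36 2d 53 46 52 2e 62 69 6e 00 00
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: sleeping for 30 seconds to allow userland to boot
"""

# A hex row is "/bsd:" followed only by two-digit hex bytes up to end of line.
HEX_ROW = re.compile(r"/bsd:\s+((?:[0-9a-f]{2}\s+)*[0-9a-f]{2})\s*$", re.I)


def rddm_snippet(log_text):
    """Reassemble the bytes printed after the 'RDDM snippet:' marker."""
    out, in_dump = bytearray(), False
    for line in log_text.splitlines():
        if "RDDM snippet:" in line:
            in_dump = True          # the marker may repeat; keep waiting for rows
            continue
        m = HEX_ROW.search(line)
        if in_dump and m:
            out += bytes.fromhex(m.group(1))
        elif in_dump and out:
            break                   # first non-hex line after the rows ends the dump
    return bytes(out)


def ascii_strings(data, min_len=4):
    """Return (offset, text) for printable-ASCII runs of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    blob = rddm_snippet(SAMPLE_LOG)
    print(len(blob), "bytes in snippet")
    for offset, text in ascii_strings(blob):
        print(f"0x{offset:02x}  {text}")
```

`ascii_strings` works the same way on the bytes of the saved /root/qwz0-rddm.bin, which is useful for comparing exception strings between crash dumps.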