From: Kirill A. Korinsky
Subject: Re: qwz: enable WPA2 association on WCN7850
To: Marcus Glocker
Cc: tech@openbsd.org, Mark Kettenis, Stefan Sperling, Patrick Wildt
Date: Sun, 26 Apr 2026 14:04:41 +0200

On Sat, 25 Apr 2026 23:56:07 +0200,
Marcus Glocker wrote:
>
> Bring the qwz driver up to a working WPA2 client connection on the
> Qualcomm WCN7850 chip. Tested on the Samsung Galaxy Book4 Edge.
>
> Major changes:
>
> 1. Fix the RX path.
>    Wire up the WCN7850 descriptor accesses that were unset; override
>    the descriptor size to match what the FW actually writes (512 bytes
>    instead of struct sizeof 472); add the first-line filters that drop
>    FW-injected garbage frames before net80211 mistakes them for fake
>    auth/deauth.
>
> 2. Fix the TX path.
>    Port Linux's WiFi7 "TX bank" infrastructure: a per-VDEV register
>    that holds encap/encrypt/search settings the descriptor used to
>    carry inline. Rewrite the TX descriptor builder for the WiFi7 wire
>    format. Fix an encrypt_type default that was making the FW try to
>    WEP-encrypt plain-text EAPOL frames.
>
> 3. Fix MSI interrupt routing.
>    Correct the DP IRQ group's MSI vector calculation, and free the
>    vector DP group 0 needs (was being held by an unused pktlog
>    interrupt). Without these, RX completions never fired regardless
>    of how correct the rest of the path was.
>
> 4. Make the WPA2 4-way handshake complete.
>    Move WMI_PEER_AUTHORIZE to fire after key install, not before; the
>    old order told the FW crypto was up while plain-text EAPOL was still
>    in flight, crashing the FW. Mask the AID to its 14-bit value before
>    handing it to the FW. Add the missing REO queue setup for non-QoS
>    frames, which is where EAPOL lives.
>
> 5. Add non-coherent DMA cache sync on RX and TX.
>    Without explicit flushes the CPU and FW see different bytes for
>    the same buffer. This was the root cause of "garbage RX frames":
>    they were always real EAPOL Msg 1 frames torn by stale CPU cache
>    lines.
>
> 6. Update register/descriptor defines from ath11k to ath12k WiFi7.
>    The TX descriptor wire format changed completely between
>    generations: bit positions, field set, even the number of 32-bit
>    words. Partial updates wouldn't have worked.
>
> 7. Cleanup.
>    Remove some debug printfs and the diagnostic counters added during
>    the bring-up to verify the path was working.
>
> Known limitations:
>
> - Firmware occasionally crashes after sustained traffic; driver
>   recovers via the existing RDDM path in if_qwz_pci.c without a
>   system reboot. Root-causing this is the next follow-up.
> - One PN-replay loop in qwz_dp_peer_rx_pn_replay_config doesn't
>   iterate the non-QoS TID slot. Cosmetic for normal use; will
>   land as a separate small commit.
>
> Further testing, feedback, OKs, welcome.
>

I can't join my WiFi network by qwz0 on Honor, firmware crashed like that:

Apr 26 14:01:41 honor /bsd: qwz_pcic_get_user_msi_vector: MSI assignment DP num_vectors 8 user_base_data 8 base_vector 8
Apr 26 14:01:41 honor /bsd: qwz0: type 0 ring_num 3 target_reg 0xa3b064 shadow 0x908
Apr 26 14:01:41 honor /bsd: qwz_wmi_tlv_op_rx: 0x16005: update fw mem dump
Apr 26 14:01:41 honor /bsd: qwz_wmi_tlv_op_rx: unsupported event id 0xb00b
Apr 26 14:01:41 honor /bsd: qwz_pull_reg_chan_list_ext_update_ev: not implemented
Apr 26 14:01:41 honor /bsd: qwz0: failed to extract regulatory info from received event
Apr 26 14:01:41 honor /bsd: qwz_pull_reg_chan_list_ext_update_ev: not implemented
Apr 26 14:01:41 honor /bsd: qwz0: failed to extract regulatory info from received event
Apr 26 14:01:41 honor /bsd: qwz_wmi_tlv_op_rx: unsupported event id 0x1d021
Apr 26 14:01:41 honor /bsd: qwz_dp_htt_htc_t2h_msg_handler: dp_htt rx msg type: 0x0
Apr 26 14:01:41 honor /bsd: qwz_dp_htt_htc_t2h_msg_handler: dp_htt rx msg type: 0x30
Apr 26 14:01:43 honor /bsd: qwz_dp_htt_htc_t2h_msg_handler: dp_htt rx msg type: 0x1e
Apr 26 14:01:43 honor /bsd: qwz_wmi_tlv_op_rx: unsupported event id 0x601a
Apr 26 14:01:43 honor /bsd: qwz_wmi_tlv_op_rx: unsupported event id 0x4011
Apr 26 14:01:43 honor /bsd: qwz_pcic_ext_irq_enable not implemented
Apr 26 14:01:44 honor /bsd: qwz_wmi_tlv_op_rx: 0x1d00a: wlan freq avoid event
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: txvec state is 0x0
Apr 26 14:01:45 honor last message repeated 39 times
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: txvec state is 0x2
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: RDDM snippet:
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: RDDM snippet:
Apr 26 14:01:45 honor /bsd: 01 00 00 00 08 02 00 00 f8 7c 56 01 00 00 00 00
Apr 26 14:01:45 honor /bsd: f8 7c 56 01 00 00 00 00 50 00 00 00 00 00 00 00
Apr 26 14:01:45 honor /bsd: 51 36 2d 53 46 52 00 00 00 00 00 00 00 00 00 00
Apr 26 14:01:45 honor /bsd: 00 00 00 00 51 36 2d 53 46 52 2e 62 69 6e 00 00
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: sleeping for 30 seconds to allow userland to boot
Apr 26 14:02:15 honor /bsd: qwz_rddm_task: saving RDDM to /root/qwz0-rddm.bin
Apr 26 14:02:15 honor /bsd: qwz_rddm_task: done, error 0

and inside qwz0-rddm.bin via strings I see something that I never saw before:

dlpager_main.c:147:0x8Non Page Fault Exception cause code : 0x 23 at Address :

--
wbr, Kirill
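
Added example (not part of the original message or of the qwz driver): a Python triage helper that reassembles the "RDDM snippet" hex rows from the kernel log in the report above and extracts printable strings the way strings(1) does. The function names and regular expressions are assumptions of this example; the sample input is a subset of the log lines from the report.

```python
import re

# Sample input: log lines taken from the report above (subset).
SAMPLE_LOG = """\
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: txvec state is 0x0
Apr 26 14:01:45 honor last message repeated 39 times
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: txvec state is 0x2
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: RDDM snippet:
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: RDDM snippet:
Apr 26 14:01:45 honor /bsd: 01 00 00 00 08 02 00 00 f8 7c 56 01 00 00 00 00
Apr 26 14:01:45 honor /bsd: f8 7c 56 01 00 00 00 00 50 00 00 00 00 00 00 00
Apr 26 14:01:45 honor /bsd: 51 36 2d 53 46 52 00 00 00 00 00 00 00 00 00 00
Apr 26 14:01:45 honor /bsd: 00 00 00 00 51 36 2d 53 46 52 2e 62 69 6e 00 00
Apr 26 14:01:45 honor /bsd: qwz_rddm_task: sleeping for 30 seconds to allow userland to boot
"""

# syslog prefix "Mon DD HH:MM:SS host /bsd: " followed by the kernel message
KERNEL_MSG = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+/bsd:\s?(.*)$")
# one dump row: exactly 16 space-separated hex bytes
HEX_ROW = re.compile(r"^(?:[0-9a-fA-F]{2} ){15}[0-9a-fA-F]{2}$")


def rddm_snippet_bytes(log_text):
    """Reassemble the hex rows that follow an 'RDDM snippet:' marker."""
    data = bytearray()
    in_snippet = False
    for line in log_text.splitlines():
        m = KERNEL_MSG.match(line)
        if not m:
            continue  # not a kernel line, e.g. "last message repeated N times"
        msg = m.group(1).strip()
        if msg.endswith("RDDM snippet:"):
            in_snippet = True
        elif in_snippet and HEX_ROW.match(msg):
            data += bytes.fromhex(msg)
        else:
            in_snippet = False  # any other kernel message ends the dump
    return bytes(data)


def printable_strings(data, min_len=4):
    """Return (offset, text) for printable-ASCII runs, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


if __name__ == "__main__":
    for offset, text in printable_strings(rddm_snippet_bytes(SAMPLE_LOG)):
        print(f"0x{offset:02x}  {text}")
```

On the log above this yields "Q6-SFR" at offset 32 and "Q6-SFR.bin" at offset 52 of the 64-byte snippet.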