mt76: stop rx aggregation on station removal

Fixes use-after-free issues on forced station removal during hardware restart
on MT76x02

Fixes: aee5b8cf2477 ("mt76: implement A-MPDU rx reordering in the driver code")
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/mac80211.c b/drivers/net/wireless/mediatek/mt76/mac80211.c
index aeb535204c4d0c340ac6d2a4f4fed611a598a210..32ddbf0888176f0785f93def912f9cd3873f1258 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
+++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
@@ -708,6 +708,9 @@ void __mt76_sta_remove(struct mt76_dev *dev, struct ieee80211_vif *vif,
        rcu_assign_pointer(dev->wcid[idx], NULL);
        synchronize_rcu();
 
+       for (i = 0; i < ARRAY_SIZE(wcid->aggr); i++)
+               mt76_rx_aggr_stop(dev, wcid, i);
+
        if (dev->drv->sta_remove)
                dev->drv->sta_remove(dev, vif, sta);