--- /dev/null
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 24 Nov 2021 10:30:41 +0100
+Subject: [PATCH] mac80211: fix regression in SSN handling of addba tx
+
+Some drivers that do their own sequence number allocation (e.g. ath9k) rely
+on being able to modify params->ssn on starting tx ampdu sessions.
+This was broken by a change that modified it to use sta->tid_seq[tid] instead.
+
+Cc: stable@vger.kernel.org
+Fixes: 31d8bb4e07f8 ("mac80211: agg-tx: refactor sending addba")
+Reported-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -480,8 +480,7 @@ static void ieee80211_send_addba_with_ti
+
+ /* send AddBA request */
+ ieee80211_send_addba_request(sdata, sta->sta.addr, tid,
+- tid_tx->dialog_token,
+- sta->tid_seq[tid] >> 4,
++ tid_tx->dialog_token, tid_tx->ssn,
+ buf_size, tid_tx->timeout);
+
+ WARN_ON(test_and_set_bit(HT_AGG_STATE_SENT_ADDBA, &tid_tx->state));
+@@ -523,6 +522,7 @@ void ieee80211_tx_ba_session_handle_star
+
+ params.ssn = sta->tid_seq[tid] >> 4;
+ ret = drv_ampdu_action(local, sdata, ¶ms);
++ tid_tx->ssn = params.ssn;
+ if (ret == IEEE80211_AMPDU_TX_START_DELAY_ADDBA) {
+ return;
+ } else if (ret == IEEE80211_AMPDU_TX_START_IMMEDIATE) {
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -190,6 +190,7 @@ struct tid_ampdu_tx {
+ u8 stop_initiator;
+ bool tx_stop;
+ u16 buf_size;
++ u16 ssn;
+
+ u16 failed_bar_ssn;
+ bool bar_pending;
struct sta_info;
-@@ -515,7 +522,6 @@ struct ieee80211_fragment_cache {
+@@ -516,7 +523,6 @@ struct ieee80211_fragment_cache {
* @tid_seq: per-TID sequence numbers for sending to this STA
* @airtime: per-AC struct airtime_info describing airtime statistics for this
* station
* @ampdu_mlme: A-MPDU state machine state
* @mesh: mesh STA information
* @debugfs_dir: debug filesystem directory dentry
-@@ -646,7 +652,6 @@ struct sta_info {
+@@ -647,7 +653,6 @@ struct sta_info {
u16 tid_seq[IEEE80211_QOS_CTL_TID_MASK + 1];
struct airtime_info airtime[IEEE80211_NUM_ACS];