mac80211: fix crash in drivers relying on mac80211 retransmitting packets for powersa...
authorFelix Fietkau <nbd@nbd.name>
Tue, 23 Nov 2021 12:18:03 +0000 (13:18 +0100)
committerFelix Fietkau <nbd@nbd.name>
Tue, 23 Nov 2021 17:30:04 +0000 (18:30 +0100)
This showed up primarily on rt2x00

Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit d1ea575baa1b53bb477a020974afcec1b1193edc)

package/kernel/mac80211/patches/subsys/394-mac80211-fix-rate-control-for-retransmitted-frames.patch [new file with mode: 0644]

diff --git a/package/kernel/mac80211/patches/subsys/394-mac80211-fix-rate-control-for-retransmitted-frames.patch b/package/kernel/mac80211/patches/subsys/394-mac80211-fix-rate-control-for-retransmitted-frames.patch
new file mode 100644 (file)
index 0000000..cd91a92
--- /dev/null
@@ -0,0 +1,35 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 22 Nov 2021 21:39:38 +0100
+Subject: [PATCH] mac80211: fix rate control for retransmitted frames
+
+Since retransmission clears info->control, rate control needs to be called
+again, otherwise the driver might crash due to invalid rates.
+
+Cc: stable@vger.kernel.org # 5.14+
+Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
+Reported-by: Robert W <rwbugreport@lost-in-the-void.net>
+Fixes: 03c3911d2d67 ("mac80211: call ieee80211_tx_h_rate_ctrl() when dequeue")
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1835,15 +1835,15 @@ static int invoke_tx_handlers_late(struc
+       struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
+       ieee80211_tx_result res = TX_CONTINUE;
++      if (!ieee80211_hw_check(&tx->local->hw, HAS_RATE_CONTROL))
++              CALL_TXH(ieee80211_tx_h_rate_ctrl);
++
+       if (unlikely(info->flags & IEEE80211_TX_INTFL_RETRANSMISSION)) {
+               __skb_queue_tail(&tx->skbs, tx->skb);
+               tx->skb = NULL;
+               goto txh_done;
+       }
+-      if (!ieee80211_hw_check(&tx->local->hw, HAS_RATE_CONTROL))
+-              CALL_TXH(ieee80211_tx_h_rate_ctrl);
+-
+       CALL_TXH(ieee80211_tx_h_michael_mic_add);
+       CALL_TXH(ieee80211_tx_h_sequence);
+       CALL_TXH(ieee80211_tx_h_fragment);