From 2a752ff0281a0a060175f660895630804e2b95b7 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Wed, 21 Feb 2024 15:28:31 +0100 Subject: [PATCH] mac80211: add a fix for racy drv_sta_rc_update calls Fixes potential crash issues in mt76 and other drivers Signed-off-by: Felix Fietkau --- ...ly-call-drv_sta_rc_update-for-upload.patch | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 package/kernel/mac80211/patches/subsys/331-wifi-mac80211-only-call-drv_sta_rc_update-for-upload.patch diff --git a/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-only-call-drv_sta_rc_update-for-upload.patch b/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-only-call-drv_sta_rc_update-for-upload.patch new file mode 100644 index 000000000000..167b9e3f7769 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-only-call-drv_sta_rc_update-for-upload.patch @@ -0,0 +1,25 @@ +From: Felix Fietkau +Date: Wed, 21 Feb 2024 14:41:40 +0100 +Subject: [PATCH] wifi: mac80211: only call drv_sta_rc_update for uploaded + stations + +When a station has not been uploaded yet, receiving SMPS or channel width +notification action frames can lead to rate_control_rate_update calling +drv_sta_rc_update with uninitialized driver private data. +Fix this by adding a missing check for sta->uploaded. + +Signed-off-by: Felix Fietkau +--- + +--- a/net/mac80211/rate.c ++++ b/net/mac80211/rate.c +@@ -119,7 +119,8 @@ void rate_control_rate_update(struct iee + rcu_read_unlock(); + } + +- drv_sta_rc_update(local, sta->sdata, &sta->sta, changed); ++ if (sta->uploaded) ++ drv_sta_rc_update(local, sta->sdata, &sta->sta, changed); + } + + int ieee80211_rate_control_register(const struct rate_control_ops *ops) -- 2.30.2
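Review bot: The new `if (sta->uploaded)` guard at the end of rate_control_rate_update() in net/mac80211/rate.c reads the flag with no lock or ordering visible in the hunk, while the outer commit subject describes the problem as racy drv_sta_rc_update calls. If the upload path can set sta->uploaded while this function runs, a plain read only narrows the window, so please state in the commit message or in a comment above the check which lock or ordering makes the test sufficient. When the station is not uploaded, the `changed` bits are now dropped silently; a sentence on how the driver learns the current SMPS mode and channel width once the station is uploaded would close that gap. The inner patch also carries no Fixes: tag or upstream reference, which would make it easier to track against the upstream tree.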