| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20260116010519.37001-22-zac@zacbowling.com> Date: Thu, 15 Jan 2026 17:05:19 -0800 From: Zac <zac@...bowling.com> To: sean.wang@...nel.org Cc: deren.wu@...iatek.com, kvalo@...nel.org, linux-kernel@...r.kernel.org, linux-mediatek@...ts.infradead.org, linux-wireless@...r.kernel.org, lorenzo@...nel.org, nbd@....name, linux@...me.work, ryder.lee@...iatek.com, sean.wang@...iatek.com, Zac <zac@...bowling.com>, Zac Bowling <zbowling@...il.com> Subject: [PATCH v4 21/21] wifi: mt76: mt7925: fix BA session teardown during beacon loss The ieee80211_stop_tx_ba_cb_irqsafe() callback was conditionally called only when the MCU command succeeded. However, during beacon connection loss, the MCU command may fail because the AP is no longer reachable. If the callback is not called, mac80211's BA session state machine gets stuck in an intermediate state. When mac80211 later tries to tear down all BA sessions during disconnection, it hits a WARN in __ieee80211_stop_tx_ba_session() due to the inconsistent state. Fix by making the callback unconditional, matching the behavior of mt7921 and mt7996 drivers. The MCU command failure is acceptable during disconnection - what matters is that mac80211 is notified to complete the session teardown. Reported-by: Sean Wang <sean.wang@...iatek.com> Signed-off-by: Zac Bowling <zbowling@...il.com> --- drivers/net/wireless/mediatek/mt76/mt7925/main.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7925/main.c b/drivers/net/wireless/mediatek/mt76/mt7925/main.c index 81373e479a..cc7ef2c170 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7925/main.c +++ b/drivers/net/wireless/mediatek/mt76/mt7925/main.c @@ -1323,9 +1323,13 @@ mt7925_ampdu_action(struct ieee80211_hw *hw, struct ieee80211_vif *vif, case IEEE80211_AMPDU_TX_STOP_CONT: mtxq->aggr = false; clear_bit(tid, &msta->deflink.wcid.ampdu_state); - ret = mt7925_mcu_uni_tx_ba(dev, params, false); - if (!ret) - ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); + /* MCU command may fail during beacon loss, but callback must + * always be called to complete the BA session teardown in + * mac80211. Otherwise the state machine gets stuck and triggers + * WARN in __ieee80211_stop_tx_ba_session(). + */ + mt7925_mcu_uni_tx_ba(dev, params, false); + ieee80211_stop_tx_ba_cb_irqsafe(vif, sta->addr, tid); break; } mt792x_mutex_release(dev); -- 2.52.0
Powered by blists - more mailing lists