mac80211: add a fix for racy drv_sta_rc_update calls

Fixes potential crash issues in mt76 and other drivers Signed-off-by: Felix Fietkau <nbd@nbd.name>
2025-01-18 02:40:19 +00:00 · 2024-02-21 15:28:31 +01:00 · 2024-02-21 15:28:31 +01:00 · 2a752ff028
commit 2a752ff028
parent 01996b785d
1 changed files with 25 additions and 0 deletions
--- a/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-only-call-drv_sta_rc_update-for-upload.patch
+++ b/package/kernel/mac80211/patches/subsys/331-wifi-mac80211-only-call-drv_sta_rc_update-for-upload.patch
@ -0,0 +1,25 @@
+From: Felix Fietkau <nbd@nbd.name>
+Date: Wed, 21 Feb 2024 14:41:40 +0100
+Subject: [PATCH] wifi: mac80211: only call drv_sta_rc_update for uploaded
+ stations
+
+When a station has not been uploaded yet, receiving SMPS or channel width
+notification action frames can lead to rate_control_rate_update calling
+drv_sta_rc_update with uninitialized driver private data.
+Fix this by adding a missing check for sta->uploaded.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/net/mac80211/rate.c
+++ b/net/mac80211/rate.c
+@@ -119,7 +119,8 @@ void rate_control_rate_update(struct iee
+ 		rcu_read_unlock();
+ 	}
+ 
+-	drv_sta_rc_update(local, sta->sdata, &sta->sta, changed);
+	if (sta->uploaded)
+		drv_sta_rc_update(local, sta->sdata, &sta->sta, changed);
+ }
+ 
+ int ieee80211_rate_control_register(const struct rate_control_ops *ops)