git: 65de0f1855f3 - stable/14 - LinuxKPI: 802.11: fix ieee80211_schedule_txq() to avoid rtw89 panic
Date: Thu, 17 Oct 2024 09:16:42 UTC
The branch stable/14 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=65de0f1855f3e2e49413dfa03ffbfd6735d3e738

commit 65de0f1855f3e2e49413dfa03ffbfd6735d3e738
Author: Austin Shafer <ashafer@badland.io>
AuthorDate: 2024-10-10 15:31:07 +0000
Commit: Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2024-10-16 21:46:19 +0000

    LinuxKPI: 802.11: fix ieee80211_schedule_txq() to avoid rtw89 panic

    rtw89 TX path was faulting in linuxkpi_ieee80211_next_txq() due to a
    "double scheduling" check in linuxkpi_ieee80211_schedule_txq() being
    incorrect: the next pointer may be NULL there if the element is the
    last in the tailq, so correctly check tqe_prev.

    Without the fix we may have queued the same element to the tailq
    twice, and because it was the last element and had a NULL tqe_next,
    that NULL value would get propagated into another node's tqe_prev on
    removal, and other such nastiness.

    With this rtw89 no longer panics.

    Reviewed by: bz
    Differential Revision: https://reviews.freebsd.org/D47006

    (cherry picked from commit 41b746e05231b44c87f3a3087a7fe29966af6d0f)
---
 sys/compat/linuxkpi/common/src/linux_80211.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c index 56bc9252511a..ff257bf32766 100644 --- a/sys/compat/linuxkpi/common/src/linux_80211.c +++ b/sys/compat/linuxkpi/common/src/linux_80211.c @@ -6075,8 +6075,12 @@ void linuxkpi_ieee80211_schedule_txq(struct ieee80211_hw *hw, if (!withoutpkts && ltxq_empty) goto out; - /* Make sure we do not double-schedule. */ - if (ltxq->txq_entry.tqe_next != NULL) + /* + * Make sure we do not double-schedule. We do this by checking tqe_prev, + * the previous entry in our tailq. tqe_prev is always valid if this entry + * is queued, tqe_next may be NULL if this is the only element in the list. + */ + if (ltxq->txq_entry.tqe_prev != NULL) goto out; lhw = HW_TO_LHW(hw);
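
Review bot: The new `ltxq->txq_entry.tqe_prev != NULL` test in the double-schedule check is only correct if every path that takes ltxq off the list also resets txq_entry.tqe_prev to NULL (and the entry starts out zeroed), because TAILQ_REMOVE does not clear the removed element's links on its own. Nothing in this hunk shows that reset, so the comment should state the invariant or point to where it is maintained. In the same comment, "tqe_next may be NULL if this is the only element in the list" is narrower than the commit message, which describes the last element of the tailq; suggest "if this is the last element in the list".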
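
The membership test described in the commit message, as an added userland example that is not code from the commit or from LinuxKPI: it compares the old `tqe_next` test with the fixed `tqe_prev` test on the last element of a tailq. `struct txq` and all function names are hypothetical, and it assumes a `<sys/queue.h>` that provides the TAILQ macros.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/queue.h>

/* Hypothetical stand-in for a per-queue object; not the LinuxKPI struct. */
struct txq { TAILQ_ENTRY(txq) entry; };
TAILQ_HEAD(txq_head, txq);
typedef bool (*queued_fn)(const struct txq *);

/* Old test: a successor exists. False for the last element of the tailq. */
static bool queued_by_next(const struct txq *q) { return q->entry.tqe_next != NULL; }
/* Fixed test: relies on tqe_prev being NULL whenever q is off the list. */
static bool queued_by_prev(const struct txq *q) { return q->entry.tqe_prev != NULL; }

/* Append q unless the chosen test reports it as already queued. */
static bool schedule(struct txq_head *h, struct txq *q, queued_fn queued) {
	if (queued(q))
		return false;
	TAILQ_INSERT_TAIL(h, q, entry);
	return true;
}

static void unschedule(struct txq_head *h, struct txq *q) {
	TAILQ_REMOVE(h, q, entry);
	q->entry.tqe_next = NULL;	/* TAILQ_REMOVE leaves the links stale; */
	q->entry.tqe_prev = NULL;	/* clear them so queued_by_prev() holds */
}

/* Queue a then b; true if the test would let the queued tail b in again. */
static bool would_double_queue_tail(queued_fn queued) {
	struct txq_head h = TAILQ_HEAD_INITIALIZER(h);
	struct txq a = { { NULL, NULL } }, b = { { NULL, NULL } };
	schedule(&h, &a, queued_by_prev);
	schedule(&h, &b, queued_by_prev);
	return !queued(&b);
}

/* A removed element must be accepted again by the fixed test. */
static bool requeue_after_remove_ok(void) {
	struct txq_head h = TAILQ_HEAD_INITIALIZER(h);
	struct txq a = { { NULL, NULL } };
	schedule(&h, &a, queued_by_prev);
	unschedule(&h, &a);
	return schedule(&h, &a, queued_by_prev) && TAILQ_FIRST(&h) == &a;
}

int main(void) {
	printf("next:%d prev:%d requeue:%d\n", would_double_queue_tail(queued_by_next), would_double_queue_tail(queued_by_prev), requeue_after_remove_ok());
	return 0;
}
```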