git: 41b746e05231 - main - LinuxKPI: 802.11: fix ieee80211_schedule_txq() to avoid rtw89 panic

From: Bjoern A. Zeeb <bz_at_FreeBSD.org>
Date: Thu, 10 Oct 2024 17:42:43 UTC
The branch main has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=41b746e05231b44c87f3a3087a7fe29966af6d0f

commit 41b746e05231b44c87f3a3087a7fe29966af6d0f
Author:     Austin Shafer <ashafer@badland.io>
AuthorDate: 2024-10-10 15:31:07 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2024-10-10 17:42:06 +0000

    LinuxKPI: 802.11: fix ieee80211_schedule_txq() to avoid rtw89 panic
    
    rtw89 TX path was faulting in linuxkpi_ieee80211_next_txq() due to a
    "double scheduling" check in linuxkpI_ieee80211_schedule_txq() being
    incorrect:
    the next pointer may be NULL there if the element is the last in the
    tailq, so correctly check tqe_prev.  Without the fix we may have queued
    the same element to the tailq twice, and because it was the last element
    and had a NULL tqe_next, that NULL value would get propogated into
    another node's tqe_prev on removal, and other such nastiness.
    
    With this rtw89 no longer panics.
    
    Reviewed by:    bz
    MFC after:      3 days
    Differential Revision: https://reviews.freebsd.org/D47006
---
 sys/compat/linuxkpi/common/src/linux_80211.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c
index ae765cda5781..4171f0789977 100644
--- a/sys/compat/linuxkpi/common/src/linux_80211.c
+++ b/sys/compat/linuxkpi/common/src/linux_80211.c
@@ -6074,8 +6074,12 @@ void linuxkpi_ieee80211_schedule_txq(struct ieee80211_hw *hw,
 	if (!withoutpkts && ltxq_empty)
 		goto out;
 
-	/* Make sure we do not double-schedule. */
-	if (ltxq->txq_entry.tqe_next != NULL)
+	/*
+	 * Make sure we do not double-schedule. We do this by checking tqe_prev,
+	 * the previous entry in our tailq. tqe_prev is always valid if this entry
+	 * is queued, tqe_next may be NULL if this is the only element in the list.
+	 */
+	if (ltxq->txq_entry.tqe_prev != NULL)
 		goto out;
 
 	lhw = HW_TO_LHW(hw);