Hello Toke,
On Wed, 30 Mar 2022 18:44:09 +0200, Toke Høiland-Jørgensen <toke@xxxxxxx> wrote:
> The ath9k driver was not properly clearing the status area in the
> ieee80211_tx_info struct before reporting TX status to mac80211. Instead,
> it was manually filling in fields, which meant that fields introduced later
> were left as-is.
>
> Conveniently, mac80211 actually provides a helper to zero out the status
> area, so use that to make sure we zero everything.
>
> The last commit touching the driver function writing the status information
> seems to have actually been fixing an issue that was also caused by the
> area being uninitialised; but it only added clearing of a single field
> instead of the whole struct. That is now redundant, though, so revert that
> commit and use it as a convenient Fixes tag.
>
> Fixes: cc591d77aba1 ("ath9k: Make sure to zero status.tx_time before reporting TX status")
> Reported-by: Bagas Sanjaya <bagasdotme@xxxxxxxxx>
> Signed-off-by: Toke Høiland-Jørgensen <toke@xxxxxxx>
> ---
> drivers/net/wireless/ath/ath9k/xmit.c | 5 ++---
> 1 file changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c
> index d0caf1de2bde..cbcf96ac303e 100644
> --- a/drivers/net/wireless/ath/ath9k/xmit.c
> +++ b/drivers/net/wireless/ath/ath9k/xmit.c
> @@ -2553,6 +2553,8 @@ static void ath_tx_rc_status(struct ath_softc *sc, struct ath_buf *bf,
> struct ath_hw *ah = sc->sc_ah;
> u8 i, tx_rateindex;
>
> + ieee80211_tx_info_clear_status(tx_info);
> +
As this also clears the status.rates[].count, see include/net/mac80211.h:
1195 static inline void
1196 ieee80211_tx_info_clear_status(struct ieee80211_tx_info *info)
1197 {
1198 int i;
1199
1200 BUILD_BUG_ON(offsetof(struct ieee80211_tx_info, status.rates) !=
1201 offsetof(struct ieee80211_tx_info, control.rates));
1202 BUILD_BUG_ON(offsetof(struct ieee80211_tx_info, status.rates) !=
1203 offsetof(struct ieee80211_tx_info, driver_rates));
1204 BUILD_BUG_ON(offsetof(struct ieee80211_tx_info, status.rates) != 8) ;
1205 /* clear the rate counts */
1206 for (i = 0; i < IEEE80211_TX_MAX_RATES; i++)
1207 info->status.rates[i].count = 0;
1208 memset_after(&info->status, 0, rates);
1209 }
I would have expected some lines added to restore the count (for the
rates with index < tx_rateindex), e.g. as done in
drivers/net/wireless/ath/ath5k/base.c:
1731 ieee80211_tx_info_clear_status(info);
1732
1733 for (i = 0; i < ts->ts_final_idx; i++) {
1734 struct ieee80211_tx_rate *r =
1735 &info->status.rates[i];
1736
1737 r->count = tries[i];
1738 }
In drivers/net/wireless/ath/ath9k/xmit.c this is only done/changed for
the tx_rateindex index (which is often zero in case the first suggested rate
succeeds, but in noisy environment is sometimes > 0)...
> if (txok)
> tx_info->status.ack_signal = ts->ts_rssi;
>
> @@ -2595,9 +2597,6 @@ static void ath_tx_rc_status(struct ath_softc *sc, struct ath_buf *bf,
> }
>
> tx_info->status.rates[)].count = ts->ts_longretry + 1;
> -
> - /* we report airtime in ath_tx_count_airtime(), don't report twice */
> - tx_info->status.tx_time = 0;
> }
>
> static void ath_tx_processq(struct ath_softc *sc, struct ath_txq *txq)
And from drivers/net/wireless/ath/ath9k/xmit.c:
2592 for (i = tx_rateindex + 1; i < hw->max_rates; i++) {
2593 tx_info->status.rates[i].count = 0;
2594 tx_info->status.rates[i].idx = -1;
2595 }
Line 2593 can be deleted as status.rates[].count is already zeroed through the
ieee80211_tx_info_clear_status() call...
And it should be sufficient to do:
if (tx_rateindex + 1 < hw->max_rates)
tx_info->status.rates[tx_rateindex + 1].idx = -1;
Regards,
Peter
