Sven Eckelmann <sven@xxxxxxxxxxxxx> wrote:
> When a station idles for a long time, hostapd will try to send a QoS Null
> frame to the station as "poll". NL80211_CMD_PROBE_CLIENT is used for this
> purpose. And the skb will be added to ack_status_frame - waiting for a
> completion via ieee80211_report_ack_skb().
>
> But when the peer was already removed before the tx_complete arrives, the
> peer will be missing. And when using dev_kfree_skb_any (instead of going
> through mac80211), the entry will stay inside ack_status_frames. This IDR
> will therefore run full after 8K request were generated for such clients.
> At this point, the access point will then just stall and not allow any new
> clients because idr_alloc() for ack_status_frame will fail.
>
> ieee80211_free_txskb() on the other hand will (when required) call
> ieee80211_report_ack_skb() and make sure that (when required) remove the
> entry from the ack_status_frame.
>
> Tested-on: IPQ6018 hw1.0 WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1
>
> Fixes: 6257c702264c ("wifi: ath11k: fix tx status reporting in encap offload mode")
> Fixes: 94739d45c388 ("ath11k: switch to using ieee80211_tx_status_ext()")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Sven Eckelmann <sven@xxxxxxxxxxxxx>
> Signed-off-by: Kalle Valo <quic_kvalo@xxxxxxxxxxx>
2 patches applied to ath-next branch of ath.git, thanks.
400ece6c7f34 wifi: ath11k: Don't drop tx_status when peer cannot be found
29d15589f084 wifi: ath11k: Cleanup mac80211 references on failure during tx_complete
--
https://patchwork.kernel.org/project/linux-wireless/patch/20230802-ath11k-ack_status_leak-v2-1-c0af729d6229@xxxxxxxxxxxxx/
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
