This is a note to let you know that I've just added the patch titled wifi: iwlwifi: mvm: drop wrong STA selection in TX to the 6.6-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: wifi-iwlwifi-mvm-drop-wrong-sta-selection-in-tx.patch and it can be found in the queue-6.6 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 50e8e035ca78b92009629a72c2e9db178a693c7e Author: Johannes Berg <johannes.berg@xxxxxxxxx> Date: Thu Aug 8 23:22:48 2024 +0300 wifi: iwlwifi: mvm: drop wrong STA selection in TX [ Upstream commit 1c7e1068a7c9c39ed27636db93e71911e0045419 ] This shouldn't happen at all, since in station mode all MMPDUs go through the TXQ for the STA, and not this function. There may or may not be a race in mac80211 through which this might happen for some frames while a station is being added, but in that case we can also just drop the frame and pretend the STA didn't exist yet. Also, the code is simply wrong since it uses deflink, and it's not easy to fix it since the mvmvif->ap_sta pointer cannot be used without the mutex, and perhaps the right link might not even be known. Just drop the frame at that point instead of trying to fix it up. Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@xxxxxxxxx> Link: https://patch.msgid.link/20240808232017.45ad105dc7fe.I6d45c82e5758395d9afb8854057ded03c7dc81d7@changeid Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c index d2daea3b1f38a..2d35a8865d00b 100644 --- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c +++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c @@ -766,20 +766,10 @@ void iwl_mvm_mac_tx(struct ieee80211_hw *hw, if (ieee80211_is_mgmt(hdr->frame_control)) sta = NULL; - /* If there is no sta, and it's not offchannel - send through AP */ + /* this shouldn't even happen: just drop */ if (!sta && info->control.vif->type == NL80211_IFTYPE_STATION && - !offchannel) { - struct iwl_mvm_vif *mvmvif = - iwl_mvm_vif_from_mac80211(info->control.vif); - u8 ap_sta_id = READ_ONCE(mvmvif->deflink.ap_sta_id); - - if (ap_sta_id < mvm->fw->ucode_capa.num_stations) { - /* mac80211 holds rcu read lock */ - sta = rcu_dereference(mvm->fw_id_to_mac_id[ap_sta_id]); - if (IS_ERR_OR_NULL(sta)) - goto drop; - } - } + !offchannel) + goto drop; if (tmp_sta && !sta && link_id != IEEE80211_LINK_UNSPECIFIED && !ieee80211_is_probe_resp(hdr->frame_control)) {