From: Alexander Wetzel <alexander@xxxxxxxxxxxxxx> commit 592234e941f1addaa598601c9227e3b72d608625 upstream. mac80211 must not enable aggregation wile transmitting a fragmented MPDU. Enforce that for mac80211 internal TX queues (iTXQs). Reported-by: kernel test robot <oliver.sang@xxxxxxxxx> Link: https://lore.kernel.org/oe-lkp/202301021738.7cd3e6ae-oliver.sang@xxxxxxxxx Signed-off-by: Alexander Wetzel <alexander@xxxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20230106223141.98696-1-alexander@xxxxxxxxxxxxxx Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/mac80211/agg-tx.c | 2 -- net/mac80211/ht.c | 37 +++++++++++++++++++++++++++++++++++++ net/mac80211/tx.c | 13 +++++++------ 3 files changed, 44 insertions(+), 8 deletions(-) --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -511,8 +511,6 @@ void ieee80211_tx_ba_session_handle_star */ clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state); - ieee80211_agg_stop_txq(sta, tid); - /* * Make sure no packets are being processed. This ensures that * we have a valid starting sequence number and that in-flight --- a/net/mac80211/ht.c +++ b/net/mac80211/ht.c @@ -391,6 +391,43 @@ void ieee80211_ba_session_work(struct wo tid_tx = sta->ampdu_mlme.tid_start_tx[tid]; if (!blocked && tid_tx) { + struct ieee80211_sub_if_data *sdata = sta->sdata; + struct ieee80211_local *local = sdata->local; + + if (local->ops->wake_tx_queue) { + struct txq_info *txqi = + to_txq_info(sta->sta.txq[tid]); + struct fq *fq = &local->fq; + + spin_lock_bh(&fq->lock); + + /* Allow only frags to be dequeued */ + set_bit(IEEE80211_TXQ_STOP, &txqi->flags); + + if (!skb_queue_empty(&txqi->frags)) { + /* Fragmented Tx is ongoing, wait for it + * to finish. Reschedule worker to retry + * later. + */ + + spin_unlock_bh(&fq->lock); + spin_unlock_bh(&sta->lock); + + /* Give the task working on the txq a + * chance to send out the queued frags + */ + synchronize_net(); + + mutex_unlock(&sta->ampdu_mlme.mtx); + + ieee80211_queue_work(&sdata->local->hw, + work); + return; + } + + spin_unlock_bh(&fq->lock); + } + /* * Assign it over to the normal tid_tx array * where it "goes live". --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -1295,7 +1295,8 @@ ieee80211_tx_prepare(struct ieee80211_su if (!(info->flags & IEEE80211_TX_CTL_DONTFRAG)) { if (!(tx->flags & IEEE80211_TX_UNICAST) || skb->len + FCS_LEN <= local->hw.wiphy->frag_threshold || - info->flags & IEEE80211_TX_CTL_AMPDU) + (info->flags & IEEE80211_TX_CTL_AMPDU && + !local->ops->wake_tx_queue)) info->flags |= IEEE80211_TX_CTL_DONTFRAG; } @@ -3725,7 +3726,6 @@ struct sk_buff *ieee80211_tx_dequeue(str return NULL; begin: - skb = NULL; spin_lock(&local->queue_stop_reason_lock); q_stopped = local->queue_stop_reasons[q]; spin_unlock(&local->queue_stop_reason_lock); @@ -3738,9 +3738,6 @@ begin: spin_lock_bh(&fq->lock); - if (unlikely(test_bit(IEEE80211_TXQ_STOP, &txqi->flags))) - goto out; - /* Make sure fragments stay together. */ skb = __skb_dequeue(&txqi->frags); if (unlikely(skb)) { @@ -3750,6 +3747,9 @@ begin: IEEE80211_SKB_CB(skb)->control.flags &= ~IEEE80211_TX_INTCFL_NEED_TXPROCESSING; } else { + if (unlikely(test_bit(IEEE80211_TXQ_STOP, &txqi->flags))) + goto out; + skb = fq_tin_dequeue(fq, tin, fq_tin_dequeue_func); } @@ -3800,7 +3800,8 @@ begin: } if (test_bit(IEEE80211_TXQ_AMPDU, &txqi->flags)) - info->flags |= IEEE80211_TX_CTL_AMPDU; + info->flags |= (IEEE80211_TX_CTL_AMPDU | + IEEE80211_TX_CTL_DONTFRAG); else info->flags &= ~IEEE80211_TX_CTL_AMPDU;