From: Felix Fietkau nbd@nbd.name
commit 4856bfd230985e43e84c26473c91028ff0a533bd upstream.
There are several scenarios in which mac80211 can call drv_wake_tx_queue after ieee80211_restart_hw has been called and has not yet completed. Driver private structs are considered uninitialized until mac80211 has uploaded the vifs, stations and keys again, so using private tx queue data during that time is not safe.
The driver can also not rely on drv_reconfig_complete to figure out when it is safe to accept drv_wake_tx_queue calls again, because it is only called after all tx queues are woken again.
To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig is set.
Cc: stable@vger.kernel.org Signed-off-by: Felix Fietkau nbd@nbd.name Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/mac80211/driver-ops.h | 3 +++ 1 file changed, 3 insertions(+)
--- a/net/mac80211/driver-ops.h +++ b/net/mac80211/driver-ops.h @@ -1163,6 +1163,9 @@ static inline void drv_wake_tx_queue(str { struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
+ if (local->in_reconfig) + return; + if (!check_sdata_in_driver(sdata)) return;