From: Felix Fietkau nbd@nbd.name
commit 18688c80ad8a8dd50523dc9276e929932cac86d4 upstream.
Since retransmission clears info->control, rate control needs to be called again, otherwise the driver might crash due to invalid rates.
Cc: stable@vger.kernel.org # 5.14+ Reported-by: Aaro Koskinen aaro.koskinen@iki.fi Reported-by: Robert W rwbugreport@lost-in-the-void.net Fixes: 03c3911d2d67 ("mac80211: call ieee80211_tx_h_rate_ctrl() when dequeue") Signed-off-by: Felix Fietkau nbd@nbd.name Tested-by: Aaro Koskinen aaro.koskinen@iki.fi Link: https://lore.kernel.org/r/20211122204323.9787-1-nbd@nbd.name Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/mac80211/tx.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -1821,15 +1821,15 @@ static int invoke_tx_handlers_late(struc struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb); ieee80211_tx_result res = TX_CONTINUE;
+ if (!ieee80211_hw_check(&tx->local->hw, HAS_RATE_CONTROL)) + CALL_TXH(ieee80211_tx_h_rate_ctrl); + if (unlikely(info->flags & IEEE80211_TX_INTFL_RETRANSMISSION)) { __skb_queue_tail(&tx->skbs, tx->skb); tx->skb = NULL; goto txh_done; }
- if (!ieee80211_hw_check(&tx->local->hw, HAS_RATE_CONTROL)) - CALL_TXH(ieee80211_tx_h_rate_ctrl); - CALL_TXH(ieee80211_tx_h_michael_mic_add); CALL_TXH(ieee80211_tx_h_sequence); CALL_TXH(ieee80211_tx_h_fragment);