mt76_tx_status_skb_add uses memset on status.status_driver_data, which overwrite info->control.flags in ieee80211_tx_info. Copy tx_info before calling mt76_tx_status_skb_add to ensure control fields are preserved and remain valid for later processing. Reported-By: Roy Luo Signed-off-by: Ryder Lee --- drivers/net/wireless/mediatek/mt76/mt7996/mac.c | 17 +++++++++-------- .../net/wireless/mediatek/mt76/mt7996/mt7996.h | 2 +- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c index e2a83da3a09c..a59c14c8f2af 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mac.c +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mac.c @@ -855,11 +855,12 @@ mt7996_mac_write_txwi_80211(struct mt7996_dev *dev, __le32 *txwi, void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32 *txwi, struct sk_buff *skb, struct mt76_wcid *wcid, - struct ieee80211_key_conf *key, int pid, + struct ieee80211_tx_info *tx_info, int pid, enum mt76_txq_id qid, u32 changed) { struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; - struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + struct ieee80211_key_conf *key = tx_info ? tx_info->control.hw_key : NULL; + struct ieee80211_tx_info *info = tx_info ? tx_info : IEEE80211_SKB_CB(skb); struct ieee80211_vif *vif = info->control.vif; u8 band_idx = (info->hw_queue & MT_TX_HW_QUEUE_PHY) >> 2; u8 p_fmt, q_idx, omac_idx = 0, wmm_idx = 0; @@ -1006,15 +1007,15 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr, { struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)tx_info->skb->data; struct mt7996_dev *dev = container_of(mdev, struct mt7996_dev, mt76); - struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx_info->skb); - struct ieee80211_key_conf *key = info->control.hw_key; - struct ieee80211_vif *vif = info->control.vif; + struct ieee80211_tx_info info = *IEEE80211_SKB_CB(tx_info->skb); + struct ieee80211_key_conf *key = info.control.hw_key; + struct ieee80211_vif *vif = info.control.vif; struct mt7996_vif *mvif = vif ? (struct mt7996_vif *)vif->drv_priv : NULL; struct mt7996_sta *msta = sta ? (struct mt7996_sta *)sta->drv_priv : NULL; struct mt76_vif_link *mlink = NULL; struct mt76_txwi_cache *t; int id, i, pid, nbuf = tx_info->nbuf - 1; - bool is_8023 = info->flags & IEEE80211_TX_CTL_HW_80211_ENCAP; + bool is_8023 = info.flags & IEEE80211_TX_CTL_HW_80211_ENCAP; __le32 *ptr = (__le32 *)txwi_ptr; u8 *txwi = (u8 *)txwi_ptr; u8 link_id; @@ -1031,7 +1032,7 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr, link_id = (tid % 2) ? msta->seclink_id : msta->deflink_id; } else { - link_id = u32_get_bits(info->control.flags, + link_id = u32_get_bits(info.control.flags, IEEE80211_TX_CTRL_MLO_LINK); } @@ -1095,7 +1096,7 @@ int mt7996_tx_prepare_skb(struct mt76_dev *mdev, void *txwi_ptr, memset(txwi_ptr, 0, MT_TXD_SIZE); /* Transmit non qos data by 802.11 header and need to fill txd by host*/ if (!is_8023 || pid >= MT_PACKET_ID_FIRST) - mt7996_mac_write_txwi(dev, txwi_ptr, tx_info->skb, wcid, key, + mt7996_mac_write_txwi(dev, txwi_ptr, tx_info->skb, wcid, &info, pid, qid, 0); /* MT7996 and MT7992 require driver to provide the MAC TXP for AddBA diff --git a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h index bdcf72457954..319fcc4fb469 100644 --- a/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h +++ b/drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h @@ -854,7 +854,7 @@ void mt7996_mac_cca_stats_reset(struct mt7996_phy *phy); void mt7996_mac_enable_nf(struct mt7996_dev *dev, u8 band); void mt7996_mac_write_txwi(struct mt7996_dev *dev, __le32 *txwi, struct sk_buff *skb, struct mt76_wcid *wcid, - struct ieee80211_key_conf *key, int pid, + struct ieee80211_tx_info *tx_info, int pid, enum mt76_txq_id qid, u32 changed); void mt7996_mac_update_beacons(struct mt7996_phy *phy); void mt7996_mac_set_coverage_class(struct mt7996_phy *phy); -- 2.45.2