Commit 7a7c0a6438b8 ("mac80211: fix TX aggregation start/stop callback race")
added a cancellation of the ampdu work after the loop that stopped the
Tx and Rx BA sessions. However, in some cases, e.g., during HW reconfig,
the low level driver might call mac80211 APIs to complete the stopping
of the BA sessions, which would queue the ampdu work to handle the actual
completion. This work needs to be performed as otherwise mac80211 data
structures would not be properly synced.
Fix this by checking if BA session STOP_CB bit is set after the BA session
cancellation and properly clean the session.
type=bugfix
ticket=jira:WIFILNX-1267
fixes=Ia3e7824a35ea15e7d36db45c6ada65f9c059c0d6
Change-Id: Ib872bb24e3921fdd44787bface7f2ecbf0cf215d
Signed-off-by: Ilan Peer <[email protected]>
Reviewed-on: https://git-amr-3.devtools.intel.com/gerrit/133919
Tested-by: ec ger unix iil jenkins <[email protected]>
Reviewed-by: Coelho, Luciano <[email protected]>
---
net/mac80211/ht.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index c92df49..11d691c 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -300,6 +300,23 @@ void ieee80211_sta_tear_down_BA_sessions(struct sta_info *sta,
/* stopping might queue the work again - so cancel only afterwards */
cancel_work_sync(&sta->ampdu_mlme.work);
+
+ /* In case the tear down is part of a reconfigure due to HW restart
+ * request, it is possible that the low level driver requested to stop
+ * the BA session, so handle it to properly clean tid_tx data.
+ */
+ mutex_lock(&sta->ampdu_mlme.mtx);
+ for (i = 0; i < IEEE80211_NUM_TIDS; i++) {
+ struct tid_ampdu_tx *tid_tx =
+ rcu_dereference_protected_tid_tx(sta, i);
+
+ if (!tid_tx)
+ continue;
+
+ if (test_and_clear_bit(HT_AGG_STATE_STOP_CB, &tid_tx->state))
+ ieee80211_stop_tx_ba_cb(sta, i, tid_tx);
+ }
+ mutex_unlock(&sta->ampdu_mlme.mtx);
}
void ieee80211_ba_session_work(struct work_struct *work)
--
1.9.1