The branch main has been updated by bz: URL: https://cgit.FreeBSD.org/src/commit/?id=8475942ca8e887287959ec2671266a210f41ed86
commit 8475942ca8e887287959ec2671266a210f41ed86 Author: Bjoern A. Zeeb <b...@freebsd.org> AuthorDate: 2025-07-20 15:03:42 +0000 Commit: Bjoern A. Zeeb <b...@freebsd.org> CommitDate: 2025-08-24 10:26:38 +0000 LinuxKPI: 802.11: add guards to lkpi_ic_ampdu_rx_{start,stop} After updating calls into lkpi_ic_ampdu_rx_stop() were seen along with panics. Working backwards adding checks to each level we lastly ended up fighting a lsta which is NULL. Simply return in any error cases as there is nothing we can do and just leave it to net80211. Sponsored by: The FreeBSD Foundation MFC after: 3 days --- sys/compat/linuxkpi/common/src/linux_80211.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c index 7ea7622744db..7e1430ccdbd1 100644 --- a/sys/compat/linuxkpi/common/src/linux_80211.c +++ b/sys/compat/linuxkpi/common/src/linux_80211.c @@ -5575,6 +5575,12 @@ lkpi_ic_ampdu_rx_start(struct ieee80211_node *ni, struct ieee80211_rx_ampdu *rap return (-ENXIO); } + if (lsta->state != IEEE80211_STA_AUTHORIZED) { + ic_printf(ic, "%s: lsta %p ni %p vap %p, sta %p state %d not AUTHORIZED\n", + __func__, lsta, ni, vap, sta, lsta->state); + return (-ENXIO); + } + params.sta = sta; params.action = IEEE80211_AMPDU_RX_START; params.buf_size = _IEEE80211_MASKSHIFT(le16toh(baparamset), IEEE80211_BAPS_BUFSIZ); 
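Review bot: The new `ic_printf()` in lkpi_ic_ampdu_rx_start() prints four raw kernel pointers (`lsta`, `ni`, `vap`, `sta`) and is not rate limited. This path appears to be reached while a peer's ADDBA request is processed, so a station that is associated but not yet AUTHORIZED could presumably trigger it repeatedly, filling the message buffer and exposing kernel addresses in the log. Identifying the peer by address would be more useful to an operator, e.g. `ic_printf(ic, "%s: sta %6D state %d not AUTHORIZED\n", __func__, ni->ni_macaddr, ":", lsta->state);`, wrapped in a `ppsratecheck()` gate or the file's existing debug-trace switch. The same applies to the four messages added in lkpi_ic_ampdu_rx_stop() in the next hunk. The function's start and end are outside this hunk, so earlier checks and the handling of the `-ENXIO` return by the caller could not be reviewed.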
@@ -5651,13 +5657,35 @@ lkpi_ic_ampdu_rx_stop(struct ieee80211_node *ni, struct ieee80211_rx_ampdu *rap) lvif = VAP_TO_LVIF(vap); vif = LVIF_TO_VIF(lvif); lsta = ni->ni_drv_data; + if (lsta == NULL) { + ic_printf(ic, "%s: lsta %p ni %p vap %p, lsta is NULL\n", + __func__, lsta, ni, vap); + goto net80211_only; + } sta = LSTA_TO_STA(lsta); + if (!lsta->added_to_drv) { + ic_printf(ic, "%s: lsta %p ni %p vap %p, sta %p not added to firmware\n", + __func__, lsta, ni, vap, sta); + goto net80211_only; + } + + if (lsta->state != IEEE80211_STA_AUTHORIZED) { + ic_printf(ic, "%s: lsta %p ni %p vap %p, sta %p state %d not AUTHORIZED\n", + __func__, lsta, ni, vap, sta, lsta->state); + goto net80211_only; + } + IMPROVE_HT("This really should be passed from ht_recv_action_ba_delba."); for (tid = 0; tid < WME_NUM_TID; tid++) { if (&ni->ni_rx_ampdu[tid] == rap) break; } + if (tid == WME_NUM_TID) { + ic_printf(ic, "%s: lsta %p ni %p vap %p, sta %p TID not found\n", + __func__, lsta, ni, vap, sta); + goto net80211_only; + } params.sta = sta; params.action = IEEE80211_AMPDU_RX_STOP;
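Review bot: The guards in lkpi_ic_ampdu_rx_stop() read `ni->ni_drv_data`, `lsta->added_to_drv` and `lsta->state` with no lock or reference visible in the hunk. If the NULL `lsta` described in the commit message comes from a station teardown running concurrently, these checks narrow the window but do not close it, and `lsta` could still go away between the check and the driver call. A comment above the first check should name what keeps the reads stable, e.g. `/* lsta cannot be freed here because <lock or context held by the caller>. */`, or the function should assert that lock. The `goto net80211_only` taken when `lsta` is NULL also skips the assignment of `sta`. The label and the rest of the function are outside the hunk, so it is worth confirming that nothing after the label reads `sta`, `lsta` or `params`.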