ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
its per-invocation rx_result is declared static. Concurrent callers then
share one instance and can overwrite each other's result between
ieee80211_rx_mesh_data() and the switch on res.
That can make a packet that was queued or consumed by
ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
a packet that should continue return as queued.
Make res an automatic variable so each invocation keeps its own result.
Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support")
Cc: stable@vger.kernel.org
Signed-off-by: Catherine <enderaoelyther@gmail.com>
---
net/mac80211/rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 3e5d1c47a..8719db8f3 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -4971,7 +4971,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
struct sk_buff *skb = rx->skb;
struct ieee80211_hdr *hdr = (void *)skb->data;
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
- static ieee80211_rx_result res;
+ ieee80211_rx_result res;
int orig_len = skb->len;
int hdrlen = ieee80211_hdrlen(hdr->frame_control);
int snap_offs = hdrlen;
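Review bot: The new `ieee80211_rx_result res;` declaration has no initializer, and dropping `static` also drops the implicit zero-initialization, so res now starts out indeterminate. Please confirm that every path reaching the switch on res assigns it from ieee80211_rx_mesh_data() first, or give it an explicit initial value at the declaration.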
--
2.50.1 (Apple Git-155)
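The failure mode described in the commit message above, as an added example that is not kernel code and not part of the original patch. It is a constructed single-threaded model: the second caller is run as a nested call in the window between the stand-in for ieee80211_rx_mesh_data() and the switch, so the outcome is deterministic. All names (`pkt`, `mesh_data`, `race_window`, `invoke`, `outcome`) are hypothetical.

```c
#include <stdio.h>

/* Constructed model; every identifier here is hypothetical. */
enum rx_result { RX_CONTINUE, RX_QUEUED };

struct pkt { enum rx_result mesh_verdict; struct pkt *racer; };

/* Stand-in for ieee80211_rx_mesh_data(): returns the packet's verdict. */
static enum rx_result mesh_data(struct pkt *p) { return p->mesh_verdict; }

static int invoke(struct pkt *p, int shared);

/* Window between the call and the switch: a second caller runs here. */
static void race_window(struct pkt *p, int shared)
{
    struct pkt *other = p->racer;
    if (other) { p->racer = NULL; invoke(other, shared); }
}

/* Returns 1 if the packet continued to the 802.3 path, 0 if it stopped. */
static int invoke(struct pkt *p, int shared)
{
    static enum rx_result shared_res;   /* one instance for all callers */
    enum rx_result local_res;           /* one instance per invocation */
    enum rx_result *res = shared ? &shared_res : &local_res;

    *res = mesh_data(p);
    race_window(p, shared);             /* other caller may overwrite *res */
    switch (*res) {
    case RX_QUEUED:   return 0;
    case RX_CONTINUE: return 1;
    }
    return 1;
}

/* Process packet A while packet B races with it; report what A did. */
int outcome(enum rx_result a_verdict, enum rx_result b_verdict, int shared)
{
    struct pkt b = { b_verdict, NULL };
    struct pkt a = { a_verdict, &b };
    return invoke(&a, shared);
}

int main(void)
{
    printf("static:    queued A continued=%d\n", outcome(RX_QUEUED, RX_CONTINUE, 1));
    printf("automatic: queued A continued=%d\n", outcome(RX_QUEUED, RX_CONTINUE, 0));
    return 0;
}
```

With the shared result, A takes B's verdict in both directions; with the per-invocation result, A keeps its own.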
On 4/24/2026 6:14 AM, Catherine wrote:
> ieee80211_invoke_fast_rx() is documented as safe for parallel RX, but
> its per-invocation rx_result is declared static. Concurrent callers then
> share one instance and can overwrite each other's result between
> ieee80211_rx_mesh_data() and the switch on res.
>
> That can make a packet that was queued or consumed by
> ieee80211_rx_mesh_data() fall through into ieee80211_rx_8023(), or make
> a packet that should continue return as queued.
>
> Make res an automatic variable so each invocation keeps its own result.
>
> Fixes: 3468e1e0c639 ("wifi: mac80211: add mesh fast-rx support")
@Felix: Any recollection why this was static in your original patch?
> Cc: stable@vger.kernel.org
> Signed-off-by: Catherine <enderaoelyther@gmail.com>
Is this an identity you commonly use? Note that anonymous contributions are
not allowed:
https://www.kernel.org/doc/html/latest/process/submitting-patches.html#developer-s-certificate-of-origin-1-1
> ---
> net/mac80211/rx.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
> index 3e5d1c47a..8719db8f3 100644
> --- a/net/mac80211/rx.c
> +++ b/net/mac80211/rx.c
> @@ -4971,7 +4971,7 @@ static bool ieee80211_invoke_fast_rx(struct ieee80211_rx_data *rx,
> struct sk_buff *skb = rx->skb;
> struct ieee80211_hdr *hdr = (void *)skb->data;
> struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
> - static ieee80211_rx_result res;
> + ieee80211_rx_result res;
> int orig_len = skb->len;
> int hdrlen = ieee80211_hdrlen(hdr->frame_control);
> int snap_offs = hdrlen;
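Review bot: The commit message should state that res never needs to carry a value from one call to the next, since that persistence is the only thing `static` provided at this declaration; the neighbouring locals (skb, hdr, status, orig_len, hdrlen, snap_offs) are all plain automatics. It is also worth checking the rest of ieee80211_invoke_fast_rx() for any other static local.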
Actual patch seems reasonable..
Reviewed-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
On Tue, Apr 28, 2026 at 07:23:30AM -0700, Jeff Johnson wrote:
> Is this an identity you commonly use? Note that anonymous
> contributions are not allowed:
>
> https://www.kernel.org/doc/html/latest/process/submitting-patches.html#developer-s-certificate-of-origin-1-1
Apologies for the truncated From line. My full name is Zhao Li; I sign
other kernel contributions the same way.
For DCO purposes, please treat this patch as:
Signed-off-by: Zhao Li <enderaoelyther@gmail.com>
I will use the full name on resends and follow-up patches.
Thanks for the review.
--
Zhao Li