ath12k_dp_rx_deliver_msdu() currently uses hal_rx_desc_data::peer_id
parsed from mpdu_start descriptor to do peer lookup. However, in an A-MSDU
aggregation scenario, hardware only populates mpdu_start descriptor for
the first sub-msdu, but not the following ones. In that case peer_id could
be invalid, leading to peer lookup failure:

ath12k_wifi7_pci 0000:06:00.0: rx skb 00000000c391c041 len 1532 peer (null) 0 ucast sn 0 eht320 rate_idx 12 vht_nss 2 freq 6105 band 3 flag 0x40d1a fcs-err 0 mic-err 0 amsdu-more 0

As a result pubsta is NULL and parts of ieee80211_rx_status structure are
left uninitialized, which may cause unexpected behavior.

Fix it by switching the normal RX path to use ath12k_skb_rxcb::peer_id
which is parsed from REO ring's rx_mpdu_desc and is always valid.

hal_rx_desc_data::peer_id is still used in
ath12k_wifi7_dp_rx_frag_h_mpdu(), which is safe since A-MSDU
aggregation does not occur for fragmented frames. Similarly,
ath12k_skb_rxcb::peer_id may be overwritten by hal_rx_desc_data::peer_id
in ath12k_wifi7_dp_rx_h_mpdu(), which only handles non-aggregated
multicast/broadcast traffic.

Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3

Fixes: 11157e0910fd ("wifi: ath12k: Use ath12k_dp_peer in per packet Tx & Rx paths")
Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
---
drivers/net/wireless/ath/ath12k/dp_rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index 25557dea5826..b108ccd0f637 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -1340,7 +1340,7 @@ void ath12k_dp_rx_deliver_msdu(struct ath12k_pdev_dp *dp_pdev, struct napi_struc
bool is_mcbc = rxcb->is_mcbc;
bool is_eapol = rxcb->is_eapol;
- peer = ath12k_dp_peer_find_by_peerid(dp_pdev, rx_info->peer_id);
+ peer = ath12k_dp_peer_find_by_peerid(dp_pdev, rxcb->peer_id);
pubsta = peer ? peer->sta : NULL;
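Review bot: the context line `pubsta = peer ? peer->sta : NULL;` still allows for a failed lookup after the id source changes to `rxcb->peer_id`, and the commit message says that a NULL pubsta leaves parts of ieee80211_rx_status uninitialized. The patch removes one cause of the failed lookup but not the uninitialized state that follows from it, so consider giving those status fields defined values before the lookup, or handling the `peer == NULL` case explicitly, so that any remaining lookup miss cannot pass stale data up the stack. A one-line comment at the call explaining why `rxcb->peer_id` (from the REO ring) is used here instead of `rx_info->peer_id` (from mpdu_start) would also help, since the two fields look interchangeable and the distinction is currently recorded only in the commit message.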
---
base-commit: 7aa24d964a04648b547197c22364e2b76aec096e
change-id: 20260416-ath12k-fix-peer-id-source-140c23f17d8a
Best regards,
--
Baochen Qiang <baochen.qiang@oss.qualcomm.com>
On Mon, 27 Apr 2026 13:51:41 +0800, Baochen Qiang wrote:
> ath12k_dp_rx_deliver_msdu() currently uses hal_rx_desc_data::peer_id
> parsed from mpdu_start descriptor to do peer lookup. However, in an A-MSDU
> aggregation scenario, hardware only populates mpdu_start descriptor for
> the first sub-msdu, but not the following ones. In that case peer_id could
> be invalid, leading to peer lookup failure:
>
> ath12k_wifi7_pci 0000:06:00.0: rx skb 00000000c391c041 len 1532 peer (null) 0 ucast sn 0 eht320 rate_idx 12 vht_nss 2 freq 6105 band 3 flag 0x40d1a fcs-err 0 mic-err 0 amsdu-more 0
>
> [...]
Applied, thanks!
[1/1] wifi: ath12k: fix peer_id usage in normal RX path
commit: 0e1308803d2c3fd365a6d21e6be355ec1e28eaaf
Best regards,
--
Jeff Johnson <jeff.johnson@oss.qualcomm.com>
On 4/27/2026 11:21 AM, Baochen Qiang wrote:
> ath12k_dp_rx_deliver_msdu() currently uses hal_rx_desc_data::peer_id
> parsed from mpdu_start descriptor to do peer lookup. However, in an A-MSDU
> aggregation scenario, hardware only populates mpdu_start descriptor for
> the first sub-msdu, but not the following ones. In that case peer_id could
> be invalid, leading to peer lookup failure:
>
> ath12k_wifi7_pci 0000:06:00.0: rx skb 00000000c391c041 len 1532 peer (null) 0 ucast sn 0 eht320 rate_idx 12 vht_nss 2 freq 6105 band 3 flag 0x40d1a fcs-err 0 mic-err 0 amsdu-more 0
>
> As a result pubsta is NULL and parts of ieee80211_rx_status structure are
> left uninitialized, which may cause unexpected behavior.
>
> Fix it by switching the normal RX path to use ath12k_skb_rxcb::peer_id
> which is parsed from REO ring's rx_mpdu_desc and is always valid.
>
> hal_rx_desc_data::peer_id is still used in
> ath12k_wifi7_dp_rx_frag_h_mpdu(), which is safe since A-MSDU
> aggregation does not occur for fragmented frames. Similarly,
> ath12k_skb_rxcb::peer_id may be overwritten by hal_rx_desc_data::peer_id
> in ath12k_wifi7_dp_rx_h_mpdu(), which only handles non-aggregated
> multicast/broadcast traffic.
>
> Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.1.c5-00302-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.115823.3
>
> Fixes: 11157e0910fd ("wifi: ath12k: Use ath12k_dp_peer in per packet Tx & Rx paths")
> Signed-off-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com>
Reviewed-by: Rameshkumar Sundaram <rameshkumar.sundaram@oss.qualcomm.com>