To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Bjoern A. Zeeb
Subject: git: b07c75928028 - stable/15 - LinuxKPI: 802.11: do not leak BA sessions when tearing down state
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
Date: Fri, 27 Feb 2026 02:30:17 +0000
Message-Id: <69a101b9.204f5.5876fb35@gitrepo.freebsd.org>

The branch stable/15 has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=b07c75928028e5cf6bfc3d76e6ade4123dc052b7

commit b07c75928028e5cf6bfc3d76e6ade4123dc052b7
Author:     Bjoern A. Zeeb
AuthorDate: 2026-02-24 12:55:48 +0000
Commit:     Bjoern A. Zeeb
CommitDate: 2026-02-26 23:09:28 +0000

    LinuxKPI: 802.11: do not leak BA sessions when tearing down state

    In certain cases we may tear down state of a node with 'ongoing'
    BA sessions.  This can trigger a firmware crash with iwlwifi as
    reported in [1] when trying to remove the sta from the firmware.

        0x2010303A | ADVANCED_SYSASSERT
        ..
        0x00000000 | umac data1 (sta id=0)
        ..
        0x0088030C | last host cmd (STA_RM)

    [1] https://lists.freebsd.org/archives/freebsd-wireless/2025-November/003901.html

    I hit the same problem while running regression tests after reworking
    some LinuxKPI 802.11 sta state machine bits.

    Add the missing calls to lkpi_sta_run_to_assoc() and
    lkpi_sta_run_to_init() to make sure (through net80211) we call
    (*ampdu_action) with IEEE80211_AMPDU_RX_STOP to avoid the firmware
    crash.

    Note: this specific patch was not excessively tested.
    The upcoming change to the state machine including this fix has seen
    more testing but also only needed the change in one place.
    The reason for putting this in upfront is to document the case well.

    Reported by:    Mohammad Amin (the.madamin20 gmail.com) [1]
    Sponsored by:   The FreeBSD Foundation

    (cherry picked from commit fc9369abef6b6993e79b08de832e1d49f81a17b9)
--- sys/compat/linuxkpi/common/src/linux_80211.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c index 0b732cb691c6..e80cf9436b3a 100644 --- a/sys/compat/linuxkpi/common/src/linux_80211.c +++ b/sys/compat/linuxkpi/common/src/linux_80211.c @@ -3256,6 +3256,7 @@ lkpi_sta_run_to_assoc(struct ieee80211vap *vap, enum ieee80211_state nstate, int #if 0 enum ieee80211_bss_changed bss_changed; #endif + struct ieee80211_rx_ampdu *rap; int error; lhw = vap->iv_ic->ic_softc; @@ -3311,6 +3312,16 @@ lkpi_sta_run_to_assoc(struct ieee80211vap *vap, enum ieee80211_state nstate, int goto outni; } + /* Stop any BA sessions if still active. */ + for (int rapn = 0; rapn < WME_NUM_TID; rapn++) { + rap = &ni->ni_rx_ampdu[rapn]; + + if ((rap->rxa_flags & IEEE80211_AGGR_RUNNING) == 0) + continue; + + vap->iv_ic->ic_ampdu_rx_stop(ni, rap); + } + IEEE80211_UNLOCK(vap->iv_ic); /* Ensure the packets get out. */ @@ -3412,6 +3423,7 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int struct ieee80211_sta *sta; struct ieee80211_prep_tx_info prep_tx_info; enum ieee80211_bss_changed bss_changed; + struct ieee80211_rx_ampdu *rap; int error; lhw = vap->iv_ic->ic_softc; 
@@ -3467,6 +3479,16 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int goto outni; } + /* Stop any BA sessions if still active. */ + for (int rapn = 0; rapn < WME_NUM_TID; rapn++) { + rap = &ni->ni_rx_ampdu[rapn]; + + if ((rap->rxa_flags & IEEE80211_AGGR_RUNNING) == 0) + continue; + + vap->iv_ic->ic_ampdu_rx_stop(ni, rap); + } + IEEE80211_UNLOCK(vap->iv_ic); /* Ensure the packets get out. */
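
Review bot: in the lkpi_sta_run_to_assoc() hunk at -3311, the new loop calls vap->iv_ic->ic_ampdu_rx_stop(ni, rap) immediately before the existing IEEE80211_UNLOCK(vap->iv_ic), so the stop handler appears to run with that lock still held. The commit message says this path ends in the driver's (*ampdu_action) with IEEE80211_AMPDU_RX_STOP; please confirm that callback may be invoked under this lock (it must not sleep or try to take the lock again), or move the loop below the unlock, and extend the comment with one line stating the locking expectation so the next reader does not have to work it out.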
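
Review bot: the BA teardown loop in the lkpi_sta_run_to_init() hunk at -3467 is a line-for-line copy of the one added to lkpi_sta_run_to_assoc(); a small static helper taking (vap, ni) and called from both places would keep a later fix from landing in only one of them. The comment reads "Stop any BA sessions" while the loop walks only ni->ni_rx_ampdu[] and tests rxa_flags, so it should say "RX BA sessions", or state why the TX side needs no handling here. Since the commit message notes that the upcoming state machine change needed the fix in only one place, a short comment saying which of the two call sites is expected to stay would also help whoever merges that change.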