From nobody Tue Feb 24 22:09:10 2026
X-Original-To: dev-commits-src-main@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4fLBhQ4W8gz6T4wZ
	for <dev-commits-src-main@mlmmj.nyi.freebsd.org>; Tue, 24 Feb 2026 22:09:10 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4fLBhQ22NRz45JN
	for <dev-commits-src-main@FreeBSD.org>; Tue, 24 Feb 2026 22:09:10 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1771970950;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=CbcSuZ4NINzugGM4jkI6Cm32z4EYGw+01MI8PKnTGpE=;
	b=KeW0CDoPuKGlF5rbn2XTCpEKcKjnm5qZAmsBqW2SS6ExlI/VmLqKeFxON5xSkgaV634JHj
	c4LeqYMfyqmr7KqS4Ax9YFrsQF/78uW1uqoI5z1nL8Q/zQ/fpKAThKldhV/u3bnWJ5RzgV
	VFgN9Jm3n+juT6Mjri4G0HrQn9bRtG4oFrsjMnGV6WaLBDax3QcvyFOYhVmnLdiO70hXbX
	jaLkq4dkz1ycoF5/If1N+kkSBM5B+86mHpw0d4zQ1Ucx4zwpLcIdT8e+MuOsrsYDndHabQ
	VFm6N38l/dqTZIVebHNgt3yrlPtv8obI+agOddlTU2nnIQ5EyopNdhuX/vf+rw==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1771970950; a=rsa-sha256; cv=none;
	b=ddptrQk9f31WHKQTUF7sNOqYG1AE/xwouNIWuz0MqjyXMzCtqXRzFupOQ5y+oZ/lqWOq6q
	6wDBlhOrP5QarwyxRAlxcKUPxsv+pPDq8l2OvqcDe03fTULJuxfPJ5RDKpCOMP0H3+t/wj
	utFHMiwtNQ/7LFyKtvoVlZQcuN6gClOjXDBbu/6ObyzI4pPL/3uzgTVAXZxSiTLixWztxK
	/FmqXLOmi7W9BvdxCKBAlXWOzpfuiEnxrmj1xNHrcbmLy2rakJbUORO3XC1PdSA8Mpejo4
	GdeqhnsCK8I/oesUMcRpTay+YU7/5APJx0wcyGwmq6pqAo7xSkNPRktL2HJFQQ==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1771970950;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding;
	bh=CbcSuZ4NINzugGM4jkI6Cm32z4EYGw+01MI8PKnTGpE=;
	b=elL6fNyGSl1GYHbk+3asJJZVA3oCGHjqnh3CocyEI2xteXUs99Iu1/AhNaY2YbBsfH9DfM
	bAkMmlvuE3UmZGz+9ue4XLiN586Auhb3EOkJnxFMY17ElBuviawSpdB/9ff5FAEXzmBI1+
	Xp7PUsj8LsEKnc9IqhF9XE2lNgidlLZMqV+GYtyRfNEqRg9QrVJCzRyHm+fMJ0Fhez9jqk
	T//kBbid7WMbi69Z5mLc5DQ4t9WiZm8xpQPx2+/VEYmxwml0UvZ8pCVq7jVQuWWGoG0uBh
	Sp6XFxxGKsnnGWJnY+zV+uF7Z/JPZ0a9w1NR6IiplPwwUBDKZixmO28IziNRug==
Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5])
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTP id 4fLBhQ1LvPzbTG
	for <dev-commits-src-main@FreeBSD.org>; Tue, 24 Feb 2026 22:09:10 +0000 (UTC)
	(envelope-from git@FreeBSD.org)
Received: from git (uid 1279)
	(envelope-from git@FreeBSD.org)
	id 3483e
	by gitrepo.freebsd.org (DragonFly Mail Agent v0.13+ on gitrepo.freebsd.org);
	Tue, 24 Feb 2026 22:09:10 +0000
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Bjoern A. Zeeb <bz@FreeBSD.org>
Subject: git: fc9369abef6b - main - LinuxKPI: 802.11: do not leak BA sessions when tearing down state
List-Id: Commit messages for the main branch of the src repository <dev-commits-src-main.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
List-Help: <mailto:dev-commits-src-main+help@freebsd.org>
List-Post: <mailto:dev-commits-src-main@freebsd.org>
List-Subscribe: <mailto:dev-commits-src-main+subscribe@freebsd.org>
List-Unsubscribe: <mailto:dev-commits-src-main+unsubscribe@freebsd.org>
X-BeenThere: dev-commits-src-main@freebsd.org
Sender: owner-dev-commits-src-main@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: bz
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: fc9369abef6b6993e79b08de832e1d49f81a17b9
Auto-Submitted: auto-generated
Date: Tue, 24 Feb 2026 22:09:10 +0000
Message-Id: <699e2186.3483e.4e53180e@gitrepo.freebsd.org>

The branch main has been updated by bz:

URL: https://cgit.FreeBSD.org/src/commit/?id=fc9369abef6b6993e79b08de832e1d49f81a17b9

commit fc9369abef6b6993e79b08de832e1d49f81a17b9
Author:     Bjoern A. Zeeb <bz@FreeBSD.org>
AuthorDate: 2026-02-24 12:55:48 +0000
Commit:     Bjoern A. Zeeb <bz@FreeBSD.org>
CommitDate: 2026-02-24 22:06:18 +0000

    LinuxKPI: 802.11: do not leak BA sessions when tearing down state
    
    In certain cases we may tear down state of a node with 'ongoing'
    BA sessions.  This can trigger a firmware crash with iwlwifi as
    reported in [1] when trying to remove the sta from the firmware.
    
       0x2010303A | ADVANCED_SYSASSERT
       ..
       0x00000000 | umac data1 (sta id=0)
       ..
       0x0088030C | last host cmd (STA_RM)
    
    [1] https://lists.freebsd.org/archives/freebsd-wireless/2025-November/003901.html
    
    I hit the same problem while running regression tests after
    reworking some LinuxKPI 802.11 sta state machine bits.
    
    Add the missing calls to lkpi_sta_run_to_assoc() and lkpi_sta_run_to_init()
    to make sure (through net80211) we call (*ampdu_action) with
    IEEE80211_AMPDU_RX_STOP to avoid the firmware crash.
    
    Note: this specific patch was not excessively tested.  The upcoming
    change to the state machine including this fix has seen more testing
    but also only needed the change in one place.
    The reason for putting this in upfront is to document the case well.
    
    Reported by:    Mohammad Amin (the.madamin20 gmail.com) [1]
    Sponsored by:   The FreeBSSD Foundation
    MFC after:      3 days
---
 sys/compat/linuxkpi/common/src/linux_80211.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c
index 0b732cb691c6..e80cf9436b3a 100644
--- a/sys/compat/linuxkpi/common/src/linux_80211.c
+++ b/sys/compat/linuxkpi/common/src/linux_80211.c
@@ -3256,6 +3256,7 @@ lkpi_sta_run_to_assoc(struct ieee80211vap *vap, enum ieee80211_state nstate, int
 #if 0
 	enum ieee80211_bss_changed bss_changed;
 #endif
+	struct ieee80211_rx_ampdu *rap;
 	int error;
 
 	lhw = vap->iv_ic->ic_softc;
@@ -3311,6 +3312,16 @@ lkpi_sta_run_to_assoc(struct ieee80211vap *vap, enum ieee80211_state nstate, int
 		goto outni;
 	}
 
+	/* Stop any BA sessions if still active. */
+	for (int rapn = 0; rapn < WME_NUM_TID; rapn++) {
+		rap = &ni->ni_rx_ampdu[rapn];
+
+		if ((rap->rxa_flags & IEEE80211_AGGR_RUNNING) == 0)
+			continue;
+
+		vap->iv_ic->ic_ampdu_rx_stop(ni, rap);
+	}
+
 	IEEE80211_UNLOCK(vap->iv_ic);
 
 	/* Ensure the packets get out. */
@@ -3412,6 +3423,7 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int
 	struct ieee80211_sta *sta;
 	struct ieee80211_prep_tx_info prep_tx_info;
 	enum ieee80211_bss_changed bss_changed;
+	struct ieee80211_rx_ampdu *rap;
 	int error;
 
 	lhw = vap->iv_ic->ic_softc;
@@ -3467,6 +3479,16 @@ lkpi_sta_run_to_init(struct ieee80211vap *vap, enum ieee80211_state nstate, int
 		goto outni;
 	}
 
+	/* Stop any BA sessions if still active. */
+	for (int rapn = 0; rapn < WME_NUM_TID; rapn++) {
+		rap = &ni->ni_rx_ampdu[rapn];
+
+		if ((rap->rxa_flags & IEEE80211_AGGR_RUNNING) == 0)
+			continue;
+
+		vap->iv_ic->ic_ampdu_rx_stop(ni, rap);
+	}
+
 	IEEE80211_UNLOCK(vap->iv_ic);
 
 	/* Ensure the packets get out. */