git.ipfire.org Git - thirdparty/linux.git/commit

author	Lorenzo Bianconi <lorenzo@kernel.org>
	Sun, 31 May 2026 08:55:04 +0000 (10:55 +0200)
committer	Felix Fietkau <nbd@nbd.name>
	Tue, 9 Jun 2026 10:15:22 +0000 (10:15 +0000)
commit	729c83a3330c0a56662cd0d8e40db96d41c00a54
tree	f937d894c0f1e640b0f0d1589cc48fe1bfa881b2	tree \| snapshot
parent	61370e6674b5253de5686813ceeceebc35a7d3e5	commit \| diff

wifi: mt76: mt7996: fix reading zeroed info->control.flags after mt76_tx_status_skb_add()

mt76_tx_status_skb_add() zeroes the mt76_tx_cb struct stored at
info->status.status_driver_data via memset(). Since info->control and
info->status are members of the same union in ieee80211_tx_info,
this overwrites info->control.flags.
In mt7996_tx_prepare_skb(), mt76_tx_status_skb_add() is called before
mt7996_mac_write_txwi(), which re-reads info->control.flags to extract
IEEE80211_TX_CTRL_MLO_LINK. Because the field has been zeroed, the
link_id always resolves to 0 for frames using global_wcid, leading to
incorrect TXWI configuration.
Fix this by passing link_id as an explicit parameter to
mt7996_mac_write_txwi(). In mt7996_tx_prepare_skb(), the link_id is
already extracted from info->control.flags before the destructive
mt76_tx_status_skb_add() call. For the beacon and inband discovery
callers in mcu.c, use link_conf->link_id directly.

Fixes: f0b0b239b8f36 ("wifi: mt76: mt7996: rework mt7996_mac_write_txwi() for MLO support")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://patch.msgid.link/20260531-mt76_tx_status_skb_add-overwrite-fix-v2-1-b73c4b4a9798@kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>

drivers/net/wireless/mediatek/mt76/mt7996/mac.c		diff \| blob \| blame \| history
drivers/net/wireless/mediatek/mt76/mt7996/mcu.c		diff \| blob \| blame \| history
drivers/net/wireless/mediatek/mt76/mt7996/mt7996.h		diff \| blob \| blame \| history