From: Felix Fietkau <nbd@nbd.name>
Date: Wed, 3 Jan 2024 15:10:18 +0100
Subject: [PATCH] wifi: mac80211: fix race condition on enabling fast-xmit

fast-xmit must only be enabled after the sta has been uploaded to the driver,
otherwise it could end up passing the not-yet-uploaded sta via drv_tx calls
to the driver, leading to potential crashes because of uninitialized drv_priv
data.
Add a missing sta->uploaded check and re-check fast xmit after inserting a sta.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---

--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -918,6 +918,7 @@ static int sta_info_insert_finish(struct
 
 	if (ieee80211_vif_is_mesh(&sdata->vif))
 		mesh_accept_plinks_update(sdata);
+	ieee80211_check_fast_xmit(sta);
 
 	return 0;
  out_remove:
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -3034,7 +3034,7 @@ void ieee80211_check_fast_xmit(struct st
 	    sdata->vif.type == NL80211_IFTYPE_STATION)
 		goto out;
 
-	if (!test_sta_flag(sta, WLAN_STA_AUTHORIZED))
+	if (!test_sta_flag(sta, WLAN_STA_AUTHORIZED) || !sta->uploaded)
 		goto out;
 
 	if (test_sta_flag(sta, WLAN_STA_PS_STA) ||