wifi: mt76: fix linked list corruption

Never leave scheduled wcid entries on the temporary on-stack list

Fixes: 0b3be9d1d34e ("wifi: mt76: add separate tx scheduling queue for off-channel tx")
Link: https://patch.msgid.link/20250827085352.51636-6-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>

diff --git a/drivers/net/wireless/mediatek/mt76/tx.c b/drivers/net/wireless/mediatek/mt76/tx.c
index 03b042fdf997fca8eb4977321abcd98a8c7452a0..8ab5840fee57f990e251abdcf82dad1adfc090f7 100644 (file)
--- a/drivers/net/wireless/mediatek/mt76/tx.c
+++ b/drivers/net/wireless/mediatek/mt76/tx.c
@@ -646,6 +646,7 @@ mt76_txq_schedule_pending_wcid(struct mt76_phy *phy, struct mt76_wcid *wcid,
 static void mt76_txq_schedule_pending(struct mt76_phy *phy)
 {
        LIST_HEAD(tx_list);
+       int ret = 0;
 
        if (list_empty(&phy->tx_list))
                return;
@@ -657,13 +658,13 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy)
        list_splice_init(&phy->tx_list, &tx_list);
        while (!list_empty(&tx_list)) {
                struct mt76_wcid *wcid;
-               int ret;
 
                wcid = list_first_entry(&tx_list, struct mt76_wcid, tx_list);
                list_del_init(&wcid->tx_list);
 
                spin_unlock(&phy->tx_lock);
-               ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel);
+               if (ret >= 0)
+                       ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_offchannel);
                if (ret >= 0 && !phy->offchannel)
                        ret = mt76_txq_schedule_pending_wcid(phy, wcid, &wcid->tx_pending);
                spin_lock(&phy->tx_lock);
@@ -672,9 +673,6 @@ static void mt76_txq_schedule_pending(struct mt76_phy *phy)
                    !skb_queue_empty(&wcid->tx_offchannel) &&
                    list_empty(&wcid->tx_list))
                        list_add_tail(&wcid->tx_list, &phy->tx_list);
-
-               if (ret < 0)
-                       break;
        }
        spin_unlock(&phy->tx_lock);