There's a hardware bug in the flow handler (DMA engine), if the
address + len of some TB wraps around a 2^32 boundary, the carry
bit is then carried over into the next TB.

Work around this by copying the data to a new page when we find
this situation, and then copy it in a way that we cannot hit the
very end of the page.

To be able to free the new page again later we need to chain it
to the TSO page, use the last pointer there to make sure we can
never use the page fully for DMA, and thus cannot cause the same
overflow situation on this page.

This leaves a few potential places (where we didn't observe the
problem) unaddressed:
 * The second TB could reach or cross the end of a page (and thus
   2^32) due to the way we allocate the dev_cmd for the header
 * For host commands, a similar thing could happen since they're
   just kmalloc().
We'll address these in further commits.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>

Move the tracking that records the page in the SKB for later
free (refcount decrement) into the get_page_hdr() function
for better code reuse.

While at it, also add an assertion that this doesn't overwrite
any existing page pointer in the skb.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>

we should not send the PPAG (Per-Platform Antenna Gain)
command to FW unless the platform has this ACPI table and it was
read and validated during the init flow. also no need to send the
command if the feature is disabled, so check if enabled before
sending, as if there is no valid table the feature is disabled.
Signed-off-by: NGil Adam <gil.adam@intel.com>
Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>

add_ie_rates() copys rates without checking the length
in bss descriptor from remote AP.when victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copys rates without checking the length
in bss descriptor from remote IBSS node.when victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.
This also fix build warning of mixed declarations and code.
Reported-by: Nkbuild test robot <lkp@intel.com>
Signed-off-by: NWen Huang <huangwenabc@gmail.com>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

The sband->bitrates[] array has "sband->n_bitrates" elements so this
check needs to be >= instead of > or we could read beyond the end of the
array.

These values come from when we call mt76_register_device():

	ret = mt76_register_device(&dev->mt76, true, mt7603_rates,
				   ARRAY_SIZE(mt7603_rates));

Here sband->bitrates[] is mt7603_rates[] and ->n_bitrates is the
ARRAY_SIZE()

Fixes: 5ce09c1a ("mt76: track rx airtime for airtime fairness and survey")
Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

The mt76_led_cleanup() function is called unconditionally, which
leads to a link error when CONFIG_LEDS is a loadable module or
disabled but mt76 is built-in:

drivers/net/wireless/mediatek/mt76/mac80211.o: In function `mt76_unregister_device':
mac80211.c:(.text+0x2ac): undefined reference to `led_classdev_unregister'

Use the same trick that is guarding the registration, using an
IS_ENABLED() check for the CONFIG_MT76_LEDS symbol that indicates
whether LEDs can be used or not.

Fixes: 36f7e2b2 ("mt76: do not use devm API for led classdev")
Signed-off-by: NArnd Bergmann <arnd@arndb.de>
Acked-by: NFelix Fietkau <nbd@nbd.name>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

Instead of just having an airtime flag in debugfs, turn AQL into a proper
NL80211_EXT_FEATURE, so drivers can turn it on when they are ready, and so
we also expose the presence of the feature to userspace.

This also has the effect of flipping the default, so drivers have to opt in
to using AQL instead of getting it by default with TXQs. To keep
functionality the same as pre-patch, we set this feature for ath10k (which
is where it is needed the most).

While we're at it, split out the debugfs interface so AQL gets its own
per-station debugfs file instead of using the 'airtime' file.

[Johannes:]
This effectively disables AQL for iwlwifi, where it fixes a number of
issues:
 * TSO in iwlwifi is causing underflows and associated warnings in AQL
 * HE (802.11ax) rates aren't reported properly so at HE rates, AQL could
   never have a valid estimate (it'd use 6 Mbps instead of up to 2400!)
Signed-off-by: NToke Høiland-Jørgensen <toke@redhat.com>
Link: https://lore.kernel.org/r/20191212111437.224294-1-toke@redhat.com
Fixes: 3ace10f5 ("mac80211: Implement Airtime-based Queue Limit (AQL)")
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

We need to reset the NIC after setting the bits to enable power
gating and that cannot be done too late in the flow otherwise it
cleans other registers and things that were already configured,
causing initialization to fail.

In order to fix this, move the function to the common code in trans.c
so it can be called directly from there at an earlier point, just
after the reset we already do during initialization.

Fixes: 9a47cb98 ("iwlwifi: pcie: add workaround for power gating in integrated 22000")
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=205719
Cc: stable@ver.kernel.org # 5.4+
Reported-by: NAnders Kaseorg <andersk@mit.edu>
Signed-off-by: NLuca Coelho <luciano.coelho@intel.com>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

This reverts commit 968dcfb4.

Both that commit and commit 809805a8
attempted to fix the same bug (dead assignments to the local variable
cfg), but they did so in incompatible ways. When they were both merged,
independently of each other, the combination actually caused the bug to
reappear, leading to a firmware crash on boot for some cards.

https://bugzilla.kernel.org/show_bug.cgi?id=205719Signed-off-by: NAnders Kaseorg <andersk@mit.edu>
Acked-by: NLuca Coelho <luciano.coelho@intel.com>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

mwifiex_process_tdls_action_frame() without checking
the incoming tdls infomation element's vality before use it,
this may cause multi heap buffer overflows.

Fix them by putting vality check before use it.

IE is TLV struct, but ht_cap and  ht_oper aren’t TLV struct.
the origin marvell driver code is wrong:

memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...

Fix the bug by changing pos(the address of IE) to
pos+2 ( the address of IE value ).
Signed-off-by: Nqize wang <wangqize888888888@gmail.com>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

Current implementation always use default eeprom mac address to
configure device registers even if it is updated using
mt76_eeprom_override. Fix it initializing macaddr filed of mt76_dev data
structure with eeprom mac address and running mt76_eeprom_override
before mt76x02_mac_setaddr

Fixes: d1bc9bf2 ("mt76: mt76x0: eeprom: add support for MAC address from OF")
Tested-by: NKevin Schmidt <kevin.patrick.schmidt@googlemail.com>
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

This patch changes the ath9k_pci_owl_loader to use the
same iowrite32 memory accessor that ath9k_pci is using
to communicate with the PCI(e) chip.

This will fix endian issues that came up during testing
with loaned AVM Fritz!Box 7360 (Lantiq MIPS SoCs + AR9287).

Fixes: 5a4f2040 ("ath9k: add loader for AR92XX (and older) pci(e)")
Signed-off-by: NChristian Lamparter <chunkeey@gmail.com>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

mwifiex_process_country_ie() function parse elements of bss
descriptor in beacon packet. When processing WLAN_EID_COUNTRY
element, there is no upper limit check for country_ie_len before
calling memcpy. The destination buffer domain_info->triplet is an
array of length MWIFIEX_MAX_TRIPLET_802_11D(83). The remote
attacker can build a fake AP with the same ssid as real AP, and
send malicous beacon packet with long WLAN_EID_COUNTRY elemen
(country_ie_len > 83). Attacker can  force STA connect to fake AP
on a different channel. When the victim STA connects to fake AP,
will trigger the heap buffer overflow. Fix this by checking for
length and if found invalid, don not connect to the AP.

This fix addresses CVE-2019-14895.
Reported-by: Nhuangwen <huangwenabc@gmail.com>
Signed-off-by: NGanapathi Bhat <gbhat@marvell.com>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

Commit 6570bc79 ("net: core: use listified Rx for GRO_NORMAL in
napi_gro_receive()") has applied batched GRO_NORMAL packets processing
to all napi_gro_receive() users, including mac80211-based drivers.

However, this change has led to a regression in iwlwifi driver [1][2] as
it is required for NAPI users to call napi_complete_done() or
napi_complete() and the end of every polling iteration, whilst iwlwifi
doesn't use NAPI scheduling at all and just calls napi_gro_flush().
In that particular case, packets which have not been already flushed
from napi->rx_list stall in it until at least next Rx cycle.

Fix this by adding a manual flushing of the list to iwlwifi driver right
before napi_gro_flush() call to mimic napi_complete() logics.

I prefer to open-code gro_normal_list() rather than exporting it for 2
reasons:
* to prevent from using it and napi_gro_flush() in any new drivers,
  as it is the *really* bad way to use NAPI that should be avoided;
* to keep gro_normal_list() static and don't lose any CC optimizations.

I also don't add the "Fixes:" tag as the mentioned commit was only a
trigger that only exposed an improper usage of NAPI in this particular
driver.

[1] https://lore.kernel.org/netdev/PSXP216MB04388962C411CD0B17A86F47804A0@PSXP216MB0438.KORP216.PROD.OUTLOOK.COM
[2] https://bugzilla.kernel.org/show_bug.cgi?id=205647Signed-off-by: NAlexander Lobakin <alobakin@dlink.ru>
Acked-by: NLuca Coelho <luciano.coelho@intel.com>
Reported-by: NNicholas Johnson <nicholas.johnson-opensource@outlook.com.au>
Tested-by: NNicholas Johnson <nicholas.johnson-opensource@outlook.com.au>
Reviewed-by: NEdward Cree <ecree@solarflare.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

When virt_wifi interface is created, virt_wifi_newlink() is called and
it calls register_netdevice().
if register_netdevice() fails, it internally would call
->priv_destructor(), which is virt_wifi_net_device_destructor() and
it frees netdev. but virt_wifi_newlink() still use netdev.
So, use-after-free would occur in virt_wifi_newlink().

Test commands:
    ip link add dummy0 type dummy
    modprobe bonding
    ip link add bonding_masters link dummy0 type virt_wifi

Splat looks like:
[  202.220554] BUG: KASAN: use-after-free in virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.221659] Read of size 8 at addr ffff888061629cb8 by task ip/852

[  202.222896] CPU: 1 PID: 852 Comm: ip Not tainted 5.4.0-rc5 #3
[  202.223765] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  202.225073] Call Trace:
[  202.225532]  dump_stack+0x7c/0xbb
[  202.226869]  print_address_description.constprop.5+0x1be/0x360
[  202.229362]  __kasan_report+0x12a/0x16f
[  202.230714]  kasan_report+0xe/0x20
[  202.232595]  virt_wifi_newlink+0x88b/0x9a0 [virt_wifi]
[  202.233370]  __rtnl_newlink+0xb9f/0x11b0
[  202.244909]  rtnl_newlink+0x65/0x90
[ ... ]

Cc: stable@vger.kernel.org
Fixes: c7cdba31 ("mac80211-next: rtnetlink wifi simulation device")
Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
Link: https://lore.kernel.org/r/20191121122645.9355-1-ap420073@gmail.com
[trim stack dump a bit]
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Adjust indentation from spaces to tab (+optional two spaces) as in
coding style.  This fixes various indentation mixups (seven spaces,
tab+one space, etc).
Signed-off-by: NKrzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The current ampdu locking code does not unlock its mutex in the early
return case. This patch fixes it.
Signed-off-by: NMarkus Theil <markus.theil@tu-ilmenau.de>
Acked-by: NFelix Fietkau <nbd@nbd.name>
Signed-off-by: NKalle Valo <kvalo@codeaurora.org>

Even if they are not currently used fix BK/BE endpoint definition order.

Fixes: b40b15e1 ("mt76: add usb support to mt76 layer")
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Parse configured {tx,rx} mask from eeprom data instead of just setting it
to four tx-rx streams
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Move mt76_get_antenna in mac80211.c in order to be reused by all
drivers. Initialize .get_antenna function pointer for mt76x0, mt7603,
mt7615 and mt76x2u drivers
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Fix possible out-of-bound access of status rates array in
mt7615_fill_txs/mt7603_fill_txs routines

Fixes: c5211e99 ("mt76: mt7603: rework and fix tx status reporting")
Fixes: 4af81f02 ("mt76: mt7615: sync with mt7603 rate control changes")
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

This reverts commit 34b0e9b7.

Since commit 7bd0650b ("mt76: dma: fix buffer unmap with non-linear skbs")
is no longer necessary to disable HW encryption for MT7630E.

Disabling HW encryption helped previously because somehow fragmented
skb's are not created if mac80211 encrypt frames, so buffer unmap bug
of non-linear skbs was not triggered. Now since this bug is properly
fixed by commit 7bd0650b ("mt76: dma: fix buffer unmap with
non-linear skbs") , we can enable HW encryption back.
Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
Acked-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Set switch_reason to CH_SWITCH_SCAN_BYPASS_DPD during frequency scanning
in order to disable radar pattern detector
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Move interface modes declaration in common code since now mt76
chipsets support all modes (NL80211_IFTYPE_STATION, NL80211_IFTYPE_AP,
NL80211_IFTYPE_MESH_POINT and NL80211_IFTYPE_ADHOC)
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Enable IFTYPE_ADHOC support on 7615 devices. The feature has been tested
using a mt76x2 device as wireless peer.
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Move SUPPORTS_REORDERING_BUFFER hw property configuration from chip
specific code to mt76_register_device since it is supported by all mt76
drivers
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Convert mt76_is_mmio and mt76_is_usb to rely on mt76_dev instead of
mt76x02_dev since this is a property not strictly related to hw chipset
and it will be more reusable
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Fixes gcc '-Wunused-but-set-variable' warning:

drivers/net/wireless/mediatek/mt76/dma.c: In function mt76_dma_rx_fill:
drivers/net/wireless/mediatek/mt76/dma.c:377:6: warning: variable idx set but not used [-Wunused-but-set-variable]

It is not used since commit 17f1de56 ("mt76:
add common code shared between multiple chipsets")
Reported-by: NHulk Robot <hulkci@huawei.com>
Signed-off-by: Nzhengbin <zhengbin13@huawei.com>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

rate controller and throughput are very sensitive to tx status timing.
In order to improve performances when the system is heavily loaded,
substitute stat_work delayed_work with a regular work_struct and create
a mt76u dedicated workqueue for tx status reporting
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

usb drivers are supposed to communicate using usb_interface instead
mt76x{0,2}u is now registering through usb_device. Fix it by passing
usb_intf device to mt76_alloc_device routine.

Fixes: 112f980a ("mt76usb: use usb_dev private data")
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Tested-By: NZero_Chaos <sidhayn@gmail.com>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

remove unneeded semicolon.
This is detected by coccinelle.
Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Since mt76x0 does not save the phy calibration data it is not necessary
to wait 350ms in mt76x0_phy_calibrate
Tested-by: NSid Hayn <sidhayn@gmail.com>
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Update ewma packet length in mt76x02u_tx_prepare_skb as it is
done for pci counterpart in order to properly estimate tx time on
current channel
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

It hasn't been used in a while
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Avoid dereferencing invalid ids
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Read busy counters not holding cc_lock spinlock since usb read can't be
performed in interrupt context. Move cc_active and cc_rx counters out of
cc_lock since they are not modified in interrupt context.
Grab cc_lock updating cur_cc_bss_rx in mt76_airtime_report and do not
hold rx_lock in mt76_update_survey.
Moreover grab mt76 mutex in mt76_get_survey before running
mt76_update_survey. This patch fixes the following 'schedule while
atomic'

[  291.790866] BUG: scheduling while atomic: iw/2161/0x00000202
[  291.791002] Preemption disabled at:
[  291.791007] [<0000000000000000>] 0x0
[  291.791015] CPU: 0 PID: 2161 Comm: iw Tainted: G W 5.4.= 0-rc2-3-ARCH-00104-g9e208aa0 #1
[  291.791017] Hardware name: LENOVO 2349QM6/2349QM6, BIOS G1ETC2WW (2.82=) 08/07/2019
[  291.791019] Call Trace:
[  291.791042]  dump_stack+0x5c/0x80
[  291.791049]  __schedule_bug.cold+0x8e/0x9b
[  291.791055]  __schedule+0x5f8/0x770
[  291.791062]  schedule+0x43/0xd0
[  291.791068]  schedule_preempt_disabled+0x14/0x20
[  291.791074]  __mutex_lock.isra.0+0x18a/0x530
[  291.791099]  mt76u_rr+0x1f/0x40 [mt76_usb]
[  291.791113]  mt76x02_update_channel+0x22/0x40 [mt76x02_lib]
[  291.791122]  mt76_update_survey+0x42/0xe0 [mt76]
[  291.791129]  mt76_get_survey+0x2f/0x1b0 [mt76]
[  291.791170]  ieee80211_dump_survey+0x5e/0x140 [mac80211]
[  291.791217]  nl80211_dump_survey+0x13c/0x2f0 [cfg80211]
[  291.791222]  ? __kmalloc_reserve.isra.0+0x2d/0x70
[  291.791225]  ? __alloc_skb+0x96/0x1d0
[  291.791229]  netlink_dump+0x17b/0x370
[  291.791247]  __netlink_dump_start+0x16f/0x1e0
[  291.791253]  genl_family_rcv_msg+0x396/0x410
[  291.791290]  ? nl80211_prepare_wdev_dump+0x1b0/0x1b0 [cfg80211]
[  291.791297]  ? _raw_spin_unlock_irqrestore+0x20/0x40
[  291.791312]  ? __wake_up_common_lock+0x8a/0xc0
[  291.791316]  genl_rcv_msg+0x47/0x90
[  291.791320]  ? genl_family_rcv_msg+0x410/0x410
[  291.791323]  netlink_rcv_skb+0x49/0x110
[  291.791329]  genl_rcv+0x24/0x40
[  291.791333]  netlink_unicast+0x171/0x200
[  291.791340]  netlink_sendmsg+0x208/0x3d0
[  291.791358]  sock_sendmsg+0x5e/0x60
[  291.791361]  ___sys_sendmsg+0x2ae/0x330
[  291.791368]  ? filemap_map_pages+0x272/0x390
[  291.791374]  ? _raw_spin_unlock+0x16/0x30
[  291.791379]  ? __handle_mm_fault+0x112f/0x1390
[  291.791388]  __sys_sendmsg+0x59/0xa0
[  291.791396]  do_syscall_64+0x5b/0x1a0
[  291.791400]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  291.791404] RIP: 0033:0x7f5d0c7f37b7
[  291.791418] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 0=
0 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 2e 00 00 00 0f 05=
 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 89 54 24 1c 48 89 74 24 10
[  291.791421] RSP: 002b:00007ffe8b5d0538 EFLAGS: 00000246 ORIG_RAX: 0000= 00000000002e
[  291.791426] RAX: ffffffffffffffda RBX: 000055a038e6c390 RCX: 00007f5d0= c7f37b7
[  291.791430] RDX: 0000000000000000 RSI: 00007ffe8b5d0570 RDI: 000000000= 0000003
[  291.791434] RBP: 000055a038e718c0 R08: 000055a038e6c02a R09: 000000000= 0000002
[  291.791438] R10: 000055a03808cb00 R11: 0000000000000246 R12: 000055a03= 8e71780
[  291.791440] R13: 00007ffe8b5d0570 R14: 000055a038e717d0 R15: 000055a03= 8e718c0
[  291.791480] NOHZ: local_softirq_pending 202

Fixes: 168aea24 ("mt76: mt76x02u: enable survey support")
Tested-by: NMarkus Theil <markus.theil@tu-ilmenau.de>
Signed-off-by: NLorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

mt76x0e driver only supports MAC addresses from
calibration data eeprom. Many routers however do not
have a valid stock address set in this field.

This patch makes it possible to take a MAC address
from OF (e.g. from mtd).
Signed-off-by: NPawel Dembicki <paweldembicki@gmail.com>
[adjusted for kernel submission]
Signed-off-by: NAdrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

if napi_complete() returns false, it means that polling is still pending.
Interrupts should not fire until the polling is no longer scheduled
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

Cancel the workqueue after the tid has been cleaned up, in order to
avoid a possible rescheduling from within the work function.
Signed-off-by: NFelix Fietkau <nbd@nbd.name>

A rcu read locked section is not allowed to sleep, and the rcu lock here
isn't actually necessary, because we're holding dev->mutex.
Fixes an issue when the tid work item is still running while freeing
a station or stopping the aggregation session
Signed-off-by: NFelix Fietkau <nbd@nbd.name>