LinuxKPI: 802.11: fix ieee80211_schedule_txq() to avoid rtw89 panic

rtw89 TX path was faulting in linuxkpi_ieee80211_next_txq() due to a
"double scheduling" check in linuxkpI_ieee80211_schedule_txq() being
incorrect:
the next pointer may be NULL there if the element is the last in the
tailq, so correctly check tqe_prev.  Without the fix we may have queued
the same element to the tailq twice, and because it was the last element
and had a NULL tqe_next, that NULL value would get propogated into
another node's tqe_prev on removal, and other such nastiness.

With this rtw89 no longer panics.

Reviewed by:	bz
MFC after:	3 days
Differential Revision: https://reviews.freebsd.org/D47006

1 files changed, 6 insertions, 2 deletions

diff --git a/sys/compat/linuxkpi/common/src/linux_80211.c b/sys/compat/linuxkpi/common/src/linux_80211.c
index ae765cda5781..4171f0789977 100644
--- a/sys/compat/linuxkpi/common/src/linux_80211.c
+++ b/sys/compat/linuxkpi/common/src/linux_80211.c
@@ -6074,8 +6074,12 @@ void linuxkpi_ieee80211_schedule_txq(struct ieee80211_hw *hw,
 	if (!withoutpkts && ltxq_empty)
 		goto out;
 
-	/* Make sure we do not double-schedule. */
-	if (ltxq->txq_entry.tqe_next != NULL)
+	/*
+	 * Make sure we do not double-schedule. We do this by checking tqe_prev,
+	 * the previous entry in our tailq. tqe_prev is always valid if this entry
+	 * is queued, tqe_next may be NULL if this is the only element in the list.
+	 */
+	if (ltxq->txq_entry.tqe_prev != NULL)
 		goto out;
 
 	lhw = HW_TO_LHW(hw);