7.1-stable patches master
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Jul 2026 13:53:34 +0000 (15:53 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 1 Jul 2026 13:53:34 +0000 (15:53 +0200)
added patches:
wifi-mt76-add-wcid-publish-check-in-mt76_sta_add.patch

queue-7.1/series
queue-7.1/wifi-mt76-add-wcid-publish-check-in-mt76_sta_add.patch [new file with mode: 0644]

index 3d5bec69ae8924c1cd191ea9345e457cf2aeaf52..3443ebc53d2278c69576b3e3fe511315cad6332c 100644 (file)
@@ -28,3 +28,4 @@ batman-adv-tvlv-avoid-race-of-cifsnotfound-handler-s.patch
 ipv6-account-for-fraggap-on-the-paged-allocation-path.patch
 ipv4-account-for-fraggap-on-the-paged-allocation-pat.patch
 ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch
+wifi-mt76-add-wcid-publish-check-in-mt76_sta_add.patch
diff --git a/queue-7.1/wifi-mt76-add-wcid-publish-check-in-mt76_sta_add.patch b/queue-7.1/wifi-mt76-add-wcid-publish-check-in-mt76_sta_add.patch
new file mode 100644 (file)
index 0000000..ab58c67
--- /dev/null
@@ -0,0 +1,68 @@
+From 20b126920a259df4d7dcae19fcfe2c57a74d6b2e Mon Sep 17 00:00:00 2001
+From: Jiajia Liu <liujiajia@kylinos.cn>
+Date: Thu, 28 May 2026 11:38:14 +0800
+Subject: wifi: mt76: add wcid publish check in mt76_sta_add
+
+From: Jiajia Liu <liujiajia@kylinos.cn>
+
+commit 20b126920a259df4d7dcae19fcfe2c57a74d6b2e upstream.
+
+Since mt7925_mac_sta_add publishes wcid, add publish check in mt76_sta_add
+to avoid reinitializing the wcid->poll_list.
+
+Found dev->sta_poll_list corruption when using mt7925 and 7.1-rc4.
+According to the corruption information, prev->next was changed to itself.
+
+wlan0: disconnect from AP 90:fb:5d:94:8b:e3 for new auth to 90:fb:5d:94:8b:e2
+wlan0: authenticate with 90:fb:5d:94:8b:e2 (local address=84:9e:56:9c:7e:6b)
+wlan0: send auth to 90:fb:5d:94:8b:e2 (try 1/3)
+ slab kmalloc-8k start ffff8c80958a6000 pointer offset 4160 size 8192
+list_add corruption. prev->next should be next (ffff8c808a7488f8), but was ffff8c80958a7040. (prev=ffff8c80958a7040).
+
+ mt76_wcid_add_poll+0x95/0xd0 [mt76]
+ mt7925_mac_add_txs.part.0+0xa5/0xe0 [mt7925_common]
+ mt7925_rx_check+0xa7/0xc0 [mt7925_common]
+ mt76_dma_rx_poll+0x50d/0x790 [mt76]
+ mt792x_poll_rx+0x52/0xe0 [mt792x_lib]
+
+Signed-off-by: Jiajia Liu <liujiajia@kylinos.cn>
+Link: https://patch.msgid.link/20260528033814.46418-1-liujiajia@kylinos.cn
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mac80211.c |   15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mac80211.c
++++ b/drivers/net/wireless/mediatek/mt76/mac80211.c
+@@ -1576,6 +1576,7 @@ mt76_sta_add(struct mt76_phy *phy, struc
+ {
+       struct mt76_wcid *wcid = (struct mt76_wcid *)sta->drv_priv;
+       struct mt76_dev *dev = phy->dev;
++      struct mt76_wcid *published;
+       int ret;
+       int i;
+@@ -1595,11 +1596,19 @@ mt76_sta_add(struct mt76_phy *phy, struc
+               mtxq->wcid = wcid->idx;
+       }
+-      ewma_signal_init(&wcid->rssi);
+-      rcu_assign_pointer(dev->wcid[wcid->idx], wcid);
++      published = rcu_dereference_protected(dev->wcid[wcid->idx],
++                                            lockdep_is_held(&dev->mutex));
++      if (published != wcid) {
++              WARN_ON_ONCE(published);
++              ewma_signal_init(&wcid->rssi);
++              rcu_assign_pointer(dev->wcid[wcid->idx], wcid);
++              mt76_wcid_init(wcid, phy->band_idx);
++      } else {
++              wcid->phy_idx = phy->band_idx;
++      }
++
+       phy->num_sta++;
+-      mt76_wcid_init(wcid, phy->band_idx);
+ out:
+       mutex_unlock(&dev->mutex);
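Review bot: In the `published != wcid` branch of the second inner hunk, `WARN_ON_ONCE(published)` only reports that a different wcid already occupies `dev->wcid[wcid->idx]`; the `rcu_assign_pointer()` that follows still replaces it. If the displaced entry is still linked on `dev->sta_poll_list` (not visible here), a stale list node is left behind, which is the same class of corruption the commit message describes. Consider failing the add in that case, e.g. `if (WARN_ON_ONCE(published)) { ret = -EEXIST; goto out; }`, keeping in mind that the driver's sta_add step (mt7925_mac_sta_add per the commit message) would presumably then need to be undone, and that code is outside the hunk. The `else` branch skips both `ewma_signal_init()` and `mt76_wcid_init()`, so it would benefit from a comment such as `/* wcid already published and initialized by the driver's sta_add; only update phy_idx */`. mt76_sta_add starts and ends outside the hunk.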