6.1-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Aug 2025 07:14:36 +0000 (09:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 24 Aug 2025 07:14:36 +0000 (09:14 +0200)
added patches:
wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch
wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch

queue-6.1/series
queue-6.1/wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch [new file with mode: 0644]
queue-6.1/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch [new file with mode: 0644]

index e11577c83136da48bd305a4f4d912f2d36c214b0..9caadd41bb9b2efb5eab330250750bd2013e82a4 100644 (file)
@@ -440,3 +440,5 @@ mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch
 mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch
 drm-amd-display-don-t-overclock-dce-6-by-15.patch
 selftests-mptcp-pm-check-flush-doesn-t-reset-limits.patch
+wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch
+wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch
diff --git a/queue-6.1/wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch b/queue-6.1/wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch
new file mode 100644 (file)
index 0000000..f3c3eb3
--- /dev/null
@@ -0,0 +1,39 @@
+From b8b80770b26c4591f20f1cde3328e5f1489c4488 Mon Sep 17 00:00:00 2001
+From: Benjamin Berg <benjamin.berg@intel.com>
+Date: Mon, 19 Jun 2023 16:26:50 +0300
+Subject: wifi: mac80211: avoid lockdep checking when removing deflink
+
+From: Benjamin Berg <benjamin.berg@intel.com>
+
+commit b8b80770b26c4591f20f1cde3328e5f1489c4488 upstream.
+
+struct sta_info may be removed without holding sta_mtx if it has not
+yet been inserted. To support this, only assert that the lock is held
+for links other than the deflink.
+
+This fixes lockdep issues that may be triggered in error cases.
+
+Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
+Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
+Link: https://lore.kernel.org/r/20230619161906.cdd81377dea0.If5a6734b4b85608a2275a09b4f99b5564d82997f@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Hanne-Lotta Mäenpää <hannelotta@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/sta_info.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -357,8 +357,9 @@ static void sta_remove_link(struct sta_i
+       struct sta_link_alloc *alloc = NULL;
+       struct link_sta_info *link_sta;
+-      link_sta = rcu_dereference_protected(sta->link[link_id],
+-                                           lockdep_is_held(&sta->local->sta_mtx));
++      link_sta = rcu_access_pointer(sta->link[link_id]);
++      if (link_sta != &sta->deflink)
++              lockdep_assert_held(&sta->local->sta_mtx);
+       if (WARN_ON(!link_sta))
+               return;
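Review bot: The new `if (link_sta != &sta->deflink)` exemption in sta_remove_link() has no comment, so the locking rule it encodes can only be recovered from the commit message. A comment above it such as `/* deflink can be torn down before the sta is inserted, when sta_mtx is not held */` would keep a later cleanup from restoring the unconditional assertion or widening the exemption. Because `rcu_access_pointer()` does no lockdep checking of its own, the `lockdep_assert_held()` line is now the only lock check on the non-deflink path. The function body continues outside the hunk.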
diff --git a/queue-6.1/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch b/queue-6.1/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch
new file mode 100644 (file)
index 0000000..4aa48ae
--- /dev/null
@@ -0,0 +1,61 @@
+From 16ee3ea8faef8ff042acc15867a6c458c573de61 Mon Sep 17 00:00:00 2001
+From: Mikhail Lobanov <m.lobanov@rosa.ru>
+Date: Mon, 17 Mar 2025 13:31:37 +0300
+Subject: wifi: mac80211: check basic rates validity in sta_link_apply_parameters
+
+From: Mikhail Lobanov <m.lobanov@rosa.ru>
+
+commit 16ee3ea8faef8ff042acc15867a6c458c573de61 upstream.
+
+When userspace sets supported rates for a new station via
+NL80211_CMD_NEW_STATION, it might send a list that's empty
+or contains only invalid values. Currently, we process these
+values in sta_link_apply_parameters() without checking the result of
+ieee80211_parse_bitrates(), which can lead to an empty rates bitmap.
+
+A similar issue was addressed for NL80211_CMD_SET_BSS in commit
+ce04abc3fcc6 ("wifi: mac80211: check basic rates validity").
+This patch applies the same approach in sta_link_apply_parameters()
+for NL80211_CMD_NEW_STATION, ensuring there is at least one valid
+rate by inspecting the result of ieee80211_parse_bitrates().
+
+Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
+
+Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params")
+Signed-off-by: Mikhail Lobanov <m.lobanov@rosa.ru>
+Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[ Summary of conflict resolutions:
+  - The function ieee80211_parse_bitrates() takes channel width as
+    its first parameter, and the chandef struct has been refactored
+    in kernel version 6.9, in commit
+    6092077ad09ce880c61735c314060f0bd79ae4aa so that the width is
+    contained in chanreq.oper.width. In kernel version 6.1 the
+    width parameter is defined directly in the chandef struct. ]
+Signed-off-by: Hanne-Lotta Mäenpää <hannelotta@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/cfg.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1735,12 +1735,12 @@ static int sta_link_apply_parameters(str
+       }
+       if (params->supported_rates &&
+-          params->supported_rates_len) {
+-              ieee80211_parse_bitrates(link->conf->chandef.width,
+-                                       sband, params->supported_rates,
+-                                       params->supported_rates_len,
+-                                       &link_sta->pub->supp_rates[sband->band]);
+-      }
++          params->supported_rates_len &&
++          !ieee80211_parse_bitrates(link->conf->chandef.width,
++                                    sband, params->supported_rates,
++                                    params->supported_rates_len,
++                                    &link_sta->pub->supp_rates[sband->band]))
++              return -EINVAL;
+       if (params->ht_capa)
+               ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,
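Review bot: The `-EINVAL` path added in sta_link_apply_parameters() returns after ieee80211_parse_bitrates() has already been handed `&link_sta->pub->supp_rates[sband->band]` as its output, so whatever the parser wrote there stays in place when the request is rejected. The parser body is not on this page; if it clears the bitmap before counting valid rates, a rejected request still leaves the empty bitmap that the commit message describes as the problem. That matters on any path where the station survives the error. Parsing into a local (`u32 rates;`, passing `&rates`) and assigning `link_sta->pub->supp_rates[sband->band] = rates;` only when the count is non-zero would keep the rejection free of side effects. The function starts and ends outside the hunk.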