--- /dev/null
+From 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 9 Dec 2021 12:04:56 +0000
+Subject: firmware: arm_scpi: Fix string overflow in SCPI genpd driver
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 upstream.
+
+Without the bound checks for scpi_pd->name, it could result in the buffer
+overflow when copying the SCPI device name from the corresponding device
+tree node as the name string is set at maximum size of 30.
+
+Let us fix it by using devm_kasprintf so that the string buffer is
+allocated dynamically.
+
+Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd")
+Reported-by: Pedro Batista <pedbap.g@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Cc: stable@vger.kernel.org
+Cc: Cristian Marussi <cristian.marussi@arm.com>
+Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com'
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/scpi_pm_domain.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/scpi_pm_domain.c
++++ b/drivers/firmware/scpi_pm_domain.c
+@@ -16,7 +16,6 @@ struct scpi_pm_domain {
+ struct generic_pm_domain genpd;
+ struct scpi_ops *ops;
+ u32 domain;
+- char name[30];
+ };
+
+ /*
+@@ -110,8 +109,13 @@ static int scpi_pm_domain_probe(struct p
+
+ scpi_pd->domain = i;
+ scpi_pd->ops = scpi_ops;
+- sprintf(scpi_pd->name, "%pOFn.%d", np, i);
+- scpi_pd->genpd.name = scpi_pd->name;
++ scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL,
++ "%pOFn.%d", np, i);
++ if (!scpi_pd->genpd.name) {
++ dev_err(dev, "Failed to allocate genpd name:%pOFn.%d\n",
++ np, i);
++ continue;
++ }
+ scpi_pd->genpd.power_off = scpi_pd_power_off;
+ scpi_pd->genpd.power_on = scpi_pd_power_on;
+
--- /dev/null
+From db7205af049d230e7e0abf61c1e74c1aab40f390 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 29 Nov 2021 15:32:39 +0200
+Subject: mac80211: mark TX-during-stop for TX in in_reconfig
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit db7205af049d230e7e0abf61c1e74c1aab40f390 upstream.
+
+Mark TXQs as having seen transmit while they were stopped if
+we bail out of drv_wake_tx_queue() due to reconfig, so that
+the queue wake after this will make them catch up. This is
+particularly necessary for when TXQs are used for management
+packets since those TXQs won't see a lot of traffic that'd
+make them catch up later.
+
+Cc: stable@vger.kernel.org
+Fixes: 4856bfd23098 ("mac80211: do not call driver wake_tx_queue op during reconfig")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211129152938.4573a221c0e1.I0d1d5daea3089be3fc0dccc92991b0f8c5677f0c@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/driver-ops.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/driver-ops.h
++++ b/net/mac80211/driver-ops.h
+@@ -1202,8 +1202,11 @@ static inline void drv_wake_tx_queue(str
+ {
+ struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
+
+- if (local->in_reconfig)
++ /* In reconfig don't transmit now, but mark for waking later */
++ if (local->in_reconfig) {
++ set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txq->flags);
+ return;
++ }
+
+ if (!check_sdata_in_driver(sdata))
+ return;
--- /dev/null
+From 1fe98f5690c4219d419ea9cc190f94b3401cf324 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 2 Dec 2021 13:45:33 +0100
+Subject: mac80211: send ADDBA requests using the tid/queue of the aggregation session
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 1fe98f5690c4219d419ea9cc190f94b3401cf324 upstream.
+
+Sending them out on a different queue can cause a race condition where a
+number of packets in the queue may be discarded by the receiver, because
+the ADDBA request is sent too early.
+This affects any driver with software A-MPDU setup which does not allocate
+packet seqno in hardware on tx, regardless of whether iTXQ is used or not.
+The only driver I've seen that explicitly deals with this issue internally
+is mwl8k.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20211202124533.80388-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/agg-tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -106,7 +106,7 @@ static void ieee80211_send_addba_request
+ mgmt->u.action.u.addba_req.start_seq_num =
+ cpu_to_le16(start_seq_num << 4);
+
+- ieee80211_tx_skb(sdata, skb);
++ ieee80211_tx_skb_tid(sdata, skb, tid);
+ }
+
+ void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
kvm-selftests-make-sure-kvm_create_max_vcpus-test-wo.patch
+mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
+mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
+firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
