From: Greg Kroah-Hartman Date: Sun, 24 Aug 2025 07:14:36 +0000 (+0200) Subject: 6.1-stable patches X-Git-Tag: v5.4.297~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c834ac9ab424ba77cdb8e606fd095f5cf44b1b77;p=thirdparty%2Fkernel%2Fstable-queue.git 6.1-stable patches added patches: wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch --- diff --git a/queue-6.1/series b/queue-6.1/series index e11577c831..9caadd41bb 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -440,3 +440,5 @@ mmc-sdhci-pci-gli-gl9763e-mask-the-replay-timer-timeout-of-aer.patch mm-memory-failure-fix-infinite-uce-for-vm_pfnmap-pfn.patch drm-amd-display-don-t-overclock-dce-6-by-15.patch selftests-mptcp-pm-check-flush-doesn-t-reset-limits.patch +wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch +wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch diff --git a/queue-6.1/wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch b/queue-6.1/wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch new file mode 100644 index 0000000000..f3c3eb3e1e --- /dev/null +++ b/queue-6.1/wifi-mac80211-avoid-lockdep-checking-when-removing-deflink.patch @@ -0,0 +1,39 @@ +From b8b80770b26c4591f20f1cde3328e5f1489c4488 Mon Sep 17 00:00:00 2001 +From: Benjamin Berg +Date: Mon, 19 Jun 2023 16:26:50 +0300 +Subject: wifi: mac80211: avoid lockdep checking when removing deflink + +From: Benjamin Berg + +commit b8b80770b26c4591f20f1cde3328e5f1489c4488 upstream. + +struct sta_info may be removed without holding sta_mtx if it has not +yet been inserted. To support this, only assert that the lock is held +for links other than the deflink. + +This fixes lockdep issues that may be triggered in error cases. + +Signed-off-by: Benjamin Berg +Signed-off-by: Gregory Greenman +Link: https://lore.kernel.org/r/20230619161906.cdd81377dea0.If5a6734b4b85608a2275a09b4f99b5564d82997f@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Hanne-Lotta Mäenpää +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/sta_info.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -357,8 +357,9 @@ static void sta_remove_link(struct sta_i + struct sta_link_alloc *alloc = NULL; + struct link_sta_info *link_sta; + +- link_sta = rcu_dereference_protected(sta->link[link_id], +- lockdep_is_held(&sta->local->sta_mtx)); ++ link_sta = rcu_access_pointer(sta->link[link_id]); ++ if (link_sta != &sta->deflink) ++ lockdep_assert_held(&sta->local->sta_mtx); + + if (WARN_ON(!link_sta)) + return; diff --git a/queue-6.1/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch b/queue-6.1/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch new file mode 100644 index 0000000000..4aa48ae0eb --- /dev/null +++ b/queue-6.1/wifi-mac80211-check-basic-rates-validity-in-sta_link_apply_parameters.patch @@ -0,0 +1,61 @@ +From 16ee3ea8faef8ff042acc15867a6c458c573de61 Mon Sep 17 00:00:00 2001 +From: Mikhail Lobanov +Date: Mon, 17 Mar 2025 13:31:37 +0300 +Subject: wifi: mac80211: check basic rates validity in sta_link_apply_parameters + +From: Mikhail Lobanov + +commit 16ee3ea8faef8ff042acc15867a6c458c573de61 upstream. + +When userspace sets supported rates for a new station via +NL80211_CMD_NEW_STATION, it might send a list that's empty +or contains only invalid values. Currently, we process these +values in sta_link_apply_parameters() without checking the result of +ieee80211_parse_bitrates(), which can lead to an empty rates bitmap. + +A similar issue was addressed for NL80211_CMD_SET_BSS in commit +ce04abc3fcc6 ("wifi: mac80211: check basic rates validity"). +This patch applies the same approach in sta_link_apply_parameters() +for NL80211_CMD_NEW_STATION, ensuring there is at least one valid +rate by inspecting the result of ieee80211_parse_bitrates(). + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: b95eb7f0eee4 ("wifi: cfg80211/mac80211: separate link params from station params") +Signed-off-by: Mikhail Lobanov +Link: https://patch.msgid.link/20250317103139.17625-1-m.lobanov@rosa.ru +Signed-off-by: Johannes Berg +[ Summary of conflict resolutions: + - The function ieee80211_parse_bitrates() takes channel width as + its first parameter, and the chandef struct has been refactored + in kernel version 6.9, in commit + 6092077ad09ce880c61735c314060f0bd79ae4aa so that the width is + contained in chanreq.oper.width. In kernel version 6.1 the + width parameter is defined directly in the chandef struct. ] +Signed-off-by: Hanne-Lotta Mäenpää +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/cfg.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1735,12 +1735,12 @@ static int sta_link_apply_parameters(str + } + + if (params->supported_rates && +- params->supported_rates_len) { +- ieee80211_parse_bitrates(link->conf->chandef.width, +- sband, params->supported_rates, +- params->supported_rates_len, +- &link_sta->pub->supp_rates[sband->band]); +- } ++ params->supported_rates_len && ++ !ieee80211_parse_bitrates(link->conf->chandef.width, ++ sband, params->supported_rates, ++ params->supported_rates_len, ++ &link_sta->pub->supp_rates[sband->band])) ++ return -EINVAL; + + if (params->ht_capa) + ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband,