From 8704fee09eadb945a49ce5cedc2cb2d506a50b9c Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Wed, 15 Apr 2026 09:46:56 -0400 Subject: [PATCH] drop 1 patch from queue-5.15 and queue-5.10 based on RC review feedback MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Dropped patches: - "wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down" Queues: 5.15, 5.10 Reason: deadlock — cancel_work_sync(&wdev->pmsr_free_wk) called while holding wdev->mtx, but the work function cfg80211_pmsr_free_wk() also acquires wdev->mtx via wdev_lock(). The locking model differs between 5.10/5.15 (wdev mutex) and mainline (wiphy lock), making this backport unsafe. Report: https://lore.kernel.org/stable/db073c5606570f9dc898275785583a7d32031294.camel@decadent.org.uk/ --- queue-5.10/series | 1 - ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 ------------------- queue-5.15/series | 1 - ...ncel-pmsr_free_wk-in-cfg80211_pmsr_w.patch | 51 ------------------- 4 files changed, 104 deletions(-) delete mode 100644 queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch delete mode 100644 queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch diff --git a/queue-5.10/series b/queue-5.10/series index b5d28df026..551a46b794 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -191,7 +191,6 @@ smb-client-compare-macs-in-constant-time.patch net-tcp-md5-fix-mac-comparison-to-be-constant-time.patch staging-rtl8723bs-fix-null-dereference-in-find_network.patch soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch -wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch bluetooth-le-l2cap-disconnect-if-sum-of-payload-size.patch bluetooth-smp-make-sm-per-kdu-bi-04-c-happy.patch diff --git a/queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch deleted file mode 100644 index f116c56cf9..0000000000 --- a/queue-5.10/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 977d9797a52ca13070255a1410548206c5872985 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 5 Mar 2026 21:36:59 +0530 -Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down - -From: Peddolla Harshavardhan Reddy - -[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ] - -When the nl80211 socket that originated a PMSR request is -closed, cfg80211_release_pmsr() sets the request's nl_portid -to zero and schedules pmsr_free_wk to process the abort -asynchronously. If the interface is concurrently torn down -before that work runs, cfg80211_pmsr_wdev_down() calls -cfg80211_pmsr_process_abort() directly. However, the already- -scheduled pmsr_free_wk work item remains pending and may run -after the interface has been removed from the driver. This -could cause the driver's abort_pmsr callback to operate on a -torn-down interface, leading to undefined behavior and -potential crashes. - -Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() -before calling cfg80211_pmsr_process_abort(). This ensures any -pending or in-progress work is drained before interface teardown -proceeds, preventing the work from invoking the driver abort -callback after the interface is gone. - -Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") -Signed-off-by: Peddolla Harshavardhan Reddy -Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/wireless/pmsr.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c -index 7503c7dd71ab5..32cea07b98fd1 100644 ---- a/net/wireless/pmsr.c -+++ b/net/wireless/pmsr.c -@@ -620,6 +620,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) - } - spin_unlock_bh(&wdev->pmsr_lock); - -+ cancel_work_sync(&wdev->pmsr_free_wk); - if (found) - cfg80211_pmsr_process_abort(wdev); - --- -2.51.0 - diff --git a/queue-5.15/series b/queue-5.15/series index aab2db463d..0e63f9690d 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -234,7 +234,6 @@ batman-adv-avoid-ogm-aggregation-when-skb-tailroom-is-insufficient.patch btrfs-tree-checker-fix-misleading-root-drop_level-er.patch soc-fsl-qbman-fix-race-condition-in-qman_destroy_fq.patch wifi-mac80211-fix-static_branch_dec-underflow-for-aq.patch -wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch of-add-cleanup.h-based-auto-release-via-__free-devic.patch firmware-arm_scpi-fix-device_node-reference-leak-in-.patch bluetooth-le-l2cap-disconnect-if-received-packet-s-s.patch diff --git a/queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch b/queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch deleted file mode 100644 index 3aeb67d8ae..0000000000 --- a/queue-5.15/wifi-cfg80211-cancel-pmsr_free_wk-in-cfg80211_pmsr_w.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 207026b86ae5c8a0e40ea5a7bcce8527742803c1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 5 Mar 2026 21:36:59 +0530 -Subject: wifi: cfg80211: cancel pmsr_free_wk in cfg80211_pmsr_wdev_down - -From: Peddolla Harshavardhan Reddy - -[ Upstream commit 6dccbc9f3e1d38565dff7730d2b7d1e8b16c9b09 ] - -When the nl80211 socket that originated a PMSR request is -closed, cfg80211_release_pmsr() sets the request's nl_portid -to zero and schedules pmsr_free_wk to process the abort -asynchronously. If the interface is concurrently torn down -before that work runs, cfg80211_pmsr_wdev_down() calls -cfg80211_pmsr_process_abort() directly. However, the already- -scheduled pmsr_free_wk work item remains pending and may run -after the interface has been removed from the driver. This -could cause the driver's abort_pmsr callback to operate on a -torn-down interface, leading to undefined behavior and -potential crashes. - -Cancel pmsr_free_wk synchronously in cfg80211_pmsr_wdev_down() -before calling cfg80211_pmsr_process_abort(). This ensures any -pending or in-progress work is drained before interface teardown -proceeds, preventing the work from invoking the driver abort -callback after the interface is gone. - -Fixes: 9bb7e0f24e7e ("cfg80211: add peer measurement with FTM initiator API") -Signed-off-by: Peddolla Harshavardhan Reddy -Link: https://patch.msgid.link/20260305160712.1263829-3-peddolla.reddy@oss.qualcomm.com -Signed-off-by: Johannes Berg -Signed-off-by: Sasha Levin ---- - net/wireless/pmsr.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/wireless/pmsr.c b/net/wireless/pmsr.c -index 65fa39275f73f..92c62d36e9525 100644 ---- a/net/wireless/pmsr.c -+++ b/net/wireless/pmsr.c -@@ -642,6 +642,7 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) - } - spin_unlock_bh(&wdev->pmsr_lock); - -+ cancel_work_sync(&wdev->pmsr_free_wk); - if (found) - cfg80211_pmsr_process_abort(wdev); - --- -2.51.0 - -- 2.47.3