From cf218a55eee790253c3ba62c916f949cd8536148 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 21 Mar 2022 10:15:45 +0100 Subject: [PATCH] 5.16-stable patches added patches: arm64-errata-avoid-duplicate-field-initializer.patch input-aiptek-properly-check-endpoint-type.patch perf-symbols-fix-symbol-size-calculation-condition.patch revert-arm64-dts-freescale-fix-interrupt-map-parent-address-cells.patch revert-ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel.patch --- ...ta-avoid-duplicate-field-initializer.patch | 49 ++++++ ...-aiptek-properly-check-endpoint-type.patch | 63 +++++++ ...ix-symbol-size-calculation-condition.patch | 71 ++++++++ ...x-interrupt-map-parent-address-cells.patch | 162 ++++++++++++++++++ ...sponse-which-leak-from-other-channel.patch | 69 ++++++++ queue-5.16/series | 5 + 6 files changed, 419 insertions(+) create mode 100644 queue-5.16/arm64-errata-avoid-duplicate-field-initializer.patch create mode 100644 queue-5.16/input-aiptek-properly-check-endpoint-type.patch create mode 100644 queue-5.16/perf-symbols-fix-symbol-size-calculation-condition.patch create mode 100644 queue-5.16/revert-arm64-dts-freescale-fix-interrupt-map-parent-address-cells.patch create mode 100644 queue-5.16/revert-ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel.patch
diff --git a/queue-5.16/arm64-errata-avoid-duplicate-field-initializer.patch b/queue-5.16/arm64-errata-avoid-duplicate-field-initializer.patch
new file mode 100644
index 00000000000..a1e1a55c5e6
--- /dev/null
+++ b/queue-5.16/arm64-errata-avoid-duplicate-field-initializer.patch
@@ -0,0 +1,49 @@
+From 316e46f65a5497839857db08b6fbf60f568b165a Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann
+Date: Wed, 16 Mar 2022 19:37:45 +0100
+Subject: arm64: errata: avoid duplicate field initializer
+
+From: Arnd Bergmann
+
+commit 316e46f65a5497839857db08b6fbf60f568b165a upstream.
+
+The '.type' field is initialized both in place and in the macro
+as reported by this W=1 warning:
+
+arch/arm64/include/asm/cpufeature.h:281:9: error: initialized field overwritten [-Werror=override-init]
+ 281 | (ARM64_CPUCAP_SCOPE_LOCAL_CPU | ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU)
+ | ^
+arch/arm64/kernel/cpu_errata.c:136:17: note: in expansion of macro 'ARM64_CPUCAP_LOCAL_CPU_ERRATUM'
+ 136 | .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM, \
+ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+arch/arm64/kernel/cpu_errata.c:145:9: note: in expansion of macro 'ERRATA_MIDR_RANGE'
+ 145 | ERRATA_MIDR_RANGE(m, var, r_min, var, r_max)
+ | ^~~~~~~~~~~~~~~~~
+arch/arm64/kernel/cpu_errata.c:613:17: note: in expansion of macro 'ERRATA_MIDR_REV_RANGE'
+ 613 | ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A510, 0, 0, 2),
+ | ^~~~~~~~~~~~~~~~~~~~~
+arch/arm64/include/asm/cpufeature.h:281:9: note: (near initialization for 'arm64_errata[18].type')
+ 281 | (ARM64_CPUCAP_SCOPE_LOCAL_CPU | ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU)
+ | ^
+
+Remove the extranous initializer.
+
+Signed-off-by: Arnd Bergmann
+Fixes: 1dd498e5e26a ("KVM: arm64: Workaround Cortex-A510's single-step and PAC trap errata")
+Link: https://lore.kernel.org/r/20220316183800.1546731-1-arnd@kernel.org
+Signed-off-by: Catalin Marinas
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/kernel/cpu_errata.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/arch/arm64/kernel/cpu_errata.c
++++ b/arch/arm64/kernel/cpu_errata.c
+@@ -611,7 +611,6 @@ const struct arm64_cpu_capabilities arm6
+ {
+ .desc = "ARM erratum 2077057",
+ .capability = ARM64_WORKAROUND_2077057,
+- .type = ARM64_CPUCAP_LOCAL_CPU_ERRATUM,
+ ERRATA_MIDR_REV_RANGE(MIDR_CORTEX_A510, 0, 0, 2),
+ },
+ #endif
diff --git a/queue-5.16/input-aiptek-properly-check-endpoint-type.patch b/queue-5.16/input-aiptek-properly-check-endpoint-type.patch
new file mode 100644
index 00000000000..420a57e1dff
--- /dev/null
+++ b/queue-5.16/input-aiptek-properly-check-endpoint-type.patch
@@ -0,0 +1,63 @@
+From 5600f6986628dde8881734090588474f54a540a8 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin
+Date: Sun, 13 Mar 2022 22:56:32 -0700
+Subject: Input: aiptek - properly check endpoint type
+
+From: Pavel Skripkin
+
+commit 5600f6986628dde8881734090588474f54a540a8 upstream.
+
+Syzbot reported warning in usb_submit_urb() which is caused by wrong
+endpoint type. There was a check for the number of endpoints, but not
+for the type of endpoint.
+
+Fix it by replacing old desc.bNumEndpoints check with
+usb_find_common_endpoints() helper for finding endpoints
+
+Fail log:
+
+usb 5-1: BOGUS urb xfer, pipe 1 != type 3
+WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
+Modules linked in:
+CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
+Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+Workqueue: usb_hub_wq hub_event
+...
+Call Trace:
+
+ aiptek_open+0xd5/0x130 drivers/input/tablet/aiptek.c:830
+ input_open_device+0x1bb/0x320 drivers/input/input.c:629
+ kbd_connect+0xfe/0x160 drivers/tty/vt/keyboard.c:1593
+
+Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints")
+Reported-and-tested-by: syzbot+75cccf2b7da87fb6f84b@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin
+Link: https://lore.kernel.org/r/20220308194328.26220-1-paskripkin@gmail.com
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/input/tablet/aiptek.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/input/tablet/aiptek.c
++++ b/drivers/input/tablet/aiptek.c
+@@ -1787,15 +1787,13 @@ aiptek_probe(struct usb_interface *intf,
+ input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
+ input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
+
+- /* Verify that a device really has an endpoint */
+- if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
++ err = usb_find_common_endpoints(intf->cur_altsetting,
++ NULL, NULL, &endpoint, NULL);
++ if (err) {
+ dev_err(&intf->dev,
+- "interface has %d endpoints, but must have minimum 1\n",
+- intf->cur_altsetting->desc.bNumEndpoints);
+- err = -EINVAL;
++ "interface has no int in endpoints, but must have minimum 1\n");
+ goto fail3;
+ }
+- endpoint = &intf->cur_altsetting->endpoint[0].desc;
+
+ /* Go set up our URB, which is called when the tablet receives
+ * input.
diff --git a/queue-5.16/perf-symbols-fix-symbol-size-calculation-condition.patch b/queue-5.16/perf-symbols-fix-symbol-size-calculation-condition.patch
new file mode 100644
index 00000000000..9bca6c75fcd
--- /dev/null
+++ b/queue-5.16/perf-symbols-fix-symbol-size-calculation-condition.patch
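Review bot: The endpoint check added to aiptek_probe() in drivers/input/tablet/aiptek.c is left without a comment: the old `/* Verify that a device really has an endpoint */` is removed and nothing explains the new `usb_find_common_endpoints()` call. The endpoint descriptors are supplied by the attached device, and the syzbot log in the description shows the result when the first endpoint is not an interrupt-IN one, so a comment such as `/* Descriptors are device-controlled: require an interrupt-IN endpoint before the URB is filled in */` would keep that reasoning next to the check. The message `"interface has no int in endpoints, but must have minimum 1\n"` is hard to parse and would read better as `"interface has no interrupt-IN endpoint\n"`. The failure code is now whatever the helper returns rather than the previous `-EINVAL`, which deserves a line in the description. aiptek_probe() starts and ends outside the hunk.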
@@ -0,0 +1,71 @@
+From 3cf6a32f3f2a45944dd5be5c6ac4deb46bcd3bee Mon Sep 17 00:00:00 2001
+From: Michael Petlan
+Date: Thu, 17 Mar 2022 14:55:36 +0100
+Subject: perf symbols: Fix symbol size calculation condition
+
+From: Michael Petlan
+
+commit 3cf6a32f3f2a45944dd5be5c6ac4deb46bcd3bee upstream.
+
+Before this patch, the symbol end address fixup to be called, needed two
+conditions being met:
+
+ if (prev->end == prev->start && prev->end != curr->start)
+
+Where
+ "prev->end == prev->start" means that prev is zero-long
+ (and thus needs a fixup)
+and
+ "prev->end != curr->start" means that fixup hasn't been applied yet
+
+However, this logic is incorrect in the following situation:
+
+*curr = {rb_node = {__rb_parent_color = 278218928,
+ rb_right = 0x0, rb_left = 0x0},
+ start = 0xc000000000062354,
+ end = 0xc000000000062354, namelen = 40, type = 2 '\002',
+ binding = 0 '\000', idle = 0 '\000', ignore = 0 '\000',
+ inlined = 0 '\000', arch_sym = 0 '\000', annotate2 = false,
+ name = 0x1159739e "kprobe_optinsn_page\t[__builtin__kprobes]"}
+
+*prev = {rb_node = {__rb_parent_color = 278219041,
+ rb_right = 0x109548b0, rb_left = 0x109547c0},
+ start = 0xc000000000062354,
+ end = 0xc000000000062354, namelen = 12, type = 2 '\002',
+ binding = 1 '\001', idle = 0 '\000', ignore = 0 '\000',
+ inlined = 0 '\000', arch_sym = 0 '\000', annotate2 = false,
+ name = 0x1095486e "optinsn_slot"}
+
+In this case, prev->start == prev->end == curr->start == curr->end,
+thus the condition above thinks that "we need a fixup due to zero
+length of prev symbol, but it has been probably done, since the
+prev->end == curr->start", which is wrong.
+
+After the patch, the execution path proceeds to arch__symbols__fixup_end
+function which fixes up the size of prev symbol by adding page_size to
+its end offset.
+
+Fixes: 3b01a413c196c910 ("perf symbols: Improve kallsyms symbol end addr calculation")
+Signed-off-by: Michael Petlan
+Cc: Athira Jajeev
+Cc: Jiri Olsa
+Cc: Kajol Jain
+Cc: Madhavan Srinivasan
+Link: http://lore.kernel.org/lkml/20220317135536.805-1-mpetlan@redhat.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/util/symbol.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/util/symbol.c
++++ b/tools/perf/util/symbol.c
+@@ -231,7 +231,7 @@ void symbols__fixup_end(struct rb_root_c
+ prev = curr;
+ curr = rb_entry(nd, struct symbol, rb_node);
+
+- if (prev->end == prev->start && prev->end != curr->start)
++ if (prev->end == prev->start || prev->end != curr->start)
+ arch__symbols__fixup_end(prev, curr);
+ }
+
diff --git a/queue-5.16/revert-arm64-dts-freescale-fix-interrupt-map-parent-address-cells.patch b/queue-5.16/revert-arm64-dts-freescale-fix-interrupt-map-parent-address-cells.patch
new file mode 100644
index 00000000000..a3d5ba2b1c0
--- /dev/null
+++ b/queue-5.16/revert-arm64-dts-freescale-fix-interrupt-map-parent-address-cells.patch
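Review bot: In symbols__fixup_end() (tools/perf/util/symbol.c) the new condition `prev->end == prev->start || prev->end != curr->start` is also true for every symbol that already has a non-zero size but does not end exactly where the next one starts. The situation in the description (prev->start == prev->end == curr->start) is covered by the first operand alone; the second operand now routes sized symbols followed by a gap into arch__symbols__fixup_end(), whose body is not in the hunk, and if that helper rewrites prev->end unconditionally their recorded sizes would change. Consider `if (prev->end == prev->start)` with a comment stating that only zero-length symbols are fixed up. The loop and the function begin outside the hunk.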
@@ -0,0 +1,162 @@
+From 1447c635802fd0f5e213ad5277753108d56a4db3 Mon Sep 17 00:00:00 2001
+From: Vladimir Oltean
+Date: Tue, 14 Dec 2021 15:58:52 +0200
+Subject: Revert "arm64: dts: freescale: Fix 'interrupt-map' parent address cells"
+
+From: Vladimir Oltean
+
+commit 1447c635802fd0f5e213ad5277753108d56a4db3 upstream.
+
+This reverts commit 869f0ec048dc8fd88c0b2003373bd985795179fb. That
+updated the expected device tree binding format for the ls-extirq
+driver, without also updating the parsing code (ls_extirq_parse_map)
+to the new format.
+
+The context is that the ls-extirq driver uses the standard
+"interrupt-map" OF property in a non-standard way, as suggested by
+Rob Herring during review:
+https://lore.kernel.org/lkml/20190927161118.GA19333@bogus/
+
+This has turned out to be problematic, as Marc Zyngier discovered
+through commit 041284181226 ("of/irq: Allow matching of an interrupt-map
+local to an interrupt controller"), later fixed through commit
+de4adddcbcc2 ("of/irq: Add a quirk for controllers with their own
+definition of interrupt-map"). Marc's position, expressed on multiple
+opportunities, is that:
+
+(a) [ making private use of the reserved "interrupt-map" name in a
+ driver ] "is wrong, by the very letter of what an interrupt-map
+ means. If the interrupt map points to an interrupt controller,
+ that's the target for the interrupt."
+https://lore.kernel.org/lkml/87k0g8jlmg.wl-maz@kernel.org/
+
+(b) [ updating the driver's bindings to accept a non-reserved name for
+ this property, as an alternative, is ] "is totally pointless. These
+ machines have been in the wild for years, and existing DTs will be
+ there *forever*."
+https://lore.kernel.org/lkml/87ilvrk1r0.wl-maz@kernel.org/
+
+Considering the above, the Linux kernel has quirks in place to deal with
+the ls-extirq's non-standard use of the "interrupt-map". These quirks
+may be needed in other operating systems that consume this device tree,
+yet this is seen as the only viable solution.
+
+Therefore, the premise of the patch being reverted here is invalid.
+It doesn't matter whether the driver, in its non-standard use of the
+property, complies to the standard format or not, since this property
+isn't expected to be used for interrupt translation by the core.
+
+This change restores LS1088A, LS2088A/LS2085A and LX2160A to their
+previous bindings, which allows these systems to continue to use
+external interrupt lines with the correct polarity.
+
+Fixes: 869f0ec048dc ("arm64: dts: freescale: Fix 'interrupt-map' parent address cells")
+Signed-off-by: Vladimir Oltean
+Acked-by: Marc Zyngier
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/arm64/boot/dts/freescale/fsl-ls1088a.dtsi | 24 ++++++++++++------------
+ arch/arm64/boot/dts/freescale/fsl-ls208xa.dtsi | 24 ++++++++++++------------
+ arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi | 24 ++++++++++++------------
+ 3 files changed, 36 insertions(+), 36 deletions(-)
+
+--- a/arch/arm64/boot/dts/freescale/fsl-ls1088a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls1088a.dtsi
+@@ -241,18 +241,18 @@
+ interrupt-controller;
+ reg = <0x14 4>;
+ interrupt-map =
+- <0 0 &gic 0 0 GIC_SPI 0 IRQ_TYPE_LEVEL_HIGH>,
+- <1 0 &gic 0 0 GIC_SPI 1 IRQ_TYPE_LEVEL_HIGH>,
+- <2 0 &gic 0 0 GIC_SPI 2 IRQ_TYPE_LEVEL_HIGH>,
+- <3 0 &gic 0 0 GIC_SPI 3 IRQ_TYPE_LEVEL_HIGH>,
+- <4 0 &gic 0 0 GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
+- <5 0 &gic 0 0 GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>,
+- <6 0 &gic 0 0 GIC_SPI 6 IRQ_TYPE_LEVEL_HIGH>,
+- <7 0 &gic 0 0 GIC_SPI 7 IRQ_TYPE_LEVEL_HIGH>,
+- <8 0 &gic 0 0 GIC_SPI 8 IRQ_TYPE_LEVEL_HIGH>,
+- <9 0 &gic 0 0 GIC_SPI 9 IRQ_TYPE_LEVEL_HIGH>,
+- <10 0 &gic 0 0 GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>,
+- <11 0 &gic 0 0 GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ <0 0 &gic GIC_SPI 0 IRQ_TYPE_LEVEL_HIGH>,
++ <1 0 &gic GIC_SPI 1 IRQ_TYPE_LEVEL_HIGH>,
++ <2 0 &gic GIC_SPI 2 IRQ_TYPE_LEVEL_HIGH>,
++ <3 0 &gic GIC_SPI 3 IRQ_TYPE_LEVEL_HIGH>,
++ <4 0 &gic GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
++ <5 0 &gic GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>,
++ <6 0 &gic GIC_SPI 6 IRQ_TYPE_LEVEL_HIGH>,
++ <7 0 &gic GIC_SPI 7 IRQ_TYPE_LEVEL_HIGH>,
++ <8 0 &gic GIC_SPI 8 IRQ_TYPE_LEVEL_HIGH>,
++ <9 0 &gic GIC_SPI 9 IRQ_TYPE_LEVEL_HIGH>,
++ <10 0 &gic GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>,
++ <11 0 &gic GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-map-mask = <0xffffffff 0x0>;
+ };
+ };
+--- a/arch/arm64/boot/dts/freescale/fsl-ls208xa.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-ls208xa.dtsi
+@@ -293,18 +293,18 @@
+ interrupt-controller;
+ reg = <0x14 4>;
+ interrupt-map =
+- <0 0 &gic 0 0 GIC_SPI 0 IRQ_TYPE_LEVEL_HIGH>,
+- <1 0 &gic 0 0 GIC_SPI 1 IRQ_TYPE_LEVEL_HIGH>,
+- <2 0 &gic 0 0 GIC_SPI 2 IRQ_TYPE_LEVEL_HIGH>,
+- <3 0 &gic 0 0 GIC_SPI 3 IRQ_TYPE_LEVEL_HIGH>,
+- <4 0 &gic 0 0 GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
+- <5 0 &gic 0 0 GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>,
+- <6 0 &gic 0 0 GIC_SPI 6 IRQ_TYPE_LEVEL_HIGH>,
+- <7 0 &gic 0 0 GIC_SPI 7 IRQ_TYPE_LEVEL_HIGH>,
+- <8 0 &gic 0 0 GIC_SPI 8 IRQ_TYPE_LEVEL_HIGH>,
+- <9 0 &gic 0 0 GIC_SPI 9 IRQ_TYPE_LEVEL_HIGH>,
+- <10 0 &gic 0 0 GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>,
+- <11 0 &gic 0 0 GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ <0 0 &gic GIC_SPI 0 IRQ_TYPE_LEVEL_HIGH>,
++ <1 0 &gic GIC_SPI 1 IRQ_TYPE_LEVEL_HIGH>,
++ <2 0 &gic GIC_SPI 2 IRQ_TYPE_LEVEL_HIGH>,
++ <3 0 &gic GIC_SPI 3 IRQ_TYPE_LEVEL_HIGH>,
++ <4 0 &gic GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
++ <5 0 &gic GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>,
++ <6 0 &gic GIC_SPI 6 IRQ_TYPE_LEVEL_HIGH>,
++ <7 0 &gic GIC_SPI 7 IRQ_TYPE_LEVEL_HIGH>,
++ <8 0 &gic GIC_SPI 8 IRQ_TYPE_LEVEL_HIGH>,
++ <9 0 &gic GIC_SPI 9 IRQ_TYPE_LEVEL_HIGH>,
++ <10 0 &gic GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>,
++ <11 0 &gic GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-map-mask = <0xffffffff 0x0>;
+ };
+ };
+--- a/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
++++ b/arch/arm64/boot/dts/freescale/fsl-lx2160a.dtsi
+@@ -680,18 +680,18 @@
+ interrupt-controller;
+ reg = <0x14 4>;
+ interrupt-map =
+- <0 0 &gic 0 0 GIC_SPI 0 IRQ_TYPE_LEVEL_HIGH>,
+- <1 0 &gic 0 0 GIC_SPI 1 IRQ_TYPE_LEVEL_HIGH>,
+- <2 0 &gic 0 0 GIC_SPI 2 IRQ_TYPE_LEVEL_HIGH>,
+- <3 0 &gic 0 0 GIC_SPI 3 IRQ_TYPE_LEVEL_HIGH>,
+- <4 0 &gic 0 0 GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
+- <5 0 &gic 0 0 GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>,
+- <6 0 &gic 0 0 GIC_SPI 6 IRQ_TYPE_LEVEL_HIGH>,
+- <7 0 &gic 0 0 GIC_SPI 7 IRQ_TYPE_LEVEL_HIGH>,
+- <8 0 &gic 0 0 GIC_SPI 8 IRQ_TYPE_LEVEL_HIGH>,
+- <9 0 &gic 0 0 GIC_SPI 9 IRQ_TYPE_LEVEL_HIGH>,
+- <10 0 &gic 0 0 GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>,
+- <11 0 &gic 0 0 GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>;
++ <0 0 &gic GIC_SPI 0 IRQ_TYPE_LEVEL_HIGH>,
++ <1 0 &gic GIC_SPI 1 IRQ_TYPE_LEVEL_HIGH>,
++ <2 0 &gic GIC_SPI 2 IRQ_TYPE_LEVEL_HIGH>,
++ <3 0 &gic GIC_SPI 3 IRQ_TYPE_LEVEL_HIGH>,
++ <4 0 &gic GIC_SPI 4 IRQ_TYPE_LEVEL_HIGH>,
++ <5 0 &gic GIC_SPI 5 IRQ_TYPE_LEVEL_HIGH>,
++ <6 0 &gic GIC_SPI 6 IRQ_TYPE_LEVEL_HIGH>,
++ <7 0 &gic GIC_SPI 7 IRQ_TYPE_LEVEL_HIGH>,
++ <8 0 &gic GIC_SPI 8 IRQ_TYPE_LEVEL_HIGH>,
++ <9 0 &gic GIC_SPI 9 IRQ_TYPE_LEVEL_HIGH>,
++ <10 0 &gic GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>,
++ <11 0 &gic GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>;
+ interrupt-map-mask = <0xffffffff 0x0>;
+ };
+ };
diff --git a/queue-5.16/revert-ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel.patch b/queue-5.16/revert-ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel.patch
new file mode 100644
index 00000000000..9d9a8df7b14
--- /dev/null
+++ b/queue-5.16/revert-ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel.patch
@@ -0,0 +1,69 @@
+From 45b4eb7ee6aa1a55a50831b328aa5f46ac3a7187 Mon Sep 17 00:00:00 2001
+From: Kalle Valo
+Date: Tue, 15 Mar 2022 17:54:55 +0200
+Subject: Revert "ath10k: drop beacon and probe response which leak from other channel"
+
+From: Kalle Valo
+
+commit 45b4eb7ee6aa1a55a50831b328aa5f46ac3a7187 upstream.
+
+This reverts commit 3bf2537ec2e33310b431b53fd84be8833736c256.
+
+I was reported privately that this commit breaks AP and mesh mode on QCA9984
+(firmware 10.4-3.9.0.2-00156). So revert the commit to fix the regression.
+
+There was a conflict due to cfg80211 API changes but that was easy to fix.
+
+Fixes: 3bf2537ec2e3 ("ath10k: drop beacon and probe response which leak from other channel")
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220315155455.20446-1-kvalo@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath10k/wmi.c | 27 +--------------------------
+ 1 file changed, 1 insertion(+), 26 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath10k/wmi.c
++++ b/drivers/net/wireless/ath/ath10k/wmi.c
+@@ -2611,30 +2611,9 @@ int ath10k_wmi_event_mgmt_rx(struct ath1
+ ath10k_mac_handle_beacon(ar, skb);
+
+ if (ieee80211_is_beacon(hdr->frame_control) ||
+- ieee80211_is_probe_resp(hdr->frame_control)) {
+- struct ieee80211_mgmt *mgmt = (void *)skb->data;
+- u8 *ies;
+- int ies_ch;
+-
++ ieee80211_is_probe_resp(hdr->frame_control))
+ status->boottime_ns = ktime_get_boottime_ns();
+
+- if (!ar->scan_channel)
+- goto drop;
+-
+- ies = mgmt->u.beacon.variable;
+-
+- ies_ch = cfg80211_get_ies_channel_number(mgmt->u.beacon.variable,
+- skb_tail_pointer(skb) - ies,
+- sband->band);
+-
+- if (ies_ch > 0 && ies_ch != channel) {
+- ath10k_dbg(ar, ATH10K_DBG_MGMT,
+- "channel mismatched ds channel %d scan channel %d\n",
+- ies_ch, channel);
+- goto drop;
+- }
+- }
+-
+ ath10k_dbg(ar, ATH10K_DBG_MGMT,
+ "event mgmt rx skb %pK len %d ftype %02x stype %02x\n",
+ skb, skb->len,
+@@ -2648,10 +2627,6 @@ int ath10k_wmi_event_mgmt_rx(struct ath1
+ ieee80211_rx_ni(ar->hw, skb);
+
+ return 0;
+-
+-drop:
+- dev_kfree_skb(skb);
+- return 0;
+ }
+
+ static int freq_to_idx(struct ath10k *ar, int freq)
diff --git a/queue-5.16/series b/queue-5.16/series
index 079ea880c92..cf0148aa0f0 100644
--- a/queue-5.16/series
+++ b/queue-5.16/series
@@ -29,3 +29,8 @@ usb-gadget-rndis-prevent-integer-overflow-in-rndis_set_response.patch
 usb-gadget-fix-use-after-free-bug-by-not-setting-udc-dev.driver.patch
 usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch
 scsi-mpt3sas-page-fault-in-reply-q-processing.patch
+input-aiptek-properly-check-endpoint-type.patch
+arm64-errata-avoid-duplicate-field-initializer.patch
+perf-symbols-fix-symbol-size-calculation-condition.patch
+revert-arm64-dts-freescale-fix-interrupt-map-parent-address-cells.patch
+revert-ath10k-drop-beacon-and-probe-response-which-leak-from-other-channel.patch
-- 2.47.3
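Review bot: After this revert ath10k_wmi_event_mgmt_rx() (drivers/net/wireless/ath/ath10k/wmi.c) again passes every beacon and probe response on to `ieee80211_rx_ni()` without comparing the channel advertised in the frame with the receive channel, which is the condition the removed `ies_ch != channel` branch filtered on. The description gives the AP and mesh regression on QCA9984 as the reason, but the leak the reverted commit was written for is left unaddressed and nothing in the remaining code records that. A comment above the `if` would help the next reader, for example `/* No DS-channel check here: the filter was reverted because it broke AP and mesh mode on QCA9984 */`. The function starts outside the hunk.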