From ec06f976cdcde0d4251e0cb5da974a1fb133da61 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 17 Dec 2021 14:08:52 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
	firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
	mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
	mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
---
 ...string-overflow-in-scpi-genpd-driver.patch | 54 +++++++++++++++++++
 ...tx-during-stop-for-tx-in-in_reconfig.patch | 42 +++++++++++++++
 ...tid-queue-of-the-aggregation-session.patch | 37 +++++++++++++
 queue-5.4/series                              |  3 ++
 4 files changed, 136 insertions(+)
 create mode 100644 queue-5.4/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
 create mode 100644 queue-5.4/mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
 create mode 100644 queue-5.4/mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch

diff --git a/queue-5.4/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch b/queue-5.4/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
new file mode 100644
index 00000000000..b87ea15b62a
--- /dev/null
+++ b/queue-5.4/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
@@ -0,0 +1,54 @@
+From 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla <sudeep.holla@arm.com>
+Date: Thu, 9 Dec 2021 12:04:56 +0000
+Subject: firmware: arm_scpi: Fix string overflow in SCPI genpd driver
+
+From: Sudeep Holla <sudeep.holla@arm.com>
+
+commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 upstream.
+
+Without the bound checks for scpi_pd->name, it could result in the buffer
+overflow when copying the SCPI device name from the corresponding device
+tree node as the name string is set at maximum size of 30.
+
+Let us fix it by using devm_kasprintf so that the string buffer is
+allocated dynamically.
+
+Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd")
+Reported-by: Pedro Batista <pedbap.g@gmail.com>
+Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
+Cc: stable@vger.kernel.org
+Cc: Cristian Marussi <cristian.marussi@arm.com>
+Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com'
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/scpi_pm_domain.c |   10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/scpi_pm_domain.c
++++ b/drivers/firmware/scpi_pm_domain.c
+@@ -16,7 +16,6 @@ struct scpi_pm_domain {
+ 	struct generic_pm_domain genpd;
+ 	struct scpi_ops *ops;
+ 	u32 domain;
+-	char name[30];
+ };
+ 
+ /*
+@@ -110,8 +109,13 @@ static int scpi_pm_domain_probe(struct p
+ 
+ 		scpi_pd->domain = i;
+ 		scpi_pd->ops = scpi_ops;
+-		sprintf(scpi_pd->name, "%pOFn.%d", np, i);
+-		scpi_pd->genpd.name = scpi_pd->name;
++		scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL,
++						     "%pOFn.%d", np, i);
++		if (!scpi_pd->genpd.name) {
++			dev_err(dev, "Failed to allocate genpd name:%pOFn.%d\n",
++				np, i);
++			continue;
++		}
+ 		scpi_pd->genpd.power_off = scpi_pd_power_off;
+ 		scpi_pd->genpd.power_on = scpi_pd_power_on;
+ 
diff --git a/queue-5.4/mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch b/queue-5.4/mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
new file mode 100644
index 00000000000..ca279670950
--- /dev/null
+++ b/queue-5.4/mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
@@ -0,0 +1,42 @@
+From db7205af049d230e7e0abf61c1e74c1aab40f390 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 29 Nov 2021 15:32:39 +0200
+Subject: mac80211: mark TX-during-stop for TX in in_reconfig
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit db7205af049d230e7e0abf61c1e74c1aab40f390 upstream.
+
+Mark TXQs as having seen transmit while they were stopped if
+we bail out of drv_wake_tx_queue() due to reconfig, so that
+the queue wake after this will make them catch up. This is
+particularly necessary for when TXQs are used for management
+packets since those TXQs won't see a lot of traffic that'd
+make them catch up later.
+
+Cc: stable@vger.kernel.org
+Fixes: 4856bfd23098 ("mac80211: do not call driver wake_tx_queue op during reconfig")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20211129152938.4573a221c0e1.I0d1d5daea3089be3fc0dccc92991b0f8c5677f0c@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/driver-ops.h |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/driver-ops.h
++++ b/net/mac80211/driver-ops.h
+@@ -1202,8 +1202,11 @@ static inline void drv_wake_tx_queue(str
+ {
+ 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
+ 
+-	if (local->in_reconfig)
++	/* In reconfig don't transmit now, but mark for waking later */
++	if (local->in_reconfig) {
++		set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txq->flags);
+ 		return;
++	}
+ 
+ 	if (!check_sdata_in_driver(sdata))
+ 		return;
diff --git a/queue-5.4/mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch b/queue-5.4/mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
new file mode 100644
index 00000000000..a2c7b1a8dbe
--- /dev/null
+++ b/queue-5.4/mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
@@ -0,0 +1,37 @@
+From 1fe98f5690c4219d419ea9cc190f94b3401cf324 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Thu, 2 Dec 2021 13:45:33 +0100
+Subject: mac80211: send ADDBA requests using the tid/queue of the aggregation session
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 1fe98f5690c4219d419ea9cc190f94b3401cf324 upstream.
+
+Sending them out on a different queue can cause a race condition where a
+number of packets in the queue may be discarded by the receiver, because
+the ADDBA request is sent too early.
+This affects any driver with software A-MPDU setup which does not allocate
+packet seqno in hardware on tx, regardless of whether iTXQ is used or not.
+The only driver I've seen that explicitly deals with this issue internally
+is mwl8k.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20211202124533.80388-1-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/agg-tx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -106,7 +106,7 @@ static void ieee80211_send_addba_request
+ 	mgmt->u.action.u.addba_req.start_seq_num =
+ 					cpu_to_le16(start_seq_num << 4);
+ 
+-	ieee80211_tx_skb(sdata, skb);
++	ieee80211_tx_skb_tid(sdata, skb, tid);
+ }
+ 
+ void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
diff --git a/queue-5.4/series b/queue-5.4/series
index 143c8c96f4c..1cb176948a1 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -1 +1,4 @@
 kvm-selftests-make-sure-kvm_create_max_vcpus-test-wo.patch
+mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
+mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
+firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
-- 
2.47.2