--- /dev/null
+From stable+bounces-164533-greg=kroah.com@vger.kernel.org Thu Jul 24 04:54:33 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:54:19 -0400
+Subject: crypto: powerpc/poly1305 - add depends on BROKEN for now
+To: stable@vger.kernel.org
+Cc: Eric Biggers <ebiggers@google.com>, Herbert Xu <herbert@gondor.apana.org.au>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724025419.1277524-1-sashal@kernel.org>
+
+From: Eric Biggers <ebiggers@google.com>
+
+[ Upstream commit bc8169003b41e89fe7052e408cf9fdbecb4017fe ]
+
+As discussed in the thread containing
+https://lore.kernel.org/linux-crypto/20250510053308.GB505731@sol/, the
+Power10-optimized Poly1305 code is currently not safe to call in softirq
+context. Disable it for now. It can be re-enabled once it is fixed.
+
+Fixes: ba8f8624fde2 ("crypto: poly1305-p10 - Glue code for optmized Poly1305 implementation for ppc64le")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[ applied to arch/powerpc/crypto/Kconfig ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/crypto/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/crypto/Kconfig
++++ b/arch/powerpc/crypto/Kconfig
+@@ -129,6 +129,7 @@ config CRYPTO_CHACHA20_P10
+ config CRYPTO_POLY1305_P10
+ tristate "Hash functions: Poly1305 (P10 or later)"
+ depends on PPC64 && CPU_LITTLE_ENDIAN && VSX
++ depends on BROKEN # Needs to be fixed to work in softirq context
+ select CRYPTO_HASH
+ select CRYPTO_LIB_POLY1305_GENERIC
+ help
--- /dev/null
+From stable+bounces-164822-greg=kroah.com@vger.kernel.org Sat Jul 26 04:27:21 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 25 Jul 2025 22:27:05 -0400
+Subject: crypto: qat - add shutdown handler to qat_dh895xcc
+To: stable@vger.kernel.org
+Cc: Giovanni Cabiddu <giovanni.cabiddu@intel.com>, Ahsan Atta <ahsan.atta@intel.com>, Andy Shevchenko <andriy.shevchenko@linux.intel.com>, Herbert Xu <herbert@gondor.apana.org.au>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250726022705.2024714-1-sashal@kernel.org>
+
+From: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+
+[ Upstream commit 2c4e8b228733bfbcaf49408fdf94d220f6eb78fc ]
+
+During a warm reset via kexec, the system bypasses the driver removal
+sequence, meaning that the remove() callback is not invoked.
+If a QAT device is not shutdown properly, the device driver will fail to
+load in a newly rebooted kernel.
+
+This might result in output like the following after the kexec reboot:
+
+ QAT: AE0 is inactive!!
+ QAT: failed to get device out of reset
+ dh895xcc 0000:3f:00.0: qat_hal_clr_reset error
+ dh895xcc 0000:3f:00.0: Failed to init the AEs
+ dh895xcc 0000:3f:00.0: Failed to initialise Acceleration Engine
+ dh895xcc 0000:3f:00.0: Resetting device qat_dev0
+ dh895xcc 0000:3f:00.0: probe with driver dh895xcc failed with error -14
+
+Implement the shutdown() handler that hooks into the reboot notifier
+list. This brings down the QAT device and ensures it is shut down
+properly.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator")
+Reviewed-by: Ahsan Atta <ahsan.atta@intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+[ added false parameter to adf_dev_down() call ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c
++++ b/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c
+@@ -27,12 +27,14 @@ MODULE_DEVICE_TABLE(pci, adf_pci_tbl);
+
+ static int adf_probe(struct pci_dev *dev, const struct pci_device_id *ent);
+ static void adf_remove(struct pci_dev *dev);
++static void adf_shutdown(struct pci_dev *dev);
+
+ static struct pci_driver adf_driver = {
+ .id_table = adf_pci_tbl,
+ .name = ADF_DH895XCC_DEVICE_NAME,
+ .probe = adf_probe,
+ .remove = adf_remove,
++ .shutdown = adf_shutdown,
+ .sriov_configure = adf_sriov_configure,
+ .err_handler = &adf_err_handler,
+ };
+@@ -227,6 +229,13 @@ static void adf_remove(struct pci_dev *p
+ kfree(accel_dev);
+ }
+
++static void adf_shutdown(struct pci_dev *pdev)
++{
++ struct adf_accel_dev *accel_dev = adf_devmgr_pci_to_accel_dev(pdev);
++
++ adf_dev_down(accel_dev, false);
++}
++
+ static int __init adfdrv_init(void)
+ {
+ request_module("intel_qat");
--- /dev/null
+From stable+bounces-164629-greg=kroah.com@vger.kernel.org Thu Jul 24 17:36:52 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 11:36:40 -0400
+Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation
+To: stable@vger.kernel.org
+Cc: Zhang Lixu <lixu.zhang@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724153640.1367316-1-sashal@kernel.org>
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ]
+
+The OFFSET calculation in the prox_read_raw() was incorrectly using the
+unit exponent, which is intended for SCALE calculations.
+
+Remove the incorrect OFFSET calculation and set it to a fixed value of 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ adapted prox_attr array access to single structure member access ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -102,8 +102,7 @@ static int prox_read_raw(struct iio_dev
+ ret_type = prox_state->scale_precision;
+ break;
+ case IIO_CHAN_INFO_OFFSET:
+- *val = hid_sensor_convert_exponent(
+- prox_state->prox_attr.unit_expo);
++ *val = 0;
+ ret_type = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SAMP_FREQ:
--- /dev/null
+From stable+bounces-164630-greg=kroah.com@vger.kernel.org Thu Jul 24 17:36:53 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 11:36:37 -0400
+Subject: iio: hid-sensor-prox: Restore lost scale assignments
+To: stable@vger.kernel.org
+Cc: Zhang Lixu <lixu.zhang@intel.com>, Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>, Jonathan Cameron <Jonathan.Cameron@huawei.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724153637.1367298-1-sashal@kernel.org>
+
+From: Zhang Lixu <lixu.zhang@intel.com>
+
+[ Upstream commit 83ded7cfaccccd2f4041769c313b58b4c9e265ad ]
+
+The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision`
+were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not
+correct issue"), but due to a merge conflict in
+commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of
+https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"),
+these assignments were lost.
+
+Add back lost assignments and replace `st->prox_attr` with
+`st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add
+support for more channels") changed `prox_attr` to an array.
+
+Cc: stable@vger.kernel.org # 5.13+
+Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next")
+Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
+Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
+Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+[ changed st->prox_attr[0] array access to st->prox_attr single struct member ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -226,6 +226,11 @@ static int prox_parse_report(struct plat
+ dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr.index,
+ st->prox_attr.report_id);
+
++ st->scale_precision = hid_sensor_format_scale(hsdev->usage,
++ &st->prox_attr,
++ &st->scale_pre_decml,
++ &st->scale_post_decml);
++
+ return ret;
+ }
+
--- /dev/null
+From stable+bounces-164833-greg=kroah.com@vger.kernel.org Sat Jul 26 17:52:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 26 Jul 2025 11:52:17 -0400
+Subject: ksmbd: fix use-after-free in __smb2_lease_break_noti()
+To: stable@vger.kernel.org
+Cc: Namjae Jeon <linkinjeon@kernel.org>, Norbert Szetei <norbert@doyensec.com>, Steve French <stfrench@microsoft.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250726155217.2083648-1-sashal@kernel.org>
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+[ Upstream commit 21a4e47578d44c6b37c4fc4aba8ed7cc8dbb13de ]
+
+Move tcp_transport free to ksmbd_conn_free. If ksmbd connection is
+referenced when ksmbd server thread terminates, It will not be freed,
+but conn->tcp_transport is freed. __smb2_lease_break_noti can be performed
+asynchronously when the connection is disconnected. __smb2_lease_break_noti
+calls ksmbd_conn_write, which can cause use-after-free
+when conn->ksmbd_transport is already freed.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei <norbert@doyensec.com>
+Tested-by: Norbert Szetei <norbert@doyensec.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+[ Removed declaration of non-existent function ksmbd_find_netdev_name_iface_list() from transport_tcp.h. ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/smb/server/connection.c | 4 +++-
+ fs/smb/server/transport_tcp.c | 14 +++++++++-----
+ fs/smb/server/transport_tcp.h | 1 +
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/connection.c
++++ b/fs/smb/server/connection.c
+@@ -39,8 +39,10 @@ void ksmbd_conn_free(struct ksmbd_conn *
+ xa_destroy(&conn->sessions);
+ kvfree(conn->request_buf);
+ kfree(conn->preauth_info);
+- if (atomic_dec_and_test(&conn->refcnt))
++ if (atomic_dec_and_test(&conn->refcnt)) {
++ ksmbd_free_transport(conn->transport);
+ kfree(conn);
++ }
+ }
+
+ /**
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -93,17 +93,21 @@ static struct tcp_transport *alloc_trans
+ return t;
+ }
+
+-static void free_transport(struct tcp_transport *t)
++void ksmbd_free_transport(struct ksmbd_transport *kt)
+ {
+- kernel_sock_shutdown(t->sock, SHUT_RDWR);
+- sock_release(t->sock);
+- t->sock = NULL;
++ struct tcp_transport *t = TCP_TRANS(kt);
+
+- ksmbd_conn_free(KSMBD_TRANS(t)->conn);
++ sock_release(t->sock);
+ kfree(t->iov);
+ kfree(t);
+ }
+
++static void free_transport(struct tcp_transport *t)
++{
++ kernel_sock_shutdown(t->sock, SHUT_RDWR);
++ ksmbd_conn_free(KSMBD_TRANS(t)->conn);
++}
++
+ /**
+ * kvec_array_init() - initialize a IO vector segment
+ * @new: IO vector to be initialized
+--- a/fs/smb/server/transport_tcp.h
++++ b/fs/smb/server/transport_tcp.h
+@@ -7,6 +7,7 @@
+ #define __KSMBD_TRANSPORT_TCP_H__
+
+ int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz);
++void ksmbd_free_transport(struct ksmbd_transport *kt);
+ int ksmbd_tcp_init(void);
+ void ksmbd_tcp_destroy(void);
+
--- /dev/null
+From stable+bounces-164530-greg=kroah.com@vger.kernel.org Thu Jul 24 04:31:17 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 22:31:05 -0400
+Subject: mtd: rawnand: qcom: Fix last codeword read in qcom_param_page_type_exec()
+To: stable@vger.kernel.org
+Cc: Md Sadre Alam <quic_mdalam@quicinc.com>, Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>, Lakshmi Sowjanya D <quic_laksd@quicinc.com>, Miquel Raynal <miquel.raynal@bootlin.com>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724023105.1267926-1-sashal@kernel.org>
+
+From: Md Sadre Alam <quic_mdalam@quicinc.com>
+
+[ Upstream commit 47bddabbf69da50999ec68be92b58356c687e1d6 ]
+
+For QPIC V2 onwards there is a separate register to read
+last code word "QPIC_NAND_READ_LOCATION_LAST_CW_n".
+
+qcom_param_page_type_exec() is used to read only one code word
+If it configures the number of code words to 1 in QPIC_NAND_DEV0_CFG0
+register then QPIC controller thinks its reading the last code word,
+since we are having separate register to read the last code word,
+we have to configure "QPIC_NAND_READ_LOCATION_LAST_CW_n" register
+to fetch data from QPIC buffer to system memory.
+
+Without this change page read was failing with timeout error
+
+/ # hexdump -C /dev/mtd1
+[ 129.206113] qcom-nandc 1cc8000.nand-controller: failure to read page/oob
+hexdump: /dev/mtd1: Connection timed out
+
+This issue only seen on SDX targets since SDX target used QPICv2. But
+same working on IPQ targets since IPQ used QPICv1.
+
+Cc: stable@vger.kernel.org
+Fixes: 89550beb098e ("mtd: rawnand: qcom: Implement exec_op()")
+Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Tested-by: Lakshmi Sowjanya D <quic_laksd@quicinc.com>
+Signed-off-by: Md Sadre Alam <quic_mdalam@quicinc.com>
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mtd/nand/raw/qcom_nandc.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/qcom_nandc.c
++++ b/drivers/mtd/nand/raw/qcom_nandc.c
+@@ -2858,7 +2858,12 @@ static int qcom_param_page_type_exec(str
+ const struct nand_op_instr *instr = NULL;
+ unsigned int op_id = 0;
+ unsigned int len = 0;
+- int ret;
++ int ret, reg_base;
++
++ reg_base = NAND_READ_LOCATION_0;
++
++ if (nandc->props->qpic_v2)
++ reg_base = NAND_READ_LOCATION_LAST_CW_0;
+
+ ret = qcom_parse_instructions(chip, subop, &q_op);
+ if (ret)
+@@ -2910,7 +2915,10 @@ static int qcom_param_page_type_exec(str
+ op_id = q_op.data_instr_idx;
+ len = nand_subop_get_data_len(subop, op_id);
+
+- nandc_set_read_loc(chip, 0, 0, 0, len, 1);
++ if (nandc->props->qpic_v2)
++ nandc_set_read_loc_last(chip, reg_base, 0, len, 1);
++ else
++ nandc_set_read_loc_first(chip, reg_base, 0, len, 1);
+
+ if (!nandc->props->qpic_v2) {
+ write_reg_dma(nandc, NAND_DEV_CMD_VLD, 1, 0);
--- /dev/null
+From stable+bounces-164557-greg=kroah.com@vger.kernel.org Thu Jul 24 06:06:29 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 24 Jul 2025 00:06:12 -0400
+Subject: perf/x86/intel: Fix crash in icl_update_topdown_event()
+To: stable@vger.kernel.org
+Cc: Kan Liang <kan.liang@linux.intel.com>, Vince Weaver <vincent.weaver@maine.edu>, Peter Zijlstra <peterz@infradead.org>, Ingo Molnar <mingo@kernel.org>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250724040612.1296188-1-sashal@kernel.org>
+
+From: Kan Liang <kan.liang@linux.intel.com>
+
+[ Upstream commit b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed ]
+
+The perf_fuzzer found a hard-lockup crash on a RaptorLake machine:
+
+ Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000
+ CPU: 23 UID: 0 PID: 0 Comm: swapper/23
+ Tainted: [W]=WARN
+ Hardware name: Dell Inc. Precision 9660/0VJ762
+ RIP: 0010:native_read_pmc+0x7/0x40
+ Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...
+ RSP: 000:fffb03100273de8 EFLAGS: 00010046
+ ....
+ Call Trace:
+ <TASK>
+ icl_update_topdown_event+0x165/0x190
+ ? ktime_get+0x38/0xd0
+ intel_pmu_read_event+0xf9/0x210
+ __perf_event_read+0xf9/0x210
+
+CPUs 16-23 are E-core CPUs that don't support the perf metrics feature.
+The icl_update_topdown_event() should not be invoked on these CPUs.
+
+It's a regression of commit:
+
+ f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
+
+The bug introduced by that commit is that the is_topdown_event() function
+is mistakenly used to replace the is_topdown_count() call to check if the
+topdown functions for the perf metrics feature should be invoked.
+
+Fix it.
+
+Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
+Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/
+Reported-by: Vince Weaver <vincent.weaver@maine.edu>
+Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
+Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Tested-by: Vince Weaver <vincent.weaver@maine.edu>
+Cc: stable@vger.kernel.org # v6.15+
+Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com
+[ omitted PEBS check ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/events/intel/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2734,7 +2734,7 @@ static void intel_pmu_read_event(struct
+ if (pmu_enabled)
+ intel_pmu_disable_all();
+
+- if (is_topdown_event(event))
++ if (is_topdown_count(event))
+ static_call(intel_pmu_update_topdown_event)(event);
+ else
+ intel_pmu_drain_pebs_buffer();
drm-i915-dp-fix-2.7-gbps-dp_link_bw-value-on-g4x.patch
mm-khugepaged-fix-call-hpage_collapse_scan_file-for-anonymous-vma.patch
erofs-address-d-cache-aliasing.patch
+crypto-powerpc-poly1305-add-depends-on-broken-for-now.patch
+crypto-qat-add-shutdown-handler-to-qat_dh895xcc.patch
+iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch
+iio-hid-sensor-prox-restore-lost-scale-assignments.patch
+ksmbd-fix-use-after-free-in-__smb2_lease_break_noti.patch
+mtd-rawnand-qcom-fix-last-codeword-read-in-qcom_param_page_type_exec.patch
+perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch
+wifi-mt76-mt7921-prevent-decap-offload-config-before-sta-initialization.patch
--- /dev/null
+From stable+bounces-164500-greg=kroah.com@vger.kernel.org Wed Jul 23 20:28:03 2025
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 23 Jul 2025 14:27:51 -0400
+Subject: wifi: mt76: mt7921: prevent decap offload config before STA initialization
+To: stable@vger.kernel.org
+Cc: Deren Wu <deren.wu@mediatek.com>, Felix Fietkau <nbd@nbd.name>, Sasha Levin <sashal@kernel.org>
+Message-ID: <20250723182751.1096863-1-sashal@kernel.org>
+
+From: Deren Wu <deren.wu@mediatek.com>
+
+[ Upstream commit 7035a082348acf1d43ffb9ff735899f8e3863f8f ]
+
+The decap offload configuration should only be applied after the STA has
+been successfully initialized. Attempting to configure it earlier can lead
+to corruption of the MAC configuration in the chip's hardware state.
+
+Add an early check for `msta->deflink.wcid.sta` to ensure the station peer
+is properly initialized before proceeding with decapsulation offload
+configuration.
+
+Cc: stable@vger.kernel.org
+Fixes: 24299fc869f7 ("mt76: mt7921: enable rx header traslation offload")
+Signed-off-by: Deren Wu <deren.wu@mediatek.com>
+Link: https://patch.msgid.link/f23a72ba7a3c1ad38ba9e13bb54ef21d6ef44ffb.1748149855.git.deren.wu@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+[ Changed msta->deflink.wcid.sta to msta->wcid.sta ]
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1087,6 +1087,9 @@ static void mt7921_sta_set_decap_offload
+ struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv;
+ struct mt792x_dev *dev = mt792x_hw_dev(hw);
+
++ if (!msta->wcid.sta)
++ return;
++
+ mt792x_mutex_acquire(dev);
+
+ if (enabled)
projects / thirdparty / kernel / stable-queue.git / commitdiff
