From: Greg Kroah-Hartman Date: Wed, 30 Jul 2025 09:01:04 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.6.101~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3fc8e294d8d30730fd64329349275b7720fca0b7;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: crypto-powerpc-poly1305-add-depends-on-broken-for-now.patch crypto-qat-add-shutdown-handler-to-qat_dh895xcc.patch iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch iio-hid-sensor-prox-restore-lost-scale-assignments.patch ksmbd-fix-use-after-free-in-__smb2_lease_break_noti.patch mtd-rawnand-qcom-fix-last-codeword-read-in-qcom_param_page_type_exec.patch perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch wifi-mt76-mt7921-prevent-decap-offload-config-before-sta-initialization.patch
---
diff --git a/queue-6.6/crypto-powerpc-poly1305-add-depends-on-broken-for-now.patch b/queue-6.6/crypto-powerpc-poly1305-add-depends-on-broken-for-now.patch
new file mode 100644
index 0000000000..fcabe6e2e8
--- /dev/null
+++ b/queue-6.6/crypto-powerpc-poly1305-add-depends-on-broken-for-now.patch
@@ -0,0 +1,38 @@
+From stable+bounces-164533-greg=kroah.com@vger.kernel.org Thu Jul 24 04:54:33 2025
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 22:54:19 -0400
+Subject: crypto: powerpc/poly1305 - add depends on BROKEN for now
+To: stable@vger.kernel.org
+Cc: Eric Biggers , Herbert Xu , Sasha Levin
+Message-ID: <20250724025419.1277524-1-sashal@kernel.org>
+
+From: Eric Biggers
+
+[ Upstream commit bc8169003b41e89fe7052e408cf9fdbecb4017fe ]
+
+As discussed in the thread containing
+https://lore.kernel.org/linux-crypto/20250510053308.GB505731@sol/, the
+Power10-optimized Poly1305 code is currently not safe to call in softirq
+context. Disable it for now. It can be re-enabled once it is fixed.
+
+Fixes: ba8f8624fde2 ("crypto: poly1305-p10 - Glue code for optmized Poly1305 implementation for ppc64le")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Herbert Xu
+[ applied to arch/powerpc/crypto/Kconfig ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/crypto/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/crypto/Kconfig
++++ b/arch/powerpc/crypto/Kconfig
+@@ -129,6 +129,7 @@ config CRYPTO_CHACHA20_P10
+ config CRYPTO_POLY1305_P10
+ tristate "Hash functions: Poly1305 (P10 or later)"
+ depends on PPC64 && CPU_LITTLE_ENDIAN && VSX
++ depends on BROKEN # Needs to be fixed to work in softirq context
+ select CRYPTO_HASH
+ select CRYPTO_LIB_POLY1305_GENERIC
+ help
diff --git a/queue-6.6/crypto-qat-add-shutdown-handler-to-qat_dh895xcc.patch b/queue-6.6/crypto-qat-add-shutdown-handler-to-qat_dh895xcc.patch
new file mode 100644
index 0000000000..55979f05d6
--- /dev/null
+++ b/queue-6.6/crypto-qat-add-shutdown-handler-to-qat_dh895xcc.patch
@@ -0,0 +1,75 @@
+From stable+bounces-164822-greg=kroah.com@vger.kernel.org Sat Jul 26 04:27:21 2025
+From: Sasha Levin
+Date: Fri, 25 Jul 2025 22:27:05 -0400
+Subject: crypto: qat - add shutdown handler to qat_dh895xcc
+To: stable@vger.kernel.org
+Cc: Giovanni Cabiddu , Ahsan Atta , Andy Shevchenko , Herbert Xu , Sasha Levin
+Message-ID: <20250726022705.2024714-1-sashal@kernel.org>
+
+From: Giovanni Cabiddu
+
+[ Upstream commit 2c4e8b228733bfbcaf49408fdf94d220f6eb78fc ]
+
+During a warm reset via kexec, the system bypasses the driver removal
+sequence, meaning that the remove() callback is not invoked.
+If a QAT device is not shutdown properly, the device driver will fail to
+load in a newly rebooted kernel.
+
+This might result in output like the following after the kexec reboot:
+
+ QAT: AE0 is inactive!!
+ QAT: failed to get device out of reset
+ dh895xcc 0000:3f:00.0: qat_hal_clr_reset error
+ dh895xcc 0000:3f:00.0: Failed to init the AEs
+ dh895xcc 0000:3f:00.0: Failed to initialise Acceleration Engine
+ dh895xcc 0000:3f:00.0: Resetting device qat_dev0
+ dh895xcc 0000:3f:00.0: probe with driver dh895xcc failed with error -14
+
+Implement the shutdown() handler that hooks into the reboot notifier
+list. This brings down the QAT device and ensures it is shut down
+properly.
+
+Cc:
+Fixes: 7afa232e76ce ("crypto: qat - Intel(R) QAT DH895xcc accelerator")
+Reviewed-by: Ahsan Atta
+Reviewed-by: Andy Shevchenko
+Signed-off-by: Giovanni Cabiddu
+Signed-off-by: Herbert Xu
+[ added false parameter to adf_dev_down() call ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c
++++ b/drivers/crypto/intel/qat/qat_dh895xcc/adf_drv.c
+@@ -27,12 +27,14 @@ MODULE_DEVICE_TABLE(pci, adf_pci_tbl);
+
+ static int adf_probe(struct pci_dev *dev, const struct pci_device_id *ent);
+ static void adf_remove(struct pci_dev *dev);
++static void adf_shutdown(struct pci_dev *dev);
+
+ static struct pci_driver adf_driver = {
+ .id_table = adf_pci_tbl,
+ .name = ADF_DH895XCC_DEVICE_NAME,
+ .probe = adf_probe,
+ .remove = adf_remove,
++ .shutdown = adf_shutdown,
+ .sriov_configure = adf_sriov_configure,
+ .err_handler = &adf_err_handler,
+ };
+@@ -227,6 +229,13 @@ static void adf_remove(struct pci_dev *p
+ kfree(accel_dev);
+ }
+
++static void adf_shutdown(struct pci_dev *pdev)
++{
++ struct adf_accel_dev *accel_dev = adf_devmgr_pci_to_accel_dev(pdev);
++
++ adf_dev_down(accel_dev, false);
++}
++
+ static int __init adfdrv_init(void)
+ {
+ request_module("intel_qat");
diff --git a/queue-6.6/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch b/queue-6.6/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch
new file mode 100644
index 0000000000..e9b7654f97
--- /dev/null
+++ b/queue-6.6/iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch
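Review bot: `adf_shutdown()` hands the result of `adf_devmgr_pci_to_accel_dev(pdev)` straight to `adf_dev_down()` and discards the return value, so a failed lookup or a failed bring-down on the reboot/kexec path is silent. Whether `adf_dev_down()` tolerates a NULL device is not visible in this hunk; an explicit guard, `if (!accel_dev) return;`, would make the handler safe on its own. A one-line comment above the function, `/* kexec skips remove(); bring the device down so the next kernel can reset it */`, would record why the handler exists. The bodies of `adf_remove()` and `adfdrv_init()` around it lie outside the hunk.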
@@ -0,0 +1,42 @@
+From stable+bounces-164629-greg=kroah.com@vger.kernel.org Thu Jul 24 17:36:52 2025
+From: Sasha Levin
+Date: Thu, 24 Jul 2025 11:36:40 -0400
+Subject: iio: hid-sensor-prox: Fix incorrect OFFSET calculation
+To: stable@vger.kernel.org
+Cc: Zhang Lixu , Srinivas Pandruvada , Jonathan Cameron , Sasha Levin
+Message-ID: <20250724153640.1367316-1-sashal@kernel.org>
+
+From: Zhang Lixu
+
+[ Upstream commit 79dabbd505210e41c88060806c92c052496dd61c ]
+
+The OFFSET calculation in the prox_read_raw() was incorrectly using the
+unit exponent, which is intended for SCALE calculations.
+
+Remove the incorrect OFFSET calculation and set it to a fixed value of 0.
+
+Cc: stable@vger.kernel.org
+Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
+Signed-off-by: Zhang Lixu
+Acked-by: Srinivas Pandruvada
+Link: https://patch.msgid.link/20250331055022.1149736-4-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron
+[ adapted prox_attr array access to single structure member access ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/light/hid-sensor-prox.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -102,8 +102,7 @@ static int prox_read_raw(struct iio_dev
+ ret_type = prox_state->scale_precision;
+ break;
+ case IIO_CHAN_INFO_OFFSET:
+- *val = hid_sensor_convert_exponent(
+- prox_state->prox_attr.unit_expo);
++ *val = 0;
+ ret_type = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SAMP_FREQ:
diff --git a/queue-6.6/iio-hid-sensor-prox-restore-lost-scale-assignments.patch b/queue-6.6/iio-hid-sensor-prox-restore-lost-scale-assignments.patch
new file mode 100644
index 0000000000..c6b06908ac
--- /dev/null
+++ b/queue-6.6/iio-hid-sensor-prox-restore-lost-scale-assignments.patch
@@ -0,0 +1,50 @@
+From stable+bounces-164630-greg=kroah.com@vger.kernel.org Thu Jul 24 17:36:53 2025
+From: Sasha Levin
+Date: Thu, 24 Jul 2025 11:36:37 -0400
+Subject: iio: hid-sensor-prox: Restore lost scale assignments
+To: stable@vger.kernel.org
+Cc: Zhang Lixu , Srinivas Pandruvada , Jonathan Cameron , Sasha Levin
+Message-ID: <20250724153637.1367298-1-sashal@kernel.org>
+
+From: Zhang Lixu
+
+[ Upstream commit 83ded7cfaccccd2f4041769c313b58b4c9e265ad ]
+
+The variables `scale_pre_decml`, `scale_post_decml`, and `scale_precision`
+were assigned in commit d68c592e02f6 ("iio: hid-sensor-prox: Fix scale not
+correct issue"), but due to a merge conflict in
+commit 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of
+https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next"),
+these assignments were lost.
+
+Add back lost assignments and replace `st->prox_attr` with
+`st->prox_attr[0]` because commit 596ef5cf654b ("iio: hid-sensor-prox: Add
+support for more channels") changed `prox_attr` to an array.
+
+Cc: stable@vger.kernel.org # 5.13+
+Fixes: 9c15db92a8e5 ("Merge tag 'iio-for-5.13a' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-next")
+Signed-off-by: Zhang Lixu
+Acked-by: Srinivas Pandruvada
+Link: https://patch.msgid.link/20250331055022.1149736-2-lixu.zhang@intel.com
+Signed-off-by: Jonathan Cameron
+[ changed st->prox_attr[0] array access to st->prox_attr single struct member ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/light/hid-sensor-prox.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -226,6 +226,11 @@ static int prox_parse_report(struct plat
+ dev_dbg(&pdev->dev, "prox %x:%x\n", st->prox_attr.index,
+ st->prox_attr.report_id);
+
++ st->scale_precision = hid_sensor_format_scale(hsdev->usage,
++ &st->prox_attr,
++ &st->scale_pre_decml,
++ &st->scale_post_decml);
++
+ return ret;
+ }
+
diff --git a/queue-6.6/ksmbd-fix-use-after-free-in-__smb2_lease_break_noti.patch b/queue-6.6/ksmbd-fix-use-after-free-in-__smb2_lease_break_noti.patch
new file mode 100644
index 0000000000..618bfa4068
--- /dev/null
+++ b/queue-6.6/ksmbd-fix-use-after-free-in-__smb2_lease_break_noti.patch
@@ -0,0 +1,86 @@
+From stable+bounces-164833-greg=kroah.com@vger.kernel.org Sat Jul 26 17:52:29 2025
+From: Sasha Levin
+Date: Sat, 26 Jul 2025 11:52:17 -0400
+Subject: ksmbd: fix use-after-free in __smb2_lease_break_noti()
+To: stable@vger.kernel.org
+Cc: Namjae Jeon , Norbert Szetei , Steve French , Sasha Levin
+Message-ID: <20250726155217.2083648-1-sashal@kernel.org>
+
+From: Namjae Jeon
+
+[ Upstream commit 21a4e47578d44c6b37c4fc4aba8ed7cc8dbb13de ]
+
+Move tcp_transport free to ksmbd_conn_free. If ksmbd connection is
+referenced when ksmbd server thread terminates, It will not be freed,
+but conn->tcp_transport is freed. __smb2_lease_break_noti can be performed
+asynchronously when the connection is disconnected. __smb2_lease_break_noti
+calls ksmbd_conn_write, which can cause use-after-free
+when conn->ksmbd_transport is already freed.
+
+Cc: stable@vger.kernel.org
+Reported-by: Norbert Szetei
+Tested-by: Norbert Szetei
+Signed-off-by: Namjae Jeon
+Signed-off-by: Steve French
+[ Removed declaration of non-existent function ksmbd_find_netdev_name_iface_list() from transport_tcp.h. ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/smb/server/connection.c | 4 +++-
+ fs/smb/server/transport_tcp.c | 14 +++++++++-----
+ fs/smb/server/transport_tcp.h | 1 +
+ 3 files changed, 13 insertions(+), 6 deletions(-)
+
+--- a/fs/smb/server/connection.c
++++ b/fs/smb/server/connection.c
+@@ -39,8 +39,10 @@ void ksmbd_conn_free(struct ksmbd_conn *
+ xa_destroy(&conn->sessions);
+ kvfree(conn->request_buf);
+ kfree(conn->preauth_info);
+- if (atomic_dec_and_test(&conn->refcnt))
++ if (atomic_dec_and_test(&conn->refcnt)) {
++ ksmbd_free_transport(conn->transport);
+ kfree(conn);
++ }
+ }
+
+ /**
+--- a/fs/smb/server/transport_tcp.c
++++ b/fs/smb/server/transport_tcp.c
+@@ -93,17 +93,21 @@ static struct tcp_transport *alloc_trans
+ return t;
+ }
+
+-static void free_transport(struct tcp_transport *t)
++void ksmbd_free_transport(struct ksmbd_transport *kt)
+ {
+- kernel_sock_shutdown(t->sock, SHUT_RDWR);
+- sock_release(t->sock);
+- t->sock = NULL;
++ struct tcp_transport *t = TCP_TRANS(kt);
+
+- ksmbd_conn_free(KSMBD_TRANS(t)->conn);
++ sock_release(t->sock);
+ kfree(t->iov);
+ kfree(t);
+ }
+
++static void free_transport(struct tcp_transport *t)
++{
++ kernel_sock_shutdown(t->sock, SHUT_RDWR);
++ ksmbd_conn_free(KSMBD_TRANS(t)->conn);
++}
++
+ /**
+ * kvec_array_init() - initialize a IO vector segment
+ * @new: IO vector to be initialized
+--- a/fs/smb/server/transport_tcp.h
++++ b/fs/smb/server/transport_tcp.h
+@@ -7,6 +7,7 @@
+ #define __KSMBD_TRANSPORT_TCP_H__
+
+ int ksmbd_tcp_set_interfaces(char *ifc_list, int ifc_list_sz);
++void ksmbd_free_transport(struct ksmbd_transport *kt);
+ int ksmbd_tcp_init(void);
+ void ksmbd_tcp_destroy(void);
+
diff --git a/queue-6.6/mtd-rawnand-qcom-fix-last-codeword-read-in-qcom_param_page_type_exec.patch b/queue-6.6/mtd-rawnand-qcom-fix-last-codeword-read-in-qcom_param_page_type_exec.patch
new file mode 100644
index 0000000000..22607e5eae
--- /dev/null
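Review bot: `ksmbd_conn_free()` in connection.c now calls `ksmbd_free_transport()`, which is declared in transport_tcp.h and unconditionally casts its argument with `TCP_TRANS(kt)` before `sock_release()` and the two `kfree()` calls. Nothing in the visible lines limits `conn->transport` to a TCP transport; if a connection can be backed by another transport type (ksmbd also has an SMB Direct/RDMA transport, not shown here), the cast would reinterpret a different structure and release or free the wrong memory. The final free would be safer dispatched through a per-transport callback in the transport's ops table than through a direct call to the TCP helper. Separately, the context lines show `kvfree(conn->request_buf)` and `kfree(conn->preauth_info)` running before the refcount test without clearing the pointers, so a remaining reference holder is left with dangling fields; it is worth confirming that no asynchronous path reads them. `ksmbd_conn_free()` begins outside the hunk.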
+++ b/queue-6.6/mtd-rawnand-qcom-fix-last-codeword-read-in-qcom_param_page_type_exec.patch 
@@ -0,0 +1,71 @@
+From stable+bounces-164530-greg=kroah.com@vger.kernel.org Thu Jul 24 04:31:17 2025
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 22:31:05 -0400
+Subject: mtd: rawnand: qcom: Fix last codeword read in qcom_param_page_type_exec()
+To: stable@vger.kernel.org
+Cc: Md Sadre Alam , Manivannan Sadhasivam , Lakshmi Sowjanya D , Miquel Raynal , Sasha Levin
+Message-ID: <20250724023105.1267926-1-sashal@kernel.org>
+
+From: Md Sadre Alam
+
+[ Upstream commit 47bddabbf69da50999ec68be92b58356c687e1d6 ]
+
+For QPIC V2 onwards there is a separate register to read
+last code word "QPIC_NAND_READ_LOCATION_LAST_CW_n".
+
+qcom_param_page_type_exec() is used to read only one code word
+If it configures the number of code words to 1 in QPIC_NAND_DEV0_CFG0
+register then QPIC controller thinks its reading the last code word,
+since we are having separate register to read the last code word,
+we have to configure "QPIC_NAND_READ_LOCATION_LAST_CW_n" register
+to fetch data from QPIC buffer to system memory.
+
+Without this change page read was failing with timeout error
+
+/ # hexdump -C /dev/mtd1
+[ 129.206113] qcom-nandc 1cc8000.nand-controller: failure to read page/oob
+hexdump: /dev/mtd1: Connection timed out
+
+This issue only seen on SDX targets since SDX target used QPICv2. But
+same working on IPQ targets since IPQ used QPICv1.
+
+Cc: stable@vger.kernel.org
+Fixes: 89550beb098e ("mtd: rawnand: qcom: Implement exec_op()")
+Reviewed-by: Manivannan Sadhasivam
+Tested-by: Lakshmi Sowjanya D
+Signed-off-by: Md Sadre Alam
+Signed-off-by: Miquel Raynal
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mtd/nand/raw/qcom_nandc.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+--- a/drivers/mtd/nand/raw/qcom_nandc.c
++++ b/drivers/mtd/nand/raw/qcom_nandc.c
+@@ -2858,7 +2858,12 @@ static int qcom_param_page_type_exec(str
+ const struct nand_op_instr *instr = NULL;
+ unsigned int op_id = 0;
+ unsigned int len = 0;
+- int ret;
++ int ret, reg_base;
++
++ reg_base = NAND_READ_LOCATION_0;
++
++ if (nandc->props->qpic_v2)
++ reg_base = NAND_READ_LOCATION_LAST_CW_0;
+
+ ret = qcom_parse_instructions(chip, subop, &q_op);
+ if (ret)
+@@ -2910,7 +2915,10 @@ static int qcom_param_page_type_exec(str
+ op_id = q_op.data_instr_idx;
+ len = nand_subop_get_data_len(subop, op_id);
+
+- nandc_set_read_loc(chip, 0, 0, 0, len, 1);
++ if (nandc->props->qpic_v2)
++ nandc_set_read_loc_last(chip, reg_base, 0, len, 1);
++ else
++ nandc_set_read_loc_first(chip, reg_base, 0, len, 1);
+
+ if (!nandc->props->qpic_v2) {
+ write_reg_dma(nandc, NAND_DEV_CMD_VLD, 1, 0);
diff --git a/queue-6.6/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch b/queue-6.6/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch
new file mode 100644
index 0000000000..32879886e3
--- /dev/null
+++ b/queue-6.6/perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch
@@ -0,0 +1,69 @@
+From stable+bounces-164557-greg=kroah.com@vger.kernel.org Thu Jul 24 06:06:29 2025
+From: Sasha Levin
+Date: Thu, 24 Jul 2025 00:06:12 -0400
+Subject: perf/x86/intel: Fix crash in icl_update_topdown_event()
+To: stable@vger.kernel.org
+Cc: Kan Liang , Vince Weaver , Peter Zijlstra , Ingo Molnar , Sasha Levin
+Message-ID: <20250724040612.1296188-1-sashal@kernel.org>
+
+From: Kan Liang
+
+[ Upstream commit b0823d5fbacb1c551d793cbfe7af24e0d1fa45ed ]
+
+The perf_fuzzer found a hard-lockup crash on a RaptorLake machine:
+
+ Oops: general protection fault, maybe for address 0xffff89aeceab400: 0000
+ CPU: 23 UID: 0 PID: 0 Comm: swapper/23
+ Tainted: [W]=WARN
+ Hardware name: Dell Inc. Precision 9660/0VJ762
+ RIP: 0010:native_read_pmc+0x7/0x40
+ Code: cc e8 8d a9 01 00 48 89 03 5b cd cc cc cc cc 0f 1f ...
+ RSP: 000:fffb03100273de8 EFLAGS: 00010046
+ ....
+ Call Trace:
+
+ icl_update_topdown_event+0x165/0x190
+ ? ktime_get+0x38/0xd0
+ intel_pmu_read_event+0xf9/0x210
+ __perf_event_read+0xf9/0x210
+
+CPUs 16-23 are E-core CPUs that don't support the perf metrics feature.
+The icl_update_topdown_event() should not be invoked on these CPUs.
+
+It's a regression of commit:
+
+ f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
+
+The bug introduced by that commit is that the is_topdown_event() function
+is mistakenly used to replace the is_topdown_count() call to check if the
+topdown functions for the perf metrics feature should be invoked.
+
+Fix it.
+
+Fixes: f9bdf1f95339 ("perf/x86/intel: Avoid disable PMU if !cpuc->enabled in sample read")
+Closes: https://lore.kernel.org/lkml/352f0709-f026-cd45-e60c-60dfd97f73f3@maine.edu/
+Reported-by: Vince Weaver
+Signed-off-by: Kan Liang
+Signed-off-by: Peter Zijlstra (Intel)
+Signed-off-by: Ingo Molnar
+Tested-by: Vince Weaver
+Cc: stable@vger.kernel.org # v6.15+
+Link: https://lore.kernel.org/r/20250612143818.2889040-1-kan.liang@linux.intel.com
+[ omitted PEBS check ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/events/intel/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/events/intel/core.c
++++ b/arch/x86/events/intel/core.c
+@@ -2734,7 +2734,7 @@ static void intel_pmu_read_event(struct
+ if (pmu_enabled)
+ intel_pmu_disable_all();
+
+- if (is_topdown_event(event))
++ if (is_topdown_count(event))
+ static_call(intel_pmu_update_topdown_event)(event);
+ else
+ intel_pmu_drain_pebs_buffer();
diff --git a/queue-6.6/series b/queue-6.6/series
index db0ccbac3c..1c9cc37435 100644
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -57,3 +57,11 @@ alsa-hda-add-missing-nvidia-hda-codec-ids.patch
 drm-i915-dp-fix-2.7-gbps-dp_link_bw-value-on-g4x.patch
 mm-khugepaged-fix-call-hpage_collapse_scan_file-for-anonymous-vma.patch
 erofs-address-d-cache-aliasing.patch
+crypto-powerpc-poly1305-add-depends-on-broken-for-now.patch
+crypto-qat-add-shutdown-handler-to-qat_dh895xcc.patch
+iio-hid-sensor-prox-fix-incorrect-offset-calculation.patch
+iio-hid-sensor-prox-restore-lost-scale-assignments.patch
+ksmbd-fix-use-after-free-in-__smb2_lease_break_noti.patch
+mtd-rawnand-qcom-fix-last-codeword-read-in-qcom_param_page_type_exec.patch
+perf-x86-intel-fix-crash-in-icl_update_topdown_event.patch
+wifi-mt76-mt7921-prevent-decap-offload-config-before-sta-initialization.patch
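Review bot: The corrected test `is_topdown_count(event)` in `intel_pmu_read_event()` carries no comment, although per the description it was the near-identical `is_topdown_event()` at this spot that sent CPUs without perf metrics into `icl_update_topdown_event()` and faulted in `native_read_pmc`. A line above the test such as `/* perf-metrics topdown counts only; is_topdown_event() must not be used here, see the E-core GP fault */` would keep the two helpers from being swapped again. The backport note says the upstream PEBS check was omitted, so every other event still falls through to `intel_pmu_drain_pebs_buffer()`; that this is harmless for non-PEBS events on this branch is assumed rather than shown in the hunk. The function body starts and ends outside the hunk.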
diff --git a/queue-6.6/wifi-mt76-mt7921-prevent-decap-offload-config-before-sta-initialization.patch b/queue-6.6/wifi-mt76-mt7921-prevent-decap-offload-config-before-sta-initialization.patch
new file mode 100644
index 0000000000..5013a7e9a1
--- /dev/null
+++ b/queue-6.6/wifi-mt76-mt7921-prevent-decap-offload-config-before-sta-initialization.patch
@@ -0,0 +1,44 @@
+From stable+bounces-164500-greg=kroah.com@vger.kernel.org Wed Jul 23 20:28:03 2025
+From: Sasha Levin
+Date: Wed, 23 Jul 2025 14:27:51 -0400
+Subject: wifi: mt76: mt7921: prevent decap offload config before STA initialization
+To: stable@vger.kernel.org
+Cc: Deren Wu , Felix Fietkau , Sasha Levin
+Message-ID: <20250723182751.1096863-1-sashal@kernel.org>
+
+From: Deren Wu
+
+[ Upstream commit 7035a082348acf1d43ffb9ff735899f8e3863f8f ]
+
+The decap offload configuration should only be applied after the STA has
+been successfully initialized. Attempting to configure it earlier can lead
+to corruption of the MAC configuration in the chip's hardware state.
+
+Add an early check for `msta->deflink.wcid.sta` to ensure the station peer
+is properly initialized before proceeding with decapsulation offload
+configuration.
+
+Cc: stable@vger.kernel.org
+Fixes: 24299fc869f7 ("mt76: mt7921: enable rx header traslation offload")
+Signed-off-by: Deren Wu
+Link: https://patch.msgid.link/f23a72ba7a3c1ad38ba9e13bb54ef21d6ef44ffb.1748149855.git.deren.wu@mediatek.com
+Signed-off-by: Felix Fietkau
+[ Changed msta->deflink.wcid.sta to msta->wcid.sta ]
+Signed-off-by: Sasha Levin
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1087,6 +1087,9 @@ static void mt7921_sta_set_decap_offload
+ struct mt792x_sta *msta = (struct mt792x_sta *)sta->drv_priv;
+ struct mt792x_dev *dev = mt792x_hw_dev(hw);
+
++ if (!msta->wcid.sta)
++ return;
++
+ mt792x_mutex_acquire(dev);
+
+ if (enabled)
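Review bot: The new `if (!msta->wcid.sta) return;` reads `wcid.sta` before `mt792x_mutex_acquire(dev)`, so the check and the offload configuration that follows are not covered by the same lock. If the station-add path sets that field under the device mutex (not visible in this hunk), a concurrent call could act on a stale value; either take the mutex first and test inside it, or add a comment stating why the unlocked read is safe, for example `/* wcid.sta is set before mac80211 can invoke this callback */` if that holds. The early return is also silent, which makes a skipped offload request hard to diagnose afterwards. The function continues past the end of the hunk.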