From: Sasha Levin Date: Fri, 1 Nov 2024 19:19:37 +0000 (-0400) Subject: Fixes for 5.4 X-Git-Tag: v4.19.323~119 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9ddf4dfe2b6d4b36e09de61cbd802af011ca9526;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.4 Signed-off-by: Sasha Levin --- diff --git a/queue-5.4/asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch b/queue-5.4/asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch new file mode 100644 index 00000000000..0ad4243edd6 --- /dev/null +++ b/queue-5.4/asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch 
@@ -0,0 +1,56 @@
+From 1e40caf9b2220c65feb59aa9f71ae55bca9d1048 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Oct 2024 22:46:34 +0200
+Subject: ASoC: cs42l51: Fix some error handling paths in cs42l51_probe()
+
+From: Christophe JAILLET
+
+[ Upstream commit d221b844ee79823ffc29b7badc4010bdb0960224 ]
+
+If devm_gpiod_get_optional() fails, we need to disable previously enabled
+regulators, as done in the other error handling path of the function.
+
+Also, gpiod_set_value_cansleep(, 1) needs to be called to undo a
+potential gpiod_set_value_cansleep(, 0).
+If the "reset" gpio is not defined, this additional call is just a no-op.
+
+This behavior is the same as the one already in the .remove() function.
+
+Fixes: 11b9cd748e31 ("ASoC: cs42l51: add reset management")
+Signed-off-by: Christophe JAILLET
+Reviewed-by: Charles Keepax
+Link: https://patch.msgid.link/a5e5f4b9fb03f46abd2c93ed94b5c395972ce0d1.1729975570.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l51.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l51.c b/sound/soc/codecs/cs42l51.c
+index 07371e32167c8..7fa0a849e65f4 100644
+--- a/sound/soc/codecs/cs42l51.c
++++ b/sound/soc/codecs/cs42l51.c
+@@ -740,8 +740,10 @@ int cs42l51_probe(struct device *dev, struct regmap *regmap)
+
+ cs42l51->reset_gpio = devm_gpiod_get_optional(dev, "reset",
+ GPIOD_OUT_LOW);
+- if (IS_ERR(cs42l51->reset_gpio))
+- return PTR_ERR(cs42l51->reset_gpio);
++ if (IS_ERR(cs42l51->reset_gpio)) {
++ ret = PTR_ERR(cs42l51->reset_gpio);
++ goto error;
++ }
+
+ if (cs42l51->reset_gpio) {
+ dev_dbg(dev, "Release reset gpio\n");
+@@ -773,6 +775,7 @@ int cs42l51_probe(struct device *dev, struct regmap *regmap)
+ return 0;
+
+ error:
++ gpiod_set_value_cansleep(cs42l51->reset_gpio, 1);
+ regulator_bulk_disable(ARRAY_SIZE(cs42l51->supplies),
+ cs42l51->supplies);
+ return ret;
+--
+2.43.0
+
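Review bot: On the new `devm_gpiod_get_optional()` failure path in cs42l51_probe(), `cs42l51->reset_gpio` still holds the error pointer when `goto error` reaches the added `gpiod_set_value_cansleep(cs42l51->reset_gpio, 1);`. As far as I know gpiolib validates the descriptor and only logs an invalid-GPIO warning for an error pointer instead of dereferencing it, but that leaves a spurious warning on a path that is already failing and makes the cleanup depend on that validation. Adding `cs42l51->reset_gpio = NULL;` right after `ret = PTR_ERR(cs42l51->reset_gpio);` would turn the cleanup call into the no-op the commit message describes. cs42l51_probe() starts and ends outside the hunk, so the other `goto error` sites cannot be checked here.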
diff --git a/queue-5.4/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch b/queue-5.4/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch
new file mode 100644
index 00000000000..50b75c3ae0e
--- /dev/null
+++ b/queue-5.4/bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch
@@ -0,0 +1,47 @@
+From 65f7ced88c219aebad2eb1799dce6316f6d0dba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 26 Oct 2024 14:02:43 +0900
+Subject: bpf: Fix out-of-bounds write in trie_get_next_key()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Byeonguk Jeong
+
+[ Upstream commit 13400ac8fb80c57c2bfb12ebd35ee121ce9b4d21 ]
+
+trie_get_next_key() allocates a node stack with size trie->max_prefixlen,
+while it writes (trie->max_prefixlen + 1) nodes to the stack when it has
+full paths from the root to leaves. For example, consider a trie with
+max_prefixlen is 8, and the nodes with key 0x00/0, 0x00/1, 0x00/2, ...
+0x00/8 inserted. Subsequent calls to trie_get_next_key with _key with
+.prefixlen = 8 make 9 nodes be written on the node stack with size 8.
+
+Fixes: b471f2f1de8b ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE map")
+Signed-off-by: Byeonguk Jeong
+Reviewed-by: Toke Høiland-Jørgensen
+Tested-by: Hou Tao
+Acked-by: Hou Tao
+Link: https://lore.kernel.org/r/Zxx384ZfdlFYnz6J@localhost.localdomain
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Sasha Levin
+---
+ kernel/bpf/lpm_trie.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
+index d78c1afe12737..c372be6df264e 100644
+--- a/kernel/bpf/lpm_trie.c
++++ b/kernel/bpf/lpm_trie.c
+@@ -660,7 +660,7 @@ static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key)
+ if (!key || key->prefixlen > trie->max_prefixlen)
+ goto find_leftmost;
+
+- node_stack = kmalloc_array(trie->max_prefixlen,
++ node_stack = kmalloc_array(trie->max_prefixlen + 1,
+ sizeof(struct lpm_trie_node *),
+ GFP_ATOMIC | __GFP_NOWARN);
+ if (!node_stack)
+--
+2.43.0
+
diff --git a/queue-5.4/dt-bindings-gpu-convert-samsung-image-rotator-to-dt-.patch b/queue-5.4/dt-bindings-gpu-convert-samsung-image-rotator-to-dt-.patch
new file mode 100644
index 00000000000..b30c03561e9
--- /dev/null
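Review bot: The `+ 1` in `kmalloc_array(trie->max_prefixlen + 1, ...)` in trie_get_next_key() is the whole fix for an out-of-bounds heap write, yet nothing at the allocation says why the stack needs one slot more than max_prefixlen. A comment above the call, for example `/* a root-to-leaf path can hold max_prefixlen + 1 nodes (prefix lengths 0..max_prefixlen) */`, would keep a later cleanup from reverting it. The pushes onto node_stack are outside the hunk, so the bound is taken from the commit message rather than checked against the loop. The sum also assumes max_prefixlen is capped well below the integer limit at map creation, which is not visible here.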
+++ b/queue-5.4/dt-bindings-gpu-convert-samsung-image-rotator-to-dt-.patch 
@@ -0,0 +1,114 @@ +From 25cb1f1f53fe137aefdc5e54bb1392098c4200ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Sep 2019 12:37:27 +0200 +Subject: dt-bindings: gpu: Convert Samsung Image Rotator to dt-schema + +From: Maciej Falkowski + +[ Upstream commit 6e3ffcd592060403ee2d956c9b1704775898db79 ] + +Convert Samsung Image Rotator to newer dt-schema format. + +Signed-off-by: Maciej Falkowski +Signed-off-by: Marek Szyprowski +Signed-off-by: Rob Herring +Stable-dep-of: 338c4d3902fe ("igb: Disable threaded IRQ for igb_msix_other") +Signed-off-by: Sasha Levin +--- + .../bindings/gpu/samsung-rotator.txt | 28 ----------- + .../bindings/gpu/samsung-rotator.yaml | 48 +++++++++++++++++++ + 2 files changed, 48 insertions(+), 28 deletions(-) + delete mode 100644 Documentation/devicetree/bindings/gpu/samsung-rotator.txt + create mode 100644 Documentation/devicetree/bindings/gpu/samsung-rotator.yaml + +diff --git a/Documentation/devicetree/bindings/gpu/samsung-rotator.txt b/Documentation/devicetree/bindings/gpu/samsung-rotator.txt +deleted file mode 100644 +index 3aca2578da0bd..0000000000000 +--- a/Documentation/devicetree/bindings/gpu/samsung-rotator.txt ++++ /dev/null +@@ -1,28 +0,0 @@ +-* Samsung Image Rotator +- +-Required properties: +- - compatible : value should be one of the following: +- * "samsung,s5pv210-rotator" for Rotator IP in S5PV210 +- * "samsung,exynos4210-rotator" for Rotator IP in Exynos4210 +- * "samsung,exynos4212-rotator" for Rotator IP in Exynos4212/4412 +- * "samsung,exynos5250-rotator" for Rotator IP in Exynos5250 +- +- - reg : Physical base address of the IP registers and length of memory +- mapped region. +- +- - interrupts : Interrupt specifier for rotator interrupt, according to format +- specific to interrupt parent. +- +- - clocks : Clock specifier for rotator clock, according to generic clock +- bindings. (See Documentation/devicetree/bindings/clock/exynos*.txt) +- +- - clock-names : Names of clocks. 
For exynos rotator, it should be "rotator". +- +-Example: +- rotator@12810000 { +- compatible = "samsung,exynos4210-rotator"; +- reg = <0x12810000 0x1000>; +- interrupts = <0 83 0>; +- clocks = <&clock 278>; +- clock-names = "rotator"; +- }; +diff --git a/Documentation/devicetree/bindings/gpu/samsung-rotator.yaml b/Documentation/devicetree/bindings/gpu/samsung-rotator.yaml +new file mode 100644 +index 0000000000000..45ce562435fa7 +--- /dev/null ++++ b/Documentation/devicetree/bindings/gpu/samsung-rotator.yaml +@@ -0,0 +1,48 @@ ++# SPDX-License-Identifier: GPL-2.0 ++%YAML 1.2 ++--- ++$id: http://devicetree.org/schemas/gpu/samsung-rotator.yaml# ++$schema: http://devicetree.org/meta-schemas/core.yaml# ++ ++title: Samsung SoC Image Rotator ++ ++maintainers: ++ - Inki Dae ++ ++properties: ++ compatible: ++ enum: ++ - "samsung,s5pv210-rotator" ++ - "samsung,exynos4210-rotator" ++ - "samsung,exynos4212-rotator" ++ - "samsung,exynos5250-rotator" ++ reg: ++ maxItems: 1 ++ ++ interrupts: ++ maxItems: 1 ++ ++ clocks: ++ maxItems: 1 ++ ++ clock-names: ++ items: ++ - const: rotator ++ ++required: ++ - compatible ++ - reg ++ - interrupts ++ - clocks ++ - clock-names ++ ++examples: ++ - | ++ rotator@12810000 { ++ compatible = "samsung,exynos4210-rotator"; ++ reg = <0x12810000 0x1000>; ++ interrupts = <0 83 0>; ++ clocks = <&clock 278>; ++ clock-names = "rotator"; ++ }; ++ +-- +2.43.0 + diff --git a/queue-5.4/gtp-allow-1-to-be-specified-as-file-description-from.patch b/queue-5.4/gtp-allow-1-to-be-specified-as-file-description-from.patch new file mode 100644 index 00000000000..207a3a97006 --- /dev/null +++ b/queue-5.4/gtp-allow-1-to-be-specified-as-file-description-from.patch 
@@ -0,0 +1,68 @@ +From d4a08e3d599fb56118de27499d2c6a4e0815e920 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Oct 2024 16:48:25 +0200 +Subject: gtp: allow -1 to be specified as file description from userspace + +From: Pablo Neira Ayuso + +[ Upstream commit 7515e37bce5c428a56a9b04ea7e96b3f53f17150 ] + +Existing user space applications maintained by the Osmocom project are +breaking since a recent fix that addresses incorrect error checking. + +Restore operation for user space programs that specify -1 as file +descriptor to skip GTPv0 or GTPv1 only sockets. + +Fixes: defd8b3c37b0 ("gtp: fix a potential NULL pointer dereference") +Reported-by: Pau Espin Pedrol +Signed-off-by: Pablo Neira Ayuso +Tested-by: Oliver Smith +Reviewed-by: Simon Horman +Link: https://patch.msgid.link/20241022144825.66740-1-pablo@netfilter.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index 9c62bc277ae86..f85f4e3d28215 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -848,20 +848,24 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) + unsigned int role = GTP_ROLE_GGSN; + + if (data[IFLA_GTP_FD0]) { +- u32 fd0 = nla_get_u32(data[IFLA_GTP_FD0]); ++ int fd0 = nla_get_u32(data[IFLA_GTP_FD0]); + +- sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp); +- if (IS_ERR(sk0)) +- return PTR_ERR(sk0); ++ if (fd0 >= 0) { ++ sk0 = gtp_encap_enable_socket(fd0, UDP_ENCAP_GTP0, gtp); ++ if (IS_ERR(sk0)) ++ return PTR_ERR(sk0); ++ } + } + + if (data[IFLA_GTP_FD1]) { +- u32 fd1 = nla_get_u32(data[IFLA_GTP_FD1]); ++ int fd1 = nla_get_u32(data[IFLA_GTP_FD1]); + +- sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp); +- if (IS_ERR(sk1u)) { +- gtp_encap_disable_sock(sk0); +- return PTR_ERR(sk1u); ++ if (fd1 >= 0) { ++ sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp); ++ if 
(IS_ERR(sk1u)) { ++ gtp_encap_disable_sock(sk0); ++ return PTR_ERR(sk1u); ++ } + } + } + +-- +2.43.0 + diff --git a/queue-5.4/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch b/queue-5.4/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch new file mode 100644 index 00000000000..2a1e2ab21bb --- /dev/null +++ b/queue-5.4/gtp-simplify-error-handling-code-in-gtp_encap_enable.patch @@ -0,0 +1,53 @@ +From 5375275dba809e124a311703b265d4398732990d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 5 Jan 2020 18:36:07 +0100 +Subject: gtp: simplify error handling code in 'gtp_encap_enable()' + +From: Christophe JAILLET + +[ Upstream commit b289ba5e07105548b8219695e5443d807a825eb8 ] + +'gtp_encap_disable_sock(sk)' handles the case where sk is NULL, so there +is no need to test it before calling the function. + +This saves a few line of code. + +Signed-off-by: Christophe JAILLET +Reviewed-by: Simon Horman +Signed-off-by: David S. Miller +Stable-dep-of: 7515e37bce5c ("gtp: allow -1 to be specified as file description from userspace") +Signed-off-by: Sasha Levin +--- + drivers/net/gtp.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c +index c868f4ffa240f..9c62bc277ae86 100644 +--- a/drivers/net/gtp.c ++++ b/drivers/net/gtp.c +@@ -860,8 +860,7 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) + + sk1u = gtp_encap_enable_socket(fd1, UDP_ENCAP_GTP1U, gtp); + if (IS_ERR(sk1u)) { +- if (sk0) +- gtp_encap_disable_sock(sk0); ++ gtp_encap_disable_sock(sk0); + return PTR_ERR(sk1u); + } + } +@@ -869,10 +868,8 @@ static int gtp_encap_enable(struct gtp_dev *gtp, struct nlattr *data[]) + if (data[IFLA_GTP_ROLE]) { + role = nla_get_u32(data[IFLA_GTP_ROLE]); + if (role > GTP_ROLE_SGSN) { +- if (sk0) +- gtp_encap_disable_sock(sk0); +- if (sk1u) +- gtp_encap_disable_sock(sk1u); ++ gtp_encap_disable_sock(sk0); ++ gtp_encap_disable_sock(sk1u); + return -EINVAL; + } + } +-- +2.43.0 + 
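Review bot: In gtp_encap_enable(), in the patch that allows -1 as a file descriptor, `int fd0 = nla_get_u32(data[IFLA_GTP_FD0]);` and the matching fd1 line rely on an implicit u32-to-int conversion, so every attribute value with the top bit set now means "skip this socket", not only -1. A short comment on both blocks, such as `/* negative fd: userspace asks to skip this socket */`, would make that contract explicit for anyone auditing the netlink input handling. With both attributes negative the function goes on with neither sk0 nor sk1u enabled. The rest of the function and its caller are outside the hunk, so it is worth confirming that a device left without any socket is rejected or handled safely on the later PDP and transmit paths.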
diff --git a/queue-5.4/igb-disable-threaded-irq-for-igb_msix_other.patch b/queue-5.4/igb-disable-threaded-irq-for-igb_msix_other.patch new file mode 100644 index 00000000000..b21633002f0 --- /dev/null +++ b/queue-5.4/igb-disable-threaded-irq-for-igb_msix_other.patch 
@@ -0,0 +1,79 @@ +From d1dffef8369f0cb64bd73346249409b206f6f762 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Oct 2024 16:26:24 -0700 +Subject: igb: Disable threaded IRQ for igb_msix_other + +From: Wander Lairson Costa + +[ Upstream commit 338c4d3902feb5be49bfda530a72c7ab860e2c9f ] + +During testing of SR-IOV, Red Hat QE encountered an issue where the +ip link up command intermittently fails for the igbvf interfaces when +using the PREEMPT_RT variant. Investigation revealed that +e1000_write_posted_mbx returns an error due to the lack of an ACK +from e1000_poll_for_ack. + +The underlying issue arises from the fact that IRQs are threaded by +default under PREEMPT_RT. While the exact hardware details are not +available, it appears that the IRQ handled by igb_msix_other must +be processed before e1000_poll_for_ack times out. However, +e1000_write_posted_mbx is called with preemption disabled, leading +to a scenario where the IRQ is serviced only after the failure of +e1000_write_posted_mbx. + +To resolve this, we set IRQF_NO_THREAD for the affected interrupt, +ensuring that the kernel handles it immediately, thereby preventing +the aforementioned error. + +Reproducer: + + #!/bin/bash + + # echo 2 > /sys/class/net/ens14f0/device/sriov_numvfs + ipaddr_vlan=3 + nic_test=ens14f0 + vf=${nic_test}v0 + + while true; do + ip link set ${nic_test} mtu 1500 + ip link set ${vf} mtu 1500 + ip link set $vf up + ip link set ${nic_test} vf 0 vlan ${ipaddr_vlan} + ip addr add 172.30.${ipaddr_vlan}.1/24 dev ${vf} + ip addr add 2021:db8:${ipaddr_vlan}::1/64 dev ${vf} + if ! 
ip link show $vf | grep 'state UP'; then + echo 'Error found' + break + fi + ip link set $vf down + done + +Signed-off-by: Wander Lairson Costa +Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver") +Reported-by: Yuying Ma +Reviewed-by: Przemek Kitszel +Tested-by: Rafal Romanowski +Signed-off-by: Jacob Keller +Reviewed-by: Simon Horman +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 1e9967657248a..ebe216647c495 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -945,7 +945,7 @@ static int igb_request_msix(struct igb_adapter *adapter) + int i, err = 0, vector = 0, free_vector = 0; + + err = request_irq(adapter->msix_entries[vector].vector, +- igb_msix_other, 0, netdev->name, adapter); ++ igb_msix_other, IRQF_NO_THREAD, netdev->name, adapter); + if (err) + goto err_out; + +-- +2.43.0 + diff --git a/queue-5.4/mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch b/queue-5.4/mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch new file mode 100644 index 00000000000..be3096607cb --- /dev/null +++ b/queue-5.4/mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch 
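Review bot: Passing `IRQF_NO_THREAD` to `request_irq()` for igb_msix_other in igb_request_msix() makes that handler run in hard interrupt context even on PREEMPT_RT, where `spinlock_t` is a sleeping lock. The handler body is outside the hunk, so it cannot be checked here; if it, or anything it calls, takes a `spinlock_t` or may otherwise sleep, this change would trade the mailbox timeout for a sleep-in-atomic bug on RT kernels. That audit should be done before the backport is released. A comment at the call, for example `/* must not be threaded: the VF mailbox ACK is polled with preemption disabled */`, would also record why this one vector differs from the others.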
@@ -0,0 +1,197 @@ +From 0e00ce6c398c6199d8af87fa097d7ee59711a64c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Mar 2022 17:23:24 +0530 +Subject: mac80211: Add support to trigger sta disconnect on hardware restart + +From: Youghandhar Chintala + +[ Upstream commit 7d352ccf1e9935b5222ca84e8baeb07a0c8f94b9 ] + +Currently in case of target hardware restart, we just reconfig and +re-enable the security keys and enable the network queues to start +data traffic back from where it was interrupted. + +Many ath10k wifi chipsets have sequence numbers for the data +packets assigned by firmware and the mac sequence number will +restart from zero after target hardware restart leading to mismatch +in the sequence number expected by the remote peer vs the sequence +number of the frame sent by the target firmware. + +This mismatch in sequence number will cause out-of-order packets +on the remote peer and all the frames sent by the device are dropped +until we reach the sequence number which was sent before we restarted +the target hardware + +In order to fix this, we trigger a sta disconnect, in case of target +hw restart. After this there will be a fresh connection and thereby +avoiding the dropping of frames by remote peer. + +The right fix would be to pull the entire data path into the host +which is not feasible or would need lots of complex changes and +will still be inefficient. 
+ +Tested on ath10k using WCN3990, QCA6174 + +Signed-off-by: Youghandhar Chintala +Link: https://lore.kernel.org/r/20220308115325.5246-2-youghand@codeaurora.org +Signed-off-by: Johannes Berg +Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()") +Signed-off-by: Sasha Levin +--- + include/net/mac80211.h | 10 ++++++++++ + net/mac80211/ieee80211_i.h | 3 +++ + net/mac80211/mlme.c | 12 ++++++++++++ + net/mac80211/util.c | 33 ++++++++++++++++++++++++++++++--- + 4 files changed, 55 insertions(+), 3 deletions(-) + +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index cb5cf6bf19867..4d641580e5db4 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -5700,6 +5700,16 @@ void ieee80211_connection_loss(struct ieee80211_vif *vif); + */ + void ieee80211_resume_disconnect(struct ieee80211_vif *vif); + ++/** ++ * ieee80211_hw_restart_disconnect - disconnect from AP after ++ * hardware restart ++ * @vif: &struct ieee80211_vif pointer from the add_interface callback. ++ * ++ * Instructs mac80211 to disconnect from the AP after ++ * hardware restart. ++ */ ++void ieee80211_hw_restart_disconnect(struct ieee80211_vif *vif); ++ + /** + * ieee80211_cqm_rssi_notify - inform a configured connection quality monitoring + * rssi threshold triggered +diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h +index e26368fab65d6..a9d064c75a15b 100644 +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -750,6 +750,8 @@ struct ieee80211_if_mesh { + * back to wireless media and to the local net stack. + * @IEEE80211_SDATA_DISCONNECT_RESUME: Disconnect after resume. 
+ * @IEEE80211_SDATA_IN_DRIVER: indicates interface was added to driver ++ * @IEEE80211_SDATA_DISCONNECT_HW_RESTART: Disconnect after hardware restart ++ * recovery + */ + enum ieee80211_sub_if_data_flags { + IEEE80211_SDATA_ALLMULTI = BIT(0), +@@ -757,6 +759,7 @@ enum ieee80211_sub_if_data_flags { + IEEE80211_SDATA_DONT_BRIDGE_PACKETS = BIT(3), + IEEE80211_SDATA_DISCONNECT_RESUME = BIT(4), + IEEE80211_SDATA_IN_DRIVER = BIT(5), ++ IEEE80211_SDATA_DISCONNECT_HW_RESTART = BIT(6), + }; + + /** +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index b48a09043663a..fe6ada0d79217 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -4584,6 +4584,18 @@ void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata) + sdata_unlock(sdata); + return; + } ++ ++ if (sdata->flags & IEEE80211_SDATA_DISCONNECT_HW_RESTART) { ++ sdata->flags &= ~IEEE80211_SDATA_DISCONNECT_HW_RESTART; ++ mlme_dbg(sdata, "driver requested disconnect after hardware restart\n"); ++ ieee80211_sta_connection_lost(sdata, ++ ifmgd->associated->bssid, ++ WLAN_REASON_UNSPECIFIED, ++ true); ++ sdata_unlock(sdata); ++ return; ++ } ++ + sdata_unlock(sdata); + } + #endif +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 8d3069c93a60a..63b66fd0a1ce6 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2148,6 +2148,7 @@ int ieee80211_reconfig(struct ieee80211_local *local) + struct cfg80211_sched_scan_request *sched_scan_req; + bool sched_scan_stopped = false; + bool suspended = local->suspended; ++ bool in_reconfig = false; + + /* nothing to do if HW shouldn't run */ + if (!local->open_count) +@@ -2499,6 +2500,7 @@ int ieee80211_reconfig(struct ieee80211_local *local) + drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART); + + if (local->in_reconfig) { ++ in_reconfig = local->in_reconfig; + local->in_reconfig = false; + barrier(); + +@@ -2516,6 +2518,15 @@ int ieee80211_reconfig(struct ieee80211_local *local) + IEEE80211_QUEUE_STOP_REASON_SUSPEND, + false); + 
++ if (in_reconfig) { ++ list_for_each_entry(sdata, &local->interfaces, list) { ++ if (!ieee80211_sdata_running(sdata)) ++ continue; ++ if (sdata->vif.type == NL80211_IFTYPE_STATION) ++ ieee80211_sta_restart(sdata); ++ } ++ } ++ + if (!suspended) + return 0; + +@@ -2545,7 +2556,7 @@ int ieee80211_reconfig(struct ieee80211_local *local) + return 0; + } + +-void ieee80211_resume_disconnect(struct ieee80211_vif *vif) ++static void ieee80211_reconfig_disconnect(struct ieee80211_vif *vif, u8 flag) + { + struct ieee80211_sub_if_data *sdata; + struct ieee80211_local *local; +@@ -2557,19 +2568,35 @@ void ieee80211_resume_disconnect(struct ieee80211_vif *vif) + sdata = vif_to_sdata(vif); + local = sdata->local; + +- if (WARN_ON(!local->resuming)) ++ if (WARN_ON(flag & IEEE80211_SDATA_DISCONNECT_RESUME && ++ !local->resuming)) ++ return; ++ ++ if (WARN_ON(flag & IEEE80211_SDATA_DISCONNECT_HW_RESTART && ++ !local->in_reconfig)) + return; + + if (WARN_ON(vif->type != NL80211_IFTYPE_STATION)) + return; + +- sdata->flags |= IEEE80211_SDATA_DISCONNECT_RESUME; ++ sdata->flags |= flag; + + mutex_lock(&local->key_mtx); + list_for_each_entry(key, &sdata->key_list, list) + key->flags |= KEY_FLAG_TAINTED; + mutex_unlock(&local->key_mtx); + } ++ ++void ieee80211_hw_restart_disconnect(struct ieee80211_vif *vif) ++{ ++ ieee80211_reconfig_disconnect(vif, IEEE80211_SDATA_DISCONNECT_HW_RESTART); ++} ++EXPORT_SYMBOL_GPL(ieee80211_hw_restart_disconnect); ++ ++void ieee80211_resume_disconnect(struct ieee80211_vif *vif) ++{ ++ ieee80211_reconfig_disconnect(vif, IEEE80211_SDATA_DISCONNECT_RESUME); ++} + EXPORT_SYMBOL_GPL(ieee80211_resume_disconnect); + + void ieee80211_recalc_smps(struct ieee80211_sub_if_data *sdata) +-- +2.43.0 + diff --git a/queue-5.4/mac80211-do-drv_reconfig_complete-before-restarting-.patch b/queue-5.4/mac80211-do-drv_reconfig_complete-before-restarting-.patch new file mode 100644 index 00000000000..d15b6d9b90d --- /dev/null 
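Review bot: The mlme.c hunk shows `#endif` as the context line right after ieee80211_sta_restart(), so the function appears to sit inside a conditional block (presumably CONFIG_PM; the opening `#if` is outside the hunk), while the new `ieee80211_sta_restart(sdata);` call in ieee80211_reconfig() in util.c is added with no visible guard. If that reading is right, a 5.4 build with that option disabled would fail at link time, so the backport should either move the function out of the conditional block or guard the new loop. Separately, ieee80211_reconfig_disconnect() takes its flag as `u8`, which fits `BIT(6)` today but would silently truncate a flag defined at bit 8 or above; `unsigned int flag` would avoid that.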
+++ b/queue-5.4/mac80211-do-drv_reconfig_complete-before-restarting-.patch 
@@ -0,0 +1,68 @@ +From cec26c98fb4699ef9d456af02cb00829edbca680 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 15:32:40 +0200 +Subject: mac80211: do drv_reconfig_complete() before restarting all + +From: Johannes Berg + +[ Upstream commit 13dee10b30c058ee2c58c5da00339cc0d4201aa6 ] + +When we reconfigure, the driver might do some things to complete +the reconfiguration. It's strange and could be broken in some +cases because we restart other works (e.g. remain-on-channel and +TX) before this happens, yet only start queues later. + +Change this to do the reconfig complete when reconfiguration is +actually complete, not when we've already started doing other +things again. + +For iwlwifi, this should fix a race where the reconfig can race +with TX, for ath10k and ath11k that also use this it won't make +a difference because they just start queues there, and mac80211 +also stopped the queues and will restart them later as before. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211129152938.cab99f22fe19.Iefe494687f15fd85f77c1b989d1149c8efdfdc36@changeid +Signed-off-by: Johannes Berg +Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()") +Signed-off-by: Sasha Levin +--- + net/mac80211/util.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/net/mac80211/util.c b/net/mac80211/util.c +index 6223af1c3457a..8d3069c93a60a 100644 +--- a/net/mac80211/util.c ++++ b/net/mac80211/util.c +@@ -2491,6 +2491,13 @@ int ieee80211_reconfig(struct ieee80211_local *local) + mutex_unlock(&local->sta_mtx); + } + ++ /* ++ * If this is for hw restart things are still running. ++ * We may want to change that later, however. 
++ */ ++ if (local->open_count && (!suspended || reconfig_due_to_wowlan)) ++ drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART); ++ + if (local->in_reconfig) { + local->in_reconfig = false; + barrier(); +@@ -2509,13 +2516,6 @@ int ieee80211_reconfig(struct ieee80211_local *local) + IEEE80211_QUEUE_STOP_REASON_SUSPEND, + false); + +- /* +- * If this is for hw restart things are still running. +- * We may want to change that later, however. +- */ +- if (local->open_count && (!suspended || reconfig_due_to_wowlan)) +- drv_reconfig_complete(local, IEEE80211_RECONFIG_TYPE_RESTART); +- + if (!suspended) + return 0; + +-- +2.43.0 + diff --git a/queue-5.4/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch b/queue-5.4/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch new file mode 100644 index 00000000000..582a3fb7c6a --- /dev/null +++ b/queue-5.4/net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch 
@@ -0,0 +1,59 @@ +From 4709cea136c08aa5f7753d423198b627dabc1d7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2024 12:55:47 -0400 +Subject: net/sched: stop qdisc_tree_reduce_backlog on TC_H_ROOT + +From: Pedro Tammela + +[ Upstream commit 2e95c4384438adeaa772caa560244b1a2efef816 ] + +In qdisc_tree_reduce_backlog, Qdiscs with major handle ffff: are assumed +to be either root or ingress. This assumption is bogus since it's valid +to create egress qdiscs with major handle ffff: +Budimir Markovic found that for qdiscs like DRR that maintain an active +class list, it will cause a UAF with a dangling class pointer. + +In 066a3b5b2346, the concern was to avoid iterating over the ingress +qdisc since its parent is itself. The proper fix is to stop when parent +TC_H_ROOT is reached because the only way to retrieve ingress is when a +hierarchy which does not contain a ffff: major handle call into +qdisc_lookup with TC_H_MAJ(TC_H_ROOT). + +In the scenario where major ffff: is an egress qdisc in any of the tree +levels, the updates will also propagate to TC_H_ROOT, which then the +iteration must stop. 
+ +Fixes: 066a3b5b2346 ("[NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop") +Reported-by: Budimir Markovic +Suggested-by: Jamal Hadi Salim +Tested-by: Victor Nogueira +Signed-off-by: Pedro Tammela +Signed-off-by: Jamal Hadi Salim + + net/sched/sch_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) +Reviewed-by: Simon Horman + +Link: https://patch.msgid.link/20241024165547.418570-1-jhs@mojatatu.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/sched/sch_api.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sched/sch_api.c b/net/sched/sch_api.c +index 069d0d8a89397..b8dc03a7487e3 100644 +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -770,7 +770,7 @@ void qdisc_tree_reduce_backlog(struct Qdisc *sch, int n, int len) + drops = max_t(int, n, 0); + rcu_read_lock(); + while ((parentid = sch->parent)) { +- if (TC_H_MAJ(parentid) == TC_H_MAJ(TC_H_INGRESS)) ++ if (parentid == TC_H_ROOT) + break; + + if (sch->flags & TCQ_F_NOPARENT) +-- +2.43.0 + diff --git a/queue-5.4/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch b/queue-5.4/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch new file mode 100644 index 00000000000..5f13ed6eccf --- /dev/null +++ b/queue-5.4/net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch 
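Review bot: The new `if (parentid == TC_H_ROOT)` test in qdisc_tree_reduce_backlog() closes a use-after-free, but the loop carries no comment on why the old major-handle comparison was wrong. Something like `/* ffff: can be a valid egress major handle; only TC_H_ROOT ends the walk */` above the check would record it for the next person touching this loop. The walk now continues for parents whose major is ffff:, and the lookup and class notification that follow are outside the hunk, so it is worth confirming there that a failed lookup for such a parent still ends the loop cleanly.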
@@ -0,0 +1,73 @@ +From 653231808bc085e3eac9c98a80872eb73e0ec590 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Oct 2024 16:01:54 +0200 +Subject: net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains + extension +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Benoît Monin + +[ Upstream commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c ] + +As documented in skbuff.h, devices with NETIF_F_IPV6_CSUM capability +can only checksum TCP and UDP over IPv6 if the IP header does not +contains extension. + +This is enforced for UDP packets emitted from user-space to an IPv6 +address as they go through ip6_make_skb(), which calls +__ip6_append_data() where a check is done on the header size before +setting CHECKSUM_PARTIAL. + +But the introduction of UDP encapsulation with fou6 added a code-path +where it is possible to get an skb with a partial UDP checksum and an +IPv6 header with extension: +* fou6 adds a UDP header with a partial checksum if the inner packet +does not contains a valid checksum. +* ip6_tunnel adds an IPv6 header with a destination option extension +header if encap_limit is non-zero (the default value is 4). + +The thread linked below describes in more details how to reproduce the +problem with GRE-in-UDP tunnel. + +Add a check on the network header size in skb_csum_hwoffload_help() to +make sure no IPv6 packet with extension header is handed to a network +device with NETIF_F_IPV6_CSUM capability. 
+ +Link: https://lore.kernel.org/netdev/26548921.1r3eYUQgxm@benoit.monin/T/#u +Fixes: aa3463d65e7b ("fou: Add encap ops for IPv6 tunnels") +Signed-off-by: Benoît Monin +Reviewed-by: Willem de Bruijn +Link: https://patch.msgid.link/5fbeecfc311ea182aa1d1c771725ab8b4cac515e.1729778144.git.benoit.monin@gmx.fr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/dev.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/core/dev.c b/net/core/dev.c +index ff62b0027d600..b75c9bebd5c6e 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3267,6 +3267,9 @@ int skb_csum_hwoffload_help(struct sk_buff *skb, + return 0; + + if (features & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM)) { ++ if (vlan_get_protocol(skb) == htons(ETH_P_IPV6) && ++ skb_network_header_len(skb) != sizeof(struct ipv6hdr)) ++ goto sw_checksum; + switch (skb->csum_offset) { + case offsetof(struct tcphdr, check): + case offsetof(struct udphdr, check): +@@ -3274,6 +3277,7 @@ int skb_csum_hwoffload_help(struct sk_buff *skb, + } + } + ++sw_checksum: + return skb_checksum_help(skb); + } + EXPORT_SYMBOL(skb_csum_hwoffload_help); +-- +2.43.0 + diff --git a/queue-5.4/net-support-ip-generic-csum-processing-in-skb_csum_h.patch b/queue-5.4/net-support-ip-generic-csum-processing-in-skb_csum_h.patch new file mode 100644 index 00000000000..8b9da5169ce --- /dev/null +++ b/queue-5.4/net-support-ip-generic-csum-processing-in-skb_csum_h.patch 
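Review bot: The IPv6 test added to skb_csum_hwoffload_help() has no comment tying it to the NETIF_F_IPV6_CSUM restriction it enforces; `/* NETIF_F_IPV6_CSUM cannot checksum packets that carry IPv6 extension headers */` above the `if` would do. The fallback direction is the safe one, since an unsupported packet gets a software checksum instead of a wrong one on the wire. `skb_network_header_len(skb)` describes the header that the network and transport header offsets currently delimit, so for tunnelled packets it is worth confirming this is the header the device would actually parse; that cannot be settled from the hunk. The function starts outside the hunk.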
@@ -0,0 +1,72 @@
+From 738e8d416d2ecc2b41da223a8debda5a4a54a8cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 Jan 2021 17:18:31 +0800
+Subject: net: support ip generic csum processing in skb_csum_hwoffload_help
+
+From: Xin Long
+
+[ Upstream commit 62fafcd63139920eb25b3fbf154177ce3e6f3232 ]
+
+NETIF_F_IP|IPV6_CSUM feature flag indicates UDP and TCP csum offload
+while NETIF_F_HW_CSUM feature flag indicates ip generic csum offload
+for HW, which includes not only for TCP/UDP csum, but also for other
+protocols' csum like GRE's.
+
+However, in skb_csum_hwoffload_help() it only checks features against
+NETIF_F_CSUM_MASK(NETIF_F_HW|IP|IPV6_CSUM). So if it's a non TCP/UDP
+packet and the features doesn't support NETIF_F_HW_CSUM, but supports
+NETIF_F_IP|IPV6_CSUM only, it would still return 0 and leave the HW
+to do csum.
+
+This patch is to support ip generic csum processing by checking
+NETIF_F_HW_CSUM for all protocols, and check (NETIF_F_IP_CSUM |
+NETIF_F_IPV6_CSUM) only for TCP and UDP.
+
+Note that we're using skb->csum_offset to check if it's a TCP/UDP
+proctol, this might be fragile. However, as Alex said, for now we
+only have a few L4 protocols that are requesting Tx csum offload,
+we'd better fix this until a new protocol comes with a same csum
+offset.
+
+v1->v2:
+ - not extend skb->csum_not_inet, but use skb->csum_offset to tell
+ if it's an UDP/TCP csum packet.
+v2->v3:
+ - add a note in the changelog, as Willem suggested.
+
+Suggested-by: Alexander Duyck
+Signed-off-by: Xin Long
+Signed-off-by: Jakub Kicinski
+Stable-dep-of: 04c20a9356f2 ("net: skip offload for NETIF_F_IPV6_CSUM if ipv6 header contains extension")
+Signed-off-by: Sasha Levin
+---
+ net/core/dev.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 8f2f14df3610b..ff62b0027d600 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -3263,7 +3263,18 @@ int skb_csum_hwoffload_help(struct sk_buff *skb,
+ return !!(features & NETIF_F_SCTP_CRC) ? 0 :
+ skb_crc32c_csum_help(skb);
+
+- return !!(features & NETIF_F_CSUM_MASK) ? 0 : skb_checksum_help(skb);
++ if (features & NETIF_F_HW_CSUM)
++ return 0;
++
++ if (features & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM)) {
++ switch (skb->csum_offset) {
++ case offsetof(struct tcphdr, check):
++ case offsetof(struct udphdr, check):
++ return 0;
++ }
++ }
++
++ return skb_checksum_help(skb);
+ }
+ EXPORT_SYMBOL(skb_csum_hwoffload_help);
+
+--
+2.43.0
+
diff --git a/queue-5.4/netfilter-nft_payload-sanitize-offset-and-length-bef.patch b/queue-5.4/netfilter-nft_payload-sanitize-offset-and-length-bef.patch
new file mode 100644
index 00000000000..317065d0ce3
--- /dev/null
+++ b/queue-5.4/netfilter-nft_payload-sanitize-offset-and-length-bef.patch
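Review bot: The `features & (NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM)` test accepts either flag without looking at the packet's L3 protocol, so as written a device advertising only NETIF_F_IP_CSUM would be left to checksum an IPv6 TCP/UDP packet unless the caller has already masked `features` for the skb's protocol. That masking is not visible in this hunk; if it is the precondition, it should be stated above the test, e.g. `/* features are expected to be filtered for this skb's protocol by the caller */`. The `switch` on `skb->csum_offset` also has no `default:` label, and adding `default: break;` would make the fall-through to `skb_checksum_help()` explicit. The start of skb_csum_hwoffload_help() is outside the hunk.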
@@ -0,0 +1,42 @@
+From 48e0e9c89122abe7f304660afdd936b2d77ae65a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Oct 2024 23:13:48 +0100
+Subject: netfilter: nft_payload: sanitize offset and length before calling
+ skb_checksum()
+
+From: Pablo Neira Ayuso
+
+[ Upstream commit d5953d680f7e96208c29ce4139a0e38de87a57fe ]
+
+If access to offset + length is larger than the skbuff length, then
+skb_checksum() triggers BUG_ON().
+
+skb_checksum() internally subtracts the length parameter while iterating
+over skbuff, BUG_ON(len) at the end of it checks that the expected
+length to be included in the checksum calculation is fully consumed.
+
+Fixes: 7ec3f7b47b8d ("netfilter: nft_payload: add packet mangling support")
+Reported-by: Slavin Liu
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nft_payload.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
+index a4f9a150812a3..e40948b508588 100644
+--- a/net/netfilter/nft_payload.c
++++ b/net/netfilter/nft_payload.c
+@@ -532,6 +532,9 @@ static void nft_payload_set_eval(const struct nft_expr *expr,
+ if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) &&
+ (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER ||
+ skb->ip_summed != CHECKSUM_PARTIAL)) {
++ if (offset + priv->len > skb->len)
++ goto err;
++
+ fsum = skb_checksum(skb, offset, priv->len, 0);
+ tsum = csum_partial(src, priv->len, 0);
+
+--
+2.43.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 0509ac6235a..486d476b649 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
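Review bot: The added bound `offset + priv->len > skb->len` mixes types whose declarations are outside the hunk: if `offset` is a signed int, a negative value is rejected only because the comparison with `skb->len` converts the sum to unsigned. Spelling the intent out, `if (offset < 0 || offset + priv->len > skb->len) goto err;`, would keep the check correct if either type changes later. The check also sits inside the checksum branch only, so packets that skip this branch rely on whatever bounds handling the rest of nft_payload_set_eval() provides, which continues outside the hunk.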
@@ -424,3 +424,18 @@ selinux-improve-error-checking-in-sel_write_load.patch
 arm64-uprobes-change-the-uprobe_opcode_t-typedef-to-fix-the-sparse-warning.patch
 xfrm-validate-new-sa-s-prefixlen-using-sa-family-whe.patch
 cgroup-fix-potential-overflow-issue-when-checking-ma.patch
+wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch
+mac80211-do-drv_reconfig_complete-before-restarting-.patch
+mac80211-add-support-to-trigger-sta-disconnect-on-ha.patch
+wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch
+wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch
+asoc-cs42l51-fix-some-error-handling-paths-in-cs42l5.patch
+dt-bindings-gpu-convert-samsung-image-rotator-to-dt-.patch
+igb-disable-threaded-irq-for-igb_msix_other.patch
+gtp-simplify-error-handling-code-in-gtp_encap_enable.patch
+gtp-allow-1-to-be-specified-as-file-description-from.patch
+net-sched-stop-qdisc_tree_reduce_backlog-on-tc_h_roo.patch
+bpf-fix-out-of-bounds-write-in-trie_get_next_key.patch
+net-support-ip-generic-csum-processing-in-skb_csum_h.patch
+net-skip-offload-for-netif_f_ipv6_csum-if-ipv6-heade.patch
+netfilter-nft_payload-sanitize-offset-and-length-bef.patch
diff --git a/queue-5.4/wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch b/queue-5.4/wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch
new file mode 100644
index 00000000000..06508d18a94
--- /dev/null
+++ b/queue-5.4/wifi-iwlwifi-mvm-disconnect-station-vifs-if-recovery.patch
@@ -0,0 +1,61 @@
+From 5c6e45c4eb557b558922361cc1c5926e36bdcb9a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 28 Jan 2024 08:53:56 +0200
+Subject: wifi: iwlwifi: mvm: disconnect station vifs if recovery failed
+
+From: Emmanuel Grumbach
+
+[ Upstream commit e50a88e5cb8792cc416866496288c5f4d1eb4b1f ]
+
+This will allow to reconnect immediately instead of leaving the
+connection in a limbo state.
+
+Signed-off-by: Emmanuel Grumbach
+Reviewed-by: Gregory Greenman
+Signed-off-by: Miri Korenblit
+Link: https://msgid.link/20240128084842.e90531cd3a36.Iebdc9483983c0d8497f9dcf9d79ec37332a5fdcc@changeid
+Signed-off-by: Johannes Berg
+Stable-dep-of: 07a6e3b78a65 ("wifi: iwlwifi: mvm: Fix response handling in iwl_mvm_send_recovery_cmd()")
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 27bd9ed48bec4..16bf070566e6c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1182,6 +1182,13 @@ static int iwl_mvm_ppag_init(struct iwl_mvm *mvm)
+ }
+ #endif /* CONFIG_ACPI */
+
++static void iwl_mvm_disconnect_iterator(void *data, u8 *mac,
++ struct ieee80211_vif *vif)
++{
++ if (vif->type == NL80211_IFTYPE_STATION)
++ ieee80211_hw_restart_disconnect(vif);
++}
++
+ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ {
+ u32 error_log_size = mvm->fw->ucode_capa.error_log_size;
+@@ -1226,10 +1233,15 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ /* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */
+ if (flags & ERROR_RECOVERY_UPDATE_DB) {
+ resp = le32_to_cpu(*(__le32 *)host_cmd.resp_pkt->data);
+- if (resp)
++ if (resp) {
+ IWL_ERR(mvm,
+ "Failed to send recovery cmd blob was invalid %d\n",
+ resp);
++
++ ieee80211_iterate_interfaces(mvm->hw, 0,
++ iwl_mvm_disconnect_iterator,
++ mvm);
++ }
+ }
+ }
+
+--
+2.43.0
+
diff --git a/queue-5.4/wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch b/queue-5.4/wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch
new file mode 100644
index 00000000000..7771ed90242
--- /dev/null
+++ b/queue-5.4/wifi-iwlwifi-mvm-fix-response-handling-in-iwl_mvm_se.patch
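Review bot: `ieee80211_iterate_interfaces(mvm->hw, 0, ...)` passes a bare `0` for the iteration flags, which hides which interfaces are meant to be visited; the named constant reads better, `ieee80211_iterate_interfaces(mvm->hw, IEEE80211_IFACE_ITER_NORMAL,`. The `mvm` pointer handed over as iterator data is never read by iwl_mvm_disconnect_iterator(), so either pass `NULL` or add a one-line comment on the iterator such as `/* data and mac are unused */`. iwl_mvm_send_recovery_cmd() starts and ends outside the second inner hunk.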
@@ -0,0 +1,74 @@
+From 68edc5caeedacbb1d66bd6a74637c1dceaa883e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Oct 2024 14:05:05 +0300
+Subject: wifi: iwlwifi: mvm: Fix response handling in
+ iwl_mvm_send_recovery_cmd()
+
+From: Daniel Gabay
+
+[ Upstream commit 07a6e3b78a65f4b2796a8d0d4adb1a15a81edead ]
+
+1. The size of the response packet is not validated.
+2. The response buffer is not freed.
+
+Resolve these issues by switching to iwl_mvm_send_cmd_status(),
+which handles both size validation and frees the buffer.
+
+Fixes: f130bb75d881 ("iwlwifi: add FW recovery flow")
+Signed-off-by: Daniel Gabay
+Signed-off-by: Miri Korenblit
+Link: https://patch.msgid.link/20241010140328.76c73185951e.Id3b6ca82ced2081f5ee4f33c997491d0ebda83f7@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/fw.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+index 16bf070566e6c..287f9c551525c 100644
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/fw.c
+@@ -1192,8 +1192,8 @@ static void iwl_mvm_disconnect_iterator(void *data, u8 *mac,
+ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ {
+ u32 error_log_size = mvm->fw->ucode_capa.error_log_size;
++ u32 status = 0;
+ int ret;
+- u32 resp;
+
+ struct iwl_fw_error_recovery_cmd recovery_cmd = {
+ .flags = cpu_to_le32(flags),
+@@ -1201,7 +1201,6 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ };
+ struct iwl_host_cmd host_cmd = {
+ .id = WIDE_ID(SYSTEM_GROUP, FW_ERROR_RECOVERY_CMD),
+- .flags = CMD_WANT_SKB,
+ .data = {&recovery_cmd, },
+ .len = {sizeof(recovery_cmd), },
+ };
+@@ -1221,7 +1220,7 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+ recovery_cmd.buf_size = cpu_to_le32(error_log_size);
+ }
+
+- ret = iwl_mvm_send_cmd(mvm, &host_cmd);
++ ret = iwl_mvm_send_cmd_status(mvm, &host_cmd, &status);
+ kfree(mvm->error_recovery_buf);
+ mvm->error_recovery_buf = NULL;
+
+@@ -1232,11 +1231,10 @@ void iwl_mvm_send_recovery_cmd(struct iwl_mvm *mvm, u32 flags)
+
+ /* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */
+ if (flags & ERROR_RECOVERY_UPDATE_DB) {
+- resp = le32_to_cpu(*(__le32 *)host_cmd.resp_pkt->data);
+- if (resp) {
++ if (status) {
+ IWL_ERR(mvm,
+ "Failed to send recovery cmd blob was invalid %d\n",
+- resp);
++ status);
+
+ ieee80211_iterate_interfaces(mvm->hw, 0,
+ iwl_mvm_disconnect_iterator,
+--
+2.43.0
+
diff --git a/queue-5.4/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch b/queue-5.4/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch
new file mode 100644
index 00000000000..eff1e5730fd
--- /dev/null
+++ b/queue-5.4/wifi-mac80211-skip-non-uploaded-keys-in-ieee80211_it.patch
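Review bot: The context comment `/* skb respond is only relevant in ERROR_RECOVERY_UPDATE_DB */` is stale after this change, because CMD_WANT_SKB is dropped and no response skb is inspected any more; it should read `/* status is only relevant in ERROR_RECOVERY_UPDATE_DB */`. `status` is a `u32` but is still printed with `%d` in the IWL_ERR() format, where `%u` matches the type. The code that tests `ret` lies between the third and fourth inner hunks and is not visible, so it cannot be confirmed from here that `status` is read only after a successful send.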
@@ -0,0 +1,94 @@
+From 3d925bd658eae262b9642e74d5ebe4f6be574644 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 6 Oct 2024 17:36:30 +0200
+Subject: wifi: mac80211: skip non-uploaded keys in ieee80211_iter_keys
+
+From: Felix Fietkau
+
+[ Upstream commit 52009b419355195912a628d0a9847922e90c348c ]
+
+Sync iterator conditions with ieee80211_iter_keys_rcu.
+
+Fixes: 830af02f24fb ("mac80211: allow driver to iterate keys")
+Signed-off-by: Felix Fietkau
+Link: https://patch.msgid.link/20241006153630.87885-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/key.c | 42 +++++++++++++++++++++++++-----------------
+ 1 file changed, 25 insertions(+), 17 deletions(-)
+
+diff --git a/net/mac80211/key.c b/net/mac80211/key.c
+index 1be9cd265c727..5889a590b3edd 100644
+--- a/net/mac80211/key.c
++++ b/net/mac80211/key.c
+@@ -883,6 +883,26 @@ void ieee80211_reenable_keys(struct ieee80211_sub_if_data *sdata)
+ mutex_unlock(&sdata->local->key_mtx);
+ }
+
++static void
++ieee80211_key_iter(struct ieee80211_hw *hw,
++ struct ieee80211_vif *vif,
++ struct ieee80211_key *key,
++ void (*iter)(struct ieee80211_hw *hw,
++ struct ieee80211_vif *vif,
++ struct ieee80211_sta *sta,
++ struct ieee80211_key_conf *key,
++ void *data),
++ void *iter_data)
++{
++ /* skip keys of station in removal process */
++ if (key->sta && key->sta->removed)
++ return;
++ if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
++ return;
++ iter(hw, vif, key->sta ? &key->sta->sta : NULL,
++ &key->conf, iter_data);
++}
++
+ void ieee80211_iter_keys(struct ieee80211_hw *hw,
+ struct ieee80211_vif *vif,
+ void (*iter)(struct ieee80211_hw *hw,
+@@ -902,16 +922,13 @@ void ieee80211_iter_keys(struct ieee80211_hw *hw,
+ if (vif) {
+ sdata = vif_to_sdata(vif);
+ list_for_each_entry_safe(key, tmp, &sdata->key_list, list)
+- iter(hw, &sdata->vif,
+- key->sta ? &key->sta->sta : NULL,
+- &key->conf, iter_data);
++ ieee80211_key_iter(hw, vif, key, iter, iter_data);
+ } else {
+ list_for_each_entry(sdata, &local->interfaces, list)
+ list_for_each_entry_safe(key, tmp,
+ &sdata->key_list, list)
+- iter(hw, &sdata->vif,
+- key->sta ? &key->sta->sta : NULL,
+- &key->conf, iter_data);
++ ieee80211_key_iter(hw, &sdata->vif, key,
++ iter, iter_data);
+ }
+ mutex_unlock(&local->key_mtx);
+ }
+@@ -929,17 +946,8 @@ _ieee80211_iter_keys_rcu(struct ieee80211_hw *hw,
+ {
+ struct ieee80211_key *key;
+
+- list_for_each_entry_rcu(key, &sdata->key_list, list) {
+- /* skip keys of station in removal process */
+- if (key->sta && key->sta->removed)
+- continue;
+- if (!(key->flags & KEY_FLAG_UPLOADED_TO_HARDWARE))
+- continue;
+-
+- iter(hw, &sdata->vif,
+- key->sta ? &key->sta->sta : NULL,
+- &key->conf, iter_data);
+- }
++ list_for_each_entry_rcu(key, &sdata->key_list, list)
++ ieee80211_key_iter(hw, &sdata->vif, key, iter, iter_data);
+ }
+
+ void ieee80211_iter_keys_rcu(struct ieee80211_hw *hw,
+--
+2.43.0
+
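Review bot: The new helper ieee80211_key_iter() is reached from two different locking contexts, the loops in ieee80211_iter_keys() that run before `mutex_unlock(&local->key_mtx)` and the `list_for_each_entry_rcu()` loop in _ieee80211_iter_keys_rcu(), and nothing on the helper says so. A short comment above it, e.g. `/* called with key_mtx held or from the RCU key iterator */`, would document what protects `key->sta` and `key->flags` while they are tested. Drivers that walk keys through ieee80211_iter_keys() also stop seeing keys without KEY_FLAG_UPLOADED_TO_HARDWARE; whether any caller in the 5.4 tree relied on the old behaviour cannot be judged from these hunks. Both iterator functions start and end outside the hunks.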