--- /dev/null
+From 61d8ed99c4f47df687a284c1bed9d8b3877dc40c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 2 Apr 2025 14:01:41 +0300
+Subject: Bluetooth: btrtl: Prevent potential NULL dereference
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+[ Upstream commit 324dddea321078a6eeb535c2bff5257be74c9799 ]
+
+The btrtl_initialize() function checks that rtl_load_file() either
+had an error or it loaded a zero length file. However, if it loaded
+a zero length file then the error code is not set correctly. It
+results in an error pointer vs NULL bug, followed by a NULL pointer
+dereference. This was detected by Smatch:
+
+drivers/bluetooth/btrtl.c:592 btrtl_initialize() warn: passing zero to 'ERR_PTR'
+
+Fixes: 26503ad25de8 ("Bluetooth: btrtl: split the device initialization into smaller parts")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/bluetooth/btrtl.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
+index 0dfaf90a31b06..bdee7d2d88309 100644
+--- a/drivers/bluetooth/btrtl.c
++++ b/drivers/bluetooth/btrtl.c
+@@ -605,6 +605,8 @@ struct btrtl_device_info *btrtl_initialize(struct hci_dev *hdev,
+ rtl_dev_err(hdev, "mandatory config file %s not found",
+ btrtl_dev->ic_info->cfg_name);
+ ret = btrtl_dev->cfg_len;
++ if (!ret)
++ ret = -EINVAL;
+ goto err_free;
+ }
+ }
+--
+2.39.5
+
--- /dev/null
+From 0ff3b9f085efd22e4ae159c9db845c6730212ca9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 1 Apr 2025 13:02:08 -0400
+Subject: Bluetooth: hci_event: Fix sending MGMT_EV_DEVICE_FOUND for invalid
+ address
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+[ Upstream commit eb73b5a9157221f405b4fe32751da84ee46b7a25 ]
+
+This fixes sending MGMT_EV_DEVICE_FOUND for invalid address
+(00:00:00:00:00:00) which is a regression introduced by
+a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
+since in the attempt to skip storing data for extended advertisement it
+actually made the code to skip the entire if statement supposed to send
+MGMT_EV_DEVICE_FOUND without attempting to use the last_addr_adv which
+is garanteed to be invalid for extended advertisement since we never
+store anything on it.
+
+Link: https://github.com/bluez/bluez/issues/1157
+Link: https://github.com/bluez/bluez/issues/1149#issuecomment-2767215658
+Fixes: a2ec905d1e16 ("Bluetooth: fix kernel oops in store_pending_adv_report")
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/bluetooth/hci_event.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
+index c00872f0dd2bb..33b025a52b83a 100644
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5489,11 +5489,12 @@ static void process_adv_report(struct hci_dev *hdev, u8 type, bdaddr_t *bdaddr,
+ * event or send an immediate device found event if the data
+ * should not be stored for later.
+ */
+- if (!ext_adv && !has_pending_adv_report(hdev)) {
++ if (!has_pending_adv_report(hdev)) {
+ /* If the report will trigger a SCAN_REQ store it for
+ * later merging.
+ */
+- if (type == LE_ADV_IND || type == LE_ADV_SCAN_IND) {
++ if (!ext_adv && (type == LE_ADV_IND ||
++ type == LE_ADV_SCAN_IND)) {
+ store_pending_adv_report(hdev, bdaddr, bdaddr_type,
+ rssi, flags, data, len);
+ return;
+--
+2.39.5
+
--- /dev/null
+From 9bdc30186a5639cfccb0173cd95e07604d5fabcc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Apr 2025 22:04:34 +0200
+Subject: net: b53: enable BPDU reception for management port
+
+From: Jonas Gorski <jonas.gorski@gmail.com>
+
+[ Upstream commit 36355ddfe8955f226a88a543ed354b9f6b84cd70 ]
+
+For STP to work, receiving BPDUs is essential, but the appropriate bit
+was never set. Without GC_RX_BPDU_EN, the switch chip will filter all
+BPDUs, even if an appropriate PVID VLAN was setup.
+
+Fixes: ff39c2d68679 ("net: dsa: b53: Add bridge support")
+Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
+Link: https://patch.msgid.link/20250414200434.194422-1-jonas.gorski@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/b53/b53_common.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/net/dsa/b53/b53_common.c b/drivers/net/dsa/b53/b53_common.c
+index 1458416f4f912..9f5852657852a 100644
+--- a/drivers/net/dsa/b53/b53_common.c
++++ b/drivers/net/dsa/b53/b53_common.c
+@@ -671,6 +671,15 @@ static void b53_enable_mib(struct b53_device *dev)
+ b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
+ }
+
++static void b53_enable_stp(struct b53_device *dev)
++{
++ u8 gc;
++
++ b53_read8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, &gc);
++ gc |= GC_RX_BPDU_EN;
++ b53_write8(dev, B53_MGMT_PAGE, B53_GLOBAL_CONFIG, gc);
++}
++
+ static u16 b53_default_pvid(struct b53_device *dev)
+ {
+ if (is5325(dev) || is5365(dev))
+@@ -777,6 +786,7 @@ static int b53_switch_reset(struct b53_device *dev)
+ }
+
+ b53_enable_mib(dev);
++ b53_enable_stp(dev);
+
+ return b53_flush_arl(dev, FAST_AGE_STATIC);
+ }
+--
+2.39.5
+
--- /dev/null
+From de5ec2eeeda18d140afee0f600371f85c06b151f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 12 Apr 2025 12:40:18 +0200
+Subject: net: openvswitch: fix nested key length validation in the set()
+ action
+
+From: Ilya Maximets <i.maximets@ovn.org>
+
+[ Upstream commit 65d91192aa66f05710cfddf6a14b5a25ee554dba ]
+
+It's not safe to access nla_len(ovs_key) if the data is smaller than
+the netlink header. Check that the attribute is OK first.
+
+Fixes: ccb1352e76cf ("net: Add Open vSwitch kernel components.")
+Reported-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
+Closes: https://syzkaller.appspot.com/bug?extid=b07a9da40df1576b8048
+Tested-by: syzbot+b07a9da40df1576b8048@syzkaller.appspotmail.com
+Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
+Reviewed-by: Eelco Chaudron <echaudro@redhat.com>
+Acked-by: Aaron Conole <aconole@redhat.com>
+Link: https://patch.msgid.link/20250412104052.2073688-1-i.maximets@ovn.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/openvswitch/flow_netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
+index 67125939d7eee..4ad4c89886ee3 100644
+--- a/net/openvswitch/flow_netlink.c
++++ b/net/openvswitch/flow_netlink.c
+@@ -2741,7 +2741,8 @@ static int validate_set(const struct nlattr *a,
+ size_t key_len;
+
+ /* There can be only one key in a action */
+- if (nla_total_size(nla_len(ovs_key)) != nla_len(a))
++ if (!nla_ok(ovs_key, nla_len(a)) ||
++ nla_total_size(nla_len(ovs_key)) != nla_len(a))
+ return -EINVAL;
+
+ key_len = nla_len(ovs_key);
+--
+2.39.5
+
--- /dev/null
+From bb80c7ec9fe6acd4afb62eaa996e4802163fa844 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 20:31:32 +0800
+Subject: RDMA/usnic: Fix passing zero to PTR_ERR in usnic_ib_pci_probe()
+
+From: Yue Haibing <yuehaibing@huawei.com>
+
+[ Upstream commit 95ba3850fed03e01b422ab5d7943aeba130c9723 ]
+
+drivers/infiniband/hw/usnic/usnic_ib_main.c:590
+ usnic_ib_pci_probe() warn: passing zero to 'PTR_ERR'
+
+Make usnic_ib_device_add() return NULL on fail path, also remove
+useless NULL check for usnic_ib_discover_pf()
+
+Fixes: e3cf00d0a87f ("IB/usnic: Add Cisco VIC low-level hardware driver")
+Link: https://patch.msgid.link/r/20250324123132.2392077-1-yuehaibing@huawei.com
+Signed-off-by: Yue Haibing <yuehaibing@huawei.com>
+Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
+Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/hw/usnic/usnic_ib_main.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/infiniband/hw/usnic/usnic_ib_main.c b/drivers/infiniband/hw/usnic/usnic_ib_main.c
+index c9abe1c01e4eb..eaa60554eb462 100644
+--- a/drivers/infiniband/hw/usnic/usnic_ib_main.c
++++ b/drivers/infiniband/hw/usnic/usnic_ib_main.c
+@@ -380,7 +380,7 @@ static void *usnic_ib_device_add(struct pci_dev *dev)
+ if (!us_ibdev) {
+ usnic_err("Device %s context alloc failed\n",
+ netdev_name(pci_get_drvdata(dev)));
+- return ERR_PTR(-EFAULT);
++ return NULL;
+ }
+
+ us_ibdev->ufdev = usnic_fwd_dev_alloc(dev);
+@@ -520,8 +520,8 @@ static struct usnic_ib_dev *usnic_ib_discover_pf(struct usnic_vnic *vnic)
+ }
+
+ us_ibdev = usnic_ib_device_add(parent_pci);
+- if (IS_ERR_OR_NULL(us_ibdev)) {
+- us_ibdev = us_ibdev ? us_ibdev : ERR_PTR(-EFAULT);
++ if (!us_ibdev) {
++ us_ibdev = ERR_PTR(-EFAULT);
+ goto out;
+ }
+
+@@ -584,10 +584,10 @@ static int usnic_ib_pci_probe(struct pci_dev *pdev,
+ }
+
+ pf = usnic_ib_discover_pf(vf->vnic);
+- if (IS_ERR_OR_NULL(pf)) {
+- usnic_err("Failed to discover pf of vnic %s with err%ld\n",
+- pci_name(pdev), PTR_ERR(pf));
+- err = pf ? PTR_ERR(pf) : -EFAULT;
++ if (IS_ERR(pf)) {
++ err = PTR_ERR(pf);
++ usnic_err("Failed to discover pf of vnic %s with err%d\n",
++ pci_name(pdev), err);
+ goto out_clean_vnic;
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 194293cf9496bf9143ebd3a8c1686ae578d3a358 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 11 Apr 2025 16:13:34 +0200
+Subject: Revert "wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()"
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+[ Upstream commit 0937cb5f345c79d702b4d0d744e2a2529b551cb2 ]
+
+This reverts commit a104042e2bf6528199adb6ca901efe7b60c2c27f.
+
+Since the original bug seems to have been around for years,
+but a new issue was report with the fix, revert the fix for
+now. We have a couple of weeks to figure it out for this
+release, if needed.
+
+Reported-by: Bert Karwatzki <spasswolf@web.de>
+Closes: https://lore.kernel.org/linux-wireless/20250410215527.3001-1-spasswolf@web.de
+Fixes: a104042e2bf6 ("wifi: mac80211: Update skb's control block key in ieee80211_tx_dequeue()")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index f8d72f3e4def8..461cff7b94ad7 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3661,7 +3661,6 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ * The key can be removed while the packet was queued, so need to call
+ * this here to get the current key.
+ */
+- info->control.hw_key = NULL;
+ r = ieee80211_tx_h_select_key(&tx);
+ if (r != TX_CONTINUE) {
+ ieee80211_free_txskb(&local->hw, skb);
+--
+2.39.5
+
--- /dev/null
+From 8c0930caf0d268fb8e0e135e71f0e33d375f0d16 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 18 Mar 2025 17:43:43 +0800
+Subject: scsi: iscsi: Fix missing scsi_host_put() in error path
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 72eea84a1092b50a10eeecfeba4b28ac9f1312ab ]
+
+Add goto to ensure scsi_host_put() is called in all error paths of
+iscsi_set_host_param() function. This fixes a potential memory leak when
+strlen() check fails.
+
+Fixes: ce51c8170084 ("scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20250318094344.91776-1-linmq006@gmail.com
+Reviewed-by: Mike Christie <michael.christie@oracle.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/scsi_transport_iscsi.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
+index 9ef242d2a2c9d..d75097f13efcc 100644
+--- a/drivers/scsi/scsi_transport_iscsi.c
++++ b/drivers/scsi/scsi_transport_iscsi.c
+@@ -2924,11 +2924,14 @@ iscsi_set_host_param(struct iscsi_transport *transport,
+ }
+
+ /* see similar check in iscsi_if_set_param() */
+- if (strlen(data) > ev->u.set_host_param.len)
+- return -EINVAL;
++ if (strlen(data) > ev->u.set_host_param.len) {
++ err = -EINVAL;
++ goto out;
++ }
+
+ err = transport->set_host_param(shost, ev->u.set_host_param.param,
+ data, ev->u.set_host_param.len);
++out:
+ scsi_host_put(shost);
+ return err;
+ }
+--
+2.39.5
+
bluetooth-hci_uart-fix-another-race-during-initialization.patch
pwm-mediatek-always-use-bus-clock-for-pwm-on-mt7622.patch
hsi-ssi_protocol-fix-use-after-free-vulnerability-in-ssi_protocol-driver-due-to-race-condition.patch
+wifi-at76c50x-fix-use-after-free-access-in-at76_disc.patch
+wifi-mac80211-update-skb-s-control-block-key-in-ieee.patch
+wifi-mac80211-purge-vif-txq-in-ieee80211_do_stop.patch
+wifi-wl1251-fix-memory-leak-in-wl1251_tx_work.patch
+scsi-iscsi-fix-missing-scsi_host_put-in-error-path.patch
+rdma-usnic-fix-passing-zero-to-ptr_err-in-usnic_ib_p.patch
+bluetooth-hci_event-fix-sending-mgmt_ev_device_found.patch
+bluetooth-btrtl-prevent-potential-null-dereference.patch
+revert-wifi-mac80211-update-skb-s-control-block-key-.patch
+net-openvswitch-fix-nested-key-length-validation-in-.patch
+net-b53-enable-bpdu-reception-for-management-port.patch
--- /dev/null
+From fd945eb30a27f04cada25875a7312d552c04caad Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Mar 2025 16:01:10 +0530
+Subject: wifi: at76c50x: fix use after free access in at76_disconnect
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit 27c7e63b3cb1a20bb78ed4a36c561ea4579fd7da ]
+
+The memory pointed to by priv is freed at the end of at76_delete_device
+function (using ieee80211_free_hw). But the code then accesses the udev
+field of the freed object to put the USB device. This may also lead to a
+memory leak of the usb device. Fix this by using udev from interface.
+
+Fixes: 29e20aa6c6af ("at76c50x-usb: fix use after free on failure path in at76_probe()")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Link: https://patch.msgid.link/20250330103110.44080-1-abdun.nihaal@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/atmel/at76c50x-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/atmel/at76c50x-usb.c b/drivers/net/wireless/atmel/at76c50x-usb.c
+index db2c3b8d491e5..c9ee3d4c8fa61 100644
+--- a/drivers/net/wireless/atmel/at76c50x-usb.c
++++ b/drivers/net/wireless/atmel/at76c50x-usb.c
+@@ -2554,7 +2554,7 @@ static void at76_disconnect(struct usb_interface *interface)
+
+ wiphy_info(priv->hw->wiphy, "disconnecting\n");
+ at76_delete_device(priv);
+- usb_put_dev(priv->udev);
++ usb_put_dev(interface_to_usbdev(interface));
+ dev_info(&interface->dev, "disconnected\n");
+ }
+
+--
+2.39.5
+
--- /dev/null
+From 18002b912b1be90b7f81eeee7c10b71ab06c2850 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 17:28:21 +0100
+Subject: wifi: mac80211: Purge vif txq in ieee80211_do_stop()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit 378677eb8f44621ecc9ce659f7af61e5baa94d81 ]
+
+After ieee80211_do_stop() SKB from vif's txq could still be processed.
+Indeed another concurrent vif schedule_and_wake_txq call could cause
+those packets to be dequeued (see ieee80211_handle_wake_tx_queue())
+without checking the sdata current state.
+
+Because vif.drv_priv is now cleared in this function, this could lead to
+driver crash.
+
+For example in ath12k, ahvif is store in vif.drv_priv. Thus if
+ath12k_mac_op_tx() is called after ieee80211_do_stop(), ahvif->ah can be
+NULL, leading the ath12k_warn(ahvif->ah,...) call in this function to
+trigger the NULL deref below.
+
+ Unable to handle kernel paging request at virtual address dfffffc000000001
+ KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
+ batman_adv: bat0: Interface deactivated: brbh1337
+ Mem abort info:
+ ESR = 0x0000000096000004
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x04: level 0 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
+ CM = 0, WnR = 0, TnD = 0, TagAccess = 0
+ GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
+ [dfffffc000000001] address between user and kernel address ranges
+ Internal error: Oops: 0000000096000004 [#1] SMP
+ CPU: 1 UID: 0 PID: 978 Comm: lbd Not tainted 6.13.0-g633f875b8f1e #114
+ Hardware name: HW (DT)
+ pstate: 10000005 (nzcV daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k]
+ lr : ath12k_mac_op_tx+0x174/0x29b8 [ath12k]
+ sp : ffffffc086ace450
+ x29: ffffffc086ace450 x28: 0000000000000000 x27: 1ffffff810d59ca4
+ x26: ffffff801d05f7c0 x25: 0000000000000000 x24: 000000004000001e
+ x23: ffffff8009ce4926 x22: ffffff801f9c0800 x21: ffffff801d05f7f0
+ x20: ffffff8034a19f40 x19: 0000000000000000 x18: ffffff801f9c0958
+ x17: ffffff800bc0a504 x16: dfffffc000000000 x15: ffffffc086ace4f8
+ x14: ffffff801d05f83c x13: 0000000000000000 x12: ffffffb003a0bf03
+ x11: 0000000000000000 x10: ffffffb003a0bf02 x9 : ffffff8034a19f40
+ x8 : ffffff801d05f818 x7 : 1ffffff0069433dc x6 : ffffff8034a19ee0
+ x5 : ffffff801d05f7f0 x4 : 0000000000000000 x3 : 0000000000000001
+ x2 : 0000000000000000 x1 : dfffffc000000000 x0 : 0000000000000008
+ Call trace:
+ ath12k_mac_op_tx+0x6cc/0x29b8 [ath12k] (P)
+ ieee80211_handle_wake_tx_queue+0x16c/0x260
+ ieee80211_queue_skb+0xeec/0x1d20
+ ieee80211_tx+0x200/0x2c8
+ ieee80211_xmit+0x22c/0x338
+ __ieee80211_subif_start_xmit+0x7e8/0xc60
+ ieee80211_subif_start_xmit+0xc4/0xee0
+ __ieee80211_subif_start_xmit_8023.isra.0+0x854/0x17a0
+ ieee80211_subif_start_xmit_8023+0x124/0x488
+ dev_hard_start_xmit+0x160/0x5a8
+ __dev_queue_xmit+0x6f8/0x3120
+ br_dev_queue_push_xmit+0x120/0x4a8
+ __br_forward+0xe4/0x2b0
+ deliver_clone+0x5c/0xd0
+ br_flood+0x398/0x580
+ br_dev_xmit+0x454/0x9f8
+ dev_hard_start_xmit+0x160/0x5a8
+ __dev_queue_xmit+0x6f8/0x3120
+ ip6_finish_output2+0xc28/0x1b60
+ __ip6_finish_output+0x38c/0x638
+ ip6_output+0x1b4/0x338
+ ip6_local_out+0x7c/0xa8
+ ip6_send_skb+0x7c/0x1b0
+ ip6_push_pending_frames+0x94/0xd0
+ rawv6_sendmsg+0x1a98/0x2898
+ inet_sendmsg+0x94/0xe0
+ __sys_sendto+0x1e4/0x308
+ __arm64_sys_sendto+0xc4/0x140
+ do_el0_svc+0x110/0x280
+ el0_svc+0x20/0x60
+ el0t_64_sync_handler+0x104/0x138
+ el0t_64_sync+0x154/0x158
+
+To avoid that, empty vif's txq at ieee80211_do_stop() so no packet could
+be dequeued after ieee80211_do_stop() (new packets cannot be queued
+because SDATA_STATE_RUNNING is cleared at this point).
+
+Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/ff7849e268562456274213c0476e09481a48f489.1742833382.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/iface.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index e49b80a9de520..0ce02c27b4e69 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1023,6 +1023,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
+ if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
+ ieee80211_txq_remove_vlan(local, sdata);
+
++ if (sdata->vif.txq)
++ ieee80211_txq_purge(sdata->local, to_txq_info(sdata->vif.txq));
++
+ sdata->bss = NULL;
+
+ if (local->open_count == 0)
+--
+2.39.5
+
--- /dev/null
+From a902b68d21047ed7f531c22ac916f73fc75ec636 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 24 Mar 2025 17:28:20 +0100
+Subject: wifi: mac80211: Update skb's control block key in
+ ieee80211_tx_dequeue()
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+[ Upstream commit a104042e2bf6528199adb6ca901efe7b60c2c27f ]
+
+The ieee80211 skb control block key (set when skb was queued) could have
+been removed before ieee80211_tx_dequeue() call. ieee80211_tx_dequeue()
+already called ieee80211_tx_h_select_key() to get the current key, but
+the latter do not update the key in skb control block in case it is
+NULL. Because some drivers actually use this key in their TX callbacks
+(e.g. ath1{1,2}k_mac_op_tx()) this could lead to the use after free
+below:
+
+ BUG: KASAN: slab-use-after-free in ath11k_mac_op_tx+0x590/0x61c
+ Read of size 4 at addr ffffff803083c248 by task kworker/u16:4/1440
+
+ CPU: 3 UID: 0 PID: 1440 Comm: kworker/u16:4 Not tainted 6.13.0-ge128f627f404 #2
+ Hardware name: HW (DT)
+ Workqueue: bat_events batadv_send_outstanding_bcast_packet
+ Call trace:
+ show_stack+0x14/0x1c (C)
+ dump_stack_lvl+0x58/0x74
+ print_report+0x164/0x4c0
+ kasan_report+0xac/0xe8
+ __asan_report_load4_noabort+0x1c/0x24
+ ath11k_mac_op_tx+0x590/0x61c
+ ieee80211_handle_wake_tx_queue+0x12c/0x1c8
+ ieee80211_queue_skb+0xdcc/0x1b4c
+ ieee80211_tx+0x1ec/0x2bc
+ ieee80211_xmit+0x224/0x324
+ __ieee80211_subif_start_xmit+0x85c/0xcf8
+ ieee80211_subif_start_xmit+0xc0/0xec4
+ dev_hard_start_xmit+0xf4/0x28c
+ __dev_queue_xmit+0x6ac/0x318c
+ batadv_send_skb_packet+0x38c/0x4b0
+ batadv_send_outstanding_bcast_packet+0x110/0x328
+ process_one_work+0x578/0xc10
+ worker_thread+0x4bc/0xc7c
+ kthread+0x2f8/0x380
+ ret_from_fork+0x10/0x20
+
+ Allocated by task 1906:
+ kasan_save_stack+0x28/0x4c
+ kasan_save_track+0x1c/0x40
+ kasan_save_alloc_info+0x3c/0x4c
+ __kasan_kmalloc+0xac/0xb0
+ __kmalloc_noprof+0x1b4/0x380
+ ieee80211_key_alloc+0x3c/0xb64
+ ieee80211_add_key+0x1b4/0x71c
+ nl80211_new_key+0x2b4/0x5d8
+ genl_family_rcv_msg_doit+0x198/0x240
+ <...>
+
+ Freed by task 1494:
+ kasan_save_stack+0x28/0x4c
+ kasan_save_track+0x1c/0x40
+ kasan_save_free_info+0x48/0x94
+ __kasan_slab_free+0x48/0x60
+ kfree+0xc8/0x31c
+ kfree_sensitive+0x70/0x80
+ ieee80211_key_free_common+0x10c/0x174
+ ieee80211_free_keys+0x188/0x46c
+ ieee80211_stop_mesh+0x70/0x2cc
+ ieee80211_leave_mesh+0x1c/0x60
+ cfg80211_leave_mesh+0xe0/0x280
+ cfg80211_leave+0x1e0/0x244
+ <...>
+
+Reset SKB control block key before calling ieee80211_tx_h_select_key()
+to avoid that.
+
+Fixes: bb42f2d13ffc ("mac80211: Move reorder-sensitive TX handlers to after TXQ dequeue")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Link: https://patch.msgid.link/06aa507b853ca385ceded81c18b0a6dd0f081bc8.1742833382.git.repk@triplefau.lt
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/tx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
+index 461cff7b94ad7..f8d72f3e4def8 100644
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -3661,6 +3661,7 @@ struct sk_buff *ieee80211_tx_dequeue(struct ieee80211_hw *hw,
+ * The key can be removed while the packet was queued, so need to call
+ * this here to get the current key.
+ */
++ info->control.hw_key = NULL;
+ r = ieee80211_tx_h_select_key(&tx);
+ if (r != TX_CONTINUE) {
+ ieee80211_free_txskb(&local->hw, skb);
+--
+2.39.5
+
--- /dev/null
+From ecf09911b384a43d31f67dd30ae5b3d886d5d39a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 30 Mar 2025 16:15:32 +0530
+Subject: wifi: wl1251: fix memory leak in wl1251_tx_work
+
+From: Abdun Nihaal <abdun.nihaal@gmail.com>
+
+[ Upstream commit a0f0dc96de03ffeefc2a177b7f8acde565cb77f4 ]
+
+The skb dequeued from tx_queue is lost when wl1251_ps_elp_wakeup fails
+with a -ETIMEDOUT error. Fix that by queueing the skb back to tx_queue.
+
+Fixes: c5483b719363 ("wl12xx: check if elp wakeup failed")
+Signed-off-by: Abdun Nihaal <abdun.nihaal@gmail.com>
+Reviewed-by: Michael Nemanov <michael.nemanov@ti.com>
+Link: https://patch.msgid.link/20250330104532.44935-1-abdun.nihaal@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/wireless/ti/wl1251/tx.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ti/wl1251/tx.c b/drivers/net/wireless/ti/wl1251/tx.c
+index 98cd39619d579..5771f61392efb 100644
+--- a/drivers/net/wireless/ti/wl1251/tx.c
++++ b/drivers/net/wireless/ti/wl1251/tx.c
+@@ -342,8 +342,10 @@ void wl1251_tx_work(struct work_struct *work)
+ while ((skb = skb_dequeue(&wl->tx_queue))) {
+ if (!woken_up) {
+ ret = wl1251_ps_elp_wakeup(wl);
+- if (ret < 0)
++ if (ret < 0) {
++ skb_queue_head(&wl->tx_queue, skb);
+ goto out;
++ }
+ woken_up = true;
+ }
+
+--
+2.39.5
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
