From: Greg Kroah-Hartman
Date: Sat, 2 Sep 2023 13:29:37 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Tag: v6.5.2~31
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0a4d0f9bf63fc354ad34a47cfd92e7196d0a9aef;p=thirdparty%2Fkernel%2Fstable-queue.git
6.1-stable patches
added patches:
bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch
wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch
---
diff --git a/queue-6.1/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch b/queue-6.1/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
new file mode 100644
index 00000000000..c1ae7b2afbb
--- /dev/null
+++ b/queue-6.1/bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
@@ -0,0 +1,38 @@
+From 73f7b171b7c09139eb3c6a5677c200dc1be5f318 Mon Sep 17 00:00:00 2001
+From: Zheng Wang
+Date: Thu, 9 Mar 2023 00:45:01 +0800
+Subject: Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
+
+From: Zheng Wang
+
+commit 73f7b171b7c09139eb3c6a5677c200dc1be5f318 upstream.
+
+In btsdio_probe, the data->work is bound with btsdio_work. It will be
+started in btsdio_send_frame.
+
+If the btsdio_remove runs with a unfinished work, there may be a race
+condition that hdev is freed but used in btsdio_work. Fix it by
+canceling the work before do cleanup in btsdio_remove.
+
+Fixes: CVE-2023-1989
+Fixes: ddbaf13e3609 ("[Bluetooth] Add generic driver for Bluetooth SDIO devices")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zheng Wang
+Signed-off-by: Luiz Augusto von Dentz
+[ Denis: Added CVE-2023-1989 and fixes tags. ]
+Signed-off-by: Denis Efremov (Oracle)
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/bluetooth/btsdio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bluetooth/btsdio.c
++++ b/drivers/bluetooth/btsdio.c
+@@ -357,6 +357,7 @@ static void btsdio_remove(struct sdio_fu
+ if (!data)
+ return;
+
++ cancel_work_sync(&data->work);
+ hdev = data->hdev;
+
+ sdio_set_drvdata(func, NULL);
diff --git a/queue-6.1/series b/queue-6.1/series
index 1ccd1136f05..56ebe8af5cb 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -15,3 +15,6 @@ usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch
 usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch
 hid-wacom-remove-the-battery-when-the-ekr-is-off.patch
 staging-rtl8712-fix-race-condition.patch
+bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
+wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch
+wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch
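Review bot: The added `cancel_work_sync(&data->work);` only closes the race if nothing can re-queue data->work after it returns; the hunk does not show where hdev is unregistered, so if btsdio_send_frame can still be invoked by the HCI core at this point, the work could be scheduled again after the cancel and the use-after-free window the commit describes would reopen. Worth confirming against the full function that the cancel is ordered such that no further sends are possible once it returns, or that the later unregister path cannot itself trigger a send. The line also deserves a why-comment, e.g. `/* btsdio_work dereferences data->hdev; make sure it is idle before the hdev is torn down */`. btsdio_remove starts before the hunk and its body continues after it, so the ordering relative to the unregister/free calls cannot be checked from the hunk alone.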
diff --git a/queue-6.1/wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch b/queue-6.1/wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch
new file mode 100644
index 00000000000..4ae5bdb0c3e
--- /dev/null
+++ b/queue-6.1/wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch
@@ -0,0 +1,42 @@
+From d616d3680264beb9a9d2c4fc681064b06f447eeb Mon Sep 17 00:00:00 2001
+From: Deren Wu
+Date: Wed, 10 May 2023 14:51:13 +0800
+Subject: wifi: mt76: mt7921: do not support one stream on secondary antenna only
+
+From: Deren Wu
+
+commit d616d3680264beb9a9d2c4fc681064b06f447eeb upstream.
+
+mt7921 support following antenna combiantions only.
+* primary + secondary (2x2)
+* primary only (1x1)
+
+Since we cannot work on secondary antenna only, return error if the
+antenna bitmap is 0x2 in .set_antenna().
+
+For example:
+iw phy0 set antenna 3 3 /* valid */
+iw phy0 set antenna 1 1 /* valid */
+iw phy0 set antenna 2 2 /* invalid */
+
+Cc: stable@vger.kernel.org
+Fixes: e0f9fdda81bd ("mt76: mt7921: add ieee80211_ops")
+Suggested-by: Knox Chiou
+Signed-off-by: Deren Wu
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -1280,7 +1280,7 @@ mt7921_set_antenna(struct ieee80211_hw *
+ return -EINVAL;
+
+ if ((BIT(hweight8(tx_ant)) - 1) != tx_ant)
+- tx_ant = BIT(ffs(tx_ant) - 1) - 1;
++ return -EINVAL;
+
+ mt7921_mutex_acquire(dev);
+
diff --git a/queue-6.1/wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch b/queue-6.1/wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch
new file mode 100644
index 00000000000..8d93397c268
--- /dev/null
+++ b/queue-6.1/wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch
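Review bot: The check `if ((BIT(hweight8(tx_ant)) - 1) != tx_ant)` now returns -EINVAL instead of quietly remapping the mask, but nothing in the code says which masks survive it; a reader has to work out that only contiguous low-bit masks (0x1 and 0x3) pass. A comment above the check, `/* only primary-only (0x1) or primary+secondary (0x3) are supported; secondary-only (0x2) is rejected */`, would make both the intent and the user-visible change (EINVAL where the old code silently altered tx_ant) explicit. mt7921_set_antenna starts before the hunk; the preceding `return -EINVAL;` is presumably the tx/rx consistency check, and it is worth confirming it ties rx_ant to tx_ant, since the new restriction is only applied to tx_ant.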
@@ -0,0 +1,52 @@
+From b642f4c5f3de0a8f47808d32b1ebd9c427a42a66 Mon Sep 17 00:00:00 2001
+From: Deren Wu
+Date: Wed, 17 May 2023 17:18:24 +0800
+Subject: wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU
+
+From: Deren Wu
+
+commit b642f4c5f3de0a8f47808d32b1ebd9c427a42a66 upstream.
+
+txs may be dropped if the frame is aggregated in AMSDU. When the problem
+shows up, some SKBs would be hold in driver to cause network stopped
+temporarily. Even if the problem can be recovered by txs timeout handling,
+mt7921 still need to disable txs in AMSDU to avoid this issue.
+
+Cc: stable@vger.kernel.org
+Fixes: 163f4d22c118 ("mt76: mt7921: add MAC support")
+Reviewed-by: Shayne Chen
+Signed-off-by: Deren Wu
+Reviewed-by: Simon Horman
+Signed-off-by: Felix Fietkau
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c
+@@ -465,6 +465,7 @@ void mt76_connac2_mac_write_txwi(struct
+ BSS_CHANGED_BEACON_ENABLED));
+ bool inband_disc = !!(changed & (BSS_CHANGED_UNSOL_BCAST_PROBE_RESP |
+ BSS_CHANGED_FILS_DISCOVERY));
++ bool amsdu_en = wcid->amsdu;
+
+ if (vif) {
+ struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv;
+@@ -524,12 +525,14 @@ void mt76_connac2_mac_write_txwi(struct
+ txwi[4] = 0;
+
+ val = FIELD_PREP(MT_TXD5_PID, pid);
+- if (pid >= MT_PACKET_ID_FIRST)
++ if (pid >= MT_PACKET_ID_FIRST) {
+ val |= MT_TXD5_TX_STATUS_HOST;
++ amsdu_en = amsdu_en && !is_mt7921(dev);
++ }
+
+ txwi[5] = cpu_to_le32(val);
+ txwi[6] = 0;
+- txwi[7] = wcid->amsdu ? cpu_to_le32(MT_TXD7_HW_AMSDU) : 0;
++ txwi[7] = amsdu_en ? cpu_to_le32(MT_TXD7_HW_AMSDU) : 0;
+
+ if (is_8023)
+ mt76_connac2_mac_write_txwi_8023(txwi, skb, wcid);
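Review bot: `amsdu_en = amsdu_en && !is_mt7921(dev);` inside the `pid >= MT_PACKET_ID_FIRST` branch carries the whole fix but gives no hint why AMSDU is tied to TX status; the connection to lost TXS on mt7921 lives only in the commit message. Add a why-comment on that line, `/* mt7921 can miss TXS for AMSDU frames, holding the skb until the txs timeout; disable HW AMSDU whenever host TX status is requested */`. The equivalent `amsdu_en &= !is_mt7921(dev);` reads more directly, but that is a matter of taste. The new `bool amsdu_en = wcid->amsdu;` hoists the wcid dereference to the declarations at the top of mt76_connac2_mac_write_txwi, whose start is outside the hunk; the old code dereferenced wcid unconditionally at txwi[7] anyway, so this should not add a new NULL path, but it is worth a glance at the caller contract.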