From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 23 Apr 2025 11:23:12 +0000 (+0200)
Subject: 6.14-stable patches
X-Git-Tag: v6.1.135~20
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=39b6bb4f39df3d66fcae4ad58af4b672ddf32dde;p=thirdparty%2Fkernel%2Fstable-queue.git

6.14-stable patches

added patches:
	wifi-ath12k-fix-invalid-entry-fetch-in-ath12k_dp_mon_srng_process.patch
---

diff --git a/queue-6.14/series b/queue-6.14/series
index 1e9b1fe215..40bb08b16a 100644
--- a/queue-6.14/series
+++ b/queue-6.14/series
@@ -238,3 +238,4 @@ revert-wifi-ath12k-fix-invalid-entry-fetch-in-ath12k_dp_mon_srng_process.patch
 mips-dec-declare-which_prom-as-static.patch
 mips-cevt-ds1287-add-missing-ds1287.h-include.patch
 mips-ds1287-match-ds1287_set_base_clock-function-types.patch
+wifi-ath12k-fix-invalid-entry-fetch-in-ath12k_dp_mon_srng_process.patch
diff --git a/queue-6.14/wifi-ath12k-fix-invalid-entry-fetch-in-ath12k_dp_mon_srng_process.patch b/queue-6.14/wifi-ath12k-fix-invalid-entry-fetch-in-ath12k_dp_mon_srng_process.patch
new file mode 100644
index 0000000000..e523dac18a
--- /dev/null
+++ b/queue-6.14/wifi-ath12k-fix-invalid-entry-fetch-in-ath12k_dp_mon_srng_process.patch
@@ -0,0 +1,45 @@
+From 63fdc4509bcf483e79548de6bc08bf3c8e504bb3 Mon Sep 17 00:00:00 2001
+From: P Praneesh <quic_ppranees@quicinc.com>
+Date: Mon, 23 Dec 2024 11:31:24 +0530
+Subject: wifi: ath12k: Fix invalid entry fetch in ath12k_dp_mon_srng_process
+
+From: P Praneesh <quic_ppranees@quicinc.com>
+
+commit 63fdc4509bcf483e79548de6bc08bf3c8e504bb3 upstream.
+
+Currently, ath12k_dp_mon_srng_process uses ath12k_hal_srng_src_get_next_entry
+to fetch the next entry from the destination ring. This is incorrect because
+ath12k_hal_srng_src_get_next_entry is intended for source rings, not destination
+rings. This leads to invalid entry fetches, causing potential data corruption or
+crashes due to accessing incorrect memory locations. This happens because the
+source ring and destination ring have different handling mechanisms and using
+the wrong function results in incorrect pointer arithmetic and ring management.
+
+To fix this issue, replace the call to ath12k_hal_srng_src_get_next_entry with
+ath12k_hal_srng_dst_get_next_entry in ath12k_dp_mon_srng_process. This ensures
+that the correct function is used for fetching entries from the destination
+ring, preventing invalid memory accesses.
+
+Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1
+Tested-on: WCN7850 hw2.0 WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3
+
+Signed-off-by: P Praneesh <quic_ppranees@quicinc.com>
+Link: https://patch.msgid.link/20241223060132.3506372-7-quic_ppranees@quicinc.com
+Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com>
+Signed-off-by: Alexander Tsoy <alexander@tsoy.me>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/ath/ath12k/dp_mon.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath12k/dp_mon.c
++++ b/drivers/net/wireless/ath/ath12k/dp_mon.c
+@@ -2054,7 +2054,7 @@ int ath12k_dp_mon_srng_process(struct at
+ 		dest_idx = 0;
+ move_next:
+ 		ath12k_dp_mon_buf_replenish(ab, buf_ring, 1);
+-		ath12k_hal_srng_src_get_next_entry(ab, srng);
++		ath12k_hal_srng_dst_get_next_entry(ab, srng);
+ 		num_buffs_reaped++;
+ 	}
+