From: Greg Kroah-Hartman Date: Wed, 22 Nov 2023 18:57:12 +0000 (+0000) Subject: 5.10-stable patches X-Git-Tag: v4.14.331~123 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b5360845ed88799b1b027502cdc2481994fc9574;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch pci-keystone-don-t-discard-.probe-callback.patch pci-keystone-don-t-discard-.remove-callback.patch regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch watchdog-move-softlockup_panic-back-to-early_param.patch wifi-ath11k-fix-dfs-radar-event-locking.patch wifi-ath11k-fix-htt-pktlog-locking.patch wifi-ath11k-fix-temperature-event-locking.patch
---
diff --git a/queue-5.10/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch b/queue-5.10/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch
new file mode 100644
index 00000000000..7f75dee64bf
--- /dev/null
+++ b/queue-5.10/acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch
@@ -0,0 +1,45 @@
+From 0da9eccde3270b832c059ad618bf66e510c75d33 Mon Sep 17 00:00:00 2001
+From: Werner Sembach
+Date: Mon, 16 Oct 2023 18:08:28 +0200
+Subject: ACPI: resource: Do IRQ override on TongFang GMxXGxx
+
+From: Werner Sembach
+
+commit 0da9eccde3270b832c059ad618bf66e510c75d33 upstream.
+
+The TongFang GMxXGxx/TUXEDO Stellaris/Pollaris Gen5 needs IRQ overriding
+for the keyboard to work.
+
+Adding an entry for this laptop to the override_table makes the internal
+keyboard functional.
+
+Signed-off-by: Werner Sembach
+Cc: All applicable
+Reviewed-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/resource.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -443,6 +443,18 @@ static const struct dmi_system_id asus_l
+ },
+ },
+ {
++ /* TongFang GMxXGxx/TUXEDO Polaris 15 Gen5 AMD */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "GMxXGxx"),
++ },
++ },
++ {
++ /* TongFang GM6XGxX/TUXEDO Stellaris 16 Gen5 AMD */
++ .matches = {
++ DMI_MATCH(DMI_BOARD_NAME, "GM6XGxX"),
++ },
++ },
++ {
+ .ident = "Asus ExpertBook B2502",
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
diff --git a/queue-5.10/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch b/queue-5.10/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch
new file mode 100644
index 00000000000..ea518db56ba
--- /dev/null
+++ b/queue-5.10/genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch
@@ -0,0 +1,82 @@
+From 5e7afb2eb7b2a7c81e9f608cbdf74a07606fd1b5 Mon Sep 17 00:00:00 2001
+From: Herve Codina
+Date: Tue, 24 Oct 2023 17:03:35 +0200
+Subject: genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
+
+From: Herve Codina
+
+commit 5e7afb2eb7b2a7c81e9f608cbdf74a07606fd1b5 upstream.
+
+irq_remove_generic_chip() calculates the Linux interrupt number for removing the
+handler and interrupt chip based on gc::irq_base as a linear function of
+the bit positions of set bits in the @msk argument.
+
+When the generic chip is present in an irq domain, i.e. created with a call
+to irq_alloc_domain_generic_chips(), gc::irq_base contains not the base
+Linux interrupt number. It contains the base hardware interrupt for this
+chip. It is set to 0 for the first chip in the domain, 0 + N for the next
+chip, where $N is the number of hardware interrupts per chip.
+
+That means the Linux interrupt number cannot be calculated based on
+gc::irq_base for irqdomain based chips without a domain map lookup, which
+is currently missing.
+
+Rework the code to take the irqdomain case into account and calculate the
+Linux interrupt number by a irqdomain lookup of the domain specific
+hardware interrupt number.
+
+[ tglx: Massage changelog. Reshuffle the logic and add a proper comment.
]
+
+Fixes: cfefd21e693d ("genirq: Add chip suspend and resume callbacks")
+Signed-off-by: Herve Codina
+Signed-off-by: Thomas Gleixner
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231024150335.322282-1-herve.codina@bootlin.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/irq/generic-chip.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/kernel/irq/generic-chip.c
++++ b/kernel/irq/generic-chip.c
+@@ -537,21 +537,34 @@ EXPORT_SYMBOL_GPL(irq_setup_alt_chip);
+ void irq_remove_generic_chip(struct irq_chip_generic *gc, u32 msk,
+ unsigned int clr, unsigned int set)
+ {
+- unsigned int i = gc->irq_base;
++ unsigned int i, virq;
+
+ raw_spin_lock(&gc_lock);
+ list_del(&gc->list);
+ raw_spin_unlock(&gc_lock);
+
+- for (; msk; msk >>= 1, i++) {
++ for (i = 0; msk; msk >>= 1, i++) {
+ if (!(msk & 0x01))
+ continue;
+
++ /*
++ * Interrupt domain based chips store the base hardware
++ * interrupt number in gc::irq_base. Otherwise gc::irq_base
++ * contains the base Linux interrupt number.
++ */
++ if (gc->domain) {
++ virq = irq_find_mapping(gc->domain, gc->irq_base + i);
++ if (!virq)
++ continue;
++ } else {
++ virq = gc->irq_base + i;
++ }
++
+ /* Remove handler first. That will mask the irq line */
+- irq_set_handler(i, NULL);
+- irq_set_chip(i, &no_irq_chip);
+- irq_set_chip_data(i, NULL);
+- irq_modify_status(i, clr, set);
++ irq_set_handler(virq, NULL);
++ irq_set_chip(virq, &no_irq_chip);
++ irq_set_chip_data(virq, NULL);
++ irq_modify_status(virq, clr, set);
+ }
+ }
+ EXPORT_SYMBOL_GPL(irq_remove_generic_chip);
diff --git a/queue-5.10/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch b/queue-5.10/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch
new file mode 100644
index 00000000000..b77d96472d4
--- /dev/null
+++ b/queue-5.10/mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch
@@ -0,0 +1,36 @@
+From 57925e16c9f7d18012bcf45bfa658f92c087981a Mon Sep 17 00:00:00 2001
+From: Rong Chen
+Date: Thu, 26 Oct 2023 15:31:56 +0800
+Subject: mmc: meson-gx: Remove setting of CMD_CFG_ERROR
+
+From: Rong Chen
+
+commit 57925e16c9f7d18012bcf45bfa658f92c087981a upstream.
+
+For the t7 and older SoC families, the CMD_CFG_ERROR has no effect.
+Starting from SoC family C3, setting this bit without SG LINK data
+address will cause the controller to generate an IRQ and stop working.
+
+To fix it, don't set the bit CMD_CFG_ERROR anymore.
+
+Fixes: 18f92bc02f17 ("mmc: meson-gx: make sure the descriptor is stopped on errors")
+Signed-off-by: Rong Chen
+Reviewed-by: Jerome Brunet
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20231026073156.2868310-1-rong.chen@amlogic.com
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/mmc/host/meson-gx-mmc.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/mmc/host/meson-gx-mmc.c
++++ b/drivers/mmc/host/meson-gx-mmc.c
+@@ -800,7 +800,6 @@ static void meson_mmc_start_cmd(struct m
+
+ cmd_cfg |= FIELD_PREP(CMD_CFG_CMD_INDEX_MASK, cmd->opcode);
+ cmd_cfg |= CMD_CFG_OWNER; /* owned by CPU */
+- cmd_cfg |= CMD_CFG_ERROR; /* stop in case of error */
+
+ meson_mmc_set_response_bits(cmd, &cmd_cfg);
+
diff --git a/queue-5.10/pci-keystone-don-t-discard-.probe-callback.patch b/queue-5.10/pci-keystone-don-t-discard-.probe-callback.patch
new file mode 100644
index 00000000000..9bb7289f49e
--- /dev/null
+++ b/queue-5.10/pci-keystone-don-t-discard-.probe-callback.patch
@@ -0,0 +1,51 @@
+From 7994db905c0fd692cf04c527585f08a91b560144 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?=
+Date: Sun, 1 Oct 2023 19:02:54 +0200
+Subject: PCI: keystone: Don't discard .probe() callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+commit 7994db905c0fd692cf04c527585f08a91b560144 upstream.
+
+The __init annotation makes the ks_pcie_probe() function disappear after
+booting completes. However a device can also be bound later. In that case,
+we try to call ks_pcie_probe(), but the backing memory is likely already
+overwritten.
+
+The right thing to do is do always have the probe callback available. Note
+that the (wrong) __refdata annotation prevented this issue to be noticed by
+modpost.
+
+Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
+Link: https://lore.kernel.org/r/20231001170254.2506508-5-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -1142,7 +1142,7 @@ static const struct of_device_id ks_pcie
+ { },
+ };
+
+-static int __init ks_pcie_probe(struct platform_device *pdev)
++static int ks_pcie_probe(struct platform_device *pdev)
+ {
+ const struct dw_pcie_host_ops *host_ops;
+ const struct dw_pcie_ep_ops *ep_ops;
+@@ -1354,7 +1354,7 @@ static int ks_pcie_remove(struct platfor
+ return 0;
+ }
+
+-static struct platform_driver ks_pcie_driver __refdata = {
++static struct platform_driver ks_pcie_driver = {
+ .probe = ks_pcie_probe,
+ .remove = ks_pcie_remove,
+ .driver = {
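Review bot: Dropping `__init` from `ks_pcie_probe()` only closes the hole if every helper on the probe path is also kept after boot; the function body lies outside these two hunks, so a callee still marked `__init` cannot be ruled out from here and would leave the same call-into-discarded-memory problem on a late bind. With `__refdata` removed from `ks_pcie_driver`, modpost should now report any such reference as a section mismatch, so the 5.10 build output for this file is worth checking for that warning before the queue is released. A one-line comment above the driver struct, e.g. `/* .probe/.remove must stay resident: devices can be bound and unbound via sysfs after boot */`, would keep the annotations from being reintroduced.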
diff --git a/queue-5.10/pci-keystone-don-t-discard-.remove-callback.patch b/queue-5.10/pci-keystone-don-t-discard-.remove-callback.patch
new file mode 100644
index 00000000000..81719ceeeb8
--- /dev/null
+++ b/queue-5.10/pci-keystone-don-t-discard-.remove-callback.patch
@@ -0,0 +1,52 @@
+From 200bddbb3f5202bbce96444fdc416305de14f547 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?=
+Date: Sun, 1 Oct 2023 19:02:53 +0200
+Subject: PCI: keystone: Don't discard .remove() callback
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+commit 200bddbb3f5202bbce96444fdc416305de14f547 upstream.
+
+With CONFIG_PCIE_KEYSTONE=y and ks_pcie_remove() marked with __exit, the
+function is discarded from the driver. In this case a bound device can
+still get unbound, e.g via sysfs. Then no cleanup code is run resulting in
+resource leaks or worse.
+
+The right thing to do is do always have the remove callback available.
+Note that this driver cannot be compiled as a module, so ks_pcie_remove()
+was always discarded before this change and modpost couldn't warn about
+this issue. Furthermore the __ref annotation also prevents a warning.
+
+Fixes: 0c4ffcfe1fbc ("PCI: keystone: Add TI Keystone PCIe driver")
+Link: https://lore.kernel.org/r/20231001170254.2506508-4-u.kleine-koenig@pengutronix.de
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Bjorn Helgaas
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pci/controller/dwc/pci-keystone.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/controller/dwc/pci-keystone.c
++++ b/drivers/pci/controller/dwc/pci-keystone.c
+@@ -1338,7 +1338,7 @@ err_link:
+ return ret;
+ }
+
+-static int __exit ks_pcie_remove(struct platform_device *pdev)
++static int ks_pcie_remove(struct platform_device *pdev)
+ {
+ struct keystone_pcie *ks_pcie = platform_get_drvdata(pdev);
+ struct device_link **link = ks_pcie->link;
+@@ -1356,7 +1356,7 @@ static int __exit ks_pcie_remove(struct
+
+ static struct platform_driver ks_pcie_driver __refdata = {
+ .probe = ks_pcie_probe,
+- .remove = __exit_p(ks_pcie_remove),
++ .remove = ks_pcie_remove,
+ .driver = {
+ .name = "keystone-pcie",
+
 .of_match_table = of_match_ptr(ks_pcie_of_match),
diff --git a/queue-5.10/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch b/queue-5.10/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch
new file mode 100644
index 00000000000..809f071c563
--- /dev/null
+++ b/queue-5.10/regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch
@@ -0,0 +1,90 @@
+From 0ec7731655de196bc1e4af99e495b38778109d22 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Thu, 26 Oct 2023 16:49:19 +0100
+Subject: regmap: Ensure range selector registers are updated after cache sync
+
+From: Mark Brown
+
+commit 0ec7731655de196bc1e4af99e495b38778109d22 upstream.
+
+When we sync the register cache we do so with the cache bypassed in order
+to avoid overhead from writing the synced values back into the cache. If
+the regmap has ranges and the selector register for those ranges is in a
+register which is cached this has the unfortunate side effect of meaning
+that the physical and cached copies of the selector register can be out of
+sync after a cache sync. The cache will have whatever the selector was when
+the sync started and the hardware will have the selector for the register
+that was synced last.
+
+Fix this by rewriting all cached selector registers after every sync,
+ensuring that the hardware and cache have the same content. This will
+result in extra writes that wouldn't otherwise be needed but is simple
+so hopefully robust. We don't read from the hardware since not all
+devices have physical read support.
+
+Given that nobody noticed this until now it is likely that we are rarely if
+ever hitting this case.
+
+Reported-by: Hector Martin
+Cc: stable@vger.kernel.org
+Signed-off-by: Mark Brown
+Link: https://lore.kernel.org/r/20231026-regmap-fix-selector-sync-v1-1-633ded82770d@kernel.org
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/base/regmap/regcache.c | 30 ++++++++++++++++++++++++++++++
+ 1 file changed, 30 insertions(+)
+
+--- a/drivers/base/regmap/regcache.c
++++ b/drivers/base/regmap/regcache.c
+@@ -325,6 +325,11 @@ static int regcache_default_sync(struct
+ return 0;
+ }
+
++static int rbtree_all(const void *key, const struct rb_node *node)
++{
++ return 0;
++}
++
+ /**
+ * regcache_sync - Sync the register cache with the hardware.
+ *
+@@ -342,6 +347,7 @@ int regcache_sync(struct regmap *map)
+ unsigned int i;
+ const char *name;
+ bool bypass;
++ struct rb_node *node;
+
+ if (WARN_ON(map->cache_type == REGCACHE_NONE))
+ return -EINVAL;
+@@ -386,6 +392,30 @@ out:
+ map->async = false;
+ map->cache_bypass = bypass;
+ map->no_sync_defaults = false;
++
++ /*
++ * If we did any paging with cache bypassed and a cached
++ * paging register then the register and cache state might
++ * have gone out of sync, force writes of all the paging
++ * registers.
++ */
++ rb_for_each(node, 0, &map->range_tree, rbtree_all) {
++ struct regmap_range_node *this =
++ rb_entry(node, struct regmap_range_node, node);
++
++ /* If there's nothing in the cache there's nothing to sync */
++ ret = regcache_read(map, this->selector_reg, &i);
++ if (ret != 0)
++ continue;
++
++ ret = _regmap_write(map, this->selector_reg, i);
++ if (ret != 0) {
++ dev_err(map->dev, "Failed to write %x = %x: %d\n",
++ this->selector_reg, i, ret);
++ break;
++ }
++ }
++
+ map->unlock(map->lock_arg);
+
+ regmap_async_complete(map);
diff --git a/queue-5.10/series b/queue-5.10/series
index 8a425962f2f..b669b69715a 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
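Review bot: In the loop added after `out:`, `ret = regcache_read(map, this->selector_reg, &i);` overwrites the status of the sync itself, and the `continue` taken on a cache miss leaves that non-zero value in `ret`. If `regcache_sync()` returns `ret` after the unlock (the return statement is outside this hunk), a successful sync would be reported as failed whenever the last range's selector is not cached, and an earlier sync error could be replaced by 0 from a later successful selector write. Keeping the lookup result local avoids the first case: `if (regcache_read(map, this->selector_reg, &i) != 0) continue;`. For the backport it is also worth confirming that the 5.10 tree's rbtree header provides `rb_for_each()`, since `rbtree_all()` exists only to feed it.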
@@ -102,3 +102,13 @@ tty-sysrq-replace-smp_processor_id-with-get_cpu.patch
 hvc-xen-fix-console-unplug.patch
 hvc-xen-fix-error-path-in-xen_hvc_init-to-always-register-frontend-driver.patch
 pci-sysfs-protect-driver-s-d3cold-preference-from-user-space.patch
+watchdog-move-softlockup_panic-back-to-early_param.patch
+acpi-resource-do-irq-override-on-tongfang-gmxxgxx.patch
+regmap-ensure-range-selector-registers-are-updated-after-cache-sync.patch
+wifi-ath11k-fix-temperature-event-locking.patch
+wifi-ath11k-fix-dfs-radar-event-locking.patch
+wifi-ath11k-fix-htt-pktlog-locking.patch
+mmc-meson-gx-remove-setting-of-cmd_cfg_error.patch
+genirq-generic_chip-make-irq_remove_generic_chip-irqdomain-aware.patch
+pci-keystone-don-t-discard-.remove-callback.patch
+pci-keystone-don-t-discard-.probe-callback.patch
diff --git a/queue-5.10/watchdog-move-softlockup_panic-back-to-early_param.patch b/queue-5.10/watchdog-move-softlockup_panic-back-to-early_param.patch
new file mode 100644
index 00000000000..0990bb615c9
--- /dev/null
+++ b/queue-5.10/watchdog-move-softlockup_panic-back-to-early_param.patch
@@ -0,0 +1,55 @@
+From 8b793bcda61f6c3ed4f5b2ded7530ef6749580cb Mon Sep 17 00:00:00 2001
+From: Krister Johansen
+Date: Fri, 27 Oct 2023 14:46:53 -0700
+Subject: watchdog: move softlockup_panic back to early_param
+
+From: Krister Johansen
+
+commit 8b793bcda61f6c3ed4f5b2ded7530ef6749580cb upstream.
+
+Setting softlockup_panic from do_sysctl_args() causes it to take effect
+later in boot. The lockup detector is enabled before SMP is brought
+online, but do_sysctl_args runs afterwards. If a user wants to set
+softlockup_panic on boot and have it trigger should a softlockup occur
+during onlining of the non-boot processors, they could do this prior to
+commit f117955a2255 ("kernel/watchdog.c: convert {soft/hard}lockup boot
+parameters to sysctl aliases"). However, after this commit the value
+of softlockup_panic is set too late to be of help for this type of
+problem. Restore the prior behavior.
+
+Signed-off-by: Krister Johansen
+Cc: stable@vger.kernel.org
+Fixes: f117955a2255 ("kernel/watchdog.c: convert {soft/hard}lockup boot parameters to sysctl aliases")
+Signed-off-by: Luis Chamberlain
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/proc/proc_sysctl.c | 1 -
+ kernel/watchdog.c | 7 +++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/proc/proc_sysctl.c
++++ b/fs/proc/proc_sysctl.c
+@@ -1767,7 +1767,6 @@ static const struct sysctl_alias sysctl_
+ {"hung_task_panic", "kernel.hung_task_panic" },
+ {"numa_zonelist_order", "vm.numa_zonelist_order" },
+ {"softlockup_all_cpu_backtrace", "kernel.softlockup_all_cpu_backtrace" },
+- {"softlockup_panic", "kernel.softlockup_panic" },
+ { }
+ };
+
+--- a/kernel/watchdog.c
++++ b/kernel/watchdog.c
+@@ -176,6 +176,13 @@ static DEFINE_PER_CPU(unsigned long, hrt
+ static DEFINE_PER_CPU(unsigned long, hrtimer_interrupts_saved);
+ static unsigned long soft_lockup_nmi_warn;
+
++static int __init softlockup_panic_setup(char *str)
++{
++ softlockup_panic = simple_strtoul(str, NULL, 0);
++ return 1;
++}
++__setup("softlockup_panic=", softlockup_panic_setup);
++
+ static int __init nowatchdog_setup(char *str)
+ {
+ watchdog_user_enabled = 0;
diff --git a/queue-5.10/wifi-ath11k-fix-dfs-radar-event-locking.patch b/queue-5.10/wifi-ath11k-fix-dfs-radar-event-locking.patch
new file mode 100644
index 00000000000..bde81374590
--- /dev/null
+++ b/queue-5.10/wifi-ath11k-fix-dfs-radar-event-locking.patch
@@ -0,0 +1,49 @@
+From 3b6c14833165f689cc5928574ebafe52bbce5f1e Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 19 Oct 2023 17:31:15 +0200
+Subject: wifi: ath11k: fix dfs radar event locking
+
+From: Johan Hovold
+
+commit 3b6c14833165f689cc5928574ebafe52bbce5f1e upstream.
+
+The ath11k active pdevs are protected by RCU but the DFS radar event
+handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a
+read-side critical section.
+
+Mark the code in question as an RCU read-side critical section to avoid
+any potential use-after-free issues.
+
+Compile tested only.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org # 5.6
+Acked-by: Jeff Johnson
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20231019153115.26401-3-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -6355,6 +6355,8 @@ ath11k_wmi_pdev_dfs_radar_detected_event
+ ev->detector_id, ev->segment_id, ev->timestamp, ev->is_chirp,
+ ev->freq_offset, ev->sidx);
+
++ rcu_read_lock();
++
+ ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id);
+
+ if (!ar) {
+@@ -6372,6 +6374,8 @@ ath11k_wmi_pdev_dfs_radar_detected_event
+ ieee80211_radar_detected(ar->hw);
+
+ exit:
++ rcu_read_unlock();
++
+ kfree(tb);
+ }
+
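Review bot: `softlockup_panic = simple_strtoul(str, NULL, 0);` in the new `softlockup_panic_setup()` never reports a parse failure: an empty or non-numeric value silently becomes 0 and trailing characters are ignored, so a mistyped `softlockup_panic=` on the command line leaves panic-on-softlockup off without any message. The commit message says this restores the earlier handler, so this is a hardening point rather than a regression. A checked parse such as `unsigned long v; if (kstrtoul(str, 0, &v)) pr_warn("softlockup_panic: invalid value '%s'\n", str); else softlockup_panic = v;` would make the failure visible; the declared type and accepted range of `softlockup_panic` are not shown in this hunk and should be confirmed.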
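Review bot: The `exit:` label in the DFS radar handler now runs `rcu_read_unlock()` unconditionally, so every `goto exit` in the function has to come after the `rcu_read_lock()` added above the `ath11k_mac_get_ar_by_pdev_id()` call; only the `!ar` path is visible and the start of the function is outside the hunk, so this should be confirmed against the 5.10 source, particularly as the patch is marked compile tested only. The same check applies to the `out:` label in the htt pktlog patch and the `exit:` label in the temperature event patch. A short comment at the lock, e.g. `/* ar is RCU-protected: valid only until rcu_read_unlock() */`, would document why `ar` must not be used past the label.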
diff --git a/queue-5.10/wifi-ath11k-fix-htt-pktlog-locking.patch b/queue-5.10/wifi-ath11k-fix-htt-pktlog-locking.patch
new file mode 100644
index 00000000000..adb353dbd50
--- /dev/null
+++ b/queue-5.10/wifi-ath11k-fix-htt-pktlog-locking.patch
@@ -0,0 +1,52 @@
+From 3f77c7d605b29df277d77e9ee75d96e7ad145d2d Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 19 Oct 2023 13:25:21 +0200
+Subject: wifi: ath11k: fix htt pktlog locking
+
+From: Johan Hovold
+
+commit 3f77c7d605b29df277d77e9ee75d96e7ad145d2d upstream.
+
+The ath11k active pdevs are protected by RCU but the htt pktlog handling
+code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a
+read-side critical section.
+
+Mark the code in question as an RCU read-side critical section to avoid
+any potential use-after-free issues.
+
+Compile tested only.
+
+Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices")
+Cc: stable@vger.kernel.org # 5.6
+Signed-off-by: Johan Hovold
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20231019112521.2071-1-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath11k/dp_rx.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
++++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
+@@ -1578,14 +1578,20 @@ static void ath11k_htt_pktlog(struct ath
+ u8 pdev_id;
+
+ pdev_id = FIELD_GET(HTT_T2H_PPDU_STATS_INFO_PDEV_ID, data->hdr);
++
++ rcu_read_lock();
++
+ ar = ath11k_mac_get_ar_by_pdev_id(ab, pdev_id);
+ if (!ar) {
+ ath11k_warn(ab, "invalid pdev id %d on htt pktlog\n", pdev_id);
+- return;
++ goto out;
+ }
+
+ trace_ath11k_htt_pktlog(ar, data->payload, hdr->size,
+ ar->ab->pktlog_defs_checksum);
++
++out:
++ rcu_read_unlock();
+ }
+
+ static void ath11k_htt_backpressure_event_handler(struct ath11k_base *ab,
diff --git a/queue-5.10/wifi-ath11k-fix-temperature-event-locking.patch b/queue-5.10/wifi-ath11k-fix-temperature-event-locking.patch
new file mode 100644
index 00000000000..9fd8b5d176b
--- /dev/null
+++ b/queue-5.10/wifi-ath11k-fix-temperature-event-locking.patch
@@ -0,0 +1,71 @@
+From 1a5352a81b4720ba43d9c899974e3bddf7ce0ce8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 19 Oct 2023 17:31:14 +0200
+Subject: wifi: ath11k: fix temperature event locking
+
+From: Johan Hovold
+
+commit 1a5352a81b4720ba43d9c899974e3bddf7ce0ce8 upstream.
+
+The ath11k active pdevs are protected by RCU but the temperature event
+handling code calling ath11k_mac_get_ar_by_pdev_id() was not marked as a
+read-side critical section as reported by RCU lockdep:
+
+ =============================
+ WARNING: suspicious RCU usage
+ 6.6.0-rc6 #7 Not tainted
+ -----------------------------
+ drivers/net/wireless/ath/ath11k/mac.c:638 suspicious rcu_dereference_check() usage!
+
+ other info that might help us debug this:
+
+ rcu_scheduler_active = 2, debug_locks = 1
+ no locks held by swapper/0/0.
+ ...
+ Call trace:
+ ...
+ lockdep_rcu_suspicious+0x16c/0x22c
+ ath11k_mac_get_ar_by_pdev_id+0x194/0x1b0 [ath11k]
+ ath11k_wmi_tlv_op_rx+0xa84/0x2c1c [ath11k]
+ ath11k_htc_rx_completion_handler+0x388/0x510 [ath11k]
+
+Mark the code in question as an RCU read-side critical section to avoid
+any potential use-after-free issues.
+
+Tested-on: WCN6855 hw2.1 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.23
+
+Fixes: a41d10348b01 ("ath11k: add thermal sensor device support")
+Cc: stable@vger.kernel.org # 5.7
+Signed-off-by: Johan Hovold
+Acked-by: Jeff Johnson
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20231019153115.26401-2-johan+linaro@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/ath/ath11k/wmi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath11k/wmi.c
++++ b/drivers/net/wireless/ath/ath11k/wmi.c
+@@ -6401,15 +6401,19 @@ ath11k_wmi_pdev_temperature_event(struct
+ ath11k_dbg(ab, ATH11K_DBG_WMI,
+ "pdev temperature ev temp %d pdev_id %d\n", ev->temp, ev->pdev_id);
+
++ rcu_read_lock();
++
+ ar = ath11k_mac_get_ar_by_pdev_id(ab, ev->pdev_id);
+ if (!ar) {
+ ath11k_warn(ab, "invalid pdev id in pdev temperature ev %d", ev->pdev_id);
+- kfree(tb);
+- return;
++ goto exit;
+ }
+
+ ath11k_thermal_event_temperature(ar, ev->temp);
+
++exit:
++ rcu_read_unlock();
++
+ kfree(tb);
+ }
+