From: Greg Kroah-Hartman Date: Sat, 2 Sep 2023 13:34:13 +0000 (+0200) Subject: 6.4-stable patches X-Git-Tag: v6.5.2~30 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fa2cd381824a379613b2a1aa95ddc9729075d09c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.4-stable patches added patches: wifi-ath11k-cleanup-mac80211-references-on-failure-during-tx_complete.patch wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be-found.patch wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch wifi-rtw88-usb-kill-and-free-rx-urbs-on-probe-failure.patch --- diff --git a/queue-6.4/series b/queue-6.4/series index 1ccd1136f05..b17cd3842eb 100644 --- a/queue-6.4/series +++ b/queue-6.4/series @@ -15,3 +15,8 @@ usb-dwc3-meson-g12a-do-post-init-to-fix-broken-usb-after-resumption.patch usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch hid-wacom-remove-the-battery-when-the-ekr-is-off.patch staging-rtl8712-fix-race-condition.patch +wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch +wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch +wifi-rtw88-usb-kill-and-free-rx-urbs-on-probe-failure.patch +wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be-found.patch +wifi-ath11k-cleanup-mac80211-references-on-failure-during-tx_complete.patch diff --git a/queue-6.4/wifi-ath11k-cleanup-mac80211-references-on-failure-during-tx_complete.patch b/queue-6.4/wifi-ath11k-cleanup-mac80211-references-on-failure-during-tx_complete.patch new file mode 100644 index 00000000000..7158d80afff --- /dev/null +++ b/queue-6.4/wifi-ath11k-cleanup-mac80211-references-on-failure-during-tx_complete.patch @@ -0,0 +1,55 @@ +From 29d15589f084d71a4ea8c544039c5839db0236e2 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Tue, 22 Aug 2023 16:42:24 +0300 +Subject: wifi: ath11k: Cleanup mac80211 references on failure during tx_complete + +From: Sven Eckelmann + +commit 29d15589f084d71a4ea8c544039c5839db0236e2 upstream. + +When a function is using functions from mac80211 to free an skb then it +should do it consistently and not switch to the generic dev_kfree_skb_any +(or similar functions). Otherwise (like in the error handlers), mac80211 +will will not be aware of the freed skb and thus not clean up related +information in its internal data structures. + +Not doing so lead in the past to filled up structure which then prevented +new clients to connect. + +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Fixes: 6257c702264c ("wifi: ath11k: fix tx status reporting in encap offload mode") +Cc: stable@vger.kernel.org +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230802-ath11k-ack_status_leak-v2-2-c0af729d6229@narfation.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/dp_tx.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/dp_tx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c +@@ -344,7 +344,7 @@ ath11k_dp_tx_htt_tx_complete_buf(struct + dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); + + if (!skb_cb->vif) { +- dev_kfree_skb_any(msdu); ++ ieee80211_free_txskb(ar->hw, msdu); + return; + } + +@@ -566,12 +566,12 @@ static void ath11k_dp_tx_complete_msdu(s + dma_unmap_single(ab->dev, skb_cb->paddr, msdu->len, DMA_TO_DEVICE); + + if (unlikely(!rcu_access_pointer(ab->pdevs_active[ar->pdev_idx]))) { +- dev_kfree_skb_any(msdu); ++ ieee80211_free_txskb(ar->hw, msdu); + return; + } + + if (unlikely(!skb_cb->vif)) { +- dev_kfree_skb_any(msdu); ++ ieee80211_free_txskb(ar->hw, msdu); + return; + } + diff --git a/queue-6.4/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be-found.patch b/queue-6.4/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be-found.patch new file mode 100644 index 00000000000..20e74a3ae80 --- /dev/null +++ b/queue-6.4/wifi-ath11k-don-t-drop-tx_status-when-peer-cannot-be-found.patch @@ -0,0 +1,58 @@ +From 400ece6c7f346b0a30867bd00b03b5b2563d4357 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Tue, 22 Aug 2023 16:42:24 +0300 +Subject: wifi: ath11k: Don't drop tx_status when peer cannot be found + +From: Sven Eckelmann + +commit 400ece6c7f346b0a30867bd00b03b5b2563d4357 upstream. + +When a station idles for a long time, hostapd will try to send a QoS Null +frame to the station as "poll". NL80211_CMD_PROBE_CLIENT is used for this +purpose. And the skb will be added to ack_status_frame - waiting for a +completion via ieee80211_report_ack_skb(). + +But when the peer was already removed before the tx_complete arrives, the +peer will be missing. And when using dev_kfree_skb_any (instead of going +through mac80211), the entry will stay inside ack_status_frames. This IDR +will therefore run full after 8K request were generated for such clients. +At this point, the access point will then just stall and not allow any new +clients because idr_alloc() for ack_status_frame will fail. + +ieee80211_free_txskb() on the other hand will (when required) call +ieee80211_report_ack_skb() and make sure that (when required) remove the +entry from the ack_status_frame. + +Tested-on: IPQ6018 hw1.0 WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 + +Fixes: 6257c702264c ("wifi: ath11k: fix tx status reporting in encap offload mode") +Fixes: 94739d45c388 ("ath11k: switch to using ieee80211_tx_status_ext()") +Cc: stable@vger.kernel.org +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230802-ath11k-ack_status_leak-v2-1-c0af729d6229@narfation.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/dp_tx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/dp_tx.c ++++ b/drivers/net/wireless/ath/ath11k/dp_tx.c +@@ -369,7 +369,7 @@ ath11k_dp_tx_htt_tx_complete_buf(struct + "dp_tx: failed to find the peer with peer_id %d\n", + ts->peer_id); + spin_unlock_bh(&ab->base_lock); +- dev_kfree_skb_any(msdu); ++ ieee80211_free_txskb(ar->hw, msdu); + return; + } + spin_unlock_bh(&ab->base_lock); +@@ -624,7 +624,7 @@ static void ath11k_dp_tx_complete_msdu(s + "dp_tx: failed to find the peer with peer_id %d\n", + ts->peer_id); + spin_unlock_bh(&ab->base_lock); +- dev_kfree_skb_any(msdu); ++ ieee80211_free_txskb(ar->hw, msdu); + return; + } + arsta = (struct ath11k_sta *)peer->sta->drv_priv; diff --git a/queue-6.4/wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch b/queue-6.4/wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch new file mode 100644 index 00000000000..29d893c8e2d --- /dev/null +++ b/queue-6.4/wifi-mt76-mt7921-do-not-support-one-stream-on-secondary-antenna-only.patch @@ -0,0 +1,42 @@ +From d616d3680264beb9a9d2c4fc681064b06f447eeb Mon Sep 17 00:00:00 2001 +From: Deren Wu +Date: Wed, 10 May 2023 14:51:13 +0800 +Subject: wifi: mt76: mt7921: do not support one stream on secondary antenna only + +From: Deren Wu + +commit d616d3680264beb9a9d2c4fc681064b06f447eeb upstream. + +mt7921 support following antenna combiantions only. +* primary + secondary (2x2) +* primary only (1x1) + +Since we cannot work on secondary antenna only, return error if the +antenna bitmap is 0x2 in .set_antenna(). + +For example: +iw phy0 set antenna 3 3 /* valid */ +iw phy0 set antenna 1 1 /* valid */ +iw phy0 set antenna 2 2 /* invalid */ + +Cc: stable@vger.kernel.org +Fixes: e0f9fdda81bd ("mt76: mt7921: add ieee80211_ops") +Suggested-by: Knox Chiou +Signed-off-by: Deren Wu +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -1363,7 +1363,7 @@ mt7921_set_antenna(struct ieee80211_hw * + return -EINVAL; + + if ((BIT(hweight8(tx_ant)) - 1) != tx_ant) +- tx_ant = BIT(ffs(tx_ant) - 1) - 1; ++ return -EINVAL; + + mt7921_mutex_acquire(dev); + diff --git a/queue-6.4/wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch b/queue-6.4/wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch new file mode 100644 index 00000000000..2c58b8d25be --- /dev/null +++ b/queue-6.4/wifi-mt76-mt7921-fix-skb-leak-by-txs-missing-in-amsdu.patch @@ -0,0 +1,52 @@ +From b642f4c5f3de0a8f47808d32b1ebd9c427a42a66 Mon Sep 17 00:00:00 2001 +From: Deren Wu +Date: Wed, 17 May 2023 17:18:24 +0800 +Subject: wifi: mt76: mt7921: fix skb leak by txs missing in AMSDU + +From: Deren Wu + +commit b642f4c5f3de0a8f47808d32b1ebd9c427a42a66 upstream. + +txs may be dropped if the frame is aggregated in AMSDU. When the problem +shows up, some SKBs would be hold in driver to cause network stopped +temporarily. Even if the problem can be recovered by txs timeout handling, +mt7921 still need to disable txs in AMSDU to avoid this issue. + +Cc: stable@vger.kernel.org +Fixes: 163f4d22c118 ("mt76: mt7921: add MAC support") +Reviewed-by: Shayne Chen +Signed-off-by: Deren Wu +Reviewed-by: Simon Horman +Signed-off-by: Felix Fietkau +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c ++++ b/drivers/net/wireless/mediatek/mt76/mt76_connac_mac.c +@@ -495,6 +495,7 @@ void mt76_connac2_mac_write_txwi(struct + BSS_CHANGED_BEACON_ENABLED)); + bool inband_disc = !!(changed & (BSS_CHANGED_UNSOL_BCAST_PROBE_RESP | + BSS_CHANGED_FILS_DISCOVERY)); ++ bool amsdu_en = wcid->amsdu; + + if (vif) { + struct mt76_vif *mvif = (struct mt76_vif *)vif->drv_priv; +@@ -554,12 +555,14 @@ void mt76_connac2_mac_write_txwi(struct + txwi[4] = 0; + + val = FIELD_PREP(MT_TXD5_PID, pid); +- if (pid >= MT_PACKET_ID_FIRST) ++ if (pid >= MT_PACKET_ID_FIRST) { + val |= MT_TXD5_TX_STATUS_HOST; ++ amsdu_en = amsdu_en && !is_mt7921(dev); ++ } + + txwi[5] = cpu_to_le32(val); + txwi[6] = 0; +- txwi[7] = wcid->amsdu ? cpu_to_le32(MT_TXD7_HW_AMSDU) : 0; ++ txwi[7] = amsdu_en ? cpu_to_le32(MT_TXD7_HW_AMSDU) : 0; + + if (is_8023) + mt76_connac2_mac_write_txwi_8023(txwi, skb, wcid); diff --git a/queue-6.4/wifi-rtw88-usb-kill-and-free-rx-urbs-on-probe-failure.patch b/queue-6.4/wifi-rtw88-usb-kill-and-free-rx-urbs-on-probe-failure.patch new file mode 100644 index 00000000000..b68d45360ee --- /dev/null +++ b/queue-6.4/wifi-rtw88-usb-kill-and-free-rx-urbs-on-probe-failure.patch @@ -0,0 +1,58 @@ +From 290564367ab7fa7e2048bdc00d9c0ad016b41eea Mon Sep 17 00:00:00 2001 +From: Sascha Hauer +Date: Wed, 23 Aug 2023 09:50:21 +0200 +Subject: wifi: rtw88: usb: kill and free rx urbs on probe failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sascha Hauer + +commit 290564367ab7fa7e2048bdc00d9c0ad016b41eea upstream. + +After rtw_usb_alloc_rx_bufs() has been called rx urbs have been +allocated and must be freed in the error path. After rtw_usb_init_rx() +has been called they are submitted, so they also must be killed. + +Add these forgotten steps to the probe error path. + +Besides the lost memory this also fixes a problem when the driver +fails to download the firmware in rtw_chip_info_setup(). In this +case it can happen that the completion of the rx urbs handler runs +at a time when we already freed our data structures resulting in +a kernel crash. + +Fixes: a82dfd33d123 ("wifi: rtw88: Add common USB chip support") +Cc: stable@vger.kernel.org +Reported-by: Ilgaz Öcal +Signed-off-by: Sascha Hauer +Acked-by: Larry Finger +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230823075021.588596-1-s.hauer@pengutronix.de +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/realtek/rtw88/usb.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtw88/usb.c ++++ b/drivers/net/wireless/realtek/rtw88/usb.c +@@ -837,7 +837,7 @@ int rtw_usb_probe(struct usb_interface * + + ret = rtw_core_init(rtwdev); + if (ret) +- goto err_release_hw; ++ goto err_free_rx_bufs; + + ret = rtw_usb_intf_init(rtwdev, intf); + if (ret) { +@@ -883,6 +883,9 @@ err_destroy_usb: + err_deinit_core: + rtw_core_deinit(rtwdev); + ++err_free_rx_bufs: ++ rtw_usb_free_rx_bufs(rtwusb); ++ + err_release_hw: + ieee80211_free_hw(hw); +