From ff58560dbba5d29a9a42433fb576ff25697e28ff Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 11 Aug 2022 15:54:06 +0200
Subject: [PATCH] 5.10-stable patches

added patches:
	wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch
	wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch
	wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch
---
 queue-5.10/series                             |  3 +
 ...im-add-back-erroneously-removed-cast.patch | 33 +++++++
 ...fix-race-condition-in-pending-packet.patch | 88 +++++++++++++++++++
 ...mac80211_hwsim-use-32-bit-skb-cookie.patch | 65 ++++++++++++++
 4 files changed, 189 insertions(+)
 create mode 100644 queue-5.10/wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch
 create mode 100644 queue-5.10/wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch
 create mode 100644 queue-5.10/wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch

diff --git a/queue-5.10/series b/queue-5.10/series
index 49602482bb0..74d2323f4f1 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -5,3 +5,6 @@ scsi-revert-scsi-qla2xxx-fix-disk-failure-to-rediscover.patch
 alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-probing.patch
 alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch
 alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb0xxx.patch
+wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch
+wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch
+wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch
diff --git a/queue-5.10/wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch b/queue-5.10/wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch
new file mode 100644
index 00000000000..24af2417fb5
--- /dev/null
+++ b/queue-5.10/wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch
@@ -0,0 +1,33 @@
+From 58b6259d820d63c2adf1c7541b54cce5a2ae6073 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 11 Jul 2022 13:14:24 +0200
+Subject: wifi: mac80211_hwsim: add back erroneously removed cast
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 58b6259d820d63c2adf1c7541b54cce5a2ae6073 upstream.
+
+The robots report that we're now casting to a differently
+sized integer, which is correct, and the previous patch
+had erroneously removed it.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Jeongik Cha <jeongik@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3540,7 +3540,7 @@ static int hwsim_tx_info_frame_received_
+ 		u64 skb_cookie;
+ 
+ 		txi = IEEE80211_SKB_CB(skb);
+-		skb_cookie = (u64)txi->rate_driver_data[0];
++		skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
+ 
+ 		if (skb_cookie == ret_skb_cookie) {
+ 			__skb_unlink(skb, &data2->pending);
diff --git a/queue-5.10/wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch b/queue-5.10/wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch
new file mode 100644
index 00000000000..72addf86013
--- /dev/null
+++ b/queue-5.10/wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch
@@ -0,0 +1,88 @@
+From 4ee186fa7e40ae06ebbfbad77e249e3746e14114 Mon Sep 17 00:00:00 2001
+From: Jeongik Cha <jeongik@google.com>
+Date: Mon, 4 Jul 2022 17:43:54 +0900
+Subject: wifi: mac80211_hwsim: fix race condition in pending packet
+
+From: Jeongik Cha <jeongik@google.com>
+
+commit 4ee186fa7e40ae06ebbfbad77e249e3746e14114 upstream.
+
+A pending packet uses a cookie as an unique key, but it can be duplicated
+because it didn't use atomic operators.
+
+And also, a pending packet can be null in hwsim_tx_info_frame_received_nl
+due to race condition with mac80211_hwsim_stop.
+
+For this,
+ * Use an atomic type and operator for a cookie
+ * Add a lock around the loop for pending packets
+
+Signed-off-by: Jeongik Cha <jeongik@google.com>
+Link: https://lore.kernel.org/r/20220704084354.3556326-1-jeongik@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c |   14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -593,7 +593,7 @@ struct mac80211_hwsim_data {
+ 	bool ps_poll_pending;
+ 	struct dentry *debugfs;
+ 
+-	uintptr_t pending_cookie;
++	atomic64_t pending_cookie;
+ 	struct sk_buff_head pending;	/* packets pending */
+ 	/*
+ 	 * Only radios in the same group can communicate together (the
+@@ -1200,7 +1200,7 @@ static void mac80211_hwsim_tx_frame_nl(s
+ 	int i;
+ 	struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];
+ 	struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];
+-	uintptr_t cookie;
++	u64 cookie;
+ 
+ 	if (data->ps != PS_DISABLED)
+ 		hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
+@@ -1269,8 +1269,7 @@ static void mac80211_hwsim_tx_frame_nl(s
+ 		goto nla_put_failure;
+ 
+ 	/* We create a cookie to identify this skb */
+-	data->pending_cookie++;
+-	cookie = data->pending_cookie;
++	cookie = (u64)atomic64_inc_return(&data->pending_cookie);
+ 	info->rate_driver_data[0] = (void *)cookie;
+ 	if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))
+ 		goto nla_put_failure;
+@@ -3508,6 +3507,7 @@ static int hwsim_tx_info_frame_received_
+ 	const u8 *src;
+ 	unsigned int hwsim_flags;
+ 	int i;
++	unsigned long flags;
+ 	bool found = false;
+ 
+ 	if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] ||
+@@ -3535,18 +3535,20 @@ static int hwsim_tx_info_frame_received_
+ 	}
+ 
+ 	/* look for the skb matching the cookie passed back from user */
++	spin_lock_irqsave(&data2->pending.lock, flags);
+ 	skb_queue_walk_safe(&data2->pending, skb, tmp) {
+ 		u64 skb_cookie;
+ 
+ 		txi = IEEE80211_SKB_CB(skb);
+-		skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
++		skb_cookie = (u64)txi->rate_driver_data[0];
+ 
+ 		if (skb_cookie == ret_skb_cookie) {
+-			skb_unlink(skb, &data2->pending);
++			__skb_unlink(skb, &data2->pending);
+ 			found = true;
+ 			break;
+ 		}
+ 	}
++	spin_unlock_irqrestore(&data2->pending.lock, flags);
+ 
+ 	/* not found */
+ 	if (!found)
diff --git a/queue-5.10/wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch b/queue-5.10/wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch
new file mode 100644
index 00000000000..af96620e355
--- /dev/null
+++ b/queue-5.10/wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch
@@ -0,0 +1,65 @@
+From cc5250cdb43d444061412df7fae72d2b4acbdf97 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 13 Jul 2022 21:16:45 +0200
+Subject: wifi: mac80211_hwsim: use 32-bit skb cookie
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit cc5250cdb43d444061412df7fae72d2b4acbdf97 upstream.
+
+We won't really have enough skbs to need a 64-bit cookie,
+and on 32-bit platforms storing the 64-bit cookie into the
+void *rate_driver_data doesn't work anyway. Switch back to
+using just a 32-bit cookie and uintptr_t for the type to
+avoid compiler warnings about all this.
+
+Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Jeongik Cha <jeongik@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -593,7 +593,7 @@ struct mac80211_hwsim_data {
+ 	bool ps_poll_pending;
+ 	struct dentry *debugfs;
+ 
+-	atomic64_t pending_cookie;
++	atomic_t pending_cookie;
+ 	struct sk_buff_head pending;	/* packets pending */
+ 	/*
+ 	 * Only radios in the same group can communicate together (the
+@@ -1200,7 +1200,7 @@ static void mac80211_hwsim_tx_frame_nl(s
+ 	int i;
+ 	struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];
+ 	struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];
+-	u64 cookie;
++	uintptr_t cookie;
+ 
+ 	if (data->ps != PS_DISABLED)
+ 		hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
+@@ -1269,7 +1269,7 @@ static void mac80211_hwsim_tx_frame_nl(s
+ 		goto nla_put_failure;
+ 
+ 	/* We create a cookie to identify this skb */
+-	cookie = (u64)atomic64_inc_return(&data->pending_cookie);
++	cookie = atomic_inc_return(&data->pending_cookie);
+ 	info->rate_driver_data[0] = (void *)cookie;
+ 	if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))
+ 		goto nla_put_failure;
+@@ -3537,10 +3537,10 @@ static int hwsim_tx_info_frame_received_
+ 	/* look for the skb matching the cookie passed back from user */
+ 	spin_lock_irqsave(&data2->pending.lock, flags);
+ 	skb_queue_walk_safe(&data2->pending, skb, tmp) {
+-		u64 skb_cookie;
++		uintptr_t skb_cookie;
+ 
+ 		txi = IEEE80211_SKB_CB(skb);
+-		skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
++		skb_cookie = (uintptr_t)txi->rate_driver_data[0];
+ 
+ 		if (skb_cookie == ret_skb_cookie) {
+ 			__skb_unlink(skb, &data2->pending);
-- 
2.47.3