PKG_NAME:=mac80211
-PKG_VERSION:=6.18.7
+PKG_VERSION:=6.18.26
PKG_RELEASE:=1
PKG_LICENSE:=GPL-2.0-only
PKG_LICENSE_FILES:=COPYING
PKG_SOURCE_URL:=https://github.com/openwrt/backports/releases/download/backports-v$(PKG_VERSION)
-PKG_HASH:=623e5cf46ca8e81fd413f4f465e2580a0143e24929f9c22ce1ba7c34f2872989
+PKG_HASH:=2ad578c6cae22f192fefd44e1449725228d4109ee781998b41dcbae872554968
PKG_SOURCE:=backports-$(PKG_VERSION).tar.zst
PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/$(if $(BUILD_VARIANT),$(PKG_NAME)-$(BUILD_VARIANT)/)backports-$(PKG_VERSION)
--- a/drivers/net/wireless/ath/ath11k/mhi.c
+++ b/drivers/net/wireless/ath/ath11k/mhi.c
-@@ -239,6 +239,34 @@ static void ath11k_mhi_op_runtime_put(st
+@@ -235,6 +235,34 @@ static void ath11k_mhi_op_runtime_put(st
{
}
static char *ath11k_mhi_op_callback_to_str(enum mhi_callback reason)
{
switch (reason) {
-@@ -260,6 +288,8 @@ static char *ath11k_mhi_op_callback_to_s
+@@ -256,6 +284,8 @@ static char *ath11k_mhi_op_callback_to_s
return "MHI_CB_FATAL_ERROR";
case MHI_CB_BW_REQ:
return "MHI_CB_BW_REQ";
default:
return "UNKNOWN";
}
-@@ -290,6 +320,9 @@ static void ath11k_mhi_op_status_cb(stru
+@@ -286,6 +316,9 @@ static void ath11k_mhi_op_status_cb(stru
queue_work(ab->workqueue_aux, &ab->reset_work);
break;
default:
break;
}
-@@ -297,22 +330,6 @@ static void ath11k_mhi_op_status_cb(stru
+@@ -293,22 +326,6 @@ static void ath11k_mhi_op_status_cb(stru
ab_pci->mhi_pre_cb = cb;
}
{
.hw_rev = ATH11K_HW_IPQ8074,
.name = "ipq8074 hw2.0",
-@@ -2521,7 +2521,8 @@ static void ath11k_core_reset(struct wor
+@@ -2576,7 +2576,8 @@ static void ath11k_core_reset(struct wor
static int ath11k_init_hw_params(struct ath11k_base *ab)
{
const struct ath11k_hw_params *hw_params = NULL;
for (i = 0; i < ARRAY_SIZE(ath11k_hw_params); i++) {
hw_params = &ath11k_hw_params[i];
-@@ -2537,7 +2538,31 @@ static int ath11k_init_hw_params(struct
+@@ -2592,7 +2593,31 @@ static int ath11k_init_hw_params(struct
ab->hw_params = *hw_params;
int pdev_idx;
struct ath11k *ar;
enum wmi_vdev_type vdev_type;
-@@ -929,24 +772,14 @@ int ath11k_reg_handle_chan_list(struct a
- (char *)reg_info->alpha2, 2))
- goto retfail;
+@@ -932,24 +775,14 @@ int ath11k_reg_handle_chan_list(struct a
+ return 0;
+ }
- /* Intersect new rules with default regd if a new country setting was
- * requested, i.e a default regd was already set during initialization
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
-@@ -4931,8 +4931,13 @@ ath11k_dp_rx_mon_merg_msdus(struct ath11
+@@ -4930,8 +4930,13 @@ ath11k_dp_rx_mon_merg_msdus(struct ath11
}
prev_buf->next = NULL;
} else if (decap_format == DP_RX_DECAP_TYPE_NATIVE_WIFI) {
u8 qos_pkt = 0;
-@@ -4958,10 +4963,13 @@ ath11k_dp_rx_mon_merg_msdus(struct ath11
+@@ -4957,10 +4962,13 @@ ath11k_dp_rx_mon_merg_msdus(struct ath11
prev_buf = msdu;
msdu = msdu->next;
}
ath11k_dbg(ab, ATH11K_DBG_DATA,
"mpdu_buf %p mpdu_buf->len %u",
prev_buf, prev_buf->len);
-@@ -5086,12 +5094,27 @@ static int ath11k_dp_rx_mon_deliver(stru
+@@ -5085,12 +5093,27 @@ static int ath11k_dp_rx_mon_deliver(stru
header = mon_skb;
struct ath12k_hw {
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
-@@ -14057,6 +14057,10 @@ static void ath12k_mac_setup(struct ath1
+@@ -14063,6 +14063,10 @@ static void ath12k_mac_setup(struct ath1
init_completion(&ar->mlo_setup_done);
init_completion(&ar->completed_11d_scan);
init_completion(&ar->regd_update_completed);
+#endif /* _ATH12K_THERMAL_ */
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
-@@ -6674,31 +6674,6 @@ static int ath12k_pull_peer_assoc_conf_e
+@@ -6673,31 +6673,6 @@ static int ath12k_pull_peer_assoc_conf_e
return 0;
}
static void ath12k_wmi_op_ep_tx_credits(struct ath12k_base *ab)
{
/* try to send pending beacons first. they take priority */
-@@ -8713,25 +8688,45 @@ static void
+@@ -8712,25 +8687,45 @@ static void
ath12k_wmi_pdev_temperature_event(struct ath12k_base *ab,
struct sk_buff *skb)
{
--- a/drivers/net/wireless/ath/ath12k/wmi.c
+++ b/drivers/net/wireless/ath/ath12k/wmi.c
-@@ -2894,6 +2894,9 @@ int ath12k_wmi_send_scan_chan_list_cmd(s
+@@ -2900,6 +2900,9 @@ int ath12k_wmi_send_scan_chan_list_cmd(s
max_chan_limit = (wmi->wmi_ab->max_msg_len[ar->pdev_idx] - len) /
sizeof(*chan_info);
--- a/drivers/net/wireless/ath/ath12k/mac.c
+++ b/drivers/net/wireless/ath/ath12k/mac.c
-@@ -7724,9 +7724,7 @@ static void ath12k_mac_setup_ht_vht_cap(
+@@ -7727,9 +7727,7 @@ static void ath12k_mac_setup_ht_vht_cap(
rate_cap_rx_chainmask);
}
--- a/drivers/net/wireless/ath/ath9k/hw.c
+++ b/drivers/net/wireless/ath/ath9k/hw.c
-@@ -2429,6 +2429,7 @@ static bool ath9k_hw_dfs_tested(struct ath_hw *ah)
+@@ -2481,6 +2481,7 @@ static bool ath9k_hw_dfs_tested(struct a
static void ath9k_gpio_cap_init(struct ath_hw *ah)
{
struct ath9k_hw_capabilities *pCap = &ah->caps;
if (AR_SREV_9271(ah)) {
pCap->num_gpio_pins = AR9271_NUM_GPIO;
-@@ -2479,6 +2480,12 @@ static void ath9k_gpio_cap_init(struct ath_hw *ah)
+@@ -2531,6 +2532,12 @@ static void ath9k_gpio_cap_init(struct a
pCap->num_gpio_pins = AR_NUM_GPIO;
pCap->gpio_mask = AR_GPIO_MASK;
}
/* ready */
return;
-@@ -4649,3 +4860,40 @@ int brcmf_sdio_sleep(struct brcmf_sdio *
+@@ -4650,3 +4861,40 @@ int brcmf_sdio_sleep(struct brcmf_sdio *
return ret;
}
}
return err;
-@@ -1550,7 +1566,11 @@ static int cfg80211_netdev_notifier_call
+@@ -1549,7 +1565,11 @@ static int cfg80211_netdev_notifier_call
SET_NETDEV_DEVTYPE(dev, &wiphy_type);
wdev->netdev = dev;
/* can only change netns with wiphy */
--- a/drivers/net/wireless/virtual/mac80211_hwsim.c
+++ b/drivers/net/wireless/virtual/mac80211_hwsim.c
-@@ -6927,6 +6927,7 @@ static void hwsim_virtio_rx_done(struct
+@@ -6926,6 +6926,7 @@ static void hwsim_virtio_rx_done(struct
static int init_vqs(struct virtio_device *vdev)
{
struct virtqueue_info vqs_info[HWSIM_NUM_VQS] = {
[HWSIM_VQ_TX] = { "tx", hwsim_virtio_tx_done },
[HWSIM_VQ_RX] = { "rx", hwsim_virtio_rx_done },
-@@ -6934,6 +6935,19 @@ static int init_vqs(struct virtio_device
+@@ -6933,6 +6934,19 @@ static int init_vqs(struct virtio_device
return virtio_find_vqs(vdev, HWSIM_NUM_VQS,
hwsim_vqs, vqs_info, NULL);
+compat-$(CPTCFG_KERNEL_6_1) += backport-genetlink.o
compat-$(CPTCFG_KERNEL_6_4) += backport-6.4.o
compat-$(CPTCFG_KERNEL_6_11) += backport-6.11.o
-
+ compat-$(CPTCFG_KERNEL_6_14) += backport-faux.o
--- a/compat/backport-genetlink.c
+++ b/compat/backport-genetlink.c
@@ -17,6 +17,7 @@
.llseek = default_llseek,
};
-@@ -348,9 +353,10 @@ static ssize_t aql_enable_write(struct f
+@@ -344,9 +349,10 @@ static ssize_t aql_enable_write(struct f
return count;
}
.llseek = default_llseek,
};
-@@ -398,9 +404,10 @@ static ssize_t force_tx_status_write(str
+@@ -394,9 +400,10 @@ static ssize_t force_tx_status_write(str
return count;
}
.llseek = default_llseek,
};
-@@ -425,8 +432,9 @@ static ssize_t reset_write(struct file *
+@@ -421,8 +428,9 @@ static ssize_t reset_write(struct file *
return count;
}
.llseek = noop_llseek,
};
#endif
-@@ -653,8 +661,9 @@ static ssize_t stats_ ##name## _read(str
+@@ -649,8 +657,9 @@ static ssize_t stats_ ##name## _read(str
print_devstats_##name); \
} \
\
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
-@@ -1872,12 +1872,6 @@ static int ieee80211_stop_ap(struct wiph
-
- __sta_info_flush(sdata, true, link_id, NULL);
+@@ -1883,12 +1883,6 @@ static int ieee80211_stop_ap(struct wiph
+ ieee80211_link_info_change_notify(sdata, link,
+ BSS_CHANGED_BEACON_ENABLED);
- ieee80211_remove_link_keys(link, &keys);
- if (!list_empty(&keys)) {
- ieee80211_free_key_list(local, &keys);
- }
-
- ieee80211_stop_mbssid(sdata);
- RCU_INIT_POINTER(link_conf->tx_bss_conf, NULL);
-
+ if (sdata->wdev.links[link_id].cac_started) {
+ chandef = link_conf->chanreq.oper;
+ wiphy_delayed_work_cancel(wiphy, &link->dfs_cac_timer_work);
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
-@@ -679,21 +679,6 @@ int wiphy_verify_iface_combinations(stru
+@@ -675,21 +675,6 @@ int wiphy_verify_iface_combinations(stru
c->limits[j].max > 1))
return -EINVAL;
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
-@@ -2526,6 +2526,13 @@ static void sta_stats_decode_rate(struct
+@@ -2527,6 +2527,13 @@ static void sta_stats_decode_rate(struct
sband = local->hw.wiphy->bands[band];
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -4086,7 +4086,7 @@ struct ieee80211_txq *ieee80211_next_txq
+@@ -4088,7 +4088,7 @@ struct ieee80211_txq *ieee80211_next_txq
if (deficit < 0)
sta->airtime[txqi->txq.ac].deficit +=
if (deficit < 0 || !aql_check) {
list_move_tail(&txqi->schedule_order,
-@@ -4231,7 +4231,8 @@ bool ieee80211_txq_may_transmit(struct i
+@@ -4233,7 +4233,8 @@ bool ieee80211_txq_may_transmit(struct i
}
sta = container_of(iter->txq.sta, struct sta_info, sta);
if (ieee80211_sta_deficit(sta, ac) < 0)
list_move_tail(&iter->schedule_order, &local->active_txqs[ac]);
}
-@@ -4239,7 +4240,7 @@ bool ieee80211_txq_may_transmit(struct i
+@@ -4241,7 +4242,7 @@ bool ieee80211_txq_may_transmit(struct i
if (sta->airtime[ac].deficit >= 0)
goto out;
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
-@@ -1428,10 +1428,12 @@ struct ieee80211_local {
+@@ -1426,10 +1426,12 @@ struct ieee80211_local {
spinlock_t handle_wake_tx_queue_lock;
u16 airtime_flags;
spin_lock_init(&local->active_txq_lock[i]);
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
-@@ -2431,13 +2431,28 @@ EXPORT_SYMBOL(ieee80211_sta_recalc_aggre
+@@ -2432,13 +2432,28 @@ EXPORT_SYMBOL(ieee80211_sta_recalc_aggre
void ieee80211_sta_update_pending_airtime(struct ieee80211_local *local,
struct sta_info *sta, u8 ac,
atomic_add(tx_airtime,
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -2556,7 +2556,7 @@ static u16 ieee80211_store_ack_skb(struc
+@@ -2558,7 +2558,7 @@ static u16 ieee80211_store_ack_skb(struc
spin_lock_irqsave(&local->ack_status_lock, flags);
id = idr_alloc(&local->ack_status_frames, ack_skb,
spin_unlock_irqrestore(&local->ack_status_lock, flags);
if (id >= 0) {
-@@ -3987,20 +3987,20 @@ begin:
+@@ -3989,20 +3989,20 @@ begin:
encap_out:
info->control.vif = vif;
}
return skb;
-@@ -4052,6 +4052,7 @@ struct ieee80211_txq *ieee80211_next_txq
+@@ -4054,6 +4054,7 @@ struct ieee80211_txq *ieee80211_next_txq
struct ieee80211_txq *ret = NULL;
struct txq_info *txqi = NULL, *head = NULL;
bool found_eligible_txq = false;
spin_lock_bh(&local->active_txq_lock[ac]);
-@@ -4075,26 +4076,26 @@ struct ieee80211_txq *ieee80211_next_txq
+@@ -4077,26 +4078,26 @@ struct ieee80211_txq *ieee80211_next_txq
if (!head)
head = txqi;
if (txqi->schedule_round == local->schedule_round[ac])
goto out;
-@@ -4161,7 +4162,8 @@ bool ieee80211_txq_airtime_check(struct
+@@ -4163,7 +4164,8 @@ bool ieee80211_txq_airtime_check(struct
return true;
if (!txq->sta)
if (unlikely(txq->tid == IEEE80211_NUM_TIDS))
return true;
-@@ -4210,15 +4212,15 @@ bool ieee80211_txq_may_transmit(struct i
+@@ -4212,15 +4214,15 @@ bool ieee80211_txq_may_transmit(struct i
spin_lock_bh(&local->active_txq_lock[ac]);
+++ /dev/null
-From: Felix Fietkau <nbd@nbd.name>
-Date: Thu, 5 Mar 2026 17:04:11 +0000
-Subject: [PATCH] mac80211: fix crash in ieee80211_chan_bw_change for AP_VLAN
- stations
-
-ieee80211_chan_bw_change() iterates all stations and accesses
-link->reserved.oper via sta->sdata->link[link_id]. For stations on
-AP_VLAN interfaces (e.g. 4addr WDS clients), sta->sdata points to
-the VLAN sdata, whose link never participates in chanctx reservations.
-This leaves link->reserved.oper zero-initialized with chan == NULL,
-causing a NULL pointer dereference in __ieee80211_sta_cap_rx_bw()
-when accessing chandef->chan->band during CSA.
-
-Resolve the VLAN sdata to its parent AP sdata using get_bss_sdata()
-before accessing link data.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
----
-
---- a/net/mac80211/chan.c
-+++ b/net/mac80211/chan.c
-@@ -441,13 +441,15 @@ static void ieee80211_chan_bw_change(str
- rcu_read_lock();
- list_for_each_entry_rcu(sta, &local->sta_list,
- list) {
-- struct ieee80211_sub_if_data *sdata = sta->sdata;
-+ struct ieee80211_sub_if_data *sdata;
- enum ieee80211_sta_rx_bandwidth new_sta_bw;
- unsigned int link_id;
-
- if (!ieee80211_sdata_running(sta->sdata))
- continue;
-
-+ sdata = get_bss_sdata(sta->sdata);
-+
- for (link_id = 0; link_id < ARRAY_SIZE(sta->sdata->link); link_id++) {
- struct ieee80211_link_data *link =
- rcu_dereference(sdata->link[link_id]);
return false;
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
-@@ -2022,6 +2022,13 @@ int ieee80211_mesh_finish_csa(struct iee
+@@ -2020,6 +2020,13 @@ int ieee80211_mesh_finish_csa(struct iee
u64 *changed);
/* scan/BSS handling */
void ieee80211_scan_work(struct wiphy *wiphy, struct wiphy_work *work);
int ieee80211_request_ibss_scan(struct ieee80211_sub_if_data *sdata,
const u8 *ssid, u8 ssid_len,
-@@ -2060,6 +2067,7 @@ void ieee80211_sched_scan_stopped_work(s
+@@ -2058,6 +2065,7 @@ void ieee80211_sched_scan_stopped_work(s
/* off-channel/mgmt-tx */
void ieee80211_offchannel_stop_vifs(struct ieee80211_local *local);
void ieee80211_offchannel_return(struct ieee80211_local *local);
void ieee80211_roc_setup(struct ieee80211_local *local);
void ieee80211_start_next_roc(struct ieee80211_local *local);
void ieee80211_reconfig_roc(struct ieee80211_local *local);
-@@ -2719,6 +2727,8 @@ bool ieee80211_chandef_s1g_oper(struct i
+@@ -2717,6 +2725,8 @@ bool ieee80211_chandef_s1g_oper(struct i
struct cfg80211_chan_def *chandef);
void ieee80211_chandef_downgrade(struct cfg80211_chan_def *chandef,
struct ieee80211_conn_settings *conn);
static inline void
ieee80211_chanreq_downgrade(struct ieee80211_chan_req *chanreq,
struct ieee80211_conn_settings *conn)
-@@ -2775,7 +2785,7 @@ void ieee80211_recalc_chanctx_min_def(st
+@@ -2773,7 +2783,7 @@ void ieee80211_recalc_chanctx_min_def(st
struct ieee80211_chanctx *ctx,
struct ieee80211_link_data *rsvd_for,
bool check_reserved);
list_add_tail(&roc->list, &local->roc_list);
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
-@@ -586,25 +586,72 @@ static int ieee80211_start_sw_scan(struc
+@@ -591,25 +591,72 @@ static int ieee80211_start_sw_scan(struc
return 0;
}
}
return true;
-@@ -612,12 +659,12 @@ static bool __ieee80211_can_leave_ch(str
+@@ -617,12 +664,12 @@ static bool __ieee80211_can_leave_ch(str
static bool ieee80211_can_scan(struct ieee80211_local *local,
struct ieee80211_sub_if_data *sdata,
return false;
if (sdata->vif.type == NL80211_IFTYPE_STATION &&
-@@ -629,19 +676,22 @@ static bool ieee80211_can_scan(struct ie
+@@ -634,19 +681,22 @@ static bool ieee80211_can_scan(struct ie
void ieee80211_run_deferred_scan(struct ieee80211_local *local)
{
return;
wiphy_delayed_work_queue(local->hw.wiphy, &local->scan_work,
-@@ -724,6 +774,7 @@ static int __ieee80211_start_scan(struct
+@@ -729,6 +779,7 @@ static int __ieee80211_start_scan(struct
{
struct ieee80211_local *local = sdata->local;
bool hw_scan = local->ops->hw_scan;
int rc;
lockdep_assert_wiphy(local->hw.wiphy);
-@@ -738,10 +789,11 @@ static int __ieee80211_start_scan(struct
+@@ -743,10 +794,11 @@ static int __ieee80211_start_scan(struct
!(sdata->vif.active_links & BIT(req->tsf_report_link_id)))
return -EINVAL;
* the suspend->resume cycle. Since we can't check each caller
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
-@@ -2943,6 +2943,9 @@ bool cfg80211_radio_chandef_valid(const
+@@ -2945,6 +2945,9 @@ bool cfg80211_radio_chandef_valid(const
{
u32 freq, width;
}
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
-@@ -2839,6 +2839,11 @@ u8 *ieee80211_get_bssid(struct ieee80211
+@@ -2837,6 +2837,11 @@ u8 *ieee80211_get_bssid(struct ieee80211
extern const struct ethtool_ops ieee80211_ethtool_ops;
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
-@@ -2977,6 +2977,29 @@ static void sta_set_link_sinfo(struct st
+@@ -2980,6 +2980,29 @@ static void sta_set_link_sinfo(struct st
}
}
void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo,
bool tidstats)
{
-@@ -3201,6 +3224,8 @@ void sta_set_sinfo(struct sta_info *sta,
+@@ -3205,6 +3228,8 @@ void sta_set_sinfo(struct sta_info *sta,
sinfo->sta_flags.set |= BIT(NL80211_STA_FLAG_TDLS_PEER);
thr = sta_get_expected_throughput(sta);
+}
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
-@@ -2859,6 +2859,8 @@ void ieee80211_destroy_frag_cache(struct
+@@ -2857,6 +2857,8 @@ void ieee80211_destroy_frag_cache(struct
u8 ieee80211_ie_len_eht_cap(struct ieee80211_sub_if_data *sdata);
struct ieee80211_supported_band *sband,
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
-@@ -1630,7 +1630,15 @@ static void ieee80211_iface_process_skb(
+@@ -1634,7 +1634,15 @@ static void ieee80211_iface_process_skb(
}
} else if (ieee80211_is_action(mgmt->frame_control) &&
mgmt->u.action.category == WLAN_CATEGORY_PROTECTED_EHT) {
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
-@@ -3252,7 +3252,10 @@ void sta_set_sinfo(struct sta_info *sta,
+@@ -3256,7 +3256,10 @@ void sta_set_sinfo(struct sta_info *sta,
struct link_sta_info *link_sta;
int link_id;
projects / thirdparty / openwrt.git / commitdiff
