From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 23 Apr 2026 11:40:04 +0000 (+0200)
Subject: 6.1-stable patches
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=adef6f8191981b77922b8ce2a88eaf461e2289e4;p=thirdparty%2Fkernel%2Fstable-queue.git

6.1-stable patches

added patches:
	wifi-iwlwifi-read-txq-read_ptr-under-lock.patch
---

diff --git a/queue-6.1/series b/queue-6.1/series
index d7d671c5e1..6d8a8e53f9 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -136,3 +136,4 @@ rxrpc-fix-recvmsg-unconditional-requeue.patch
 scsi-ufs-core-fix-use-after-free-in-init-error-and-remove-paths.patch
 alsa-control-avoid-warn-for-symlink-errors.patch
 f2fs-fix-null-ptr-deref-in-f2fs_submit_page_bio.patch
+wifi-iwlwifi-read-txq-read_ptr-under-lock.patch
diff --git a/queue-6.1/wifi-iwlwifi-read-txq-read_ptr-under-lock.patch b/queue-6.1/wifi-iwlwifi-read-txq-read_ptr-under-lock.patch
new file mode 100644
index 0000000000..61dab0ce17
--- /dev/null
+++ b/queue-6.1/wifi-iwlwifi-read-txq-read_ptr-under-lock.patch
@@ -0,0 +1,46 @@
+From c2ace6300600c634553657785dfe5ea0ed688ac2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Tue, 19 Mar 2024 10:10:22 +0200
+Subject: wifi: iwlwifi: read txq->read_ptr under lock
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit c2ace6300600c634553657785dfe5ea0ed688ac2 upstream.
+
+If we read txq->read_ptr without lock, we can read the same
+value twice, then obtain the lock, and reclaim from there
+to two different places, but crucially reclaim the same
+entry twice, resulting in the WARN_ONCE() a little later.
+Fix that by reading txq->read_ptr under lock.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
+Link: https://msgid.link/20240319100755.bf4c62196504.I978a7ca56c6bd6f1bf42c15aa923ba03366a840b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+[ Change read_ptr definition according to commit
+413be839bfca9("wifi: iwlwifi: add a validity check of queue_id in iwl_txq_reclaim"). ]
+Signed-off-by: Robert Garcia <rob_garcia@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/intel/iwlwifi/queue/tx.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intel/iwlwifi/queue/tx.c
++++ b/drivers/net/wireless/intel/iwlwifi/queue/tx.c
+@@ -1555,7 +1555,7 @@ void iwl_txq_reclaim(struct iwl_trans *t
+ {
+ 	struct iwl_txq *txq = trans->txqs.txq[txq_id];
+ 	int tfd_num = iwl_txq_get_cmd_index(txq, ssn);
+-	int read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
++	int read_ptr;
+ 	int last_to_free;
+ 
+ 	/* This function is not meant to release cmd queue*/
+@@ -1563,6 +1563,7 @@ void iwl_txq_reclaim(struct iwl_trans *t
+ 		return;
+ 
+ 	spin_lock_bh(&txq->lock);
++	read_ptr = iwl_txq_get_cmd_index(txq, txq->read_ptr);
+ 
+ 	if (!test_bit(txq_id, trans->txqs.queue_used)) {
+ 		IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n",