Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168 2026-02-06T15:44:12+00:00 2026-02-06T15:44:12+00:00 Marek Vasut marex@nabladev.com 2026-01-09T23:56:29+00:00 urn:sha1:7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4 commit 4f431d88ea8093afc7ba55edf4652978c5a68f33 upstream. The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif . The RSI911x driver does however use the vif driver data to store its vif driver data structure "struct vif_priv". An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows . The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus address, which when accessed causes a crash. The trigger is very simple, boot the machine with init=/bin/sh , mount devtmpfs, sysfs, procfs, and then do "ip link set wlan0 up", "sleep 1", "ip link set wlan0 down" and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of "struct vif_priv", so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it. Cc: stable@vger.kernel.org Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") Signed-off-by: Marek Vasut <marex@nabladev.com> Link: https://patch.msgid.link/20260109235817.150330-1-marex@nabladev.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2023-07-19T14:21:07+00:00 Marek Vasut marex@denx.de 2023-05-27T22:28:59+00:00 urn:sha1:77f09d836bc92e0783982ee9bc5486325387c2dd [ Upstream commit e74f562328b03fbe9cf438f958464dff3a644dfc ] It makes no sense to set MMC_PM_KEEP_POWER in shutdown. The flag indicates to the MMC subsystem to keep the slot powered on during suspend, but in shutdown the slot should actually be powered off. Drop this call. Fixes: 063848c3e155 ("rsi: sdio: Add WOWLAN support for S5 shutdown state") Signed-off-by: Marek Vasut <marex@denx.de> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230527222859.273768-1-marex@denx.de Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-07-19T14:21:07+00:00 Marek Vasut marex@denx.de 2023-05-27T22:28:33+00:00 urn:sha1:eb205a06908122f50b1dd1baa43f7c8036bfc7dc [ Upstream commit b241e260820b68c09586e8a0ae0fc23c0e3215bd ] In case WoWlan was never configured during the operation of the system, the hw->wiphy->wowlan_config will be NULL. rsi_config_wowlan() checks whether wowlan_config is non-NULL and if it is not, then WARNs about it. The warning is valid, as during normal operation the rsi_config_wowlan() should only ever be called with non-NULL wowlan_config. In shutdown this rsi_config_wowlan() should only ever be called if WoWlan was configured before by the user. Add checks for non-NULL wowlan_config into the shutdown hook. While at it, check whether the wiphy is also non-NULL before accessing wowlan_config . Drop the single-use wowlan_config variable, just inline it into function call. Fixes: 16bbc3eb8372 ("rsi: fix null pointer dereference during rsi_shutdown()") Signed-off-by: Marek Vasut <marex@denx.de> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20230527222833.273741-1-marex@denx.de Signed-off-by: Sasha Levin <sashal@kernel.org> 2023-03-10T08:32:48+00:00 Yuan Can yuancan@huawei.com 2022-12-05T06:14:41+00:00 urn:sha1:c4f1ded67a90fb3b2e679e2c90b78921d9246044 [ Upstream commit 956fb851a6e19da5ab491e19c1bc323bb2c2cf6f ] The coex_cb needs to be freed when rsi_create_kthread() failed in rsi_coex_attach(). Fixes: 2108df3c4b18 ("rsi: add coex support") Signed-off-by: Yuan Can <yuancan@huawei.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20221205061441.114632-1-yuancan@huawei.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-12-31T12:32:09+00:00 Marek Vasut marex@denx.de 2022-11-04T16:33:39+00:00 urn:sha1:c6e31be0f72caec6b9f26afca5b3844b05ec9e2d [ Upstream commit b8f6efccbb9dc0ff5dee7e20d69a4747298ee603 ] When using wpa_supplicant v2.10, this driver is no longer able to associate with any AP and fails in the EAPOL 4-way handshake while sending the 2/4 message to the AP. The problem is not present in wpa_supplicant v2.9 or older. The problem stems from HostAP commit 144314eaa ("wpa_supplicant: Send EAPOL frames over nl80211 where available") which changes the way EAPOL frames are sent, from them being send at L2 frames to them being sent via nl80211 control port. An EAPOL frame sent as L2 frame is passed to the WiFi driver with skb->protocol ETH_P_PAE, while EAPOL frame sent via nl80211 control port has skb->protocol set to ETH_P_802_3 . The later happens in ieee80211_tx_control_port(), where the EAPOL frame is encapsulated into 802.3 frame. The rsi_91x driver handles ETH_P_PAE EAPOL frames as high-priority frames and sends them via highest-priority transmit queue, while the ETH_P_802_3 frames are sent as regular frames. The EAPOL 4-way handshake frames must be sent as highest-priority, otherwise the 4-way handshake times out. Therefore, to fix this problem, inspect the skb control flags and if flag IEEE80211_TX_CTRL_PORT_CTRL_PROTO is set, assume this is an EAPOL frame and transmit the frame via high-priority queue just like other ETH_P_PAE frames. Fixes: 0eb42586cf87 ("rsi: data packet descriptor enhancements") Signed-off-by: Marek Vasut <marex@denx.de> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20221104163339.227432-1-marex@denx.de Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-09-06T08:34:40+00:00 Johannes Berg johannes.berg@intel.com 2022-09-06T08:33:44+00:00 urn:sha1:b008f4a195af92052f69a10869a06e9c403efe63 One of my previous patches here changed the function prototype, but since it was (half?) automated, I didn't update the docs. Fix that now. Fixes: b3e2130bf5f6 ("wifi: mac80211: change QoS settings API to take link into account") Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2022-07-18T12:11:53+00:00 Jilin Yuan yuanjilin@cdjrlc.com 2022-07-10T04:30:07+00:00 urn:sha1:9a46c7d8d6f8998faff72a4f81e5b9dd523ccfbc Delete the redundant word 'the'. Signed-off-by: Jilin Yuan <yuanjilin@cdjrlc.com> Signed-off-by: Kalle Valo <kvalo@kernel.org> Link: https://lore.kernel.org/r/20220710043007.33288-1-yuanjilin@cdjrlc.com 2022-07-15T09:43:15+00:00 Johannes Berg johannes.berg@intel.com 2022-06-24T13:40:11+00:00 urn:sha1:b3e2130bf5f6c66831707cd51a8b13007137ac37 Take the link into account in the QoS settings (EDCA parameters) APIs. Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2022-07-15T09:43:11+00:00 Johannes Berg johannes.berg@intel.com 2022-07-13T19:16:37+00:00 urn:sha1:9dd9495d560a39a3f6f43e77dc8cec3666efd7f7 Remove a variable here that was now set but never used. Fixes: f276e20b182d ("wifi: mac80211: move interface config to new struct") Signed-off-by: Johannes Berg <johannes.berg@intel.com> 2022-06-20T10:57:08+00:00 Shaul Triebitz shaul.triebitz@intel.com 2022-06-06T11:25:54+00:00 urn:sha1:6e8912a503759bb8f1f01c5b761d0d45815fa6de Pass the link id through to the get_beacon and return the beacon for a specific link id. Signed-off-by: Shaul Triebitz <shaul.triebitz@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>