Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.176 2026-06-19T11:37:21+00:00 2026-06-19T11:37:21+00:00 Marek Szyprowski m.szyprowski@samsung.com 2026-05-13T12:48:41+00:00 urn:sha1:d616bb10de79e5c2bd8a24230a1128aeaf715615 [ Upstream commit c623b63580880cc742255eaed3d79804c1b91143 ] Watchdog task might end between send_sig() and kthread_stop() calls, what results in the use-after-free issue. Fix this by increasing watchdog task reference count before calling send_sig() and dropping it by switching to kthread_stop_put(). Cc: stable@vger.kernel.org Fixes: 373c83a801f1 ("brcmfmac: stop watchdog before detach and free everything") Fixes: a9ffda88be74 ("brcm80211: fmac: abstract bus_stop interface function pointer") Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com> Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Link: https://patch.msgid.link/20260416093339.2066829-1-m.szyprowski@samsung.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> [ replaced kthread_stop_put() with open-coded kthread_stop() + put_task_struct() ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-06-19T11:37:19+00:00 Daniel Hodges git@danielhodges.dev 2026-04-30T17:56:43+00:00 urn:sha1:a88f5391dc68f78cae5eb6a8cd341cafee795d3d [ Upstream commit ae5e95d4157481693be2317e3ffcd84e36010cbb ] The mwifiex_adapter_cleanup() function uses timer_delete() (non-synchronous) for the wakeup_timer before the adapter structure is freed. This is incorrect because timer_delete() does not wait for any running timer callback to complete. If the wakeup_timer callback (wakeup_timer_fn) is executing when mwifiex_adapter_cleanup() is called, the callback will continue to access adapter fields (adapter->hw_status, adapter->if_ops.card_reset, etc.) which may be freed by mwifiex_free_adapter() called later in the mwifiex_remove_card() path. Use timer_delete_sync() instead to ensure any running timer callback has completed before returning. Fixes: 4636187da60b ("mwifiex: add wakeup timer based recovery mechanism") Cc: stable@vger.kernel.org Signed-off-by: Daniel Hodges <git@danielhodges.dev> Link: https://patch.msgid.link/20260206194401.2346-1-git@danielhodges.dev Signed-off-by: Johannes Berg <johannes.berg@intel.com> [ changed `timer_delete_sync()` to `del_timer_sync()` ] Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2026-06-01T15:39:41+00:00 Matthew Leach matthew.leach@collabora.com 2026-04-24T09:50:35+00:00 urn:sha1:fcb479e55b37042b8dbff02ad86c803ea080a6a2 [ Upstream commit 2a2451a34afdf563b3102d36a4b6cf335cf813e2 ] It has been observed that on certain chipsets a peer can be assigned peer_id=0. For reception of non-aggregated MPDUs this is fine as ath11k_dp_rx_h_find_peer() has a fallback case where it locates the peer based upon the source MAC address. On an aggregated link, the mpdu_start header is only populated by hardware on the first sub-MSDU. This causes the peer resolution to be skipped for the subsequent MSDUs and the encryption type of these frames to be set to an incorrect value, resulting in these MSDUs being dropped by ieee80211. ath11k_pci 0000:03:00.0: data rx skb 000000002f4b704d len 1534 peer xx:xx:xx:xx:xx:xx 0 ucast sn 3063 he160 rate_idx 9 vht_nss 2 freq 5240 band 1 flag 0x40d1a fcs-err 0 mic-err 0 amsdu-more 0 peer_id 0 first_msdu 1 last_msdu 0 ath11k_pci 0000:03:00.0: data rx skb 0000000038acd580 len 1534 peer (null) 0 ucast sn 3063 he160 rate_idx 9 vht_nss 2 freq 5240 band 1 flag 0x40d00 fcs-err 0 mic-err 0 amsdu-more 0 peer_id 0 first_msdu 0 last_msdu 1 Remove the null peer_id checks in ath11k_dp_rx_h_find_peer() and ath11k_hal_rx_parse_mon_status_tlv(), allowing peers with an assigned ID of 0 to be resolved. Tested-on: QCA2066 hw2.1 PCI WLAN.HSP.1.1-03926.13-QCAHSPSWPL_V2_SILICONZ_CE-2.52297.9 Fixes: 2167fa606c0f ("ath11k: Add support for RX decapsulation offload") Reviewed-by: Baochen Qiang <baochen.qiang@oss.qualcomm.com> Signed-off-by: Matthew Leach <matthew.leach@collabora.com> Reviewed-by: P Praneesh <praneesh.p@oss.qualcomm.com> Link: https://patch.msgid.link/20260424-ath11k-null-peerid-workaround-v4-1-252b224d3cf6@collabora.com Signed-off-by: Jeff Johnson <jeff.johnson@oss.qualcomm.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:39:41+00:00 P Praneesh quic_ppranees@quicinc.com 2023-03-24T14:57:00+00:00 urn:sha1:c7ec1a257a306307135c4fa72a349395f7fcbce1 [ Upstream commit 031ffa6c2cd305a57ccc6d610f2decd956b2e7f6 ] In QCN9074, station dump signal values display default value which is -95 dbm, since there is firmware header change for HAL_RX_MPDU_START between QCN9074 and IPQ8074 which cause wrong peer_id fetch from msdu. Fix this by updating hal_rx_mpdu_info with corresponding QCN9074 tlv format. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Signed-off-by: P Praneesh <quic_ppranees@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20230320110312.20639-1-quic_ppranees@quicinc.com Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:39:41+00:00 Sriram R quic_srirrama@quicinc.com 2022-12-02T21:37:15+00:00 urn:sha1:291d8103a9dcf4a0362678591426c7ef4d470d35 [ Upstream commit 69968f88f1770d61cae0febef805fd00d66cf6a1 ] The Destination ring control register is different for IPQ5018 when compared to IPQ8074/IPQ6018/QCN9074. Hence create a new hw ops to fetch the hash ring map for different device variants. ipq5018 hw ops is similar to qcn9074 except for this change, so reuse all the qcn9074 ops for ipq5018. Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1 Signed-off-by: Sriram R <quic_srirrama@quicinc.com> Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20221122132152.17771-8-quic_kathirve@quicinc.com Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:39:41+00:00 Sriram R quic_srirrama@quicinc.com 2022-12-02T21:37:14+00:00 urn:sha1:d0ca5aa0fe7e3a43797ed1bf8b144c59863fd65c [ Upstream commit ba60f2793d3a37a00da14bb56a26558a902d2831 ] The ipq5018_ops is initialized for IPQ5018. This is different from other platforms. Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1 Signed-off-by: Sriram R <quic_srirrama@quicinc.com> Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20221122132152.17771-7-quic_kathirve@quicinc.com Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:39:41+00:00 Sriram R quic_srirrama@quicinc.com 2022-12-02T21:37:14+00:00 urn:sha1:f9a78708302c26655de4978f786bc8493898cf29 [ Upstream commit 711b80acbdfb9667a9cf8374e13320a6e624ce73 ] IPQ5018 hal srng register address & offsets are not similar to IPQ8074/IPQ6018/QCN9074, hence define a new set of srng register group data for IPQ5018. Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1 Signed-off-by: Sriram R <quic_srirrama@quicinc.com> Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20221122132152.17771-6-quic_kathirve@quicinc.com Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:39:41+00:00 Sriram R quic_srirrama@quicinc.com 2022-12-02T21:37:14+00:00 urn:sha1:a019ee286e26d8fd5cca21dc5e768423d5687ba4 [ Upstream commit b42b3678c91f3ca6e0888bf5a15c1e8678fd5f2d ] In IPQ5018 ce register space is moved out of wcss unlike ipq8074 or ipq6018 and the space is not contiguous, hence remap the CE registers to a new space to access them. Register read/write is modified to check if the register to be written falls in the CE register space and corresponding register is written. Also adjust the interrupt register address to ce irq enable/disable. Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1 Signed-off-by: Sriram R <quic_srirrama@quicinc.com> Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20221122132152.17771-5-quic_kathirve@quicinc.com Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:39:41+00:00 Sriram R quic_srirrama@quicinc.com 2022-12-02T21:37:14+00:00 urn:sha1:967ce322434eb68743ae7b46649a3f2a285d75b7 [ Upstream commit 26af7aabd2d8225c6b2056234626ba5099610871 ] IPQ5018 is a single pdev device. Update host and target CE configurations accordingly. Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1 Signed-off-by: Sriram R <quic_srirrama@quicinc.com> Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20221122132152.17771-4-quic_kathirve@quicinc.com Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0") Signed-off-by: Sasha Levin <sashal@kernel.org> 2026-06-01T15:39:41+00:00 Sriram R quic_srirrama@quicinc.com 2022-12-02T21:37:13+00:00 urn:sha1:4b41f8114f0336e69ac61dcf1efadef319e3826a [ Upstream commit 8dfe875aa24aec68baf6702018633c84c2c1feca ] Add new compatible string for IPQ5018 and add required hw params for IPQ5018. The hw descriptors size and datapath ops are similar to QCN9074, hence reuse the same. Tested-on: IPQ5018 hw1.0 AHB WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1 Signed-off-by: Sriram R <quic_srirrama@quicinc.com> Co-developed-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Karthikeyan Kathirvel <quic_kathirve@quicinc.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20221122132152.17771-3-quic_kathirve@quicinc.com Stable-dep-of: 2a2451a34afd ("wifi: ath11k: fix peer resolution on rx path when peer_id=0") Signed-off-by: Sasha Levin <sashal@kernel.org>