Commit 0e3c08f1 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'wireless-2026-05-21' of... 

Merge tag 'wireless-2026-05-21' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

Johannes Berg says:

====================
Quite a few more updates:
 - cfg80211/mac80211:
   - various security(-ish) fixes
   - fix A-MSDU subframe handling
   - fix multi-link element parsing
 - ath10: avoid sending commands to dead device
 - ath11k:
   - fix WMI buffer leaks on error conditions
   - fix UAF in RX MSDU coalesce path
   - allow peer ID 0 on RX path (legal for mobile devices)
   - reinitialize shared SRNG pointers on restart
 - ath12k:
   - fix 20 MHz-only parsing of EHT-MCS map
 - iwlwifi:
   - fix TSO segmentation explosion
   - don't TX to dead device
   - fix warning in WoWLAN
   - fix TX rates on old devices
   - disconnect on beacon loss only if also no other traffic
   - fill NULL-ptr deref
   - fix STEP_URM hardware access

* tag 'wireless-2026-05-21' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: (24 commits)
  wifi: cfg80211: wext: validate chandef in monitor mode
  wifi: mac80211: consume only present negotiated TTLM maps
  wifi: wilc1000: fix dma_buffer leak on bus acquire failure
  wifi: mac80211: capture fast-RX rate before mesh reuses skb->cb
  wifi: mac80211: fix multi-link element inheritance
  wifi: mac80211: fix MLE defragmentation
  wifi: mac80211: don't override max_amsdu_subframes
  wifi: mac80211: bounds-check link_id in ieee80211_ml_epcs
  wifi: ath12k: fix EHT TX MCS limitation due to wrong 20 MHz-only parsing
  wifi: ath11k: clear shared SRNG pointer state on restart
  wifi: ath11k: fix use after free in ath11k_dp_rx_msdu_coalesce()
  wifi: ath11k: fix peer resolution on rx path when peer_id=0
  wifi: iwlwifi: mld: disconnect only after 6 beacons without Rx
  wifi: iwlwifi: mld: don't WARN on WoWLAN suspend w/o BSS vif
  wifi: iwlwifi: use correct function to read STEP_URM register
  wifi: iwlwifi: mvm: fix driver-set TX rates on old devices
  wifi: iwlwifi: mld: don't dereference a pointer before NULL checking it
  wifi: iwlwifi: mld: stop TX during firmware restart
  wifi: iwlwifi: mld: fix TSO segmentation explosion when AMSDU is disabled
  wifi: ath10k: skip WMI and beacon transmission when device is wedged
  ...
====================

Link: https://patch.msgid.link/20260521152903.374070-3-johannes@sipsolutions.net


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents c33f944a dc14686f

drivers/net/wireless/ath/ath10k/wmi.c

+7 −8
Original line number Diff line number Diff line
@@ -3,7 +3,6 @@ 
 * Copyright (c) 2005-2011 Atheros Communications Inc.

 * Copyright (c) 2011-2017 Qualcomm Atheros, Inc.

 * Copyright (c) 2018-2019, The Linux Foundation. All rights reserved.

 * Copyright (c) 2021-2024 Qualcomm Innovation Center, Inc. All rights reserved.

 * Copyright (c) Qualcomm Technologies, Inc. and/or its subsidiaries.

 */
@@ -1947,7 +1946,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id) 
			ret = -ESHUTDOWN;

			ath10k_dbg(ar, ATH10K_DBG_WMI,

				   "drop wmi command %d, hardware is wedged\n", cmd_id);

		}

		} else {

			/* try to send pending beacons first. they take priority */

			ath10k_wmi_tx_beacons_nowait(ar);
@@ -1955,7 +1954,7 @@ int ath10k_wmi_cmd_send(struct ath10k *ar, struct sk_buff *skb, u32 cmd_id) 


			if (ret && test_bit(ATH10K_FLAG_CRASH_FLUSH, &ar->dev_flags))

				ret = -ESHUTDOWN;



		}

		(ret != -EAGAIN);

	}), 3 * HZ);

drivers/net/wireless/ath/ath11k/dp_rx.c

+5 −4
Original line number Diff line number Diff line
@@ -1761,6 +1761,7 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, 
	int buf_first_hdr_len, buf_first_len;

	struct hal_rx_desc *ldesc;

	int space_extra, rem_len, buf_len;

	bool is_continuation;

	u32 hal_rx_desc_sz = ar->ab->hw_params.hal_desc_sz;



	/* As the msdu is spread across multiple rx buffers,
@@ -1810,7 +1811,8 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, 
	rem_len = msdu_len - buf_first_len;

	while ((skb = __skb_dequeue(msdu_list)) != NULL && rem_len > 0) {

		rxcb = ATH11K_SKB_RXCB(skb);

		if (rxcb->is_continuation)

		is_continuation = rxcb->is_continuation;

		if (is_continuation)

			buf_len = DP_RX_BUFFER_SIZE - hal_rx_desc_sz;

		else

			buf_len = rem_len;
@@ -1828,7 +1830,7 @@ static int ath11k_dp_rx_msdu_coalesce(struct ath11k *ar, 
		dev_kfree_skb_any(skb);



		rem_len -= buf_len;

		if (!rxcb->is_continuation)

		if (!is_continuation)

			break;

	}
@@ -2214,7 +2216,6 @@ ath11k_dp_rx_h_find_peer(struct ath11k_base *ab, struct sk_buff *msdu) 


	lockdep_assert_held(&ab->base_lock);



	if (rxcb->peer_id)

	peer = ath11k_peer_find_by_id(ab, rxcb->peer_id);



	if (peer)

drivers/net/wireless/ath/ath11k/hal.c

+11 −3
Original line number Diff line number Diff line
@@ -1387,14 +1387,22 @@ EXPORT_SYMBOL(ath11k_hal_srng_deinit); 


void ath11k_hal_srng_clear(struct ath11k_base *ab)

{

	/* No need to memset rdp and wrp memory since each individual

	 * segment would get cleared in ath11k_hal_srng_src_hw_init()

	 * and ath11k_hal_srng_dst_hw_init().

	/*

	 * Preserve the shared pointer buffers, but clear the previous

	 * firmware instance's hp/tp state before handing them back to FW.

	 * LMAC rings reuse this shared memory without going through the

	 * normal SRNG hw-init path that zeros non-LMAC ring pointers.

	 */

	memset(ab->hal.srng_list, 0,

	       sizeof(ab->hal.srng_list));

	memset(ab->hal.shadow_reg_addr, 0,

	       sizeof(ab->hal.shadow_reg_addr));

	if (ab->hal.rdp.vaddr)

		memset(ab->hal.rdp.vaddr, 0,

		       sizeof(*ab->hal.rdp.vaddr) * HAL_SRNG_RING_ID_MAX);

	if (ab->hal.wrp.vaddr)

		memset(ab->hal.wrp.vaddr, 0,

		       sizeof(*ab->hal.wrp.vaddr) * HAL_SRNG_NUM_LMAC_RINGS);

	ab->hal.avail_blk_resource = 0;

	ab->hal.current_blk_index = 0;

	ab->hal.num_shadow_reg_configured = 0;

drivers/net/wireless/ath/ath11k/hal_rx.c

+1 −4
Original line number Diff line number Diff line
@@ -1467,11 +1467,8 @@ ath11k_hal_rx_parse_mon_status_tlv(struct ath11k_base *ab, 
	case HAL_RX_MPDU_START: {

		struct hal_rx_mpdu_info *mpdu_info =

				(struct hal_rx_mpdu_info *)tlv_data;

		u16 peer_id;



		peer_id = ath11k_hal_rx_mpduinfo_get_peerid(ab, mpdu_info);

		if (peer_id)

			ppdu_info->peer_id = peer_id;

		ppdu_info->peer_id = ath11k_hal_rx_mpduinfo_get_peerid(ab, mpdu_info);

		break;

	}

	case HAL_RXPCU_PPDU_END_INFO: {

drivers/net/wireless/ath/ath11k/testmode.c

+1 −0
Original line number Diff line number Diff line
@@ -457,6 +457,7 @@ static int ath11k_tm_cmd_wmi_ftm(struct ath11k *ar, struct nlattr *tb[]) 
		ret = ath11k_wmi_cmd_send(wmi, skb, cmd_id);

		if (ret) {

			ath11k_warn(ar->ab, "failed to send wmi ftm command: %d\n", ret);

			dev_kfree_skb(skb);

			goto out;

		}