Commit 7ac5cc26 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge tag 'wireless-2025-07-10' of... 

Merge tag 'wireless-2025-07-10' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless

Johannes Berg says:

====================
Quite a number of fixes still:

 - mt76 (hadn't sent any fixes so far)
   - RCU
   - scanning
   - decapsulation offload
   - interface combinations
 - rt2x00: build fix (bad function pointer prototype)
 - cfg80211: prevent A-MSDU flipping attacks in mesh
 - zd1211rw: prevent race ending with NULL ptr deref
 - cfg80211/mac80211: more S1G fixes
 - mwifiex: avoid WARN on certain RX frames
 - mac80211:
   - avoid stack data leak in WARN cases
   - fix non-transmitted BSSID search
     (on certain multi-BSSID APs)
   - always initialize key list so driver
     iteration won't crash
   - fix monitor interface in device restart
   - fix __free() annotation usage

* tag 'wireless-2025-07-10' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless: (26 commits)
  wifi: mac80211: add the virtual monitor after reconfig complete
  wifi: mac80211: always initialize sdata::key_list
  wifi: mac80211: Fix uninitialized variable with __free() in ieee80211_ml_epcs()
  wifi: mt76: mt792x: Limit the concurrent STA and SoftAP to operate on the same channel
  wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init()
  wifi: mt76: fix queue assignment for deauth packets
  wifi: mt76: add a wrapper for wcid access with validation
  wifi: mt76: mt7921: prevent decap offload config before STA initialization
  wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload()
  wifi: mt76: mt7925: fix incorrect scan probe IE handling for hw_scan
  wifi: mt76: mt7925: fix invalid array index in ssid assignment during hw scan
  wifi: mt76: mt7925: fix the wrong config for tx interrupt
  wifi: mt76: Remove RCU section in mt7996_mac_sta_rc_work()
  wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl()
  wifi: mt76: Move RCU section in mt7996_mcu_add_rate_ctrl_fixed()
  wifi: mt76: Move RCU section in mt7996_mcu_set_fixed_field()
  wifi: mt76: Assume __mt76_connac_mcu_alloc_sta_req runs in atomic context
  wifi: prevent A-MSDU attacks in mesh networks
  wifi: rt2x00: fix remove callback type mismatch
  wifi: mac80211: reject VHT opmode for unsupported channel widths
  ...
====================

Link: https://patch.msgid.link/20250710122212.24272-3-johannes@sipsolutions.net


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 18cdb3d9 c07981af

drivers/net/wireless/marvell/mwifiex/util.c

+3 −1
Original line number Diff line number Diff line
@@ -459,7 +459,9 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv, 
				    "auth: receive authentication from %pM\n",

				    ieee_hdr->addr3);

		} else {

			if (!priv->wdev.connected)

			if (!priv->wdev.connected ||

			    !ether_addr_equal(ieee_hdr->addr3,

					      priv->curr_bss_params.bss_descriptor.mac_address))

				return 0;



			if (ieee80211_is_deauth(ieee_hdr->frame_control)) {

drivers/net/wireless/mediatek/mt76/mt76.h

+10 −0
Original line number Diff line number Diff line
@@ -1224,6 +1224,16 @@ static inline int mt76_wed_dma_setup(struct mt76_dev *dev, struct mt76_queue *q, 
#define mt76_dereference(p, dev) \

	rcu_dereference_protected(p, lockdep_is_held(&(dev)->mutex))



static inline struct mt76_wcid *

__mt76_wcid_ptr(struct mt76_dev *dev, u16 idx)

{

	if (idx >= ARRAY_SIZE(dev->wcid))

		return NULL;

	return rcu_dereference(dev->wcid[idx]);

}



#define mt76_wcid_ptr(dev, idx) __mt76_wcid_ptr(&(dev)->mt76, idx)



struct mt76_dev *mt76_alloc_device(struct device *pdev, unsigned int size,

				   const struct ieee80211_ops *ops,

				   const struct mt76_driver_ops *drv_ops);

drivers/net/wireless/mediatek/mt76/mt7603/dma.c

+1 −1
Original line number Diff line number Diff line
@@ -44,7 +44,7 @@ mt7603_rx_loopback_skb(struct mt7603_dev *dev, struct sk_buff *skb) 
	if (idx >= MT7603_WTBL_STA - 1)

		goto free;



	wcid = rcu_dereference(dev->mt76.wcid[idx]);

	wcid = mt76_wcid_ptr(dev, idx);

	if (!wcid)

		goto free;

drivers/net/wireless/mediatek/mt76/mt7603/mac.c

+2 −8
Original line number Diff line number Diff line
@@ -487,10 +487,7 @@ mt7603_rx_get_wcid(struct mt7603_dev *dev, u8 idx, bool unicast) 
	struct mt7603_sta *sta;

	struct mt76_wcid *wcid;



	if (idx >= MT7603_WTBL_SIZE)

		return NULL;



	wcid = rcu_dereference(dev->mt76.wcid[idx]);

	wcid = mt76_wcid_ptr(dev, idx);

	if (unicast || !wcid)

		return wcid;
@@ -1266,12 +1263,9 @@ void mt7603_mac_add_txs(struct mt7603_dev *dev, void *data) 
	if (pid == MT_PACKET_ID_NO_ACK)

		return;



	if (wcidx >= MT7603_WTBL_SIZE)

		return;



	rcu_read_lock();



	wcid = rcu_dereference(dev->mt76.wcid[wcidx]);

	wcid = mt76_wcid_ptr(dev, wcidx);

	if (!wcid)

		goto out;

drivers/net/wireless/mediatek/mt76/mt7615/mac.c

+2 −5
Original line number Diff line number Diff line
@@ -90,10 +90,7 @@ static struct mt76_wcid *mt7615_rx_get_wcid(struct mt7615_dev *dev, 
	struct mt7615_sta *sta;

	struct mt76_wcid *wcid;



	if (idx >= MT7615_WTBL_SIZE)

		return NULL;



	wcid = rcu_dereference(dev->mt76.wcid[idx]);

	wcid = mt76_wcid_ptr(dev, idx);

	if (unicast || !wcid)

		return wcid;
@@ -1504,7 +1501,7 @@ static void mt7615_mac_add_txs(struct mt7615_dev *dev, void *data) 


	rcu_read_lock();



	wcid = rcu_dereference(dev->mt76.wcid[wcidx]);

	wcid = mt76_wcid_ptr(dev, wcidx);

	if (!wcid)

		goto out;