From: "Mike Pagano" <mpagano@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/linux-patches:6.12 commit in: /
Date: Thu, 20 Mar 2025 22:39:50 +0000 (UTC)
Message-ID: <1742510365.18ea66dfadb2f6fded8b475ebf3396a1e7cb622d.mpagano@gentoo>
commit: 18ea66dfadb2f6fded8b475ebf3396a1e7cb622d
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Thu Mar 20 22:39:25 2025 +0000
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Thu Mar 20 22:39:25 2025 +0000
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=18ea66df
wifi: mt76: mt7921: fix kernel panic due to null pointer dereference
Bug: https://bugs.gentoo.org/950243
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
0000_README | 34 +++---------
2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch | 74 ++++++++++++++++++++++++++
2 files changed, 81 insertions(+), 27 deletions(-)
diff --git a/0000_README b/0000_README
index a2f75d4a..c53357bf 100644
--- a/0000_README
+++ b/0000_README
@@ -95,30 +95,6 @@ Patch: 1012_linux-6.12.13.patch
From: https://www.kernel.org
Desc: Linux 6.12.13
-Patch: 1013_linux-6.12.14.patch
-From: https://www.kernel.org
-Desc: Linux 6.12.14
-
-Patch: 1014_linux-6.12.15.patch
-From: https://www.kernel.org
-Desc: Linux 6.12.15
-
-Patch: 1015_linux-6.12.16.patch
-From: https://www.kernel.org
-Desc: Linux 6.12.16
-
-Patch: 1016_linux-6.12.17.patch
-From: https://www.kernel.org
-Desc: Linux 6.12.17
-
-Patch: 1017_linux-6.12.18.patch
-From: https://www.kernel.org
-Desc: Linux 6.12.18
-
-Patch: 1018_linux-6.12.19.patch
-From: https://www.kernel.org
-Desc: Linux 6.12.19
-
Patch: 1500_fortify-copy-size-value-range-tracking-fix.patch
From: https://git.kernel.org/
Desc: fortify: Hide run-time copy size from value range tracking
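Review bot: The six entries removed at the top of this hunk (1013_linux-6.12.14.patch through 1018_linux-6.12.19.patch) are not mentioned in the commit message, and the diffstat lists only 0000_README and the new 2400 patch, so the patch files themselves are not deleted by this commit. If the tree still ships those patches, the README no longer documents them, which looks like an older copy of 0000_README committed over a newer one. Suggest restoring the entries, or, if dropping them is intended, doing it in a separate commit that also removes the files and says so.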
@@ -139,6 +115,10 @@ Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch
From: https://lore.kernel.org/linux-bluetooth/20190522070540.48895-1-marcel@holtmann.org/raw
Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758
+Patch: 2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch
+From: https://github.com/nbd168/wireless/commit/adc3fd2a2277b7cc0b61692463771bf9bd298036
+Desc: wifi: mt76: mt7921: fix kernel panic due to null pointer dereference
+
Patch: 2901_tools-lib-subcmd-compile-fix.patch
From: https://lore.kernel.org/all/20240731085217.94928-1-michael.weiss@aisec.fraunhofer.de/
Desc: tools lib subcmd: Fixed uninitialized use of variable in parse-options
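Review bot: The new Desc: line for 2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch carries no bug reference, while the neighbouring 2000 entry ends with "See bug #686758". The commit message already cites https://bugs.gentoo.org/950243; adding "See bug #950243" to Desc: would let whoever bumps the patch set find the report and drop this patch once a 6.12.y release carries the fix. The From: line could also point at the patch.msgid.link URL from the patch's own Link: trailer, which is the upstream submission rather than a personal GitHub tree.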
@@ -151,9 +131,9 @@ Patch: 2920_sign-file-patch-for-libressl.patch
From: https://bugs.gentoo.org/717166
Desc: sign-file: full functionality with modern LibreSSL
-Patch: 2980_kbuild-gcc15-gnu23-to-gnu11-fix.patch
-From: https://github.com/hhoffstaette/kernel-patches/
-Desc: gcc 15 kbuild fixes
+Patch: 2980_GCC15-gnu23-to-gnu11-fix.patch
+From: https://lore.kernel.org/linux-kbuild/20241119044724.GA2246422@thelio-3990X/
+Desc: GCC 15 defaults to -std=gnu23. Hack in CSTD_FLAG to pass -std=gnu11 everywhere.
Patch: 2990_libbpf-v2-workaround-Wmaybe-uninitialized-false-pos.patch
From: https://lore.kernel.org/bpf/
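Review bot: The 2980 entry is renamed to 2980_GCC15-gnu23-to-gnu11-fix.patch with a new From: and Desc:, but the diffstat shows no file added, removed or renamed under either name, and the commit message covers only the mt7921 fix. Please confirm the file exists in the tree under the new name so the README does not point at a missing patch, and move this README change into its own commit.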
diff --git a/2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch b/2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch
new file mode 100644
index 00000000..1cc1dbf3
--- /dev/null
+++ b/2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch
@@ -0,0 +1,74 @@
+From adc3fd2a2277b7cc0b61692463771bf9bd298036 Mon Sep 17 00:00:00 2001
+From: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Date: Tue, 18 Feb 2025 11:33:42 +0800
+Subject: [PATCH] wifi: mt76: mt7921: fix kernel panic due to null pointer
+ dereference
+
+Address a kernel panic caused by a null pointer dereference in the
+`mt792x_rx_get_wcid` function. The issue arises because the `deflink` structure
+is not properly initialized with the `sta` context. This patch ensures that the
+`deflink` structure is correctly linked to the `sta` context, preventing the
+null pointer dereference.
+
+ BUG: kernel NULL pointer dereference, address: 0000000000000400
+ #PF: supervisor read access in kernel mode
+ #PF: error_code(0x0000) - not-present page
+ PGD 0 P4D 0
+ Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI
+ CPU: 0 UID: 0 PID: 470 Comm: mt76-usb-rx phy Not tainted 6.12.13-gentoo-dist #1
+ Hardware name: /AMD HUDSON-M1, BIOS 4.6.4 11/15/2011
+ RIP: 0010:mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]
+ RSP: 0018:ffffa147c055fd98 EFLAGS: 00010202
+ RAX: 0000000000000000 RBX: ffff8e9ecb652000 RCX: 0000000000000000
+ RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e9ecb652000
+ RBP: 0000000000000685 R08: ffff8e9ec6570000 R09: 0000000000000000
+ R10: ffff8e9ecd2ca000 R11: ffff8e9f22a217c0 R12: 0000000038010119
+ R13: 0000000080843801 R14: ffff8e9ec6570000 R15: ffff8e9ecb652000
+ FS: 0000000000000000(0000) GS:ffff8e9f22a00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000400 CR3: 000000000d2ea000 CR4: 00000000000006f0
+ Call Trace:
+ <TASK>
+ ? __die_body.cold+0x19/0x27
+ ? page_fault_oops+0x15a/0x2f0
+ ? search_module_extables+0x19/0x60
+ ? search_bpf_extables+0x5f/0x80
+ ? exc_page_fault+0x7e/0x180
+ ? asm_exc_page_fault+0x26/0x30
+ ? mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]
+ mt7921_queue_rx_skb+0x1c6/0xaa0 [mt7921_common]
+ mt76u_alloc_queues+0x784/0x810 [mt76_usb]
+ ? __pfx___mt76_worker_fn+0x10/0x10 [mt76]
+ __mt76_worker_fn+0x4f/0x80 [mt76]
+ kthread+0xd2/0x100
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork+0x34/0x50
+ ? __pfx_kthread+0x10/0x10
+ ret_from_fork_asm+0x1a/0x30
+ </TASK>
+ ---[ end trace 0000000000000000 ]---
+
+Reported-by: Nick Morrow <usbwifi2024@gmail.com>
+Closes: https://github.com/morrownr/USB-WiFi/issues/577
+Cc: stable@vger.kernel.org
+Fixes: 90c10286b176 ("wifi: mt76: mt7925: Update mt792x_rx_get_wcid for per-link STA")
+Signed-off-by: Ming Yen Hsieh <mingyen.hsieh@mediatek.com>
+Tested-by: Salah Coronya <salah.coronya@gmail.com>
+Link: https://patch.msgid.link/20250218033343.1999648-1-mingyen.hsieh@mediatek.com
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+ drivers/net/wireless/mediatek/mt76/mt7921/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+index 13e58c328aff..78b77a54d195 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c
++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c
+@@ -811,6 +811,7 @@ int mt7921_mac_sta_add(struct mt76_dev *mdev, struct ieee80211_vif *vif,
+ msta->deflink.wcid.phy_idx = mvif->bss_conf.mt76.band_idx;
+ msta->deflink.wcid.tx_info |= MT_WCID_TX_INFO_SET;
+ msta->deflink.last_txs = jiffies;
++ msta->deflink.sta = msta;
+
+ ret = mt76_connac_pm_wake(&dev->mphy, &dev->pm);
+ if (ret)
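Review bot: The added line "msta->deflink.sta = msta;" repairs only the writer side in mt7921_mac_sta_add, while the faulting reader mt792x_rx_get_wcid sits in the shared mt792x_lib module according to the oops, and the Fixes: subject names mt7925. Nothing in the visible lines shows the reader checking the back-pointer before dereferencing it, so any other path that fills a deflink without setting sta would fault the same way in the rx worker. Suggest confirming that the other station-add paths using this helper set deflink.sta, and considering a NULL check in mt792x_rx_get_wcid as defence in depth.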