commit: 18ea66dfadb2f6fded8b475ebf3396a1e7cb622d
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
AuthorDate: Thu Mar 20 22:39:25 2025 +0000
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
CommitDate: Thu Mar 20 22:39:25 2025 +0000
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=18ea66df
wifi: mt76: mt7921: fix kernel panic due to null pointer dereference Bug: https://bugs.gentoo.org/950243 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 34 +++--------- 2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch | 74 ++++++++++++++++++++++++++ 2 files changed, 81 insertions(+), 27 deletions(-) diff --git a/0000_README b/0000_README index a2f75d4a..c53357bf 100644 --- a/0000_README +++ b/0000_README @@ -95,30 +95,6 @@ Patch: 1012_linux-6.12.13.patch From: https://www.kernel.org Desc: Linux 6.12.13 -Patch: 1013_linux-6.12.14.patch -From: https://www.kernel.org -Desc: Linux 6.12.14 - -Patch: 1014_linux-6.12.15.patch -From: https://www.kernel.org -Desc: Linux 6.12.15 - -Patch: 1015_linux-6.12.16.patch -From: https://www.kernel.org -Desc: Linux 6.12.16 - -Patch: 1016_linux-6.12.17.patch -From: https://www.kernel.org -Desc: Linux 6.12.17 - -Patch: 1017_linux-6.12.18.patch -From: https://www.kernel.org -Desc: Linux 6.12.18 - -Patch: 1018_linux-6.12.19.patch -From: https://www.kernel.org -Desc: Linux 6.12.19 - Patch: 1500_fortify-copy-size-value-range-tracking-fix.patch From: https://git.kernel.org/ Desc: fortify: Hide run-time copy size from value range tracking @@ -139,6 +115,10 @@ Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch From: https://lore.kernel.org/linux-bluetooth/[email protected]/raw Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 +Patch: 2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch +From: https://github.com/nbd168/wireless/commit/adc3fd2a2277b7cc0b61692463771bf9bd298036 +Desc: wifi: mt76: mt7921: fix kernel panic due to null pointer dereference + Patch: 2901_tools-lib-subcmd-compile-fix.patch From: https://lore.kernel.org/all/[email protected]/ Desc: tools lib subcmd: Fixed uninitialized use of variable in parse-options @@ -151,9 +131,9 @@ Patch: 2920_sign-file-patch-for-libressl.patch 
From: https://bugs.gentoo.org/717166 Desc: sign-file: full functionality with modern LibreSSL -Patch: 2980_kbuild-gcc15-gnu23-to-gnu11-fix.patch -From: https://github.com/hhoffstaette/kernel-patches/ -Desc: gcc 15 kbuild fixes +Patch: 2980_GCC15-gnu23-to-gnu11-fix.patch +From: https://lore.kernel.org/linux-kbuild/20241119044724.GA2246422@thelio-3990X/ +Desc: GCC 15 defaults to -std=gnu23. Hack in CSTD_FLAG to pass -std=gnu11 everywhere. Patch: 2990_libbpf-v2-workaround-Wmaybe-uninitialized-false-pos.patch From: https://lore.kernel.org/bpf/ diff --git a/2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch b/2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch new file mode 100644 index 00000000..1cc1dbf3 --- /dev/null +++ b/2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch 
@@ -0,0 +1,74 @@ +From adc3fd2a2277b7cc0b61692463771bf9bd298036 Mon Sep 17 00:00:00 2001 +From: Ming Yen Hsieh <[email protected]> +Date: Tue, 18 Feb 2025 11:33:42 +0800 +Subject: [PATCH] wifi: mt76: mt7921: fix kernel panic due to null pointer + dereference + +Address a kernel panic caused by a null pointer dereference in the +`mt792x_rx_get_wcid` function. The issue arises because the `deflink` structure +is not properly initialized with the `sta` context. This patch ensures that the +`deflink` structure is correctly linked to the `sta` context, preventing the +null pointer dereference. + + BUG: kernel NULL pointer dereference, address: 0000000000000400 + #PF: supervisor read access in kernel mode + #PF: error_code(0x0000) - not-present page + PGD 0 P4D 0 + Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI + CPU: 0 UID: 0 PID: 470 Comm: mt76-usb-rx phy Not tainted 6.12.13-gentoo-dist #1 + Hardware name: /AMD HUDSON-M1, BIOS 4.6.4 11/15/2011 + RIP: 0010:mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib] + RSP: 0018:ffffa147c055fd98 EFLAGS: 00010202 + RAX: 0000000000000000 RBX: ffff8e9ecb652000 RCX: 0000000000000000 + RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e9ecb652000 + RBP: 0000000000000685 R08: ffff8e9ec6570000 R09: 0000000000000000 + R10: ffff8e9ecd2ca000 R11: ffff8e9f22a217c0 R12: 0000000038010119 + R13: 0000000080843801 R14: ffff8e9ec6570000 R15: ffff8e9ecb652000 + FS: 0000000000000000(0000) GS:ffff8e9f22a00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000400 CR3: 000000000d2ea000 CR4: 00000000000006f0 + Call Trace: + <TASK> + ? __die_body.cold+0x19/0x27 + ? page_fault_oops+0x15a/0x2f0 + ? search_module_extables+0x19/0x60 + ? search_bpf_extables+0x5f/0x80 + ? exc_page_fault+0x7e/0x180 + ? asm_exc_page_fault+0x26/0x30 + ? mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib] + mt7921_queue_rx_skb+0x1c6/0xaa0 [mt7921_common] + mt76u_alloc_queues+0x784/0x810 [mt76_usb] + ? 
__pfx___mt76_worker_fn+0x10/0x10 [mt76] + __mt76_worker_fn+0x4f/0x80 [mt76] + kthread+0xd2/0x100 + ? __pfx_kthread+0x10/0x10 + ret_from_fork+0x34/0x50 + ? __pfx_kthread+0x10/0x10 + ret_from_fork_asm+0x1a/0x30 + </TASK> + ---[ end trace 0000000000000000 ]--- + +Reported-by: Nick Morrow <[email protected]> +Closes: https://github.com/morrownr/USB-WiFi/issues/577 +Cc: [email protected] +Fixes: 90c10286b176 ("wifi: mt76: mt7925: Update mt792x_rx_get_wcid for per-link STA") +Signed-off-by: Ming Yen Hsieh <[email protected]> +Tested-by: Salah Coronya <[email protected]> +Link: https://patch.msgid.link/[email protected] +Signed-off-by: Felix Fietkau <[email protected]> +--- + drivers/net/wireless/mediatek/mt76/mt7921/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/mediatek/mt76/mt7921/main.c b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +index 13e58c328aff..78b77a54d195 100644 +--- a/drivers/net/wireless/mediatek/mt76/mt7921/main.c ++++ b/drivers/net/wireless/mediatek/mt76/mt7921/main.c +@@ -811,6 +811,7 @@ int mt7921_mac_sta_add(struct mt76_dev *mdev, struct ieee80211_vif *vif, + msta->deflink.wcid.phy_idx = mvif->bss_conf.mt76.band_idx; + msta->deflink.wcid.tx_info |= MT_WCID_TX_INFO_SET; + msta->deflink.last_txs = jiffies; ++ msta->deflink.sta = msta; + + ret = mt76_connac_pm_wake(&dev->mphy, &dev->pm); + if (ret)
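Review bot: the first 0000_README hunk (@@ -95,30 +95,6 @@) drops the entries for 1013_linux-6.12.14.patch through 1018_linux-6.12.19.patch, but the diffstat lists only 0000_README and the new 2400 patch, so no patch files are deleted in this commit. If those six files are still in the tree, the README no longer describes them; if they were never on this branch, the cleanup is unrelated to the wifi fix named in the commit message and should be split into its own commit or at least stated in the message, so that a reader bisecting the README history can tell why stable-release entries vanished in a driver-fix commit.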
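Review bot: the third 0000_README hunk (@@ -151,9 +131,9 @@) changes the entry from `-Patch: 2980_kbuild-gcc15-gnu23-to-gnu11-fix.patch` to `+Patch: 2980_GCC15-gnu23-to-gnu11-fix.patch` with a new From and Desc, yet the diffstat shows no rename or addition of a file under the new name. As committed, the README points at a patch file that this commit does not provide; either include the file rename in the same commit or move the entry change to the commit that does, and mention it in the commit message, which currently describes only the mt7921 fix.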
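Review bot: in the new 2400_wifi-mt76-mt7921-null-ptr-deref-fix.patch, the one-line hunk in drivers/net/wireless/mediatek/mt76/mt7921/main.c adds `+	msta->deflink.sta = msta;` next to the other deflink field initialisation in mt7921_mac_sta_add, which is the right place for it, but the Fixes: tag names an mt7925 commit ("wifi: mt76: mt7925: Update mt792x_rx_get_wcid for per-link STA") while the change touches only mt7921. The commit message should say whether the mt7925 path already sets deflink.sta or needs an equivalent change, so a reader does not have to check the sibling driver to know whether this backport is complete; a short note that mt792x_rx_get_wcid is shared by both drivers would make the relationship between the Fixes: target and the fixed file clear.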
