releases/5.16.20/mt76-fix-monitor-mode-crash-with-sdio-driver.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 698124f4f0c58f4f2675265519fc159910dc79e0 Mon Sep 17 00:00:00 2001
 From: Sasha Levin <sashal@kernel.org>
 Date: Fri, 4 Mar 2022 22:54:05 +0800
 Subject: mt76: fix monitor mode crash with sdio driver

 From: Deren Wu <deren.wu@mediatek.com>

 [ Upstream commit 123bc712b1de0805f9d683687e17b1ec2aba0b68 ]

 mt7921s driver may receive frames with fragment buffers. If there is a
 CTS packet received in monitor mode, the payload is 10 bytes only and
 need 6 bytes header padding after RXD buffer. However, only RXD in the
 first linear buffer, if we pull buffer size RXD-size+6 bytes with
 skb_pull(), that would trigger "BUG_ON(skb->len < skb->data_len)" in
 __skb_pull().

 To avoid the nonlinear buffer issue, enlarge the RXD size from 128 to
 256 to make sure all MCU operation in linear buffer.

 [   52.007562] kernel BUG at include/linux/skbuff.h:2313!
 [   52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
 [   52.007987] pc : skb_pull+0x48/0x4c
 [   52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]
 [   52.008361] Call trace:
 [   52.008377]  skb_pull+0x48/0x4c
 [   52.008400]  mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c]
 [   52.008431]  __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917]
 [   52.008449]  kthread+0x148/0x3ac
 [   52.008466]  ret_from_fork+0x10/0x30

 Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
 Signed-off-by: Sean Wang <sean.wang@mediatek.com>
 Signed-off-by: Deren Wu <deren.wu@mediatek.com>
 Signed-off-by: Felix Fietkau <nbd@nbd.name>
 Signed-off-by: Sasha Levin <sashal@kernel.org>
 ---
  drivers/net/wireless/mediatek/mt76/mt76.h | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
 index e2da720a91b6..f740a8ba164d 100644
 --- a/drivers/net/wireless/mediatek/mt76/mt76.h
 +++ b/drivers/net/wireless/mediatek/mt76/mt76.h
 @@ -19,7 +19,7 @@

  #define MT_MCU_RING_SIZE	32
  #define MT_RX_BUF_SIZE		2048
 -#define MT_SKB_HEAD_LEN		128
 +#define MT_SKB_HEAD_LEN		256

  #define MT_MAX_NON_AQL_PKT	16
  #define MT_TXQ_FREE_THR		32
 --
 2.35.1
	From 698124f4f0c58f4f2675265519fc159910dc79e0 Mon Sep 17 00:00:00 2001
	From: Sasha Levin <sashal@kernel.org>
	Date: Fri, 4 Mar 2022 22:54:05 +0800
	Subject: mt76: fix monitor mode crash with sdio driver

	From: Deren Wu <deren.wu@mediatek.com>

	[ Upstream commit 123bc712b1de0805f9d683687e17b1ec2aba0b68 ]

	mt7921s driver may receive frames with fragment buffers. If there is a
	CTS packet received in monitor mode, the payload is 10 bytes only and
	need 6 bytes header padding after RXD buffer. However, only RXD in the
	first linear buffer, if we pull buffer size RXD-size+6 bytes with
	skb_pull(), that would trigger "BUG_ON(skb->len < skb->data_len)" in
	__skb_pull().

	To avoid the nonlinear buffer issue, enlarge the RXD size from 128 to
	256 to make sure all MCU operation in linear buffer.

	[ 52.007562] kernel BUG at include/linux/skbuff.h:2313!
	[ 52.007578] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
	[ 52.007987] pc : skb_pull+0x48/0x4c
	[ 52.008015] lr : mt7921_queue_rx_skb+0x494/0x890 [mt7921_common]
	[ 52.008361] Call trace:
	[ 52.008377] skb_pull+0x48/0x4c
	[ 52.008400] mt76s_net_worker+0x134/0x1b0 [mt76_sdio 35339a92c6eb7d4bbcc806a1d22f56365565135c]
	[ 52.008431] __mt76_worker_fn+0xe8/0x170 [mt76 ef716597d11a77150bc07e3fdd68eeb0f9b56917]
	[ 52.008449] kthread+0x148/0x3ac
	[ 52.008466] ret_from_fork+0x10/0x30

	Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
	Signed-off-by: Sean Wang <sean.wang@mediatek.com>
	Signed-off-by: Deren Wu <deren.wu@mediatek.com>
	Signed-off-by: Felix Fietkau <nbd@nbd.name>
	Signed-off-by: Sasha Levin <sashal@kernel.org>
	---
	drivers/net/wireless/mediatek/mt76/mt76.h \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	diff --git a/drivers/net/wireless/mediatek/mt76/mt76.h b/drivers/net/wireless/mediatek/mt76/mt76.h
	index e2da720a91b6..f740a8ba164d 100644
	--- a/drivers/net/wireless/mediatek/mt76/mt76.h
	+++ b/drivers/net/wireless/mediatek/mt76/mt76.h
	@@ -19,7 +19,7 @@

	#define MT_MCU_RING_SIZE 32
	#define MT_RX_BUF_SIZE 2048
	-#define MT_SKB_HEAD_LEN 128
	+#define MT_SKB_HEAD_LEN 256

	#define MT_MAX_NON_AQL_PKT 16
	#define MT_TXQ_FREE_THR 32
	--
	2.35.1