From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 29D1AC61CE7 for ; Wed, 4 Jun 2025 02:01:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: Content-Type:MIME-Version:References:In-Reply-To:Message-Id:Date:Subject:Cc: To:From:Reply-To:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=YNJsY6tlWGTOpRx0kcITN28M8ilEeTO0aeghjgpZb3o=; b=tufb7M6S6C6dolSXgu2w7xuFHy dg+MbAPyksc+xlH5DwluyihgvFS15fIgeRz+kluYUkS3C/hHg+kfkrals3IQ4LlSFotS/yqNNY8pH 8myYES8DsQ71+IUutM/jyyI2DktiCMe+oQk8P2vGb71mPrlHqWkoB1gcNpYuTqwl6cGTCuQDDUMMX NJJHtdrBrK9I35UTyNQC7zaNStGfh+HmUwqpN9ccZkc9LLyZoQbsFv8IrvB6HeiDc2gEi7/m7S0XS AVP7fZLFhnQypF9G3pEuWYZ7rjivCzjCnFlp0qlcIYnfNshcMixuvNpyx07s0EGeHxHkjziUyW5KS z8SFlW7w==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98.2 #2 (Red Hat Linux)) id 1uMdRy-0000000CGay-3iCA; Wed, 04 Jun 2025 02:01:54 +0000 Received: from nyc.source.kernel.org ([147.75.193.91]) by bombadil.infradead.org with esmtps (Exim 4.98.2 #2 (Red Hat Linux)) id 1uMcTA-0000000C7jE-2bTs for ath12k@lists.infradead.org; Wed, 04 Jun 2025 00:59:06 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by nyc.source.kernel.org (Postfix) with ESMTP id EAE57A4FE5C; Wed, 4 Jun 2025 00:59:03 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6D562C4CEEF; Wed, 4 Jun 2025 00:59:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1748998743; bh=GGdZyVX0V+7vWW+Zdhvke55vJjkda8KHsemqE9wIkBc=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gD9AStEG0u8z2s2dd7AX6JHtph3Pq9LxVaE3TYPBp3ZeyQ6kRstrHD6aqIn+tnFnd C1PP234LFxl018e9abx8xP6KDlwR8mqmfuWZr64kXw5fVzQnZPVQUhfHi7MMCdGDTN WRER1mDg+l63d5oYyxt4pkMQl8fE0nLcfooOWD0+KmrwClz638+VouNEi3X0xwDlpJ +2U+Vfe6H6+cuqfH4l7ndcduz8zO1CgFvY0PMJ4b9Cm64U85BaERAv5n4ifSGFsvlw jICkPdV1884otDiDPmDT0L0skYVryKKorRwhulIznGmbm6MJzjul6B2pdJmA+9biJc AaQ1WNgaJiduQ== From: Sasha Levin To: patches@lists.linux.dev, stable@vger.kernel.org Cc: Hari Chandrakanthan , Nicolas Escande , Vasanthakumar Thiagarajan , Karthikeyan Periyasamy , Jeff Johnson , Sasha Levin , jjohnson@kernel.org, linux-wireless@vger.kernel.org, ath12k@lists.infradead.org Subject: [PATCH AUTOSEL 6.14 105/108] wifi: ath12k: fix link valid field initialization in the monitor Rx Date: Tue, 3 Jun 2025 20:55:28 -0400 Message-Id: <20250604005531.4178547-105-sashal@kernel.org> X-Mailer: git-send-email 2.39.5 In-Reply-To: <20250604005531.4178547-1-sashal@kernel.org> References: <20250604005531.4178547-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore X-stable-base: Linux 6.14.9 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20250603_175904_804918_19699AB5 X-CRM114-Status: GOOD ( 15.23 ) X-BeenThere: ath12k@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "ath12k" Errors-To: ath12k-bounces+ath12k=archiver.kernel.org@lists.infradead.org From: Hari Chandrakanthan [ Upstream commit 2826139f9295821fe2b049318a1cc057ec003131 ] Currently, the link_valid field is not initialized in the monitor Rx path. This can result in random values for the link_valid and link_id leads to undefined behaviour in mac80211. Therefore, initialize the link_valid field in the monitor Rx path. Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.3.1-00173-QCAHKSWPL_SILICONZ-1 Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0.c5-00481-QCAHMTSWPL_V1.0_V2.0_SILICONZ-3 Signed-off-by: Hari Chandrakanthan Tested-by: Nicolas Escande Reviewed-by: Vasanthakumar Thiagarajan Signed-off-by: Karthikeyan Periyasamy Link: https://patch.msgid.link/20250324062518.2752822-2-quic_periyasa@quicinc.com Signed-off-by: Jeff Johnson Signed-off-by: Sasha Levin --- Based on my analysis of the commit and the code context, here is my assessment: **YES** This commit should be backported to stable kernel trees. Here's my extensive analysis: ## Technical Analysis **Code Change Impact:** The commit adds a single line `status->link_valid = 0;` at the beginning of the `ath12k_dp_mon_rx_deliver_msdu()` function in the monitor Rx path. This initializes the `link_valid` field in the `ieee80211_rx_status` structure before any subsequent processing. **Root Cause and Problem:** 1. **Uninitialized Memory Issue**: The `ieee80211_rx_status` structure contains the `link_valid` field (1 bit) and `link_id` field (4 bits) that were not being initialized in the monitor Rx path. 2. **Undefined Behavior**: Without initialization, these fields contain random stack memory values, which can cause unpredictable behavior in mac80211 when it processes received frames. 3. **MLO Context**: The `link_valid` and `link_id` fields are specifically used for Multi-Link Operation (MLO) in WiFi 7, where mac80211 needs to know which link a frame was received on. ## Why This Should Be Backported **1. Bug Fix Nature:** - This is clearly a bug fix that addresses undefined behavior caused by uninitialized fields - The commit message explicitly states this fixes "undefined behaviour in mac80211" - Similar to reference commit #2 (which was backported) that fixed uninitialized variables **2. User Impact:** - Uninitialized fields can cause mac80211 to make incorrect decisions about packet processing - May lead to packet drops, incorrect link handling, or other unpredictable wireless behavior - Monitor mode is commonly used by network analysis tools, making this user-facing **3. Risk Assessment:** - **Very Low Risk**: The change is minimal (single line initialization) - **No Side Effects**: Setting `link_valid = 0` is the correct default for monitor mode - **Safe Change**: Only affects the monitor Rx path, doesn't change core functionality **4. Code Pattern Consistency:** Looking at the regular Rx path in `dp_rx.c`, I can see the same pattern: ```c if (pubsta && pubsta->valid_links) { status->link_valid = 1; status->link_id = peer->link_id; } ``` The monitor path was missing the corresponding initialization, creating an inconsistency where: - Regular Rx path: Properly sets `link_valid = 1` when appropriate - Monitor Rx path: Left `link_valid` uninitialized (now fixed to `link_valid = 0`) **5. Containment:** - Change is confined to a single function in the monitor path - No architectural changes or new feature additions - Follows established kernel practices for field initialization **6. Stable Tree Criteria Match:** - ✅ Important bug fix (undefined behavior) - ✅ Minimal risk of regression - ✅ Small, contained change - ✅ No new features - ✅ Affects user-facing functionality (monitor mode) **7. Reference Precedent:** This follows the same pattern as the backported commit #2 which fixed uninitialized variables and commit #3 which fixed incorrect field usage, both of which were deemed suitable for backporting. The commit properly addresses a real bug that could affect users of monitor mode with ath12k WiFi 7 devices, with virtually no risk of introducing regressions. drivers/net/wireless/ath/ath12k/dp_mon.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/ath/ath12k/dp_mon.c b/drivers/net/wireless/ath/ath12k/dp_mon.c index 8737dc8fea354..05a9cd21b5dc3 100644 --- a/drivers/net/wireless/ath/ath12k/dp_mon.c +++ b/drivers/net/wireless/ath/ath12k/dp_mon.c @@ -1019,6 +1019,8 @@ static void ath12k_dp_mon_rx_deliver_msdu(struct ath12k *ar, struct napi_struct bool is_mcbc = rxcb->is_mcbc; bool is_eapol_tkip = rxcb->is_eapol; + status->link_valid = 0; + if ((status->encoding == RX_ENC_HE) && !(status->flag & RX_FLAG_RADIOTAP_HE) && !(status->flag & RX_FLAG_SKIP_MONITOR)) { he = skb_push(msdu, sizeof(known)); -- 2.39.5