summaryrefslogtreecommitdiffstats
path: root/debian/patches/bugfix/all
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 10:15:42 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-04 10:15:42 +0000
commitdb196cd484f21495b246f9381e70d225e8a5212e (patch)
tree4ccef5191aa34d62d8f385644be6e2dff0c8dea7 /debian/patches/bugfix/all
parentMerging upstream version 6.1.85. (diff)
downloadlinux-debian/6.1.85-1.tar.xz
linux-debian/6.1.85-1.zip
Adding debian version 6.1.85-1.debian/6.1.85-1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/bugfix/all')
-rw-r--r--debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch57
-rw-r--r--debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch198
-rw-r--r--debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch125
-rw-r--r--debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch87
-rw-r--r--debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch34
-rw-r--r--debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch30
-rw-r--r--debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch68
-rw-r--r--debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch155
-rw-r--r--debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch39
-rw-r--r--debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch35
-rw-r--r--debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch41
11 files changed, 513 insertions, 356 deletions
diff --git a/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch b/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
deleted file mode 100644
index 258ab6ea4..000000000
--- a/debian/patches/bugfix/all/Bluetooth-rfcomm-Fix-null-ptr-deref-in-rfcomm_check_.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From: Yuxuan Hu <20373622@buaa.edu.cn>
-Date: Wed, 3 Jan 2024 17:10:43 +0800
-Subject: Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=567c0411dc3b424fc7bd1e6109726d7ba32d4f73
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-22099
-
-[ Upstream commit 2535b848fa0f42ddff3e5255cf5e742c9b77bb26 ]
-
-During our fuzz testing of the connection and disconnection process at the
-RFCOMM layer, we discovered this bug. By comparing the packets from a
-normal connection and disconnection process with the testcase that
-triggered a KASAN report. We analyzed the cause of this bug as follows:
-
-1. In the packets captured during a normal connection, the host sends a
-`Read Encryption Key Size` type of `HCI_CMD` packet
-(Command Opcode: 0x1408) to the controller to inquire the length of
-encryption key.After receiving this packet, the controller immediately
-replies with a Command Completepacket (Event Code: 0x0e) to return the
-Encryption Key Size.
-
-2. In our fuzz test case, the timing of the controller's response to this
-packet was delayed to an unexpected point: after the RFCOMM and L2CAP
-layers had disconnected but before the HCI layer had disconnected.
-
-3. After receiving the Encryption Key Size Response at the time described
-in point 2, the host still called the rfcomm_check_security function.
-However, by this time `struct l2cap_conn *conn = l2cap_pi(sk)->chan->conn;`
-had already been released, and when the function executed
-`return hci_conn_security(conn->hcon, d->sec_level, auth_type, d->out);`,
-specifically when accessing `conn->hcon`, a null-ptr-deref error occurred.
-
-To fix this bug, check if `sk->sk_state` is BT_CLOSED before calling
-rfcomm_recv_frame in rfcomm_process_rx.
-
-Signed-off-by: Yuxuan Hu <20373622@buaa.edu.cn>
-Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/bluetooth/rfcomm/core.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
-index 8d6fce9005bd..4f54c7df3a94 100644
---- a/net/bluetooth/rfcomm/core.c
-+++ b/net/bluetooth/rfcomm/core.c
-@@ -1937,7 +1937,7 @@ static struct rfcomm_session *rfcomm_process_rx(struct rfcomm_session *s)
- /* Get data directly from socket receive queue without copying it. */
- while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
- skb_orphan(skb);
-- if (!skb_linearize(skb)) {
-+ if (!skb_linearize(skb) && sk->sk_state != BT_CLOSED) {
- s = rfcomm_recv_frame(s, skb);
- if (!s)
- break;
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch
new file mode 100644
index 000000000..5e77d7985
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-scsi-core-Add-struct-for-args-to-execution-fu.patch
@@ -0,0 +1,198 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 11 Apr 2024 09:26:49 +0200
+Subject: Revert "scsi: core: Add struct for args to execution functions"
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=d1e620297a84caac1cd67615f4f4f6901527ca2b
+
+This reverts commit cf33e6ca12d814e1be2263cb76960d0019d7fb94 which is
+commit d0949565811f0896c1c7e781ab2ad99d34273fdf upstream.
+
+It is known to cause problems and has asked to be dropped.
+
+Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com
+Cc: Tasos Sahanidis <tasos@tasossah.com>
+Cc: Ewan D. Milne <emilne@redhat.com>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Tasos Sahanidis <tasos@tasossah.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: James Bottomley <jejb@linux.ibm.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Reported-by: John David Anglin <dave.anglin@bell.net>
+Reported-by: Cyril Brulebois <kibi@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_lib.c | 52 ++++++++++++++++++++------------------
+ include/scsi/scsi_device.h | 51 ++++++++++---------------------------
+ 2 files changed, 41 insertions(+), 62 deletions(-)
+
+diff --git a/drivers/scsi/scsi_lib.c b/drivers/scsi/scsi_lib.c
+index edd296f950a3..5c5954b78585 100644
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -185,37 +185,39 @@ void scsi_queue_insert(struct scsi_cmnd *cmd, int reason)
+ __scsi_queue_insert(cmd, reason, true);
+ }
+
++
+ /**
+- * scsi_execute_cmd - insert request and wait for the result
+- * @sdev: scsi_device
++ * __scsi_execute - insert request and wait for the result
++ * @sdev: scsi device
+ * @cmd: scsi command
+- * @opf: block layer request cmd_flags
++ * @data_direction: data direction
+ * @buffer: data buffer
+ * @bufflen: len of buffer
++ * @sense: optional sense buffer
++ * @sshdr: optional decoded sense header
+ * @timeout: request timeout in HZ
+ * @retries: number of times to retry request
+- * @args: Optional args. See struct definition for field descriptions
++ * @flags: flags for ->cmd_flags
++ * @rq_flags: flags for ->rq_flags
++ * @resid: optional residual length
+ *
+ * Returns the scsi_cmnd result field if a command was executed, or a negative
+ * Linux error code if we didn't get that far.
+ */
+-int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
+- blk_opf_t opf, void *buffer, unsigned int bufflen,
+- int timeout, int retries,
+- const struct scsi_exec_args *args)
++int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
++ int data_direction, void *buffer, unsigned bufflen,
++ unsigned char *sense, struct scsi_sense_hdr *sshdr,
++ int timeout, int retries, blk_opf_t flags,
++ req_flags_t rq_flags, int *resid)
+ {
+- static const struct scsi_exec_args default_args;
+ struct request *req;
+ struct scsi_cmnd *scmd;
+ int ret;
+
+- if (!args)
+- args = &default_args;
+- else if (WARN_ON_ONCE(args->sense &&
+- args->sense_len != SCSI_SENSE_BUFFERSIZE))
+- return -EINVAL;
+-
+- req = scsi_alloc_request(sdev->request_queue, opf, args->req_flags);
++ req = scsi_alloc_request(sdev->request_queue,
++ data_direction == DMA_TO_DEVICE ?
++ REQ_OP_DRV_OUT : REQ_OP_DRV_IN,
++ rq_flags & RQF_PM ? BLK_MQ_REQ_PM : 0);
+ if (IS_ERR(req))
+ return PTR_ERR(req);
+
+@@ -230,7 +232,8 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
+ memcpy(scmd->cmnd, cmd, scmd->cmd_len);
+ scmd->allowed = retries;
+ req->timeout = timeout;
+- req->rq_flags |= RQF_QUIET;
++ req->cmd_flags |= flags;
++ req->rq_flags |= rq_flags | RQF_QUIET;
+
+ /*
+ * head injection *required* here otherwise quiesce won't work
+@@ -246,21 +249,20 @@ int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
+ if (unlikely(scmd->resid_len > 0 && scmd->resid_len <= bufflen))
+ memset(buffer + bufflen - scmd->resid_len, 0, scmd->resid_len);
+
+- if (args->resid)
+- *args->resid = scmd->resid_len;
+- if (args->sense)
+- memcpy(args->sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
+- if (args->sshdr)
++ if (resid)
++ *resid = scmd->resid_len;
++ if (sense && scmd->sense_len)
++ memcpy(sense, scmd->sense_buffer, SCSI_SENSE_BUFFERSIZE);
++ if (sshdr)
+ scsi_normalize_sense(scmd->sense_buffer, scmd->sense_len,
+- args->sshdr);
+-
++ sshdr);
+ ret = scmd->result;
+ out:
+ blk_mq_free_request(req);
+
+ return ret;
+ }
+-EXPORT_SYMBOL(scsi_execute_cmd);
++EXPORT_SYMBOL(__scsi_execute);
+
+ /*
+ * Wake up the error handler if necessary. Avoid as follows that the error
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index b407807cc669..d2751ed536df 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -479,51 +479,28 @@ extern const char *scsi_device_state_name(enum scsi_device_state);
+ extern int scsi_is_sdev_device(const struct device *);
+ extern int scsi_is_target_device(const struct device *);
+ extern void scsi_sanitize_inquiry_string(unsigned char *s, int len);
+-
+-/* Optional arguments to scsi_execute_cmd */
+-struct scsi_exec_args {
+- unsigned char *sense; /* sense buffer */
+- unsigned int sense_len; /* sense buffer len */
+- struct scsi_sense_hdr *sshdr; /* decoded sense header */
+- blk_mq_req_flags_t req_flags; /* BLK_MQ_REQ flags */
+- int *resid; /* residual length */
+-};
+-
+-int scsi_execute_cmd(struct scsi_device *sdev, const unsigned char *cmd,
+- blk_opf_t opf, void *buffer, unsigned int bufflen,
+- int timeout, int retries,
+- const struct scsi_exec_args *args);
+-
++extern int __scsi_execute(struct scsi_device *sdev, const unsigned char *cmd,
++ int data_direction, void *buffer, unsigned bufflen,
++ unsigned char *sense, struct scsi_sense_hdr *sshdr,
++ int timeout, int retries, blk_opf_t flags,
++ req_flags_t rq_flags, int *resid);
+ /* Make sure any sense buffer is the correct size. */
+-#define scsi_execute(_sdev, _cmd, _data_dir, _buffer, _bufflen, _sense, \
+- _sshdr, _timeout, _retries, _flags, _rq_flags, \
+- _resid) \
++#define scsi_execute(sdev, cmd, data_direction, buffer, bufflen, sense, \
++ sshdr, timeout, retries, flags, rq_flags, resid) \
+ ({ \
+- scsi_execute_cmd(_sdev, _cmd, (_data_dir == DMA_TO_DEVICE ? \
+- REQ_OP_DRV_OUT : REQ_OP_DRV_IN) | _flags, \
+- _buffer, _bufflen, _timeout, _retries, \
+- &(struct scsi_exec_args) { \
+- .sense = _sense, \
+- .sshdr = _sshdr, \
+- .req_flags = _rq_flags & RQF_PM ? \
+- BLK_MQ_REQ_PM : 0, \
+- .resid = _resid, \
+- }); \
++ BUILD_BUG_ON((sense) != NULL && \
++ sizeof(sense) != SCSI_SENSE_BUFFERSIZE); \
++ __scsi_execute(sdev, cmd, data_direction, buffer, bufflen, \
++ sense, sshdr, timeout, retries, flags, rq_flags, \
++ resid); \
+ })
+-
+ static inline int scsi_execute_req(struct scsi_device *sdev,
+ const unsigned char *cmd, int data_direction, void *buffer,
+ unsigned bufflen, struct scsi_sense_hdr *sshdr, int timeout,
+ int retries, int *resid)
+ {
+- return scsi_execute_cmd(sdev, cmd,
+- data_direction == DMA_TO_DEVICE ?
+- REQ_OP_DRV_OUT : REQ_OP_DRV_IN, buffer,
+- bufflen, timeout, retries,
+- &(struct scsi_exec_args) {
+- .sshdr = sshdr,
+- .resid = resid,
+- });
++ return scsi_execute(sdev, cmd, data_direction, buffer,
++ bufflen, NULL, sshdr, timeout, retries, 0, 0, resid);
+ }
+ extern void sdev_disable_disk_events(struct scsi_device *sdev);
+ extern void sdev_enable_disk_events(struct scsi_device *sdev);
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch
new file mode 100644
index 000000000..2b03fad36
--- /dev/null
+++ b/debian/patches/bugfix/all/Revert-scsi-sd-usb_storage-uas-Access-media-prior-to.patch
@@ -0,0 +1,125 @@
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 11 Apr 2024 09:24:48 +0200
+Subject: Revert "scsi: sd: usb_storage: uas: Access media prior to querying
+ device properties"
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=fc7309d7c76e446d7804fcc075da53694cecd755
+Bug-Debian: https://bugs.debian.org/1068675
+
+This reverts commit b73dd5f9997279715cd450ee8ca599aaff2eabb9 which is
+commit 321da3dc1f3c92a12e3c5da934090d2992a8814c upstream.
+
+It is known to cause problems and has asked to be dropped.
+
+Link: https://lore.kernel.org/r/yq1frvvpymp.fsf@ca-mkp.ca.oracle.com
+Cc: Tasos Sahanidis <tasos@tasossah.com>
+Cc: Ewan D. Milne <emilne@redhat.com>
+Cc: Bart Van Assche <bvanassche@acm.org>
+Cc: Tasos Sahanidis <tasos@tasossah.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: James Bottomley <jejb@linux.ibm.com>
+Cc: Sasha Levin <sashal@kernel.org>
+Reported-by: John David Anglin <dave.anglin@bell.net>
+Reported-by: Cyril Brulebois <kibi@debian.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 26 +-------------------------
+ drivers/usb/storage/scsiglue.c | 7 -------
+ drivers/usb/storage/uas.c | 7 -------
+ include/scsi/scsi_device.h | 1 -
+ 4 files changed, 1 insertion(+), 40 deletions(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index f32236c3f81c..ad619f7c7418 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3286,24 +3286,6 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp,
+ return true;
+ }
+
+-static void sd_read_block_zero(struct scsi_disk *sdkp)
+-{
+- unsigned int buf_len = sdkp->device->sector_size;
+- char *buffer, cmd[10] = { };
+-
+- buffer = kmalloc(buf_len, GFP_KERNEL);
+- if (!buffer)
+- return;
+-
+- cmd[0] = READ_10;
+- put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */
+- put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */
+-
+- scsi_execute_cmd(sdkp->device, cmd, REQ_OP_DRV_IN, buffer, buf_len,
+- SD_TIMEOUT, sdkp->max_retries, NULL);
+- kfree(buffer);
+-}
+-
+ /**
+ * sd_revalidate_disk - called the first time a new disk is seen,
+ * performs disk spin up, read_capacity, etc.
+@@ -3343,13 +3325,7 @@ static int sd_revalidate_disk(struct gendisk *disk)
+ */
+ if (sdkp->media_present) {
+ sd_read_capacity(sdkp, buffer);
+- /*
+- * Some USB/UAS devices return generic values for mode pages
+- * until the media has been accessed. Trigger a READ operation
+- * to force the device to populate mode pages.
+- */
+- if (sdp->read_before_ms)
+- sd_read_block_zero(sdkp);
++
+ /*
+ * set the default to rotational. All non-rotational devices
+ * support the block characteristics VPD page, which will
+diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
+index 12cf9940e5b6..c54e9805da53 100644
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -179,13 +179,6 @@ static int slave_configure(struct scsi_device *sdev)
+ */
+ sdev->use_192_bytes_for_3f = 1;
+
+- /*
+- * Some devices report generic values until the media has been
+- * accessed. Force a READ(10) prior to querying device
+- * characteristics.
+- */
+- sdev->read_before_ms = 1;
+-
+ /*
+ * Some devices don't like MODE SENSE with page=0x3f,
+ * which is the command used for checking if a device
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index af619efe8eab..ee5621bdb11e 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -876,13 +876,6 @@ static int uas_slave_configure(struct scsi_device *sdev)
+ if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
+ sdev->guess_capacity = 1;
+
+- /*
+- * Some devices report generic values until the media has been
+- * accessed. Force a READ(10) prior to querying device
+- * characteristics.
+- */
+- sdev->read_before_ms = 1;
+-
+ /*
+ * Some devices don't like MODE SENSE with page=0x3f,
+ * which is the command used for checking if a device
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index a64713fe5264..b407807cc669 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -204,7 +204,6 @@ struct scsi_device {
+ unsigned use_10_for_rw:1; /* first try 10-byte read / write */
+ unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */
+ unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */
+- unsigned read_before_ms:1; /* perform a READ before MODE SENSE */
+ unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */
+ unsigned no_write_same:1; /* no WRITE SAME command */
+ unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch b/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
deleted file mode 100644
index f5cc88309..000000000
--- a/debian/patches/bugfix/all/aoe-fix-the-potential-use-after-free-problem-in-aoec.patch
+++ /dev/null
@@ -1,87 +0,0 @@
-From: Chun-Yi Lee <jlee@suse.com>
-Date: Tue, 5 Mar 2024 16:20:48 +0800
-Subject: aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=74ca3ef68d2f449bc848c0a814cefc487bf755fa
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-6270
-
-[ Upstream commit f98364e926626c678fb4b9004b75cacf92ff0662 ]
-
-This patch is against CVE-2023-6270. The description of cve is:
-
- A flaw was found in the ATA over Ethernet (AoE) driver in the Linux
- kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on
- `struct net_device`, and a use-after-free can be triggered by racing
- between the free on the struct and the access through the `skbtxq`
- global queue. This could lead to a denial of service condition or
- potential code execution.
-
-In aoecmd_cfg_pkts(), it always calls dev_put(ifp) when skb initial
-code is finished. But the net_device ifp will still be used in
-later tx()->dev_queue_xmit() in kthread. Which means that the
-dev_put(ifp) should NOT be called in the success path of skb
-initial code in aoecmd_cfg_pkts(). Otherwise tx() may run into
-use-after-free because the net_device is freed.
-
-This patch removed the dev_put(ifp) in the success path in
-aoecmd_cfg_pkts(), and added dev_put() after skb xmit in tx().
-
-Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
-Fixes: 7562f876cd93 ("[NET]: Rework dev_base via list_head (v3)")
-Signed-off-by: Chun-Yi Lee <jlee@suse.com>
-Link: https://lore.kernel.org/r/20240305082048.25526-1-jlee@suse.com
-Signed-off-by: Jens Axboe <axboe@kernel.dk>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/block/aoe/aoecmd.c | 12 ++++++------
- drivers/block/aoe/aoenet.c | 1 +
- 2 files changed, 7 insertions(+), 6 deletions(-)
-
-diff --git a/drivers/block/aoe/aoecmd.c b/drivers/block/aoe/aoecmd.c
-index d7317425be51..cc9077b588d7 100644
---- a/drivers/block/aoe/aoecmd.c
-+++ b/drivers/block/aoe/aoecmd.c
-@@ -419,13 +419,16 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
- rcu_read_lock();
- for_each_netdev_rcu(&init_net, ifp) {
- dev_hold(ifp);
-- if (!is_aoe_netif(ifp))
-- goto cont;
-+ if (!is_aoe_netif(ifp)) {
-+ dev_put(ifp);
-+ continue;
-+ }
-
- skb = new_skb(sizeof *h + sizeof *ch);
- if (skb == NULL) {
- printk(KERN_INFO "aoe: skb alloc failure\n");
-- goto cont;
-+ dev_put(ifp);
-+ continue;
- }
- skb_put(skb, sizeof *h + sizeof *ch);
- skb->dev = ifp;
-@@ -440,9 +443,6 @@ aoecmd_cfg_pkts(ushort aoemajor, unsigned char aoeminor, struct sk_buff_head *qu
- h->major = cpu_to_be16(aoemajor);
- h->minor = aoeminor;
- h->cmd = AOECMD_CFG;
--
--cont:
-- dev_put(ifp);
- }
- rcu_read_unlock();
- }
-diff --git a/drivers/block/aoe/aoenet.c b/drivers/block/aoe/aoenet.c
-index 63773a90581d..1e66c7a188a1 100644
---- a/drivers/block/aoe/aoenet.c
-+++ b/drivers/block/aoe/aoenet.c
-@@ -64,6 +64,7 @@ tx(int id) __must_hold(&txlock)
- pr_warn("aoe: packet could not be sent on %s. %s\n",
- ifp ? ifp->name : "netif",
- "consider increasing tx_queue_len");
-+ dev_put(ifp);
- spin_lock_irq(&txlock);
- }
- return 0;
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch b/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch
deleted file mode 100644
index 009af084b..000000000
--- a/debian/patches/bugfix/all/efi-fix-panic-in-kdump-kernel.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From: Oleksandr Tymoshenko <ovt@google.com>
-Date: Sat, 23 Mar 2024 06:33:33 +0000
-Subject: efi: fix panic in kdump kernel
-Origin: https://git.kernel.org/linus/62b71cd73d41ddac6b1760402bbe8c4932e23531
-
-Check if get_next_variable() is actually valid pointer before
-calling it. In kdump kernel this method is set to NULL that causes
-panic during the kexec-ed kernel boot.
-
-Tested with QEMU and OVMF firmware.
-
-Fixes: bad267f9e18f ("efi: verify that variable services are supported")
-Signed-off-by: Oleksandr Tymoshenko <ovt@google.com>
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
----
- drivers/firmware/efi/efi.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
-index 8859fb0b006d..fdf07dd6f459 100644
---- a/drivers/firmware/efi/efi.c
-+++ b/drivers/firmware/efi/efi.c
-@@ -203,6 +203,8 @@ static bool generic_ops_supported(void)
-
- name_size = sizeof(name);
-
-+ if (!efi.get_next_variable)
-+ return false;
- status = efi.get_next_variable(&name_size, &name, &guid);
- if (status == EFI_UNSUPPORTED)
- return false;
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch b/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch
deleted file mode 100644
index 402582b17..000000000
--- a/debian/patches/bugfix/all/efi-libstub-Cast-away-type-warning-in-use-of-max.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Ard Biesheuvel <ardb@kernel.org>
-Date: Tue, 26 Mar 2024 11:15:25 +0100
-Subject: efi/libstub: Cast away type warning in use of max()
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git/commit?id=07263d8a5a2cea66a3f10d930fea60ce49c7dc3b
-
-Add a missing (u64) cast to alloc_min, which is passed into
-efi_random_alloc() as unsigned long, while efi_physical_addr_t is u64.
-
-Fixes: 3cb4a4827596abc82e ("efi/libstub: fix efi_random_alloc() ...")
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
----
- drivers/firmware/efi/libstub/randomalloc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c
-index 7e1852859550..fa81528150fe 100644
---- a/drivers/firmware/efi/libstub/randomalloc.c
-+++ b/drivers/firmware/efi/libstub/randomalloc.c
-@@ -120,7 +120,7 @@ efi_status_t efi_random_alloc(unsigned long size,
- continue;
- }
-
-- target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align;
-+ target = round_up(max(md->phys_addr, (u64)alloc_min), align) + target_slot * align;
- pages = size / EFI_PAGE_SIZE;
-
- status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS,
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch b/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch
deleted file mode 100644
index d5590f5db..000000000
--- a/debian/patches/bugfix/all/efi-libstub-fix-efi_random_alloc-to-allocate-memory-.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From: =?UTF-8?q?KONDO=20KAZUMA=28=E8=BF=91=E8=97=A4=E3=80=80=E5=92=8C?=
- =?UTF-8?q?=E7=9C=9F=29?= <kazuma-kondo@nec.com>
-Date: Fri, 22 Mar 2024 10:47:02 +0000
-Subject: efi/libstub: fix efi_random_alloc() to allocate memory at alloc_min
- or higher address
-Origin: https://git.kernel.org/linus/3cb4a4827596abc82e55b80364f509d0fefc3051
-
-Following warning is sometimes observed while booting my servers:
- [ 3.594838] DMA: preallocated 4096 KiB GFP_KERNEL pool for atomic allocations
- [ 3.602918] swapper/0: page allocation failure: order:10, mode:0xcc1(GFP_KERNEL|GFP_DMA), nodemask=(null),cpuset=/,mems_allowed=0-1
- ...
- [ 3.851862] DMA: preallocated 1024 KiB GFP_KERNEL|GFP_DMA pool for atomic allocation
-
-If 'nokaslr' boot option is set, the warning always happens.
-
-On x86, ZONE_DMA is small zone at the first 16MB of physical address
-space. When this problem happens, most of that space seems to be used by
-decompressed kernel. Thereby, there is not enough space at DMA_ZONE to
-meet the request of DMA pool allocation.
-
-The commit 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below
-LOAD_PHYSICAL_ADDR") tried to fix this problem by introducing lower
-bound of allocation.
-
-But the fix is not complete.
-
-efi_random_alloc() allocates pages by following steps.
-1. Count total available slots ('total_slots')
-2. Select a slot ('target_slot') to allocate randomly
-3. Calculate a starting address ('target') to be included target_slot
-4. Allocate pages, which starting address is 'target'
-
-In step 1, 'alloc_min' is used to offset the starting address of memory
-chunk. But in step 3 'alloc_min' is not considered at all. As the
-result, 'target' can be miscalculated and become lower than 'alloc_min'.
-
-When KASLR is disabled, 'target_slot' is always 0 and the problem
-happens everytime if the EFI memory map of the system meets the
-condition.
-
-Fix this problem by calculating 'target' considering 'alloc_min'.
-
-Cc: linux-efi@vger.kernel.org
-Cc: Tom Englund <tomenglund26@gmail.com>
-Cc: linux-kernel@vger.kernel.org
-Fixes: 2f77465b05b1 ("x86/efistub: Avoid placing the kernel below LOAD_PHYSICAL_ADDR")
-Signed-off-by: Kazuma Kondo <kazuma-kondo@nec.com>
-Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
----
- drivers/firmware/efi/libstub/randomalloc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/drivers/firmware/efi/libstub/randomalloc.c b/drivers/firmware/efi/libstub/randomalloc.c
-index 4e96a855fdf4..7e1852859550 100644
---- a/drivers/firmware/efi/libstub/randomalloc.c
-+++ b/drivers/firmware/efi/libstub/randomalloc.c
-@@ -120,7 +120,7 @@ efi_status_t efi_random_alloc(unsigned long size,
- continue;
- }
-
-- target = round_up(md->phys_addr, align) + target_slot * align;
-+ target = round_up(max(md->phys_addr, alloc_min), align) + target_slot * align;
- pages = size / EFI_PAGE_SIZE;
-
- status = efi_bs_call(allocate_pages, EFI_ALLOCATE_ADDRESS,
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch
new file mode 100644
index 000000000..c59abc9f8
--- /dev/null
+++ b/debian/patches/bugfix/all/scsi-sd-usb_storage-uas-Access-media-prior-to-queryi.patch
@@ -0,0 +1,155 @@
+From: "Martin K. Petersen" <martin.petersen@oracle.com>
+Date: Tue, 13 Feb 2024 09:33:06 -0500
+Subject: scsi: sd: usb_storage: uas: Access media prior to querying device
+ properties
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=46e587855c060a0fdcbb4349accb62b31e9ce70f
+
+[ Upstream commit 321da3dc1f3c92a12e3c5da934090d2992a8814c ]
+
+It has been observed that some USB/UAS devices return generic properties
+hardcoded in firmware for mode pages for a period of time after a device
+has been discovered. The reported properties are either garbage or they do
+not accurately reflect the characteristics of the physical storage device
+attached in the case of a bridge.
+
+Prior to commit 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to
+avoid calling revalidate twice") we would call revalidate several
+times during device discovery. As a result, incorrect values would
+eventually get replaced with ones accurately describing the attached
+storage. When we did away with the redundant revalidate pass, several
+cases were reported where devices reported nonsensical values or would
+end up in write-protected state.
+
+An initial attempt at addressing this issue involved introducing a
+delayed second revalidate invocation. However, this approach still
+left some devices reporting incorrect characteristics.
+
+Tasos Sahanidis debugged the problem further and identified that
+introducing a READ operation prior to MODE SENSE fixed the problem and that
+it wasn't a timing issue. Issuing a READ appears to cause the devices to
+update their state to reflect the actual properties of the storage
+media. Device properties like vendor, model, and storage capacity appear to
+be correctly reported from the get-go. It is unclear why these devices
+defer populating the remaining characteristics.
+
+Match the behavior of a well known commercial operating system and
+trigger a READ operation prior to querying device characteristics to
+force the device to populate the mode pages.
+
+The additional READ is triggered by a flag set in the USB storage and
+UAS drivers. We avoid issuing the READ for other transport classes
+since some storage devices identify Linux through our particular
+discovery command sequence.
+
+Link: https://lore.kernel.org/r/20240213143306.2194237-1-martin.petersen@oracle.com
+Fixes: 1e029397d12f ("scsi: sd: Reorganize DIF/DIX code to avoid calling revalidate twice")
+Cc: stable@vger.kernel.org
+Reported-by: Tasos Sahanidis <tasos@tasossah.com>
+Reviewed-by: Ewan D. Milne <emilne@redhat.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Tested-by: Tasos Sahanidis <tasos@tasossah.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/sd.c | 26 +++++++++++++++++++++++++-
+ drivers/usb/storage/scsiglue.c | 7 +++++++
+ drivers/usb/storage/uas.c | 7 +++++++
+ include/scsi/scsi_device.h | 1 +
+ 4 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sd.c b/drivers/scsi/sd.c
+index ad619f7c7418..3ec9b324fdcf 100644
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -3286,6 +3286,24 @@ static bool sd_validate_opt_xfer_size(struct scsi_disk *sdkp,
+ return true;
+ }
+
++static void sd_read_block_zero(struct scsi_disk *sdkp)
++{
++ unsigned int buf_len = sdkp->device->sector_size;
++ char *buffer, cmd[10] = { };
++
++ buffer = kmalloc(buf_len, GFP_KERNEL);
++ if (!buffer)
++ return;
++
++ cmd[0] = READ_10;
++ put_unaligned_be32(0, &cmd[2]); /* Logical block address 0 */
++ put_unaligned_be16(1, &cmd[7]); /* Transfer 1 logical block */
++
++ scsi_execute_req(sdkp->device, cmd, DMA_FROM_DEVICE, buffer, buf_len,
++ NULL, SD_TIMEOUT, sdkp->max_retries, NULL);
++ kfree(buffer);
++}
++
+ /**
+ * sd_revalidate_disk - called the first time a new disk is seen,
+ * performs disk spin up, read_capacity, etc.
+@@ -3325,7 +3343,13 @@ static int sd_revalidate_disk(struct gendisk *disk)
+ */
+ if (sdkp->media_present) {
+ sd_read_capacity(sdkp, buffer);
+-
++ /*
++ * Some USB/UAS devices return generic values for mode pages
++ * until the media has been accessed. Trigger a READ operation
++ * to force the device to populate mode pages.
++ */
++ if (sdp->read_before_ms)
++ sd_read_block_zero(sdkp);
+ /*
+ * set the default to rotational. All non-rotational devices
+ * support the block characteristics VPD page, which will
+diff --git a/drivers/usb/storage/scsiglue.c b/drivers/usb/storage/scsiglue.c
+index c54e9805da53..12cf9940e5b6 100644
+--- a/drivers/usb/storage/scsiglue.c
++++ b/drivers/usb/storage/scsiglue.c
+@@ -179,6 +179,13 @@ static int slave_configure(struct scsi_device *sdev)
+ */
+ sdev->use_192_bytes_for_3f = 1;
+
++ /*
++ * Some devices report generic values until the media has been
++ * accessed. Force a READ(10) prior to querying device
++ * characteristics.
++ */
++ sdev->read_before_ms = 1;
++
+ /*
+ * Some devices don't like MODE SENSE with page=0x3f,
+ * which is the command used for checking if a device
+diff --git a/drivers/usb/storage/uas.c b/drivers/usb/storage/uas.c
+index ee5621bdb11e..af619efe8eab 100644
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -876,6 +876,13 @@ static int uas_slave_configure(struct scsi_device *sdev)
+ if (devinfo->flags & US_FL_CAPACITY_HEURISTICS)
+ sdev->guess_capacity = 1;
+
++ /*
++ * Some devices report generic values until the media has been
++ * accessed. Force a READ(10) prior to querying device
++ * characteristics.
++ */
++ sdev->read_before_ms = 1;
++
+ /*
+ * Some devices don't like MODE SENSE with page=0x3f,
+ * which is the command used for checking if a device
+diff --git a/include/scsi/scsi_device.h b/include/scsi/scsi_device.h
+index d2751ed536df..1504d3137cc6 100644
+--- a/include/scsi/scsi_device.h
++++ b/include/scsi/scsi_device.h
+@@ -204,6 +204,7 @@ struct scsi_device {
+ unsigned use_10_for_rw:1; /* first try 10-byte read / write */
+ unsigned use_10_for_ms:1; /* first try 10-byte mode sense/select */
+ unsigned set_dbd_for_ms:1; /* Set "DBD" field in mode sense */
++ unsigned read_before_ms:1; /* perform a READ before MODE SENSE */
+ unsigned no_report_opcodes:1; /* no REPORT SUPPORTED OPERATION CODES */
+ unsigned no_write_same:1; /* no WRITE SAME command */
+ unsigned use_16_for_rw:1; /* Use read/write(16) over read/write(10) */
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch b/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch
deleted file mode 100644
index ac7fb2e3e..000000000
--- a/debian/patches/bugfix/all/sr9800-Add-check-for-usbnet_get_endpoints.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From: Chen Ni <nichen@iscas.ac.cn>
-Date: Tue, 5 Mar 2024 07:59:27 +0000
-Subject: sr9800: Add check for usbnet_get_endpoints
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=9c402819620a842cbfe39359a3ddfaac9adc8384
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-26651
-
-[ Upstream commit 07161b2416f740a2cb87faa5566873f401440a61 ]
-
-Add check for usbnet_get_endpoints() and return the error if it fails
-in order to transfer the error.
-
-Signed-off-by: Chen Ni <nichen@iscas.ac.cn>
-Reviewed-by: Simon Horman <horms@kernel.org>
-Fixes: 19a38d8e0aa3 ("USB2NET : SR9800 : One chip USB2.0 USB2NET SR9800 Device Driver Support")
-Link: https://lore.kernel.org/r/20240305075927.261284-1-nichen@iscas.ac.cn
-Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/usb/sr9800.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/drivers/net/usb/sr9800.c b/drivers/net/usb/sr9800.c
-index f5e19f3ef6cd..4de514482183 100644
---- a/drivers/net/usb/sr9800.c
-+++ b/drivers/net/usb/sr9800.c
-@@ -737,7 +737,9 @@ static int sr9800_bind(struct usbnet *dev, struct usb_interface *intf)
-
- data->eeprom_len = SR9800_EEPROM_LEN;
-
-- usbnet_get_endpoints(dev, intf);
-+ ret = usbnet_get_endpoints(dev, intf);
-+ if (ret)
-+ goto out;
-
- /* LED Setting Rule :
- * AABB:CCDD
---
-2.43.0
-
diff --git a/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
new file mode 100644
index 000000000..bfb6301cf
--- /dev/null
+++ b/debian/patches/bugfix/all/tty-n_gsm-require-CAP_NET_ADMIN-to-attach-N_GSM0710-.patch
@@ -0,0 +1,35 @@
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Mon, 31 Jul 2023 15:59:42 -0300
+Subject: tty: n_gsm: require CAP_NET_ADMIN to attach N_GSM0710 ldisc
+Origin: https://git.kernel.org/linus/67c37756898a5a6b2941a13ae7260c89b54e0d88
+Bug-Debian: https://bugs.debian.org/1068770
+
+Any unprivileged user can attach N_GSM0710 ldisc, but it requires
+CAP_NET_ADMIN to create a GSM network anyway.
+
+Require initial namespace CAP_NET_ADMIN to do that.
+
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Link: https://lore.kernel.org/r/20230731185942.279611-1-cascardo@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index 1cdefac4dd1b..c7a787f10a9c 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -3576,6 +3576,9 @@ static int gsmld_open(struct tty_struct *tty)
+ {
+ struct gsm_mux *gsm;
+
++ if (!capable(CAP_NET_ADMIN))
++ return -EPERM;
++
+ if (tty->ops->write == NULL)
+ return -EINVAL;
+
+--
+2.43.0
+
diff --git a/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch b/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch
deleted file mode 100644
index 2747ec5b6..000000000
--- a/debian/patches/bugfix/all/wifi-ath10k-fix-NULL-pointer-dereference-in-ath10k_w.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From: Xingyuan Mo <hdthky0@gmail.com>
-Date: Sun, 17 Dec 2023 13:29:01 +0200
-Subject: wifi: ath10k: fix NULL pointer dereference in
- ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev()
-Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit?id=90f089d77e38db1c48629f111f3c8c336be1bc38
-Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2023-7042
-
-[ Upstream commit ad25ee36f00172f7d53242dc77c69fff7ced0755 ]
-
-We should check whether the WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT tlv is
-present before accessing it, otherwise a null pointer deference error will
-occur.
-
-Fixes: dc405152bb64 ("ath10k: handle mgmt tx completion event")
-Signed-off-by: Xingyuan Mo <hdthky0@gmail.com>
-Acked-by: Jeff Johnson <quic_jjohnson@quicinc.com>
-Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
-Link: https://msgid.link/20231208043433.271449-1-hdthky0@gmail.com
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- drivers/net/wireless/ath/ath10k/wmi-tlv.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/drivers/net/wireless/ath/ath10k/wmi-tlv.c b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
-index 876410a47d1d..4d5009604eee 100644
---- a/drivers/net/wireless/ath/ath10k/wmi-tlv.c
-+++ b/drivers/net/wireless/ath/ath10k/wmi-tlv.c
-@@ -844,6 +844,10 @@ ath10k_wmi_tlv_op_pull_mgmt_tx_compl_ev(struct ath10k *ar, struct sk_buff *skb,
- }
-
- ev = tb[WMI_TLV_TAG_STRUCT_MGMT_TX_COMPL_EVENT];
-+ if (!ev) {
-+ kfree(tb);
-+ return -EPROTO;
-+ }
-
- arg->desc_id = ev->desc_id;
- arg->status = ev->status;
---
-2.43.0
-