3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 Feb 2014 21:33:15 +0000 (13:33 -0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 20 Feb 2014 21:33:15 +0000 (13:33 -0800)
added patches:
mac80211-fix-fragmentation-code-particularly-for-encryption.patch
mac80211-move-roc-cookie-assignment-earlier.patch
mac80211-release-the-channel-in-error-path-in-start_ap.patch

queue-3.10/mac80211-fix-fragmentation-code-particularly-for-encryption.patch [new file with mode: 0644]
queue-3.10/mac80211-move-roc-cookie-assignment-earlier.patch [new file with mode: 0644]
queue-3.10/mac80211-release-the-channel-in-error-path-in-start_ap.patch [new file with mode: 0644]
queue-3.10/series

diff --git a/queue-3.10/mac80211-fix-fragmentation-code-particularly-for-encryption.patch b/queue-3.10/mac80211-fix-fragmentation-code-particularly-for-encryption.patch
new file mode 100644 (file)
index 0000000..38cf1c3
--- /dev/null
@@ -0,0 +1,53 @@
+From 338f977f4eb441e69bb9a46eaa0ac715c931a67f Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sat, 1 Feb 2014 00:16:23 +0100
+Subject: mac80211: fix fragmentation code, particularly for encryption
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 338f977f4eb441e69bb9a46eaa0ac715c931a67f upstream.
+
+The "new" fragmentation code (since my rewrite almost 5 years ago)
+erroneously sets skb->len rather than using skb_trim() to adjust
+the length of the first fragment after copying out all the others.
+This leaves the skb tail pointer pointing to after where the data
+originally ended, and thus causes the encryption MIC to be written
+at that point, rather than where it belongs: immediately after the
+data.
+
+The impact of this is that if software encryption is done, then
+ a) encryption doesn't work for the first fragment, the connection
+    becomes unusable as the first fragment will never be properly
+    verified at the receiver, the MIC is practically guaranteed to
+    be wrong
+ b) we leak up to 8 bytes of plaintext (!) of the packet out into
+    the air
+
+This is only mitigated by the fact that many devices are capable
+of doing encryption in hardware, in which case this can't happen
+as the tail pointer is irrelevant in that case. Additionally,
+fragmentation is not used very frequently and would normally have
+to be configured manually.
+
+Fix this by using skb_trim() properly.
+
+Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
+Reported-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/tx.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -854,7 +854,7 @@ static int ieee80211_fragment(struct iee
+       }
+       /* adjust first fragment's length */
+-      skb->len = hdrlen + per_fragm;
++      skb_trim(skb, hdrlen + per_fragm);
+       return 0;
+ }
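Review bot: The comment kept above the changed line in ieee80211_fragment(), `/* adjust first fragment's length */`, does not say why skb_trim() is needed, so a later cleanup could go back to a bare `skb->len` store. I would extend it to something like `/* use skb_trim() so the tail pointer moves too; software crypto appends the MIC at the tail */`. The commit message gives the consequence of a stale tail (a wrong MIC on the first fragment and up to 8 bytes of plaintext sent over the air), so the invariant is worth recording next to the code. Only the end of the function is visible here; the loop that copies out the other fragments is outside the hunk.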
diff --git a/queue-3.10/mac80211-move-roc-cookie-assignment-earlier.patch b/queue-3.10/mac80211-move-roc-cookie-assignment-earlier.patch
new file mode 100644 (file)
index 0000000..6d8ff7f
--- /dev/null
@@ -0,0 +1,80 @@
+From 2f617435c3a6fe3f39efb9ae2baa77de2d6c97b8 Mon Sep 17 00:00:00 2001
+From: Eliad Peller <eliad@wizery.com>
+Date: Sun, 12 Jan 2014 11:06:37 +0200
+Subject: mac80211: move roc cookie assignment earlier
+
+From: Eliad Peller <eliad@wizery.com>
+
+commit 2f617435c3a6fe3f39efb9ae2baa77de2d6c97b8 upstream.
+
+ieee80211_start_roc_work() might add a new roc
+to existing roc, and tell cfg80211 it has already
+started.
+
+However, this might happen before the roc cookie
+was set, resulting in REMAIN_ON_CHANNEL (started)
+event with null cookie. Consequently, it can make
+wpa_supplicant go out of sync.
+
+Fix it by setting the roc cookie earlier.
+
+Signed-off-by: Eliad Peller <eliad@wizery.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c |   36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2476,6 +2476,24 @@ static int ieee80211_start_roc_work(stru
+       INIT_DELAYED_WORK(&roc->work, ieee80211_sw_roc_work);
+       INIT_LIST_HEAD(&roc->dependents);
++      /*
++       * cookie is either the roc cookie (for normal roc)
++       * or the SKB (for mgmt TX)
++       */
++      if (!txskb) {
++              /* local->mtx protects this */
++              local->roc_cookie_counter++;
++              roc->cookie = local->roc_cookie_counter;
++              /* wow, you wrapped 64 bits ... more likely a bug */
++              if (WARN_ON(roc->cookie == 0)) {
++                      roc->cookie = 1;
++                      local->roc_cookie_counter++;
++              }
++              *cookie = roc->cookie;
++      } else {
++              *cookie = (unsigned long)txskb;
++      }
++
+       /* if there's one pending or we're scanning, queue this one */
+       if (!list_empty(&local->roc_list) ||
+           local->scanning || local->radar_detect_enabled)
+@@ -2610,24 +2628,6 @@ static int ieee80211_start_roc_work(stru
+       if (!queued)
+               list_add_tail(&roc->list, &local->roc_list);
+-      /*
+-       * cookie is either the roc cookie (for normal roc)
+-       * or the SKB (for mgmt TX)
+-       */
+-      if (!txskb) {
+-              /* local->mtx protects this */
+-              local->roc_cookie_counter++;
+-              roc->cookie = local->roc_cookie_counter;
+-              /* wow, you wrapped 64 bits ... more likely a bug */
+-              if (WARN_ON(roc->cookie == 0)) {
+-                      roc->cookie = 1;
+-                      local->roc_cookie_counter++;
+-              }
+-              *cookie = roc->cookie;
+-      } else {
+-              *cookie = (unsigned long)txskb;
+-      }
+-
+       return 0;
+ }
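Review bot: In the block moved up in ieee80211_start_roc_work(), the mgmt-TX branch still sets `*cookie = (unsigned long)txskb;`, so the value handed back to the caller is a kernel heap address. The commit message says the roc cookie is delivered to wpa_supplicant in the REMAIN_ON_CHANNEL event; if the mgmt-TX cookie reaches user space the same way (not visible in this hunk), it discloses an skb address, and the same value can recur once the skb is freed and its slab slot reused. Drawing this cookie from `local->roc_cookie_counter`, as the `!txskb` branch does, would avoid both problems, though any code that later matches the cookie against the skb pointer would have to change with it. The function body between and around the two nested hunks is outside this view.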
diff --git a/queue-3.10/mac80211-release-the-channel-in-error-path-in-start_ap.patch b/queue-3.10/mac80211-release-the-channel-in-error-path-in-start_ap.patch
new file mode 100644 (file)
index 0000000..ec6ca29
--- /dev/null
@@ -0,0 +1,42 @@
+From 0297ea17bf7879fb5846fafd1be4c0471e72848d Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Date: Mon, 27 Jan 2014 11:07:42 +0200
+Subject: mac80211: release the channel in error path in start_ap
+
+From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+
+commit 0297ea17bf7879fb5846fafd1be4c0471e72848d upstream.
+
+When the driver cannot start the AP or when the assignement
+of the beacon goes wrong, we need to unassign the vif.
+
+Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -975,8 +975,10 @@ static int ieee80211_start_ap(struct wip
+                                       IEEE80211_P2P_OPPPS_ENABLE_BIT;
+       err = ieee80211_assign_beacon(sdata, &params->beacon);
+-      if (err < 0)
++      if (err < 0) {
++              ieee80211_vif_release_channel(sdata);
+               return err;
++      }
+       changed |= err;
+       err = drv_start_ap(sdata->local, sdata);
+@@ -985,6 +987,7 @@ static int ieee80211_start_ap(struct wip
+               if (old)
+                       kfree_rcu(old, rcu_head);
+               RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
++              ieee80211_vif_release_channel(sdata);
+               return err;
+       }
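Review bot: The two failure returns in ieee80211_start_ap() now each repeat `ieee80211_vif_release_channel(sdata);` by hand, so an error path added later could miss it, which is the same class of leak this patch fixes. A single `goto` label that releases the channel before `return err;` would keep the cleanup in one place; for a stable backport that restructuring belongs upstream first. A short comment on the release, for example `/* undo the channel assignment made earlier in this function */`, would also help, assuming the acquisition sits above the lines shown here. The start of the function is outside the nested hunks.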
index 05bf7a431ab777e4abcee26aed882f15173f8558..b65ab145a4e2e7dcc72bce178f449ed9761662b1 100644 (file)
@@ -6,3 +6,6 @@ mm-memory-failure.c-move-refcount-only-in-mf_count_increased.patch
 cifs-fix-smb2-mounts-so-they-don-t-try-to-set-or-get-xattrs-via-cifs.patch
 add-protocol-specific-operation-for-cifs-xattrs.patch
 retrieving-cifs-acls-when-mounted-with-smb2-fails-dropping-session.patch
+mac80211-move-roc-cookie-assignment-earlier.patch
+mac80211-release-the-channel-in-error-path-in-start_ap.patch
+mac80211-fix-fragmentation-code-particularly-for-encryption.patch