From: Greg Kroah-Hartman Date: Fri, 17 Dec 2021 13:07:58 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v4.4.296~71 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8464ed1e8bce8802fb1290b2c7545e825c381ec0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch mac80211-fix-rate-control-for-retransmitted-frames.patch mac80211-fix-regression-in-ssn-handling-of-addba-tx.patch mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch mac80211-validate-extended-element-id-is-present.patch
---
diff --git a/queue-5.15/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch b/queue-5.15/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
new file mode 100644
index 00000000000..b87ea15b62a
--- /dev/null
+++ b/queue-5.15/firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
@@ -0,0 +1,54 @@
+From 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 Mon Sep 17 00:00:00 2001
+From: Sudeep Holla
+Date: Thu, 9 Dec 2021 12:04:56 +0000
+Subject: firmware: arm_scpi: Fix string overflow in SCPI genpd driver
+
+From: Sudeep Holla
+
+commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 upstream.
+
+Without the bound checks for scpi_pd->name, it could result in the buffer
+overflow when copying the SCPI device name from the corresponding device
+tree node as the name string is set at maximum size of 30.
+
+Let us fix it by using devm_kasprintf so that the string buffer is
+allocated dynamically.
+
+Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd")
+Reported-by: Pedro Batista
+Signed-off-by: Sudeep Holla
+Cc: stable@vger.kernel.org
+Cc: Cristian Marussi
+Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com'
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/firmware/scpi_pm_domain.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/scpi_pm_domain.c
++++ b/drivers/firmware/scpi_pm_domain.c
+@@ -16,7 +16,6 @@ struct scpi_pm_domain {
+ struct generic_pm_domain genpd;
+ struct scpi_ops *ops;
+ u32 domain;
+- char name[30];
+ };
+
+ /*
+@@ -110,8 +109,13 @@ static int scpi_pm_domain_probe(struct p
+
+ scpi_pd->domain = i;
+ scpi_pd->ops = scpi_ops;
+- sprintf(scpi_pd->name, "%pOFn.%d", np, i);
+- scpi_pd->genpd.name = scpi_pd->name;
++ scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL,
++ "%pOFn.%d", np, i);
++ if (!scpi_pd->genpd.name) {
++ dev_err(dev, "Failed to allocate genpd name:%pOFn.%d\n",
++ np, i);
++ continue;
++ }
+ scpi_pd->genpd.power_off = scpi_pd_power_off;
+ scpi_pd->genpd.power_on = scpi_pd_power_on;
+
diff --git a/queue-5.15/mac80211-fix-rate-control-for-retransmitted-frames.patch b/queue-5.15/mac80211-fix-rate-control-for-retransmitted-frames.patch
new file mode 100644
index 00000000000..0ee8bf126c4
--- /dev/null
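Review bot: In the second `scpi_pm_domain_probe` hunk, the `continue` taken when `devm_kasprintf()` returns NULL skips the rest of the loop body, so that entry never receives its `power_off`/`power_on` callbacks or any initialisation that follows them. If the entry has already been stored in the provider's domain table earlier in the loop (that part of the function is outside the hunk), a consumer could later be handed a half-initialised genpd with a NULL name; failing the probe with `return -ENOMEM;` would be the safer reaction to an allocation failure. The `dev_err()` also looks redundant, since the allocator normally reports out-of-memory itself.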
+++ b/queue-5.15/mac80211-fix-rate-control-for-retransmitted-frames.patch
@@ -0,0 +1,46 @@
+From 18688c80ad8a8dd50523dc9276e929932cac86d4 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Mon, 22 Nov 2021 21:43:23 +0100
+Subject: mac80211: fix rate control for retransmitted frames
+
+From: Felix Fietkau
+
+commit 18688c80ad8a8dd50523dc9276e929932cac86d4 upstream.
+
+Since retransmission clears info->control, rate control needs to be called
+again, otherwise the driver might crash due to invalid rates.
+
+Cc: stable@vger.kernel.org # 5.14+
+Reported-by: Aaro Koskinen
+Reported-by: Robert W
+Fixes: 03c3911d2d67 ("mac80211: call ieee80211_tx_h_rate_ctrl() when dequeue")
+Signed-off-by: Felix Fietkau
+Tested-by: Aaro Koskinen
+Link: https://lore.kernel.org/r/20211122204323.9787-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/tx.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1821,15 +1821,15 @@ static int invoke_tx_handlers_late(struc
+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
+ ieee80211_tx_result res = TX_CONTINUE;
+
++ if (!ieee80211_hw_check(&tx->local->hw, HAS_RATE_CONTROL))
++ CALL_TXH(ieee80211_tx_h_rate_ctrl);
++
+ if (unlikely(info->flags & IEEE80211_TX_INTFL_RETRANSMISSION)) {
+ __skb_queue_tail(&tx->skbs, tx->skb);
+ tx->skb = NULL;
+ goto txh_done;
+ }
+
+- if (!ieee80211_hw_check(&tx->local->hw, HAS_RATE_CONTROL))
+- CALL_TXH(ieee80211_tx_h_rate_ctrl);
+-
+ CALL_TXH(ieee80211_tx_h_michael_mic_add);
+ CALL_TXH(ieee80211_tx_h_sequence);
+ CALL_TXH(ieee80211_tx_h_fragment);
diff --git a/queue-5.15/mac80211-fix-regression-in-ssn-handling-of-addba-tx.patch b/queue-5.15/mac80211-fix-regression-in-ssn-handling-of-addba-tx.patch
new file mode 100644
index 00000000000..a931cc8d21f
--- /dev/null
+++ b/queue-5.15/mac80211-fix-regression-in-ssn-handling-of-addba-tx.patch
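Review bot: The reordering in `invoke_tx_handlers_late` makes the rate-control call a precondition of the retransmission early exit, but nothing in the code records that, so a later cleanup could move the block back below the `goto txh_done` path. A short comment above the moved lines would pin the reason given in the commit message, e.g. `/* retransmission clears info->control, so rates must be selected again before the early exit */`. The function starts and ends outside the hunk.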
@@ -0,0 +1,55 @@
+From 73111efacd3c6d9e644acca1d132566932be8af0 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Wed, 24 Nov 2021 10:40:24 +0100
+Subject: mac80211: fix regression in SSN handling of addba tx
+
+From: Felix Fietkau
+
+commit 73111efacd3c6d9e644acca1d132566932be8af0 upstream.
+
+Some drivers that do their own sequence number allocation (e.g. ath9k) rely
+on being able to modify params->ssn on starting tx ampdu sessions.
+This was broken by a change that modified it to use sta->tid_seq[tid] instead.
+
+Cc: stable@vger.kernel.org
+Fixes: 31d8bb4e07f8 ("mac80211: agg-tx: refactor sending addba")
+Reported-by: Eneas U de Queiroz
+Signed-off-by: Felix Fietkau
+Link: https://lore.kernel.org/r/20211124094024.43222-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/agg-tx.c | 4 ++--
+ net/mac80211/sta_info.h | 1 +
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -480,8 +480,7 @@ static void ieee80211_send_addba_with_ti
+
+ /* send AddBA request */
+ ieee80211_send_addba_request(sdata, sta->sta.addr, tid,
+- tid_tx->dialog_token,
+- sta->tid_seq[tid] >> 4,
++ tid_tx->dialog_token, tid_tx->ssn,
+ buf_size, tid_tx->timeout);
+
+ WARN_ON(test_and_set_bit(HT_AGG_STATE_SENT_ADDBA, &tid_tx->state));
+@@ -523,6 +522,7 @@ void ieee80211_tx_ba_session_handle_star
+
+ params.ssn = sta->tid_seq[tid] >> 4;
+ ret = drv_ampdu_action(local, sdata, ¶ms);
++ tid_tx->ssn = params.ssn;
+ if (ret == IEEE80211_AMPDU_TX_START_DELAY_ADDBA) {
+ return;
+ } else if (ret == IEEE80211_AMPDU_TX_START_IMMEDIATE) {
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -199,6 +199,7 @@ struct tid_ampdu_tx {
+ u8 stop_initiator;
+ bool tx_stop;
+ u16 buf_size;
++ u16 ssn;
+
+ u16 failed_bar_ssn;
+ bool bar_pending;
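Review bot: The new `u16 ssn;` member of `struct tid_ampdu_tx` in sta_info.h is added without documentation; if the struct carries a kernel-doc block above it (not visible in this hunk), it needs a matching entry such as `@ssn: starting sequence number for the AddBA request, as possibly adjusted by the driver`. In agg-tx.c the bare `tid_tx->ssn = params.ssn;` would also benefit from a one-line comment saying that the driver may have rewritten `params.ssn` during `drv_ampdu_action()`, because the assignment two lines above makes the copy-back look redundant. Both functions continue outside their hunks.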
diff --git a/queue-5.15/mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch b/queue-5.15/mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
new file mode 100644
index 00000000000..2f8691dabb2
--- /dev/null
+++ b/queue-5.15/mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
@@ -0,0 +1,42 @@
+From db7205af049d230e7e0abf61c1e74c1aab40f390 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Mon, 29 Nov 2021 15:32:39 +0200
+Subject: mac80211: mark TX-during-stop for TX in in_reconfig
+
+From: Johannes Berg
+
+commit db7205af049d230e7e0abf61c1e74c1aab40f390 upstream.
+
+Mark TXQs as having seen transmit while they were stopped if
+we bail out of drv_wake_tx_queue() due to reconfig, so that
+the queue wake after this will make them catch up. This is
+particularly necessary for when TXQs are used for management
+packets since those TXQs won't see a lot of traffic that'd
+make them catch up later.
+
+Cc: stable@vger.kernel.org
+Fixes: 4856bfd23098 ("mac80211: do not call driver wake_tx_queue op during reconfig")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Link: https://lore.kernel.org/r/iwlwifi.20211129152938.4573a221c0e1.I0d1d5daea3089be3fc0dccc92991b0f8c5677f0c@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/driver-ops.h | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/driver-ops.h
++++ b/net/mac80211/driver-ops.h
+@@ -1219,8 +1219,11 @@ static inline void drv_wake_tx_queue(str
+ {
+ struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
+
+- if (local->in_reconfig)
++ /* In reconfig don't transmit now, but mark for waking later */
++ if (local->in_reconfig) {
++ set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txq->flags);
+ return;
++ }
+
+ if (!check_sdata_in_driver(sdata))
+ return;
diff --git a/queue-5.15/mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch b/queue-5.15/mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
new file mode 100644
index 00000000000..a2c7b1a8dbe
--- /dev/null
+++ b/queue-5.15/mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
@@ -0,0 +1,37 @@
+From 1fe98f5690c4219d419ea9cc190f94b3401cf324 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Thu, 2 Dec 2021 13:45:33 +0100
+Subject: mac80211: send ADDBA requests using the tid/queue of the aggregation session
+
+From: Felix Fietkau
+
+commit 1fe98f5690c4219d419ea9cc190f94b3401cf324 upstream.
+
+Sending them out on a different queue can cause a race condition where a
+number of packets in the queue may be discarded by the receiver, because
+the ADDBA request is sent too early.
+This affects any driver with software A-MPDU setup which does not allocate
+packet seqno in hardware on tx, regardless of whether iTXQ is used or not.
+The only driver I've seen that explicitly deals with this issue internally
+is mwl8k.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau
+Link: https://lore.kernel.org/r/20211202124533.80388-1-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/agg-tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -106,7 +106,7 @@ static void ieee80211_send_addba_request
+ mgmt->u.action.u.addba_req.start_seq_num =
+ cpu_to_le16(start_seq_num << 4);
+
+- ieee80211_tx_skb(sdata, skb);
++ ieee80211_tx_skb_tid(sdata, skb, tid);
+ }
+
+ void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
diff --git a/queue-5.15/mac80211-validate-extended-element-id-is-present.patch b/queue-5.15/mac80211-validate-extended-element-id-is-present.patch
new file mode 100644
index 00000000000..90c8b838809
--- /dev/null
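Review bot: The switch to `ieee80211_tx_skb_tid(sdata, skb, tid)` at the end of `ieee80211_send_addba_request` encodes an ordering requirement that is explained only in the commit message. A comment on the call, e.g. `/* send on the session's own TID so the request cannot overtake frames already queued for it */`, would keep a later refactor from quietly reverting to `ieee80211_tx_skb()`. The start of the function is outside the hunk, so the declared type and range of `tid` cannot be confirmed from here.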
+++ b/queue-5.15/mac80211-validate-extended-element-id-is-present.patch
@@ -0,0 +1,38 @@
+From 768c0b19b50665e337c96858aa2b7928d6dcf756 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Sat, 11 Dec 2021 20:10:24 +0100
+Subject: mac80211: validate extended element ID is present
+
+From: Johannes Berg
+
+commit 768c0b19b50665e337c96858aa2b7928d6dcf756 upstream.
+
+Before attempting to parse an extended element, verify that
+the extended element ID is present.
+
+Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
+Reported-by: syzbot+59bdff68edce82e393b6@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20211211201023.f30a1b128c07.I5cacc176da94ba316877c6e10fe3ceec8b4dbd7d@changeid
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/util.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -943,7 +943,12 @@ static void ieee80211_parse_extension_el
+ struct ieee802_11_elems *elems)
+ {
+ const void *data = elem->data + 1;
+- u8 len = elem->datalen - 1;
++ u8 len;
++
++ if (!elem->datalen)
++ return;
++
++ len = elem->datalen - 1;
+
+ switch (elem->data[0]) {
+ case WLAN_EID_EXT_HE_MU_EDCA:
diff --git a/queue-5.15/series b/queue-5.15/series
index cbf80dec47a..2621b79a344 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -4,3 +4,9 @@ kvm-selftests-make-sure-kvm_create_max_vcpus-test-wo.patch
 kvm-downgrade-two-bug_ons-to-warn_on_once.patch
 x86-kvm-remove-unused-ack_notifier-callbacks.patch
 kvm-x86-fix-tlb-flush-for-tdp-in-kvm_invalidate_pcid.patch
+mac80211-fix-rate-control-for-retransmitted-frames.patch
+mac80211-fix-regression-in-ssn-handling-of-addba-tx.patch
+mac80211-mark-tx-during-stop-for-tx-in-in_reconfig.patch
+mac80211-send-addba-requests-using-the-tid-queue-of-the-aggregation-session.patch
+mac80211-validate-extended-element-id-is-present.patch
+firmware-arm_scpi-fix-string-overflow-in-scpi-genpd-driver.patch
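Review bot: In `ieee80211_parse_extension_elem`, the initialiser `const void *data = elem->data + 1;` still runs before the new `!elem->datalen` guard. The pointer is not dereferenced on the early-return path, but forming it before the ID byte is known to exist is easy to misread; declaring `const void *data;` and assigning `data = elem->data + 1;` next to `len`, after the check, keeps both derived values behind the validation. The guard only proves that the ID byte is present, so each `case` of the switch, which continues outside the hunk, still has to compare `len` with the size of the structure it expects.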