From: Greg Kroah-Hartman Date: Mon, 20 Jan 2020 11:18:49 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.4.211~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ae3a9bfc362e3c4e23964cf2529541dbe0d7bc68;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: cfg80211-fix-deadlocks-in-autodisconnect-work.patch cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch --- diff --git a/queue-4.19/cfg80211-fix-deadlocks-in-autodisconnect-work.patch b/queue-4.19/cfg80211-fix-deadlocks-in-autodisconnect-work.patch new file mode 100644 index 00000000000..494739b5955 --- /dev/null +++ b/queue-4.19/cfg80211-fix-deadlocks-in-autodisconnect-work.patch @@ -0,0 +1,42 @@ +From 5a128a088a2ab0b5190eeb232b5aa0b1017a0317 Mon Sep 17 00:00:00 2001 +From: Markus Theil +Date: Wed, 8 Jan 2020 12:55:36 +0100 +Subject: cfg80211: fix deadlocks in autodisconnect work + +From: Markus Theil + +commit 5a128a088a2ab0b5190eeb232b5aa0b1017a0317 upstream. + +Use methods which do not try to acquire the wdev lock themselves. + +Cc: stable@vger.kernel.org +Fixes: 37b1c004685a3 ("cfg80211: Support all iftypes in autodisconnect_wk") +Signed-off-by: Markus Theil +Link: https://lore.kernel.org/r/20200108115536.2262-1-markus.theil@tu-ilmenau.de +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/sme.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -1281,14 +1281,14 @@ void cfg80211_autodisconnect_wk(struct w + if (wdev->conn_owner_nlportid) { + switch (wdev->iftype) { + case NL80211_IFTYPE_ADHOC: +- cfg80211_leave_ibss(rdev, wdev->netdev, false); ++ __cfg80211_leave_ibss(rdev, wdev->netdev, false); + break; + case NL80211_IFTYPE_AP: + case NL80211_IFTYPE_P2P_GO: +- cfg80211_stop_ap(rdev, wdev->netdev, false); ++ __cfg80211_stop_ap(rdev, wdev->netdev, false); + break; + case NL80211_IFTYPE_MESH_POINT: +- cfg80211_leave_mesh(rdev, wdev->netdev); ++ __cfg80211_leave_mesh(rdev, wdev->netdev); + break; + case NL80211_IFTYPE_STATION: + case NL80211_IFTYPE_P2P_CLIENT: diff --git a/queue-4.19/cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch b/queue-4.19/cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch new file mode 100644 index 00000000000..e753826f46a --- /dev/null +++ b/queue-4.19/cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch @@ -0,0 +1,32 @@ +From df16737d438f534d0cc9948c7c5158f1986c5c87 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 8 Jan 2020 18:06:30 +0100 +Subject: cfg80211: fix memory leak in cfg80211_cqm_rssi_update + +From: Felix Fietkau + +commit df16737d438f534d0cc9948c7c5158f1986c5c87 upstream. + +The per-tid statistics need to be released after the call to rdev_get_station + +Cc: stable@vger.kernel.org +Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info") +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20200108170630.33680-2-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -10305,6 +10305,7 @@ static int cfg80211_cqm_rssi_update(stru + if (err) + return err; + ++ cfg80211_sinfo_release_content(&sinfo); + if (sinfo.filled & BIT_ULL(NL80211_STA_INFO_BEACON_SIGNAL_AVG)) + wdev->cqm_config->last_rssi_event_value = + (s8) sinfo.rx_beacon_signal_avg; diff --git a/queue-4.19/cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch b/queue-4.19/cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch new file mode 100644 index 00000000000..23200edc71a --- /dev/null +++ b/queue-4.19/cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch @@ -0,0 +1,36 @@ +From 81c044fc3bdc5b7be967cd3682528ea94b58c06a Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Mon, 13 Jan 2020 19:21:07 +0100 +Subject: cfg80211: fix page refcount issue in A-MSDU decap + +From: Felix Fietkau + +commit 81c044fc3bdc5b7be967cd3682528ea94b58c06a upstream. + +The fragments attached to a skb can be part of a compound page. In that case, +page_ref_inc will increment the refcount for the wrong page. Fix this by +using get_page instead, which calls page_ref_inc on the compound head and +also checks for overflow. + +Fixes: 2b67f944f88c ("cfg80211: reuse existing page fragments in A-MSDU rx") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Link: https://lore.kernel.org/r/20200113182107.20461-1-nbd@nbd.name +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/util.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/wireless/util.c ++++ b/net/wireless/util.c +@@ -537,7 +537,7 @@ __frame_add_frag(struct sk_buff *skb, st + struct skb_shared_info *sh = skb_shinfo(skb); + int page_offset; + +- page_ref_inc(page); ++ get_page(page); + page_offset = ptr - page_address(page); + skb_add_rx_frag(skb, sh->nr_frags, page, page_offset, len, size); + } diff --git a/queue-4.19/series b/queue-4.19/series index 1e6ec5d2a7a..95b57ac510e 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -52,3 +52,6 @@ mm-huge_memory.c-make-__thp_get_unmapped_area-static.patch mm-huge_memory.c-thp-fix-conflict-of-above-47bit-hin.patch arm64-dts-agilex-stratix10-fix-pmu-interrupt-numbers.patch bpf-fix-incorrect-verifier-simulation-of-arsh-under-alu32.patch +cfg80211-fix-deadlocks-in-autodisconnect-work.patch +cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch +cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch