From: Greg Kroah-Hartman
Date: Tue, 20 Jan 2015 07:11:09 +0000 (+0800)
Subject: 3.18-stable patches
X-Git-Tag: v3.10.66~48
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b19c54964926b1e12effc9501081eec432aa0622;p=thirdparty%2Fkernel%2Fstable-queue.git
3.18-stable patches
added patches:
cfg80211-avoid-mem-leak-on-driver-hint-set.patch
cfg80211-don-t-warn-about-two-consecutive-country-ie-hint.patch
cfg80211-fix-160-mhz-channels-with-80-80-and-160-mhz-drivers.patch
nl80211-check-matches-array-length-before-acessing-it.patch
---
diff --git a/queue-3.18/cfg80211-avoid-mem-leak-on-driver-hint-set.patch b/queue-3.18/cfg80211-avoid-mem-leak-on-driver-hint-set.patch
new file mode 100644
index 00000000000..0e94b936826
--- /dev/null
+++ b/queue-3.18/cfg80211-avoid-mem-leak-on-driver-hint-set.patch
@@ -0,0 +1,44 @@
+From 34f05f543f02350e920bddb7660ffdd4697aaf60 Mon Sep 17 00:00:00 2001
+From: Arik Nemtsov
+Date: Thu, 4 Dec 2014 12:22:16 +0200
+Subject: cfg80211: avoid mem leak on driver hint set
+
+From: Arik Nemtsov
+
+commit 34f05f543f02350e920bddb7660ffdd4697aaf60 upstream.
+
+In the already-set and intersect case of a driver-hint, the previous
+wiphy regdomain was not freed before being reset with a copy of the
+cfg80211 regdomain.
+
+Signed-off-by: Arik Nemtsov
+Acked-by: Luis R. Rodriguez
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/reg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1760,7 +1760,7 @@ static enum reg_request_treatment
+ reg_process_hint_driver(struct wiphy *wiphy,
+ struct regulatory_request *driver_request)
+ {
+- const struct ieee80211_regdomain *regd;
++ const struct ieee80211_regdomain *regd, *tmp;
+ enum reg_request_treatment treatment;
+
+ treatment = __reg_process_hint_driver(driver_request);
+@@ -1780,7 +1780,10 @@ reg_process_hint_driver(struct wiphy *wi
+ reg_free_request(driver_request);
+ return REG_REQ_IGNORE;
+ }
++
++ tmp = get_wiphy_regdom(wiphy);
+ rcu_assign_pointer(wiphy->regd, regd);
++ rcu_free_regdom(tmp);
+ }
+
+
diff --git a/queue-3.18/cfg80211-don-t-warn-about-two-consecutive-country-ie-hint.patch b/queue-3.18/cfg80211-don-t-warn-about-two-consecutive-country-ie-hint.patch
new file mode 100644
index 00000000000..fc52d822f78
--- /dev/null
+++ b/queue-3.18/cfg80211-don-t-warn-about-two-consecutive-country-ie-hint.patch
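Review bot: `rcu_free_regdom(tmp)` receives whatever `get_wiphy_regdom(wiphy)` returned with no NULL check in the hunk, so the fix is only safe if `rcu_free_regdom()` accepts NULL for a wiphy that had no regdomain yet; neither helper is visible here, so that should be confirmed against the 3.18 net/wireless/reg.c before the patch is queued. The two added lines also say nothing about why the old pointer is captured before `rcu_assign_pointer()`; a comment such as `/* release the regdomain being replaced, otherwise it leaks */` above `tmp = get_wiphy_regdom(wiphy);` would record the intent. `reg_process_hint_driver()` begins and ends outside the hunk.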
@@ -0,0 +1,42 @@
+From 70dcec5a488a7b81779190ac8089475fe4b8b962 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Tue, 2 Dec 2014 09:53:25 +0200
+Subject: cfg80211: don't WARN about two consecutive Country IE hint
+
+From: Emmanuel Grumbach
+
+commit 70dcec5a488a7b81779190ac8089475fe4b8b962 upstream.
+
+This can happen and there is no point in added more
+detection code lower in the stack. Catching these in one
+single point (cfg80211) is enough. Stop WARNING about this
+case.
+
+This fixes:
+https://bugzilla.kernel.org/show_bug.cgi?id=89001
+
+Fixes: 2f1c6c572d7b ("cfg80211: process non country IE conflicting first")
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/reg.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1839,11 +1839,8 @@ __reg_process_hint_country_ie(struct wip
+ return REG_REQ_IGNORE;
+ return REG_REQ_ALREADY_SET;
+ }
+- /*
+- * Two consecutive Country IE hints on the same wiphy.
+- * This should be picked up early by the driver/stack
+- */
+- if (WARN_ON(regdom_changes(country_ie_request->alpha2)))
++
++ if (regdom_changes(country_ie_request->alpha2))
+ return REG_REQ_OK;
+ return REG_REQ_ALREADY_SET;
+ }
diff --git a/queue-3.18/cfg80211-fix-160-mhz-channels-with-80-80-and-160-mhz-drivers.patch b/queue-3.18/cfg80211-fix-160-mhz-channels-with-80-80-and-160-mhz-drivers.patch
new file mode 100644
index 00000000000..eae3a2b75f3
--- /dev/null
+++ b/queue-3.18/cfg80211-fix-160-mhz-channels-with-80-80-and-160-mhz-drivers.patch
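Review bot: The deleted comment block is replaced by a bare blank line, so the new `if (regdom_changes(country_ie_request->alpha2))` no longer explains why a second Country IE hint on the same wiphy is now accepted silently where it used to trigger WARN_ON. The commit message carries that reasoning (the case is expected and is caught at this single point), and it is worth keeping in the code as `/* a second Country IE hint on the same wiphy is legitimate; apply it only if it changes the regdomain */` in place of the empty added line. `__reg_process_hint_country_ie()` begins outside the hunk.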
@@ -0,0 +1,56 @@
+From 08f6f147773b23b765b94633a8eaa82e7defcf4c Mon Sep 17 00:00:00 2001
+From: Jouni Malinen
+Date: Thu, 11 Dec 2014 23:48:55 +0200
+Subject: cfg80211: Fix 160 MHz channels with 80+80 and 160 MHz drivers
+
+From: Jouni Malinen
+
+commit 08f6f147773b23b765b94633a8eaa82e7defcf4c upstream.
+
+The VHT supported channel width field is a two bit integer, not a
+bitfield. cfg80211_chandef_usable() was interpreting it incorrectly and
+ended up rejecting 160 MHz channel width if the driver indicated support
+for both 160 and 80+80 MHz channels.
+
+Fixes: 3d9d1d6656a73 ("nl80211/cfg80211: support VHT channel configuration")
+ (however, no real drivers had 160 MHz support it until 3.16)
+Signed-off-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/chan.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/net/wireless/chan.c
++++ b/net/wireless/chan.c
+@@ -602,7 +602,7 @@ bool cfg80211_chandef_usable(struct wiph
+ {
+ struct ieee80211_sta_ht_cap *ht_cap;
+ struct ieee80211_sta_vht_cap *vht_cap;
+- u32 width, control_freq;
++ u32 width, control_freq, cap;
+
+ if (WARN_ON(!cfg80211_chandef_valid(chandef)))
+ return false;
+@@ -642,7 +642,8 @@ bool cfg80211_chandef_usable(struct wiph
+ return false;
+ break;
+ case NL80211_CHAN_WIDTH_80P80:
+- if (!(vht_cap->cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ))
++ cap = vht_cap->cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
++ if (cap != IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)
+ return false;
+ case NL80211_CHAN_WIDTH_80:
+ if (!vht_cap->vht_supported)
+@@ -653,7 +654,9 @@ bool cfg80211_chandef_usable(struct wiph
+ case NL80211_CHAN_WIDTH_160:
+ if (!vht_cap->vht_supported)
+ return false;
+- if (!(vht_cap->cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ))
++ cap = vht_cap->cap & IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_MASK;
++ if (cap != IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ &&
++ cap != IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ)
+ return false;
+ prohibited_flags |= IEEE80211_CHAN_NO_160MHZ;
+ width = 160;
diff --git a/queue-3.18/nl80211-check-matches-array-length-before-acessing-it.patch b/queue-3.18/nl80211-check-matches-array-length-before-acessing-it.patch
new file mode 100644
index 00000000000..00a9f97fd2d
--- /dev/null
+++ b/queue-3.18/nl80211-check-matches-array-length-before-acessing-it.patch
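Review bot: The `case NL80211_CHAN_WIDTH_80P80:` arm still drops straight into `case NL80211_CHAN_WIDTH_80:` after the new `if (cap != IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160_80PLUS80MHZ) return false;`, and nothing marks that as intended, so a reader cannot tell whether 80+80 is meant to additionally require the 80 MHz checks; a `/* fall through */` line before `case NL80211_CHAN_WIDTH_80:` would document it. In the 80P80 arm `vht_cap->cap` is now read before the `vht_cap->vht_supported` test that the 80 arm performs, which the old code also did, so the ordering is unchanged but still worth a glance while touching it. `cfg80211_chandef_usable()` begins and ends outside the hunk, including where `vht_cap` is set.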
@@ -0,0 +1,84 @@
+From f89f46cf3a23d8d7c98f924a461fd931e1331746 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho
+Date: Mon, 1 Dec 2014 11:32:09 +0200
+Subject: nl80211: check matches array length before acessing it
+
+From: Luciano Coelho
+
+commit f89f46cf3a23d8d7c98f924a461fd931e1331746 upstream.
+
+If the userspace passes a malformed sched scan request (or a net
+detect wowlan configuration) by adding a NL80211_ATTR_SCHED_SCAN_MATCH
+attribute without any nested matchsets, a NULL pointer dereference
+will occur. Fix this by checking that we do have matchsets in our
+array before trying to access it.
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
+IP: [] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
+PGD 865c067 PUD 865b067 PMD 0
+Oops: 0002 [#1] SMP
+Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [last unloaded: compat]
+CPU: 2 PID: 2442 Comm: iw Tainted: G O 3.17.2 #31
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+task: ffff880013800790 ti: ffff880008d80000 task.ti: ffff880008d80000
+RIP: 0010:[] [] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
+RSP: 0018:ffff880008d838d0 EFLAGS: 00010293
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: 000000000000143c RSI: 0000000000000000 RDI: ffff880008ee8dd0
+RBP: ffff880008d83948 R08: 0000000000000002 R09: 0000000000000019
+R10: ffff88001d1b3c40 R11: 0000000000000002 R12: ffff880019e85e00
+R13: 00000000fffffed4 R14: ffff880009757800 R15: 0000000000001388
+FS: 00007fa3b6d13700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000000000000024 CR3: 0000000008670000 CR4: 00000000000006e0
+Stack:
+ ffff880009757800 ffff880000000001 0000000000000000 ffff880008ee84e0
+ 0000000000000000 ffff880009757800 00000000fffffed4 ffff880008d83948
+ ffffffff814689c9 ffff880009757800 ffff880008ee8000 0000000000000000
+Call Trace:
+ [] ? nla_parse+0xb9/0x120
+ [] nl80211_set_wowlan+0x75e/0x960 [cfg80211]
+ [] ? mark_held_locks+0x75/0xa0
+ [] genl_family_rcv_msg+0x18b/0x360
+ [] ? trace_hardirqs_on+0xd/0x10
+ [] genl_rcv_msg+0x84/0xc0
+ [] ? genl_family_rcv_msg+0x360/0x360
+ [] netlink_rcv_skb+0xa9/0xd0
+ [] genl_rcv+0x28/0x40
+ [] netlink_unicast+0x105/0x180
+ [] netlink_sendmsg+0x34f/0x7a0
+ [] ? kvm_clock_read+0x27/0x40
+ [] sock_sendmsg+0x8d/0xc0
+ [] ? might_fault+0xb9/0xc0
+ [] ? might_fault+0x5e/0xc0
+ [] ? verify_iovec+0x56/0xe0
+ [] ___sys_sendmsg+0x3d0/0x3e0
+ [] ? sched_clock_cpu+0x98/0xd0
+ [] ? __do_page_fault+0x254/0x580
+ [] ? up_read+0x1f/0x40
+ [] ? __do_page_fault+0x254/0x580
+ [] ? __fget_light+0x13d/0x160
+ [] __sys_sendmsg+0x42/0x80
+ [] SyS_sendmsg+0x12/0x20
+ [] system_call_fastpath+0x16/0x1b
+
+Fixes: ea73cbce4e1f ("nl80211: fix scheduled scan RSSI matchset attribute confusion")
+Signed-off-by: Luciano Coelho
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -5799,7 +5799,7 @@ static int nl80211_start_sched_scan(stru
+ }
+
+ /* there was no other matchset, so the RSSI one is alone */
+- if (i == 0)
++ if (i == 0 && n_match_sets)
+ request->match_sets[0].rssi_thold = default_match_rssi;
+
+ request->min_rssi_thold = INT_MAX;
diff --git a/queue-3.18/series b/queue-3.18/series
index 44f16491582..b8166b20f12 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
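Review bot: The new guard `if (i == 0 && n_match_sets)` correctly stops the write to `request->match_sets[0]` when userspace sent a NL80211_ATTR_SCHED_SCAN_MATCH attribute with no nested matchsets, but the comment above it, `/* there was no other matchset, so the RSSI one is alone */`, now covers only half of the condition and should state the other half, e.g. `/* no matchsets at all: there is nothing to attach the RSSI threshold to */`. The oops in the description was taken in `nl80211_parse_sched_scan` on 3.17.2, whereas this backport lands in `nl80211_start_sched_scan` according to the hunk header; if the 3.18 tree has a second path that fills `match_sets` from the same attribute (the description mentions the WoWLAN net-detect case), it needs the same check. The enclosing function begins and ends outside the hunk, and `n_match_sets` is computed outside it as well.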
@@ -54,3 +54,7 @@ cxl-add-timeout-to-process-element-commands.patch
 cxl-unmap-mmio-regions-when-detaching-a-context.patch
 xhci-check-if-slot-is-already-in-default-state-before-moving-it-there.patch
 xhci-add-broken-streams-quirk-for-fresco-logic-fl1000g-xhci-controllers.patch
+nl80211-check-matches-array-length-before-acessing-it.patch
+cfg80211-don-t-warn-about-two-consecutive-country-ie-hint.patch
+cfg80211-avoid-mem-leak-on-driver-hint-set.patch
+cfg80211-fix-160-mhz-channels-with-80-80-and-160-mhz-drivers.patch