From: Greg Kroah-Hartman Date: Tue, 11 Dec 2018 14:14:29 +0000 (+0100) Subject: 3.18-stable patches X-Git-Tag: v4.19.9~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bfd0f2ed55c581e596cb3aeddcdf09b437a6bf02;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch mac80211-clear-beacon_int-in-ieee80211_do_stop.patch mac80211-fix-reordering-of-buffered-broadcast-packets.patch --- diff --git a/queue-3.18/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch b/queue-3.18/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch new file mode 100644 index 00000000000..50e3199f47c --- /dev/null +++ b/queue-3.18/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch 
@@ -0,0 +1,82 @@ +From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001 +From: Macpaul Lin +Date: Wed, 17 Oct 2018 23:08:38 +0800 +Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() + +From: Macpaul Lin + +commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream. + +This patch is trying to fix KE issue due to +"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198" +reported by Syzkaller scan." + +[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198 +[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364 +[26364:syz-executor0][name:report&] +[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0 +[26364:syz-executor0]Call trace: +[26364:syz-executor0][] dump_bacIctrace+Ox0/0x470 +[26364:syz-executor0][] show_stack+0x20/0x30 +[26364:syz-executor0][] dump_stack+Oxd8/0x128 +[26364:syz-executor0][] print_address_description +0x80/0x4a8 +[26364:syz-executor0][] kasan_report+Ox178/0x390 +[26364:syz-executor0][] _asan_report_loadi_noabort+Ox18/0x20 +[26364:syz-executor0][] param_set_kgdboc_var+Ox194/0x198 +[26364:syz-executor0][] param_attr_store+Ox14c/0x270 +[26364:syz-executor0][] module_attr_store+0x60/0x90 +[26364:syz-executor0][] sysfs_kl_write+Ox100/0x158 +[26364:syz-executor0][] kernfs_fop_write+0x27c/0x3a8 +[26364:syz-executor0][] do_loop_readv_writev+0x114/0x1b0 +[26364:syz-executor0][] do_readv_writev+0x4f8/0x5e0 +[26364:syz-executor0][] vfs_writev+0x7c/Oxb8 +[26364:syz-executor0][] SyS_writev+Oxcc/0x208 +[26364:syz-executor0][] elO_svc_naked +0x24/0x28 +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:report&]The buggy address belongs to the variable: +[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40 +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:report&]Memory state around the buggy address: +[26364:syz-executor0] ffffff900e44f800: 00 00 00 
00 00 04 fa fa fa fa fa fa 00 fa fa fa +[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa +[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 +[26364:syz-executor0][name:report&] ^ +[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa +[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint +[26364:syz-executor0]------------[cut here]------------ + +After checking the source code, we've found there might be an out-of-bounds +access to "config[len - 1]" array when the variable "len" is zero. + +Signed-off-by: Macpaul Lin +Acked-by: Daniel Thompson +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/kgdboc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -232,7 +232,7 @@ static void kgdboc_put_char(u8 chr) + + static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp) + { +- int len = strlen(kmessage); ++ size_t len = strlen(kmessage); + + if (len >= MAX_CONFIG_LEN) { + printk(KERN_ERR "kgdboc: config string too long\n"); +@@ -254,7 +254,7 @@ static int param_set_kgdboc_var(const ch + + strcpy(config, kmessage); + /* Chop out \n char as a result of echo */ +- if (config[len - 1] == '\n') ++ if (len && config[len - 1] == '\n') + config[len - 1] = '\0'; + + if (configured == 1) diff --git a/queue-3.18/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch b/queue-3.18/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch new file mode 100644 index 00000000000..58bd7ea47ef --- /dev/null +++ b/queue-3.18/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch 
@@ -0,0 +1,43 @@ +From 5c21e8100dfd57c806e833ae905e26efbb87840f Mon Sep 17 00:00:00 2001 +From: Ben Greear +Date: Tue, 23 Oct 2018 13:36:52 -0700 +Subject: mac80211: Clear beacon_int in ieee80211_do_stop + +From: Ben Greear + +commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream. + +This fixes stale beacon-int values that would keep a netdev +from going up. + +To reproduce: + +Create two VAP on one radio. +vap1 has beacon-int 100, start it. +vap2 has beacon-int 240, start it (and it will fail + because beacon-int mismatch). +reconfigure vap2 to have beacon-int 100 and start it. + It will fail because the stale beacon-int 240 will be used + in the ifup path and hostapd never gets a chance to set the + new beacon interval. + +Cc: stable@vger.kernel.org +Signed-off-by: Ben Greear +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/iface.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -958,6 +958,8 @@ static void ieee80211_do_stop(struct iee + if (local->open_count == 0) + ieee80211_clear_tx_pending(local); + ++ sdata->vif.bss_conf.beacon_int = 0; ++ + /* + * If the interface goes down while suspended, presumably because + * the device was unplugged and that happens before our resume, diff --git a/queue-3.18/mac80211-fix-reordering-of-buffered-broadcast-packets.patch b/queue-3.18/mac80211-fix-reordering-of-buffered-broadcast-packets.patch new file mode 100644 index 00000000000..7a0319843d8 --- /dev/null +++ b/queue-3.18/mac80211-fix-reordering-of-buffered-broadcast-packets.patch 
@@ -0,0 +1,38 @@ +From 9ec1190d065998650fd9260dea8cf3e1f56c0e8c Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 28 Nov 2018 22:39:16 +0100 +Subject: mac80211: fix reordering of buffered broadcast packets + +From: Felix Fietkau + +commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream. + +If the buffered broadcast queue contains packets, letting new packets bypass +that queue can lead to heavy reordering, since the driver is probably throttling +transmission of buffered multicast packets after beacons. + +Keep buffering packets until the buffer has been cleared (and no client +is in powersave mode). + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -419,8 +419,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i + if (tx->local->hw.flags & IEEE80211_HW_QUEUE_CONTROL) + info->hw_queue = tx->sdata->vif.cab_queue; + +- /* no stations in PS mode */ +- if (!atomic_read(&ps->num_sta_ps)) ++ /* no stations in PS mode and no buffered packets */ ++ if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf)) + return TX_CONTINUE; + + info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM; diff --git a/queue-3.18/series b/queue-3.18/series index 9cf6079c21d..70082ee54d1 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -49,3 +49,6 @@ dmaengine-cppi41-delete-channel-from-pending-list-when-stop-channel.patch xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch usb-serial-option-add-device-id-for-hp-lt2523-novate.patch staging-lustre-remove-two-build-warnings.patch +kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch +mac80211-clear-beacon_int-in-ieee80211_do_stop.patch +mac80211-fix-reordering-of-buffered-broadcast-packets.patch
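Review bot: the description of the kgdboc patch carries a duplicated `Signed-off-by: Greg Kroah-Hartman` line and an unbalanced closing quote after `reported by Syzkaller scan.`; both should be cleaned up in the queued copy before it ships in the stable release. The text also says "there might be an out-of-bounds access", while the KASAN report above it already pins the access down: a 1-byte read one byte below `config`, attributed to the redzone of `kgdb_tty_line` (`kgdb_tty_line+0x3f/0x40`, the `fa` byte under the `^` marker), which is exactly `config[len - 1]` with `len == 0`. Stating that plainly would make the changelog more useful to anyone triaging the same report.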
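Review bot: the `int len` to `size_t len` change in the first `kgdboc.c` hunk does not remove the bug on its own: with `len == 0`, `len - 1` goes from `-1` to `SIZE_MAX`, so `config[len - 1]` merely moves from one byte below the array to an address far above it. It only becomes safe together with the `len &&` guard in the second hunk, so the two hunks must not be split when this is backported further. The type change is still worth keeping, since `strlen()` returns `size_t` and the `len >= MAX_CONFIG_LEN` comparison is then between unsigned operands rather than a signed/unsigned mix.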
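Review bot: the `len && config[len - 1] == '\n'` guard in the second `kgdboc.c` hunk is the actual fix and is correct, but the changelog understates the impact: an empty configuration string arriving through the sysfs parameter store path shown in the trace (`param_attr_store` into `param_set_kgdboc_var`) previously read `config[-1]`, and if that byte happened to equal `'\n'` the following `config[len - 1] = '\0';` would also have written a NUL outside the array. Worth recording that the reachable write makes this more than a benign read. A small follow-up: the `strcpy(config, kmessage)` just above relies on the earlier `len >= MAX_CONFIG_LEN` rejection for its bound; a one-line comment tying the two together would save the next reader the same trip through the function.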
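Review bot: the new `sdata->vif.bss_conf.beacon_int = 0;` in `ieee80211_do_stop()` has no comment, and the reason for it (a stale interval left behind by a failed start being reused on the next ifup, as the reproduction steps in the description show) is not obvious from the surrounding code. Suggest a short comment such as `/* reset so a stale value cannot block a later start with a different beacon interval */`. Its placement after the `if (local->open_count == 0)` statement rather than inside it is right: the reset has to run for every interface stop, not only when the last interface on the radio goes down.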
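Review bot: the added `skb_queue_empty(&ps->bc_buf)` in `ieee80211_tx_h_multicast_ps_buf()` is evaluated without holding the queue lock. That is acceptable here because a stale answer only errs on the conservative side (one more frame is routed through the buffered path), but a comment stating that the check is intentionally lockless would stop a later reader from "fixing" it with a lock in the transmit path. The hunk only tightens the gate into the buffered path; please confirm in the changelog that whatever drains `ps->bc_buf` also runs when `num_sta_ps` is already zero, since otherwise multicast on an AP with no powersaving clients could stall behind a queue that nothing empties.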