From: Greg Kroah-Hartman Date: Tue, 11 Dec 2018 14:15:49 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.19.9~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c8070cedf47b7bd2d3afd9a2109b9bd8f5d13acc;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: cifs-fix-separator-when-building-path-from-dentry.patch kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch mac80211-clear-beacon_int-in-ieee80211_do_stop.patch mac80211-fix-reordering-of-buffered-broadcast-packets.patch mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch tty-serial-8250_mtk-always-resume-the-device-in-probe.patch --- diff --git a/queue-4.4/cifs-fix-separator-when-building-path-from-dentry.patch b/queue-4.4/cifs-fix-separator-when-building-path-from-dentry.patch new file mode 100644 index 00000000000..937bff70a85 --- /dev/null +++ b/queue-4.4/cifs-fix-separator-when-building-path-from-dentry.patch 
@@ -0,0 +1,34 @@ +From c988de29ca161823db6a7125e803d597ef75b49c Mon Sep 17 00:00:00 2001 +From: Paulo Alcantara +Date: Thu, 15 Nov 2018 15:20:52 +0100 +Subject: cifs: Fix separator when building path from dentry + +From: Paulo Alcantara + +commit c988de29ca161823db6a7125e803d597ef75b49c upstream. + +Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for +prefixpath too. Fixes a bug with smb1 UNIX extensions. + +Fixes: a6b5058fafdf ("fs/cifs: make share unaccessible at root level mountable") +Signed-off-by: Paulo Alcantara +Reviewed-by: Aurelien Aptel +Signed-off-by: Steve French +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/dir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -163,7 +163,7 @@ cifs_bp_rename_retry: + + cifs_dbg(FYI, "using cifs_sb prepath <%s>\n", cifs_sb->prepath); + memcpy(full_path+dfsplen+1, cifs_sb->prepath, pplen-1); +- full_path[dfsplen] = '\\'; ++ full_path[dfsplen] = dirsep; + for (i = 0; i < pplen-1; i++) + if (full_path[dfsplen+1+i] == '/') + full_path[dfsplen+1+i] = CIFS_DIR_SEP(cifs_sb); diff --git a/queue-4.4/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch b/queue-4.4/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch new file mode 100644 index 00000000000..50e3199f47c --- /dev/null +++ b/queue-4.4/kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch 
@@ -0,0 +1,82 @@ +From dada6a43b0402eba438a17ac86fdc64ac56a4607 Mon Sep 17 00:00:00 2001 +From: Macpaul Lin +Date: Wed, 17 Oct 2018 23:08:38 +0800 +Subject: kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() + +From: Macpaul Lin + +commit dada6a43b0402eba438a17ac86fdc64ac56a4607 upstream. + +This patch is trying to fix KE issue due to +"BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198" +reported by Syzkaller scan." + +[26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198 +[26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364 +[26364:syz-executor0][name:report&] +[26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0 +[26364:syz-executor0]Call trace: +[26364:syz-executor0][] dump_bacIctrace+Ox0/0x470 +[26364:syz-executor0][] show_stack+0x20/0x30 +[26364:syz-executor0][] dump_stack+Oxd8/0x128 +[26364:syz-executor0][] print_address_description +0x80/0x4a8 +[26364:syz-executor0][] kasan_report+Ox178/0x390 +[26364:syz-executor0][] _asan_report_loadi_noabort+Ox18/0x20 +[26364:syz-executor0][] param_set_kgdboc_var+Ox194/0x198 +[26364:syz-executor0][] param_attr_store+Ox14c/0x270 +[26364:syz-executor0][] module_attr_store+0x60/0x90 +[26364:syz-executor0][] sysfs_kl_write+Ox100/0x158 +[26364:syz-executor0][] kernfs_fop_write+0x27c/0x3a8 +[26364:syz-executor0][] do_loop_readv_writev+0x114/0x1b0 +[26364:syz-executor0][] do_readv_writev+0x4f8/0x5e0 +[26364:syz-executor0][] vfs_writev+0x7c/Oxb8 +[26364:syz-executor0][] SyS_writev+Oxcc/0x208 +[26364:syz-executor0][] elO_svc_naked +0x24/0x28 +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:report&]The buggy address belongs to the variable: +[26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40 +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:report&]Memory state around the buggy address: +[26364:syz-executor0] ffffff900e44f800: 00 00 00 
00 00 04 fa fa fa fa fa fa 00 fa fa fa +[26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa +[26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 +[26364:syz-executor0][name:report&] ^ +[26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa +[26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa +[26364:syz-executor0][name:report&] +[26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint +[26364:syz-executor0]------------[cut here]------------ + +After checking the source code, we've found there might be an out-of-bounds +access to "config[len - 1]" array when the variable "len" is zero. + +Signed-off-by: Macpaul Lin +Acked-by: Daniel Thompson +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/kgdboc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/kgdboc.c ++++ b/drivers/tty/serial/kgdboc.c +@@ -232,7 +232,7 @@ static void kgdboc_put_char(u8 chr) + + static int param_set_kgdboc_var(const char *kmessage, struct kernel_param *kp) + { +- int len = strlen(kmessage); ++ size_t len = strlen(kmessage); + + if (len >= MAX_CONFIG_LEN) { + printk(KERN_ERR "kgdboc: config string too long\n"); +@@ -254,7 +254,7 @@ static int param_set_kgdboc_var(const ch + + strcpy(config, kmessage); + /* Chop out \n char as a result of echo */ +- if (config[len - 1] == '\n') ++ if (len && config[len - 1] == '\n') + config[len - 1] = '\0'; + + if (configured == 1) diff --git a/queue-4.4/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch b/queue-4.4/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch new file mode 100644 index 00000000000..51bad2a1f20 --- /dev/null +++ b/queue-4.4/mac80211-clear-beacon_int-in-ieee80211_do_stop.patch 
@@ -0,0 +1,43 @@ +From 5c21e8100dfd57c806e833ae905e26efbb87840f Mon Sep 17 00:00:00 2001 +From: Ben Greear +Date: Tue, 23 Oct 2018 13:36:52 -0700 +Subject: mac80211: Clear beacon_int in ieee80211_do_stop + +From: Ben Greear + +commit 5c21e8100dfd57c806e833ae905e26efbb87840f upstream. + +This fixes stale beacon-int values that would keep a netdev +from going up. + +To reproduce: + +Create two VAP on one radio. +vap1 has beacon-int 100, start it. +vap2 has beacon-int 240, start it (and it will fail + because beacon-int mismatch). +reconfigure vap2 to have beacon-int 100 and start it. + It will fail because the stale beacon-int 240 will be used + in the ifup path and hostapd never gets a chance to set the + new beacon interval. + +Cc: stable@vger.kernel.org +Signed-off-by: Ben Greear +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/iface.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -987,6 +987,8 @@ static void ieee80211_do_stop(struct iee + if (local->open_count == 0) + ieee80211_clear_tx_pending(local); + ++ sdata->vif.bss_conf.beacon_int = 0; ++ + /* + * If the interface goes down while suspended, presumably because + * the device was unplugged and that happens before our resume, diff --git a/queue-4.4/mac80211-fix-reordering-of-buffered-broadcast-packets.patch b/queue-4.4/mac80211-fix-reordering-of-buffered-broadcast-packets.patch new file mode 100644 index 00000000000..21b83877434 --- /dev/null +++ b/queue-4.4/mac80211-fix-reordering-of-buffered-broadcast-packets.patch 
@@ -0,0 +1,38 @@ +From 9ec1190d065998650fd9260dea8cf3e1f56c0e8c Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 28 Nov 2018 22:39:16 +0100 +Subject: mac80211: fix reordering of buffered broadcast packets + +From: Felix Fietkau + +commit 9ec1190d065998650fd9260dea8cf3e1f56c0e8c upstream. + +If the buffered broadcast queue contains packets, letting new packets bypass +that queue can lead to heavy reordering, since the driver is probably throttling +transmission of buffered multicast packets after beacons. + +Keep buffering packets until the buffer has been cleared (and no client +is in powersave mode). + +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -431,8 +431,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i + if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL)) + info->hw_queue = tx->sdata->vif.cab_queue; + +- /* no stations in PS mode */ +- if (!atomic_read(&ps->num_sta_ps)) ++ /* no stations in PS mode and no buffered packets */ ++ if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf)) + return TX_CONTINUE; + + info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM; diff --git a/queue-4.4/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch b/queue-4.4/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch new file mode 100644 index 00000000000..c9102117af9 --- /dev/null +++ b/queue-4.4/mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch 
@@ -0,0 +1,44 @@ +From 990d71846a0b7281bd933c34d734e6afc7408e7e Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Mon, 3 Dec 2018 21:16:07 +0200 +Subject: mac80211: ignore NullFunc frames in the duplicate detection + +From: Emmanuel Grumbach + +commit 990d71846a0b7281bd933c34d734e6afc7408e7e upstream. + +NullFunc packets should never be duplicate just like +QoS-NullFunc packets. + +We saw a client that enters / exits power save with +NullFunc frames (and not with QoS-NullFunc) despite the +fact that the association supports HT. +This specific client also re-uses a non-zero sequence number +for different NullFunc frames. +At some point, the client had to send a retransmission of +the NullFunc frame and we dropped it, leading to a +misalignment in the power save state. +Fix this by never consider a NullFunc frame as duplicate, +just like we do for QoS NullFunc frames. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449 + +CC: +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -1109,6 +1109,7 @@ ieee80211_rx_h_check_dup(struct ieee8021 + return RX_CONTINUE; + + if (ieee80211_is_ctl(hdr->frame_control) || ++ ieee80211_is_nullfunc(hdr->frame_control) || + ieee80211_is_qos_nullfunc(hdr->frame_control) || + is_multicast_ether_addr(hdr->addr1)) + return RX_CONTINUE; diff --git a/queue-4.4/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch b/queue-4.4/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch new file mode 100644 index 00000000000..08cda6924ef --- /dev/null +++ b/queue-4.4/mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch 
@@ -0,0 +1,35 @@ +From a317e65face482371de30246b6494feb093ff7f9 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 13 Nov 2018 20:32:13 +0100 +Subject: mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext + +From: Felix Fietkau + +commit a317e65face482371de30246b6494feb093ff7f9 upstream. + +Make it behave like regular ieee80211_tx_status calls, except for the lack of +filtered frame processing. +This fixes spurious low-ack triggered disconnections with powersave clients +connected to an AP. + +Fixes: f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/status.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/mac80211/status.c ++++ b/net/mac80211/status.c +@@ -648,6 +648,8 @@ void ieee80211_tx_status_noskb(struct ie + /* Track when last TDLS packet was ACKed */ + if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH)) + sta->status_stats.last_tdls_pkt_time = jiffies; ++ } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) { ++ return; + } else { + ieee80211_lost_packet(sta, info); + } diff --git a/queue-4.4/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch b/queue-4.4/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch new file mode 100644 index 00000000000..f8be51acb8d --- /dev/null +++ b/queue-4.4/mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch 
@@ -0,0 +1,54 @@ +From a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 Mon Sep 17 00:00:00 2001 +From: Vasyl Vavrychuk +Date: Thu, 18 Oct 2018 01:02:12 +0300 +Subject: mac80211_hwsim: Timer should be initialized before device registered + +From: Vasyl Vavrychuk + +commit a1881c9b8a1edef0a5ae1d5c1b61406fe3402114 upstream. + +Otherwise if network manager starts configuring Wi-Fi interface +immidiatelly after getting notification of its creation, we will get +NULL pointer dereference: + + BUG: unable to handle kernel NULL pointer dereference at (null) + IP: [] hrtimer_active+0x28/0x50 + ... + Call Trace: + [] ? hrtimer_try_to_cancel+0x27/0x110 + [] ? hrtimer_cancel+0x15/0x20 + [] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim] + +Cc: stable@vger.kernel.org +Signed-off-by: Vasyl Vavrychuk +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mac80211_hwsim.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mac80211_hwsim.c ++++ b/drivers/net/wireless/mac80211_hwsim.c +@@ -2515,6 +2515,10 @@ static int mac80211_hwsim_new_radio(stru + if (param->no_vif) + ieee80211_hw_set(hw, NO_AUTO_VIF); + ++ tasklet_hrtimer_init(&data->beacon_timer, ++ mac80211_hwsim_beacon, ++ CLOCK_MONOTONIC, HRTIMER_MODE_ABS); ++ + err = ieee80211_register_hw(hw); + if (err < 0) { + printk(KERN_DEBUG "mac80211_hwsim: ieee80211_register_hw failed (%d)\n", +@@ -2539,10 +2543,6 @@ static int mac80211_hwsim_new_radio(stru + data->debugfs, + data, &hwsim_simulate_radar); + +- tasklet_hrtimer_init(&data->beacon_timer, +- mac80211_hwsim_beacon, +- CLOCK_MONOTONIC, HRTIMER_MODE_ABS); +- + spin_lock_bh(&hwsim_radio_lock); + list_add_tail(&data->list, &hwsim_radios); + spin_unlock_bh(&hwsim_radio_lock); diff --git a/queue-4.4/series b/queue-4.4/series index 4964c3964aa..911d9ae4a6e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
@@ -81,3 +81,11 @@ sunrpc-fix-leak-of-krb5p-encode-pages.patch dmaengine-cppi41-delete-channel-from-pending-list-when-stop-channel.patch xhci-prevent-u1-u2-link-pm-states-if-exit-latency-is-too-long.patch staging-lustre-remove-two-build-warnings.patch +cifs-fix-separator-when-building-path-from-dentry.patch +tty-serial-8250_mtk-always-resume-the-device-in-probe.patch +kgdboc-fix-kasan-global-out-of-bounds-bug-in-param_set_kgdboc_var.patch +mac80211_hwsim-timer-should-be-initialized-before-device-registered.patch +mac80211-clear-beacon_int-in-ieee80211_do_stop.patch +mac80211-ignore-tx-status-for-ps-stations-in-ieee80211_tx_status_ext.patch +mac80211-fix-reordering-of-buffered-broadcast-packets.patch +mac80211-ignore-nullfunc-frames-in-the-duplicate-detection.patch diff --git a/queue-4.4/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch b/queue-4.4/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch new file mode 100644 index 00000000000..a1f8f79f455 --- /dev/null +++ b/queue-4.4/tty-serial-8250_mtk-always-resume-the-device-in-probe.patch 
@@ -0,0 +1,69 @@ +From 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 Mon Sep 17 00:00:00 2001 +From: Peter Shih +Date: Tue, 27 Nov 2018 12:49:50 +0800 +Subject: tty: serial: 8250_mtk: always resume the device in probe. + +From: Peter Shih + +commit 100bc3e2bebf95506da57cbdf5f26b25f6da4c81 upstream. + +serial8250_register_8250_port calls uart_config_port, which calls +config_port on the port before it tries to power on the port. So we need +the port to be on before calling serial8250_register_8250_port. Change +the code to always do a runtime resume in probe before registering port, +and always do a runtime suspend in remove. + +This basically reverts the change in commit 68e5fc4a255a ("tty: serial: +8250_mtk: use pm_runtime callbacks for enabling"), but still use +pm_runtime callbacks. + +Fixes: 68e5fc4a255a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling") +Signed-off-by: Peter Shih +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_mtk.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/tty/serial/8250/8250_mtk.c ++++ b/drivers/tty/serial/8250/8250_mtk.c +@@ -231,17 +231,17 @@ static int mtk8250_probe(struct platform + + platform_set_drvdata(pdev, data); + +- pm_runtime_enable(&pdev->dev); +- if (!pm_runtime_enabled(&pdev->dev)) { +- err = mtk8250_runtime_resume(&pdev->dev); +- if (err) +- return err; +- } ++ err = mtk8250_runtime_resume(&pdev->dev); ++ if (err) ++ return err; + + data->line = serial8250_register_8250_port(&uart); + if (data->line < 0) + return data->line; + ++ pm_runtime_set_active(&pdev->dev); ++ pm_runtime_enable(&pdev->dev); ++ + return 0; + } + +@@ -252,13 +252,11 @@ static int mtk8250_remove(struct platfor + pm_runtime_get_sync(&pdev->dev); + + serial8250_unregister_port(data->line); ++ mtk8250_runtime_suspend(&pdev->dev); + + pm_runtime_disable(&pdev->dev); + pm_runtime_put_noidle(&pdev->dev); + +- if (!pm_runtime_status_suspended(&pdev->dev)) +- 
mtk8250_runtime_suspend(&pdev->dev); +- + return 0; + } +
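Review bot: In the fs/cifs/dir.c hunk, the replaced assignment `full_path[dfsplen] = dirsep;` sits two lines above a loop that still writes `CIFS_DIR_SEP(cifs_sb)` for the same purpose; unless `dirsep` is something other than `CIFS_DIR_SEP(cifs_sb)` (its definition is outside the visible context), use one spelling in both places so a reader does not have to check whether the two can diverge. Since the 4.4 hunk relies on `dirsep` already existing at this point in the function, the backport note should say which earlier commit introduced it, or the build will fail silently on trees that lack it.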
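Review bot: In drivers/tty/serial/kgdboc.c the two hunks only make sense together and must not be split on backport: changing `int len` to `size_t len` in the first hunk turns the `len - 1` of an empty string from -1 (a negative index, already out of bounds) into SIZE_MAX, so the guard added in the second hunk, `if (len && config[len - 1] == '\n')`, is what actually prevents the global-out-of-bounds read. With the guard in place an empty `kmessage` leaves `config` as "" and falls through to the `configured == 1` handling, which is the intended way to clear the configuration; a one-line comment above the guard stating that `len == 0` is a valid input would save the next reader the same trip through the KASAN report.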
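Review bot: In the net/mac80211/iface.c hunk, the added `sdata->vif.bss_conf.beacon_int = 0;` is unconditional and runs for every interface type on every stop, unlike the surrounding `if (local->open_count == 0)` block; that is the right scope for a per-vif value, but the placement invites a reader to assume it belongs to the open_count condition. Add a short comment explaining that a stale beacon interval from a failed or previous start would otherwise be compared against the other VAPs on the next ifup before hostapd can set the new one, which is the failure the commit message describes.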
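Review bot: In the net/mac80211/tx.c hunk, `skb_queue_empty(&ps->bc_buf)` is evaluated without holding the queue lock, so a concurrent drain of `bc_buf` can race with this check; the worst outcome is one extra frame taking the buffered path (it is queued behind the DTIM and delivered in order), never a bypass, so the lockless read is safe, but the updated comment should say so, since "no buffered packets" reads as a strict invariant. Also note the behavioural change for drivers that never set PS: once anything has been buffered, multicast stays on the CAB queue until it drains, which is the point of the fix but worth a sentence in the log for AP-mode users tuning latency.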
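Review bot: In the net/mac80211/rx.c hunk, adding `ieee80211_is_nullfunc(hdr->frame_control) ||` to the early-return condition means a retransmitted NullFunc (Retry bit set, same sequence number) is now delivered to the power-save handling twice instead of being dropped; that is only correct because applying the same PM bit twice is idempotent, and the comment above this condition should record that reasoning alongside the existing QoS-NullFunc case so nobody later "fixes" it back. The two helpers are not redundant: `ieee80211_is_nullfunc` matches the non-QoS subtype only, so both tests are needed.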
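Review bot: The net/mac80211/status.c hunk patches `ieee80211_tx_status_noskb`, while the subject line and the queue file name say `ieee80211_tx_status_ext`; the 4.4 backport should state that the function was renamed upstream so the mismatch is not mistaken for a misapplied patch. Functionally, the added `} else if (test_sta_flag(sta, WLAN_STA_PS_STA)) { return; }` leaves the function early rather than just skipping `ieee80211_lost_packet`, so anything after this if/else chain (not visible in the hunk context) is also skipped for PS stations; the commit message says "except for the lack of filtered frame processing", so either confirm that nothing else follows or narrow the branch to an empty body with a comment.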
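Review bot: In the drivers/net/wireless/mac80211_hwsim.c hunks, moving `tasklet_hrtimer_init(&data->beacon_timer, ...)` ahead of `ieee80211_register_hw(hw)` is the right fix for the race in the log, and because init only sets up the timer without arming it, the `err < 0` failure path that follows needs no matching cancel; a comment on the new location ("must be initialised before the device is visible to userspace") would stop a future cleanup from moving it back next to the debugfs setup where it used to live.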
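Review bot: In the first drivers/tty/serial/8250/8250_mtk.c hunk (probe), the error path after the unconditional `err = mtk8250_runtime_resume(&pdev->dev);` is incomplete: if `serial8250_register_8250_port(&uart)` fails, `return data->line;` leaves the clocks enabled by the resume, and since `pm_runtime_set_active`/`pm_runtime_enable` have not run yet, nothing will ever suspend them. Call `mtk8250_runtime_suspend(&pdev->dev)` before returning `data->line` on that path.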
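Review bot: In the second drivers/tty/serial/8250/8250_mtk.c hunk (remove), the added `mtk8250_runtime_suspend(&pdev->dev);` discards its return value (the callback returns an int, as the probe hunk shows for the resume side), and the runtime PM status is left as active after the manual suspend; since the old code only suspended when `!pm_runtime_status_suspended()`, the new unconditional call should be paired with `pm_runtime_set_suspended()` or at least a comment that the status is deliberately left stale because `pm_runtime_disable` follows immediately.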