From: Greg Kroah-Hartman Date: Thu, 20 Feb 2014 21:33:15 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.4.82~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe76ea26879f74811f36a2b381bc116e1abe7447;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: mac80211-fix-fragmentation-code-particularly-for-encryption.patch mac80211-move-roc-cookie-assignment-earlier.patch mac80211-release-the-channel-in-error-path-in-start_ap.patch
---
diff --git a/queue-3.10/mac80211-fix-fragmentation-code-particularly-for-encryption.patch b/queue-3.10/mac80211-fix-fragmentation-code-particularly-for-encryption.patch
new file mode 100644
index 00000000000..38cf1c34e6c
--- /dev/null
+++ b/queue-3.10/mac80211-fix-fragmentation-code-particularly-for-encryption.patch
@@ -0,0 +1,53 @@
+From 338f977f4eb441e69bb9a46eaa0ac715c931a67f Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Sat, 1 Feb 2014 00:16:23 +0100
+Subject: mac80211: fix fragmentation code, particularly for encryption
+
+From: Johannes Berg
+
+commit 338f977f4eb441e69bb9a46eaa0ac715c931a67f upstream.
+
+The "new" fragmentation code (since my rewrite almost 5 years ago)
+erroneously sets skb->len rather than using skb_trim() to adjust
+the length of the first fragment after copying out all the others.
+This leaves the skb tail pointer pointing to after where the data
+originally ended, and thus causes the encryption MIC to be written
+at that point, rather than where it belongs: immediately after the
+data.
+
+The impact of this is that if software encryption is done, then
+ a) encryption doesn't work for the first fragment, the connection
+ becomes unusable as the first fragment will never be properly
+ verified at the receiver, the MIC is practically guaranteed to
+ be wrong
+ b) we leak up to 8 bytes of plaintext (!) of the packet out into
+ the air
+
+This is only mitigated by the fact that many devices are capable
+of doing encryption in hardware, in which case this can't happen
+as the tail pointer is irrelevant in that case. Additionally,
+fragmentation is not used very frequently and would normally have
+to be configured manually.
+
+Fix this by using skb_trim() properly.
+
+Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
+Reported-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/tx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -854,7 +854,7 @@ static int ieee80211_fragment(struct iee
+ }
+ 
+ /* adjust first fragment's length */
+- skb->len = hdrlen + per_fragm;
++ skb_trim(skb, hdrlen + per_fragm);
+ return 0;
+ }
+ 
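Review bot: The comment above the changed line in ieee80211_fragment still reads `/* adjust first fragment's length */`, which does not say why `skb_trim()` is required instead of the plain length assignment it replaces; the reason — the tail pointer must move with the length so that the software-encryption MIC is appended immediately after the data rather than past it — lives only in the commit message. Suggest `/* adjust first fragment's length; skb_trim() also moves tail so the MIC lands right after the data */` so the next reader does not "simplify" it back. The body of ieee80211_fragment starts and ends outside this hunk, so the fragment-copy loop the message refers to is not visible here.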
diff --git a/queue-3.10/mac80211-move-roc-cookie-assignment-earlier.patch b/queue-3.10/mac80211-move-roc-cookie-assignment-earlier.patch
new file mode 100644
index 00000000000..6d8ff7f50bc
--- /dev/null
+++ b/queue-3.10/mac80211-move-roc-cookie-assignment-earlier.patch
@@ -0,0 +1,80 @@
+From 2f617435c3a6fe3f39efb9ae2baa77de2d6c97b8 Mon Sep 17 00:00:00 2001
+From: Eliad Peller
+Date: Sun, 12 Jan 2014 11:06:37 +0200
+Subject: mac80211: move roc cookie assignment earlier
+
+From: Eliad Peller
+
+commit 2f617435c3a6fe3f39efb9ae2baa77de2d6c97b8 upstream.
+
+ieee80211_start_roc_work() might add a new roc
+to existing roc, and tell cfg80211 it has already
+started.
+
+However, this might happen before the roc cookie
+was set, resulting in REMAIN_ON_CHANNEL (started)
+event with null cookie. Consequently, it can make
+wpa_supplicant go out of sync.
+
+Fix it by setting the roc cookie earlier.
+
+Signed-off-by: Eliad Peller
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/cfg.c | 36 ++++++++++++++++++------------------
+ 1 file changed, 18 insertions(+), 18 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2476,6 +2476,24 @@ static int ieee80211_start_roc_work(stru
+ INIT_DELAYED_WORK(&roc->work, ieee80211_sw_roc_work);
+ INIT_LIST_HEAD(&roc->dependents);
+ 
++ /*
++ * cookie is either the roc cookie (for normal roc)
++ * or the SKB (for mgmt TX)
++ */
++ if (!txskb) {
++ /* local->mtx protects this */
++ local->roc_cookie_counter++;
++ roc->cookie = local->roc_cookie_counter;
++ /* wow, you wrapped 64 bits ... more likely a bug */
++ if (WARN_ON(roc->cookie == 0)) {
++ roc->cookie = 1;
++ local->roc_cookie_counter++;
++ }
++ *cookie = roc->cookie;
++ } else {
++ *cookie = (unsigned long)txskb;
++ }
++
+ /* if there's one pending or we're scanning, queue this one */
+ if (!list_empty(&local->roc_list) ||
+ local->scanning || local->radar_detect_enabled)
+@@ -2610,24 +2628,6 @@ static int ieee80211_start_roc_work(stru
+ if (!queued)
+ list_add_tail(&roc->list, &local->roc_list);
+ 
+- /*
+- * cookie is either the roc cookie (for normal roc)
+- * or the SKB (for mgmt TX)
+- */
+- if (!txskb) {
+- /* local->mtx protects this */
+- local->roc_cookie_counter++;
+- roc->cookie = local->roc_cookie_counter;
+- /* wow, you wrapped 64 bits ... more likely a bug */
+- if (WARN_ON(roc->cookie == 0)) {
+- roc->cookie = 1;
+- local->roc_cookie_counter++;
+- }
+- *cookie = roc->cookie;
+- } else {
+- *cookie = (unsigned long)txskb;
+- }
+-
+ return 0;
+ }
+ 
diff --git a/queue-3.10/mac80211-release-the-channel-in-error-path-in-start_ap.patch b/queue-3.10/mac80211-release-the-channel-in-error-path-in-start_ap.patch
new file mode 100644
index 00000000000..ec6ca29f39f
--- /dev/null
+++ b/queue-3.10/mac80211-release-the-channel-in-error-path-in-start_ap.patch
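Review bot: With the cookie block moved to just after `INIT_LIST_HEAD(&roc->dependents);`, the caller's `*cookie` is now written before the rest of ieee80211_start_roc_work runs, whereas before it was the last thing done ahead of `return 0`; if the code between the two hunks (old lines 2498–2609, not visible here) has an error return that frees `roc`, the caller is now handed a cookie for an object that no longer exists. That is harmless only if every caller ignores `*cookie` on a non-zero return, which is worth confirming against the cfg80211 entry points in cfg.c, or else the error paths should clear `*cookie` before returning. The moved block is otherwise identical to the removed one, and the function starts and ends outside the hunk.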
@@ -0,0 +1,42 @@
+From 0297ea17bf7879fb5846fafd1be4c0471e72848d Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Mon, 27 Jan 2014 11:07:42 +0200
+Subject: mac80211: release the channel in error path in start_ap
+
+From: Emmanuel Grumbach
+
+commit 0297ea17bf7879fb5846fafd1be4c0471e72848d upstream.
+
+When the driver cannot start the AP or when the assignement
+of the beacon goes wrong, we need to unassign the vif.
+
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/cfg.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -975,8 +975,10 @@ static int ieee80211_start_ap(struct wip
+ IEEE80211_P2P_OPPPS_ENABLE_BIT;
+ 
+ err = ieee80211_assign_beacon(sdata, ¶ms->beacon);
+- if (err < 0)
++ if (err < 0) {
++ ieee80211_vif_release_channel(sdata);
+ return err;
++ }
+ changed |= err;
+ 
+ err = drv_start_ap(sdata->local, sdata);
+@@ -985,6 +987,7 @@ static int ieee80211_start_ap(struct wip
+ if (old)
+ kfree_rcu(old, rcu_head);
+ RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
++ ieee80211_vif_release_channel(sdata);
+ return err;
+ }
+ 
diff --git a/queue-3.10/series b/queue-3.10/series
index 05bf7a431ab..b65ab145a4e 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -6,3 +6,6 @@ mm-memory-failure.c-move-refcount-only-in-mf_count_increased.patch
 cifs-fix-smb2-mounts-so-they-don-t-try-to-set-or-get-xattrs-via-cifs.patch
 add-protocol-specific-operation-for-cifs-xattrs.patch
 retrieving-cifs-acls-when-mounted-with-smb2-fails-dropping-session.patch
+mac80211-move-roc-cookie-assignment-earlier.patch
+mac80211-release-the-channel-in-error-path-in-start_ap.patch
+mac80211-fix-fragmentation-code-particularly-for-encryption.patch
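Review bot: The context line `err = ieee80211_assign_beacon(sdata, ¶ms->beacon);` shows `¶` where net/mac80211/cfg.c has `&params->beacon`; this looks like `&para` being HTML-entity-decoded when the page was rendered, but if the queued file in queue-3.10 actually contains that character the hunk at `@@ -975,8 +975,10 @@` will not apply and the whole stable series will stop there. Verify the stored patch has the literal ampersand (`err = ieee80211_assign_beacon(sdata, &params->beacon);`). ieee80211_start_ap starts and ends outside the hunk, so whether any other early return between the channel assignment and these two paths also needs the release cannot be judged from here.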