From 385d5248b69a4cdb811d1517aed80a1628e55847 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 6 Jun 2022 13:46:44 +0200 Subject: [PATCH] 4.9-stable patches added patches: iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch wifi-mac80211-fix-use-after-free-in-chanctx-code.patch --- ...se-timeout-waiting-for-ga-log-enable.patch | 7 +-- ...fi-mvm-fix-assert-1f04-upon-reconfig.patch | 36 ++++++++++++++ queue-4.9/series | 2 + ...1-fix-use-after-free-in-chanctx-code.patch | 48 +++++++++++++++++++ 4 files changed, 87 insertions(+), 6 deletions(-) create mode 100644 queue-4.9/iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch create mode 100644 queue-4.9/wifi-mac80211-fix-use-after-free-in-chanctx-code.patch diff --git a/queue-4.9/iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch b/queue-4.9/iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch index 6272085c5cd..017620c27b3 100644 --- a/queue-4.9/iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch +++ b/queue-4.9/iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch @@ -33,11 +33,9 @@ Signed-off-by: Joerg Roedel Link: https://lore.kernel.org/r/20220520102214.12563-1-joro@8bytes.org Signed-off-by: Sasha Levin --- - drivers/iommu/amd_iommu_init.c | 2 +- + drivers/iommu/amd_iommu_init.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c -index 45c809f3d24f..03bf538eabda 100644 --- a/drivers/iommu/amd_iommu_init.c +++ b/drivers/iommu/amd_iommu_init.c @@ -86,7 +86,7 @@ @@ -49,6 +47,3 @@ index 45c809f3d24f..03bf538eabda 100644 /* * ACPI table definitions * --- -2.35.1 - diff --git a/queue-4.9/iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch b/queue-4.9/iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch new file mode 100644 index 00000000000..89a8a7b6471 --- /dev/null +++ b/queue-4.9/iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch 
@@ -0,0 +1,36 @@
+From 9d096e3d3061dbf4ee10e2b59fc2c06e05bdb997 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Tue, 17 May 2022 12:05:09 +0300
+Subject: iwlwifi: mvm: fix assert 1F04 upon reconfig
+
+From: Emmanuel Grumbach
+
+commit 9d096e3d3061dbf4ee10e2b59fc2c06e05bdb997 upstream.
+
+When we reconfig we must not send the MAC_POWER command that relates to
+a MAC that was not yet added to the firmware.
+
+Ignore those in the iterator.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20220517120044.ed2ffc8ce732.If786e19512d0da4334a6382ea6148703422c7d7b@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/power.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/power.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/power.c
+@@ -612,6 +612,9 @@ static void iwl_mvm_power_get_vifs_itera
+ struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
+ struct iwl_power_vifs *power_iterator = _data;
+
++ if (!mvmvif->uploaded)
++ return;
++
+ switch (ieee80211_vif_type_p2p(vif)) {
+ case NL80211_IFTYPE_P2P_DEVICE:
+ break;
diff --git a/queue-4.9/series b/queue-4.9/series
index 394f52368c0..8cd362258df 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -73,3 +73,5 @@ tty-fix-deadlock-caused-by-calling-printk-under-tty_.patch
 input-sparcspkr-fix-refcount-leak-in-bbc_beep_probe.patch
 video-fbdev-clcdfb-fix-refcount-leak-in-clcdfb_of_vr.patch
 iommu-amd-increase-timeout-waiting-for-ga-log-enable.patch
+wifi-mac80211-fix-use-after-free-in-chanctx-code.patch
+iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch
diff --git a/queue-4.9/wifi-mac80211-fix-use-after-free-in-chanctx-code.patch b/queue-4.9/wifi-mac80211-fix-use-after-free-in-chanctx-code.patch
new file mode 100644
index 00000000000..d72efe34c99
--- /dev/null
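Review bot: The early return added to `iwl_mvm_power_get_vifs_iterator` by the iwlwifi patch (`if (!mvmvif->uploaded) return;`) has no comment, so the reason for skipping the vif lives only in the commit message. I would add `/* skip MACs not yet added to the firmware (e.g. during reconfig); no MAC_POWER command may be sent for them */` directly above the check. The iterator's body starts and ends outside the hunk, so it cannot be confirmed from here that nothing later in the 4.9 power code expects the per-type pointers to be filled for a not-yet-uploaded vif; that is worth checking against the backport target.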
+++ b/queue-4.9/wifi-mac80211-fix-use-after-free-in-chanctx-code.patch
@@ -0,0 +1,48 @@
+From 2965c4cdf7ad9ce0796fac5e57debb9519ea721e Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 1 Jun 2022 09:19:36 +0200
+Subject: wifi: mac80211: fix use-after-free in chanctx code
+
+From: Johannes Berg
+
+commit 2965c4cdf7ad9ce0796fac5e57debb9519ea721e upstream.
+
+In ieee80211_vif_use_reserved_context(), when we have an
+old context and the new context's replace_state is set to
+IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
+in ieee80211_vif_use_reserved_reassign(). Therefore, we
+cannot check the old_ctx anymore, so we should set it to
+NULL after this point.
+
+However, since the new_ctx replace state is clearly not
+IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
+anything else in this function and can just return to
+avoid accessing the freed old_ctx.
+
+Cc: stable@vger.kernel.org
+Fixes: 5bcae31d9cb1 ("mac80211: implement multi-vif in-place reservations")
+Signed-off-by: Johannes Berg
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/chan.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -1640,12 +1640,9 @@ int ieee80211_vif_use_reserved_context(s
+
+ if (new_ctx->replace_state == IEEE80211_CHANCTX_REPLACE_NONE) {
+ if (old_ctx)
+- err = ieee80211_vif_use_reserved_reassign(sdata);
+- else
+- err = ieee80211_vif_use_reserved_assign(sdata);
++ return ieee80211_vif_use_reserved_reassign(sdata);
+
+- if (err)
+- return err;
++ return ieee80211_vif_use_reserved_assign(sdata);
+ }
+
+ /*
-- 2.47.3
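Review bot: Nothing in the rewritten `IEEE80211_CHANCTX_REPLACE_NONE` branch of `ieee80211_vif_use_reserved_context()` records why both arms now return directly, so a later edit could reintroduce a fall-through that reads `old_ctx` after `ieee80211_vif_use_reserved_reassign()` has freed it. I would add above the `if (old_ctx)` line: `/* reassign frees old_ctx; return here so nothing below can touch it */`. The function starts and ends outside the hunk, so it is not visible whether `err` is still assigned further down in the 4.9 version; if it is not, the backport would leave an unused variable behind and the declaration should go too.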