From 7c9e4237cb09a7007055801dd79e4e4707ce8555 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Fri, 25 Nov 2022 13:03:07 -0500
Subject: [PATCH] Fixes for 4.9
Signed-off-by: Sasha Levin
---
...ned-behavior-in-bit-shift-for-audit_.patch | 52 +++++++++
...s-pic32-treat-port-as-signed-integer.patch | 105 ++++++++++++++++++
queue-4.9/series | 4 +
...x-ack-frame-idr-leak-when-mesh-has-n.patch | 42 +++++++
...sim-fix-debugfs-attribute-ps-with-rc.patch | 57 ++++++++++
5 files changed, 260 insertions(+)
create mode 100644 queue-4.9/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch
create mode 100644 queue-4.9/mips-pic32-treat-port-as-signed-integer.patch
create mode 100644 queue-4.9/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch
create mode 100644 queue-4.9/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch
diff --git a/queue-4.9/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch b/queue-4.9/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch
new file mode 100644
index 00000000000..3e37339bfe5
--- /dev/null
+++ b/queue-4.9/audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch
@@ -0,0 +1,52 @@
+From d080c5c885edae6ced24e5347df05250a32bde51 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Oct 2022 10:10:21 +0800
+Subject: audit: fix undefined behavior in bit shift for AUDIT_BIT
+
+From: Gaosheng Cui
+
+[ Upstream commit 986d93f55bdeab1cac858d1e47b41fac10b2d7f6 ]
+
+Shifting signed 32-bit value by 31 bits is undefined, so changing
+significant bit to unsigned. The UBSAN warning calltrace like below:
+
+UBSAN: shift-out-of-bounds in kernel/auditfilter.c:179:23
+left shift of 1 by 31 places cannot be represented in type 'int'
+Call Trace:
+
+ dump_stack_lvl+0x7d/0xa5
+ dump_stack+0x15/0x1b
+ ubsan_epilogue+0xe/0x4e
+ __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c
+ audit_register_class+0x9d/0x137
+ audit_classes_init+0x4d/0xb8
+ do_one_initcall+0x76/0x430
+ kernel_init_freeable+0x3b3/0x422
+ kernel_init+0x24/0x1e0
+ ret_from_fork+0x1f/0x30
+
+
+Signed-off-by: Gaosheng Cui
+[PM: remove bad 'Fixes' tag as issue predates git, added in v2.6.6-rc1]
+Signed-off-by: Paul Moore
+Signed-off-by: Sasha Levin
+---
+ include/uapi/linux/audit.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
+index 208df7b44e90..d7ac6b9be18e 100644
+--- a/include/uapi/linux/audit.h
++++ b/include/uapi/linux/audit.h
+@@ -170,7 +170,7 @@
+ #define AUDIT_MAX_KEY_LEN 256
+ #define AUDIT_BITMASK_SIZE 64
+ #define AUDIT_WORD(nr) ((__u32)((nr)/32))
+-#define AUDIT_BIT(nr) (1 << ((nr) - AUDIT_WORD(nr)*32))
++#define AUDIT_BIT(nr) (1U << ((nr) - AUDIT_WORD(nr)*32))
+
+ #define AUDIT_SYSCALL_CLASSES 16
+ #define AUDIT_CLASS_DIR_WRITE 0
+--
+2.35.1
+
diff --git a/queue-4.9/mips-pic32-treat-port-as-signed-integer.patch b/queue-4.9/mips-pic32-treat-port-as-signed-integer.patch
new file mode 100644
index 00000000000..096cd7b1207
--- /dev/null
+++ b/queue-4.9/mips-pic32-treat-port-as-signed-integer.patch
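Review bot: The shift count in the new `AUDIT_BIT(nr)` can still be out of range when `nr` is a negative int, because `(nr) - AUDIT_WORD(nr)*32` is then evaluated in unsigned arithmetic and may exceed 31; the `1U` change only removes the signed case at bit 31. As this is a uapi header, the macro also now evaluates to `unsigned int` instead of `int` for userspace callers. I would record both constraints next to the macro, for example `/* nr must be >= 0; evaluates to an unsigned int mask within word AUDIT_WORD(nr) */`.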
@@ -0,0 +1,105 @@
+From a3ec296202ed7b06c2245946a56d8f91a756e50d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Oct 2022 15:23:44 +0200
+Subject: MIPS: pic32: treat port as signed integer
+
+From: Jason A. Donenfeld
+
+[ Upstream commit 648060902aa302331b5d6e4f26d8ee0761d239ab ]
+
+get_port_from_cmdline() returns an int, yet is assigned to a char, which
+is wrong in its own right, but also, with char becoming unsigned, this
+poses problems, because -1 is used as an error value. Further
+complicating things, fw_init_early_console() is only ever called with a
+-1 argument. Fix this up by removing the unused argument from
+fw_init_early_console() and treating port as a proper signed integer.
+
+Cc: Thomas Bogendoerfer
+Signed-off-by: Jason A. Donenfeld
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/include/asm/fw/fw.h | 2 +-
+ arch/mips/pic32/pic32mzda/early_console.c | 13 ++++++-------
+ arch/mips/pic32/pic32mzda/init.c | 2 +-
+ 3 files changed, 8 insertions(+), 9 deletions(-)
+
+diff --git a/arch/mips/include/asm/fw/fw.h b/arch/mips/include/asm/fw/fw.h
+index d0ef8b4892bb..d0494ce4b337 100644
+--- a/arch/mips/include/asm/fw/fw.h
++++ b/arch/mips/include/asm/fw/fw.h
+@@ -26,6 +26,6 @@ extern char *fw_getcmdline(void);
+ extern void fw_meminit(void);
+ extern char *fw_getenv(char *name);
+ extern unsigned long fw_getenvl(char *name);
+-extern void fw_init_early_console(char port);
++extern void fw_init_early_console(void);
+
+ #endif /* __ASM_FW_H_ */
+diff --git a/arch/mips/pic32/pic32mzda/early_console.c b/arch/mips/pic32/pic32mzda/early_console.c
+index d7b783463fac..4933c5337059 100644
+--- a/arch/mips/pic32/pic32mzda/early_console.c
++++ b/arch/mips/pic32/pic32mzda/early_console.c
+@@ -34,7 +34,7 @@
+ #define U_BRG(x) (UART_BASE(x) + 0x40)
+
+ static void __iomem *uart_base;
+-static char console_port = -1;
++static int console_port = -1;
+
+ static int __init configure_uart_pins(int port)
+ {
+@@ -54,7 +54,7 @@ static int __init configure_uart_pins(int port)
+ return 0;
+ }
+
+-static void __init configure_uart(char port, int baud)
++static void __init configure_uart(int port, int baud)
+ {
+ u32 pbclk;
+
+@@ -67,7 +67,7 @@ static void __init configure_uart(char port, int baud)
+ uart_base + PIC32_SET(U_STA(port)));
+ }
+
+-static void __init setup_early_console(char port, int baud)
++static void __init setup_early_console(int port, int baud)
+ {
+ if (configure_uart_pins(port))
+ return;
+@@ -137,16 +137,15 @@ static int __init get_baud_from_cmdline(char *arch_cmdline)
+ return baud;
+ }
+
+-void __init fw_init_early_console(char port)
++void __init fw_init_early_console(void)
+ {
+ char *arch_cmdline = pic32_getcmdline();
+- int baud = -1;
++ int baud, port;
+
+ uart_base = ioremap_nocache(PIC32_BASE_UART, 0xc00);
+
+ baud = get_baud_from_cmdline(arch_cmdline);
+- if (port == -1)
+- port = get_port_from_cmdline(arch_cmdline);
++ port = get_port_from_cmdline(arch_cmdline);
+
+ if (port == -1)
+ port = EARLY_CONSOLE_PORT;
+diff --git a/arch/mips/pic32/pic32mzda/init.c b/arch/mips/pic32/pic32mzda/init.c
+index 406c6c5cec29..cf2625551b45 100644
+--- a/arch/mips/pic32/pic32mzda/init.c
++++ b/arch/mips/pic32/pic32mzda/init.c
+@@ -68,7 +68,7 @@ void __init plat_mem_setup(void)
+ strlcpy(arcs_cmdline, boot_command_line, COMMAND_LINE_SIZE);
+
+ #ifdef CONFIG_EARLY_PRINTK
+- fw_init_early_console(-1);
++ fw_init_early_console();
+ #endif
+ pic32_config_init();
+ }
+--
+2.35.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index e69de29bb2d..11c2bff3bd8 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -0,0 +1,4 @@
+wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch
+audit-fix-undefined-behavior-in-bit-shift-for-audit_.patch
+wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch
+mips-pic32-treat-port-as-signed-integer.patch
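Review bot: In `fw_init_early_console()` the value returned by `get_port_from_cmdline()` is compared only against -1 before use, so with `port` widened from `char` to `int` any other number parsed from the command line appears to flow on to the `U_STA(port)` offset into the 0xc00-byte `uart_base` mapping. Unless `get_port_from_cmdline()` or `configure_uart_pins()` (bodies not visible in these hunks) already bound it, I would fall back to the default for every out-of-range value, e.g. `if (port < 0 || port >= <number of UARTs, placeholder>) port = EARLY_CONSOLE_PORT;`. The return of `ioremap_nocache()` is also not checked in the visible lines. The function body continues past the end of the hunk.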
diff --git a/queue-4.9/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch b/queue-4.9/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch
new file mode 100644
index 00000000000..f7ceacffcf9
--- /dev/null
+++ b/queue-4.9/wifi-mac80211-fix-ack-frame-idr-leak-when-mesh-has-n.patch
@@ -0,0 +1,42 @@
+From cd84bf1eac8d97e814100a03d44ad79f89278e8d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 27 Oct 2022 16:01:33 +0200
+Subject: wifi: mac80211: Fix ack frame idr leak when mesh has no route
+
+From: Nicolas Cavallari
+
+[ Upstream commit 39e7b5de9853bd92ddbfa4b14165babacd7da0ba ]
+
+When trying to transmit an data frame with tx_status to a destination
+that have no route in the mesh, then it is dropped without recrediting
+the ack_status_frames idr.
+
+Once it is exhausted, wpa_supplicant starts failing to do SAE with
+NL80211_CMD_FRAME and logs "nl80211: Frame command failed".
+
+Use ieee80211_free_txskb() instead of kfree_skb() to fix it.
+
+Signed-off-by: Nicolas Cavallari
+Link: https://lore.kernel.org/r/20221027140133.1504-1-nicolas.cavallari@green-communications.fr
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mesh_pathtbl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c
+index 30a95a2ff196..78945dc9dcd7 100644
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -794,7 +794,7 @@ int mesh_path_send_to_gates(struct mesh_path *mpath)
+ void mesh_path_discard_frame(struct ieee80211_sub_if_data *sdata,
+ struct sk_buff *skb)
+ {
+- kfree_skb(skb);
++ ieee80211_free_txskb(&sdata->local->hw, skb);
+ sdata->u.mesh.mshstats.dropped_frames_no_route++;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.9/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch b/queue-4.9/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch
new file mode 100644
index 00000000000..a04d948bfdb
--- /dev/null
+++ b/queue-4.9/wifi-mac80211_hwsim-fix-debugfs-attribute-ps-with-rc.patch 
@@ -0,0 +1,57 @@
+From a87abd1b4f055c31a7324ddda19d92f7ebc7a08e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 14 Oct 2022 16:54:39 +0200
+Subject: wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support
+
+From: Jonas Jelonek
+
+[ Upstream commit 69188df5f6e4cecc6b76b958979ba363cd5240e8 ]
+
+Fixes a warning that occurs when rc table support is enabled
+(IEEE80211_HW_SUPPORTS_RC_TABLE) in mac80211_hwsim and the PS mode
+is changed via the exported debugfs attribute.
+
+When the PS mode is changed, a packet is broadcasted via
+hwsim_send_nullfunc by creating and transmitting a plain skb with only
+header initialized. The ieee80211 rate array in the control buffer is
+zero-initialized. When ratetbl support is enabled, ieee80211_get_tx_rates
+is called for the skb with sta parameter set to NULL and thus no
+ratetbl can be used. The final rate array then looks like
+[-1,0; 0,0; 0,0; 0,0] which causes the warning in ieee80211_get_tx_rate.
+
+The issue is fixed by setting the count of the first rate with idx '0'
+to 1 and hence ieee80211_get_tx_rates won't overwrite it with idx '-1'.
+
+Signed-off-by: Jonas Jelonek
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mac80211_hwsim.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
+index 70251c703c9e..53e0fec274a4 100644
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -671,6 +671,7 @@ static void hwsim_send_nullfunc(struct mac80211_hwsim_data *data, u8 *mac,
+ struct hwsim_vif_priv *vp = (void *)vif->drv_priv;
+ struct sk_buff *skb;
+ struct ieee80211_hdr *hdr;
++ struct ieee80211_tx_info *cb;
+
+ if (!vp->assoc)
+ return;
+@@ -691,6 +692,10 @@ static void hwsim_send_nullfunc(struct mac80211_hwsim_data *data, u8 *mac,
+ memcpy(hdr->addr2, mac, ETH_ALEN);
+ memcpy(hdr->addr3, vp->bssid, ETH_ALEN);
+
++ cb = IEEE80211_SKB_CB(skb);
++ cb->control.rates[0].count = 1;
++ cb->control.rates[1].idx = -1;
++
+ rcu_read_lock();
+ mac80211_hwsim_tx_frame(data->hw, skb,
+ rcu_dereference(vif->chanctx_conf)->def.chan);
+--
+2.35.1
+
--
2.47.3
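Review bot: The lines added to `hwsim_send_nullfunc()` set `rates[0].count` and `rates[1].idx` but never write `rates[0].idx`, so the fix relies on the skb control buffer having been zeroed when the skb was allocated, which happens outside this hunk. I would make that dependency explicit, either by adding `cb->control.rates[0].idx = 0;` before the count assignment or with a comment such as `/* cb is zeroed at allocation, so rates[0].idx == 0; give it one try and terminate the list at rates[1] */`. The context line `rcu_dereference(vif->chanctx_conf)->def.chan` also dereferences the result without a NULL check; whether the earlier `vp->assoc` guard guarantees a channel context cannot be confirmed from the visible lines.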