--- /dev/null
+From b67fd72e84a88cae64cea8ab47ccdaab3bb3094d Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel <alexander@wetzel-home.de>
+Date: Mon, 5 Aug 2019 14:34:00 +0200
+Subject: cfg80211: Fix Extended Key ID key install checks
+
+From: Alexander Wetzel <alexander@wetzel-home.de>
+
+commit b67fd72e84a88cae64cea8ab47ccdaab3bb3094d upstream.
+
+Fix two shortcomings in the Extended Key ID API:
+
+ 1) Allow the userspace to install pairwise keys using keyid 1 without
+ NL80211_KEY_NO_TX set. This allows the userspace to install and
+ activate pairwise keys with keyid 1 in the same way as for keyid 0,
+ simplifying the API usage for e.g. FILS and FT key installs.
+
+ 2) IEEE 802.11 - 2016 restricts Extended Key ID usage to CCMP/GCMP
+ ciphers in IEEE 802.11 - 2016 "9.4.2.25.4 RSN capabilities".
+ Enforce that when installing a key.
+
+Cc: stable@vger.kernel.org # 5.2
+Fixes: 6cdd3979a2bd ("nl80211/cfg80211: Extended Key ID support")
+Signed-off-by: Alexander Wetzel <alexander@wetzel-home.de>
+Link: https://lore.kernel.org/r/20190805123400.51567-1-alexander@wetzel-home.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/util.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -233,25 +233,30 @@ int cfg80211_validate_key_settings(struc
+
+ switch (params->cipher) {
+ case WLAN_CIPHER_SUITE_TKIP:
++ /* Extended Key ID can only be used with CCMP/GCMP ciphers */
++ if ((pairwise && key_idx) ||
++ params->mode != NL80211_KEY_RX_TX)
++ return -EINVAL;
++ break;
+ case WLAN_CIPHER_SUITE_CCMP:
+ case WLAN_CIPHER_SUITE_CCMP_256:
+ case WLAN_CIPHER_SUITE_GCMP:
+ case WLAN_CIPHER_SUITE_GCMP_256:
+- /* IEEE802.11-2016 allows only 0 and - when using Extended Key
+- * ID - 1 as index for pairwise keys.
++ /* IEEE802.11-2016 allows only 0 and - when supporting
++ * Extended Key ID - 1 as index for pairwise keys.
+ * @NL80211_KEY_NO_TX is only allowed for pairwise keys when
+ * the driver supports Extended Key ID.
+ * @NL80211_KEY_SET_TX can't be set when installing and
+ * validating a key.
+ */
+- if (params->mode == NL80211_KEY_NO_TX) {
+- if (!wiphy_ext_feature_isset(&rdev->wiphy,
+- NL80211_EXT_FEATURE_EXT_KEY_ID))
+- return -EINVAL;
+- else if (!pairwise || key_idx < 0 || key_idx > 1)
++ if ((params->mode == NL80211_KEY_NO_TX && !pairwise) ||
++ params->mode == NL80211_KEY_SET_TX)
++ return -EINVAL;
++ if (wiphy_ext_feature_isset(&rdev->wiphy,
++ NL80211_EXT_FEATURE_EXT_KEY_ID)) {
++ if (pairwise && (key_idx < 0 || key_idx > 1))
+ return -EINVAL;
+- } else if ((pairwise && key_idx) ||
+- params->mode == NL80211_KEY_SET_TX) {
++ } else if (pairwise && key_idx) {
+ return -EINVAL;
+ }
+ break;
--- /dev/null
+From f8b43c5cf4b62a19f2210a0f5367b84e1eff1ab9 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Tue, 27 Aug 2019 17:41:20 -0500
+Subject: mac80211: Correctly set noencrypt for PAE frames
+
+From: Denis Kenzior <denkenz@gmail.com>
+
+commit f8b43c5cf4b62a19f2210a0f5367b84e1eff1ab9 upstream.
+
+The noencrypt flag was intended to be set if the "frame was received
+unencrypted" according to include/uapi/linux/nl80211.h. However, the
+current behavior is opposite of this.
+
+Cc: stable@vger.kernel.org
+Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211")
+Signed-off-by: Denis Kenzior <denkenz@gmail.com>
+Link: https://lore.kernel.org/r/20190827224120.14545-3-denkenz@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2447,7 +2447,7 @@ static void ieee80211_deliver_skb_to_loc
+ skb->protocol == cpu_to_be16(ETH_P_PREAUTH)) &&
+ sdata->control_port_over_nl80211)) {
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+- bool noencrypt = status->flag & RX_FLAG_DECRYPTED;
++ bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
+
+ cfg80211_rx_control_port(dev, skb, noencrypt);
+ dev_kfree_skb(skb);
--- /dev/null
+From c8a41c6afa27b8c3f61622dfd882b912da9d6721 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior <denkenz@gmail.com>
+Date: Tue, 27 Aug 2019 17:41:19 -0500
+Subject: mac80211: Don't memset RXCB prior to PAE intercept
+
+From: Denis Kenzior <denkenz@gmail.com>
+
+commit c8a41c6afa27b8c3f61622dfd882b912da9d6721 upstream.
+
+In ieee80211_deliver_skb_to_local_stack intercepts EAPoL frames if
+mac80211 is configured to do so and forwards the contents over nl80211.
+During this process some additional data is also forwarded, including
+whether the frame was received encrypted or not. Unfortunately just
+prior to the call to ieee80211_deliver_skb_to_local_stack, skb->cb is
+cleared, resulting in incorrect data being exposed over nl80211.
+
+Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Kenzior <denkenz@gmail.com>
+Link: https://lore.kernel.org/r/20190827224120.14545-2-denkenz@gmail.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2452,6 +2452,8 @@ static void ieee80211_deliver_skb_to_loc
+ cfg80211_rx_control_port(dev, skb, noencrypt);
+ dev_kfree_skb(skb);
+ } else {
++ memset(skb->cb, 0, sizeof(skb->cb));
++
+ /* deliver to local stack */
+ if (rx->napi)
+ napi_gro_receive(rx->napi, skb);
+@@ -2546,8 +2548,6 @@ ieee80211_deliver_skb(struct ieee80211_r
+
+ if (skb) {
+ skb->protocol = eth_type_trans(skb, dev);
+- memset(skb->cb, 0, sizeof(skb->cb));
+-
+ ieee80211_deliver_skb_to_local_stack(skb, rx);
+ }
+
--- /dev/null
+From 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 1 Aug 2019 09:30:33 +0200
+Subject: mac80211: fix possible sta leak
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 upstream.
+
+If TDLS station addition is rejected, the sta memory is leaked.
+Avoid this by moving the check before the allocation.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ed5285396c2 ("mac80211: don't initiate TDLS connection if station is not associated to AP")
+Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/cfg.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1543,6 +1543,11 @@ static int ieee80211_add_station(struct
+ if (is_multicast_ether_addr(mac))
+ return -EINVAL;
+
++ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER) &&
++ sdata->vif.type == NL80211_IFTYPE_STATION &&
++ !sdata->u.mgd.associated)
++ return -EINVAL;
++
+ sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
+ if (!sta)
+ return -ENOMEM;
+@@ -1550,10 +1555,6 @@ static int ieee80211_add_station(struct
+ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
+ sta->sta.tdls = true;
+
+- if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
+- !sdata->u.mgd.associated)
+- return -EINVAL;
+-
+ err = sta_apply_parameters(local, sta, params);
+ if (err) {
+ sta_info_free(local, sta);
--- /dev/null
+From 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb Mon Sep 17 00:00:00 2001
+From: "Hodaszi, Robert" <Robert.Hodaszi@digi.com>
+Date: Fri, 14 Jun 2019 13:16:01 +0000
+Subject: Revert "cfg80211: fix processing world regdomain when non modular"
+
+From: Hodaszi, Robert <Robert.Hodaszi@digi.com>
+
+commit 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb upstream.
+
+This reverts commit 96cce12ff6e0 ("cfg80211: fix processing world
+regdomain when non modular").
+
+Re-triggering a reg_process_hint with the last request on all events,
+can make the regulatory domain fail in case of multiple WiFi modules. On
+slower boards (espacially with mdev), enumeration of the WiFi modules
+can end up in an intersected regulatory domain, and user cannot set it
+with 'iw reg set' anymore.
+
+This is happening, because:
+- 1st module enumerates, queues up a regulatory request
+- request gets processed by __reg_process_hint_driver():
+ - checks if previous was set by CORE -> yes
+ - checks if regulator domain changed -> yes, from '00' to e.g. 'US'
+ -> sends request to the 'crda'
+- 2nd module enumerates, queues up a regulator request (which triggers
+ the reg_todo() work)
+- reg_todo() -> reg_process_pending_hints() sees, that the last request
+ is not processed yet, so it tries to process it again.
+ __reg_process_hint driver() will run again, and:
+ - checks if the last request's initiator was the core -> no, it was
+ the driver (1st WiFi module)
+ - checks, if the previous initiator was the driver -> yes
+ - checks if the regulator domain changed -> yes, it was '00' (set by
+ core, and crda call did not return yet), and should be changed to 'US'
+
+------> __reg_process_hint_driver calls an intersect
+
+Besides, the reg_process_hint call with the last request is meaningless
+since the crda call has a timeout work. If that timeout expires, the
+first module's request will lost.
+
+Cc: stable@vger.kernel.org
+Fixes: 96cce12ff6e0 ("cfg80211: fix processing world regdomain when non modular")
+Signed-off-by: Robert Hodaszi <robert.hodaszi@digi.com>
+Link: https://lore.kernel.org/r/20190614131600.GA13897@a1-hr
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2788,7 +2788,7 @@ static void reg_process_pending_hints(vo
+
+ /* When last_request->processed becomes true this will be rescheduled */
+ if (lr && !lr->processed) {
+- reg_process_hint(lr);
++ pr_debug("Pending regulatory request, waiting for it to be processed...\n");
+ return;
+ }
+
mms-sdhci-sprd-add-sdhci_quirk_broken_card_detection.patch
mm-memcg-partially-revert-mm-memcontrol.c-keep-local-vm-counters-in-sync-with-the-hierarchical-ones.patch
mm-memcontrol-fix-percpu-vmstats-and-vmevents-flush.patch
+revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
+mac80211-fix-possible-sta-leak.patch
+cfg80211-fix-extended-key-id-key-install-checks.patch
+mac80211-don-t-memset-rxcb-prior-to-pae-intercept.patch
+mac80211-correctly-set-noencrypt-for-pae-frames.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
