alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-probing.patch
alsa-hda-realtek-add-quirk-for-clevo-nv45pz.patch
alsa-hda-realtek-add-quirk-for-hp-spectre-x360-15-eb0xxx.patch
+wifi-mac80211_hwsim-fix-race-condition-in-pending-packet.patch
+wifi-mac80211_hwsim-add-back-erroneously-removed-cast.patch
+wifi-mac80211_hwsim-use-32-bit-skb-cookie.patch
--- /dev/null
+From 58b6259d820d63c2adf1c7541b54cce5a2ae6073 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 11 Jul 2022 13:14:24 +0200
+Subject: wifi: mac80211_hwsim: add back erroneously removed cast
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 58b6259d820d63c2adf1c7541b54cce5a2ae6073 upstream.
+
+The robots report that we're now casting to a differently
+sized integer, which is correct, and the previous patch
+had erroneously removed it.
+
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Jeongik Cha <jeongik@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -3540,7 +3540,7 @@ static int hwsim_tx_info_frame_received_
+ u64 skb_cookie;
+
+ txi = IEEE80211_SKB_CB(skb);
+- skb_cookie = (u64)txi->rate_driver_data[0];
++ skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
+
+ if (skb_cookie == ret_skb_cookie) {
+ __skb_unlink(skb, &data2->pending);
--- /dev/null
+From 4ee186fa7e40ae06ebbfbad77e249e3746e14114 Mon Sep 17 00:00:00 2001
+From: Jeongik Cha <jeongik@google.com>
+Date: Mon, 4 Jul 2022 17:43:54 +0900
+Subject: wifi: mac80211_hwsim: fix race condition in pending packet
+
+From: Jeongik Cha <jeongik@google.com>
+
+commit 4ee186fa7e40ae06ebbfbad77e249e3746e14114 upstream.
+
+A pending packet uses a cookie as an unique key, but it can be duplicated
+because it didn't use atomic operators.
+
+And also, a pending packet can be null in hwsim_tx_info_frame_received_nl
+due to race condition with mac80211_hwsim_stop.
+
+For this,
+ * Use an atomic type and operator for a cookie
+ * Add a lock around the loop for pending packets
+
+Signed-off-by: Jeongik Cha <jeongik@google.com>
+Link: https://lore.kernel.org/r/20220704084354.3556326-1-jeongik@google.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -593,7 +593,7 @@ struct mac80211_hwsim_data {
+ bool ps_poll_pending;
+ struct dentry *debugfs;
+
+- uintptr_t pending_cookie;
++ atomic64_t pending_cookie;
+ struct sk_buff_head pending; /* packets pending */
+ /*
+ * Only radios in the same group can communicate together (the
+@@ -1200,7 +1200,7 @@ static void mac80211_hwsim_tx_frame_nl(s
+ int i;
+ struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];
+ struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];
+- uintptr_t cookie;
++ u64 cookie;
+
+ if (data->ps != PS_DISABLED)
+ hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
+@@ -1269,8 +1269,7 @@ static void mac80211_hwsim_tx_frame_nl(s
+ goto nla_put_failure;
+
+ /* We create a cookie to identify this skb */
+- data->pending_cookie++;
+- cookie = data->pending_cookie;
++ cookie = (u64)atomic64_inc_return(&data->pending_cookie);
+ info->rate_driver_data[0] = (void *)cookie;
+ if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))
+ goto nla_put_failure;
+@@ -3508,6 +3507,7 @@ static int hwsim_tx_info_frame_received_
+ const u8 *src;
+ unsigned int hwsim_flags;
+ int i;
++ unsigned long flags;
+ bool found = false;
+
+ if (!info->attrs[HWSIM_ATTR_ADDR_TRANSMITTER] ||
+@@ -3535,18 +3535,20 @@ static int hwsim_tx_info_frame_received_
+ }
+
+ /* look for the skb matching the cookie passed back from user */
++ spin_lock_irqsave(&data2->pending.lock, flags);
+ skb_queue_walk_safe(&data2->pending, skb, tmp) {
+ u64 skb_cookie;
+
+ txi = IEEE80211_SKB_CB(skb);
+- skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
++ skb_cookie = (u64)txi->rate_driver_data[0];
+
+ if (skb_cookie == ret_skb_cookie) {
+- skb_unlink(skb, &data2->pending);
++ __skb_unlink(skb, &data2->pending);
+ found = true;
+ break;
+ }
+ }
++ spin_unlock_irqrestore(&data2->pending.lock, flags);
+
+ /* not found */
+ if (!found)
--- /dev/null
+From cc5250cdb43d444061412df7fae72d2b4acbdf97 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 13 Jul 2022 21:16:45 +0200
+Subject: wifi: mac80211_hwsim: use 32-bit skb cookie
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit cc5250cdb43d444061412df7fae72d2b4acbdf97 upstream.
+
+We won't really have enough skbs to need a 64-bit cookie,
+and on 32-bit platforms storing the 64-bit cookie into the
+void *rate_driver_data doesn't work anyway. Switch back to
+using just a 32-bit cookie and uintptr_t for the type to
+avoid compiler warnings about all this.
+
+Fixes: 4ee186fa7e40 ("wifi: mac80211_hwsim: fix race condition in pending packet")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Cc: Jeongik Cha <jeongik@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/wireless/mac80211_hwsim.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -593,7 +593,7 @@ struct mac80211_hwsim_data {
+ bool ps_poll_pending;
+ struct dentry *debugfs;
+
+- atomic64_t pending_cookie;
++ atomic_t pending_cookie;
+ struct sk_buff_head pending; /* packets pending */
+ /*
+ * Only radios in the same group can communicate together (the
+@@ -1200,7 +1200,7 @@ static void mac80211_hwsim_tx_frame_nl(s
+ int i;
+ struct hwsim_tx_rate tx_attempts[IEEE80211_TX_MAX_RATES];
+ struct hwsim_tx_rate_flag tx_attempts_flags[IEEE80211_TX_MAX_RATES];
+- u64 cookie;
++ uintptr_t cookie;
+
+ if (data->ps != PS_DISABLED)
+ hdr->frame_control |= cpu_to_le16(IEEE80211_FCTL_PM);
+@@ -1269,7 +1269,7 @@ static void mac80211_hwsim_tx_frame_nl(s
+ goto nla_put_failure;
+
+ /* We create a cookie to identify this skb */
+- cookie = (u64)atomic64_inc_return(&data->pending_cookie);
++ cookie = atomic_inc_return(&data->pending_cookie);
+ info->rate_driver_data[0] = (void *)cookie;
+ if (nla_put_u64_64bit(skb, HWSIM_ATTR_COOKIE, cookie, HWSIM_ATTR_PAD))
+ goto nla_put_failure;
+@@ -3537,10 +3537,10 @@ static int hwsim_tx_info_frame_received_
+ /* look for the skb matching the cookie passed back from user */
+ spin_lock_irqsave(&data2->pending.lock, flags);
+ skb_queue_walk_safe(&data2->pending, skb, tmp) {
+- u64 skb_cookie;
++ uintptr_t skb_cookie;
+
+ txi = IEEE80211_SKB_CB(skb);
+- skb_cookie = (u64)(uintptr_t)txi->rate_driver_data[0];
++ skb_cookie = (uintptr_t)txi->rate_driver_data[0];
+
+ if (skb_cookie == ret_skb_cookie) {
+ __skb_unlink(skb, &data2->pending);
projects / thirdparty / kernel / stable-queue.git / commitdiff
