From: Greg Kroah-Hartman
Date: Mon, 6 Jun 2022 11:45:52 +0000 (+0200)
Subject: 5.18-stable patches
X-Git-Tag: v5.10.121~121
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=011cea9e7f05991581c36ae0b1c0788e489f4b9d;p=thirdparty%2Fkernel%2Fstable-queue.git

5.18-stable patches

added patches:
iwlwifi-fw-init-sar-geo-table-only-if-data-is-present.patch
iwlwifi-mei-clear-the-sap-data-header-before-sending.patch
iwlwifi-mei-fix-potential-null-ptr-deref.patch
iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch
wifi-mac80211-fix-use-after-free-in-chanctx-code.patch
---

diff --git a/queue-5.18/iwlwifi-fw-init-sar-geo-table-only-if-data-is-present.patch b/queue-5.18/iwlwifi-fw-init-sar-geo-table-only-if-data-is-present.patch
new file mode 100644
index 00000000000..5c4fbfe4b5f
--- /dev/null
+++ b/queue-5.18/iwlwifi-fw-init-sar-geo-table-only-if-data-is-present.patch
@@ -0,0 +1,40 @@
+From d1f6530c3e373ddd7c76b05646052a27eead14ad Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 17 May 2022 12:05:08 +0300
+Subject: iwlwifi: fw: init SAR GEO table only if data is present
+
+From: Johannes Berg
+
+commit d1f6530c3e373ddd7c76b05646052a27eead14ad upstream.
+
+When no table data was read from ACPI, then filling the data
+and returning success here will fill zero values, which means
+transmit power will be limited to 0 dBm. This is clearly not
+intended.
+
+Return an error from iwl_sar_geo_init() if there's no data to
+fill into the command structure.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johannes Berg
+Fixes: 78a19d5285d9 ("iwlwifi: mvm: Read the PPAG and SAR tables at INIT stage")
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20220517120044.bc45923b74e9.Id2b4362234b7f8ced82c591b95d4075dd2ec12f4@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
++++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+@@ -937,6 +937,9 @@ int iwl_sar_geo_init(struct iwl_fw_runti
+ {
+ int i, j;
+
++ if (!fwrt->geo_enabled)
++ return -ENODATA;
++
+ if (!iwl_sar_geo_support(fwrt))
+ return -EOPNOTSUPP;
+
diff --git a/queue-5.18/iwlwifi-mei-clear-the-sap-data-header-before-sending.patch b/queue-5.18/iwlwifi-mei-clear-the-sap-data-header-before-sending.patch
new file mode 100644
index 00000000000..5ba78da8742
--- /dev/null
+++ b/queue-5.18/iwlwifi-mei-clear-the-sap-data-header-before-sending.patch
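Review bot: The new guard `if (!fwrt->geo_enabled) return -ENODATA;` is placed before the `iwl_sar_geo_support(fwrt)` check, so a device that lacks SAR GEO support and also has no ACPI table now reports -ENODATA instead of -EOPNOTSUPP; if any caller distinguishes the two (logging "unsupported" versus quietly skipping the GEO command), putting the guard after the support check preserves that distinction. The callers of iwl_sar_geo_init() are outside this hunk, so I cannot confirm they treat -ENODATA as "do not send the command" rather than as an init failure — that is the behaviour the commit relies on and is worth verifying. A one-line why-comment on the guard would also help the next reader: `/* no table read from ACPI: never send an all-zero (0 dBm) GEO table to the FW */`. The rest of iwl_sar_geo_init() continues past the hunk.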
@@ -0,0 +1,33 @@
+From 55cf10488d7a9fa1b1b473a5e44a80666932e094 Mon Sep 17 00:00:00 2001
+From: Avraham Stern
+Date: Tue, 17 May 2022 12:05:13 +0300
+Subject: iwlwifi: mei: clear the sap data header before sending
+
+From: Avraham Stern
+
+commit 55cf10488d7a9fa1b1b473a5e44a80666932e094 upstream.
+
+The SAP data header has some fields that are marked as reserved
+but are actually in use by CSME. Clear those fields before sending
+the data to avoid having random values in those fields.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Avraham Stern
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20220517120045.8dd3423cf683.I02976028eaa6aab395cb2e701fa7127212762eb7@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/mei/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mei/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/mei/main.c
+@@ -493,6 +493,7 @@ void iwl_mei_add_data_to_ring(struct sk_
+ if (cb_tx) {
+ struct iwl_sap_cb_data *cb_hdr = skb_push(skb, sizeof(*cb_hdr));
+
++ memset(cb_hdr, 0, sizeof(*cb_hdr));
+ cb_hdr->hdr.type = cpu_to_le16(SAP_MSG_CB_DATA_PACKET);
+ cb_hdr->hdr.len = cpu_to_le16(skb->len - sizeof(cb_hdr->hdr));
+ cb_hdr->hdr.seq_num = cpu_to_le32(atomic_inc_return(&mei->sap_seq_no));
diff --git a/queue-5.18/iwlwifi-mei-fix-potential-null-ptr-deref.patch b/queue-5.18/iwlwifi-mei-fix-potential-null-ptr-deref.patch
new file mode 100644
index 00000000000..3e429b943b9
--- /dev/null
+++ b/queue-5.18/iwlwifi-mei-fix-potential-null-ptr-deref.patch
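Review bot: The added `memset(cb_hdr, 0, sizeof(*cb_hdr));` needs a why-comment, because its security relevance is not visible from the line itself: `skb_push()` hands back uninitialised headroom, so before this change the "reserved" fields carried whatever stale kernel bytes sat in that headroom and those bytes were shipped to CSME — a small kernel-memory disclosure to the ME side, not only a correctness problem. Suggested comment above the memset: `/* CSME consumes the "reserved" fields: zero the whole header so no stale headroom bytes leave the kernel */`. The ordering is right (zero first, then the three field writes); what I cannot see from the hunk is whether any other path builds an `iwl_sap_cb_data` without the same zeroing, which is worth a grep. iwl_mei_add_data_to_ring() continues past the hunk.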
@@ -0,0 +1,36 @@
+From 78488a64aea94a3336ee97f345c1496e9bc5ebdf Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 17 May 2022 12:05:14 +0300
+Subject: iwlwifi: mei: fix potential NULL-ptr deref
+
+From: Johannes Berg
+
+commit 78488a64aea94a3336ee97f345c1496e9bc5ebdf upstream.
+
+If SKB allocation fails, continue rather than using the NULL
+pointer.
+
+Coverity CID: 1497650
+
+Cc: stable@vger.kernel.org
+Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME")
+Signed-off-by: Johannes Berg
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20220517120045.90c1b1fd534e.Ibb42463e74d0ec7d36ec81df22e171ae1f6268b0@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/mei/main.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mei/main.c
++++ b/drivers/net/wireless/intel/iwlwifi/mei/main.c
+@@ -1020,6 +1020,8 @@ static void iwl_mei_handle_sap_data(stru
+
+ /* We need enough room for the WiFi header + SNAP + IV */
+ skb = netdev_alloc_skb(netdev, len + QOS_HDR_IV_SNAP_LEN);
++ if (!skb)
++ continue;
+
+ skb_reserve(skb, QOS_HDR_IV_SNAP_LEN);
+ ethhdr = skb_push(skb, sizeof(*ethhdr));
diff --git a/queue-5.18/iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch b/queue-5.18/iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch
new file mode 100644
index 00000000000..abbe532d15d
--- /dev/null
+++ b/queue-5.18/iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch
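Review bot: The new `if (!skb) continue;` is correct only if the loop's cursor over the incoming SAP data (presumably a data pointer and remaining length) has already been advanced past this entry before the allocation; the loop head and the advance are outside the hunk, and if the advance happens later in the body the `continue` would re-read the same entry instead of skipping it — please confirm. The drop is also silent: an allocation failure here makes frames vanish with no trace, so I would count it, e.g. `netdev->stats.rx_dropped++;` before the `continue`, if that stat is what this path maintains. A short comment on the guard, `/* OOM: drop this frame, keep processing the rest of the buffer */`, states the intended policy. iwl_mei_handle_sap_data() starts and ends outside the hunk.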
@@ -0,0 +1,36 @@
+From 9d096e3d3061dbf4ee10e2b59fc2c06e05bdb997 Mon Sep 17 00:00:00 2001
+From: Emmanuel Grumbach
+Date: Tue, 17 May 2022 12:05:09 +0300
+Subject: iwlwifi: mvm: fix assert 1F04 upon reconfig
+
+From: Emmanuel Grumbach
+
+commit 9d096e3d3061dbf4ee10e2b59fc2c06e05bdb997 upstream.
+
+When we reconfig we must not send the MAC_POWER command that relates to
+a MAC that was not yet added to the firmware.
+
+Ignore those in the iterator.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Emmanuel Grumbach
+Signed-off-by: Gregory Greenman
+Link: https://lore.kernel.org/r/20220517120044.ed2ffc8ce732.If786e19512d0da4334a6382ea6148703422c7d7b@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/intel/iwlwifi/mvm/power.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/intel/iwlwifi/mvm/power.c
++++ b/drivers/net/wireless/intel/iwlwifi/mvm/power.c
+@@ -563,6 +563,9 @@ static void iwl_mvm_power_get_vifs_itera
+ struct iwl_power_vifs *power_iterator = _data;
+ bool active = mvmvif->phy_ctxt && mvmvif->phy_ctxt->id < NUM_PHY_CTX;
+
++ if (!mvmvif->uploaded)
++ return;
++
+ switch (ieee80211_vif_type_p2p(vif)) {
+ case NL80211_IFTYPE_P2P_DEVICE:
+ break;
diff --git a/queue-5.18/series b/queue-5.18/series
index 30b4e4727ce..c7f5291b7db 100644
--- a/queue-5.18/series
+++ b/queue-5.18/series
@@ -717,3 +717,8 @@ f2fs-fix-fallocate-to-use-file_modified-to-update-permissions-consistently.patch
 f2fs-fix-to-do-sanity-check-for-inline-inode.patch
 objtool-fix-objtool-regression-on-x32-systems.patch
 objtool-fix-symbol-creation.patch
+wifi-mac80211-fix-use-after-free-in-chanctx-code.patch
+iwlwifi-fw-init-sar-geo-table-only-if-data-is-present.patch
+iwlwifi-mvm-fix-assert-1f04-upon-reconfig.patch
+iwlwifi-mei-clear-the-sap-data-header-before-sending.patch
+iwlwifi-mei-fix-potential-null-ptr-deref.patch
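Review bot: The guard `if (!mvmvif->uploaded) return;` comes after `bool active = mvmvif->phy_ctxt && mvmvif->phy_ctxt->id < NUM_PHY_CTX;` is evaluated, so the iterator still inspects the phy context of a MAC that was never added to the firmware before bailing out; making the guard the first statement after the `_data` cast avoids touching that state at all and reads as the intent ("skip non-uploaded vifs entirely"). The reason also belongs in the code, since "1F04" in the subject is not discoverable from the hunk: `/* not yet added to the FW (e.g. during reconfig): a MAC_POWER cmd for it triggers FW assert 1F04 */`. The rest of iwl_mvm_power_get_vifs_iterator() continues past the hunk.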
diff --git a/queue-5.18/wifi-mac80211-fix-use-after-free-in-chanctx-code.patch b/queue-5.18/wifi-mac80211-fix-use-after-free-in-chanctx-code.patch
new file mode 100644
index 00000000000..d7092ff9028
--- /dev/null
+++ b/queue-5.18/wifi-mac80211-fix-use-after-free-in-chanctx-code.patch
@@ -0,0 +1,48 @@
+From 2965c4cdf7ad9ce0796fac5e57debb9519ea721e Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 1 Jun 2022 09:19:36 +0200
+Subject: wifi: mac80211: fix use-after-free in chanctx code
+
+From: Johannes Berg
+
+commit 2965c4cdf7ad9ce0796fac5e57debb9519ea721e upstream.
+
+In ieee80211_vif_use_reserved_context(), when we have an
+old context and the new context's replace_state is set to
+IEEE80211_CHANCTX_REPLACE_NONE, we free the old context
+in ieee80211_vif_use_reserved_reassign(). Therefore, we
+cannot check the old_ctx anymore, so we should set it to
+NULL after this point.
+
+However, since the new_ctx replace state is clearly not
+IEEE80211_CHANCTX_REPLACES_OTHER, we're not going to do
+anything else in this function and can just return to
+avoid accessing the freed old_ctx.
+
+Cc: stable@vger.kernel.org
+Fixes: 5bcae31d9cb1 ("mac80211: implement multi-vif in-place reservations")
+Signed-off-by: Johannes Berg
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220601091926.df419d91b165.I17a9b3894ff0b8323ce2afdb153b101124c821e5@changeid
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/chan.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/chan.c
++++ b/net/mac80211/chan.c
+@@ -1749,12 +1749,9 @@ int ieee80211_vif_use_reserved_context(s
+
+ if (new_ctx->replace_state == IEEE80211_CHANCTX_REPLACE_NONE) {
+ if (old_ctx)
+- err = ieee80211_vif_use_reserved_reassign(sdata);
+- else
+- err = ieee80211_vif_use_reserved_assign(sdata);
++ return ieee80211_vif_use_reserved_reassign(sdata);
+
+- if (err)
+- return err;
++ return ieee80211_vif_use_reserved_assign(sdata);
+ }
+
+ /*
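Review bot: The early `return ieee80211_vif_use_reserved_reassign(sdata);` is the fix, but nothing in the code records why the function must not fall through here, so a later "simplification" back to the err-then-continue form would quietly reintroduce the use-after-free; I would anchor the invariant with a comment on the `if (old_ctx)` branch: `/* reassign frees old_ctx: return now, nothing below may touch it */`. Since `err` is no longer assigned on this path, check whether the remainder of ieee80211_vif_use_reserved_context() (the REPLACES_OTHER path, outside the hunk) still uses it, otherwise it has become a set-but-unused local that -Wunused-but-set-variable will flag. The function starts and ends outside the hunk.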