From: Greg Kroah-Hartman Date: Tue, 3 Sep 2019 19:34:12 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.191~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0868f4c45c12b36636d6233868d1c19b156edb9e;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: mac80211-fix-possible-sta-leak.patch revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch --- diff --git a/queue-4.14/mac80211-fix-possible-sta-leak.patch b/queue-4.14/mac80211-fix-possible-sta-leak.patch new file mode 100644 index 00000000000..408045f16f2 --- /dev/null +++ b/queue-4.14/mac80211-fix-possible-sta-leak.patch @@ -0,0 +1,47 @@ +From 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Thu, 1 Aug 2019 09:30:33 +0200 +Subject: mac80211: fix possible sta leak + +From: Johannes Berg + +commit 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 upstream. + +If TDLS station addition is rejected, the sta memory is leaked. +Avoid this by moving the check before the allocation. + +Cc: stable@vger.kernel.org +Fixes: 7ed5285396c2 ("mac80211: don't initiate TDLS connection if station is not associated to AP") +Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.net +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/cfg.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1459,6 +1459,11 @@ static int ieee80211_add_station(struct + if (is_multicast_ether_addr(mac)) + return -EINVAL; + ++ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER) && ++ sdata->vif.type == NL80211_IFTYPE_STATION && ++ !sdata->u.mgd.associated) ++ return -EINVAL; ++ + sta = sta_info_alloc(sdata, mac, GFP_KERNEL); + if (!sta) + return -ENOMEM; +@@ -1466,10 +1471,6 @@ static int ieee80211_add_station(struct + if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) + sta->sta.tdls = true; + +- if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION && +- !sdata->u.mgd.associated) +- return -EINVAL; +- + err = sta_apply_parameters(local, sta, params); + if (err) { + sta_info_free(local, sta); diff --git a/queue-4.14/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch b/queue-4.14/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch new file mode 100644 index 00000000000..7f4c5990309 --- /dev/null +++ b/queue-4.14/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch @@ -0,0 +1,63 @@ +From 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb Mon Sep 17 00:00:00 2001 +From: "Hodaszi, Robert" +Date: Fri, 14 Jun 2019 13:16:01 +0000 +Subject: Revert "cfg80211: fix processing world regdomain when non modular" + +From: Hodaszi, Robert + +commit 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb upstream. + +This reverts commit 96cce12ff6e0 ("cfg80211: fix processing world +regdomain when non modular"). + +Re-triggering a reg_process_hint with the last request on all events, +can make the regulatory domain fail in case of multiple WiFi modules. On +slower boards (espacially with mdev), enumeration of the WiFi modules +can end up in an intersected regulatory domain, and user cannot set it +with 'iw reg set' anymore. + +This is happening, because: +- 1st module enumerates, queues up a regulatory request +- request gets processed by __reg_process_hint_driver(): + - checks if previous was set by CORE -> yes + - checks if regulator domain changed -> yes, from '00' to e.g. 'US' + -> sends request to the 'crda' +- 2nd module enumerates, queues up a regulator request (which triggers + the reg_todo() work) +- reg_todo() -> reg_process_pending_hints() sees, that the last request + is not processed yet, so it tries to process it again. + __reg_process_hint driver() will run again, and: + - checks if the last request's initiator was the core -> no, it was + the driver (1st WiFi module) + - checks, if the previous initiator was the driver -> yes + - checks if the regulator domain changed -> yes, it was '00' (set by + core, and crda call did not return yet), and should be changed to 'US' + +------> __reg_process_hint_driver calls an intersect + +Besides, the reg_process_hint call with the last request is meaningless +since the crda call has a timeout work. If that timeout expires, the +first module's request will lost. + +Cc: stable@vger.kernel.org +Fixes: 96cce12ff6e0 ("cfg80211: fix processing world regdomain when non modular") +Signed-off-by: Robert Hodaszi +Link: https://lore.kernel.org/r/20190614131600.GA13897@a1-hr +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/reg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2252,7 +2252,7 @@ static void reg_process_pending_hints(vo + + /* When last_request->processed becomes true this will be rescheduled */ + if (lr && !lr->processed) { +- reg_process_hint(lr); ++ pr_debug("Pending regulatory request, waiting for it to be processed...\n"); + return; + } + diff --git a/queue-4.14/series b/queue-4.14/series index 58f89710e8f..1e7e07c3de3 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -44,3 +44,5 @@ intel_th-pci-add-tiger-lake-support.patch drm-i915-don-t-deballoon-unused-ggtt-drm_mm_node-in-linux-guest.patch vmci-release-resource-if-the-work-is-already-queued.patch crypto-ccp-ignore-unconfigured-ccp-device-on-suspend-resume.patch +revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch +mac80211-fix-possible-sta-leak.patch