From: Greg Kroah-Hartman Date: Tue, 3 Sep 2019 19:34:44 +0000 (+0200) Subject: 5.2-stable patches X-Git-Tag: v4.4.191~18 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=728d2357c22b661edd2f6b963facfe3370c4ea6e;p=thirdparty%2Fkernel%2Fstable-queue.git 5.2-stable patches added patches: cfg80211-fix-extended-key-id-key-install-checks.patch mac80211-correctly-set-noencrypt-for-pae-frames.patch mac80211-don-t-memset-rxcb-prior-to-pae-intercept.patch mac80211-fix-possible-sta-leak.patch revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
---
diff --git a/queue-5.2/cfg80211-fix-extended-key-id-key-install-checks.patch b/queue-5.2/cfg80211-fix-extended-key-id-key-install-checks.patch
new file mode 100644
index 00000000000..e833fec4c25
--- /dev/null
+++ b/queue-5.2/cfg80211-fix-extended-key-id-key-install-checks.patch
@@ -0,0 +1,73 @@
+From b67fd72e84a88cae64cea8ab47ccdaab3bb3094d Mon Sep 17 00:00:00 2001
+From: Alexander Wetzel
+Date: Mon, 5 Aug 2019 14:34:00 +0200
+Subject: cfg80211: Fix Extended Key ID key install checks
+
+From: Alexander Wetzel
+
+commit b67fd72e84a88cae64cea8ab47ccdaab3bb3094d upstream.
+
+Fix two shortcomings in the Extended Key ID API:
+
+ 1) Allow the userspace to install pairwise keys using keyid 1 without
+ NL80211_KEY_NO_TX set. This allows the userspace to install and
+ activate pairwise keys with keyid 1 in the same way as for keyid 0,
+ simplifying the API usage for e.g. FILS and FT key installs.
+
+ 2) IEEE 802.11 - 2016 restricts Extended Key ID usage to CCMP/GCMP
+ ciphers in IEEE 802.11 - 2016 "9.4.2.25.4 RSN capabilities".
+ Enforce that when installing a key.
+
+Cc: stable@vger.kernel.org # 5.2
+Fixes: 6cdd3979a2bd ("nl80211/cfg80211: Extended Key ID support")
+Signed-off-by: Alexander Wetzel
+Link: https://lore.kernel.org/r/20190805123400.51567-1-alexander@wetzel-home.de
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/util.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -233,25 +233,30 @@ int cfg80211_validate_key_settings(struc
+
+ switch (params->cipher) {
+ case WLAN_CIPHER_SUITE_TKIP:
++ /* Extended Key ID can only be used with CCMP/GCMP ciphers */
++ if ((pairwise && key_idx) ||
++ params->mode != NL80211_KEY_RX_TX)
++ return -EINVAL;
++ break;
+ case WLAN_CIPHER_SUITE_CCMP:
+ case WLAN_CIPHER_SUITE_CCMP_256:
+ case WLAN_CIPHER_SUITE_GCMP:
+ case WLAN_CIPHER_SUITE_GCMP_256:
+- /* IEEE802.11-2016 allows only 0 and - when using Extended Key
+- * ID - 1 as index for pairwise keys.
++ /* IEEE802.11-2016 allows only 0 and - when supporting
++ * Extended Key ID - 1 as index for pairwise keys.
+ * @NL80211_KEY_NO_TX is only allowed for pairwise keys when
+ * the driver supports Extended Key ID.
+ * @NL80211_KEY_SET_TX can't be set when installing and
+ * validating a key.
+ */
+- if (params->mode == NL80211_KEY_NO_TX) {
+- if (!wiphy_ext_feature_isset(&rdev->wiphy,
+- NL80211_EXT_FEATURE_EXT_KEY_ID))
+- return -EINVAL;
+- else if (!pairwise || key_idx < 0 || key_idx > 1)
++ if ((params->mode == NL80211_KEY_NO_TX && !pairwise) ||
++ params->mode == NL80211_KEY_SET_TX)
++ return -EINVAL;
++ if (wiphy_ext_feature_isset(&rdev->wiphy,
++ NL80211_EXT_FEATURE_EXT_KEY_ID)) {
++ if (pairwise && (key_idx < 0 || key_idx > 1))
+ return -EINVAL;
+- } else if ((pairwise && key_idx) ||
+- params->mode == NL80211_KEY_SET_TX) {
++ } else if (pairwise && key_idx) {
+ return -EINVAL;
+ }
+ break;
diff --git a/queue-5.2/mac80211-correctly-set-noencrypt-for-pae-frames.patch b/queue-5.2/mac80211-correctly-set-noencrypt-for-pae-frames.patch
new file mode 100644
index 00000000000..97c9c6028fb
--- /dev/null
+++ b/queue-5.2/mac80211-correctly-set-noencrypt-for-pae-frames.patch
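Review bot: The retained comment in the CCMP/GCMP branch of cfg80211_validate_key_settings() says NL80211_KEY_NO_TX is only allowed for pairwise keys when the driver supports Extended Key ID, but the new checks no longer tie NO_TX to the feature bit: with NL80211_EXT_FEATURE_EXT_KEY_ID unset, a pairwise key with key_idx 0 and mode NO_TX passes both the first `if` and the `else if (pairwise && key_idx)` arm. The removed code returned -EINVAL for that combination. If nothing outside this hunk rejects it, either restore the gate, e.g. `if (params->mode == NL80211_KEY_NO_TX && !wiphy_ext_feature_isset(&rdev->wiphy, NL80211_EXT_FEATURE_EXT_KEY_ID)) return -EINVAL;`, or reword the comment so it matches what is actually enforced. The function starts and ends outside the hunk, so a check elsewhere cannot be ruled out from here.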
@@ -0,0 +1,35 @@
+From f8b43c5cf4b62a19f2210a0f5367b84e1eff1ab9 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior
+Date: Tue, 27 Aug 2019 17:41:20 -0500
+Subject: mac80211: Correctly set noencrypt for PAE frames
+
+From: Denis Kenzior
+
+commit f8b43c5cf4b62a19f2210a0f5367b84e1eff1ab9 upstream.
+
+The noencrypt flag was intended to be set if the "frame was received
+unencrypted" according to include/uapi/linux/nl80211.h. However, the
+current behavior is opposite of this.
+
+Cc: stable@vger.kernel.org
+Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211")
+Signed-off-by: Denis Kenzior
+Link: https://lore.kernel.org/r/20190827224120.14545-3-denkenz@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2447,7 +2447,7 @@ static void ieee80211_deliver_skb_to_loc
+ skb->protocol == cpu_to_be16(ETH_P_PREAUTH)) &&
+ sdata->control_port_over_nl80211)) {
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+- bool noencrypt = status->flag & RX_FLAG_DECRYPTED;
++ bool noencrypt = !(status->flag & RX_FLAG_DECRYPTED);
+
+ cfg80211_rx_control_port(dev, skb, noencrypt);
+ dev_kfree_skb(skb);
diff --git a/queue-5.2/mac80211-don-t-memset-rxcb-prior-to-pae-intercept.patch b/queue-5.2/mac80211-don-t-memset-rxcb-prior-to-pae-intercept.patch
new file mode 100644
index 00000000000..0ba20c2b98d
--- /dev/null
+++ b/queue-5.2/mac80211-don-t-memset-rxcb-prior-to-pae-intercept.patch
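Review bot: The corrected `noencrypt` value is only as good as the rx status it is read from: `status` points into skb->cb, and according to the description of mac80211-don-t-memset-rxcb-prior-to-pae-intercept.patch in this same queue, the caller clears skb->cb before this function runs unless that patch is applied. Taken alone, this change would therefore see a zeroed flag word and report every control-port frame as unencrypted, so the two patches need to land together; the series file in this commit does list the memset patch first. A short comment above the line would help later backporters, e.g. `/* rx status in skb->cb must still be intact here; noencrypt is reported over nl80211 */`. The enclosing function starts and ends outside the hunk.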
@@ -0,0 +1,47 @@
+From c8a41c6afa27b8c3f61622dfd882b912da9d6721 Mon Sep 17 00:00:00 2001
+From: Denis Kenzior
+Date: Tue, 27 Aug 2019 17:41:19 -0500
+Subject: mac80211: Don't memset RXCB prior to PAE intercept
+
+From: Denis Kenzior
+
+commit c8a41c6afa27b8c3f61622dfd882b912da9d6721 upstream.
+
+In ieee80211_deliver_skb_to_local_stack intercepts EAPoL frames if
+mac80211 is configured to do so and forwards the contents over nl80211.
+During this process some additional data is also forwarded, including
+whether the frame was received encrypted or not. Unfortunately just
+prior to the call to ieee80211_deliver_skb_to_local_stack, skb->cb is
+cleared, resulting in incorrect data being exposed over nl80211.
+
+Fixes: 018f6fbf540d ("mac80211: Send control port frames over nl80211")
+Cc: stable@vger.kernel.org
+Signed-off-by: Denis Kenzior
+Link: https://lore.kernel.org/r/20190827224120.14545-2-denkenz@gmail.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2452,6 +2452,8 @@ static void ieee80211_deliver_skb_to_loc
+ cfg80211_rx_control_port(dev, skb, noencrypt);
+ dev_kfree_skb(skb);
+ } else {
++ memset(skb->cb, 0, sizeof(skb->cb));
++
+ /* deliver to local stack */
+ if (rx->napi)
+ napi_gro_receive(rx->napi, skb);
+@@ -2546,8 +2548,6 @@ ieee80211_deliver_skb(struct ieee80211_r
+
+ if (skb) {
+ skb->protocol = eth_type_trans(skb, dev);
+- memset(skb->cb, 0, sizeof(skb->cb));
+-
+ ieee80211_deliver_skb_to_local_stack(skb, rx);
+ }
+
diff --git a/queue-5.2/mac80211-fix-possible-sta-leak.patch b/queue-5.2/mac80211-fix-possible-sta-leak.patch
new file mode 100644
index 00000000000..ad5dba9a2bd
--- /dev/null
+++ b/queue-5.2/mac80211-fix-possible-sta-leak.patch
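Review bot: The relocated `memset(skb->cb, 0, sizeof(skb->cb));` in the else branch of ieee80211_deliver_skb_to_local_stack() has no comment saying why it sits there rather than in the caller, and that placement is exactly what keeps the rx status readable for the control-port branch above it. I would add something like `/* cb holds the rx status until here; clear it only on the local-stack path */` so a later cleanup does not hoist the clear back in front of the `noencrypt` read, which would again hand wrong encryption state to userspace. Both functions touched here extend beyond the visible hunks.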
@@ -0,0 +1,47 @@
+From 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 1 Aug 2019 09:30:33 +0200
+Subject: mac80211: fix possible sta leak
+
+From: Johannes Berg
+
+commit 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 upstream.
+
+If TDLS station addition is rejected, the sta memory is leaked.
+Avoid this by moving the check before the allocation.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ed5285396c2 ("mac80211: don't initiate TDLS connection if station is not associated to AP")
+Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/cfg.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1543,6 +1543,11 @@ static int ieee80211_add_station(struct
+ if (is_multicast_ether_addr(mac))
+ return -EINVAL;
+
++ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER) &&
++ sdata->vif.type == NL80211_IFTYPE_STATION &&
++ !sdata->u.mgd.associated)
++ return -EINVAL;
++
+ sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
+ if (!sta)
+ return -ENOMEM;
+@@ -1550,10 +1555,6 @@ static int ieee80211_add_station(struct
+ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
+ sta->sta.tdls = true;
+
+- if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
+- !sdata->u.mgd.associated)
+- return -EINVAL;
+-
+ err = sta_apply_parameters(local, sta, params);
+ if (err) {
+ sta_info_free(local, sta);
diff --git a/queue-5.2/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch b/queue-5.2/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
new file mode 100644
index 00000000000..1297182690c
--- /dev/null
+++ b/queue-5.2/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
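Review bot: The hoisted check mixes `&` and `&&` without parentheses: `params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER) && ...` parses as intended because `&` binds tighter than `&&`, but it reads ambiguously in a validation path, and I would write `if ((params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&`. The same flag test is repeated a few lines later to set `sta->sta.tdls`, so the two conditions now have to be kept in sync by hand. ieee80211_add_station() starts and ends outside the hunk, so the remaining exit paths between sta_info_alloc() and sta_info_free() cannot be checked for further leaks from this page.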
@@ -0,0 +1,63 @@
+From 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb Mon Sep 17 00:00:00 2001
+From: "Hodaszi, Robert"
+Date: Fri, 14 Jun 2019 13:16:01 +0000
+Subject: Revert "cfg80211: fix processing world regdomain when non modular"
+
+From: Hodaszi, Robert
+
+commit 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb upstream.
+
+This reverts commit 96cce12ff6e0 ("cfg80211: fix processing world
+regdomain when non modular").
+
+Re-triggering a reg_process_hint with the last request on all events,
+can make the regulatory domain fail in case of multiple WiFi modules. On
+slower boards (espacially with mdev), enumeration of the WiFi modules
+can end up in an intersected regulatory domain, and user cannot set it
+with 'iw reg set' anymore.
+
+This is happening, because:
+- 1st module enumerates, queues up a regulatory request
+- request gets processed by __reg_process_hint_driver():
+ - checks if previous was set by CORE -> yes
+ - checks if regulator domain changed -> yes, from '00' to e.g. 'US'
+ -> sends request to the 'crda'
+- 2nd module enumerates, queues up a regulator request (which triggers
+ the reg_todo() work)
+- reg_todo() -> reg_process_pending_hints() sees, that the last request
+ is not processed yet, so it tries to process it again.
+ __reg_process_hint driver() will run again, and:
+ - checks if the last request's initiator was the core -> no, it was
+ the driver (1st WiFi module)
+ - checks, if the previous initiator was the driver -> yes
+ - checks if the regulator domain changed -> yes, it was '00' (set by
+ core, and crda call did not return yet), and should be changed to 'US'
+
+------> __reg_process_hint_driver calls an intersect
+
+Besides, the reg_process_hint call with the last request is meaningless
+since the crda call has a timeout work. If that timeout expires, the
+first module's request will lost.
+
+Cc: stable@vger.kernel.org
+Fixes: 96cce12ff6e0 ("cfg80211: fix processing world regdomain when non modular")
+Signed-off-by: Robert Hodaszi
+Link: https://lore.kernel.org/r/20190614131600.GA13897@a1-hr
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2788,7 +2788,7 @@ static void reg_process_pending_hints(vo
+
+ /* When last_request->processed becomes true this will be rescheduled */
+ if (lr && !lr->processed) {
+- reg_process_hint(lr);
++ pr_debug("Pending regulatory request, waiting for it to be processed...\n");
+ return;
+ }
+
diff --git a/queue-5.2/series b/queue-5.2/series
index 27c41b792aa..585ca842629 100644
--- a/queue-5.2/series
+++ b/queue-5.2/series
@@ -121,3 +121,8 @@ mt76-mt76x0u-do-not-reset-radio-on-resume.patch
 mms-sdhci-sprd-add-sdhci_quirk_broken_card_detection.patch
 mm-memcg-partially-revert-mm-memcontrol.c-keep-local-vm-counters-in-sync-with-the-hierarchical-ones.patch
 mm-memcontrol-fix-percpu-vmstats-and-vmevents-flush.patch
+revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
+mac80211-fix-possible-sta-leak.patch
+cfg80211-fix-extended-key-id-key-install-checks.patch
+mac80211-don-t-memset-rxcb-prior-to-pae-intercept.patch
+mac80211-correctly-set-noencrypt-for-pae-frames.patch