From: Greg Kroah-Hartman
Date: Tue, 3 Sep 2019 19:33:57 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.4.191~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b9f0b93a12070ed5bd47e9ca836c07fb4d487fc8;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
mac80211-fix-possible-sta-leak.patch
revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
---
diff --git a/queue-4.9/mac80211-fix-possible-sta-leak.patch b/queue-4.9/mac80211-fix-possible-sta-leak.patch
new file mode 100644
index 00000000000..f68b34499f7
--- /dev/null
+++ b/queue-4.9/mac80211-fix-possible-sta-leak.patch
@@ -0,0 +1,47 @@
+From 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 1 Aug 2019 09:30:33 +0200
+Subject: mac80211: fix possible sta leak
+
+From: Johannes Berg
+
+commit 5fd2f91ad483baffdbe798f8a08f1b41442d1e24 upstream.
+
+If TDLS station addition is rejected, the sta memory is leaked.
+Avoid this by moving the check before the allocation.
+
+Cc: stable@vger.kernel.org
+Fixes: 7ed5285396c2 ("mac80211: don't initiate TDLS connection if station is not associated to AP")
+Link: https://lore.kernel.org/r/20190801073033.7892-1-johannes@sipsolutions.net
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/cfg.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -1418,6 +1418,11 @@ static int ieee80211_add_station(struct
+ if (is_multicast_ether_addr(mac))
+ return -EINVAL;
+
++ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER) &&
++ sdata->vif.type == NL80211_IFTYPE_STATION &&
++ !sdata->u.mgd.associated)
++ return -EINVAL;
++
+ sta = sta_info_alloc(sdata, mac, GFP_KERNEL);
+ if (!sta)
+ return -ENOMEM;
+@@ -1425,10 +1430,6 @@ static int ieee80211_add_station(struct
+ if (params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER))
+ sta->sta.tdls = true;
+
+- if (sta->sta.tdls && sdata->vif.type == NL80211_IFTYPE_STATION &&
+- !sdata->u.mgd.associated)
+- return -EINVAL;
+-
+ err = sta_apply_parameters(local, sta, params);
+ if (err) {
+ sta_info_free(local, sta);
diff --git a/queue-4.9/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch b/queue-4.9/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
new file mode 100644
index 00000000000..e065c6aa5e8
--- /dev/null
+++ b/queue-4.9/revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
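Review bot: The TDLS rejection added in the first inner hunk of `net/mac80211/cfg.c` has no comment saying it must stay above `sta_info_alloc()`, and that ordering is the whole fix: the lines removed in the second inner hunk returned `-EINVAL` after the allocation and leaked the sta. I would add `/* Reject before sta_info_alloc(): nothing to free on this path */` above the new `if`. As a style point, the condition mixes `&` and `&&` without grouping; `(params->sta_flags_set & BIT(NL80211_STA_FLAG_TDLS_PEER)) &&` reads unambiguously. `ieee80211_add_station` begins and ends outside both inner hunks, so the remaining error paths after the allocation are not visible here.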
@@ -0,0 +1,63 @@
+From 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb Mon Sep 17 00:00:00 2001
+From: "Hodaszi, Robert"
+Date: Fri, 14 Jun 2019 13:16:01 +0000
+Subject: Revert "cfg80211: fix processing world regdomain when non modular"
+
+From: Hodaszi, Robert
+
+commit 0d31d4dbf38412f5b8b11b4511d07b840eebe8cb upstream.
+
+This reverts commit 96cce12ff6e0 ("cfg80211: fix processing world
+regdomain when non modular").
+
+Re-triggering a reg_process_hint with the last request on all events,
+can make the regulatory domain fail in case of multiple WiFi modules. On
+slower boards (espacially with mdev), enumeration of the WiFi modules
+can end up in an intersected regulatory domain, and user cannot set it
+with 'iw reg set' anymore.
+
+This is happening, because:
+- 1st module enumerates, queues up a regulatory request
+- request gets processed by __reg_process_hint_driver():
+ - checks if previous was set by CORE -> yes
+ - checks if regulator domain changed -> yes, from '00' to e.g. 'US'
+ -> sends request to the 'crda'
+- 2nd module enumerates, queues up a regulator request (which triggers
+ the reg_todo() work)
+- reg_todo() -> reg_process_pending_hints() sees, that the last request
+ is not processed yet, so it tries to process it again.
+ __reg_process_hint driver() will run again, and:
+ - checks if the last request's initiator was the core -> no, it was
+ the driver (1st WiFi module)
+ - checks, if the previous initiator was the driver -> yes
+ - checks if the regulator domain changed -> yes, it was '00' (set by
+ core, and crda call did not return yet), and should be changed to 'US'
+
+------> __reg_process_hint_driver calls an intersect
+
+Besides, the reg_process_hint call with the last request is meaningless
+since the crda call has a timeout work. If that timeout expires, the
+first module's request will lost.
+
+Cc: stable@vger.kernel.org
+Fixes: 96cce12ff6e0 ("cfg80211: fix processing world regdomain when non modular")
+Signed-off-by: Robert Hodaszi
+Link: https://lore.kernel.org/r/20190614131600.GA13897@a1-hr
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -2165,7 +2165,7 @@ static void reg_process_pending_hints(vo
+
+ /* When last_request->processed becomes true this will be rescheduled */
+ if (lr && !lr->processed) {
+- reg_process_hint(lr);
++ pr_debug("Pending regulatory request, waiting for it to be processed...\n");
+ return;
+ }
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 3564b2cf5bd..6fffb442051 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -75,3 +75,5 @@ mmc-sdhci-of-at91-add-quirk-for-broken-hs200.patch
 mmc-core-fix-init-of-sd-cards-reporting-an-invalid-vdd-range.patch
 stm-class-fix-a-double-free-of-stm_source_device.patch
 vmci-release-resource-if-the-work-is-already-queued.patch
+revert-cfg80211-fix-processing-world-regdomain-when-non-modular.patch
+mac80211-fix-possible-sta-leak.patch
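Review bot: In the `reg_process_pending_hints` hunk of `net/wireless/reg.c`, the comment above the `if (lr && !lr->processed)` branch does not say what reschedules the work, and the branch now only emits a `pr_debug` and returns. The commit message names the crda timeout work as the backstop, so the comment could record that, for example `/* Wait for the pending request; rescheduled once last_request->processed is set or the crda timeout fires */`. That wording is inferred from the commit message rather than from code in the hunk and should be confirmed against the reschedule path. The function body starts and ends outside the hunk.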