From 25c26c527c560225ec78fd33875511c93b6857c1 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 6 Sep 2022 13:56:57 +0200 Subject: [PATCH] 4.9-stable patches added patches: alsa-seq-fix-data-race-at-module-auto-loading.patch alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch net-mac802154-fix-a-condition-in-the-receive-path.patch wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch --- ...fix-data-race-at-module-auto-loading.patch | 62 +++++++++++++++++++ ...x-data-race-for-max_midi_devs-access.patch | 44 +++++++++++++ ...-fix-a-condition-in-the-receive-path.patch | 45 ++++++++++++++ queue-4.9/series | 4 ++ ...n-ibss-mode-if-state-is-disconnected.patch | 48 ++++++++++++++ 5 files changed, 203 insertions(+) create mode 100644 queue-4.9/alsa-seq-fix-data-race-at-module-auto-loading.patch create mode 100644 queue-4.9/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch create mode 100644 queue-4.9/net-mac802154-fix-a-condition-in-the-receive-path.patch create mode 100644 queue-4.9/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch diff --git a/queue-4.9/alsa-seq-fix-data-race-at-module-auto-loading.patch b/queue-4.9/alsa-seq-fix-data-race-at-module-auto-loading.patch new file mode 100644 index 00000000000..f964f092890 --- /dev/null +++ b/queue-4.9/alsa-seq-fix-data-race-at-module-auto-loading.patch 
@@ -0,0 +1,62 @@ +From 3e7e04b747adea36f349715d9f0998eeebf15d72 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 23 Aug 2022 09:27:17 +0200 +Subject: ALSA: seq: Fix data-race at module auto-loading + +From: Takashi Iwai + +commit 3e7e04b747adea36f349715d9f0998eeebf15d72 upstream. + +It's been reported that there is a possible data-race accessing to the +global card_requested[] array at ALSA sequencer core, which is used +for determining whether to call request_module() for the card or not. +This data race itself is almost harmless, as it might end up with one +extra request_module() call for the already loaded module at most. +But it's still better to fix. + +This patch addresses the possible data race of card_requested[] and +client_requested[] arrays by replacing them with bitmask. +It's an atomic operation and can work without locks. + +Reported-by: Abhishek Shah +Cc: +Link: https://lore.kernel.org/r/CAEHB24_ay6YzARpA1zgCsE7=H9CSJJzux618E=Ka4h0YdKn=qA@mail.gmail.com +Link: https://lore.kernel.org/r/20220823072717.1706-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/seq_clientmgr.c | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -136,13 +136,13 @@ struct snd_seq_client *snd_seq_client_us + spin_unlock_irqrestore(&clients_lock, flags); + #ifdef CONFIG_MODULES + if (!in_interrupt()) { +- static char client_requested[SNDRV_SEQ_GLOBAL_CLIENTS]; +- static char card_requested[SNDRV_CARDS]; ++ static DECLARE_BITMAP(client_requested, SNDRV_SEQ_GLOBAL_CLIENTS); ++ static DECLARE_BITMAP(card_requested, SNDRV_CARDS); ++ + if (clientid < SNDRV_SEQ_GLOBAL_CLIENTS) { + int idx; + +- if (!client_requested[clientid]) { +- client_requested[clientid] = 1; ++ if (!test_and_set_bit(clientid, client_requested)) { + for (idx = 0; idx < 15; idx++) { + if (seq_client_load[idx] < 0) + break; +@@ -157,10 +157,8 @@ struct 
snd_seq_client *snd_seq_client_us + int card = (clientid - SNDRV_SEQ_GLOBAL_CLIENTS) / + SNDRV_SEQ_CLIENTS_PER_CARD; + if (card < snd_ecards_limit) { +- if (! card_requested[card]) { +- card_requested[card] = 1; ++ if (!test_and_set_bit(card, card_requested)) + snd_request_card(card); +- } + snd_seq_device_load_drivers(); + } + } diff --git a/queue-4.9/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch b/queue-4.9/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch new file mode 100644 index 00000000000..216c405c8d0 --- /dev/null +++ b/queue-4.9/alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch 
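Review bot: The two `static DECLARE_BITMAP(...)` declarations carry no comment saying why a bitmap is used instead of the old `char` arrays, and the reasoning (atomic `test_and_set_bit()` so no lock is needed, one spurious `request_module()` at worst) lives only in the commit message; a one-line comment above them, `/* set atomically via test_and_set_bit(); no lock needed, a duplicate request_module() is harmless */`, would keep a later reader from "fixing" it with a lock. The `card` index in the second hunk is bounded only by `card < snd_ecards_limit` while the bitmap is sized SNDRV_CARDS, so the change presumably relies on `snd_ecards_limit <= SNDRV_CARDS` being enforced elsewhere — worth confirming for the 4.9 tree, as is that the file already pulls in `linux/bitops.h` for `test_and_set_bit()` since the patch adds no include. The enclosing function `snd_seq_client_use_ptr()` starts and ends outside the hunk, so any range check on `clientid` that guards the bitmap index is not visible here.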
@@ -0,0 +1,44 @@ +From 22dec134dbfa825b963f8a1807ad19b943e46a56 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 23 Aug 2022 09:27:16 +0200 +Subject: ALSA: seq: oss: Fix data-race for max_midi_devs access + +From: Takashi Iwai + +commit 22dec134dbfa825b963f8a1807ad19b943e46a56 upstream. + +ALSA OSS sequencer refers to a global variable max_midi_devs at +creating a new port, storing it to its own field. Meanwhile this +variable may be changed by other sequencer events at +snd_seq_oss_midi_check_exit_port() in parallel, which may cause a data +race. + +OTOH, this data race itself is almost harmless, as the access to the +MIDI device is done via get_mdev() and it's protected with a refcount, +hence its presence is guaranteed. + +Though, it's sill better to address the data-race from the code sanity +POV, and this patch adds the proper spinlock for the protection. + +Reported-by: Abhishek Shah +Cc: +Link: https://lore.kernel.org/r/CAEHB2493pZRXs863w58QWnUTtv3HHfg85aYhLn5HJHCwxqtHQg@mail.gmail.com +Link: https://lore.kernel.org/r/20220823072717.1706-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/seq/oss/seq_oss_midi.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/core/seq/oss/seq_oss_midi.c ++++ b/sound/core/seq/oss/seq_oss_midi.c +@@ -280,7 +280,9 @@ snd_seq_oss_midi_clear_all(void) + void + snd_seq_oss_midi_setup(struct seq_oss_devinfo *dp) + { ++ spin_lock_irq(®ister_lock); + dp->max_mididev = max_midi_devs; ++ spin_unlock_irq(®ister_lock); + } + + /* diff --git a/queue-4.9/net-mac802154-fix-a-condition-in-the-receive-path.patch b/queue-4.9/net-mac802154-fix-a-condition-in-the-receive-path.patch new file mode 100644 index 00000000000..3e91dfd71fa --- /dev/null +++ b/queue-4.9/net-mac802154-fix-a-condition-in-the-receive-path.patch 
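Review bot: The two added lines in `snd_seq_oss_midi_setup()` read `spin_lock_irq(®ister_lock)` / `spin_unlock_irq(®ister_lock)` as shown here, where the intended token is `&register_lock` (the `&reg` sequence looks HTML-entity-decoded); if the queued file really contains `®` rather than `&register_lock`, the patch will not compile, so the stored bytes should be checked before the release is cut. The `_irq` variants are only correct if this function is never entered with interrupts already disabled; that presumably holds for the OSS open path, but it is not visible from the hunk. It is also worth confirming that in 4.9 `register_lock` is the lock that `snd_seq_oss_midi_check_exit_port()` holds when it writes `max_midi_devs`, since otherwise the added critical section does not close the race the message describes.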
@@ -0,0 +1,45 @@ +From f0da47118c7e93cdbbc6fb403dd729a5f2c90ee3 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Fri, 26 Aug 2022 16:29:54 +0200 +Subject: net: mac802154: Fix a condition in the receive path + +From: Miquel Raynal + +commit f0da47118c7e93cdbbc6fb403dd729a5f2c90ee3 upstream. + +Upon reception, a packet must be categorized, either it's destination is +the host, or it is another host. A packet with no destination addressing +fields may be valid in two situations: +- the packet has no source field: only ACKs are built like that, we + consider the host as the destination. +- the packet has a valid source field: it is directed to the PAN + coordinator, as for know we don't have this information we consider we + are not the PAN coordinator. + +There was likely a copy/paste error made during a previous cleanup +because the if clause is now containing exactly the same condition as in +the switch case, which can never be true. In the past the destination +address was used in the switch and the source address was used in the +if, which matches what the spec says. + +Cc: stable@vger.kernel.org +Fixes: ae531b9475f6 ("ieee802154: use ieee802154_addr instead of *_sa variants") +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/r/20220826142954.254853-1-miquel.raynal@bootlin.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/mac802154/rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac802154/rx.c ++++ b/net/mac802154/rx.c +@@ -52,7 +52,7 @@ ieee802154_subif_frame(struct ieee802154 + + switch (mac_cb(skb)->dest.mode) { + case IEEE802154_ADDR_NONE: +- if (mac_cb(skb)->dest.mode != IEEE802154_ADDR_NONE) ++ if (hdr->source.mode != IEEE802154_ADDR_NONE) + /* FIXME: check if we are PAN coordinator */ + skb->pkt_type = PACKET_OTHERHOST; + else diff --git a/queue-4.9/series b/queue-4.9/series index 74389163f78..34925857030 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
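Review bot: The corrected condition `if (hdr->source.mode != IEEE802154_ADDR_NONE)` keeps only the old `/* FIXME: check if we are PAN coordinator */` comment, so the spec rationale that justifies it (no destination but a source means the frame is for the PAN coordinator; no source at all means an ACK for us) is again only in the commit message, which is how the earlier copy/paste regression went unnoticed; extending the comment to `/* no dest + a source: frame is for the PAN coordinator. FIXME: check if we are PAN coordinator */` documents it at the point of use. The `switch` tests `mac_cb(skb)->dest.mode` while the new line reads `hdr->source.mode`, so `hdr` is presumably the parsed header local in `ieee802154_subif_frame()`, whose start lies outside the hunk — confirm the 4.9 version of that function has it in scope, as the backport otherwise needs `mac_cb(skb)->source.mode` instead.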
@@ -16,3 +16,7 @@ s390-hugetlb-fix-prepare_hugepage_range-check-for-2-gb-hugepages.patch s390-fix-nospec-table-alignments.patch usb-core-prevent-nested-device-reset-calls.patch usb-gadget-mass_storage-fix-cdrom-data-transfers-on-mac-os.patch +wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch +net-mac802154-fix-a-condition-in-the-receive-path.patch +alsa-seq-oss-fix-data-race-for-max_midi_devs-access.patch +alsa-seq-fix-data-race-at-module-auto-loading.patch diff --git a/queue-4.9/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch b/queue-4.9/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch new file mode 100644 index 00000000000..b4ff830e5fa --- /dev/null +++ b/queue-4.9/wifi-mac80211-don-t-finalize-csa-in-ibss-mode-if-state-is-disconnected.patch 
@@ -0,0 +1,48 @@ +From 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant +Date: Sun, 14 Aug 2022 20:45:12 +0530 +Subject: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected + +From: Siddh Raman Pant + +commit 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 upstream. + +When we are not connected to a channel, sending channel "switch" +announcement doesn't make any sense. + +The BSS list is empty in that case. This causes the for loop in +cfg80211_get_bss() to be bypassed, so the function returns NULL +(check line 1424 of net/wireless/scan.c), causing the WARN_ON() +in ieee80211_ibss_csa_beacon() to get triggered (check line 500 +of net/mac80211/ibss.c), which was consequently reported on the +syzkaller dashboard. + +Thus, check if we have an existing connection before generating +the CSA beacon in ieee80211_ibss_finish_csa(). + +Cc: stable@vger.kernel.org +Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode") +Link: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca6 +Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com +Signed-off-by: Siddh Raman Pant +Tested-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20220814151512.9985-1-code@siddh.me +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman +--- + net/mac80211/ibss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -544,6 +544,10 @@ int ieee80211_ibss_finish_csa(struct iee + + sdata_assert_lock(sdata); + ++ /* When not connected/joined, sending CSA doesn't make sense. */ ++ if (ifibss->state != IEEE80211_IBSS_MLME_JOINED) ++ return -ENOLINK; ++ + /* update cfg80211 bss information with the new channel */ + if (!is_zero_ether_addr(ifibss->bssid)) { + cbss = cfg80211_get_bss(sdata->local->hw.wiphy, -- 2.47.3
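Review bot: The new early return in `ieee80211_ibss_finish_csa()` is commented only as "sending CSA doesn't make sense", which does not tell a reader about the failure it actually prevents; a comment such as `/* Not joined: no BSS to look up below, and ieee80211_ibss_csa_beacon() would WARN on the NULL cbss. */` captures the syzbot finding from the commit message next to the check. The function returns `-ENOLINK` before any state is touched, so the 4.9 callers (the CSA finalize path) presumably already propagate negative returns from here; that should be confirmed, since a caller that ignores the return would leave the CSA half-finalized. `ifibss` is referenced but declared above the hunk, and the function's start and end lie outside it.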