diff options
3 files changed, 179 insertions, 0 deletions
diff --git a/package/kernel/mac80211/patches/subsys/360-mac80211-fix-a-memory-leak-where-sta_info-is-not-fre.patch b/package/kernel/mac80211/patches/subsys/360-mac80211-fix-a-memory-leak-where-sta_info-is-not-fre.patch new file mode 100644 index 0000000000..ff3cb7be53 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/360-mac80211-fix-a-memory-leak-where-sta_info-is-not-fre.patch @@ -0,0 +1,77 @@ +From 4db561ae4a90c2d0e15996634567559e292dc9e5 Mon Sep 17 00:00:00 2001 +From: Ahmed Zaki <anzaki@gmail.com> +Date: Sat, 2 Oct 2021 08:53:29 -0600 +Subject: [PATCH] mac80211: fix a memory leak where sta_info is not freed + +commit 8f9dcc29566626f683843ccac6113a12208315ca upstream. + +The following is from a system that went OOM due to a memory leak: + +wlan0: Allocated STA 74:83:c2:64:0b:87 +wlan0: Allocated STA 74:83:c2:64:0b:87 +wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_add_sta) +wlan0: Adding new IBSS station 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 3 +wlan0: Inserted STA 74:83:c2:64:0b:87 +wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_work) +wlan0: Adding new IBSS station 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 3 +. +. +wlan0: expiring inactive not authorized STA 74:83:c2:64:0b:87 +wlan0: moving STA 74:83:c2:64:0b:87 to state 2 +wlan0: moving STA 74:83:c2:64:0b:87 to state 1 +wlan0: Removed STA 74:83:c2:64:0b:87 +wlan0: Destroyed STA 74:83:c2:64:0b:87 + +The ieee80211_ibss_finish_sta() is called twice on the same STA from 2 +different locations. On the second attempt, the allocated STA is not +destroyed creating a kernel memory leak. + +This is happening because sta_info_insert_finish() does not call +sta_info_free() the second time when the STA already exists (returns +-EEXIST). Note that the caller sta_info_insert_rcu() assumes STA is +destroyed upon errors. + +Same fix is applied to -ENOMEM. + +Signed-off-by: Ahmed Zaki <anzaki@gmail.com> +Link: https://lore.kernel.org/r/20211002145329.3125293-1-anzaki@gmail.com +[change the error path label to use the existing code] +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Viacheslav Sablin <sablin@ispras.ru> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/sta_info.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/mac80211/sta_info.c ++++ b/net/mac80211/sta_info.c +@@ -646,13 +646,13 @@ static int sta_info_insert_finish(struct + /* check if STA exists already */ + if (sta_info_get_bss(sdata, sta->sta.addr)) { + err = -EEXIST; +- goto out_err; ++ goto out_cleanup; + } + + sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL); + if (!sinfo) { + err = -ENOMEM; +- goto out_err; ++ goto out_cleanup; + } + + local->num_sta++; +@@ -708,8 +708,8 @@ static int sta_info_insert_finish(struct + out_drop_sta: + local->num_sta--; + synchronize_net(); ++ out_cleanup: + cleanup_single_sta(sta); +- out_err: + mutex_unlock(&local->sta_mtx); + kfree(sinfo); + rcu_read_lock(); diff --git a/package/kernel/mac80211/patches/subsys/361-wifi-mac80211-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch b/package/kernel/mac80211/patches/subsys/361-wifi-mac80211-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch new file mode 100644 index 0000000000..dd3e934c00 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/361-wifi-mac80211-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch @@ -0,0 +1,47 @@ +From 552ba102a6898630a7d16887f29e606d6fabe508 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant <code@siddh.me> +Date: Sun, 14 Aug 2022 20:45:12 +0530 +Subject: [PATCH] wifi: mac80211: Don't finalize CSA in IBSS mode if state is + disconnected + +commit 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 upstream. + +When we are not connected to a channel, sending channel "switch" +announcement doesn't make any sense. + +The BSS list is empty in that case. This causes the for loop in +cfg80211_get_bss() to be bypassed, so the function returns NULL +(check line 1424 of net/wireless/scan.c), causing the WARN_ON() +in ieee80211_ibss_csa_beacon() to get triggered (check line 500 +of net/mac80211/ibss.c), which was consequently reported on the +syzkaller dashboard. + +Thus, check if we have an existing connection before generating +the CSA beacon in ieee80211_ibss_finish_csa(). + +Cc: stable@vger.kernel.org +Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode") +Link: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca6 +Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com +Signed-off-by: Siddh Raman Pant <code@siddh.me> +Tested-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20220814151512.9985-1-code@siddh.me +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/ibss.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -534,6 +534,10 @@ int ieee80211_ibss_finish_csa(struct iee + + sdata_assert_lock(sdata); + ++ /* When not connected/joined, sending CSA doesn't make sense. */ ++ if (ifibss->state != IEEE80211_IBSS_MLME_JOINED) ++ return -ENOLINK; ++ + /* update cfg80211 bss information with the new channel */ + if (!is_zero_ether_addr(ifibss->bssid)) { + cbss = cfg80211_get_bss(sdata->local->hw.wiphy, diff --git a/package/kernel/mac80211/patches/subsys/362-wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch b/package/kernel/mac80211/patches/subsys/362-wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch new file mode 100644 index 0000000000..0e58b61602 --- /dev/null +++ b/package/kernel/mac80211/patches/subsys/362-wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch @@ -0,0 +1,55 @@ +From 5d20c6f932f2758078d0454729129c894fe353e7 Mon Sep 17 00:00:00 2001 +From: Siddh Raman Pant <code@siddh.me> +Date: Sat, 20 Aug 2022 01:33:40 +0530 +Subject: [PATCH] wifi: mac80211: Fix UAF in ieee80211_scan_rx() + +commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c upstream. + +ieee80211_scan_rx() tries to access scan_req->flags after a +null check, but a UAF is observed when the scan is completed +and __ieee80211_scan_completed() executes, which then calls +cfg80211_scan_done() leading to the freeing of scan_req. + +Since scan_req is rcu_dereference()'d, prevent the racing in +__ieee80211_scan_completed() by ensuring that from mac80211's +POV it is no longer accessed from an RCU read critical section +before we call cfg80211_scan_done(). + +Cc: stable@vger.kernel.org +Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d +Reported-by: syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com +Suggested-by: Johannes Berg <johannes@sipsolutions.net> +Signed-off-by: Siddh Raman Pant <code@siddh.me> +Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/mac80211/scan.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/net/mac80211/scan.c ++++ b/net/mac80211/scan.c +@@ -461,16 +461,19 @@ static void __ieee80211_scan_completed(s + scan_req = rcu_dereference_protected(local->scan_req, + lockdep_is_held(&local->mtx)); + +- if (scan_req != local->int_scan_req) { +- local->scan_info.aborted = aborted; +- cfg80211_scan_done(scan_req, &local->scan_info); +- } + RCU_INIT_POINTER(local->scan_req, NULL); + RCU_INIT_POINTER(local->scan_sdata, NULL); + + local->scanning = 0; + local->scan_chandef.chan = NULL; + ++ synchronize_rcu(); ++ ++ if (scan_req != local->int_scan_req) { ++ local->scan_info.aborted = aborted; ++ cfg80211_scan_done(scan_req, &local->scan_info); ++ } ++ + /* Set power back to normal operating levels. */ + ieee80211_hw_config(local, 0); + |