From cc0b70467d0f67ea6481100631119ae77b76c9eb Mon Sep 17 00:00:00 2001 From: Koen Vandeputte Date: Fri, 2 Apr 2021 12:21:24 +0200 Subject: mac80211: backport upstream fixes Refreshed all patches. Includes all fixes up to 4.19.184 Signed-off-by: Koen Vandeputte --- ...n-t-set-set-TDLS-STA-bandwidth-wider-than.patch | 65 ++++++++++++++++++++ ...11-pause-TX-while-changing-interface-type.patch | 57 ++++++++++++++++++ ...371-mac80211-fix-fast-rx-encryption-check.patch | 29 +++++++++ ...1-fix-station-rate-table-updates-on-assoc.patch | 49 +++++++++++++++ ...x-potential-overflow-when-multiplying-to-.patch | 34 +++++++++++ .../subsys/374-mac80211-fix-rate-mask-reset.patch | 50 ++++++++++++++++ ...75-mac80211-fix-double-free-in-ibss_leave.patch | 69 ++++++++++++++++++++++ .../522-mac80211_configure_antenna_gain.patch | 2 +- 8 files changed, 354 insertions(+), 1 deletion(-) create mode 100644 package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch create mode 100644 package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch create mode 100644 package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch create mode 100644 package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch create mode 100644 package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch create mode 100644 package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch create mode 100644 package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch (limited to 'package') diff --git a/package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch b/package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch new file mode 100644 index 0000000000..a88b24d402 --- /dev/null 
+++ b/package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch 
@@ -0,0 +1,65 @@
+From ebbd7dc7ca856a182769c17c4c8a739cedc064c4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Sun, 6 Dec 2020 14:54:44 +0200
+Subject: [PATCH] mac80211: don't set set TDLS STA bandwidth wider than
+ possible
+
+[ Upstream commit f65607cdbc6b0da356ef5a22552ddd9313cf87a0 ]
+
+When we set up a TDLS station, we set sta->sta.bandwidth solely based
+on the capabilities, because the "what's the current bandwidth" check
+is bypassed and only applied for other types of stations.
+
+This leads to the unfortunate scenario that the sta->sta.bandwidth is
+160 MHz if both stations support it, but we never actually configure
+this bandwidth unless the AP is already using 160 MHz; even for wider
+bandwidth support we only go up to 80 MHz (at least right now.)
+
+For iwlwifi, this can also lead to firmware asserts, telling us that
+we've configured the TX rates for a higher bandwidth than is actually
+available due to the PHY configuration.
+
+For non-TDLS, we check against the interface's requested bandwidth,
+but we explicitly skip this check for TDLS to cope with the wider BW
+case. Change this to
+ (a) still limit to the TDLS peer's own chandef, which gets factored
+ into the overall PHY configuration we request from the driver,
+ and
+ (b) limit it to when the TDLS peer is authorized, because it's only
+ factored into the channel context in this case.
+
+Fixes: 504871e602d9 ("mac80211: fix bandwidth computation for TDLS peers")
+Signed-off-by: Johannes Berg
+Signed-off-by: Luca Coelho
+Link: https://lore.kernel.org/r/iwlwifi.20201206145305.fcc7d29c4590.I11f77e9e25ddf871a3c8d5604650c763e2c5887a@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/vht.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/vht.c
++++ b/net/mac80211/vht.c
+@@ -421,12 +421,18 @@ enum ieee80211_sta_rx_bandwidth ieee8021
+ * IEEE80211-2016 specification makes higher bandwidth operation
+ * possible on the TDLS link if the peers have wider bandwidth
+ * capability.
++ *
++ * However, in this case, and only if the TDLS peer is authorized,
++ * limit to the tdls_chandef so that the configuration here isn't
++ * wider than what's actually requested on the channel context.
+ */
+ if (test_sta_flag(sta, WLAN_STA_TDLS_PEER) &&
+- test_sta_flag(sta, WLAN_STA_TDLS_WIDER_BW))
+- return bw;
+-
+- bw = min(bw, ieee80211_chan_width_to_rx_bw(bss_width));
++ test_sta_flag(sta, WLAN_STA_TDLS_WIDER_BW) &&
++ test_sta_flag(sta, WLAN_STA_AUTHORIZED) &&
++ sta->tdls_chandef.chan)
++ bw = min(bw, ieee80211_chan_width_to_rx_bw(sta->tdls_chandef.width));
++ else
++ bw = min(bw, ieee80211_chan_width_to_rx_bw(bss_width));
+
+ return bw;
+ }
diff --git a/package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch b/package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch
new file mode 100644
index 0000000000..ce9776c112
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch
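Review bot: The added comment explains the authorized-peer case but not what the new `else` branch does to a wider-BW TDLS peer that is not yet authorized: it now falls through to the `bss_width` clamp, where the removed code returned `bw` unclamped. Since that is the intended behaviour change, I would extend the comment block with one more line, e.g. ` * Peers not yet authorized are clamped to the BSS width below.`. The `sta->tdls_chandef.chan` test presumably serves as the "chandef is populated" check; a few words saying so would keep a later reader from treating it as a stray NULL guard. The enclosing function starts and ends outside the hunk.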
@@ -0,0 +1,57 @@
+From b26b5e0861578fa7cdf444b1aa61d06f739eb306 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 22 Jan 2021 17:11:16 +0100
+Subject: [PATCH] mac80211: pause TX while changing interface type
+
+[ Upstream commit 054c9939b4800a91475d8d89905827bf9e1ad97a ]
+
+syzbot reported a crash that happened when changing the interface
+type around a lot, and while it might have been easy to fix just
+the symptom there, a little deeper investigation found that really
+the reason is that we allowed packets to be transmitted while in
+the middle of changing the interface type.
+
+Disallow TX by stopping the queues while changing the type.
+
+Fixes: 34d4bc4d41d2 ("mac80211: support runtime interface type changes")
+Reported-by: syzbot+d7a3b15976bf7de2238a@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210122171115.b321f98f4d4f.I6997841933c17b093535c31d29355be3c0c39628@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/iface.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1057,6 +1057,7 @@ enum queue_stop_reason {
+ IEEE80211_QUEUE_STOP_REASON_FLUSH,
+ IEEE80211_QUEUE_STOP_REASON_TDLS_TEARDOWN,
+ IEEE80211_QUEUE_STOP_REASON_RESERVE_TID,
++ IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE,
+
+ IEEE80211_QUEUE_STOP_REASONS,
+ };
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1621,6 +1621,10 @@ static int ieee80211_runtime_change_ifty
+ if (ret)
+ return ret;
+
++ ieee80211_stop_vif_queues(local, sdata,
++ IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE);
++ synchronize_net();
++
+ ieee80211_do_stop(sdata, false);
+
+ ieee80211_teardown_sdata(sdata);
+@@ -1641,6 +1645,8 @@ static int ieee80211_runtime_change_ifty
+ err = ieee80211_do_open(&sdata->wdev, false);
+ WARN(err, "type change: do_open returned %d", err);
+
++ ieee80211_wake_vif_queues(local, sdata,
++ IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE);
+ return ret;
+ }
+
diff --git a/package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch b/package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch
new file mode 100644
index 0000000000..f6ce40ac24
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch
@@ -0,0 +1,29 @@
+From b70798906c4c85314511cf6d5cae98385861fc07 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Fri, 18 Dec 2020 19:47:17 +0100
+Subject: [PATCH] mac80211: fix fast-rx encryption check
+
+[ Upstream commit 622d3b4e39381262da7b18ca1ed1311df227de86 ]
+
+When using WEP, the default unicast key needs to be selected, instead of
+the STA PTK.
+
+Signed-off-by: Felix Fietkau
+Link: https://lore.kernel.org/r/20201218184718.93650-5-nbd@nbd.name
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/rx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4019,6 +4019,8 @@ void ieee80211_check_fast_rx(struct sta_
+
+ rcu_read_lock();
+ key = rcu_dereference(sta->ptk[sta->ptk_idx]);
++ if (!key)
++ key = rcu_dereference(sdata->default_unicast_key);
+ if (key) {
+ switch (key->conf.cipher) {
+ case WLAN_CIPHER_SUITE_TKIP:
diff --git a/package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch b/package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch
new file mode 100644
index 0000000000..693904b495
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch
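Review bot: The vif queues are stopped in the first iface.c hunk but woken only at the very end of the second, so any early `return` in the stretch between the two hunks (not shown, roughly lines 1631–1645 of iface.c) would leave the queues stopped permanently after a failed type change. Worth confirming there is none, or routing the wake through a single exit path so the pairing cannot be broken by a later edit. The wake also happens after a `WARN`ed `ieee80211_do_open()` failure; if waking in that state is intentional, a one-line comment above the added `ieee80211_wake_vif_queues()` call saying so would save the next reader the same question. The enclosing function starts outside the hunk and its middle is not visible here.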
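Review bot: The new fallback to `sdata->default_unicast_key` triggers whenever the STA has no PTK, not only for WEP as the commit message describes; what happens with that key is decided by the `switch` on `key->conf.cipher`, which continues outside the hunk. A comment on the added lines would record the intent, e.g. `/* no per-STA PTK (WEP): fall back to the default unicast key */`. The read is correctly done under the `rcu_read_lock()` taken two lines earlier; `sdata` is assumed to be in scope in ieee80211_check_fast_rx, as the hunk does not show its declaration.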
@@ -0,0 +1,49 @@
+From 1d3a84f92f75bb0c2f981a75f507f55afed12f2c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Mon, 1 Feb 2021 09:33:24 +0100
+Subject: [PATCH] mac80211: fix station rate table updates on assoc
+
+commit 18fe0fae61252b5ae6e26553e2676b5fac555951 upstream.
+
+If the driver uses .sta_add, station entries are only uploaded after the sta
+is in assoc state. Fix early station rate table updates by deferring them
+until the sta has been uploaded.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau
+Link: https://lore.kernel.org/r/20210201083324.3134-1-nbd@nbd.name
+[use rcu_access_pointer() instead since we won't dereference here]
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/driver-ops.c | 5 ++++-
+ net/mac80211/rate.c | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -128,8 +128,11 @@ int drv_sta_state(struct ieee80211_local
+ } else if (old_state == IEEE80211_STA_AUTH &&
+ new_state == IEEE80211_STA_ASSOC) {
+ ret = drv_sta_add(local, sdata, &sta->sta);
+- if (ret == 0)
++ if (ret == 0) {
+ sta->uploaded = true;
++ if (rcu_access_pointer(sta->sta.rates))
++ drv_sta_rate_tbl_update(local, sdata, &sta->sta);
++ }
+ } else if (old_state == IEEE80211_STA_ASSOC &&
+ new_state == IEEE80211_STA_AUTH) {
+ drv_sta_remove(local, sdata, &sta->sta);
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -941,7 +941,8 @@ int rate_control_set_rates(struct ieee80
+ if (old)
+ kfree_rcu(old, rcu_head);
+
+- drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
++ if (sta->uploaded)
++ drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
+
+ ieee80211_sta_set_expected_throughput(pubsta, sta_get_expected_throughput(sta));
+
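Review bot: The two halves of this change form a store/load pair with no visible ordering: drv_sta_state writes `sta->uploaded = true` and then reads `sta->sta.rates`, while rate_control_set_rates publishes the new `rates` (above the hunk) and then reads `sta->uploaded`. If those two paths can run concurrently — which the hunk does not settle — each can miss the other's store and the driver never receives the rate table; if a lock or the RCU grace period already orders them, the `if (sta->uploaded)` line deserves a comment naming it, e.g. `/* ordered against drv_sta_state() by <lock-name> */` with the real lock filled in. Both enclosing functions start and end outside their hunks, so I cannot see what serialization exists.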
diff --git a/package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch b/package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch
new file mode 100644
index 0000000000..f5d9d843f5
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch
@@ -0,0 +1,34 @@
+From 2a4b99ffcda9f6739d4deb7bd7d2e0ed8444dda7 Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Fri, 5 Feb 2021 17:53:52 +0000
+Subject: [PATCH] mac80211: fix potential overflow when multiplying to u32
+ integers
+
+[ Upstream commit 6194f7e6473be78acdc5d03edd116944bdbb2c4e ]
+
+The multiplication of the u32 variables tx_time and estimated_retx is
+performed using a 32 bit multiplication and the result is stored in
+a u64 result. This has a potential u32 overflow issue, so avoid this
+by casting tx_time to a u64 to force a 64 bit multiply.
+
+Addresses-Coverity: ("Unintentional integer overflow")
+Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol")
+Signed-off-by: Colin Ian King
+Link: https://lore.kernel.org/r/20210205175352.208841-1-colin.king@canonical.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/mesh_hwmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -355,7 +355,7 @@ static u32 airtime_link_metric_get(struc
+ */
+ tx_time = (device_constant + 10 * test_frame_len / rate);
+ estimated_retx = ((1 << (2 * ARITH_SHIFT)) / (s_unit - err));
+- result = (tx_time * estimated_retx) >> (2 * ARITH_SHIFT);
++ result = ((u64)tx_time * estimated_retx) >> (2 * ARITH_SHIFT);
+ return (u32)result;
+ }
+
diff --git a/package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch b/package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch
new file mode 100644
index 0000000000..36d5bee123
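Review bot: The 64-bit multiply removes the overflow, but `return (u32)result;` on the following line still truncates silently if the shifted product exceeds 32 bits; whether that can happen depends on the ranges of `tx_time` and `estimated_retx`, which are derived from values set outside the hunk. If a saturating metric is wanted, `return (u32)min_t(u64, result, U32_MAX);` says so explicitly; otherwise a short comment above the return explaining why the value fits would close the question. The divisor `(s_unit - err)` two lines up is also unguarded inside the hunk, so presumably `err < s_unit` is established earlier in airtime_link_metric_get, whose body starts outside the hunk.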
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch
@@ -0,0 +1,50 @@
+From 4311a94e7598ca19311b04eb965556b5bb33accd Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 12 Feb 2021 11:22:14 +0100
+Subject: [PATCH] mac80211: fix rate mask reset
+
+[ Upstream commit 1944015fe9c1d9fa5e9eb7ffbbb5ef8954d6753b ]
+
+Coverity reported the strange "if (~...)" condition that's
+always true. It suggested that ! was intended instead of ~,
+but upon further analysis I'm convinced that what really was
+intended was a comparison to 0xff/0xffff (in HT/VHT cases
+respectively), since this indicates that all of the rates
+are enabled.
+
+Change the comparison accordingly.
+
+I'm guessing this never really mattered because a reset to
+not having a rate mask is basically equivalent to having a
+mask that enables all rates.
+
+Reported-by: Colin Ian King
+Fixes: 2ffbe6d33366 ("mac80211: fix and optimize MCS mask handling")
+Fixes: b119ad6e726c ("mac80211: add rate mask logic for vht rates")
+Reviewed-by: Colin Ian King
+Link: https://lore.kernel.org/r/20210212112213.36b38078f569.I8546a20c80bc1669058eb453e213630b846e107b@changeid
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2779,14 +2779,14 @@ static int ieee80211_set_bitrate_mask(st
+ continue;
+
+ for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
+- if (~sdata->rc_rateidx_mcs_mask[i][j]) {
++ if (sdata->rc_rateidx_mcs_mask[i][j] != 0xff) {
+ sdata->rc_has_mcs_mask[i] = true;
+ break;
+ }
+ }
+
+ for (j = 0; j < NL80211_VHT_NSS_MAX; j++) {
+- if (~sdata->rc_rateidx_vht_mcs_mask[i][j]) {
++ if (sdata->rc_rateidx_vht_mcs_mask[i][j] != 0xffff) {
+ sdata->rc_has_vht_mcs_mask[i] = true;
+ break;
+ }
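Review bot: `0xff` and `0xffff` are bare magic numbers; that they mean "every MCS bit of this mask entry is set" is only recoverable from the commit message, and the comparison silently becomes wrong again if the element width of either mask array changes (the hunk does not show the types, so u8/u16 is inferred from the constants). A comment on each changed line, e.g. `if (sdata->rc_rateidx_mcs_mask[i][j] != 0xff) { /* some HT MCS disabled */` and the VHT counterpart, or a named all-ones constant, would keep the intent attached to the code. ieee80211_set_bitrate_mask starts and ends outside the hunk.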
diff --git a/package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch b/package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch
new file mode 100644
index 0000000000..e5245811bc
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch
@@ -0,0 +1,69 @@
+From 7da363fba2fc8526dbf3f966bac6f03fec98f095 Mon Sep 17 00:00:00 2001
+From: Markus Theil
+Date: Sat, 13 Feb 2021 14:36:53 +0100
+Subject: [PATCH] mac80211: fix double free in ibss_leave
+
+commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream.
+
+Clear beacon ie pointer and ie length after free
+in order to prevent double free.
+
+==================================================================
+BUG: KASAN: double-free or invalid-free \
+in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+
+CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
+ kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
+ ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
+ kasan_slab_free include/linux/kasan.h:192 [inline]
+ __cache_free mm/slab.c:3424 [inline]
+ kfree+0xed/0x270 mm/slab.c:3760
+ ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+ rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
+ __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
+ __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
+ cfg80211_leave net/wireless/core.c:1221 [inline]
+ cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
+ call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
+ call_netdevice_notifiers net/core/dev.c:2066 [inline]
+ __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
+ __dev_close net/core/dev.c:1624 [inline]
+ __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
+ dev_change_flags+0x8a/0x160 net/core/dev.c:8549
+ dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
+ dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
+ sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
+ sock_ioctl+0x477/0x6a0 net/socket.c:1177
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
+Signed-off-by: Markus Theil
+Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/mac80211/ibss.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1869,6 +1869,8 @@ int ieee80211_ibss_leave(struct ieee8021
+
+ /* remove beacon */
+ kfree(sdata->u.ibss.ie);
++ sdata->u.ibss.ie = NULL;
++ sdata->u.ibss.ie_len = 0;
+
+ /* on the next join, re-program HT parameters */
+ memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa));
diff --git a/package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch b/package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch
index 31137e1b37..ebf46c6a4c 100644
--- a/package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch
+++ b/package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch
@@ -87,7 +87,7 @@ CFG80211_TESTMODE_CMD(ieee80211_testmode_cmd)
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
-@@ -1365,6 +1365,7 @@ struct ieee80211_local {
+@@ -1366,6 +1366,7 @@ struct ieee80211_local {
 int dynamic_ps_forced_timeout;
 int user_power_level; /* in dBm, for all interfaces */
-- cgit v1.2.3
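Review bot: The added lines reset the fields through `sdata->u.ibss.ie` while the neighbouring `memset` goes through `ifibss->ht_capa`; if `ifibss` is `&sdata->u.ibss`, as that line suggests, writing `ifibss->ie = NULL;` and `ifibss->ie_len = 0;` (and `kfree(ifibss->ie)` on the existing line) keeps one spelling in the function and makes the free/reset pairing visible at a glance. The fix itself is the right shape: nulling the pointer right after `kfree()` is what turns a repeated ibss_leave into a harmless `kfree(NULL)` instead of the KASAN-reported double free, and zeroing `ie_len` keeps the length consistent with the cleared pointer. ieee80211_ibss_leave starts and ends outside the hunk.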