[openwrt/openwrt] mac80211: backport upstream fixes
LEDE Commits
lede-commits at lists.infradead.org
Fri Apr 9 14:45:23 BST 2021
xback pushed a commit to openwrt/openwrt.git, branch openwrt-19.07:
https://git.openwrt.org/cc0b70467d0f67ea6481100631119ae77b76c9eb
commit cc0b70467d0f67ea6481100631119ae77b76c9eb
Author: Koen Vandeputte <koen.vandeputte at citymesh.com>
AuthorDate: Fri Apr 2 12:21:24 2021 +0200
mac80211: backport upstream fixes
Refreshed all patches.
Includes all fixes up to 4.19.184
Signed-off-by: Koen Vandeputte <koen.vandeputte at citymesh.com>
---
...n-t-set-set-TDLS-STA-bandwidth-wider-than.patch | 65 ++++++++++++++++++++
...11-pause-TX-while-changing-interface-type.patch | 57 ++++++++++++++++++
...371-mac80211-fix-fast-rx-encryption-check.patch | 29 +++++++++
...1-fix-station-rate-table-updates-on-assoc.patch | 49 +++++++++++++++
...x-potential-overflow-when-multiplying-to-.patch | 34 +++++++++++
.../subsys/374-mac80211-fix-rate-mask-reset.patch | 50 ++++++++++++++++
...75-mac80211-fix-double-free-in-ibss_leave.patch | 69 ++++++++++++++++++++++
.../522-mac80211_configure_antenna_gain.patch | 2 +-
8 files changed, 354 insertions(+), 1 deletion(-)
diff --git a/package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch b/package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch
new file mode 100644
index 0000000000..a88b24d402
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch
@@ -0,0 +1,65 @@
+From ebbd7dc7ca856a182769c17c4c8a739cedc064c4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Sun, 6 Dec 2020 14:54:44 +0200
+Subject: [PATCH] mac80211: don't set set TDLS STA bandwidth wider than
+ possible
+
+[ Upstream commit f65607cdbc6b0da356ef5a22552ddd9313cf87a0 ]
+
+When we set up a TDLS station, we set sta->sta.bandwidth solely based
+on the capabilities, because the "what's the current bandwidth" check
+is bypassed and only applied for other types of stations.
+
+This leads to the unfortunate scenario that the sta->sta.bandwidth is
+160 MHz if both stations support it, but we never actually configure
+this bandwidth unless the AP is already using 160 MHz; even for wider
+bandwidth support we only go up to 80 MHz (at least right now.)
+
+For iwlwifi, this can also lead to firmware asserts, telling us that
+we've configured the TX rates for a higher bandwidth than is actually
+available due to the PHY configuration.
+
+For non-TDLS, we check against the interface's requested bandwidth,
+but we explicitly skip this check for TDLS to cope with the wider BW
+case. Change this to
+ (a) still limit to the TDLS peer's own chandef, which gets factored
+ into the overall PHY configuration we request from the driver,
+ and
+ (b) limit it to when the TDLS peer is authorized, because it's only
+ factored into the channel context in this case.
+
+Fixes: 504871e602d9 ("mac80211: fix bandwidth computation for TDLS peers")
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho at intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20201206145305.fcc7d29c4590.I11f77e9e25ddf871a3c8d5604650c763e2c5887a@changeid
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ net/mac80211/vht.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/vht.c
++++ b/net/mac80211/vht.c
+@@ -421,12 +421,18 @@ enum ieee80211_sta_rx_bandwidth ieee8021
+ * IEEE80211-2016 specification makes higher bandwidth operation
+ * possible on the TDLS link if the peers have wider bandwidth
+ * capability.
++ *
++ * However, in this case, and only if the TDLS peer is authorized,
++ * limit to the tdls_chandef so that the configuration here isn't
++ * wider than what's actually requested on the channel context.
+ */
+ if (test_sta_flag(sta, WLAN_STA_TDLS_PEER) &&
+- test_sta_flag(sta, WLAN_STA_TDLS_WIDER_BW))
+- return bw;
+-
+- bw = min(bw, ieee80211_chan_width_to_rx_bw(bss_width));
++ test_sta_flag(sta, WLAN_STA_TDLS_WIDER_BW) &&
++ test_sta_flag(sta, WLAN_STA_AUTHORIZED) &&
++ sta->tdls_chandef.chan)
++ bw = min(bw, ieee80211_chan_width_to_rx_bw(sta->tdls_chandef.width));
++ else
++ bw = min(bw, ieee80211_chan_width_to_rx_bw(bss_width));
+
+ return bw;
+ }
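Review bot: In the vht.c hunk the new `else` branch clamps a TDLS wider-bandwidth peer to `bss_width` whenever it is not yet authorized or has no `tdls_chandef.chan`, where the removed lines returned `bw` unclamped; the block comment only describes the authorized case. Consider extending the comment to say that unauthorized TDLS peers fall back to the BSS width, so the change from the old early return is documented next to the condition.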
diff --git a/package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch b/package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch
new file mode 100644
index 0000000000..ce9776c112
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch
@@ -0,0 +1,57 @@
+From b26b5e0861578fa7cdf444b1aa61d06f739eb306 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Fri, 22 Jan 2021 17:11:16 +0100
+Subject: [PATCH] mac80211: pause TX while changing interface type
+
+[ Upstream commit 054c9939b4800a91475d8d89905827bf9e1ad97a ]
+
+syzbot reported a crash that happened when changing the interface
+type around a lot, and while it might have been easy to fix just
+the symptom there, a little deeper investigation found that really
+the reason is that we allowed packets to be transmitted while in
+the middle of changing the interface type.
+
+Disallow TX by stopping the queues while changing the type.
+
+Fixes: 34d4bc4d41d2 ("mac80211: support runtime interface type changes")
+Reported-by: syzbot+d7a3b15976bf7de2238a at syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210122171115.b321f98f4d4f.I6997841933c17b093535c31d29355be3c0c39628@changeid
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/iface.c | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1057,6 +1057,7 @@ enum queue_stop_reason {
+ IEEE80211_QUEUE_STOP_REASON_FLUSH,
+ IEEE80211_QUEUE_STOP_REASON_TDLS_TEARDOWN,
+ IEEE80211_QUEUE_STOP_REASON_RESERVE_TID,
++ IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE,
+
+ IEEE80211_QUEUE_STOP_REASONS,
+ };
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1621,6 +1621,10 @@ static int ieee80211_runtime_change_ifty
+ if (ret)
+ return ret;
+
++ ieee80211_stop_vif_queues(local, sdata,
++ IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE);
++ synchronize_net();
++
+ ieee80211_do_stop(sdata, false);
+
+ ieee80211_teardown_sdata(sdata);
+@@ -1641,6 +1645,8 @@ static int ieee80211_runtime_change_ifty
+ err = ieee80211_do_open(&sdata->wdev, false);
+ WARN(err, "type change: do_open returned %d", err);
+
++ ieee80211_wake_vif_queues(local, sdata,
++ IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE);
+ return ret;
+ }
+
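Review bot: In the second iface.c hunk, `ieee80211_wake_vif_queues()` runs unconditionally, including when `ieee80211_do_open()` has just failed and only produced the `WARN(err, ...)`, so TX is re-enabled on an interface that did not reopen. Consider waking the queues only when `err` is 0, or add a comment saying why waking after a failed open is safe. The lines between the stop and the wake are not shown in these hunks, so it is also worth confirming that no return path in between leaves the queues stopped with IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE.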
diff --git a/package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch b/package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch
new file mode 100644
index 0000000000..f6ce40ac24
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch
@@ -0,0 +1,29 @@
+From b70798906c4c85314511cf6d5cae98385861fc07 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd at nbd.name>
+Date: Fri, 18 Dec 2020 19:47:17 +0100
+Subject: [PATCH] mac80211: fix fast-rx encryption check
+
+[ Upstream commit 622d3b4e39381262da7b18ca1ed1311df227de86 ]
+
+When using WEP, the default unicast key needs to be selected, instead of
+the STA PTK.
+
+Signed-off-by: Felix Fietkau <nbd at nbd.name>
+Link: https://lore.kernel.org/r/20201218184718.93650-5-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ net/mac80211/rx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4019,6 +4019,8 @@ void ieee80211_check_fast_rx(struct sta_
+
+ rcu_read_lock();
+ key = rcu_dereference(sta->ptk[sta->ptk_idx]);
++ if (!key)
++ key = rcu_dereference(sdata->default_unicast_key);
+ if (key) {
+ switch (key->conf.cipher) {
+ case WLAN_CIPHER_SUITE_TKIP:
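Review bot: The fallback added in the rx.c hunk is taken whenever `sta->ptk[sta->ptk_idx]` is NULL, but the only statement that this is meant for WEP is in the commit message. A short comment above `if (!key)` naming the WEP case would keep the reason visible in the source, since the cipher switch that follows now also runs on the default unicast key.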
diff --git a/package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch b/package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch
new file mode 100644
index 0000000000..693904b495
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch
@@ -0,0 +1,49 @@
+From 1d3a84f92f75bb0c2f981a75f507f55afed12f2c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd at nbd.name>
+Date: Mon, 1 Feb 2021 09:33:24 +0100
+Subject: [PATCH] mac80211: fix station rate table updates on assoc
+
+commit 18fe0fae61252b5ae6e26553e2676b5fac555951 upstream.
+
+If the driver uses .sta_add, station entries are only uploaded after the sta
+is in assoc state. Fix early station rate table updates by deferring them
+until the sta has been uploaded.
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd at nbd.name>
+Link: https://lore.kernel.org/r/20210201083324.3134-1-nbd@nbd.name
+[use rcu_access_pointer() instead since we won't dereference here]
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/mac80211/driver-ops.c | 5 ++++-
+ net/mac80211/rate.c | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -128,8 +128,11 @@ int drv_sta_state(struct ieee80211_local
+ } else if (old_state == IEEE80211_STA_AUTH &&
+ new_state == IEEE80211_STA_ASSOC) {
+ ret = drv_sta_add(local, sdata, &sta->sta);
+- if (ret == 0)
++ if (ret == 0) {
+ sta->uploaded = true;
++ if (rcu_access_pointer(sta->sta.rates))
++ drv_sta_rate_tbl_update(local, sdata, &sta->sta);
++ }
+ } else if (old_state == IEEE80211_STA_ASSOC &&
+ new_state == IEEE80211_STA_AUTH) {
+ drv_sta_remove(local, sdata, &sta->sta);
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -941,7 +941,8 @@ int rate_control_set_rates(struct ieee80
+ if (old)
+ kfree_rcu(old, rcu_head);
+
+- drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
++ if (sta->uploaded)
++ drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
+
+ ieee80211_sta_set_expected_throughput(pubsta, sta_get_expected_throughput(sta));
+
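Review bot: `sta->uploaded` is now written in drv_sta_state() (driver-ops.c hunk) and read in rate_control_set_rates() (rate.c hunk), and neither hunk shows what serialises the two. Please state the locking assumption in a comment at the `if (sta->uploaded)` check, so it is clear that a rate table installed around the AUTH to ASSOC transition is always pushed to the driver by one of the two paths.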
diff --git a/package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch b/package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch
new file mode 100644
index 0000000000..f5d9d843f5
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch
@@ -0,0 +1,34 @@
+From 2a4b99ffcda9f6739d4deb7bd7d2e0ed8444dda7 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king at canonical.com>
+Date: Fri, 5 Feb 2021 17:53:52 +0000
+Subject: [PATCH] mac80211: fix potential overflow when multiplying to u32
+ integers
+
+[ Upstream commit 6194f7e6473be78acdc5d03edd116944bdbb2c4e ]
+
+The multiplication of the u32 variables tx_time and estimated_retx is
+performed using a 32 bit multiplication and the result is stored in
+a u64 result. This has a potential u32 overflow issue, so avoid this
+by casting tx_time to a u64 to force a 64 bit multiply.
+
+Addresses-Coverity: ("Unintentional integer overflow")
+Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol")
+Signed-off-by: Colin Ian King <colin.king at canonical.com>
+Link: https://lore.kernel.org/r/20210205175352.208841-1-colin.king@canonical.com
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ net/mac80211/mesh_hwmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -355,7 +355,7 @@ static u32 airtime_link_metric_get(struc
+ */
+ tx_time = (device_constant + 10 * test_frame_len / rate);
+ estimated_retx = ((1 << (2 * ARITH_SHIFT)) / (s_unit - err));
+- result = (tx_time * estimated_retx) >> (2 * ARITH_SHIFT);
++ result = ((u64)tx_time * estimated_retx) >> (2 * ARITH_SHIFT);
+ return (u32)result;
+ }
+
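Review bot: The `(u64)tx_time` cast in airtime_link_metric_get() widens the product, but the next line still returns `(u32)result`, so a value that does not fit in 32 bits after the shift is truncated silently. If that cannot happen for valid inputs, a comment saying so would help; otherwise consider saturating the result before the cast.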
diff --git a/package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch b/package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch
new file mode 100644
index 0000000000..36d5bee123
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch
@@ -0,0 +1,50 @@
+From 4311a94e7598ca19311b04eb965556b5bb33accd Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg at intel.com>
+Date: Fri, 12 Feb 2021 11:22:14 +0100
+Subject: [PATCH] mac80211: fix rate mask reset
+
+[ Upstream commit 1944015fe9c1d9fa5e9eb7ffbbb5ef8954d6753b ]
+
+Coverity reported the strange "if (~...)" condition that's
+always true. It suggested that ! was intended instead of ~,
+but upon further analysis I'm convinced that what really was
+intended was a comparison to 0xff/0xffff (in HT/VHT cases
+respectively), since this indicates that all of the rates
+are enabled.
+
+Change the comparison accordingly.
+
+I'm guessing this never really mattered because a reset to
+not having a rate mask is basically equivalent to having a
+mask that enables all rates.
+
+Reported-by: Colin Ian King <colin.king at canonical.com>
+Fixes: 2ffbe6d33366 ("mac80211: fix and optimize MCS mask handling")
+Fixes: b119ad6e726c ("mac80211: add rate mask logic for vht rates")
+Reviewed-by: Colin Ian King <colin.king at canonical.com>
+Link: https://lore.kernel.org/r/20210212112213.36b38078f569.I8546a20c80bc1669058eb453e213630b846e107b@changeid
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Sasha Levin <sashal at kernel.org>
+---
+ net/mac80211/cfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2779,14 +2779,14 @@ static int ieee80211_set_bitrate_mask(st
+ continue;
+
+ for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
+- if (~sdata->rc_rateidx_mcs_mask[i][j]) {
++ if (sdata->rc_rateidx_mcs_mask[i][j] != 0xff) {
+ sdata->rc_has_mcs_mask[i] = true;
+ break;
+ }
+ }
+
+ for (j = 0; j < NL80211_VHT_NSS_MAX; j++) {
+- if (~sdata->rc_rateidx_vht_mcs_mask[i][j]) {
++ if (sdata->rc_rateidx_vht_mcs_mask[i][j] != 0xffff) {
+ sdata->rc_has_vht_mcs_mask[i] = true;
+ break;
+ }
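Review bot: The literals `0xff` and `0xffff` in the cfg.c hunk encode the element widths of `rc_rateidx_mcs_mask` and `rc_rateidx_vht_mcs_mask`, which are not visible at the comparison. A brief comment at each check that the value means all rates enabled, as the commit message explains, or a named constant, would keep the comparison from being misread the way the old `~` test was.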
diff --git a/package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch b/package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch
new file mode 100644
index 0000000000..e5245811bc
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch
@@ -0,0 +1,69 @@
+From 7da363fba2fc8526dbf3f966bac6f03fec98f095 Mon Sep 17 00:00:00 2001
+From: Markus Theil <markus.theil at tu-ilmenau.de>
+Date: Sat, 13 Feb 2021 14:36:53 +0100
+Subject: [PATCH] mac80211: fix double free in ibss_leave
+
+commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream.
+
+Clear beacon ie pointer and ie length after free
+in order to prevent double free.
+
+==================================================================
+BUG: KASAN: double-free or invalid-free \
+in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+
+CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
+ kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
+ ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
+ kasan_slab_free include/linux/kasan.h:192 [inline]
+ __cache_free mm/slab.c:3424 [inline]
+ kfree+0xed/0x270 mm/slab.c:3760
+ ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+ rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
+ __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
+ __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
+ cfg80211_leave net/wireless/core.c:1221 [inline]
+ cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
+ call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
+ call_netdevice_notifiers net/core/dev.c:2066 [inline]
+ __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
+ __dev_close net/core/dev.c:1624 [inline]
+ __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
+ dev_change_flags+0x8a/0x160 net/core/dev.c:8549
+ dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
+ dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
+ sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
+ sock_ioctl+0x477/0x6a0 net/socket.c:1177
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+93976391bf299d425f44 at syzkaller.appspotmail.com
+Signed-off-by: Markus Theil <markus.theil at tu-ilmenau.de>
+Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/mac80211/ibss.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1869,6 +1869,8 @@ int ieee80211_ibss_leave(struct ieee8021
+
+ /* remove beacon */
+ kfree(sdata->u.ibss.ie);
++ sdata->u.ibss.ie = NULL;
++ sdata->u.ibss.ie_len = 0;
+
+ /* on the next join, re-program HT parameters */
+ memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa));
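Review bot: The two assignments after `kfree(sdata->u.ibss.ie)` in ieee80211_ibss_leave() carry no explanation in the source, and the existing `/* remove beacon */` comment does not cover them. A one-line comment that they guard against a second leave freeing the same buffer (kfree(NULL) is a no-op) would keep them from being removed as redundant in a later cleanup.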
diff --git a/package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch b/package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch
index 31137e1b37..ebf46c6a4c 100644
--- a/package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch
+++ b/package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch
@@ -87,7 +87,7 @@
CFG80211_TESTMODE_CMD(ieee80211_testmode_cmd)
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
-@@ -1365,6 +1365,7 @@ struct ieee80211_local {
+@@ -1366,6 +1366,7 @@ struct ieee80211_local {
int dynamic_ps_forced_timeout;
int user_power_level; /* in dBm, for all interfaces */