[openwrt/openwrt] mac80211: merge upstream fixes

LEDE Commits lede-commits at lists.infradead.org
Fri Sep 16 00:18:00 PDT 2022 

xback pushed a commit to openwrt/openwrt.git, branch master:
https://git.openwrt.org/aa9be386d40f3a5e559c0f2183c772175a45cf0d

commit aa9be386d40f3a5e559c0f2183c772175a45cf0d
Author: Koen Vandeputte <koen.vandeputte at ncentric.com>
AuthorDate: Mon Aug 22 11:18:35 2022 +0200

    mac80211: merge upstream fixes
    
    fetched from upstream kernel v5.15.67
    
    Signed-off-by: Koen Vandeputte <koen.vandeputte at ncentric.com>
---
 ...x-a-memory-leak-where-sta_info-is-not-fre.patch | 77 ++++++++++++++++++++++
 ...11-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch | 47 +++++++++++++
 ...ifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch | 55 ++++++++++++++++
 3 files changed, 179 insertions(+)

diff --git a/package/kernel/mac80211/patches/subsys/360-mac80211-fix-a-memory-leak-where-sta_info-is-not-fre.patch b/package/kernel/mac80211/patches/subsys/360-mac80211-fix-a-memory-leak-where-sta_info-is-not-fre.patch
new file mode 100644
index 0000000000..ff3cb7be53
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/360-mac80211-fix-a-memory-leak-where-sta_info-is-not-fre.patch
@@ -0,0 +1,77 @@
+From 4db561ae4a90c2d0e15996634567559e292dc9e5 Mon Sep 17 00:00:00 2001
+From: Ahmed Zaki <anzaki at gmail.com>
+Date: Sat, 2 Oct 2021 08:53:29 -0600
+Subject: [PATCH] mac80211: fix a memory leak where sta_info is not freed
+
+commit 8f9dcc29566626f683843ccac6113a12208315ca upstream.
+
+The following is from a system that went OOM due to a memory leak:
+
+wlan0: Allocated STA 74:83:c2:64:0b:87
+wlan0: Allocated STA 74:83:c2:64:0b:87
+wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_add_sta)
+wlan0: Adding new IBSS station 74:83:c2:64:0b:87
+wlan0: moving STA 74:83:c2:64:0b:87 to state 2
+wlan0: moving STA 74:83:c2:64:0b:87 to state 3
+wlan0: Inserted STA 74:83:c2:64:0b:87
+wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_work)
+wlan0: Adding new IBSS station 74:83:c2:64:0b:87
+wlan0: moving STA 74:83:c2:64:0b:87 to state 2
+wlan0: moving STA 74:83:c2:64:0b:87 to state 3
+.
+.
+wlan0: expiring inactive not authorized STA 74:83:c2:64:0b:87
+wlan0: moving STA 74:83:c2:64:0b:87 to state 2
+wlan0: moving STA 74:83:c2:64:0b:87 to state 1
+wlan0: Removed STA 74:83:c2:64:0b:87
+wlan0: Destroyed STA 74:83:c2:64:0b:87
+
+The ieee80211_ibss_finish_sta() is called twice on the same STA from 2
+different locations. On the second attempt, the allocated STA is not
+destroyed creating a kernel memory leak.
+
+This is happening because sta_info_insert_finish() does not call
+sta_info_free() the second time when the STA already exists (returns
+-EEXIST). Note that the caller sta_info_insert_rcu() assumes STA is
+destroyed upon errors.
+
+Same fix is applied to -ENOMEM.
+
+Signed-off-by: Ahmed Zaki <anzaki at gmail.com>
+Link: https://lore.kernel.org/r/20211002145329.3125293-1-anzaki@gmail.com
+[change the error path label to use the existing code]
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Viacheslav Sablin <sablin at ispras.ru>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/mac80211/sta_info.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/sta_info.c
++++ b/net/mac80211/sta_info.c
+@@ -646,13 +646,13 @@ static int sta_info_insert_finish(struct
+ 	/* check if STA exists already */
+ 	if (sta_info_get_bss(sdata, sta->sta.addr)) {
+ 		err = -EEXIST;
+-		goto out_err;
++		goto out_cleanup;
+ 	}
+ 
+ 	sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL);
+ 	if (!sinfo) {
+ 		err = -ENOMEM;
+-		goto out_err;
++		goto out_cleanup;
+ 	}
+ 
+ 	local->num_sta++;
+@@ -708,8 +708,8 @@ static int sta_info_insert_finish(struct
+  out_drop_sta:
+ 	local->num_sta--;
+ 	synchronize_net();
++ out_cleanup:
+ 	cleanup_single_sta(sta);
+- out_err:
+ 	mutex_unlock(&local->sta_mtx);
+ 	kfree(sinfo);
+ 	rcu_read_lock();
diff --git a/package/kernel/mac80211/patches/subsys/361-wifi-mac80211-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch b/package/kernel/mac80211/patches/subsys/361-wifi-mac80211-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch
new file mode 100644
index 0000000000..dd3e934c00
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/361-wifi-mac80211-Don-t-finalize-CSA-in-IBSS-mode-if-sta.patch
@@ -0,0 +1,47 @@
+From 552ba102a6898630a7d16887f29e606d6fabe508 Mon Sep 17 00:00:00 2001
+From: Siddh Raman Pant <code at siddh.me>
+Date: Sun, 14 Aug 2022 20:45:12 +0530
+Subject: [PATCH] wifi: mac80211: Don't finalize CSA in IBSS mode if state is
+ disconnected
+
+commit 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 upstream.
+
+When we are not connected to a channel, sending channel "switch"
+announcement doesn't make any sense.
+
+The BSS list is empty in that case. This causes the for loop in
+cfg80211_get_bss() to be bypassed, so the function returns NULL
+(check line 1424 of net/wireless/scan.c), causing the WARN_ON()
+in ieee80211_ibss_csa_beacon() to get triggered (check line 500
+of net/mac80211/ibss.c), which was consequently reported on the
+syzkaller dashboard.
+
+Thus, check if we have an existing connection before generating
+the CSA beacon in ieee80211_ibss_finish_csa().
+
+Cc: stable at vger.kernel.org
+Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode")
+Link: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca6
+Reported-by: syzbot+b6c9fe29aefe68e4ad34 at syzkaller.appspotmail.com
+Signed-off-by: Siddh Raman Pant <code at siddh.me>
+Tested-by: syzbot+b6c9fe29aefe68e4ad34 at syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20220814151512.9985-1-code@siddh.me
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/mac80211/ibss.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -534,6 +534,10 @@ int ieee80211_ibss_finish_csa(struct iee
+ 
+ 	sdata_assert_lock(sdata);
+ 
++	/* When not connected/joined, sending CSA doesn't make sense. */
++	if (ifibss->state != IEEE80211_IBSS_MLME_JOINED)
++		return -ENOLINK;
++
+ 	/* update cfg80211 bss information with the new channel */
+ 	if (!is_zero_ether_addr(ifibss->bssid)) {
+ 		cbss = cfg80211_get_bss(sdata->local->hw.wiphy,
diff --git a/package/kernel/mac80211/patches/subsys/362-wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch b/package/kernel/mac80211/patches/subsys/362-wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch
new file mode 100644
index 0000000000..0e58b61602
--- /dev/null
+++ b/package/kernel/mac80211/patches/subsys/362-wifi-mac80211-Fix-UAF-in-ieee80211_scan_rx.patch
@@ -0,0 +1,55 @@
+From 5d20c6f932f2758078d0454729129c894fe353e7 Mon Sep 17 00:00:00 2001
+From: Siddh Raman Pant <code at siddh.me>
+Date: Sat, 20 Aug 2022 01:33:40 +0530
+Subject: [PATCH] wifi: mac80211: Fix UAF in ieee80211_scan_rx()
+
+commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c upstream.
+
+ieee80211_scan_rx() tries to access scan_req->flags after a
+null check, but a UAF is observed when the scan is completed
+and __ieee80211_scan_completed() executes, which then calls
+cfg80211_scan_done() leading to the freeing of scan_req.
+
+Since scan_req is rcu_dereference()'d, prevent the racing in
+__ieee80211_scan_completed() by ensuring that from mac80211's
+POV it is no longer accessed from an RCU read critical section
+before we call cfg80211_scan_done().
+
+Cc: stable at vger.kernel.org
+Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d
+Reported-by: syzbot+f9acff9bf08a845f225d at syzkaller.appspotmail.com
+Suggested-by: Johannes Berg <johannes at sipsolutions.net>
+Signed-off-by: Siddh Raman Pant <code at siddh.me>
+Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me
+Signed-off-by: Johannes Berg <johannes.berg at intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
+---
+ net/mac80211/scan.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/scan.c
++++ b/net/mac80211/scan.c
+@@ -461,16 +461,19 @@ static void __ieee80211_scan_completed(s
+ 	scan_req = rcu_dereference_protected(local->scan_req,
+ 					     lockdep_is_held(&local->mtx));
+ 
+-	if (scan_req != local->int_scan_req) {
+-		local->scan_info.aborted = aborted;
+-		cfg80211_scan_done(scan_req, &local->scan_info);
+-	}
+ 	RCU_INIT_POINTER(local->scan_req, NULL);
+ 	RCU_INIT_POINTER(local->scan_sdata, NULL);
+ 
+ 	local->scanning = 0;
+ 	local->scan_chandef.chan = NULL;
+ 
++	synchronize_rcu();
++
++	if (scan_req != local->int_scan_req) {
++		local->scan_info.aborted = aborted;
++		cfg80211_scan_done(scan_req, &local->scan_info);
++	}
++
+ 	/* Set power back to normal operating levels. */
+ 	ieee80211_hw_config(local, 0);
+

More information about the lede-commits mailing list