mac80211: merge upstream fixes
fetched from upstream kernel v5.15.67
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
(cherry-picked from commit aa9be386d4)
parent
b6487c3ccc
commit
a077c6da98
@ -0,0 +1,77 @@
|
||||
From 4db561ae4a90c2d0e15996634567559e292dc9e5 Mon Sep 17 00:00:00 2001
|
||||
From: Ahmed Zaki <anzaki@gmail.com>
|
||||
Date: Sat, 2 Oct 2021 08:53:29 -0600
|
||||
Subject: [PATCH] mac80211: fix a memory leak where sta_info is not freed
|
||||
|
||||
commit 8f9dcc29566626f683843ccac6113a12208315ca upstream.
|
||||
|
||||
The following is from a system that went OOM due to a memory leak:
|
||||
|
||||
wlan0: Allocated STA 74:83:c2:64:0b:87
|
||||
wlan0: Allocated STA 74:83:c2:64:0b:87
|
||||
wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_add_sta)
|
||||
wlan0: Adding new IBSS station 74:83:c2:64:0b:87
|
||||
wlan0: moving STA 74:83:c2:64:0b:87 to state 2
|
||||
wlan0: moving STA 74:83:c2:64:0b:87 to state 3
|
||||
wlan0: Inserted STA 74:83:c2:64:0b:87
|
||||
wlan0: IBSS finish 74:83:c2:64:0b:87 (---from ieee80211_ibss_work)
|
||||
wlan0: Adding new IBSS station 74:83:c2:64:0b:87
|
||||
wlan0: moving STA 74:83:c2:64:0b:87 to state 2
|
||||
wlan0: moving STA 74:83:c2:64:0b:87 to state 3
|
||||
.
|
||||
.
|
||||
wlan0: expiring inactive not authorized STA 74:83:c2:64:0b:87
|
||||
wlan0: moving STA 74:83:c2:64:0b:87 to state 2
|
||||
wlan0: moving STA 74:83:c2:64:0b:87 to state 1
|
||||
wlan0: Removed STA 74:83:c2:64:0b:87
|
||||
wlan0: Destroyed STA 74:83:c2:64:0b:87
|
||||
|
||||
The ieee80211_ibss_finish_sta() is called twice on the same STA from 2
|
||||
different locations. On the second attempt, the allocated STA is not
|
||||
destroyed creating a kernel memory leak.
|
||||
|
||||
This is happening because sta_info_insert_finish() does not call
|
||||
sta_info_free() the second time when the STA already exists (returns
|
||||
-EEXIST). Note that the caller sta_info_insert_rcu() assumes STA is
|
||||
destroyed upon errors.
|
||||
|
||||
Same fix is applied to -ENOMEM.
|
||||
|
||||
Signed-off-by: Ahmed Zaki <anzaki@gmail.com>
|
||||
Link: https://lore.kernel.org/r/20211002145329.3125293-1-anzaki@gmail.com
|
||||
[change the error path label to use the existing code]
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: Viacheslav Sablin <sablin@ispras.ru>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/mac80211/sta_info.c | 6 +++---
|
||||
1 file changed, 3 insertions(+), 3 deletions(-)
|
||||
|
||||
--- a/net/mac80211/sta_info.c
|
||||
+++ b/net/mac80211/sta_info.c
|
||||
@@ -646,13 +646,13 @@ static int sta_info_insert_finish(struct
|
||||
/* check if STA exists already */
|
||||
if (sta_info_get_bss(sdata, sta->sta.addr)) {
|
||||
err = -EEXIST;
|
||||
- goto out_err;
|
||||
+ goto out_cleanup;
|
||||
}
|
||||
|
||||
sinfo = kzalloc(sizeof(struct station_info), GFP_KERNEL);
|
||||
if (!sinfo) {
|
||||
err = -ENOMEM;
|
||||
- goto out_err;
|
||||
+ goto out_cleanup;
|
||||
}
|
||||
|
||||
local->num_sta++;
|
||||
@@ -708,8 +708,8 @@ static int sta_info_insert_finish(struct
|
||||
out_drop_sta:
|
||||
local->num_sta--;
|
||||
synchronize_net();
|
||||
+ out_cleanup:
|
||||
cleanup_single_sta(sta);
|
||||
- out_err:
|
||||
mutex_unlock(&local->sta_mtx);
|
||||
kfree(sinfo);
|
||||
rcu_read_lock();
|
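Review bot: The new `out_cleanup:` label, placed after `synchronize_net();`, now encodes an ownership rule that is stated only in the commit message — that the caller sta_info_insert_rcu() expects the STA to be destroyed on every error — and nothing at the label says so, which is how the original `out_err` leak crept in; a one-line comment there would protect the next edit, e.g. `/* every error path must free sta: sta_info_insert_rcu() assumes it is gone */`. The two redirected `goto`s skip `local->num_sta--` and `synchronize_net()`, which is consistent with a STA that was never published, so that ordering looks right. The `kfree(sinfo)` after the label relies on `sinfo` already being NULL in the -EEXIST path; that initialization, like the rest of sta_info_insert_finish(), is outside the shown hunks, which start and end mid-function.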
@ -0,0 +1,47 @@
|
||||
From 552ba102a6898630a7d16887f29e606d6fabe508 Mon Sep 17 00:00:00 2001
|
||||
From: Siddh Raman Pant <code@siddh.me>
|
||||
Date: Sun, 14 Aug 2022 20:45:12 +0530
|
||||
Subject: [PATCH] wifi: mac80211: Don't finalize CSA in IBSS mode if state is
|
||||
disconnected
|
||||
|
||||
commit 15bc8966b6d3a5b9bfe4c9facfa02f2b69b1e5f0 upstream.
|
||||
|
||||
When we are not connected to a channel, sending channel "switch"
|
||||
announcement doesn't make any sense.
|
||||
|
||||
The BSS list is empty in that case. This causes the for loop in
|
||||
cfg80211_get_bss() to be bypassed, so the function returns NULL
|
||||
(check line 1424 of net/wireless/scan.c), causing the WARN_ON()
|
||||
in ieee80211_ibss_csa_beacon() to get triggered (check line 500
|
||||
of net/mac80211/ibss.c), which was consequently reported on the
|
||||
syzkaller dashboard.
|
||||
|
||||
Thus, check if we have an existing connection before generating
|
||||
the CSA beacon in ieee80211_ibss_finish_csa().
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Fixes: cd7760e62c2a ("mac80211: add support for CSA in IBSS mode")
|
||||
Link: https://syzkaller.appspot.com/bug?id=05603ef4ae8926761b678d2939a3b2ad28ab9ca6
|
||||
Reported-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com
|
||||
Signed-off-by: Siddh Raman Pant <code@siddh.me>
|
||||
Tested-by: syzbot+b6c9fe29aefe68e4ad34@syzkaller.appspotmail.com
|
||||
Link: https://lore.kernel.org/r/20220814151512.9985-1-code@siddh.me
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/mac80211/ibss.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
--- a/net/mac80211/ibss.c
|
||||
+++ b/net/mac80211/ibss.c
|
||||
@@ -534,6 +534,10 @@ int ieee80211_ibss_finish_csa(struct iee
|
||||
|
||||
sdata_assert_lock(sdata);
|
||||
|
||||
+ /* When not connected/joined, sending CSA doesn't make sense. */
|
||||
+ if (ifibss->state != IEEE80211_IBSS_MLME_JOINED)
|
||||
+ return -ENOLINK;
|
||||
+
|
||||
/* update cfg80211 bss information with the new channel */
|
||||
if (!is_zero_ether_addr(ifibss->bssid)) {
|
||||
cbss = cfg80211_get_bss(sdata->local->hw.wiphy,
|
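Review bot: The comment added before the new state check, `/* When not connected/joined, sending CSA doesn't make sense. */`, names the intent but not the failure it guards against, which is what a reader hitting the `-ENOLINK` return will want; suggest extending it to say that with no joined BSS, cfg80211_get_bss() returns NULL and ieee80211_ibss_csa_beacon() would hit its WARN_ON(), e.g. `/* Not joined: the BSS list is empty, cfg80211_get_bss() would return NULL and ieee80211_ibss_csa_beacon() would WARN. */`. The check reads `ifibss->state` right after `sdata_assert_lock(sdata)`, so it appears to be taken under the same lock as the rest of the function. `-ENOLINK` is a new return value for ieee80211_ibss_finish_csa(); its callers, and the remainder of the function, are outside the hunk.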
@ -0,0 +1,55 @@
|
||||
From 5d20c6f932f2758078d0454729129c894fe353e7 Mon Sep 17 00:00:00 2001
|
||||
From: Siddh Raman Pant <code@siddh.me>
|
||||
Date: Sat, 20 Aug 2022 01:33:40 +0530
|
||||
Subject: [PATCH] wifi: mac80211: Fix UAF in ieee80211_scan_rx()
|
||||
|
||||
commit 60deb9f10eec5c6a20252ed36238b55d8b614a2c upstream.
|
||||
|
||||
ieee80211_scan_rx() tries to access scan_req->flags after a
|
||||
null check, but a UAF is observed when the scan is completed
|
||||
and __ieee80211_scan_completed() executes, which then calls
|
||||
cfg80211_scan_done() leading to the freeing of scan_req.
|
||||
|
||||
Since scan_req is rcu_dereference()'d, prevent the racing in
|
||||
__ieee80211_scan_completed() by ensuring that from mac80211's
|
||||
POV it is no longer accessed from an RCU read critical section
|
||||
before we call cfg80211_scan_done().
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Link: https://syzkaller.appspot.com/bug?extid=f9acff9bf08a845f225d
|
||||
Reported-by: syzbot+f9acff9bf08a845f225d@syzkaller.appspotmail.com
|
||||
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
|
||||
Signed-off-by: Siddh Raman Pant <code@siddh.me>
|
||||
Link: https://lore.kernel.org/r/20220819200340.34826-1-code@siddh.me
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||||
---
|
||||
net/mac80211/scan.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/net/mac80211/scan.c
|
||||
+++ b/net/mac80211/scan.c
|
||||
@@ -461,16 +461,19 @@ static void __ieee80211_scan_completed(s
|
||||
scan_req = rcu_dereference_protected(local->scan_req,
|
||||
lockdep_is_held(&local->mtx));
|
||||
|
||||
- if (scan_req != local->int_scan_req) {
|
||||
- local->scan_info.aborted = aborted;
|
||||
- cfg80211_scan_done(scan_req, &local->scan_info);
|
||||
- }
|
||||
RCU_INIT_POINTER(local->scan_req, NULL);
|
||||
RCU_INIT_POINTER(local->scan_sdata, NULL);
|
||||
|
||||
local->scanning = 0;
|
||||
local->scan_chandef.chan = NULL;
|
||||
|
||||
+ synchronize_rcu();
|
||||
+
|
||||
+ if (scan_req != local->int_scan_req) {
|
||||
+ local->scan_info.aborted = aborted;
|
||||
+ cfg80211_scan_done(scan_req, &local->scan_info);
|
||||
+ }
|
||||
+
|
||||
/* Set power back to normal operating levels. */
|
||||
ieee80211_hw_config(local, 0);
|
||||
|
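Review bot: The added `synchronize_rcu();` is the whole fix, yet it carries no comment, so a future reorder could move `cfg80211_scan_done()` back above it and silently reintroduce the use-after-free; suggest `/* Wait for RCU readers of scan_req (e.g. ieee80211_scan_rx()) to drain before cfg80211_scan_done() may free it. */` directly above the call. Note that `synchronize_rcu()` blocks for a full grace period while `local->mtx` is held (the `lockdep_is_held(&local->mtx)` on the rcu_dereference_protected line shows the lock is taken here); sleeping under a mutex is allowed, but it adds latency to every scan completion, which is worth stating in the same comment. __ieee80211_scan_completed() begins before and continues after the hunk.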