mac80211: backport upstream fixes
authorKoen Vandeputte <koen.vandeputte@citymesh.com>
Fri, 2 Apr 2021 10:21:24 +0000 (12:21 +0200)
committerKoen Vandeputte <koen.vandeputte@ncentric.com>
Fri, 9 Apr 2021 13:43:38 +0000 (15:43 +0200)
Refreshed all patches.
Includes all fixes up to 4.19.184

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch [new file with mode: 0644]
package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch [new file with mode: 0644]
package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch [new file with mode: 0644]
package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch [new file with mode: 0644]
package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch [new file with mode: 0644]
package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch [new file with mode: 0644]
package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch [new file with mode: 0644]
package/kernel/mac80211/patches/subsys/522-mac80211_configure_antenna_gain.patch

diff --git a/package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch b/package/kernel/mac80211/patches/subsys/369-mac80211-don-t-set-set-TDLS-STA-bandwidth-wider-than.patch
new file mode 100644 (file)
index 0000000..a88b24d
--- /dev/null
@@ -0,0 +1,65 @@
+From ebbd7dc7ca856a182769c17c4c8a739cedc064c4 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Sun, 6 Dec 2020 14:54:44 +0200
+Subject: [PATCH] mac80211: don't set set TDLS STA bandwidth wider than
+ possible
+
+[ Upstream commit f65607cdbc6b0da356ef5a22552ddd9313cf87a0 ]
+
+When we set up a TDLS station, we set sta->sta.bandwidth solely based
+on the capabilities, because the "what's the current bandwidth" check
+is bypassed and only applied for other types of stations.
+
+This leads to the unfortunate scenario that the sta->sta.bandwidth is
+160 MHz if both stations support it, but we never actually configure
+this bandwidth unless the AP is already using 160 MHz; even for wider
+bandwidth support we only go up to 80 MHz (at least right now.)
+
+For iwlwifi, this can also lead to firmware asserts, telling us that
+we've configured the TX rates for a higher bandwidth than is actually
+available due to the PHY configuration.
+
+For non-TDLS, we check against the interface's requested bandwidth,
+but we explicitly skip this check for TDLS to cope with the wider BW
+case. Change this to
+ (a) still limit to the TDLS peer's own chandef, which gets factored
+     into the overall PHY configuration we request from the driver,
+     and
+ (b) limit it to when the TDLS peer is authorized, because it's only
+     factored into the channel context in this case.
+
+Fixes: 504871e602d9 ("mac80211: fix bandwidth computation for TDLS peers")
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
+Link: https://lore.kernel.org/r/iwlwifi.20201206145305.fcc7d29c4590.I11f77e9e25ddf871a3c8d5604650c763e2c5887a@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/vht.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/vht.c
++++ b/net/mac80211/vht.c
+@@ -421,12 +421,18 @@ enum ieee80211_sta_rx_bandwidth ieee8021
+        * IEEE80211-2016 specification makes higher bandwidth operation
+        * possible on the TDLS link if the peers have wider bandwidth
+        * capability.
++       *
++       * However, in this case, and only if the TDLS peer is authorized,
++       * limit to the tdls_chandef so that the configuration here isn't
++       * wider than what's actually requested on the channel context.
+        */
+       if (test_sta_flag(sta, WLAN_STA_TDLS_PEER) &&
+-          test_sta_flag(sta, WLAN_STA_TDLS_WIDER_BW))
+-              return bw;
+-
+-      bw = min(bw, ieee80211_chan_width_to_rx_bw(bss_width));
++          test_sta_flag(sta, WLAN_STA_TDLS_WIDER_BW) &&
++          test_sta_flag(sta, WLAN_STA_AUTHORIZED) &&
++          sta->tdls_chandef.chan)
++              bw = min(bw, ieee80211_chan_width_to_rx_bw(sta->tdls_chandef.width));
++      else
++              bw = min(bw, ieee80211_chan_width_to_rx_bw(bss_width));
+       return bw;
+ }
diff --git a/package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch b/package/kernel/mac80211/patches/subsys/370-mac80211-pause-TX-while-changing-interface-type.patch
new file mode 100644 (file)
index 0000000..ce9776c
--- /dev/null
@@ -0,0 +1,57 @@
+From b26b5e0861578fa7cdf444b1aa61d06f739eb306 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 22 Jan 2021 17:11:16 +0100
+Subject: [PATCH] mac80211: pause TX while changing interface type
+
+[ Upstream commit 054c9939b4800a91475d8d89905827bf9e1ad97a ]
+
+syzbot reported a crash that happened when changing the interface
+type around a lot, and while it might have been easy to fix just
+the symptom there, a little deeper investigation found that really
+the reason is that we allowed packets to be transmitted while in
+the middle of changing the interface type.
+
+Disallow TX by stopping the queues while changing the type.
+
+Fixes: 34d4bc4d41d2 ("mac80211: support runtime interface type changes")
+Reported-by: syzbot+d7a3b15976bf7de2238a@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20210122171115.b321f98f4d4f.I6997841933c17b093535c31d29355be3c0c39628@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/iface.c       | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1057,6 +1057,7 @@ enum queue_stop_reason {
+       IEEE80211_QUEUE_STOP_REASON_FLUSH,
+       IEEE80211_QUEUE_STOP_REASON_TDLS_TEARDOWN,
+       IEEE80211_QUEUE_STOP_REASON_RESERVE_TID,
++      IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE,
+       IEEE80211_QUEUE_STOP_REASONS,
+ };
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1621,6 +1621,10 @@ static int ieee80211_runtime_change_ifty
+       if (ret)
+               return ret;
++      ieee80211_stop_vif_queues(local, sdata,
++                                IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE);
++      synchronize_net();
++
+       ieee80211_do_stop(sdata, false);
+       ieee80211_teardown_sdata(sdata);
+@@ -1641,6 +1645,8 @@ static int ieee80211_runtime_change_ifty
+       err = ieee80211_do_open(&sdata->wdev, false);
+       WARN(err, "type change: do_open returned %d", err);
++      ieee80211_wake_vif_queues(local, sdata,
++                                IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE);
+       return ret;
+ }
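Review bot: The new stop/wake pair is balanced only if nothing returns between the two hunks: the stop is placed after the early `return ret` shown above it, and the wake sits immediately before the final `return ret`, but the lines between `ieee80211_teardown_sdata(sdata)` and the `ieee80211_do_open` call are not shown here. If any error path in that gap returns, the vif queues would stay stopped under IEEE80211_QUEUE_STOP_REASON_IFTYPE_CHANGE, which is worth confirming against the backports tree this applies to. Note also that the `WARN(err, ...)` on the `do_open` failure does not return, so the wake is reached in that case. `ieee80211_runtime_change_iftype` begins outside the hunk.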
diff --git a/package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch b/package/kernel/mac80211/patches/subsys/371-mac80211-fix-fast-rx-encryption-check.patch
new file mode 100644 (file)
index 0000000..f6ce40a
--- /dev/null
@@ -0,0 +1,29 @@
+From b70798906c4c85314511cf6d5cae98385861fc07 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 18 Dec 2020 19:47:17 +0100
+Subject: [PATCH] mac80211: fix fast-rx encryption check
+
+[ Upstream commit 622d3b4e39381262da7b18ca1ed1311df227de86 ]
+
+When using WEP, the default unicast key needs to be selected, instead of
+the STA PTK.
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20201218184718.93650-5-nbd@nbd.name
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/rx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -4019,6 +4019,8 @@ void ieee80211_check_fast_rx(struct sta_
+       rcu_read_lock();
+       key = rcu_dereference(sta->ptk[sta->ptk_idx]);
++      if (!key)
++              key = rcu_dereference(sdata->default_unicast_key);
+       if (key) {
+               switch (key->conf.cipher) {
+               case WLAN_CIPHER_SUITE_TKIP:
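Review bot: The fallback to `sdata->default_unicast_key` carries no comment explaining when `sta->ptk[sta->ptk_idx]` is expected to be NULL; the commit message says this is the WEP case, which is not evident from the two added lines. A comment above the new check, `/* no PTK (e.g. WEP): fall back to the default unicast key */`, would keep that intent with the code. Both `rcu_dereference` calls sit under the `rcu_read_lock()` taken on the line above, so the fallback itself looks consistent. `ieee80211_check_fast_rx` continues outside the hunk.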
diff --git a/package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch b/package/kernel/mac80211/patches/subsys/372-mac80211-fix-station-rate-table-updates-on-assoc.patch
new file mode 100644 (file)
index 0000000..693904b
--- /dev/null
@@ -0,0 +1,49 @@
+From 1d3a84f92f75bb0c2f981a75f507f55afed12f2c Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 1 Feb 2021 09:33:24 +0100
+Subject: [PATCH] mac80211: fix station rate table updates on assoc
+
+commit 18fe0fae61252b5ae6e26553e2676b5fac555951 upstream.
+
+If the driver uses .sta_add, station entries are only uploaded after the sta
+is in assoc state. Fix early station rate table updates by deferring them
+until the sta has been uploaded.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20210201083324.3134-1-nbd@nbd.name
+[use rcu_access_pointer() instead since we won't dereference here]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/driver-ops.c | 5 ++++-
+ net/mac80211/rate.c       | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -128,8 +128,11 @@ int drv_sta_state(struct ieee80211_local
+       } else if (old_state == IEEE80211_STA_AUTH &&
+                  new_state == IEEE80211_STA_ASSOC) {
+               ret = drv_sta_add(local, sdata, &sta->sta);
+-              if (ret == 0)
++              if (ret == 0) {
+                       sta->uploaded = true;
++                      if (rcu_access_pointer(sta->sta.rates))
++                              drv_sta_rate_tbl_update(local, sdata, &sta->sta);
++              }
+       } else if (old_state == IEEE80211_STA_ASSOC &&
+                  new_state == IEEE80211_STA_AUTH) {
+               drv_sta_remove(local, sdata, &sta->sta);
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -941,7 +941,8 @@ int rate_control_set_rates(struct ieee80
+       if (old)
+               kfree_rcu(old, rcu_head);
+-      drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
++      if (sta->uploaded)
++              drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
+       ieee80211_sta_set_expected_throughput(pubsta, sta_get_expected_throughput(sta));
diff --git a/package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch b/package/kernel/mac80211/patches/subsys/373-mac80211-fix-potential-overflow-when-multiplying-to-.patch
new file mode 100644 (file)
index 0000000..f5d9d84
--- /dev/null
@@ -0,0 +1,34 @@
+From 2a4b99ffcda9f6739d4deb7bd7d2e0ed8444dda7 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 5 Feb 2021 17:53:52 +0000
+Subject: [PATCH] mac80211: fix potential overflow when multiplying to u32
+ integers
+
+[ Upstream commit 6194f7e6473be78acdc5d03edd116944bdbb2c4e ]
+
+The multiplication of the u32 variables tx_time and estimated_retx is
+performed using a 32 bit multiplication and the result is stored in
+a u64 result. This has a potential u32 overflow issue, so avoid this
+by casting tx_time to a u64 to force a 64 bit multiply.
+
+Addresses-Coverity: ("Unintentional integer overflow")
+Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210205175352.208841-1-colin.king@canonical.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/mesh_hwmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/mesh_hwmp.c
++++ b/net/mac80211/mesh_hwmp.c
+@@ -355,7 +355,7 @@ static u32 airtime_link_metric_get(struc
+        */
+       tx_time = (device_constant + 10 * test_frame_len / rate);
+       estimated_retx = ((1 << (2 * ARITH_SHIFT)) / (s_unit - err));
+-      result = (tx_time * estimated_retx) >> (2 * ARITH_SHIFT);
++      result = ((u64)tx_time * estimated_retx) >> (2 * ARITH_SHIFT);
+       return (u32)result;
+ }
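Review bot: The `(u64)` cast removes the 32-bit multiply overflow, but the preceding `estimated_retx = ((1 << (2 * ARITH_SHIFT)) / (s_unit - err));` still has no visible guard against `s_unit - err` being zero; whether `err` is bounded below `s_unit` is decided earlier in `airtime_link_metric_get`, outside this hunk, so this is a check to confirm rather than a defect shown here. A short comment on the changed line, `/* widen first: tx_time * estimated_retx can exceed 32 bits */`, would keep the reason for the cast from being lost in a later cleanup.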
diff --git a/package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch b/package/kernel/mac80211/patches/subsys/374-mac80211-fix-rate-mask-reset.patch
new file mode 100644 (file)
index 0000000..36d5bee
--- /dev/null
@@ -0,0 +1,50 @@
+From 4311a94e7598ca19311b04eb965556b5bb33accd Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 12 Feb 2021 11:22:14 +0100
+Subject: [PATCH] mac80211: fix rate mask reset
+
+[ Upstream commit 1944015fe9c1d9fa5e9eb7ffbbb5ef8954d6753b ]
+
+Coverity reported the strange "if (~...)" condition that's
+always true. It suggested that ! was intended instead of ~,
+but upon further analysis I'm convinced that what really was
+intended was a comparison to 0xff/0xffff (in HT/VHT cases
+respectively), since this indicates that all of the rates
+are enabled.
+
+Change the comparison accordingly.
+
+I'm guessing this never really mattered because a reset to
+not having a rate mask is basically equivalent to having a
+mask that enables all rates.
+
+Reported-by: Colin Ian King <colin.king@canonical.com>
+Fixes: 2ffbe6d33366 ("mac80211: fix and optimize MCS mask handling")
+Fixes: b119ad6e726c ("mac80211: add rate mask logic for vht rates")
+Reviewed-by: Colin Ian King <colin.king@canonical.com>
+Link: https://lore.kernel.org/r/20210212112213.36b38078f569.I8546a20c80bc1669058eb453e213630b846e107b@changeid
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/mac80211/cfg.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -2779,14 +2779,14 @@ static int ieee80211_set_bitrate_mask(st
+                       continue;
+               for (j = 0; j < IEEE80211_HT_MCS_MASK_LEN; j++) {
+-                      if (~sdata->rc_rateidx_mcs_mask[i][j]) {
++                      if (sdata->rc_rateidx_mcs_mask[i][j] != 0xff) {
+                               sdata->rc_has_mcs_mask[i] = true;
+                               break;
+                       }
+               }
+               for (j = 0; j < NL80211_VHT_NSS_MAX; j++) {
+-                      if (~sdata->rc_rateidx_vht_mcs_mask[i][j]) {
++                      if (sdata->rc_rateidx_vht_mcs_mask[i][j] != 0xffff) {
+                               sdata->rc_has_vht_mcs_mask[i] = true;
+                               break;
+                       }
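Review bot: The new comparisons encode "all rates enabled" as the bare constants `0xff` and `0xffff`, which only read correctly if one knows the HT mask entries are 8 bits wide and the VHT entries 16 bits; neither width is visible in the hunk. A comment above each loop, e.g. `/* an all-ones mask entry means no rate restriction */`, would carry the reasoning from the commit message into the code. `ieee80211_set_bitrate_mask` begins and ends outside the hunk.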
diff --git a/package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch b/package/kernel/mac80211/patches/subsys/375-mac80211-fix-double-free-in-ibss_leave.patch
new file mode 100644 (file)
index 0000000..e524581
--- /dev/null
@@ -0,0 +1,69 @@
+From 7da363fba2fc8526dbf3f966bac6f03fec98f095 Mon Sep 17 00:00:00 2001
+From: Markus Theil <markus.theil@tu-ilmenau.de>
+Date: Sat, 13 Feb 2021 14:36:53 +0100
+Subject: [PATCH] mac80211: fix double free in ibss_leave
+
+commit 3bd801b14e0c5d29eeddc7336558beb3344efaa3 upstream.
+
+Clear beacon ie pointer and ie length after free
+in order to prevent double free.
+
+==================================================================
+BUG: KASAN: double-free or invalid-free \
+in ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+
+CPU: 0 PID: 8472 Comm: syz-executor100 Not tainted 5.11.0-rc6-syzkaller #0
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2c6 mm/kasan/report.c:230
+ kasan_report_invalid_free+0x51/0x80 mm/kasan/report.c:355
+ ____kasan_slab_free+0xcc/0xe0 mm/kasan/common.c:341
+ kasan_slab_free include/linux/kasan.h:192 [inline]
+ __cache_free mm/slab.c:3424 [inline]
+ kfree+0xed/0x270 mm/slab.c:3760
+ ieee80211_ibss_leave+0x83/0xe0 net/mac80211/ibss.c:1876
+ rdev_leave_ibss net/wireless/rdev-ops.h:545 [inline]
+ __cfg80211_leave_ibss+0x19a/0x4c0 net/wireless/ibss.c:212
+ __cfg80211_leave+0x327/0x430 net/wireless/core.c:1172
+ cfg80211_leave net/wireless/core.c:1221 [inline]
+ cfg80211_netdev_notifier_call+0x9e8/0x12c0 net/wireless/core.c:1335
+ notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
+ call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:2040
+ call_netdevice_notifiers_extack net/core/dev.c:2052 [inline]
+ call_netdevice_notifiers net/core/dev.c:2066 [inline]
+ __dev_close_many+0xee/0x2e0 net/core/dev.c:1586
+ __dev_close net/core/dev.c:1624 [inline]
+ __dev_change_flags+0x2cb/0x730 net/core/dev.c:8476
+ dev_change_flags+0x8a/0x160 net/core/dev.c:8549
+ dev_ifsioc+0x210/0xa70 net/core/dev_ioctl.c:265
+ dev_ioctl+0x1b1/0xc40 net/core/dev_ioctl.c:511
+ sock_do_ioctl+0x148/0x2d0 net/socket.c:1060
+ sock_ioctl+0x477/0x6a0 net/socket.c:1177
+ vfs_ioctl fs/ioctl.c:48 [inline]
+ __do_sys_ioctl fs/ioctl.c:753 [inline]
+ __se_sys_ioctl fs/ioctl.c:739 [inline]
+ __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+93976391bf299d425f44@syzkaller.appspotmail.com
+Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de>
+Link: https://lore.kernel.org/r/20210213133653.367130-1-markus.theil@tu-ilmenau.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/ibss.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -1869,6 +1869,8 @@ int ieee80211_ibss_leave(struct ieee8021
+       /* remove beacon */
+       kfree(sdata->u.ibss.ie);
++      sdata->u.ibss.ie = NULL;
++      sdata->u.ibss.ie_len = 0;
+       /* on the next join, re-program HT parameters */
+       memset(&ifibss->ht_capa, 0, sizeof(ifibss->ht_capa));
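Review bot: The two added lines write through `sdata->u.ibss.` while the line that follows uses `ifibss->`, which appears to be the same object given the `memset` on `ifibss->ht_capa` in the same cleanup sequence; `ifibss->ie = NULL;` and `ifibss->ie_len = 0;` would match the surrounding style. Resetting the length together with the pointer is the right shape for the fix, since a stale non-zero `ie_len` next to a NULL `ie` would mislead any later reader of the length. `ieee80211_ibss_leave` begins and ends outside the hunk.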
index 31137e1b373955d8c55a17479c0d125c0f4d8666..ebf46c6a4cc094e9412af9d276fd18c24d2026cf 100644 (file)
@@ -87,7 +87,7 @@
        CFG80211_TESTMODE_CMD(ieee80211_testmode_cmd)
 --- a/net/mac80211/ieee80211_i.h
 +++ b/net/mac80211/ieee80211_i.h
-@@ -1365,6 +1365,7 @@ struct ieee80211_local {
+@@ -1366,6 +1366,7 @@ struct ieee80211_local {
        int dynamic_ps_forced_timeout;
  
        int user_power_level; /* in dBm, for all interfaces */