<feed xmlns='http://www.w3.org/2005/Atom'>
<title>xavi/android_kernel_m2note/net/wireless, branch ng-7.1.2</title>
<id>https://gitea.privatedns.org/xavi/android_kernel_m2note/atom?h=ng-7.1.2</id>
<link rel='self' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/atom?h=ng-7.1.2'/>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/'/>
<updated>2019-05-03T17:27:53+00:00</updated>
<entry>
<title>cfg80211: check dev_set_name() return value</title>
<updated>2019-05-03T17:27:53+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2018-01-15T08:58:27+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=8e09c6125e20aa1517a1176cb35a1790b845438b'/>
<id>urn:sha1:8e09c6125e20aa1517a1176cb35a1790b845438b</id>
<content type='text'>
commit 59b179b48ce2a6076448a44531242ac2b3f6cef2 upstream.

syzbot reported a warning from rfkill_alloc(), and after a while
I think that the reason is that it was doing fault injection and
the dev_set_name() failed, leaving the name NULL, and we didn't
check the return value and got to rfkill_alloc() with a NULL name.
Since we really don't want a NULL name, we ought to check the
return value.

Fixes: fb28ad35906a ("net: struct device - replace bus_id with dev_name(), dev_set_name()")
Change-Id: Iecd16d788290c9d51a62c22a7c2784623aa0abc6
Reported-by: syzbot+1ddfb3357e1d7bb5b5d3@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>nl80211: take RCU read lock when calling ieee80211_bss_get_ie()</title>
<updated>2019-05-03T17:27:38+00:00</updated>
<author>
<name>Dominik Brodowski</name>
<email>linux@dominikbrodowski.net</email>
</author>
<published>2018-01-15T07:12:15+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=ec4eaf79b19452599b0c1b3bbcf8fff81afaa9b7'/>
<id>urn:sha1:ec4eaf79b19452599b0c1b3bbcf8fff81afaa9b7</id>
<content type='text'>
commit 7a94b8c2eee7083ddccd0515830f8c81a8e44b1a upstream.

As ieee80211_bss_get_ie() dereferences an RCU to return ssid_ie, both
the call to this function and any operation on this variable need
protection by the RCU read lock.

Fixes: 44905265bc15 ("nl80211: don't expose wdev-&gt;ssid for most interfaces")
Change-Id: I7d9c6c32135f4be34678537653787654d435116e
Signed-off-by: Dominik Brodowski &lt;linux@dominikbrodowski.net&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>nl80211: fix nl80211_send_iface() error paths</title>
<updated>2019-05-03T17:26:52+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2017-12-11T11:33:47+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=4c033c20ea53d9ffb77c92745d030e1efb8b8547'/>
<id>urn:sha1:4c033c20ea53d9ffb77c92745d030e1efb8b8547</id>
<content type='text'>
commit 4564b187c16327045d87596e8980c65ba7b84c50 upstream.

Evidently I introduced a locking bug in my change here,
the nla_put_failure sometimes needs to unlock. Fix it.

Fixes: 44905265bc15 ("nl80211: don't expose wdev-&gt;ssid for most interfaces")
Change-Id: I10e56d2a47ec402597a603e0abb3e1335dfb8be3
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>nl80211: don't expose wdev-&gt;ssid for most interfaces</title>
<updated>2019-05-03T17:26:41+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2017-10-17T19:56:01+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=8418ff5f5da2b1b181c7e40d3876490a20d017bd'/>
<id>urn:sha1:8418ff5f5da2b1b181c7e40d3876490a20d017bd</id>
<content type='text'>
commit 44905265bc155e0237c76c25bf5ddf740d85a8f2 upstream.

For mesh, this is simply wrong - there's no SSID, only the
mesh ID, so don't expose it at all.
For (P2P) client, it's wrong, because it exposes an internal
value that's only used when certain APIs are used.
For AP, it's actually the only correct case, so leave that.
All other interface types shouldn't be setting this anyway,
so there it won't change anything.

Fixes: b84e7a05f619 ("nl80211: send the NL80211_ATTR_SSID in nl80211_send_iface()")
Change-Id: I71aa50fc03d401264fb19bf83da3b253f157ad72
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>cfg80211: reg: Init wiphy_idx in regulatory_hint_core()</title>
<updated>2019-05-03T17:24:03+00:00</updated>
<author>
<name>Andrei Otcheretianski</name>
<email>andrei.otcheretianski@intel.com</email>
</author>
<published>2018-09-05T05:06:12+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=d1b5e22588c61060bf83d19bf886e4b57212630a'/>
<id>urn:sha1:d1b5e22588c61060bf83d19bf886e4b57212630a</id>
<content type='text'>
commit 24f33e64fcd0d50a4b1a8e5b41bd0257aa66b0e8 upstream.

Core regulatory hints didn't set wiphy_idx to WIPHY_IDX_INVALID. Since
the regulatory request is zeroed, wiphy_idx was always implicitly set to
0. This resulted in updating only phy #0.
Fix that.

Fixes: 806a9e39670b ("cfg80211: make regulatory_request use wiphy_idx instead of wiphy")
Signed-off-by: Andrei Otcheretianski &lt;andrei.otcheretianski@intel.com&gt;
Signed-off-by: Luca Coelho &lt;luciano.coelho@intel.com&gt;
[add fixes tag]
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;

Change-Id: If98e015f5778873df7f29cf4bc67cd2ae5c4bc27
</content>
</entry>
<entry>
<title>cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE</title>
<updated>2019-05-03T17:24:03+00:00</updated>
<author>
<name>Arunk Khandavalli</name>
<email>akhandav@codeaurora.org</email>
</author>
<published>2018-08-29T21:40:16+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=0354299fb1090439092e72a4e3de3e07358c4624'/>
<id>urn:sha1:0354299fb1090439092e72a4e3de3e07358c4624</id>
<content type='text'>
commit 4f0223bfe9c3e62d8f45a85f1ef1b18a8a263ef9 upstream.

nl80211_update_ft_ies() tried to validate NL80211_ATTR_IE with
is_valid_ie_attr() before dereferencing it, but that helper function
returns true in case of NULL pointer (i.e., attribute not included).
This can result in dereferencing a NULL pointer. Fix that by explicitly
checking that NL80211_ATTR_IE is included.

Fixes: 355199e02b83 ("cfg80211: Extend support for IEEE 802.11r Fast BSS Transition")
Change-Id: Ie7ac476919af2ef4d38ff04b8519ad9bdc5e9ed8
Signed-off-by: Arunk Khandavalli &lt;akhandav@codeaurora.org&gt;
Signed-off-by: Jouni Malinen &lt;jouni@codeaurora.org&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>cfg80211: fix station info handling bugs</title>
<updated>2019-05-02T15:01:08+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2018-01-16T22:20:22+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=824ec6f7e674912e621a71159138ec93d272dc14'/>
<id>urn:sha1:824ec6f7e674912e621a71159138ec93d272dc14</id>
<content type='text'>
commit 5762d7d3eda25c03cc2d9d45227be3f5ab6bec9e upstream.

Fix two places where the structure isn't initialized to zero,
and thus can't be filled properly by the driver.

Fixes: 4a4b8169501b ("cfg80211: Accept multiple RSSI thresholds for CQM")
Fixes: 9930380f0bd8 ("cfg80211: implement IWRATE")
Change-Id: I2cd090709e9349aa70a5196951e582a29679c4ab
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: drop change in cfg80211_cqm_rssi_update()]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
</entry>
<entry>
<title>nl80211: Define policy for packet pattern attributes</title>
<updated>2018-05-16T11:09:57+00:00</updated>
<author>
<name>Peng Xu</name>
<email>pxu@qti.qualcomm.com</email>
</author>
<published>2017-11-27T15:39:51+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=fe42765dbbfd30e93e136ca21d63ebf98d8ddd4f'/>
<id>urn:sha1:fe42765dbbfd30e93e136ca21d63ebf98d8ddd4f</id>
<content type='text'>
Define a policy for packet pattern attributes in order to fix a
potential read over the end of the buffer during nla_get_u32()
of the NL80211_WOWLAN_PKTPAT_OFFSET attribute.

Note that the data there can always be read due to SKB allocation
(with alignment and struct skb_shared_info at the end), but the
data might be uninitialized. This could be used to leak some data
from uninitialized vmalloc() memory, but most drivers don't allow
an offset (so you'd just get -EINVAL if the data is non-zero) or
just allow it with a fixed value - 100 or 128 bytes, so anything
above that would get -EINVAL. With brcmfmac the limit is 1500 so
(at least) one byte could be obtained.

Cc: stable@kernel.org
Bug: 64403015
Signed-off-by: Peng Xu &lt;pxu@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
[rewrite description based on SKB allocation knowledge]
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;

Git-commit: ad670233c9e1d5feb365d870e30083ef1b889177
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
CRs-fixed: 2116387
Change-Id: Ia84ca10f85507fe3ddbbb518388ca7b453fd8453
[Backport: Fix conflicts]
Signed-off-by: Vidyullatha Kanchanapally &lt;vidyullatha@codeaurora.org&gt;
Signed-off-by: Peng Xu &lt;pxu@codeaurora.org&gt;
Signed-off-by: Srinivas Dasari &lt;dasaris@codeaurora.org&gt;
</content>
</entry>
<entry>
<title>cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE</title>
<updated>2017-12-08T16:14:38+00:00</updated>
<author>
<name>Srinivas Dasari</name>
<email>dasaris@qti.qualcomm.com</email>
</author>
<published>2017-07-06T22:43:41+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=62fb9f8b97d0cd3efa682fc7f53095f08b421708'/>
<id>urn:sha1:62fb9f8b97d0cd3efa682fc7f53095f08b421708</id>
<content type='text'>
Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.

Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: stable@vger.kernel.org
Bug: 36819059
Signed-off-by: Srinivas Dasari &lt;dasaris@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211.git
Git-commit: 8feb69c7bd89513be80eb19198d48f154b254021
Change-Id: Ie20993309501fd242782311b9fe787931f716116
CRs-Fixed: 2055013
Signed-off-by: Srinivas Dasari &lt;dasaris@codeaurora.org&gt;
(cherry picked from commit ac4f175b41aef6a924d0a8f1a79bca89b6ea62e0)
</content>
</entry>
<entry>
<title>cfg80211: Check if PMKID attribute is of expected size</title>
<updated>2017-11-06T14:33:02+00:00</updated>
<author>
<name>Srinivas Dasari</name>
<email>dasaris@qti.qualcomm.com</email>
</author>
<published>2017-07-06T22:43:39+00:00</published>
<link rel='alternate' type='text/html' href='https://gitea.privatedns.org/xavi/android_kernel_m2note/commit/?id=993150b4d8f925835eac813aeff6985da156f23b'/>
<id>urn:sha1:993150b4d8f925835eac813aeff6985da156f23b</id>
<content type='text'>
commit 9361df14d1cbf966409d5d6f48bb334384fbe138 upstream.

nla policy checks for only maximum length of the attribute data
when the attribute type is NLA_BINARY. If userspace sends less
data than specified, the wireless drivers may access illegal
memory. When type is NLA_UNSPEC, nla policy check ensures that
userspace sends minimum specified length number of bytes.

Remove type assignment to NLA_BINARY from nla_policy of
NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
WLAN_PMKID_LEN bytes are received from userspace with
NL80211_ATTR_PMKID.

Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari &lt;dasaris@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Willy Tarreau &lt;w@1wt.eu&gt;
</content>
</entry>
</feed>
