Merge 5.10.149 into android12-5.10-lts
Changes in 5.10.149 Revert "fs: check FMODE_LSEEK to control internal pipe splicing" mac80211: mlme: find auth challenge directly wifi: mac80211: don't parse mbssid in assoc response wifi: mac80211: fix MBSSID parsing use-after-free Linux 5.10.149 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I527f235f0d3e4c1de679bb54c6714aac5021b0f9
2
Makefile
2
Makefile
@@ -1,7 +1,7 @@
|
|||||||
# SPDX-License-Identifier: GPL-2.0
|
# SPDX-License-Identifier: GPL-2.0
|
||||||
VERSION = 5
|
VERSION = 5
|
||||||
PATCHLEVEL = 10
|
PATCHLEVEL = 10
|
||||||
SUBLEVEL = 148
|
SUBLEVEL = 149
|
||||||
EXTRAVERSION =
|
EXTRAVERSION =
|
||||||
NAME = Dare mighty things
|
NAME = Dare mighty things
|
||||||
|
|
||||||
|
10
fs/splice.c
10
fs/splice.c
@@ -806,15 +806,17 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd,
|
|||||||
{
|
{
|
||||||
struct pipe_inode_info *pipe;
|
struct pipe_inode_info *pipe;
|
||||||
long ret, bytes;
|
long ret, bytes;
|
||||||
|
umode_t i_mode;
|
||||||
size_t len;
|
size_t len;
|
||||||
int i, flags, more;
|
int i, flags, more;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We require the input to be seekable, as we don't want to randomly
|
* We require the input being a regular file, as we don't want to
|
||||||
* drop data for eg socket -> socket splicing. Use the piped splicing
|
* randomly drop data for eg socket -> socket splicing. Use the
|
||||||
* for that!
|
* piped splicing for that!
|
||||||
*/
|
*/
|
||||||
if (unlikely(!(in->f_mode & FMODE_LSEEK)))
|
i_mode = file_inode(in)->i_mode;
|
||||||
|
if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode)))
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
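Review bot: The restored comment in splice_direct_to_actor says the input must be "a regular file", but the check below it is `!S_ISREG(i_mode) && !S_ISBLK(i_mode)`, so block devices are accepted as well. The comment should state the real acceptance rule, for example `* We require the input to be a regular file or a block device, as we don't want to`. A reader relying on the comment alone would otherwise misjudge which file types can reach the direct-splice path. The function body continues outside the hunk.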
@@ -1485,7 +1485,6 @@ struct ieee802_11_elems {
|
|||||||
const u8 *supp_rates;
|
const u8 *supp_rates;
|
||||||
const u8 *ds_params;
|
const u8 *ds_params;
|
||||||
const struct ieee80211_tim_ie *tim;
|
const struct ieee80211_tim_ie *tim;
|
||||||
const u8 *challenge;
|
|
||||||
const u8 *rsn;
|
const u8 *rsn;
|
||||||
const u8 *rsnx;
|
const u8 *rsnx;
|
||||||
const u8 *erp_info;
|
const u8 *erp_info;
|
||||||
@@ -1538,7 +1537,6 @@ struct ieee802_11_elems {
|
|||||||
u8 ssid_len;
|
u8 ssid_len;
|
||||||
u8 supp_rates_len;
|
u8 supp_rates_len;
|
||||||
u8 tim_len;
|
u8 tim_len;
|
||||||
u8 challenge_len;
|
|
||||||
u8 rsn_len;
|
u8 rsn_len;
|
||||||
u8 rsnx_len;
|
u8 rsnx_len;
|
||||||
u8 ext_supp_rates_len;
|
u8 ext_supp_rates_len;
|
||||||
@@ -1553,6 +1551,8 @@ struct ieee802_11_elems {
|
|||||||
u8 country_elem_len;
|
u8 country_elem_len;
|
||||||
u8 bssid_index_len;
|
u8 bssid_index_len;
|
||||||
|
|
||||||
|
void *nontx_profile;
|
||||||
|
|
||||||
/* whether a parse error occurred while retrieving these elements */
|
/* whether a parse error occurred while retrieving these elements */
|
||||||
bool parse_error;
|
bool parse_error;
|
||||||
};
|
};
|
||||||
|
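Review bot: The new `void *nontx_profile;` member of struct ieee802_11_elems has no comment, although it changes the struct from a set of borrowed pointers into one that carries an allocation. The other hunks on this page show the parser storing its buffer there (`elems->nontx_profile = nontransmitted_profile;`) and callers releasing it with `kfree(elems.nontx_profile);`. That ownership rule should be stated on the field, for example `/* buffer allocated by the element parser for the nontransmitted profile; the caller must kfree() it once done with the parsed elements */`. Without it, a new caller of the parse helpers can easily leak the buffer or free it while element pointers that presumably reference it are still in use.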
@@ -2899,14 +2899,14 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
|
|||||||
{
|
{
|
||||||
struct ieee80211_local *local = sdata->local;
|
struct ieee80211_local *local = sdata->local;
|
||||||
struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
|
struct ieee80211_mgd_auth_data *auth_data = sdata->u.mgd.auth_data;
|
||||||
|
const struct element *challenge;
|
||||||
u8 *pos;
|
u8 *pos;
|
||||||
struct ieee802_11_elems elems;
|
|
||||||
u32 tx_flags = 0;
|
u32 tx_flags = 0;
|
||||||
|
|
||||||
pos = mgmt->u.auth.variable;
|
pos = mgmt->u.auth.variable;
|
||||||
ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
|
challenge = cfg80211_find_elem(WLAN_EID_CHALLENGE, pos,
|
||||||
mgmt->bssid, auth_data->bss->bssid);
|
len - (pos - (u8 *)mgmt));
|
||||||
if (!elems.challenge)
|
if (!challenge)
|
||||||
return;
|
return;
|
||||||
auth_data->expected_transaction = 4;
|
auth_data->expected_transaction = 4;
|
||||||
drv_mgd_prepare_tx(sdata->local, sdata, 0);
|
drv_mgd_prepare_tx(sdata->local, sdata, 0);
|
||||||
@@ -2914,7 +2914,8 @@ static void ieee80211_auth_challenge(struct ieee80211_sub_if_data *sdata,
|
|||||||
tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
|
tx_flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
|
||||||
IEEE80211_TX_INTFL_MLME_CONN_TX;
|
IEEE80211_TX_INTFL_MLME_CONN_TX;
|
||||||
ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
|
ieee80211_send_auth(sdata, 3, auth_data->algorithm, 0,
|
||||||
elems.challenge - 2, elems.challenge_len + 2,
|
(void *)challenge,
|
||||||
|
challenge->datalen + sizeof(*challenge),
|
||||||
auth_data->bss->bssid, auth_data->bss->bssid,
|
auth_data->bss->bssid, auth_data->bss->bssid,
|
||||||
auth_data->key, auth_data->key_len,
|
auth_data->key, auth_data->key_len,
|
||||||
auth_data->key_idx, tx_flags);
|
auth_data->key_idx, tx_flags);
|
||||||
@@ -3299,7 +3300,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
|
|||||||
}
|
}
|
||||||
capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
|
capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
|
||||||
ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
|
ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, elems,
|
||||||
mgmt->bssid, assoc_data->bss->bssid);
|
mgmt->bssid, NULL);
|
||||||
|
|
||||||
if (elems->aid_resp)
|
if (elems->aid_resp)
|
||||||
aid = le16_to_cpu(elems->aid_resp->aid);
|
aid = le16_to_cpu(elems->aid_resp->aid);
|
||||||
@@ -3393,6 +3394,7 @@ static bool ieee80211_assoc_success(struct ieee80211_sub_if_data *sdata,
|
|||||||
sdata_info(sdata,
|
sdata_info(sdata,
|
||||||
"AP bug: VHT operation missing from AssocResp\n");
|
"AP bug: VHT operation missing from AssocResp\n");
|
||||||
}
|
}
|
||||||
|
kfree(bss_elems.nontx_profile);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -3707,7 +3709,7 @@ static void ieee80211_rx_mgmt_assoc_resp(struct ieee80211_sub_if_data *sdata,
|
|||||||
return;
|
return;
|
||||||
|
|
||||||
ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
|
ieee802_11_parse_elems(pos, len - (pos - (u8 *)mgmt), false, &elems,
|
||||||
mgmt->bssid, assoc_data->bss->bssid);
|
mgmt->bssid, NULL);
|
||||||
|
|
||||||
if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
|
if (status_code == WLAN_STATUS_ASSOC_REJECTED_TEMPORARILY &&
|
||||||
elems.timeout_int &&
|
elems.timeout_int &&
|
||||||
@@ -4044,6 +4046,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
|
|||||||
ifmgd->assoc_data->timeout = jiffies;
|
ifmgd->assoc_data->timeout = jiffies;
|
||||||
ifmgd->assoc_data->timeout_started = true;
|
ifmgd->assoc_data->timeout_started = true;
|
||||||
run_again(sdata, ifmgd->assoc_data->timeout);
|
run_again(sdata, ifmgd->assoc_data->timeout);
|
||||||
|
kfree(elems.nontx_profile);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -4221,7 +4224,7 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
|
|||||||
ieee80211_report_disconnect(sdata, deauth_buf,
|
ieee80211_report_disconnect(sdata, deauth_buf,
|
||||||
sizeof(deauth_buf), true,
|
sizeof(deauth_buf), true,
|
||||||
WLAN_REASON_DEAUTH_LEAVING);
|
WLAN_REASON_DEAUTH_LEAVING);
|
||||||
return;
|
goto free;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (sta && elems.opmode_notif)
|
if (sta && elems.opmode_notif)
|
||||||
@@ -4236,6 +4239,8 @@ static void ieee80211_rx_mgmt_beacon(struct ieee80211_sub_if_data *sdata,
|
|||||||
elems.cisco_dtpc_elem);
|
elems.cisco_dtpc_elem);
|
||||||
|
|
||||||
ieee80211_bss_info_change_notify(sdata, changed);
|
ieee80211_bss_info_change_notify(sdata, changed);
|
||||||
|
free:
|
||||||
|
kfree(elems.nontx_profile);
|
||||||
}
|
}
|
||||||
|
|
||||||
void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
|
void ieee80211_sta_rx_queued_ext(struct ieee80211_sub_if_data *sdata,
|
||||||
|
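Review bot: In ieee80211_rx_mgmt_beacon the two exits touched here release `elems.nontx_profile` in different ways: the assoc_data branch frees inline (`kfree(elems.nontx_profile);` before `return;`), while the deauth path uses `goto free;` to reach the new label at the end. Any other `return` between the element parse and `free:` would leak the buffer. Those lines are outside the visible hunks, so the full function should be checked for such paths. Sending every post-parse exit through the label, for example `goto free;` in the assoc_data branch as well, would leave a single cleanup point that later edits cannot bypass unnoticed.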
@@ -227,6 +227,8 @@ ieee80211_bss_info_update(struct ieee80211_local *local,
|
|||||||
rx_status, beacon);
|
rx_status, beacon);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
kfree(elems.nontx_profile);
|
||||||
|
|
||||||
return bss;
|
return bss;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@@ -1124,10 +1124,6 @@ _ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|||||||
} else
|
} else
|
||||||
elem_parse_failed = true;
|
elem_parse_failed = true;
|
||||||
break;
|
break;
|
||||||
case WLAN_EID_CHALLENGE:
|
|
||||||
elems->challenge = pos;
|
|
||||||
elems->challenge_len = elen;
|
|
||||||
break;
|
|
||||||
case WLAN_EID_VENDOR_SPECIFIC:
|
case WLAN_EID_VENDOR_SPECIFIC:
|
||||||
if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
|
if (elen >= 4 && pos[0] == 0x00 && pos[1] == 0x50 &&
|
||||||
pos[2] == 0xf2) {
|
pos[2] == 0xf2) {
|
||||||
@@ -1487,6 +1483,11 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|||||||
cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
|
cfg80211_find_ext_elem(WLAN_EID_EXT_NON_INHERITANCE,
|
||||||
nontransmitted_profile,
|
nontransmitted_profile,
|
||||||
nontransmitted_profile_len);
|
nontransmitted_profile_len);
|
||||||
|
if (!nontransmitted_profile_len) {
|
||||||
|
nontransmitted_profile_len = 0;
|
||||||
|
kfree(nontransmitted_profile);
|
||||||
|
nontransmitted_profile = NULL;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
|
crc = _ieee802_11_parse_elems_crc(start, len, action, elems, filter,
|
||||||
@@ -1516,7 +1517,7 @@ u32 ieee802_11_parse_elems_crc(const u8 *start, size_t len, bool action,
|
|||||||
offsetofend(struct ieee80211_bssid_index, dtim_count))
|
offsetofend(struct ieee80211_bssid_index, dtim_count))
|
||||||
elems->dtim_count = elems->bssid_index->dtim_count;
|
elems->dtim_count = elems->bssid_index->dtim_count;
|
||||||
|
|
||||||
kfree(nontransmitted_profile);
|
elems->nontx_profile = nontransmitted_profile;
|
||||||
|
|
||||||
return crc;
|
return crc;
|
||||||
}
|
}
|
||||||
|
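Review bot: In the block added to ieee802_11_parse_elems_crc, `nontransmitted_profile_len = 0;` sits inside `if (!nontransmitted_profile_len)`, so it assigns the value the variable already holds and can be dropped. The lines that matter are `kfree(nontransmitted_profile);` and `nontransmitted_profile = NULL;`, which ensure that a buffer with no matching profile is not handed to the caller through `elems->nontx_profile`. A short comment would make that intent explicit, for example `/* no profile found: free here so callers only ever receive a buffer that is in use */`. The function begins and ends outside these hunks.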